C21-451 Masabi
Page 1 of 47

AGREEMENT FOR PROFESSIONAL SERVICES BETWEEN EAGLE COUNTY AND MASABI, LLC

THIS AGREEMENT (“Agreement”) is effective as of the __________________ by and between Masabi a LLC (hereinafter “Consultant” or “Contractor”) and Eagle County, Colorado, a body corporate and politic (hereinafter “County”).

RECITALS

WHEREAS, County desires to enter into a contract with Contractor to furnish a Mobile Fares Payment System and support services (the “Project”) at the ECO Transit Maintenance Service Center located at 3289 Cooley Mesa Road, Gypsum, CO 81637 (the “Property”); and

WHEREAS, Contractor responded to an RFP with the attached response found in Exhibit G; and

WHEREAS, Consultant is authorized to do business in the State of Colorado and has the time, skill, expertise, and experience necessary to provide the Services as defined below in paragraph 1 hereof; and

WHEREAS, this Agreement shall govern the relationship between Consultant and County in connection with the Services.

NOW, THEREFORE, in consideration of the foregoing and the following promises Consultant and County agree as follows:

AGREEMENT

1. DEFINITIONS: Whenever used herein, any schedules, exhibits, order forms, or addenda to this Agreement, the following terms shall have the meanings assigned below unless otherwise defined therein. Other capitalized terms used in this Agreement are defined in the context in which they are used.

1.1. “Additional Services” means (i) any services in addition to the Platform Services including (but not limited to) ad-hoc support and maintenance, consulting services, and custom development, that at Customer’s request (and Masabi’s agreement) is provided by Masabi to the Customer from time to time; and (ii) implementing changes to the initially deployed configuration of the Justride Platform and/or product customization that may be agreed between the parties in accordance with clause 17 of this Agreement.
All Additional Services shall be priced using the Rates and with reasonable and proper travel and subsistence expenses incurred in the performance of the Additional Services to be charged by Masabi in addition to the agreed charges, all as notified to the Customer in writing in advance of such reasonable and proper expenses being incurred.

DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 12/21/2021

1.2. “Agreement” or “Contract” means this cloud computing Agreement between County and Contractor, inclusive of all schedules, exhibits, attachments, addenda and other documents incorporated by reference between the County and Contractor.

1.3. “App” or “Justride Retail Mobile App” means the component of Contractor’s Justride Platform that is a white-labelled mobile application provided to County and branded for County for the purpose of selling Products to End Users.

1.4. “Business Day” means a day other than a Saturday, Sunday or public holiday in the States of Colorado or New York, USA.

1.5. “Charges” means the prices for the Services provided by Contractor as set in Exhibit A (Statement of Work and Pricing).

1.6. “Confidential Information” means any and all records or data not subject to disclosure under CORA”). Confidential Information shall include, but is not limited to, PII, PHI, PCI, Tax Information, CJI, and personnel records not subject to disclosure under CORA. Confidential Information also means any information or data that a disclosing party treats in a confidential manner and that is marked “Confidential Information” or is considered “proprietary” prior to disclosure to the other party.
Confidential Information does not include information which: (a) is public or becomes public through no breach of the confidentiality obligations herein; (b) is disclosed by the party that has received Confidential Information (the "Receiving Party") with the prior written approval of the other party; (c) was known by the Receiving Party at the time of disclosure; (d) was developed independently by the Receiving Party without use of the Confidential Information; (e) becomes known to the Receiving Party from a source other than the disclosing party through lawful means; (f) is disclosed by the disclosing party to others without confidentiality obligations; (g) is required by law to be disclosed; or (h) is this Agreement.

1.7. “Contractor’s Proposal” means the Contractor’s proposal submitted in response to the RFP for Transit Mobile Fare Payment System and RFP # 2020-007 and set out at Exhibit G (Masabi RFP Response).

1.8. “CORA” means the Colorado Open Records Act, C.R.S. §§ 24-72-200.1, et. seq.

1.9. “County Data” means all information, whether in oral or written (including electronic) form, created by or in any way originating with County and End Users, and all information that is the output of any computer processing, or other electronic manipulation, of any information that was created by or in any way originating with County and End Users, in the course of using and configuring the Services provided under this Agreement, and includes all records relating to County’s use of Contractor Services and Protected Information.

1.10. “Data Incident” means any accidental or deliberate event that results in or constitutes an imminent threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of any communications or information resources of the County.
Data Incidents include, without limitation (i) successful attempts to gain unauthorized access to a County system or County information regardless of where such information is located; (ii) unwanted disruption or denial of service; (iii) the unauthorized use of a County system for the processing or storage of data; or (iv) changes to County system hardware, firmware, or software characteristics without the County’s knowledge, instruction, or consent. It shall also include any actual or reasonably suspected unauthorized access to or acquisition of computerized County Data that compromises the security, confidentiality, or integrity of the County Data, or the ability of County to access the County Data.

1.11. “Deliverable” means the outcome to be achieved or output to be provided, in the form of a tangible object or software that is produced as a result of Contractor’s Work that is intended to be delivered to the County by Contractor.

1.12. "Documentation" means, collectively: (a) all materials published or otherwise made available to County by Contractor that relate to the functional, operational and/or performance capabilities of the Services; (b) all user, operator, system administration, technical, support and other manuals and all other materials published or otherwise made available by Contractor that describe the functional, operational and/or performance capabilities of the Services; (c) any Requests for Information and/or Requests for Proposals (or documents of similar effect) issued by County, and the responses thereto from Contractor, and any document which purports to update or revise any of the foregoing; and (d) the results of any Contractor “Use Cases Presentation”, “Proof of Concept” or similar type presentations or tests provided by Contractor to County.

1.13.
“Downtime” means any period of time of any duration that the Services are not made available by Contractor to County for any reason, excluding scheduled maintenance windows and planned outages (including for scheduled Enhancements).

1.14. “Effective Date” means the date on which this Agreement is fully approved and signed by the County as shown on the Signature Page for this Agreement. The Effective Date for Services may be set out in an order form or similar exhibit.

1.15. “End User” means the individuals (including, but not limited to employees, authorized agents, students and volunteers of County; Third Party consultants, auditors and other independent contractors performing services for County; any governmental, accrediting or regulatory bodies lawfully requesting or requiring access to any Services; customers of County provided services; and any external users collaborating with County) authorized by County to access and use the Services provided by Contractor under this Agreement and passengers (i.e. County’s riders who are authorized by County to access or use the Justride Platform (via the Justride Retail Mobile App) to purchase a Product.

1.16. “End User Data” includes End User account credentials and information, and all records sent, received, or created by or for End Users, including email content, headers, and attachments, and any Protected Information of any End User or Third Party contained therein or in any logs or other records of Contractor reflecting End User’s use of Contractor Services.

1.17. "Enhancements" means any improvements, modifications, upgrades, updates, fixes, revisions and/or expansions to the Services that Contractor may develop or acquire and incorporate into its standard version of the Services or which the Contractor has elected to make generally available to its customers.

1.18.
“in-App End User Terms” means the terms for download, licence and use of the Justride Retail Mobile App for purchase of Products, as finally decided by County but materially in the form of the End User T&Cs set out at Exhibit A, Attachment 1 (End User Terms).

1.19. “Intellectual Property Rights” includes without limitation all right, title, and interest in and to all (a) Patent and all filed, pending, or potential applications for Patent, including any reissue, reexamination, division, continuation, or continuation-in-part applications throughout the world now or hereafter filed; (b) trade secret rights and equivalent rights arising under the common law, state law, and federal law; (c) copyrights, other literary property or authors rights, whether or not protected by copyright or as a mask work, under common law, state law, and federal law; (d) database rights, patents and rights in inventions, semi-conductor topography rights, design rights (whether registerable or otherwise) and registered designs, know-how, and moral right; and (d) proprietary indicia, trademarks, trade names, symbols, logos, and/or brand names under common law, state law, and federal law and other similar rights or obligations together with applications for registration and the right to apply for registration and all other rights (whether registerable or not) having equivalent or similar effect in any country or jurisdiction.

1.20. “Justride Hub” means Contractor’s responsive web back-office called the ‘Hub’ or ‘Justride Hub’ which offers customers a self-service consumer-grade user experience for securely operating the Justride Platform. Hub functionality encompasses tariff administration, customer services handling, all types of fare media, tariff setup, validation device management, reporting and analytics.

1.21. "Justride Platform" means components of Contractor’s Justride transit fare payments platform (IT systems and software - known as ‘the Justride Platform’) as detailed in the Contractor’s Proposal and including the Justride Hub and Justride Retail Mobile App, Justride Inspect Software and Justride SDK (if applicable) as described in the Contractor’s Proposal and deployed to and configured for the County.

1.22. “Masabi Hardware Warranty Plan” means the hardware warranty plan as set out in Exhibit C (Masabi Hardware Warranty Plan).

1.23. “PCI” means payment card information including any data related to credit card holders’ names, credit card numbers, or other credit card information as may be protected by state or federal law.

1.24. “PII” means personally identifiable information including, without limitation, any information maintained by the County about an individual that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. PII includes, but is not limited to, all information defined as personally identifiable information in C.R.S. §§ 24-72-501 and 24-73-101.

1.25. “PHI” means any protected health information, including, without limitation any information whether oral or recorded in any form or medium: (i) that relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes, but is not limited to, any information defined as Individually Identifiable Health Information by the federal Health Insurance Portability and Accountability Act.

1.26.
“Platform Services” means the Justride Platform configuration and implementation services described in the Contractor’s Proposal and Exhibit A (Statement of Work and Pricing).

1.27. “Product” means a ticket, pass, voucher, or similar mechanism which can be used to redeem transportation services from County.

1.28. “Protected Information” includes, but is not limited to, personally-identifiable information, student records, protected health information, criminal justice information or individual financial information and other data defined under C.R.S. § 24-72-101 et seq., and personal information that is subject to local, state or federal statute, regulatory oversight or industry standard restricting the use and disclosure of such information. The loss of such Protected Information would constitute a direct damage to the County.

1.29. "RFP Response" means any proposal submitted by Contractor to County in response to County's Request for Proposal ("RFP") titled 2020-007 ECRTA Transit Mobile Fare System.

1.30. “Scope of Support Services Document” means the Contractor’s support services (and service level agreement) for the Services and Justride Retail Mobile App (the app support being in-App support) set out in Exhibit E (Support Services and SLA) as amended by subsequent notification to County from time to time. Exhibit E (Support Services and SLA) outlines the Contractor’s support programs, the process for supporting and managing inbound customer and agency requests and also provides a detailed description of the Contractor’s ‘Incident Support Management’ process and the service level agreements (SLAs) for the Contractor to respond and resolve critical incidents.

1.31.
“Service(s)” means the service(s) provided or to be provided to County under (and pursuant to) this Agreement (as the case may be) and which shall comprise the Platform Services, Support Services and the Additional Services (if any) that provide the functionality and/or produce the results described in the Documentation, including without limitation all Enhancements thereto and all interfaces.

1.32. “Subcontractor” means any third party engaged by Contractor to aid in performance of the work or the Service.

1.33. “Support Services” means the support services to be provided in accordance with the provisions of the Scope of Support Services Document.

1.34. “Term” has the meaning set out in Section 18 (Term).

1.35. "Third Party" means persons, corporations and entities other than Contractor, County or any of their employees, contractors or agents.

1.36. “Third Party Host” means that the servers where the Contractor’s software resides is at physical location which is not controlled by the Contractor, sometimes called “managed hosting”, for example, Amazon Web Service.

1.37. “Validation Hardware” or “JRV” means the Justride electronic validation unit (and quantities) as described in under ‘Equipment’ in the Contractor’s Proposal and Exhibit A Scope of Work and Pricing.

1.38. “Validation Hardware PCI Compliance Plan” means the Masabi Hardware Justride Validator (JRV) Payment Card Industries (PCI) Hardware Compliance Plan set out at Exhibit D.

1.39. “Validation Hardware IAT Procedure” means the Masabi Generic JRV Installation Acceptance Test (IAT) Procedure at Exhibit B.

2. RIGHTS AND LICENSE IN AND TO DATA:

2.1.
The parties agree that as between them, all rights in and to County Data shall remain the exclusive property of County, and Contractor has a limited, nonexclusive license to access and use County Data as provided in this Agreement solely for the purpose of performing its obligations hereunder.

2.2. All End User Data and County Data created and/or processed by the Service is and shall remain the property of County and shall in no way become attached to the Service, nor shall Contractor have any rights in or to the County Data without the express written permission of the County and may not include Protected Information. Notwithstanding the foregoing, the County acknowledges and agrees that Masabi shall be entitled to generate analyses and meta-data from the use of the Justride Platform for the purposes of monitoring and improving the Justride Platform, developing new services and for Contractor’s other business purposes (the “Contractor Data”). Contractor shall own all of the Intellectual Property Rights in the Contractor Data (which shall be considered the Confidential Information of Contractor) and shall be entitled to freely use and exploit it, provided that Contractor shall ensure that such data cannot be used to identify any individual and is only published in aggregated format in a manner that does not enable the County or End Users to be identified.

2.3. This Agreement does not give a party any rights, implied or otherwise, to the other’s data, content, or intellectual property, except as expressly stated in the Agreement.

2.4. County retains the right to use the Service to access and retrieve data stored on Contractor’s Service infrastructure at any time during the term of this Agreement at its sole discretion.

3. DATA PRIVACY:

3.1.
Contractor will use County Data and End User Data only for the purpose of fulfilling its duties under this Agreement and for County’s and its End User’s sole benefit and will not share County Data with or disclose it to any Third Party without the prior written consent of County or as otherwise required by law. By way of illustration and not of limitation, Contractor will not use County Data for Contractor’s own benefit and, in particular, will not engage in “data mining” of County Data or communications, whether through automated or human means, except as specifically and expressly required by law or authorized in writing by County. PROVIDED THAT, County acknowledges and agrees that the Contractor shall be entitled to freely use Contractor Data as explained in Paragraph 2.2.

3.2. Contractor will provide access to County Data only to those Contractor employees, contractors and subcontractors (“Contractor Staff”) who need to access the County Data to fulfill Contractor’s obligations under this Agreement. Contractor will ensure that, prior to being granted access to the County Data, Contractor Staff who perform work under this Agreement have all undergone and passed criminal background screenings; have successfully completed annual instruction of a nature sufficient to enable them to effectively comply with all data protection provisions of this Agreement; and possess all qualifications appropriate to the nature of the employees’ duties and the sensitivity of the County Data they will be handling.

3.3. If Contractor receives personal identifying information of a Colorado resident under this Agreement, Contractor shall implement and maintain reasonable written security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of Contractor’s business and its operations.
Unless Contractor agrees to provide its own security protections for the information it discloses to a third-party service provider, Contractor shall require all its third-party service providers to implement and maintain reasonable written security procedures and practices that are appropriate to the nature of the personal identifying information disclosed and reasonably designed to help protect the personal identifying information subject to this Agreement from unauthorized access, use, modification, disclosure, or destruction. Contractor and its third-party service providers that maintain electronic or paper documents that contain personal identifying information under this Agreement shall develop a written policy for the destruction of such records by shredding, erasing, or otherwise modifying the personal identifying information to make it unreadable or indecipherable when the records are no longer needed.

3.4. The Contractor uses AWS servers located in the USA in order to provide the services offered by the Justride Retail Mobile App. However, County Data may be accessed by Contractor employees in locations outside the USA for the purposes of supporting the Justride Platform and providing the Services. County acknowledges and agrees that the County Data may be accessed by Contractor employees in the UK and/or Romania for the purposes of supporting the Justride Platform and providing the Services and meeting the Contractor’s other obligations under this Contract. County shall ensure that it is entitled to transfer the relevant County Data to the Contractor so that the Contractor may lawfully use, process and transfer the County Data in accordance with this Contract on County’s behalf.

3.5.
Contractor may provide County Data to its agents, employees, assigns, and Subcontractors as necessary to perform the work, but shall restrict access to Confidential Information to those agents, employees, assigns, and subcontractors who require access to perform their obligations under this Agreement. Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Agreement, and that the nondisclosure provisions are in force at all times the agent, employee, assign, or Subcontractor has access to any Confidential Information. Contractor shall provide copies of those signed nondisclosure provisions to the County upon execution of the nondisclosure provisions if requested by the County.

4. DATA SECURITY AND INTEGRITY:

4.1. All facilities, whether Contractor hosted or Third Party Hosted, used to store and process County Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service availability and to secure County Data from unauthorized access, destruction, use, modification, or disclosure. Such measures include, but not limited to all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Children’s Online Privacy Protection Act (COPPA), (vi) the Family Education Rights and Privacy Act (FERPA), (vii) C.R.S.
§ 24-72-101 et seq., (viii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (ix) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. The Contractor shall submit to the County, within fifteen (15) days of the County’s written request, copies of the Contractor’s policies and procedures to maintain the confidentiality of protected health information to which the Contractor has access, and if applicable, Contractor shall comply with all HIPAA requirements contained herein or attached as an exhibit.

4.2. Contractor warrants that all County Data and End User Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard.

4.3. Contractor shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement. Both parties shall take reasonable steps to minimize the risk of the transmission of viruses from that party’s systems to the systems of the other party or its third-party contractors.

4.4. Contractor shall, and shall cause its Subcontractors, to do all of the following:

4.4.1. Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement.

4.4.2.
Maintain network, system, and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or enhancements consistent with evolving industry standards.

4.4.3. Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing.

4.4.4. Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments. Provided that if Contractor has complied with all of its obligations under the Agreement (including Section 4.2) it shall not be liable for any third party unauthorized access.

4.4.5. Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity.

4.4.6. Upon reasonable prior written notice (and not less than fourteen (14) days), Contractor shall provide the County with scheduled access for the purpose of inspecting and monitoring access and use of County Data, maintaining County systems, and evaluating physical and logical security control effectiveness. Except where there has been a Data Incident, such access shall be limited to two (2) times per year throughout the Term.

4.4.7. Contractor shall perform current background checks in a form reasonably acceptable to the County on all of its respective employees and agents performing services or having access to County Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within 30 days prior to the date such employee or agent begins performance or obtains access to County Data shall be deemed to be current.

4.4.8.
Upon request by the County, Contractor will provide notice to the County IT Department confirming that background checks have been performed. Such notice will inform the County of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check.

4.4.9. If Contractor will have access to Federal Tax Information under the Agreement, Contractor shall comply with the background check requirements defined in IRS Publication 1075 and §24-50-1002, C.R.S.

4.5. Contractor shall use, hold, and maintain Confidential and Protected Information in compliance with any and all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information.

4.6. Prior to the Effective Date of this Agreement, Contractor, will at its expense conduct or have conducted the following, and thereafter, Contractor will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident:

4.6.1. A SSAE 16/SOC 2 or other mutually agreed upon audit of Contractor’s security policies, procedures and controls;

4.6.2. A quarterly external and internal vulnerability scan of Contractor’s systems and facilities, to include public facing websites, that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high;

4.6.3. A formal penetration test, performed by a process and qualified personnel of Contractor’s systems and facilities that are used in any way to deliver Services under this Agreement.

4.7.
Contractor will provide County the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of Contractor’s receipt of such results.

4.8. Based on the results and recommendations of the above audits, certifications, scans and tests, Contractor will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement and provide County with written evidence of remediation.

4.9. On fourteen (14) days’ written notice to Contractor, County may require, at its expense, that Contractor perform additional audits and tests, the results of which will be provided to County within seven (7) business days of Contractor’s receipt of such results. Except where there has been a Data Incident, such access shall be limited to two (2) times per year throughout the Term.

4.10. County shall (i) use all reasonable commercial endeavors to reduce levels of fraud and/or chargebacks in relation to the Products; and (ii) shall not (and shall use all reasonable commercial endeavors to procure that the End Users shall not) access or use the Justride Platform other than as and to the extent reasonably required for the purposes of using the Services as anticipated by this Contract. “Reasonable commercial endeavors” includes:

4.10.1. preventing access to the App by an End User upon the Contractor informing the Customer in writing of suspected fraudulent activity by such End Users; and

4.10.2.
placing a warning to rider End Users in the In-App End User Terms of the potential consequences of suspected fraudulent activity (as set out in sections 4.10.1 and 4.10.2 above), in relation to End User’s use of the Justride Retail Mobile App and Products, provided that nothing in this section 4.10 requires County to do anything that is not in compliance with all applicable laws and regulations (including US consumer law).

4.11. The Contractor shall be entitled to suspend or restrict access to the Justride Platform in whole or in part at any time without liability to County where:

4.11.1. the Contractor reasonably considers that this is necessary to protect the Justride Platform or the data held on it or the systems of any other customer of the Contractor; or

4.11.2. the Contractor reasonably considers that County or an End User (as the case may be) is seeking to access or use the Justride Platform other than in accordance with this Contract.

4.12. The Contractor shall notify County in writing as soon as reasonably practicable of any suspension or restriction under section 4.11. The Contractor shall also restore access to the Justride Platform promptly after the matter that led the Contractor to restrict suspend access has been resolved to the Contractor’s reasonable satisfaction.

5. RESPONSE TO LEGAL ORDERS, DEMANDS OR REQUESTS FOR DATA:

5.1. Except as otherwise expressly prohibited by law, Contractor will:

5.1.1. If required by a court of competent jurisdiction or an administrative body to disclose County Data, Contractor will notify County in writing immediately upon receiving notice of such requirement and prior to any such disclosure;

5.1.2. Consult with County regarding its response;

5.1.3. Cooperate with County’s reasonable requests in connection with efforts by County to intervene and quash or modify the legal order, demand or request; and

5.1.4.
Upon County’s request, provide County with a copy of its response.
5.2. If County receives a subpoena, warrant, or other legal order, demand or request seeking data maintained by Contractor, County will promptly provide a copy to Contractor. Contractor will supply County with copies of data required for County to respond within three (3) Business Days after receipt of copy from County and will cooperate with County’s reasonable requests in connection with its response.
6. DATA INCIDENT RESPONSE:
6.1. The Contractor shall maintain documented policies and procedures for Data Incident and breach reporting, notification, and mitigation. If the Contractor becomes aware of any Data Incident, it shall notify the County immediately (and within 48 hours of becoming aware of the Data Incident) and cooperate with the County regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the County. The Contractor shall cooperate with the County to satisfy notification requirements as currently defined in either federal, state, or local law. Unless Contractor can establish that none of Contractor or any of its agents, employees, assigns or subcontractors are the cause or source of the Data Incident, Contractor shall be responsible for the reasonable cost of notifying each person who may have been impacted by the Data Incident. After a Data Incident, Contractor shall take steps to reduce the risk of incurring a similar type of Data Incident in the future as directed by the County, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the County at no additional cost to the County.
6.2.
Contractor shall report, either orally or in writing, to County any Data Incident involving County Data, or circumstances that could have resulted in unauthorized access to or disclosure or use of County Data, not authorized by this Agreement or in writing by County, including any reasonable belief that an unauthorized individual has accessed County Data. Contractor shall make the report to County immediately upon discovery of the unauthorized disclosure, but in no event more than forty-eight (48) hours after Contractor reasonably believes there has been such unauthorized use or disclosure. Oral reports by Contractor regarding Data Incidents will be reduced to writing and supplied to County as soon as reasonably practicable, but in no event more than forty-eight (48) hours after oral report.
6.3. Immediately upon becoming aware of any such Data Incident, Contractor shall fully investigate the circumstances, extent and causes of the Data Incident, and report the results to County and continue to keep County informed daily of the progress of its investigation until the issue has been effectively resolved.
6.4. Contractor’s report discussed herein shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure (if known), (iv) what Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or shall take to prevent future similar unauthorized use or disclosure.
6.5.
Within ten (10) calendar days (or such other time as may be agreed between the parties given the nature of the Data Incident) of the date Contractor becomes aware of any such Data Incident, Contractor shall have completed implementation of corrective actions to remedy the Data Incident, restore County access to the Services as directed by County, and prevent further similar unauthorized use or disclosure.
6.6. Contractor, at its expense, shall cooperate fully with County’s investigation of and response to any such Data Incident.
6.7. Except as otherwise required by law, Contractor will not disclose or otherwise provide notice of the incident directly to any person, regulatory agencies, or other entities, without prior written permission from County.
6.8. Notwithstanding any other provision of this Agreement, and in addition to any other remedies available to County under law or equity, Contractor will promptly reimburse County in full for all reasonable costs incurred by County in any investigation, remediation or litigation resulting from any such Data Incident, including but not limited to providing notification to Third Parties whose data were compromised and to regulatory bodies, law-enforcement agencies or other entities as required by law or contract; establishing and monitoring call center(s), and credit monitoring and/or identity restoration services to assist each person impacted by a Data Incident in such a fashion that, in County’s (acting reasonably and in good faith) sole discretion, could lead to identity theft; and the payment of reasonable legal fees and expenses, audit costs, fines and penalties, and other fees imposed by regulatory agencies, courts of law, or contracting partners as a result of the Data Incident.
PROVIDED THAT this section 6.8 shall not apply where the Data Incident (i) is not caused by the Contractor breaching its contractual obligations; or (ii) is caused by an act or omission of County.
7. DATA RETENTION AND DISPOSAL:
7.1. Contractor will retain Data in an End User’s account, including attachments, until the End User deletes them or for the time period mutually agreed to by the parties in this Agreement.
7.2. Using appropriate and reliable storage media, Contractor will regularly backup Data and retain such backup copies consistent with the County’s data retention policies.
7.3. At the County’s election, Contractor will either securely destroy or transmit to County repository any backup copies of County and/or End User Data. Contractor will supply County a certificate indicating the records disposed of, the date disposed of, and the method of disposition used.
7.4. Contractor will retain logs associated with End User activity consistent with the County’s data retention policies.
7.5. Contractor will immediately preserve the state of the data at the time of the request and place a “hold” on data destruction or disposal under its usual records retention policies of records that include data, in response to an oral or written request from County indicating that those records may be relevant to litigation that County reasonably anticipates. Oral requests by County for a hold on record destruction will be reduced to writing and supplied to Contractor for its records as soon as reasonably practicable under the circumstances. County will promptly coordinate with Contractor regarding the preservation and disposition of these records. Contractor shall continue to preserve the records until further notice by County.
8. DATA TRANSFER UPON TERMINATION OR EXPIRATION:
8.1.
Upon expiration or earlier termination of this Agreement or any Services provided in this Agreement, Contractor shall assist County with a complete transition of the Services from Contractor to the County or any replacement provider designated solely by the County and use reasonable endeavors to minimize any interruption of or adverse impact on the Services or any other services provided by third parties in this Agreement. Contractor shall provide reasonable cooperation to/with the County or such replacement provider and (in accordance with the timetable in any exit plan agreed with County) take all steps reasonably required to assist in effecting a complete transition of the Services designated by the County. Where the Agreement has been terminated for cause by County all services provided by Contractor related to such transition shall be performed at no additional cost beyond what would be paid for the Services in this Agreement. In all other circumstances of expiry or termination, (i) County shall pay Contractor’s reasonable fees for all services provided by Contractor related to such transition; and (ii) the parties shall agree (and document in writing) the transition services fees (if any) payable to Contractor, prior to any transition services being provided.
8.2. In the event of termination of any services or agreement in entirety, the Contractor shall not take any action to intentionally erase any County Data for a period of 60 days after the effective date of termination. After such period, the Contractor shall have no obligation to maintain or provide any County Data. After the 60 day period, unless otherwise agreed upon by Contractor and County in writing, Contractor will securely dispose of all County Data in its systems or otherwise in its possession or under its control.
8.3. During any period of service suspension, the Contractor shall not take any action to intentionally erase any County Data.
9.
SERVICE LEVELS: Incorporated into Masabi Support Program 3.3 - 2021_1_SLA update - Attachment E.
10. INTERRUPTIONS IN SERVICE; SUSPENSION AND TERMINATION OF SERVICE; CHANGES TO SERVICE: Incorporated into Agreement and Scope of Work. For operational and other reasons, Masabi may at any time vary the technical specification and form of the Services without seeking the consent of County PROVIDED THAT such variation does not detract from or impair to a material degree the overall operation or performance of Services or will or may result in County incurring additional costs or expenses. Contractor shall give notice to County of any such variation as soon as practicable. The expense of any such variation shall be borne by Contractor.
11. COMPLIANCE WITH APPLICABLE LAWS AND COUNTY POLICIES: Contractor will comply with all applicable laws, codes, rules and regulations in performing the Services under this Agreement. Any Contractor personnel visiting County’s facilities will comply with all applicable County policies regarding access to, use of, and conduct within such facilities. County will provide copies of such policies to Contractor upon request.
12. WARRANTIES, REPRESENTATIONS AND COVENANTS: Contractor represents and warrants that:
12.1. The Service will conform to applicable specifications, and operate and produce results substantially in accordance with the Documentation and the Exhibits attached hereto, and will be free from material deficiencies and material defects in materials, workmanship, design and/or performance during the Term of this Agreement.
12.2. All technology related services will be performed by qualified personnel in a professional and workmanlike manner, consistent with industry standards.
12.3.
Contractor has the requisite ownership, rights and licenses to perform its obligations under this Agreement fully as contemplated hereby and to grant to the County all rights with respect to the software and Services free and clear from all liens, adverse claims, encumbrances and interests of any Third Party.
12.4. There are no pending or threatened lawsuits, claims, disputes or actions: (i) alleging that any software or service infringes, violates or misappropriates any Third Party rights; or (ii) adversely affecting any software, service or supplier's ability to perform its obligations hereunder.
12.5. The Service will not violate, infringe, or misappropriate any patent, copyright, trademark, trade secret, or other intellectual property or proprietary right of any Third Party.
12.6. Excluding anything introduced by County or from County Data, the software and Service will contain no malicious or disabling code that is intended to damage, destroy or destructively alter software, hardware, systems or data. Excluding County Data, Contractor shall be responsible for the completeness and accuracy of the Services (excluding County Data and documents prepared or compiled by County), including all supporting data or other documents prepared or compiled in performance of the Services, and shall correct, at its sole expense, all significant errors and omissions therein. The fact that the County has accepted or approved the Services shall not relieve Contractor of any of its responsibilities.
If Contractor is unable to correct any breach in the Services warranty by the date which is sixty (60) calendar days after County provides notice of such breach, County may, in its sole discretion, either extend the time for Contractor to cure the breach or terminate this Agreement for cause and receive a full refund of all amounts paid to Contractor under this Agreement during the period from the date of County notification of the breach to the date of termination.
12.7. Disabling Code Warranty. Contractor represents, warrants and agrees that the Services do not contain and County will not receive from Contractor (through any intentional act/omission of Contractor or Contractor’s default of its obligations under this Agreement) any virus, worm, trap door, back door, timer, clock, counter or other limiting routine, instruction or design, or other malicious, illicit or similar unrequested code, including surveillance software or routines which may, or is designed to, permit access by any person, or on its own, to erase, or otherwise harm or modify any County system or Data (a "Disabling Code"). In the event a Disabling Code is identified and is introduced (as a result of an intentional act/omission of Contractor or Contractor’s default of its obligations under this Agreement), Contractor shall (using all reasonable commercial endeavors) take all steps necessary, at no additional cost to County, to: (a) restore and/or reconstruct any and all Data lost by County as a result of Disabling Code; (b) furnish to County a corrected version of the Services without the presence of Disabling Codes; and, (c) as needed, re-implement the Services at no additional cost to County. This warranty shall remain in full force and effect as long as this Agreement remains in effect.
12.8. Third Party Warranties and Indemnities.
Contractor will assign to County all Third Party warranties and indemnities that Contractor receives in connection with any products provided to County. To the extent that Contractor is not permitted to assign any warranties or indemnities through to County, Contractor agrees to specifically identify and enforce those warranties and indemnities on behalf of County to the extent Contractor is permitted to do so under the terms of the applicable Third Party agreements.
12.9. THE WARRANTIES SET FORTH ABOVE ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THE SERVICES PURSUANT TO THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY.
13. CONFIDENTIALITY:
13.1. Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all County Data, unless the County Data are publicly available. Contractor shall not, without prior written approval of the County, use, publish, copy, disclose to any third party, or permit the use by any third party of any County Data, except as otherwise stated in this Agreement, permitted by law, or approved in writing by the County. Contractor shall provide for the security of all Confidential Information in accordance with all applicable laws, rules, policies, publications, and guidelines. If Contractor or any of its Subcontractors will or may receive the following types of data, Contractor or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax Information and in accordance with the Safeguarding Requirements for Federal Tax Information, attached to this Contract as an Exhibit if applicable; (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI; (iii) the most recently issued version of the U.S.
Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI; and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and in accordance with the HIPAA Business Associate Agreement attached to this Agreement as an Exhibit if applicable.
13.2. A Receiving Party shall ensure, with respect to all Confidential Information obtained by or on behalf of it from or relating to the Disclosing Party, any affiliate of the Disclosing Party, or the Disclosing Party’s employees or agents in connection with the Agreement or its performance, that it:
13.2.1. does not disclose it to any person except where and to the extent expressly permitted under section 13.3;
13.2.2. maintains it in confidence and takes all reasonable precautions to prevent any unauthorized disclosure or use of it including taking at least the same steps to protect it as it does with its own confidential information; and
13.2.3. uses it only to perform its obligations or exercise or evaluate its rights under this Agreement.
13.3. Each party agrees to exercise the same degree of care and protection with respect to the Confidential Information that it exercises with respect to its own similar Confidential Information and not to directly or indirectly provide, disclose, copy, distribute, republish or otherwise allow any Third Party to have access to any Confidential Information without prior written permission from the disclosing party. However: (a) either party may disclose Confidential Information to its employees and authorized agents who have a need to know; (b) either party may disclose Confidential Information if so required to perform any obligations under this Agreement; and (c) either party may disclose Confidential Information if so required by law (including court order or subpoena) in which case the Receiving Party shall give the Disclosing Party prompt notice of the relevant court order or subpoena.
Nothing in this Agreement shall in any way limit the ability of County to comply with any laws or legal process concerning disclosures by public entities. Contractor acknowledges that any responses, materials, correspondence, documents or other information provided to County are subject to applicable state and federal law, including CORA, and that the release of Confidential Information in compliance with those acts or any other law will not constitute a breach or threatened breach of this Agreement.
13.4. Each party will inform its employees and officers of the obligations under this Agreement, and all requirements and obligations of the Receiving Party under this Agreement shall survive the expiration or earlier termination of this Agreement. Contractor shall not disclose County Data or Confidential Information to subcontractors unless such subcontractors are bound by non-disclosure and confidentiality provisions at least as strict as those contained in this Agreement.
14. COLORADO OPEN RECORDS ACT: The parties understand that all the material provided or produced under this Agreement, including items marked Proprietary or Confidential, may be subject to the Colorado Open Records Act, C.R.S. § 24-72-201, et seq. In the event of a request to the County for disclosure of such information, the County shall advise Contractor of such request in order to give Contractor the opportunity to object to the disclosure of any of its documents which it marked as proprietary or confidential material. In the event of the filing of a lawsuit to compel such disclosure, the County will tender all such material to the court for judicial determination of the issue of disclosure and Contractor agrees to intervene in such lawsuit to protect and assert its claims of privilege against disclosure of such material or waive the same.
Contractor further agrees to defend, indemnify and save and hold harmless the County, its officers, agents and employees, from any claim, damages, expense, loss or costs arising out of Contractor’s intervention to protect and assert its claim of privilege against disclosure under this Article including but not limited to, prompt reimbursement to the County of all reasonable attorney fees, costs and damages that the County may incur directly or may be ordered to pay by such court.
15. SOFTWARE AS A SERVICE, SUPPORT AND SERVICES TO BE PERFORMED:
15.1. Contractor, under the general direction of, and in coordination with, the County’s ECO Transit Department or other designated supervisory personnel (the “Manager”) agrees to provide the Services listed on Exhibit A and perform the technology related services described on attached Exhibit A (the “Scope of Work” or “SOW”). As part of the SOW, Exhibit B explains the Validator IAT Procedure and is incorporated herein.
15.2. In consideration for and subject to payment of the Charges and the other terms of this Contract, the Contractor shall provide to County throughout the Term:
15.2.1. access to and use of the Justride Platform in accordance with section 16 (Grant of Licenses and Restrictions);
15.2.2. the Platform Services;
15.2.3. the Support Services; and
15.2.4. any requested Additional Services as may be agreed in writing between the parties from time to time.
15.3. Contractor shall display, and list the Products on the Justride Retail Mobile App and resell the Products through the Justride Retail Mobile App and shall accept and process orders for and take payments for such Products through the Justride Retail Mobile App as merchant of record.
15.4.
As the Manager directs, the Contractor shall diligently undertake, perform, and complete all of the technology related services and produce all the deliverables set forth on Exhibit A to the County’s satisfaction.
15.5. By signing below, Contractor represents that it has the expertise and personnel necessary to properly and timely perform the technology related services and the Services required by this Agreement.
15.6. The Contractor shall faithfully perform the technology related services in accordance with the standards of care, skill, training, diligence, and judgment provided by highly competent individuals performing services of a similar nature to those described in the Agreement and in accordance with the terms of the Agreement.
15.7. User ID Credentials. Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
15.7.1. Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
15.7.2. Account credential lifecycle management from instantiation through revocation
15.7.3. Account credential and/or identity store minimization or re-use when feasible
15.7.4. Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expirable, non-shared authentication secrets)
15.8. Vendor Supported Releases. The Contractor shall maintain the currency of all third-party software used in the development and execution or use of the software including, but not limited to: all code libraries, frameworks, components, and other products (e.g., Java JRE, code signing certificates, .NET, jQuery plugins, etc.), whether commercial, free, open-source, or closed-source; with third-party vendor approved and supported releases.
15.9. Azure AD.
The County’s Identity and Access Provider system is an integrated infrastructure solution that enables many of the County’s services and online resources to operate more efficiently, effectively, economically and securely. All new and proposed applications must utilize federated single sign-on via Azure AD. Strong authentication is required for privileged accounts or accounts with access to sensitive information. This technical requirement applies to all solutions, regardless of where the application is hosted.
Validation Hardware and Warranty
15.10. The Contractor shall provide County with the Validation Hardware. The Contractor is not responsible for installation and/or configuration of the Validation Hardware, which shall be installed and configured by Customer (or its appointed installation agent or subcontractor) in accordance with the Documentation and specifications provided by the Contractor. Customer shall carry out installation acceptance testing using and following the Validation Hardware IAT Procedure to ensure that installation has been completed satisfactorily and confirm the results with the Contractor in writing.
15.11. Subject to the remainder of this Section 15, the Contractor warrants that the Validation Hardware is free from defects in manufacturing or workmanship for a period of 12 months after delivery to County (or its appointed installation agent or subcontractor) (the “Warranty Period”).
15.12. The Contractor provides a ‘back to base’ repair or replacement warranty as set out in the Masabi Hardware Warranty Plan as set out in Exhibit C (Hardware Warranty Plan for Validators). The warranty cover is provided at no cost to County during the 12 month Warranty Period. If County's warranty claim is subsequently found by the Contractor to be outside the scope or duration of the warranty, the costs of investigation and repair shall be borne by County.
15.13.
County is responsible for ensuring they have sufficient spares of the Validation Hardware in stock to ensure that there is no impact on their baseline service whilst any Validation Hardware is returned for ‘under warranty’ repairs.
15.14. The Contractor shall not in any circumstances be liable for any damage or defect to the Validation Hardware caused by improper use of the Validation Hardware or use outside its normal application.
cEMV Readiness
15.15. County shall at all times comply with all requirements of the Validation Hardware PCI Compliance Plan.
15.16. The Contractor encourages County to be ready for cEMV. If cEMV is planned, County must comply with the requirements of sections 15.17 to 15.22 (inclusive) or risk additional costs if it fails to comply and at some future date requires cEMV.
15.17. County shall (i) carry out self-service “Chain of Custody” training prior to receipt of Validation Hardware; (ii) comply with its Chain of Custody obligations; and (iii) have secure locations to maintain access to the Validation Hardware. For the purposes of this clause, ‘Chain of Custody’ is a process for receiving, using and storing cEMV equipment.
15.18. County shall visually inspect each installed or stored JRV once per year, and record details of the inspection, sending a record of the inspections to the Contractor (the “County Submitted Records”). County shall return all damaged/broken/decommissioned units back to the Contractor.
15.19. County shall store all Validation Hardware in a secure location when they are not fitted to a bus or otherwise in use, and provide details of the storage locations (per-device) to the Contractor.
15.20.
When the Contractor provides a web-based audit support tool to assist County in collecting the requested information in sections 15.21 and 15.22, County shall only use the web-based audit support tool to perform the annual inspection and secure storage tracking activities.
15.21. County shall, on demand (i) provide or procure access for the Contractor to the premises at which the Validation Hardware are (in accordance with section 15.17) stored; and (ii) provide reasonable co-operation and support to the Contractor, for the purposes of the Contractor conducting an on-site audit to verify County Submitted Records with the actual physical devices. If the above requirements are not complied with then the Contractor may give immediate notice and subsequently discontinue any cEMV service that may be provided to County.
15.22. County shall at all times comply with all requirements of the Validation Hardware PCI Compliance Plan if County wants to receive cEMV services at a future date. If County does not comply with all requirements of the Validation Hardware PCI Compliance Plan then it will face additional work and associated costs if it wants to receive cEMV services at a future date. As at the Effective Date, the works (and associated costs) include, but are not limited to, having to remove all Validation Hardware units and return them to the Contractor for Contractor to inspect each unit to see if the XAC processing chip element has been tampered with in any way and potentially change out the XAC processing chip element and on return of the Validation Hardware units to County, for County to re-install each unit on the buses. All removal, shipping (to and from Contractor), review and (potential) replacement of the XAC processing chip element by Contractor and re-installation costs associated with this work are all at County’s cost. Masabi’s costs associated with the additional work it will carry out (i.e.
inspecting each unit to see if the XAC processing chip element has been tampered with in any way and potentially changing out the XAC processing chip element) are not possible to accurately quantify at this point.
Validation Hardware - Title and Risk
15.23. Title to and ownership of the Validation Hardware shall pass to County on payment in full in accordance with the terms of this Contract. Risk of loss of the Validation Hardware will pass to County at the point of landing delivery at the Premises.
15.24. From the point of landing delivery of the Validation Hardware at the Premises until title and ownership has passed to County under Section 15.23, County shall:
15.24.1. hold the Validation Hardware on a fiduciary basis as the Contractor’s bailee;
15.24.2. store the Validation Hardware (at no cost to the Contractor) in satisfactory conditions and separately from all County’s other equipment or that of a third party, so that it remains readily identifiable as the Contractor’s property; and
15.24.3. not destroy, deface or obscure any identifying mark or packaging on or relating to the Validation Hardware.
15.25. County’s right to possession of the Validation Hardware before ownership has passed to it shall terminate immediately if any of the circumstances set out in section 21.5 (Termination for Insolvency) arise or if County elects to encumber or in any way place a charge over the Validation Hardware.
15.26. Until title and ownership of the Validation Hardware is transferred to County in accordance with section 15.23, County grants the Contractor, its agents and employees an irrevocable licence to enter any vehicle or premises, on reasonable prior notice, where the Validation Hardware is or may be installed or stored in order to inspect it, or where County’s right to possession has terminated, to remove it.
All reasonable costs incurred by the Contractor in repossessing the Validation Hardware shall be borne by County.
Validator Disposal and Resale
15.27. County shall comply with its obligations in relation to disposal of the Validation Hardware set out in the Validation Hardware PCI Compliance Plan. Further, County is not permitted to resell the Validation Hardware without written consent from the Contractor.
15.28. EXCEPT FOR THE WARRANTIES SET OUT IN THE CONTRACT, ALL SERVICES MATERIALS, AND RIGHTS ARE PROVIDED "AS IS" AND THE CONTRACTOR HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHER, AND THE CONTRACTOR SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE. WITHOUT LIMITING THE FOREGOING, CONTRACTOR MAKES NO WARRANTY OF ANY KIND THAT THE SERVICES OR PROVIDER MATERIALS, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET TRANSIT AGENCY CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE OR ERROR FREE. ALL THIRD-PARTY MATERIALS ARE PROVIDED "AS IS" AND ANY REPRESENTATION OR WARRANTY OF OR CONCERNING ANY THIRD-PARTY MATERIALS IS STRICTLY BETWEEN CUSTOMER AND THE THIRD-PARTY OWNER OR DISTRIBUTOR OF THE THIRD-PARTY MATERIALS.
16. GRANT OF LICENSE; RESTRICTIONS:
16.1. Contractor grants to County, for the term of the Agreement, a non-exclusive, royalty-free license to access and use the Justride Platform, the Documentation and the results of any Additional Services in the Territory in connection with the Services and as contemplated under this Agreement (the “Licensed Products”). County shall have a right to use and receive all Updates free of charge during the Term of this Agreement.
County shall also be entitled to receive software Updates to onboard hardware, free of charge, as Contractor may release such Updates during the Term of this Agreement. 16.2. License Restrictions: County shall not: 16.2.1. copy any part or all of the Licensed Products except as and to the extent expressly required to be permitted by law or any regulation or pursuant to an order of any court or governmental authority (to the extent applicable), or as contemplated in (and expressly permitted by) this Agreement; 16.2.2. alter, adapt, modify, translate, reverse engineer, disassemble or decompile the Licensed Products in any way or for any purpose, including without limitation, for error correction, except as and to the extent expressly permitted by this Agreement or as required to be permitted by law or any regulation or pursuant to an order of any court or governmental authority (to the extent applicable); 16.2.3. except as permitted under section 16.2.2 above, remove, change or obscure any aspect of the Licensed Products identification or notice of proprietary rights and restrictions on or in relation to the Licensed Products; 16.2.4. incorporate any part or all of the Licensed Products, or knowingly allow them to be incorporated, into any other product or documentation other than strictly as and to the extent contemplated by and for the purposes of using the Licensed Products in accordance with this Agreement; or 16.2.5. load, use or sub-licence or otherwise make available any or all of the Licensed Products otherwise than as expressly permitted by this Agreement. 16.3. Title to and ownership of Licensed Products and the Service, including any solution provided to County to meet the requirements of the Statement of Work, will remain with Contractor. County will not reverse engineer or reverse compile any part of the Licensed Products or Service. 
County will not remove, obscure or deface any proprietary notice or legend contained in the Licensed Products, Service or Documentation without Contractor's prior written consent. 16.4. County grants the use of its name and any company logos to Contractor for the purposes of Contractor’s sales and marketing for the duration of this Agreement. 17. DELIVERY AND ACCEPTANCE: 17.1. During the implementation of the Service, the County may test and evaluate the Service to ensure that the Service conforms, in the County’s reasonable judgment, to the specifications outlined in the SOW or the Documentation. If at any time during implementation of the Service (excluding the JRVs which are subject to the hardware warranty in sections 15.11 and 15.12 and Exhibit C (Masabi Hardware Warranty Plan)) does not conform to said specifications, the County will notify Contractor in writing within sixty (60) days. Contractor will, at its expense, repair or replace the nonconforming Service within fifteen (15) days after receipt of the County’s notice of deficiency. The foregoing procedure will be repeated until the County accepts or finally rejects the Service, in whole or part, in its sole discretion. In the event that the Service does not perform to the County’s satisfaction, the County reserves the right to repudiate acceptance and terminate this Agreement (in its sole discretion) on thirty (30) days’ written notice to Contractor. In the event that the County finally rejects the Service, or repudiates acceptance of it and terminates this Agreement, Contractor will refund to the County all fees paid, if any, by the County with respect to the Service. 17.2. During implementation of the Service, if the County is not satisfied with the Contractor’s performance of the technology related services described in the SOW, the County will so notify Contractor within thirty (30) days after Contractor’s performance thereof. 
Contractor will, at its own expense, re-perform the service within fifteen (15) days after receipt of County's notice of deficiency. The foregoing procedure will be repeated until County accepts or finally rejects the technology related service in its sole discretion. In the event that County finally rejects any technology related service, Contractor will refund to County all fees paid by County with respect to such technology related service. 18. TERM: This Agreement shall commence upon the date first written above, and subject to the provisions of paragraph 19 hereof, shall continue for one year. Thereafter, this agreement shall be automatically renewed for successive periods of 12 months (each a “Renewal Period”), unless either party notifies the other party of termination, in writing, at least sixty (60) days before the end of the initial Term or any Renewal Period. 19. COMPENSATION AND PAYMENT: 19.1. Fee: The fee for implementation of the Services and technology related services is described in Exhibit A and is capped at $294,299.35 (the “Services Implementation Fee”). The Services Implementation Fee shall be paid in accordance with the Payment Milestones in Exhibit A. County will not withhold any taxes from monies paid to the Consultant hereunder and Consultant agrees to be solely responsible for the accurate reporting and payment of any taxes related to payments made pursuant to the terms of this Agreement. The fee for ongoing services (i.e. all Product related transaction fees and license fees post implementation of the Services) are set out in Appendix A (Scope of Work and Pricing) shall be paid monthly. 19.2. Reimbursement Expenses: Any out-of-pocket expenses to be incurred by Contractor and reimbursed by County shall be identified on Exhibit A. 
Out-of-pocket expenses will be reimbursed without any additional mark-up thereon and are included in the Maximum Payment Obligation set forth below. Out-of-pocket expenses shall not include any payment of salaries, bonuses or other compensation to personnel of Contractor. Contractor shall not be reimbursed for expenses that are not set forth on Exhibit A unless specifically approved in writing by County. 19.3. Invoicing: Contractor must submit an invoice which shall include clear identification of the deliverable that has been completed, and other information reasonably requested by the County. Payment will be made for Services satisfactorily performed within thirty (30) days of receipt of a proper and accurate invoice from Contractor. 19.4. Maximum Payment Obligation: 19.4.1. Notwithstanding any other provision of the Agreement, the County’s maximum payment obligation for the Services Implementation Fee shall not exceed $294,299.35 (the “Maximum Implementation Payment Obligation”). No Additional Services or work performed by Contractor shall be the basis for additional compensation unless and until Contractor has obtained written authorization and acknowledgement by County for such Additional Services in accordance with County’s internal policies. Accordingly, no course of conduct or dealings between the parties, nor verbal change orders, express or implied acceptance of alterations or additions to the Services, and no claim that County has been unjustly enriched by any Additional Services, whether or not there is in fact any such unjust enrichment, shall be the basis of any increase in the compensation payable hereunder. 
In the event that written authorization and acknowledgment by County for such Additional Services is not timely executed and issued in strict accordance with this Agreement, Contractor’s rights with respect to such Additional Services shall be deemed waived and such failure shall result in non-payment for such Additional Services or work performed. For any Renewal Period, the OPEX Costs shall not exceed the sum that is equal to a three percent (3%) increase over the prior year’s OPEX Costs. “OPEX Costs” means, from Appendix A (Statement of Work and Pricing), the Platform hosting fee of $12,000 per year and the Inspect embedded license of $9,600.00 per year as set out in Appendix A (Statement of Work and Pricing). 19.4.2. Notwithstanding anything to the contrary contained in this Agreement, County and Contractor shall have no obligations under this Agreement after, nor shall any payments be made to Contractor in respect of any period after December 31 of any year, without an appropriation therefor by County in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. § 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20) (the “Approved Funds Appropriation”). Notwithstanding any other term of this Agreement, Contractor shall have no obligation to provide Services and this Agreement shall automatically terminate if County does not receive the Approved Funds Appropriation. 19.5. 
If, at any time during the term or after termination or expiration of this Agreement, County reasonably determines that any payment made by County to Contractor was improper because the Services for which payment was made were not performed as set forth in this Agreement, then upon written notice of such determination and request for reimbursement from County, Contractor shall forthwith return such payment(s) to County EXCEPT WHERE Contractor disputes the matter and in such case the parties shall refer the matter to the senior management for resolution. Upon termination or expiration of this Agreement, unexpended funds advanced by County, if any, shall forthwith be returned to County. 20. STATUS OF CONTRACTOR: This Agreement constitutes an agreement for performance of the Services by Contractor as an independent contractor and not as an employee of County. Nothing contained in this Agreement shall be deemed to create a relationship of employer-employee, master-servant, partnership, joint venture or any other relationship between County and Contractor except that of independent contractor. Contractor shall have no authority to bind County. 21. TERMINATION AND SUSPENSION: 21.1. County may terminate this Agreement, in whole or in part, at any time and for any reason, with or without cause, and without penalty therefor with thirty (30) calendar days’ prior written notice to the Contractor. County shall pay all fees and charges owed to Contractor for Services provided prior to termination. 21.2. 
Notwithstanding the preceding paragraph, the County may terminate the Agreement on thirty (30) days’ written notice to the Contractor if the Contractor or any of its officers or employees are convicted, plead nolo contendere, enter into a formal agreement in which they admit guilt, enter a plea of guilty or otherwise admit culpability to criminal offenses of bribery, kickbacks, collusive bidding, bid-rigging, antitrust, fraud, undue influence, theft, racketeering, extortion or any offense of a similar nature in connection with Contractor’s business. Termination for the reasons stated in this paragraph is effective at the end of the thirty (30) days’ written notice period. 21.3. Suspension for Excessive Chargebacks: The Contractor may suspend the Services on immediate written notice, where after reasonable efforts have been made with County to reduce the incidence of chargebacks, Excessive Chargebacks are still occurring. “Excessive Chargebacks” means where the total chargebacks is greater than or equal to 1.5% of sales recorded across two (2) consecutive months. The Contractor reserves the right to withhold funds at any time as necessary for the settlement of any disputed charges, end user (i.e. users seeking to purchase, or have purchased, tickets) complaints, allegations of fraud, chargebacks, expected chargebacks and other discrepancies. 21.4. Termination for Insolvency. Without affecting any other right or remedy available to it, either party may terminate this Contract with immediate effect by giving written notice to the other party if the other party files a petition commencing a voluntary case under the U.S. Bankruptcy Code, or for liquidation, reorganization, or an arrangement pursuant to any other U.S. or state bankruptcy laws, or shall be adjudicated a debtor or be declared bankrupt or insolvent under the U.S. 
Bankruptcy Code, or any other federal or state laws relating to bankruptcy, insolvency, winding-up, or adjustment of debts, or makes a general assignment for the benefit of creditors, or admits in writing its inability to pay its debts generally as they become due, or if a petition commencing an involuntary case under the U.S. Bankruptcy Code or an answer proposing the adjudication of the other party as a debtor or bankrupt or proposing its liquidation or reorganization pursuant to the Bankruptcy Code or any other U.S. federal or state bankruptcy laws is filed in any court and the other party consents to or acquiesces in the filing of that pleading or the petition or answer is not discharged or denied within sixty (60) calendar days after it is filed. 21.5. On termination or expiry of this Contract for any reason: 21.5.1. all rights granted to County under section 16 (Grant of License; Restrictions) shall cease and County shall cease all use of the Licensed Products and the Services and cease all activities previously authorized by this Agreement within 90 days of the date of termination (the “Wind-Down Period”) provided all Charges continue to be paid by County during the Wind-Down Period; 21.5.2. At the end of the Wind-Down Period, excluding all Validation Hardware in which title has passed to County in accordance with Section 15.23, the Contractor may destroy or otherwise dispose of any of the County Data in its possession unless the Contractor receives, no later than ninety (90) days after the termination of this Contract, a written request for the delivery to the Contractor of the then most recent back-up of the County Data. 
The Contractor shall use reasonable commercial endeavors to deliver the back-up to County within 30 days of its receipt of such a written request, provided that County has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination); and 21.5.3. At the end of the Wind-Down Period, County shall destroy or return to the Contractor (at Contractor’s option) all of Contractor’s Confidential Information then in its possession, custody or control. 22. WHEN RIGHTS AND REMEDIES NOT WAIVED: In no event shall any action by either Party hereunder constitute or be construed to be a waiver by the other Party of any breach of covenant or default which may then exist on the part of the Party alleged to be in breach, and the non-breaching Party’s action or inaction when any such breach or default shall exist shall not impair or prejudice any right or remedy available to that Party with respect to such breach or default; and no assent, expressed or implied, to any breach of any one or more covenants, provisions or conditions of the Agreement shall be deemed or taken to be a waiver of any other breach. 23. INSURANCE: 23.1. General Conditions: Contractor agrees to secure, at or before the time of execution of this Agreement, the following insurance covering all operations, goods or services provided pursuant to this Agreement. Contractor shall keep the required insurance coverage in force at all times during the term of the Agreement, or any extension thereof, during any warranty period, and for three (3) years after termination of the Agreement. The required insurance shall be underwritten by an insurer licensed or authorized to do business in Colorado and rated by A.M. Best Company as “A-”VIII or better. Each policy shall contain a valid provision or endorsement requiring notification to the County in the event any of the required policies is canceled or non-renewed before the expiration date thereof. 
Such written notice shall be sent to the parties identified in the Notices section of this Agreement. Such notice shall reference the County contract number listed on the signature page of this Agreement. Said notice shall be sent thirty (30) days prior to such cancellation or non-renewal unless due to non-payment of premiums for which notice shall be sent ten (10) days prior. If such written notice is unavailable from the insurer, contractor shall provide written notice of cancellation, non-renewal and any reduction in coverage to the parties identified in the Notices section by certified mail, return receipt requested within three (3) business days of such notice by its insurer(s) and referencing the County’s contract number. If any policy is in excess of a deductible or self-insured retention, the County must be notified by the Contractor. Contractor shall be responsible for the payment of any deductible or self-insured retention. The insurance coverages specified in this Agreement are the minimum requirements, and these requirements do not lessen or limit the liability of the Contractor. The Contractor shall maintain, at its own expense, any additional kinds or amounts of insurance that it may deem necessary to cover its obligations and liabilities under this Agreement. 23.2. Proof of Insurance: Contractor shall provide a copy of this Agreement to its insurance agent or broker. Contractor may not commence services or work relating to the Agreement prior to placement of coverages required under this Agreement. Contractor certifies that the certificate of insurance attached as Exhibit C, preferably an ACORD certificate, complies with all insurance requirements of this Agreement. 
The County’s acceptance of a certificate of insurance or other proof of insurance that does not comply with all insurance requirements set forth in this Agreement shall not act as a waiver of Contractor’s breach of this Agreement or of any of the County’s rights or remedies under this Agreement. 23.3. Additional Insureds: For Commercial General Liability, Auto Liability and Excess Liability/Umbrella (if required), Contractor and subcontractor’s insurer(s) shall include the County, its elected and appointed officials, employees and volunteers as additional insured. 23.4. Waiver of Subrogation: Consultant’s insurance coverage shall be primary and non-contributory with respect to all other available sources. Consultant’s policy shall contain a waiver of subrogation against Eagle County. 23.5. Subcontractors and Subconsultants: All subcontractors and subconsultants (including independent contractors, suppliers or other entities providing goods or services required by this Agreement) shall be subject to all of the requirements herein and shall procure and maintain the same coverages required of the Contractor. Contractor shall include all such subcontractors as additional insured under its policies (with the exception of Workers’ Compensation) or shall ensure that all such subcontractors and subconsultants maintain the required coverages. Contractor agrees to provide proof of insurance for all such subcontractors and subconsultants upon request by the County. 23.6. Workers’ Compensation/Employer’s Liability Insurance: Contractor shall maintain the coverage as required by statute for each work location and shall maintain Employer’s Liability insurance with limits of $100,000 per occurrence for each bodily injury claim, $100,000 per occurrence for each bodily injury caused by disease claim, and $500,000 aggregate for all bodily injuries caused by disease claims. 
Contractor expressly represents to the County, as a material representation upon which the County is relying in entering into this Agreement, that none of the Contractor’s officers or employees who may be eligible under any statute or law to reject Workers’ Compensation Insurance shall effect such rejection during any part of the term of this Agreement, and that any such rejections previously affected, have been revoked as of the date Contractor executes this Agreement. 23.7. Commercial General Liability: Contractor shall maintain a Commercial General Liability insurance policy with limits of $1,000,000 for each occurrence, $1,000,000 for each personal and advertising injury claim, $2,000,000 products and completed operations aggregate, and $2,000,000 policy aggregate. 23.8. Business Automobile Liability: Contractor shall maintain Business Automobile Liability with limits of $1,000,000 combined single limit applicable to all owned, hired and non-owned vehicles used in performing services under this Agreement. 23.9. Technology Errors & Omissions: Contractor shall maintain Technology Errors and Omissions insurance including cyber liability, network security, privacy liability and product failure coverage with limits of $1,000,000 per occurrence and $1,000,000 policy aggregate. 23.10. Additional Provisions: 23.10.1. For Commercial General Liability, the policy must provide the following: 23.10.1.1. That this Agreement is an Insured contract under the policy; 23.10.1.2. Defense costs are outside the limits of liability; 23.10.1.3. A severability of interests or separation of insureds provision (no insured vs. insured exclusion); and 23.10.1.4. A provision that coverage is primary and non-contributory with other coverage or self-insurance maintained by the County. 23.10.2. For claims-made coverage: 23.10.2.1. The retroactive date must be on or before the Agreement date or the first date when any goods or services were provided to the County, whichever is earlier. 
23.10.2.2. Contractor shall advise the County in the event any general aggregate or other aggregate limits are reduced below the required per occurrence limits. At their own expense, and where such general aggregate or other aggregate limits have been reduced below the required per occurrence limit, the Contractor will procure such per occurrence limits and furnish a new certificate of insurance showing such coverage is in force. 23.10.3. Consultant is not entitled to workers’ compensation benefits except as provided by the Consultant, nor to unemployment insurance benefits unless unemployment compensation coverage is provided by Consultant or some other entity. The Consultant is obligated to pay all federal and state income tax on any moneys paid pursuant to this Agreement. 23.10.4. If Consultant fails to secure and maintain the insurance required by this Agreement and provide satisfactory evidence thereof to County, County shall be entitled to immediately terminate this Agreement. 23.10.5. The insurance provisions of this Agreement shall survive expiration or termination hereof. 24. DEFENSE AND INDEMNIFICATION: 24.1. Subject to section 24.2, Contractor hereby agrees to defend, indemnify, reimburse and hold harmless County, and any of its appointed and elected officials, agents and employees (“Indemnified Parties”) for, from and against all liabilities, claims, judgments, suits or demands for damages to persons or property arising out of, resulting from, or relating to the Services or work performed under this Agreement or are based on any performance or non-performance by Contractor or any of its subcontractors hereunder (“Claims”). 
This indemnity shall be interpreted in the broadest possible manner to indemnify County for any acts or omissions of Contractor or its subcontractors either passive or active, irrespective of fault, including County’s concurrent negligence whether active or passive, except for the sole negligence or willful misconduct of County. This indemnification shall not apply to claims (i) as a result of the sole negligence or willful misconduct of County; or (ii) by third parties against the County to the extent that County is liable to such third party for such claims without regard to the involvement of the Contractor. 24.2. Contractor’s duty to defend and indemnify County shall arise at the time written notice of the Claim is first provided to County regardless of whether claimant has filed suit on the Claim PROVIDED THAT: 24.2.1. Contractor is given prompt notice of any such Claim; and 24.2.2. County provides reasonable co-operation to Contractor in the defense and settlement of such Claim, at Contractor’s expense; and 24.2.3. County and Contractor will collaborate and co-operate in the defense of the Claim, and no settlement shall be made without written agreement by both parties. 24.3. Contractor will defend any and all Claims which may be brought or threatened against County and will pay on behalf of County any expenses incurred by reason of such Claims including, but not limited to, court costs and reasonable attorney fees incurred in defending and investigating such Claims or seeking to enforce this indemnity obligation. Such payments on behalf of County shall be in addition to any other legal remedies available to County and shall not be considered County’s exclusive remedy. 24.4. Insurance coverage requirements specified in this Agreement shall in no way lessen or limit the liability of the Contractor under the terms of this indemnification obligation. 
The Contractor shall obtain, at its own expense, any additional insurance that it deems necessary for the County’s protection. 24.5. Contractor shall indemnify, save, and hold harmless the Indemnified Parties, against any and all costs, expenses, claims, damages, liabilities, and other amounts (including reasonable attorneys’ fees and costs) incurred by the Indemnified Parties in relation to any claim that any Deliverable, Service, software, or work product provided by Contractor under this Agreement (collectively, “IP Deliverables”), or the use thereof, infringes a patent, copyright, trademark, trade secret, or any other intellectual property right. 24.6. This defense and indemnification obligation shall survive the expiration or termination of this Agreement. 25. COLORADO GOVERNMENTAL IMMUNITY ACT: The parties hereto understand and agree that the County is relying upon, and has not waived, the monetary limitations and all other rights, immunities and protection provided by the Colorado Governmental Act, C.R.S. § 24-10-101, et seq. 26. TAXES, CHARGES AND PENALTIES: The County shall not be liable for the payment of taxes, late charges or penalties of any nature other than the compensation stated herein. 27. ASSIGNMENT; SUBCONTRACTING: The Contractor shall not voluntarily or involuntarily assign any of its rights or obligations, or subcontract performance obligations, under this Agreement without obtaining the County’s prior written consent. Any assignment or subcontracting without such consent will be ineffective and void and shall be cause for termination of this Agreement by the County. The County has sole and absolute discretion whether to consent to any assignment or subcontracting, or to terminate the Agreement because of unauthorized assignment or subcontracting. 
In the event of any subcontracting or unauthorized assignment: (i) the Contractor shall remain responsible to the County; and (ii) no contractual relationship shall be created between the County and any sub-consultant, subcontractor or assign. 28. NO THIRD-PARTY BENEFICIARY: Enforcement of the terms of the Agreement and all rights of action relating to enforcement are strictly reserved to the parties. Nothing contained in the Agreement gives or allows any claim or right of action to any third person or entity. Any person or entity other than the County or the Contractor receiving services or benefits pursuant to the Agreement is an incidental beneficiary only. 29. NO AUTHORITY TO BIND COUNTY TO CONTRACTS: The Contractor lacks any authority to bind the County on any contractual matters. 30. AGREEMENT AS COMPLETE INTEGRATION-AMENDMENTS: The Agreement is the complete integration of all understandings between the parties as to the subject matter of the Agreement. No prior, contemporaneous or subsequent addition, deletion, or other modification has any force or effect, unless embodied in the Agreement in writing. No oral representation by any officer or employee of the County at variance with the terms of the Agreement or any written amendment to the Agreement will have any force or effect or bind the County. No amendment of this Agreement shall be effective unless it is in writing and signed by the parties. For operational and other reasons, Contractor may at any time vary the technical specification and form of the Services without seeking the consent of County PROVIDED THAT such variation does not detract from or impair to a material degree the overall operation or performance of Services or will or may result in County incurring additional costs or expenses. The Contractor shall give notice to County of any such variation as soon as practicable. 
The expense of any such variation shall be borne by the Contractor. 31. SEVERABILITY: Except for the provisions of the Agreement requiring appropriation of funds and limiting the total amount payable by the County, if a court of competent jurisdiction finds any provision of the Agreement or any portion of it to be invalid, illegal, or unenforceable, the validity of the remaining portions or provisions will not be affected, if the intent of the parties can be fulfilled. 32. CONFLICT OF INTEREST: 32.1. The signatories to this Agreement aver to their knowledge, no employee of the County has any personal or beneficial interest whatsoever in the Services or Property described in this Agreement. The Consultant has no beneficial interest, direct or indirect, that would conflict in any manner or degree with the performance of the Services and Consultant shall not employ any person having such known interests. 32.2. The Contractor shall not engage in any transaction, activity or conduct that would result in a conflict of interest under the Agreement. The Contractor represents that it has disclosed any and all current or potential conflicts of interest. A conflict of interest shall include transactions, activities or conduct that would affect the judgment, actions or work of the Contractor by placing the Contractor’s own interests, or the interests of any party with whom the Contractor has a contractual arrangement, in conflict with those of the County. The County, in its sole discretion, will determine the existence of a conflict of interest and may terminate the Agreement in the event it determines a conflict exists, after it has given the Contractor written notice describing the conflict. 33. 
NOTICES: All notices required by the terms of the Agreement must be hand delivered, sent by overnight courier service, mailed by certified mail, return receipt requested, or mailed via United States mail, postage prepaid, if to Contractor at the address first above written, and if to the County at: Director of ECO Transit PO Box 850 500 Broadway Eagle, Colorado 81631 Masabi Attn: Jeff Nullmeyer 2187 Avenida Espada San Clemente, CA 92673 With a copy of any such notice to: Eagle County Attorney’s Office PO Box 850 500 Broadway Eagle, Colorado 81631 Notices hand delivered or sent by overnight courier are effective upon delivery. Notices sent by certified mail are effective upon receipt. Notices sent by mail are effective upon deposit with the U.S. Postal Service. The parties may designate substitute addresses where or persons to whom notices are to be mailed or delivered. However, these substitutions will not become effective until actual receipt of written notification. 34. GOVERNING LAW; VENUE: Any and all claims, disputes or controversies related to this Agreement, or breach thereof, shall be litigated in the District Court for Eagle County, Colorado, which shall be the sole and exclusive forum for such litigation. This Agreement shall be construed and interpreted under and shall be governed by the laws of the State of Colorado. 35. NO DISCRIMINATION IN EMPLOYMENT: In connection with the performance of work under this contract, the Contractor may not refuse to hire, discharge, promote or demote, or discriminate in matters of compensation against any person otherwise qualified, solely because of race, color, religion, national origin, gender, age, military status, sexual orientation, gender identity or gender expression, marital status, or physical or mental disability. The Contractor shall insert the foregoing provision in all subcontracts. 36. 
LEGAL AUTHORITY: Contractor represents and warrants that it possesses the legal authority, pursuant to any proper, appropriate and official motion, resolution or action passed or taken, to enter into the Agreement. Each person signing and executing the Agreement on behalf of Contractor represents and warrants that he has been fully authorized by Contractor to execute the Agreement on behalf of Contractor and to validly and legally bind Contractor to all the terms, performances and provisions of the Agreement. The County shall have the right, in its sole discretion, to either temporarily suspend or permanently terminate the Agreement if there is a dispute as to the legal authority of either Contractor or the person signing the Agreement to enter into the Agreement. 37. NO CONSTRUCTION AGAINST DRAFTING PARTY: The parties and their respective counsel have had the opportunity to review the Agreement, and the Agreement will not be construed against any party merely because any provisions of the Agreement were prepared by a particular party. 38. ORDER OF PRECEDENCE: In the event of any conflicts between the language of the Agreement and the exhibits, the language of the Agreement controls. 39. SURVIVAL OF CERTAIN PROVISIONS: The terms of the Agreement and any exhibits and attachments that by reasonable implication contemplate continued performance, rights, or compliance beyond expiration or termination of the Agreement survive the Agreement and will continue to be enforceable. Without limiting the generality of this provision, the Contractor’s obligations to provide insurance and to indemnify the County will survive for a period equal to any and all relevant statutes of limitation, plus the time necessary to fully resolve any claims, matters, or actions begun within that period. 40. 
INUREMENT: The rights and obligations of the parties herein set forth shall inure to the benefit of and be binding upon the parties hereto and their respective successors and assigns permitted under this Agreement. 41. LIMITATION OF LIABILITY 41.1. NOTHING IN THIS AGREEMENT SHALL LIMIT OR EXCLUDE EITHER PARTY’S LIABILITY FOR: 41.1.1. DEATH OR PERSONAL INJURY CAUSED BY ITS GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF ITS PERSONNEL, AGENTS OR SUBCONTRACTORS; 41.1.2. FRAUD OR FRAUDULENT MISREPRESENTATION; OR 41.1.3. ANY OTHER LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW. DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 Page 37 of 47 41.2. NEITHER PARTY SHALL BE LIABLE, IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR FOR BREACH OF STATUTORY DUTY OR IN ANY OTHER WAY FOR: 41.2.1. ANY LOSS ARISING FROM OR IN CONNECTION WITH LOSS OF REVENUES, PROFITS, CONTRACTS OR BUSINESS OR FAILURE TO REALIZE ANTICIPATED SAVINGS (WHETHER SUCH LOSS IS DIRECT OR INDIRECT); 41.2.2. ANY LOSS OF GOODWILL OR REPUTATION (WHETHER SUCH LOSS IS DIRECT OR INDIRECT); 41.2.3. ANY SPECIAL, EXEMPLARY, PUNITIVE, INDIRECT OR CONSEQUENTIAL LOSSES; OR 41.2.4. ANY LOSS OF PRODUCTION, USE, BUSINESS, REVENUE OR PROFIT [OR DIMINUTION IN VALUE OR IMPAIRMENT, INABILITY TO USE OR LOSS, INTERRUPTION OR DELAY OF THE SERVICES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF DATA, OR BREACH OF DATA OR SYSTEM SECURITY, SUFFERED OR INCURRED BY THE OTHER PARTY, OR ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, REGARDLESS OF WHETHER THE OTHER PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE. 41.3. 
SUBJECT TO SECTION 41.1, EACH PARTIES TOTAL LIABILITY TO THE OTHER PARTY, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, ARISING UNDER OR IN CONNECTION WITH THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNT OF THE INSURANCE LIMITATIONS DETAILED IN SECTION 23. 41. FORCE MAJEURE: Neither party shall be responsible for failure to fulfill its obligations hereunder or liable for damages resulting from delay in performance as a result of war, fire, strike, riot or insurrection, natural disaster, unreasonable delay of carriers, governmental order or regulation, complete or partial shutdown of plant, unreasonable unavailability of equipment or software from suppliers, default of a subcontractor or vendor (if such default arises out of causes beyond their reasonable control), the actions or omissions of the other party or its officers, directors, employees, agents, Contractors or elected officials and/or other substantially similar occurrences DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 Page 38 of 47 beyond the party’s reasonable control (“Excusable Delay”) herein. In the event of any such Excusable Delay, time for performance shall be extended for a period of time as may be reasonably necessary to compensate for such delay. 42. PARAGRAPH HEADINGS: The captions and headings set forth herein are for convenience of reference only and shall not be construed so as to define or limit the terms and provisions hereof. 43. COUNTY EXECUTION OF AGREEMENT: This Agreement is expressly subject to and shall not be or become effective or binding on the County until it has been fully executed by all signatories of the County. 44. COUNTERPARTS OF THIS AGREEMENT: This Agreement may be executed in counterparts, each of which shall be deemed to be an original of this Agreement. 45. ELECTRONIC SIGNATURES AND ELECTRONIC RECORDS: Contractor consents to the use of electronic signatures by the County. 
The Agreement, and any other documents requiring a signature hereunder, may be signed electronically by the County in the manner specified by the County. The Parties agree not to deny the legal effect or enforceability of the Agreement solely because it is in electronic form or because an electronic record was used in its formation. The Parties agree not to object to the admissibility of the Agreement in the form of an electronic record, or a paper copy of an electronic document, or a paper copy of a document bearing an electronic signature, on the ground that it is an electronic record or electronic signature or that it is not in its original form or is not an original.

46. ADVERTISING AND PUBLIC DISCLOSURE: The Contractor shall not include any reference to the Agreement or to services performed pursuant to the Agreement in any of the Contractor’s advertising or public relations materials without first obtaining the written approval of the Manager. Any oral presentation or written materials related to services performed under the Agreement will be limited to services that have been accepted by the County. The Contractor shall notify the Manager in advance of the date and time of any presentation. Nothing in this provision precludes the transmittal of any information to County officials.

47. COMPLIANCE FOR IN-SCOPE SERVICES: The Contractor covenants and agrees to comply with all information security and privacy obligations imposed by any federal, state, or local statute or regulation, or by any industry standards or guidelines, as applicable based on the classification of the data relevant to Contractor’s performance under the Contract.
Such obligations may arise from:

47.1 Health Information Portability and Accountability Act (HIPAA)
47.2 IRS Publication 1075
47.3 Payment Card Industry Data Security Standard (PCI-DSS)
47.4 FBI Criminal Justice Information Service Security Addendum
47.5 CMS Minimum Acceptable Risk Standards for Exchanges

and further covenants and agrees to maintain compliance with the same when appropriate for the Data and Services provided under the Agreement. Contractor further agrees to exercise reasonable due diligence to ensure that all of its service providers, agents, business partners, contractors, subcontractors and any person or entity that may have access to Data under this Agreement maintain compliance with and comply in full with the terms and conditions set out in this Section. Notwithstanding Force Majeure, the respective processing, handling, and security standards and guidelines referenced by this section may be revised or changed from time to time or Data may be utilized within the Services that change the compliance requirements. In the event that compliance requirements change, the Contractor and County shall collaborate in good faith and use all reasonable efforts to become or remain compliant as necessary under this section. In the event that compliance is required or statutory and no reasonable efforts are available, the County at its discretion may terminate the agreement for cause.

48. ON-LINE AGREEMENT DISCLAIMER: Notwithstanding anything to the contrary herein, the County shall not be subject to any provision included in any terms, conditions, or agreements appearing on Contractor’s or a Subcontractor’s website or any provision incorporated into any click-through or online agreements related to the work unless that provision is specifically referenced in this Agreement.

49. PROHIBITED TERMS: Any term included in this Agreement that requires the County to indemnify or hold Contractor harmless; requires the County to agree to binding arbitration; limits Contractor’s liability for damages resulting from death, bodily injury, or damage to tangible property; or that conflicts with this provision in any way shall be void ab initio. Nothing in this Agreement shall be construed as a waiver of any provision of C.R.S. § 24-106-109.

50. ON-CALL SERVICES: In the event that the Agreement or the SOW contains hourly or daily rates the Contractor and the Manager may enter into Work Orders for ongoing services. The County shall authorize specific assignments for the Contractor by placing a written service order signed by the Manager and the Contractor (the “Order”) describing in sufficient details the services and/or deliverables at the rates provided. The Contractor agrees that during the term of this Agreement it shall fully coordinate its provision of the services with any person or firm under contract with the County doing work or providing services which affect the Contractor’s services. The Contractor shall faithfully perform the work in accordance with the standards of care, skill, training, diligence and judgment provided by highly competent individuals and entities that perform services of a similar nature to those described in this Agreement.
Contractor represents and warrants that all services will be performed by qualified personnel in a professional and workmanlike manner, consistent with industry standards; all services will conform to applicable specifications and as attached to the Order, if any; and, it has the requisite ownership, rights and licenses to perform its obligations under this Agreement fully as contemplated hereby and to grant to the County all rights with respect to any software and services free and clear from any and all liens, adverse claims, encumbrances and interests of any third party.

51. RECORDS: Consultant shall maintain for a minimum of three years, adequate financial and other records for reporting to County. Consultant shall be subject to financial audit by federal, state or county auditors or their designees. Consultant authorizes such audits and inspections of records during normal business hours, upon 48 hours’ notice to Consultant. Consultant shall fully cooperate during such audit or inspections.

52. The Contractor, if a natural person eighteen (18) years of age or older, hereby swears and affirms under penalty of perjury that he or she (i) is a citizen or otherwise lawfully present in the United States pursuant to federal law, (ii) to the extent applicable shall comply with C.R.S. § 24-76.5-103 prior to the effective date of this Agreement.

IN WITNESS WHEREOF, the parties have executed this Agreement the day and year first set forth above.
COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its BOARD OF COUNTY COMMISSIONERS

By: ______________________________
Matt Scherr, Chair

Attest:
By: _________________________________
Regina O’Brien, Clerk to the Board

CONSULTANT:
By:________________________________
Print Name: _________________________
Title: ______________________________

ATTACHED EXHIBITS

EXHIBIT A - SCOPE OF WORK AND PRICING
EXHIBIT B - VALIDATOR IAT PROCEDURE
EXHIBIT C - HARDWARE WARRANTY PLAN FOR VALIDATORS
EXHIBIT D - VALIDATION HARDWARE PCI COMPLIANCE PLAN
EXHIBIT E - SUPPORT SERVICES AND SLA
EXHIBIT F - CERTIFICATE OF INSURANCE
EXHIBIT G - MASABI RFP RESPONSE

Jeff Nullmeyer
Sr. Business Development Manager

Exhibit A – Scope of Work and Pricing

Scope of Work

The County will implement the mobile fares project in multiple phases to accommodate supply chain and resource requirements. Phase 0 (Mobile Ticketing) and Phase 1 (Electronic Validation) will both be implemented together. Implementation of Phase 0 and Phase 1 will eliminate the Mobile Ticketing set-up fee. Phase 2 will add ITS Integration to allow for zonal fares.

Phase 0 – Mobile Ticketing

1. Justride Mobile ticketing
   a. App will be cloud-hosted and deployable as SaaS
   b. App will be free and support iOS and Android platforms
   c. Downloaded app will generate End User Agreement for approval by the End User. Agreement is found in Attachment 1, which is incorporated herein.
   d. Update will be available for iOS and Android within five weeks of update release
   e. The County will be notified prior to deployment of any updates
   f. Tickets will be stored in the cloud and on the mobile device for offline support
   g. Branding of app will be approved by the County
   h. Riders can purchase single use ticket without requiring account registration
   i. Ability for rider to set up an account to manage tickets
2. Merchant Service Setup
   a. The contractor will be responsible for the setup of the merchant services. The merchant services will be composed of Chase as the Merchant Acquiring bank and Mastercard Payment Gateway Services (MPGS) as its payment gateway. The associated payment processing fees charged by MPGS and Chase are industry standard and will be passed through to the County at cost
   b. The merchant service fees will vary depending on the number of transactions and the average transaction value (ATV). Examples of transaction costs are shown in the table below. Typically, the lower the ATV, the higher the percentage fee charged by the payment processor. The County will determine the minimum purchase amounts to establish an ATV that benefits it.
3. Visual validation
   a. Dynamic barcode built into ticket to prevent fraudulent ticket use
   b. Drivers visually validate ticket at boarding
4. County Fare Setup
   a. The County will provide the fare structure and ticket types to the contractor
   b. The County will have the ability to add new ticket types as needed
   c. Stored value and complex best-fare finding (fare capping) will be available if riders opt to create an account in the app
5. Software Development Kit (SDK)
   a. The Justride SDK will be enabled for third party offerings to create external orders in custom built apps
6. Justride Hub (back office)
   a. Browser access to cloud-hosted application
   b. Reporting capabilities
7. Sales Channels
   a. Web Portal - a website that allows riders to purchase mobile tickets, and optionally, print-at-home PDF tickets
   b. Partner Portal - a web-based interface that allows business and institutional partners to manage mobile tickets for their members
   c. Vendor Portal
      i. Module within the back office that allows riders to pay in cash to purchase tickets or load stored value at County ticket windows
8. Training (Phase 0)
   a. Administrative staff training for the Justride platform including fare setup, Justride Hub and Sales Channels (web and partner portals)
   b. Onboard visual validation training for County driver trainers (re-trainers) and Intelligent Transit Systems (ITS) staff

| Phase 0 – Accelerated Mobile Ticketing & Web Portal | Unit | Quantity | Unit Price | Subtotal Price |
|---|---|---|---|---|
| Set Up Fee Mobile Ticketing | | | | |
| Mobile Ticketing Set-up *waived if electronic validation (Phase I) is elected from the onset | day | 1 | $19,500.00 | $0.00 |
| Subtotal Mobile Ticketing Set-up fee* | | | | $0.00 |
| Subtotal Mobile Ticketing | | | | $0.00 |
| Phase 0 Total Costs | | | | $0.00 |

Phase 1 - Electronic Validation and Options

1. Justride Validators (JRV)
   a. JRVs will be updated by the contractor through Over the Air Updates (OTA) on an average of every six weeks. The contractor will notify the County when these updates occur.
   b. The JRV will communicate with the hosted platform through an existing on-board router provided with a cellular carrier designated by the County.
   c. The JRV will accept 2D barcodes, MIFARE ISO14443 smart cards, as well as containing the necessary hardware to accept contactless bank and credit card (cEMV) as they become available.
   d. The JRV is designed so that it can be easily removed and replaced with a spare by the County technicians. This facilitates both return-to-base repairs as well as easy future hardware upgrades should these ever be required.
2. Installation
   a. Installation of the JRVs will be completed at the property in coordination with the County project manager
   b. An IAT (Installation Acceptance Test) will be completed for each bus installation and include an acceptance signature by the County project manager.
   c. The Site Survey will include the necessary cellular router testing to create the configuration needed for the fleet.
3. Training
   a. Electronic Validation Training
4. Optional Validation Hardware PCI Compliance Plan training - 3 days at $1,294 p/d = $3,882.00

| Phase 1 - Electronic Validation, Optional Portals | Unit | Quantity | Unit Price | Subtotal Price |
|---|---|---|---|---|
| Project Management, Training, and Integration Support | | | | |
| Design and UX | day | 1 | $1,030.00 | $1,030.00 |
| Platform Engineer | day | 0.25 | $1,363.00 | $340.75 |
| Project Manager | day | 17 | $1,992.00 | $33,864.00 |
| Brand Configuration | day | 9.75 | $932.00 | $9,087.00 |
| Training | day | 8 | $1,294.00 | $10,352.00 |
| Subtotal Project Management, Training and Integration Support | | | | $54,673.75 |
| Electronic Validation Hardware | | | | |
| JRV Validator | unit | 40 | $1,100.00 | $44,000.00 |
| (Optional) Stanchions | unit | 0 | $183.00 | |
| Shipping | unit | 40 | $95.00 | $3,800.00 |
| Misc. cabling, etc. | unit | 40 | $189.00 | $7,560.00 |
| JRV Validators - Spares | unit | 4 | $1,100.00 | $4,400.00 |
| Shipping - Spares | unit | 4 | $95.00 | $380.00 |
| Misc. cable, etc. – Spares | unit | 4 | $189.00 | $756.00 |
| Subtotal Electronic Validation Hardware, On-board Installation | | | | $60,896.00 |
| On-board Installation | | | | |
| Site Survey (1 tech for 1 week) | day | 1 | $3,777.00 | $3,777.00 |
| Mobilization – 3 techs | day | 3 | $1,700.00 | $5,100.00 |
| Installation of 1 JRV on each bus (front door only) | day | 40 | $535.00 | $21,400.00 |
| Hardware Management & Engineering Support | unit | 1 | $52,686.00 | $52,686.00 |
| Subtotal On-Board Installation | | | | $82,963.00 |
| Subtotal Phase 1 – Electronic Validation, Optional Portals | | | | $198,532.75 |

Phase 2 – AVL Integration, Smart Cards and Retail Networks (Optional)

1. ECO Transit branded smartcards (NFC ISO1443)
   a. Branding graphics will meet the approval of the County
2. Configure Account Based Ticketing “ABT” for ECO Transit
3. Retail Networks
   a. Ability to top up a mobile stored value account using cash or credit card
   b. Ability to purchase and register new smartcards through vendor portal in retail stores
   c. Top up a rider account tied to a smart card using the smart card as the account identification token, using cash or card.
   d. Setup assistance for Incomm integration with ECRTA
4. AVL Integration with the Clever Devices ITS (Intelligent Transit Systems)
   a. Ability to read route data from Clever Devices system
   b. Change Justride fare structure on-board the bus based on route data from the current location

| Phase 2 – Account Based Ticketing (Optional) | Unit | Quantity | Unit Price | Subtotal Price |
|---|---|---|---|---|
| Smart Cards Fare Media | | | | |
| Smart cards set-up and design (per design) | unit | 1.00 | $5,036.00 | $5,036.00 |
| Smart card initial stock (per 10k unit batch, per design) | unit | 10,000 | $1.97 | $19,700.00 |
| Smart cards configuration, testing and support | unit | 15.00 | $1,292.24 | $19,383.60 |
| Subtotal Smart Cards Fare Media | | | | $44,119.60 |
| AVL Integration | | | | |
| Integration Fee | unit | 1 | $37,765.00 | $37,765.00 |
| Sub Total AVL Integration | | | | $37,765.00 |
| Subtotal Phase 2 – Account Based Ticketing | | | | $81,884.60 |

Operational Costs

Ongoing operational costs will include a combination of fixed system costs (hosting, support, and licensing fees) and variable fees assessed by transaction. The following Operational Costs table provides sample operating costs for the first five years based on the schedule according to several potential adoption scenarios. The actual number will be based on the true adoption rate by the riders. The Masabi Support information is contained in Attachment 2, which is incorporated herein.
| Operation Costs | Unit | Quantity | Unit Price | Subtotal Price |
|---|---|---|---|---|
| Platform Operation Year 1 | | | | |
| Fixed Costs | | | | |
| Justride platform hosting and support | month | 12.00 | $1,000.00 | $12,000.00 |
| Electronic Validation License: Justride Inspect Embedded (excluded in minimum viable solution) | unit/month | 480 | $20.00 | $9,600.00 |
| optional - Justride Inspect Handheld | unit/month | 0.00 | $20.00 | $0.00 |
| Estimated Costs | | | | |
| Pre-purchase / SVA Use Fee (10% adoption) | % | 180,000 | 3.25% | $5,850.00 |
| SVA Load/Cash Digitization Fee (2.5% adoption) | % | 45,000 | 1.50% | $675.00 |
| Subtotal Platform Operation Year 1 | | | | $28,125.00 |
| Platform Operation Year 2 | | | | |
| Fixed Costs | | | | |
| Justride platform hosting and support | month | 12 | $1,000.00 | $12,000.00 |
| Electronic Validation License: Justride Inspect Embedded (excluding minimum viable solution) | unit/month | 480.00 | $20.00 | $9,600.00 |
| optional - Justride Inspect Handheld | unit/month | 0.00 | $20.00 | $0.00 |
| Variable Costs | | | | |
| Pre-purchase / SVA Use Fee (12% adoption) | % | 216,000 | 3.25% | $7,020.00 |
| SVA Load/Cash Digitization Fee (3% adoption) | % | 54,000 | 1.50% | $810.00 |
| Subtotal Platform Operation Year 2 | | | | $29,430.00 |
| Platform Operation Year 3 | | | | |
| Fixed Costs | | | | |
| Justride platform hosting and support | month | 12.00 | $1,000.00 | $12,000.00 |
| Electronic Validation License: Justride Inspect Embedded (excluding minimum viable solution) | unit/month | 480.00 | $20.00 | $9,600.00 |
| optional - Justride Inspect Handheld | unit/month | 0.0 | $20.00 | $0.00 |
| Variable Costs | | | | |
| Pre-purchase / SVA Use Fee (15% adoption) | % | 270,000 | 3.25% | $8,775.00 |
| SVA Load/Cash Digitization Fee (3.75% adoption) | % | 67,500 | 1.50% | $1,012.00 |
| Subtotal Platform Operation Year 3 | | | | $31,387.00 |
| Platform Operation Year 4 | | | | |
| Fixed Costs | | | | |
| Justride platform hosting and support | month | 12.00 | $1,000.00 | $12,000.00 |
| Electronic Validation License: Justride Inspect Embedded (excluding minimum viable solution) | unit/month | 480.00 | $20.00 | $9,600.00 |
| optional - Justride Inspect Handheld | unit/month | 0.00 | $20.00 | $0.00 |
| Variable Costs | | | | |
| Pre-purchase / SVA Use Fee (17% adoption) | % | 306,000 | 3.25% | $9,945.00 |
| SVA Load/Cash Digitization Fee (4.25% adoption) | % | 76,500 | 1.50% | $1,147.50 |
| Subtotal Platform Operation Year 4 | | | | $32,692.50 |
| Platform Operation Year 5 | | | | |
| Fixed Costs | | | | |
| Justride platform hosting and support | month | 12.00 | $1,000.00 | $12,000.00 |
| Electronic Validation License: Justride Inspect Embedded (excluding minimum viable solution) | unit/month | 480.00 | $20.00 | $9,600.00 |
| optional - Justride Inspect Handheld | unit/month | 0.00 | $20.00 | $0.00 |
| Variable Costs | | | | |
| Pre-purchase / SVA Use Fee (20% adoption) | % | 360,000 | 3.25% | $11,700.00 |
| SVA Load/Cash Digitization Fee (5.0% adoption) | % | 90,000 | 1.50% | $1,350 |
| Subtotal Platform Operation Year 5 | | | | $34,650.00 |
| Estimated Payment Processing | | | | |
| PSP Fees - Assumed 65% using credit/bank card transactions | | | | |
| Year 1 (assumes $10 ATV) | % | 325,000.00 | 4.10% | $13,325.00 |
| Year 2 (assumes $10 ATV) | % | 585,000.00 | 4.10% | $23,985.00 |
| Year 3 (assumes $10 ATV) | % | 715,000.00 | 4.10% | $29,315.00 |
| Year 4 (assumes $10 ATV) | % | 845,000.00 | 4.10% | $34,645.00 |
| Year 5 (assumes $10 ATV) | % | 975,000.00 | 4.10% | $39,975.00 |
| Subtotal PSP Fees - Assumed 65% using credit/bank card transactions | | | | $141,245.00 |
| Subtotal Estimated Payment Processing | | | | $141,245.00 |

Merchant Services Fee Examples

Indicative Payment Processing Fees*

| Transaction Size | Estimated PSP Fee | Estimated $ fee |
|---|---|---|
| $1.00 | 36% | 0.36 |
| $2.50 | 15% | 0.39 |
| $5.00 | 9% | 0.43 |
| $10.00 | 5% | 0.51 |
| $20.00 | 3% | 0.67 |
| $50.00 | 2% | 1.17 |
| $100.00 | 2% | 2.00 |

*Includes assumption for chargebacks, declined transactions and disbursement fees so can be seen as likely all in effective rates per capture.

Payment and Fare Remittance

The total value of fares received by the Service Provider less the charges described above shall be remitted to the Customer within 5 working days of the end of each calendar month by ACH bank transfer, together with remittance advice by email.
The Customer’s bank details for the ACH bank transfer are as follows:

Name of the Bank: FirstBank
Address of the Bank: 25 Market Street, Eagle, CO 81631
ABA Number: 107005047
Account Number: 2235566363
Name of the Account Holder: Eagle County Treasurer (#30)

The Customer’s contact(s) for the remittance advice shall be: Dayana Herr

Milestone Payments and Schedule

| Milestone # | Milestone | Amount | Aggregated Amount | Description |
|---|---|---|---|---|
| Phase 0 and Phase 1 | | | | |
| 1 | Phase 0 - Mobile Ticketing Visual Validation Deployment | $0.00 | $0.00 | |
| 2 | ABT/Electronic Validation Kick Off | $27,336.88 | $27,336.88 | 50% of PM, Training and Integration Support |
| 3 | JRV Ordering | $30,448.00 | $57,784.88 | 50% of Hardware Cost |
| 4 | Phase 1 Hardware Management | $26,343.00 | $84,127.88 | 50% of Hardware Management |
| 5 | JRVs Delivered | $30,448.00 | $114,575.88 | 50% of Hardware Cost |
| 6 | Installation Kick Off | $8,877.00 | $123,452.88 | Site survey + Mobilization |
| 7 | Installation Completed | $47,743.00 | $171,195.88 | Installation costs |
| 8 | SAT Test Completed | $27,336.88 | $198,532.75 | 50% of PM |
| 9 | AVL Integration Kick-Off | $18,882.50 | $217,415.25 | 50% of AVL Integration |
| 10 | AVL Integration Completed | $18,882.50 | $236,297.75 | 50% of AVL Integration |
| 11 | Smart Card Configuration/Testing | $24,419.60 | $260,717.35 | Set-up/Config/Testing |
| 12 | Smart Cards | $19,700.00 | $280,417.35 | Smart Cards Only |

Cost Assumptions

1. For County’s convenience, Contractor has used USD$2M as County’s total fare revenue in order to address fares during the life of the Agreement.
2. During mobile only phases, prior to deployment of electronic validation a $1,500 monthly minimum fee will be applied. This will be waived once County begins revenue service using electronic validation.
3. Any applicable taxes are excluded.
4. Transaction fees and stored value usage fees are estimated at projected adoption rates. Actual rates charged will be charged per transaction as defined below.
5. Transactions are defined as the purchase of a ticket, the load of stored value, and the use of stored value. For transactions that are loading stored value, these will incur a 1.75% fee. For those tickets purchased with stored value, the agency will incur the stored value usage fee. For those tickets that are notionally free to the rider, please see note below on commercial value.
6. Third-party credit and debit card processing fees will be determined by the number of transactions, average transaction size, card types and chargebacks at market rates. For County’s benefit, Contractor has included an estimate of expected annual payment processing fees using an average transaction size of $10. Contractor would charge the actual payment processing fees charged by the payment processor at market rates.
7. To calculate the cost of payment processing, Contractor has estimated that 65% of the transactions will be made using a bank or credit card. The figures quoted are estimates. Actual amounts will be based on the total volume of transactions and will be passed through to County at cost.
8. For transactions that are notionally free to a rider, the transaction fee will be charged at the commercial value of tickets sold; commercial value is defined as the value that the agency (i.e. in this case, County) charges third parties for processing of tickets even if the tickets are notionally free to riders. If there is no commercial value assigned to a ticket, then these tickets will not incur a transaction fee. Commercial value to be provided in order to launch partner portal functionality.
9. Inspect license fees subject to change based on fare processing model of the Justride platform.
10. All prices are applicable to County’s current fare policy. Should fare policy change, per transaction fees are subject to change – with such changes to be agreed in writing with County.
11. All prices are subject to Justride being the only mobile ticketing sales channel for County.
12. Chargebacks shall be processed as follows:
   a. Any credit card chargebacks initiated by an end user for any reason with respect to fare product shall be charged back to County.
   b. A challenge disputing a chargeback may be initiated by Contractor directly or by County.
   c. Contractor shall present chargebacks on a timely basis to County for review. Should County wish to challenge a chargeback, County shall provide the Contractor details and information to support the challenge. The Contractor will submit the challenge to the credit card processing company on County’s behalf. There can be no guarantee the claim will be successful.
   d. Successful challenges will be rebated to County less any fees as charged by the credit card processing company on the subsequent remittance to County.
13. A $5,000 fixed fee will be charged by the Contractor for (1) decommissioning (deleting the App from the various App stores) if County goes fare free; and (2) an additional $5,000 fixed fee for re-commissioning/reinstating the App to the various App stores.

Exhibit A - Attachment 1
End User Terms

“ECO Transit Mobile Tickets” Terms and Conditions

Definitions and descriptions

Thank you for using the (“ECO Transit”) mobile ticketing app (the “App”). The App is brought to you by ECO Transit, with mobile ticket sales provided by Masabi LLC (“Masabi”). These terms and conditions will govern the purchase and use of ECO Passes via the App and used on any ECO Transit bus service. ECO Transit and Masabi may modify the terms and conditions relating to mobile ticketing at any time by posting revised terms and conditions. This will not affect any existing terms accepted by you when making your purchase via the App. When downloading the App, you are also agreeing to be bound by these terms.
The App

ECO Transit grants you the right to download, install and use the App on your mobile handset to purchase passes and access information in accordance with these terms and conditions. Once you have downloaded the App you will be able to purchase tickets to travel with ECO Transit. All tickets purchased through the App are subject to our [Conditions of Carriage] which can be found at https://www.eaglecounty.us/transit. You do not and will not own the App or any information that is provided to you through it or ECO Transit, but you may use the App in accordance with these terms and conditions solely for the purposes of purchasing and using mobile passes and accessing transport information for your own personal use and not for any other purpose. The App is owned by the ECO Transit and may only be used for your own personal use. You must not try to alter, modify or in any way try to copy or transfer the mobile ticket facility to any other users. The App is provided to you free of charge. ECO Transit can suspend access to purchasing passes through the mobile application and can do so for any reason. You must ensure that your mobile device has the required version of the relevant operating system. You are responsible for all data charges incurred when using the app with your mobile phone provider.

Your Data

You acknowledge and agree that whilst ECO Transit’s supplier (Masabi LLC) uses AWS servers located in the USA, in order to provide the services offered by the App, your personal data may be accessed by Masabi LLC or Masabi Limited employees in locations outside the USA, currently the United Kingdom and Romania and by downloading and using the App you expressly consent to your personal data being accessed by Masabi LLC or Masabi Limited employees in locations outside the USA.

Mobile Ticketing and Use

ECO Tickets and Passes are available to purchase via your mobile phone using ECO Transit’s App.
Once you have purchased the ticket it will be delivered as a Mobile pass to and placed in a secure wallet on your mobile device. ECO Mobile Passes sold through ECO Transit’s App are for use on ECO Transit services only for the times and in the areas as specified at the time of purchase. The price you pay for the mobile ticket will be valid for the duration on the ticket and any subsequent price changes during the validity of the ticket will not affect ECO Passes you have already purchased.

ECO Passes are valid immediately for travel once you have completed your transaction. Payment for an ECO mobile ticket must be made by credit or debit card; split payment is an option, and/or stored value if deployed by ECO Transit. Cash can be used to purchase tickets if desired at any applicable retail or agency location. The appropriate payment for the ECO Pass will be collected once the transaction is complete. Please note, as per PCI requirements, we do not store your debit/credit card details. ECO Passes are then located on the Justride platform and a copy is placed into a secure wallet. An internet or cellular connection is not needed to activate a ticket but is required to make an initial purchase. ECO Passes must be activated prior to you boarding the bus.

Please ensure you have sufficient battery charge to show your ticket to the bus operator for visual validation and/or validate your ticket via an onboard validation device and for the whole duration of your journey. ECO Transit does not accept any liability for any loss you may incur in the event that you do not have sufficient battery life on your mobile device. Please allow time for the App to load whilst waiting for the bus. If you are unable to display the ECO Pass on your phone the full cash fare must be paid. No refund will be given.
You may be asked to show your ECO Pass to a bus operator, or any member of staff employed by ECO Transit or local police. ECO Transit reserves the right to refuse travel on invalid ECO Passes or if used on a stolen phone. The ECO Passes are not transferable and may only be used by the registered phone user, and ECO Passes do not give you priority over other passengers. A mobile ticket refers to a type of pass valid for use on ECO Transit bus service, which is purchased only through Masabi’s Justride platform.

The security of your mobile phone or pass is your responsibility. In the event that your mobile phone is lost or stolen, please contact ECO Transit’s customer service in order to put a hold on your account.

Your mobile pass must be displayed clearly on the mobile phone screen to the bus operator every time you board an ECO Transit bus, or when requested by a police officer or bus operator to view the mobile pass. The mobile pass must be retained during your entire trip on an ECO Transit vehicle. Failure to show a valid pass is considered fare evasion and is subject to enforcement actions according to ECO Transit policy and Colorado State or federal laws. If you are unable to show a valid pass, you may be subject to a fine or other enforcement action. If the mobile pass has expired or if your mobile device is damaged, causing your ticket to not be readable by a bus operator or a validator, ECO Transit is not obligated to honor the ticket.

Your ECO Transit mobile pass will be sold to you via ECO Transit’s mobile pass partner, Masabi. The mobile pass itself creates a contract between you and ECO Transit for the provision of the transport services that the mobile pass allows you to use.
It is ECO Transit that provides these services to you under the mobile pass and in no event will Masabi be responsible for or have any liability to you in relation to these services or their availability or performance (including your use or access to any ECO Transit vehicle, the ECO Transit network, your use of any services provided under your mobile pass or for your use of the App).

Prices and Receipts
When you purchase a mobile pass on the App, you will be notified of the price before you confirm your purchase. For information on fares please visit the ECO Transit fare information web page at www.eaglecounty.us/transit. Once you complete your purchase, a receipt will be emailed to the email address you provided.

Changes, Refunds, and Replacements
All refund requests will be reviewed on a case-by-case basis. In general, mobile passes cannot be replaced, changed, cancelled, or refunded except under very special circumstances, including but not limited to mobile application service disruptions. The decision to replace, change, cancel or refund a mobile pass is made at ECO Transit's sole and absolute discretion. You can submit a request for a refund by calling ECO Transit support line: (970) 328-3570. Please note that where a refund is made it shall be for the pass price only. Any other associated fees are non-refundable. Neither ECO Transit nor Masabi shall be obliged to replace, change, cancel, or replace a ticket when ECO Transit has reason to believe that the circumstances prompting the replacement, change, cancellation, or replacement is the result of fraud.

Data charges
The App is free, but data charges may be charged to you by your cell phone network provider. You are responsible for any such costs. ECO Transit will not take responsibility for any connectivity issues you may experience.

Availability & Updates
The mobile pass can be used on all ECO Transit bus service.
Travel is based on fare applicability on ECO Transit services at the time of purchasing a pass. The mobile pass is valid when the ticket is activated on the mobile app after purchase. You may not start your trip on an ECO Transit vehicle until you have a valid pass. Once purchased, the mobile pass will specify the fare type, the validity of the pass and its expiration date. ECO Transit reserves the right to issue updates to the mobile application, in which case you may not be able to continue use of the version of the mobile application installed on your mobile handset without downloading the latest update. ECO Transit recommends that you download and install all updates issued. ECO Transit is not liable for errors which become apparent in old versions of the mobile application.

Materials, Ownership and Restrictions on Use
The mobile ticket app is operated by ECO Transit and is either owned by ECO Transit or its third party licensors (including without limitation Masabi) and any data, text, graphics, images, audio and video clips, logos, icons, software and links and any intellectual property and other rights relating thereto, are and will remain the property of ECO Transit or Masabi or their respective licensors. You may not copy (other than copies made incidentally on your mobile in the course of your use of the mobile ticket app), reproduce, republish, upload, post, transmit or distribute the mobile ticket app or any of its content without the prior written permission of ECO Transit and its licensors. Nor may you: (i) reverse engineer, decompile or seek to obtain the source code to the mobile ticket app except where and to the extent expressly required to be permitted by applicable law; or (ii) make or seek to make derivative works based on the mobile ticket app. Use or downloading of the mobile ticketing app is conditioned on acceptance of the terms and conditions of this agreement.
By using or downloading the mobile ticketing app, you agree to such terms and conditions. The mobile ticketing app is supplied to you by ECO Transit and neither Masabi nor any of ECO Transit’s other third-party licensors shall have any liability to you arising out of or in connection with the mobile ticketing app. Colorado and federal law applies to these terms and conditions and users agree that any dispute between ECO Transit and the users of the mobile ticketing app regarding the mobile application or arising out of or in connection with these terms and conditions are subject to Colorado State courts.

Liability Disclaimer
In no event will ECO Transit be liable for any direct, indirect, special, punitive, exemplary or consequential losses or damages of whatsoever kind arising out of your use or access to the mobile ticketing application, including loss of profit or the like whether or not in the contemplation of the parties, whether based on breach of contract, tort (including negligence), product liability or otherwise. In no event will Masabi be liable for any direct, indirect, special, punitive, exemplary or consequential losses or damages of whatsoever kind arising out of or in connection with your use or access to any mobile pass or the mobile ticketing application, including loss of profit or the like whether or not in the contemplation of the parties, whether based on breach of contract, tort (including negligence), product liability or otherwise. Neither ECO Transit nor Masabi shall be liable for any damage or alteration to your equipment including but not limited to computer equipment, handheld device or mobile telephones as a result of the installation or use of the mobile ticketing application or any mobile pass.
Nothing in these terms and conditions shall exclude or limit a person’s liability for death or personal injury caused by negligence or for fraud or fraudulent misrepresentation or any other liability which cannot be excluded or limited under applicable law.

Legal responsibility
If you lose your mobile phone with a valid ECO Pass saved on it, please call our customer support number at (970) 328-3570. Any value remaining on your ECO Pass will be transferred to your new mobile phone. ECO Transit may cease to operate the service at any time, in which case the values of any balance associated with unused tickets at that time will be refunded.

Privacy
The collection, use, and security of information obtained from customers using “ECO Transit Mobile Tickets” are subject to ECO Transit's Privacy Policy, as amended. This policy is consistent with Federal and State laws governing an individual's right to privacy and may be amended from time to time, as deemed necessary by ECO Transit. The Privacy Policy is posted on the ECO Transit website at https://www.eaglecounty.us/transit/policyoverview.

Support
If you have any questions or problems with the mobile applications, please review the FAQs at https://www.eaglecounty.us/transit for answers to the most common questions ECO Transit receives from its users. If that does not answer your questions, please contact ECO Transit Customer Care at (970) 328-3570.

Page 42 of 47
EXHIBIT B - VALIDATOR IAT PROCEDURE

Validator IAT Procedure
Masabi Hardware: JRV Installation Acceptance Test (IAT) Procedure
Version: 01
Date: 2020-04-01

Revision History
Author | Version | Date | Details of Change
CB | 01 | 2020-04-01 | Initial Release

Copyright
Copyright Masabi Ltd 2021. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission of the publisher.

Table of Contents
Introduction
Purpose
Objective
Prerequisites
Process Outline
Safety Precautions
Glossary
References
Graphical Display Screens
IAT Test Cases
Test Case 1 – Visual Inspection
Test Case 2 – Power-On Self-Test (POST) and Configuration
Test Case 3 – Mounting
Test Case 4 – Internet and Back-Office Connection
Test Case 5 – Mobile Barcode Ticket: Valid
Test Case 6 – Paper Barcode Ticket: Not Valid
Test Case 7 – Mobile Barcode Ticket: Reduced Fare
Test Case 8 – DESFIRE Smart Card Ticket

Section 1 - Introduction
The Justride Validator (JRV) is a multi-format validator that is designed for transit environments and will be deployed by Masabi in various locations around the world. When furnished with an Internet connection, and provided with a suitable power source, the JRV can be used to validate barcodes and NFC media. The Installation Acceptance Test (IAT) procedure contains, herein, the necessary instructions, steps and scripts to follow in order to approve and commission a successful installation of a JRV.

1.1 Purpose
The purpose of the IAT is to approve the successful installation of the JRV and verify that it fulfils the requirements set by the customer and Masabi.

1.2 Objective
The objectives of the IAT are to:
● Confirm that ticket validation functions correctly with all ticket types.
● Confirm connectivity and expected behaviour between the JRV and the Masabi back-office via a wired Ethernet connection to the Internet.
● Confirm that the JRV is fit for validation.

1.3 Prerequisites
To complete the IAT the following prerequisites are required:
● Installed JRV
● Communication with the Internet (Masabi back office) available via Ethernet
● Paper Configuration Barcode
● Mobile Ticket Barcode
● Paper Test Barcode
● Smart Card Ticket
● Access to the Hub via a Computer

1.4 Process Outline
The IAT process is split into a set of tests as detailed below. The procedure includes the necessary instructions to confirm the correct installation and ticket validation functionality of the JRV. Each of the test cases is designed to focus on a particular aspect or function of the validation solution and should be completed as per the stated instructions with the results recorded in the IAT-R. If all Test Cases within this document pass, then the IAT passes.

1.5 Conventions
Throughout this document the following format will be used for notes and important information:
Important: Mandatory and important notes that must be fulfilled
Note: Important notes regarding mandatory requirements that may affect correct operation but do not present a safety risk or danger of damage to equipment.
Recommendation: A non-mandatory addition to the instruction intended to highlight methods of completing actions that were previously found to be the most efficient or easiest.
Throughout this document Masabi’s Customer will be referred to as “the Agency”, transit riders or Customers of the Agency will be referred to as “Cardholders”.

1.6 Safety Precautions
No particular safety hazards identified. Please ensure that all safety precautions required in the location and situation that the test is completed in are adhered to.

1.7 Glossary
Note: Part and assembly names will be defined in the Orientation Section of this document.
Acronym | Definition
cEMV | Contactless EMV
EMV | Europay Mastercard Visa
HW | Hardware
IAT | Installation Acceptance Test
IAT-R | Installation Acceptance Test Record
JRV | Justride Validator
N/A | Not applicable
PCI | Payment Card Industry
SAM | Secure Access Memory
TBA | To be announced

1.8 References
Doc # | Reference
DT2-0010 | JRV Installation Acceptance Test Record (IAT-R) (latest issue)
DP3-0001 | JRV PCI HW Compliance Plan (latest issue)

Note: The JRV Electronics Enclosure contains a cEMV reader. If the JRV is to be used in a deployment which handles cEMV cards, or may in the future, applicable PCI handling procedures must be adopted and adhered to. In these cases, ensure that all handling is completed in accordance with the requirements laid out in the latest revision of DP3-0001 - JRV PCI HW Compliance Plan. Contact Masabi for further details.
Note: All documents can be requested via support@masabi.com

Section 2 - Graphical Display Screens
These are the only messages that will be displayed during the demonstration.
Image | Accompanying Text | Message Description
Positive Message | ● Valid | Message used for instances when the ticket presented is valid for travel.
Not valid Message | ● Not valid | Message used for instances when the ticket presented is not valid for travel.
Check Message | ● Show ID | Message used for instances when a ticket with an entitlement (e.g. reduced fare) presented is valid for travel.
Ready Screen | ● Scan your ticket | Screen used when awaiting ticket media.

Section 3 - IAT Test Cases
This section details the tests which form the IAT in their intended order. The purpose, objectives, prerequisites and the instructions to complete the test are detailed.
● Test Case 1. – Visual Inspection
● Test Case 2.
– Power-On Self-Test (POST) and Configuration
● Test Case 3. – Mounting
● Test Case 4. – Internet and Back-Office Connection
● Test Case 5. – Mobile Barcode Ticket: Valid
● Test Case 6. – Paper Barcode Ticket: ‘Not Valid’
● Test Case 7. – Mobile Barcode Ticket: Warning
● Test Case 8. – DESFIRE Smart Card Ticket

3.1 Test Case 1 – Visual Inspection
Purpose: To verify that the JRV is undamaged and has not been tampered with
Objectives: Confirm that the JRV is not damaged and has not been tampered with
Mandatory PCI Requirement: Any suspicion of tampering must be reported to Masabi immediately. The unit must not be used. Follow the procedure as described in DP3-0001 Masabi Hardware: Justride Validator (JRV) Payment Card Industries (PCI) Hardware Compliance Plan.
Approximate Required Time: 3 min
Prerequisites/Preconditions:
● Installed JRV
Procedure: Start with the JRV Electronics Enclosure removed from the Mounting Kit.
1) PCI tamper inspection
a) Check that Card Reader is present behind transparent SIM/SAM Cover at the bottom of the unit and Serial Number is consistent with Documentation
b) Check for any marks, such as scratches, etc. that may indicate that the JRV Electronic Enclosure has been opened.
c) Check for any unnecessary additional or suspicious wiring
2) Mount JRV Electronics Enclosure onto the JRV Mounting Kit
3) Checking for damage
a) Check if JRV Electronics Enclosure is flush with the JRV Mounting Kit.
b) Check for any unacceptable marks on the front glass of the JRV and on the plastics
Expected Results:
1) JRV has not been tampered with
a) Card Reader is present
b) No marks that indicate that JRV was opened are present
c) No suspicious wiring present
Mandatory PCI Requirement: Otherwise follow DP3-0001.
2) JRV Electronics Enclosure flush with the JRV Mounting Kit
3) No damage
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.

3.2 Test Case 2 – Power-On Self-Test (POST) and Configuration
Purpose: To verify that the JRV passes POST on initial power-up after installation
Objectives: Confirm that the JRV passes POST and is ready for functional testing
Approximate Required Time: 2 min
Prerequisites/Preconditions:
● A JRV connected to the Internet via Ethernet that has successfully passed Test Case 1
● Configuration Barcode (if unit not already logged in)
Procedure: Start with the JRV in the powered down state, apply power and observe the booting process. Present the appropriate Configuration Barcode for the vehicle when prompted by the unit.
Expected Results:
1) The JRV screen will show a Justride logo and progress bar
2) The progress bar will move to show progress and the LED in the camera cone will turn on
3) The screen will briefly change to a black screen with a clock and loading message
4) The display will then show an information screen detailing the brand, username, IP address. No fault codes are displayed on the screen.
5) The display message will read ‘Scan Config Barcode’. Note: This screen will not show if the unit has previously been logged in. Skip step 6.
6) Present the correct log in barcode for the unit. A beep will sound to indicate a valid barcode. Not necessary if the unit has previously been logged in.
7) After a short wait, the screen will show the ‘Scan your ticket’ screen.
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.
3.3 Test Case 3 – Mounting
Purpose: To verify that the JRV is mounted correctly and securely
Objectives: Confirm that the JRV is mounted securely onto the Stanchion, the JRV Electronics Enclosure is attached correctly to the JRV Mounting Kit, and the JRV is reliably powered.
Approximate Time Required: 1 min
Prerequisites/Preconditions:
● The JRV has successfully passed Test Case 2.
Procedure:
1) Ensure that the JRV Lock is in the locked position and the Key is removed
2) Place a hand on the bottom of the JRV Electronics Enclosure and push upwards towards the display, i.e., in the same direction as an unlocked JRV would be pushed to remove the JRV Electronics Enclosure. Check if it slides and/or loses power/reboots
3) Attempt to move the JRV relative to the stanchion. Check for unacceptable play between the JRV and the stanchion
Expected Results:
1) JRV is locked in position and the Key is removed
2) JRV does not slide. JRV does not reboot or lose power, as observed by monitoring the JRV Display.
3) JRV is securely attached to the stanchion. Neither Stanchion nor JRV move.
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.

3.4 Test Case 4 – Internet and Back-Office Connection
Purpose: To verify that the JRV is logged in with the correct credentials for the location of installation.
Objectives: Confirm that the JRV is logged in correctly and has a connection to our back-office
Approximate Time Required: 2 min
Prerequisites/Preconditions:
● The JRV has successfully passed Test Case 3.
● Access to the Hub with credentials to view Asset Monitoring
Procedure: Log into the hub and check if the JRV is listed as online and healthy
1. Log in to the hub
2. Asset Monitoring - Validation
3. Apply Filter a. Username b.
Contains c. Enter JRV Username
4. Check if JRV is listed, online and healthy
5. Check JRV software version
Expected Results: The JRV will be visible in the hub, shown as online and healthy, and has the most recent software version.
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.

3.5 Test Case 5 – Mobile Barcode Ticket: Valid
Purpose: To verify that the JRV behaves as expected when presented with a valid barcode ticket.
Objectives: Confirm that the JRV presents expected indication to the user when presented with a valid barcode.
Approximate Time Required: 1 min
Prerequisites/Preconditions:
● Valid ticket via app
● The JRV has successfully passed Test Case 4.
Procedure:
1) Ensure that the JRV is powered up, working and displaying the Ready screen.
2) Present the valid barcode to the JRV barcode scanner and observe for the below behaviour:
a) JRV Graphical Display is green and displays “Valid”
b) JRV Speaker plays the ‘Valid Beep’
Expected Results: The JRV will present the user with the expected positive feedback:
a) JRV Graphical Display is green and displays “Valid”
b) JRV Speaker plays the ‘Valid Beep’
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.

3.6 Test Case 6 – Paper Barcode Ticket: Not Valid
Purpose: To verify that the JRV behaves as expected when presented with a ‘not valid’ barcode ticket.
Objectives: Confirm that the JRV presents expected indication to the user when presented with a ‘not valid’ barcode.
Approximate Time Required: 1 min
Prerequisites/Preconditions:
● ‘Not valid’ paper ticket
● The JRV has successfully passed Test Case 5.
Procedure:
1) Ensure that the JRV is powered up, working and displaying the Ready screen.
2) Present the not valid barcode to the JRV barcode scanner and observe for the below behaviour:
a) JRV Graphical Display is red and displays “Not Valid”
b) JRV Speaker plays the ‘Not Valid Beep’
Expected Results: The JRV will present the user with the expected positive feedback:
a) JRV Graphical Display is red and displays “Not Valid”
b) JRV Speaker plays the ‘Not Valid Beep’
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.

3.7 Test Case 7 – Mobile Barcode Ticket: Reduced Fare
Purpose: To verify that the JRV behaves as expected when presented with a valid barcode ticket with an entitlement (e.g. reduced fare ticket).
Objectives: Confirm that the JRV presents expected indication to the user when presented with a valid barcode with an entitlement (e.g., reduced fare ticket).
Approximate Time Required: 1 min
Prerequisites/Preconditions:
● Valid ticket with a reduced fare (child or senior) via app
● The JRV has successfully passed Test Case 6.
Procedure:
1) Ensure that the JRV is powered up, working and displaying the Ready screen.
2) Present the valid barcode to the JRV barcode scanner and observe for the below behaviour:
a) JRV Graphical Display is yellow and displays “Show ID”
b) JRV Speaker plays the ‘Check Beep’
Expected Results: The JRV will present the user with the expected positive feedback:
a) JRV Graphical Display is yellow and displays “Show ID”
b) JRV Speaker plays the ‘Check Beep’
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.
3.8 Test Case 8 – DESFIRE Smart Card Ticket
Purpose: To verify that the JRV behaves as expected when presented with a valid Smart Card travel card
Objectives: Confirm that the JRV presents expected message to the user when presented with a DESFIRE Smart Card Ticket
Approximate Time Required: 1 min
Prerequisites/Preconditions:
● Valid DESFIRE Smart Card Ticket
● The JRV has successfully passed Test Case 7.
Procedure:
1) Ensure that the JRV is powered up, working and displaying the Ready screen.
2) Present the travel card to the JRV card scanner and observe for the below behaviour:
a) JRV Graphical Display is green and displays “Valid”
b) JRV Speaker plays the ‘Valid Beep’
Expected Results: The JRV will present the user with the expected positive feedback:
a) JRV Graphical Display is green and displays “Valid”
b) JRV Speaker plays the ‘Valid Beep’
Pass/Fail Criteria: The test passes when all steps listed above are noted as passed.
Results: Results are to be recorded within the IAT-R.

Page 43 of 47
EXHIBIT C - HARDWARE WARRANTY PLAN FOR VALIDATORS

DP1-0001-07 PLAN CONFIDENTIAL
Masabi Hardware - Warranty Plan
Document No.: DP1-0001
Version: 07
Date: 2020-10-13
CONFIDENTIAL

Revision History
Author | Version | Date | Details of Change
MC | 00 | 2018-05-22 | Draft
MC | 01 | 2018-06-12 | Initial Release
MC | 02 | 2018-07-16 | Removed unrequired content
MC | 03 | 2018-10-12 | Correction in §2(6c); Addition of §2(6d)
MC | 04 | 2018-11-20 | Correction in §3
MC | 05 | 2020-03-23 | Correction in document header.
Correction in §1; Clarification of time zone in §2(2); Correction in §2(5); Addition of §2(9); Addition of §2(10); Addition of §2(11); Combine §3.1 into §3; Simplified §3; Promote §3.2 to §4; Simplified §4; Changed title of Appendix A
MC (IP) | 06 | 2020-03-25 | Updated §2(6a) following input from IP.
CR (Legal) | 07 | 2020-10-13 | Updated §2(6b) and §3 re costs of return

Copyright
Copyright Masabi Ltd 2020. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission of the publisher.

Table of Contents
1 Introduction
1.1 Glossary
1.2 References
2 Generic Warranty Definition
3 Returns/Exchange Process
4 Out of Warranty Repairs
Appendix A – RMA Request Form

1 Introduction
This Warranty Plan contains herein the generic warranty provision applicable to hardware provided by Masabi, including the procedures for returning suspected faulty material for replacement, exchange and/or repair. The contents of this document may be superseded or supplemented by project, deployment or Customer specific Warranty Plan documents or other agreements.

1.1 Glossary
Term | Definition
RMA | Return Material Authorisation

1.2 References
Ref. Title Version
DP1-0001 07

2 Generic Warranty Definition
As standard, hardware provided by Masabi is covered against defects in manufacturing or workmanship for a period of 12 months after delivery to the Customer.
# | Definition
1 | The warranty is for a twelve (12) month period, i.e., the Warranty Period.
2 | The Warranty Period commences at 00:01 local time on the day following delivery of the hardware to the Customer.
3 | Failed hardware may be sent for triage and repair on a return-to-base (RTB) basis.
4 | Failures within the warranted terms and Warranty Period will, at Masabi’s sole discretion, be repaired and returned, or the unit will be replaced, free of charge to the Customer, including shipping, duty, et cetera.
5 | Repair or replacement for failures which are outside the scope of the warranty will be quoted for and carried out at the Customer’s cost, including shipping, duty, et cetera.
6 | Masabi will be responsible for any repairs or replacement necessary within the Warranty Period with six exceptions. Masabi shall not in any circumstances be liable for a breach of the warranty ‘defects in manufacturing or workmanship’ above in any of the circumstances set out in 6a-f below:
6a | The Customer or Agency staff, agents, subcontractors or other parties acting on their behalf or their instruction failed to follow correctly (or at all) the Supplier's oral or written instructions as to the storage, installation, commissioning, use or maintenance of the Equipment, or (if there are none) good trade practice.
6b | Force Majeure, whereby Masabi will not be in default for any failure to perform its obligation(s), to the extent that performance of such obligation(s) is delayed or prevented by fire, flood, earthquake or similar natural disasters, riot, war, terrorism, civil strife, labour disputes or disturbances, industry-wide material shortages outside Masabi’s reasonable control, an epidemic/pandemic or other viral disease outbreak, governmental regulations, communication or utility failures or any other events outside the reasonable control of Masabi.
6c | General wear & tear, intentional vandalism or destruction
6d | Errors or mishandling by Customer or Agency staff, agents, subcontractors or other parties acting on their behalf or their instruction
6e | The Customer or Agency staff, agents, subcontractors or other parties acting on their behalf or their instruction, alters or repairs the relevant Equipment without the prior written consent of Masabi.
6f | Masabi shall not in any circumstances be liable for any damage or defect to the Equipment caused by improper use of the Equipment or use outside its normal application.
7 | Repaired or replacement parts will be shipped by Masabi within 25 working days of the arrival of a faulty part(s), notwithstanding delays due to the Customer or Agency.
8 | At the conclusion of the Warranty Period, repairs or replacement will be quoted for and carried out at the Customer’s cost, including shipping, duty, etc., unless a suitable extended warranty agreement has been made to extend the Warranty Period before it concludes.
9 | Masabi may charge the Customer for processing units which are found to have no fault, including shipping, duty, et cetera.
10 | Masabi will charge the Customer a minimum handling fee of $100 USD for processing units which are found to have no fault and be out of warranty. The Customer will also be charged for the cost of shipping, duty, et cetera.
11 | For the purposes of determining validity of the warranty, the suspected failure or faulty part is considered as being reported at the date and time that this email is received. For the fault to be covered by the warranty this must be within the warranty period.
12 | Any damage caused in transit due to the use of unsuitable packaging shall invalidate the warranty.

3 Returns/Exchange Process

Any suspected faulty parts should be returned (at Customer’s cost) to Masabi for repair or replacement. The below process shall be followed to achieve this:

1. The Customer informs Masabi of the suspected faulty parts by submitting the RMA Request Form (Appendix A) to support@masabi.com.
2. Masabi will raise a Zendesk ticket, verify whether the suspected faulty part is within its warranty period and issue a Return Material Authorization (RMA) number which must accompany the returned Hardware.
3. Upon receipt of the RMA number, the Customer will arrange for the unit to be suitably packed, preferably in purpose-built or original packaging.
4. Once packed, the Customer will inform Masabi that the unit is ready for collection and confirm:
   a. The collection address is as listed on the RMA Request Form
   b. The weight of the package
   c. The dimensions of the package
5. Masabi will arrange for collection of the package by a courier and the package will be collected.
6. After receiving the faulty part:
   a. If the part and/or failure is within the warranty: at our discretion, Masabi will either repair the original part or provide a replacement.
   b. If the part and/or failure is not within the warranty: see Section 4.
7. Masabi will ship the repaired or replacement part to the address provided on the RMA Request Form with appropriate tracking information shared with the Customer.
8. Once the parts are shown as having arrived by the courier, the RMA is closed.

Note: If the unit is not within its warranty period the Customer shall be informed, as, if the unit is to be returned, the cost of return shipping, etc., will be at their expense.

Note: Any damage caused in transit due to the use of unsuitable packaging shall invalidate the warranty.

Note: Low value parts such as cable assemblies, PSUs and Configuration USB Keys will always be replaced.

4 Out of Warranty Repairs

A returned part may be deemed Out of Warranty if:

1. The suspected failure or fault is reported after the warranty period, or
2. The part is returned for a fault or failure which is outside of the scope of the warranty as stated in §2.

When a returned unit is determined as being Out of Warranty, Masabi may, at its sole discretion, either:

1. Provide a quote for a replacement part; or
2. Provide a quote for the repair of the part.

This will be provided to the Customer after which Masabi will await a decision from Customer as to which option they wish to proceed with:

✓ If a quotation is accepted, Masabi will process the repair or replacement unit and ship to the Customer as per §3(7) and provide a corresponding invoice.
✗ If the provided quotation(s) are rejected, any hardware which has been sent to Masabi or a subcontractor will either be recycled, destroyed or returned to the Customer at their expense.

Any shipping, duty or tax costs incurred by Masabi will be invoiced to the Customer for all out of warranty units, regardless of whether the quotation for replacement or repair is accepted.
Note: When a part is returned and subsequently not found to be faulty and out of warranty, the Customer will be charged for the cost of shipping and handling as well as any duty or tax costs incurred by Masabi. A minimum handling fee of $100.00 (USD) will be charged.

Note: When the repair of a part is anticipated to be uneconomical; i.e., likely to cost approximately the same or more than a replacement part, or where the original part is discontinued or considered end of life, a replacement part will be quoted for. In this case, at the discretion of Masabi, the Customer may be requested to hold the faulty part in stores until such time as it can be collected rather than arranging it to be shipped to Masabi.

Note: Cable assemblies, PSUs and Configuration USB Keys are uneconomical to repair and therefore will always be replaced.

Appendix A – RMA Request Form

Please complete the below section of this form and send it to support@masabi.com to arrange for the replacement or repair of faulty hardware.

Reason for replacement/failure description:
Health Monitoring state at time of failure:
MASABI USE ONLY
Serial No. Part No. Station/Vehicle Username FCA & Turnstile Parent Serial No. Date Time Removed By Reported By Contact Name Return Address Contact Tel. Contact E-mail RMA No. Date Issued RMA Issued By ZenDesk No.

EXHIBIT D - VALIDATION HARDWARE PCI COMPLIANCE PLAN

DP3-0001-01 MASABI HARDWARE CONFIDENTIAL ver. date. title. pg. 01 2019-12-13 Masabi Hardware: Justride Validator (JRV) Payment Card Industries (PCI) Hardware Compliance Plan 1/16

Masabi Hardware: Justride Validator (JRV) Payment Card Industries (PCI) Hardware Compliance Plan

Document No.: DP3-0001
Version: 0B
Date: 2019-12-13
CONFIDENTIAL

Revision History

Author | Version | Date | Details of Change
CB | 00 | 2019-06-10 | DRAFT
MC | 0A | 2019-06-19 | DRAFT - Review of Initial Draft
CB | 0B | 2019-07-01 | DRAFT - Second Review
CB | 01 | 2019-12-13 | Release

Copyright

Copyright Masabi Ltd 2019. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission of the publisher.

Table of Contents

1 Introduction
1.1 Purpose
1.2 Objective
1.3 Conventions
1.4 Glossary
2 Responsibility
3 Delivery, Storage, Installation & Disposal
3.1 Delivery
3.2 Storage
3.3 Installation
3.4 Operation
3.5 Disposal
4 Regular Inspections
4.1 Daily Inspection
4.2 Annual Audit
5 Response on Discovering a Tampered JRV
6 Personnel & Training
1 Introduction

In order to allow contactless EMV (cEMV) bank (debit) and credit cards to be used as tokens within the Justride platform it is necessary for validation hardware to be capable of interacting with these cards. To provide this functionality, the Justride Validator (JRV) contains a contactless smartcard reader with the necessary approvals to interact with cEMV cards, handle Cardholder data and contain the encryption keys needed to process payments.

In order to minimise abuse or fraud, and increase controls around cardholder data, card brands, such as Visa, Mastercard and American Express, mandate that systems processing card payments or handling Cardholder data must fulfil the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance is validated by periodical assessment by a Qualified Security Assessor (QSA).

In addition, the hardware used to complete transactions must have Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) device approval. In the case of the JRV, the integral cEMV card reader within it is certified to PCI PTS v4.0 as well as EMV contactless Level 1 and Level 2 for various card payment brands.

As part of ensuring compliance with PCI DSS, and to prevent an invalidation of the PCI PTS POI device approval for a particular device, the JRV must be handled and inspected in certain ways throughout its lifecycle. This document contains herein the generic process and procedures for handling of the JRV as a cEMV reader.
Warning: Failure by the Agency to comply with the requirements set out in this document may, at the sole discretion of Masabi, result in the withdrawal of cEMV capability from the platform or other actions deemed appropriate to either return the system to a PCI compliant state or otherwise remove it from service to protect Cardholder data and/or Masabi’s PCI DSS compliance, at the sole cost of the Agency.

Note: For JRV deployments which are not currently accepting cEMV cards, the requirements in this document must be observed for this capability to be enabled later. If they are not, each JRV must be returned to Masabi prior to their being used for cEMV interactions. Unless contractually agreed otherwise, this will be completed at the Agency’s expense.

1.1 Purpose

This document outlines herein the mandated handling requirements and procedures applicable to Masabi’s customers deploying JRVs that are or may be used to handle cEMV interactions with the intention to ensure that the deployment is compliant with the requirements of PCI DSS and the unit remains within its PCI PTS POI approvals.

1.2 Objective

The intention of this document is to ensure that Agencies are provided with all necessary information so that cEMV enabled JRV deployments are compliant with PCI DSS.
In order to achieve this, this document will outline the below:

- Handling and storage requirements
- Inspection requirements
- Personnel training requirements

1.3 Conventions

Throughout this document the following format will be used for notes and important information:

Important: Mandatory and important notes that must be fulfilled

Note: Important notes regarding mandatory requirements that may affect correct operation but do not present a safety risk or danger of damage to equipment.

Recommendation: A non-mandatory addition to the instruction intended to highlight methods of completing actions that were previously found to be the most efficient or easiest.

Throughout this document Masabi’s Customer will be referred to as “the Agency”, transit riders or Customers of the Agency will be referred to as “Cardholders”.

1.4 Glossary

Acronym | Definition
JRV | Justride Validator
PCI | Payment Card Industry
DSS | Data Security Standards
POI | Point of Interaction
PTS | PIN Transaction Security
PIN | Personal Identification Number
cEMV | Contactless EMV
EMV | Europay Mastercard Visa
QSA | Qualified Security Assessor
IAT | Installation Acceptance Test
2 Responsibility

With whom responsibility for PCI DSS compliance lies is dependent on who is the merchant of record and therefore may differ between deployments; however, in general:

The Agency is responsible for ensuring that the requirements set out in this document, or any supplementary payment security document that may be applicable to the particular deployment, are carried out and appropriately documented.

During the course of a project to deploy cEMV capable JRVs, the Agency shall identify a suitable person, or position, within their organisation to act as the nominated responsible person and point of contact for PCI DSS compliance and compliance with the requirements set out in this document. That person or the Agency may also identify suitable deputies for this role. The nominated responsible person and their deputies will be recorded and shared with Masabi in line with the established governance for the project.

Masabi is responsible for ensuring that this document is kept up to date and new versions are provided to the Agency as and when changes in PCI DSS or internal processes require.

3 Delivery, Storage, Installation & Disposal

Throughout the life cycle of any individual JRV it must be handled in accordance with the requirements laid out in this section to ensure that it is still in compliance with PCI DSS. The key stages of the life cycle of a JRV are delivery, storage, installation, operation and disposal. This section will provide an outline of the processes that are to be followed at the delivery, storage, installation and disposal stages.
3.1 Delivery

Before a JRV is deployed it is important to ensure that it has arrived at the Agency in the same state that it was shipped by Masabi. Masabi therefore require that the Agency performs an inspection of each consignment, and JRV within it, to validate that security, and therefore PCI DSS compliance, has been maintained.

Prior to shipment a consignment of JRVs will be sealed with tamper evident labels and/or tape by Masabi. These will be of a design of which the Agency has been made aware. Upon delivery, or as soon thereafter as possible, suitably trained and authorised Agency staff shall verify that the seals are intact and that the consignment shows no other sign of tampering.

If the seal is broken, or other signs of tampering are identified, the Agency shall inform Masabi via support@masabi.com so that further instructions can be provided. Ultimately, if a shipment or JRV is suspected of being tampered with, it will be returned to Masabi where steps will be undertaken to ensure the security of the cEMV card reader, e.g., by replacement, before the JRV is returned to the Agency.

The above inspection shall be carried out upon the return of any JRV.

Where no evidence of suspected tampering is found, appropriately trained and authorised Agency staff shall:

1) Verify the serial numbers of both the JRV and the integral cEMV reader against a manifest provided by Masabi,
2) Validate that the internal tamper evident label over key screws does not show signs of being removed,
3) Inspect the unit for any signs of damage e.g., cracks or scratching, et cetera.

Any discrepancies must be raised with Masabi via support@masabi.com so that further instructions can be provided. Again, if a shipment or JRV is suspected of being tampered with, it will be returned to Masabi where steps will be undertaken to ensure the security of the card reader, e.g., by replacement, before being returned to the Agency.
All of the inspection steps given in this section shall be carried out upon the return of any JRV.

Note: The inspection steps within this section apply to both new and returned, repaired and/or refurbished JRVs.

Note: Where records are not provided, are incomplete, inaccurate or otherwise unsatisfactory, Masabi may, at the Agency’s expense, arrange for a team to visit to verify the inspections and/or replace the units.

3.2 Storage

Whilst not installed, e.g., prior to installation, when being held as spare stock or after being removed from the field, JRVs must be stored in a secure location to which access is restricted to appropriately trained and authorised Agency staff only. This can be in the form of, for example, a locked room or cabinet to which only authorised persons have keys.

An accurate inventory of all JRVs shall be maintained by the customer. The inventory shall include the serial number of both the JRV and the integral cEMV card reader. Each addition or removal of a JRV to or from storage shall be recorded with each instance including the date and time of the movement and who it was made by. Each instance of access to the secure location shall be recorded.

The intention of these requirements is to ensure that the risk of devices being stolen, going missing or being tampered with is reduced as much as is practicable whilst they are out of service.

Should a JRV be found to be missing or otherwise unaccounted for, the Agency shall inform Masabi of this immediately via email to support@masabi.com.

3.3 Installation

Installation is the point at which the JRV enters public service and is therefore exposed to Cardholders.
It is therefore important that certain procedures are followed and checks made to ensure that the JRV is as it should be prior to installation.

Scripts for the installation, commissioning and testing of a JRV, including inspections required under PCI DSS, shall be included as part of the project documentation, e.g., within the appropriate Installation Work Instruction and/or Installation Acceptance Test (IAT) Procedure. A general outline of the activities that need to be completed and aspects that need to be inspected are outlined below.

Important: The JRV must not be left unattended in an insecure area between storage and completion of installation.

Before installation, the unit shall be carefully inspected by an appropriately trained and authorised Agency employee to confirm that the unit is suitable for use. This inspection will look for:

- Damage to the enclosure of the JRV
- Damage to the enclosure of the integral cEMV card reader
- Suspicious or extraneous wiring or parts
- Damaged or otherwise non-functioning lock
- Void or missing tamper evident label(s)
- Incorrect JRV serial number based on provided documentation
- Incorrect integral cEMV card reader serial number based on provided manifest documentation and the JRV serial number that it is within

The result of all inspections shall be thoroughly recorded and provided to Masabi in accordance with the project governance for the deployment or via the Agency’s Masabi account manager if installation is after initial deployment. The records, along with installation, commissioning and test records, must be marked correctly with date and (where required) time as well as the name of the person or people completing each inspection or activity.
The Agency must inform Masabi of inspection failures which indicate potential tampering via support@masabi.com so that further instructions can be provided. If a JRV is suspected of being tampered with, it will be returned to Masabi where steps will be undertaken to ensure the security of the cEMV card reader, e.g., by replacement, before being returned to the Agency. Dependent on the age of the reader and nature of the inspection failure, this may or may not be covered under warranty.

At the conclusion of the installation, a final visual inspection to ensure that the JRV is properly fitted and is securely locked in position shall be completed and recorded. Again, records shall include date and, if necessary, time as well as the details of the person completing the inspection with copies provided to Masabi.

The Agency must maintain an accurate record of which JRV is installed on which vehicle and the home base of that vehicle. These records must be updated if, for example, the JRV is replaced due to a fault.

Template forms for all these records will be made available to the Agency by Masabi.

Note: Where records are not provided, are incomplete, inaccurate or otherwise unsatisfactory, Masabi may, at the Agency’s expense, arrange for a team to visit to verify the inspections and/or replace the units.

3.4 Operation

Operational JRVs, i.e., those that have been installed, commissioned and tested such that they enter revenue service and handle Cardholder data, must undergo a regular and robust inspection regime to identify potential tampering. This is outlined in Section 4 of this document.

During the operational stage of the JRV lifecycle, some JRVs will be damaged or otherwise suspected of being faulty. In these cases the Agency must inform Masabi of the faulty unit by emailing support@masabi.com as per the Warranty Plan.
However, in the case of cEMV capable JRVs, Masabi and the Agency must additionally make a determination of whether the fault or damage was caused during an attempt to tamper with the JRV in such a way as to expose Cardholder data, or payment keys, et cetera. The Agency shall provide Masabi with any additional information requested to complete this assessment.

Faulty or damaged JRVs must still be handled with the same care, with regard to PCI, as those which are fully functional, i.e., faulty JRVs must not be left unattended having been removed from the vehicle, must be stored in the same conditions as a working JRV (see Section 3.2) and must be shipped in tamper evident packaging.

Where a JRV is replaced due to damage or a suspected fault, the same process followed for initial installation, particularly with regard to the inspections outlined in Section 3.3, must be followed when installing the replacement JRV.

All records concerning storage and the details of which JRV is installed on the vehicle must be updated whenever a JRV is replaced to ensure their accuracy.

3.5 Disposal

When a JRV reaches the end of its useful lifetime the integral cEMV card reader within the JRV must be securely destroyed. Depending on the specific contract agreed with the Agency, this may be completed by Masabi on their behalf, and potentially at their cost, or they may request approval from Masabi to use a third party. Approval will not be unreasonably withheld by Masabi; however, all parties must be confident that disposal will be completed appropriately to maintain the security of the deployment and hence PCI compliance.
In all cases, units shall be shipped in packaging with tamper evident tape or labels, and shall be inspected upon delivery by the receiving partner.

In the case of a third party being contracted, the destruction of each unit must be recorded with minimum details including the serial number of the integral cEMV card reader, the date of destruction and who completed the destruction, forming a certificate of destruction. The certificate of destruction shall be provided to Masabi in accordance with the project governance for the deployment or via the Agency’s Masabi account manager if it is after initial deployment.

The Agency must inform Masabi of inspection failures which indicate potential tampering via support@masabi.com so that further instructions can be provided.

Note: Where records are not provided, are incomplete, inaccurate or otherwise unsatisfactory, Masabi may, at the Agency’s expense, arrange for a team to visit to verify the inspections and/or replace the units.

4 Regular Inspections

Following a successful installation the JRV will be available for use by Cardholders. In order to ensure that the JRV is not tampered with or otherwise compromised whilst in the field, it is necessary to regularly inspect the JRV and its integral cEMV card reader. There are two types of inspection:

1) The Daily Inspection is intended to become part of a driver or operator’s pre-departure vehicle checks
2) An Annual Audit is a more in-depth inspection completed by appropriately trained and authorised Agency employees to ensure that the unit is unchanged since installation.

The following subsections provide an outline of each of these inspections.
4.1 Daily Inspection

This inspection is intended to become part of the fare booth attendant opening activities and driver or operator’s pre-departure vehicle checks, and includes verification of the following:

- Is the JRV present?
- Is the JRV securely fixed and locked onto the pole?
- Are any new or strange cables, etc., running out of the JRV?
- Does the JRV power up as expected?
- Is there anything fixed to the JRV enclosure that is not expected, e.g., labels on the unit that are not sanctioned by the Agency?

In the event that a driver identifies something that they believe is a sign of tampering, this should be raised with their supervisor for further investigation.

Important: Where tampering is suspected, the JRV must be removed from service immediately and the incident reported to Masabi.

The Agency’s appointed PCI responsible person or their deputy may be asked to periodically attest to Masabi or to a QSA that these visual checks of the JRV are being undertaken as part of normal daily vehicle checks and/or maintenance checks by Agency operational staff.

The Agency must inform Masabi of inspection failures which indicate potential tampering via support@masabi.com so that further instructions can be provided.

4.2 Annual Audit

In addition to the Daily Inspection, an Annual Audit of all JRVs, whether in storage or installed, must be completed. Masabi will provide templates that appropriately trained and authorised Agency staff will use to complete the Annual Audit.

Inspections completed during the Annual Audit include:

- Inspection of the JRV enclosure for damage or changes that may compromise the security of the unit or otherwise indicate that the device has been tampered with.
- Inspection of the JRV lock to ensure that it works correctly and can be locked and unlocked with the correct key.
- Inspection of the tamper evident labels to ensure they are present and not voided.
- Inspection of the JRV for signs of additional or extraneous wires, circuit boards, labels or other parts which are not approved by Masabi and the Agency.
- Verification of the serial number of the JRV
- Verification of the serial number of the integral cEMV card reader within the JRV
- Verification that the combination of serial numbers for the JRV and the integral cEMV card reader is correct and as expected.
- Verification that all JRVs are present and correct.

Important: Where tampering is suspected, the JRV must be removed from service immediately and the incident reported to Masabi.

The results of the above inspection shall be thoroughly documented, including evidence of the inspection having taken place, the date, time and location of the inspection as well as details of the person or people that completed it. The result of all inspections shall be provided to Masabi in accordance with the project governance for the deployment or via the Agency’s Masabi account manager if the inspection is completed after initial deployment.

The Agency must inform Masabi of inspection failures which indicate potential tampering via support@masabi.com so that further instructions can be provided. If a unit is suspected of being tampered with, it will be returned to Masabi where steps will be undertaken to ensure the security of the cEMV card reader, e.g., by replacement or re-flashing of firmware and keys, before being returned to the Agency. Dependent on the age of the reader and nature of the inspection failure, this may or may not be covered under warranty.

Note: Where records are not provided, are incomplete, inaccurate or otherwise unsatisfactory, Masabi may, at the Agency’s expense, arrange for a team to visit to verify the inspections and/or replace the units.
5 Response on Discovering a Tampered JRV

In order to minimise the potential exposure of Cardholder data it is important that instances of suspected tampering are dealt with quickly. An outline for the process that may be followed upon discovery of suspected tampering with a JRV is given below. The precise response will depend on the nature and severity of the issue.

Important: Where tampering is suspected, the JRV must be removed from service immediately and the incident reported to Masabi.

1. Remove the JRV from service and secure it.
2. If tampering is suspected but the person who has identified it is unsure, this should be passed to an appropriately trained and authorised Agency employee to verify. If uncertainty remains this should be escalated to the nominated responsible person within the Agency or one of their agreed deputies.
   Note: If there is any doubt as to whether the unit has been tampered with, the device shall be handled as a manipulated unit.
3. Inform Masabi of the issue via support@masabi.com with as much information as possible, including photographs if available.
   Note: Masabi may request that the tampered JRV is made available for inspection depending on the nature of the suspected tampering.
4. If necessary upon discussion with Masabi, the Agency and Masabi shall inform local law enforcement.
5. If, as determined by Masabi and the Agency, the Cardholder data environment may be affected, the implicated payment schemes must be informed by the Agency and Masabi.

Important: If the incident has affected the Cardholder data environment, and has impacted the system components within this environment, the incident must immediately be reported, and its severity and other essential information provided, to the applicable payment brands.
The following table shows links to the major payment brands and how to handle such incidents for each:

Payment Brand | Information on Incident Handling and Reporting
VISA | https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf
MasterCard | https://www.mastercard.us/content/dam/mccom/en-us/documents/account-data-compromise-manual.pdf
American Express | https://www.americanexpress.com/us/merchant/fraud-prevention.html
Discover Card | http://www.discovernetwork.com/fraudsecurity/databreach.html
JCB | http://www.global.jcb/en/l

6 Personnel & Training

Agency personnel that are permitted to access stored JRVs, complete installation or maintenance of JRVs or complete inspections must have undergone appropriate training and been explicitly authorised by the Agency. Records of training and authorisation, and removal of authorisation, etc., are to be accurately compiled and maintained by the Agency and made available to Masabi upon request.

Training requirements will be agreed between Masabi and the Agency during the project to deploy the cEMV capable JRV, but will generally consist of a ‘train-the-trainer’ approach.
Each member of Agency staff who has a responsibility for or involvement in the cEMV capability of the JRV must be given training on the tasks they will undertake as well as the general requirements and importance of PCI DSS compliance, the consequences of not following the requirements and how they should report anything which is suspicious or indicative of tampering.
Note: The training must be refreshed every year. All instances of training, refresher or otherwise, are to be recorded by the Agency.
Note: Where records are not provided, are incomplete, inaccurate or otherwise unsatisfactory, Masabi may, at the Agency’s expense, arrange for a team to visit to verify their accuracy.

EXHIBIT E - SUPPORT SERVICES AND SLA

Masabi Support- Supporting You and Your Passengers
v. 3.3
August 31st, 2021

Supporting Justride Agencies and Riders
Confidential Commercial Information

Table of Contents
Executive Summary
Masabi Support Vision
Standard Agency Support
Developer Support Model
Hardware Support
Masabi Support Program
Overview
Standard Support
Technical Support Operational Hours
Omnichannel Support
Support Meetings
Release Notes
Ticket Activity Reports
Support Newsletter
Training Programs
Standard Training
Custom Training Programs
Ongoing Training
Additional Support Services
Rider Support Operational Hours
In-App Support for Riders
In App Support Access
Advanced Analytics
Chargeback (Merchant of Record) Support
Technology Partner Support
SDK Developer Support
Developer Resources
Developer Training
Support Program Performance
SLA policies in Zendesk
Efficiency through Automation
Performance Measurement and Reporting
Support Team Roles
Appendix A – Support Guidelines
Document Purpose
Submitting Support Requests
Overview
Where can I find Masabi’s contact details?
Information to provide when submitting Support requests
Standard Support Requests
Submitting Standard Support Requests via the IVR
Submitting Standard Support Requests via the Online Help Center
Submitting Standard Support Requests via Email
Submitting Critical Support Requests
Submitting Other Requests
SDK & API support
Submitting a Chargeback Challenge Request (MOR)
Feature Requests & Enhancements
UAT Support
Masabi Help Center
Help Center Security
Managing Support Requests in the Help Center
Self-Service Knowledge Base
Release Notes
Following Knowledge Base sections, articles, and comments
Unfollowing Knowledge Base sections, articles, and comments
Promoted Articles
Self-Service Rider Support
Step One
Step Two
Contacting Customer Service
Submit A Ticket (Online)
Contact Us
Appendix B – Masabi Training Modules
Appendix C(1) – Incident Management Guidelines
Executive Summary
Document Purpose
Introduction
Definitions
Roles and Responsibilities
Masabi Roles & Responsibilities
Masabi Customer Support
Masabi IT Operations Support
Account Management
Agency Roles & Responsibilities
Agency Justride Application Owner
Primary Agency Contact – IT Service / Customer Support Desk
System Uptime Performance
Retail Product Suite Priority Assignment
Validation Product Suite Priority Assignment
Definition of an Incident
Incident Logging & Categorization Process
Overview
Incident Notification Types
Incident Logging and Categorization
If Masabi Identifies a P1 or P2 Incident
If Agency Identifies a P1 or P2 Incident
For All P1 and P2 Incidents
Incident Categorization
Incident Prioritization
Impact Values
System Definitions
Priority Assignment
Target Response Times
Quick Reference Priority Assignment Examples
Incident Escalation
Overview
Response Process
Incidents Resolved by Release
Incident Tracking and Monitoring
Incident Closure
Appendix C(2) – Incident Monitoring Priority Classifications
Systems Definitions Matrix
Appendix D – Masabi Hardware RMA Procedure for Justride Validators
Appendix F – Points of Contact
Agency Support
Rider/Passenger Support
Account Support
Management Contacts
Appendix G – System Architecture & Performance
Agency System Architecture
System Resiliency and Uptime
Performance Agreement Between AWS™ and Masabi
Amazon Web Services (AWS™)
AWS Response Time
Third Parties Services Incorporated into the Agency Mobile Platform
Apple Application Repository (iTunes Store™)
Google Application Repository (Google Play Store™)
Payment Gateway/Merchant Acquirer Services
Braintree Payments Settlement Service
Customer Defined Payments Settlement Service (e.g. ChasePayment, PayEezy etc.)
Incident Monitoring
Live StatusPage and Agency Notifications
Monitoring & Alerting Tools
StackDriver2
PagerDuty
LogEntries
Pingdom Health Checks
Performance Monitoring
Appendix H – Disaster Recovery Plan
Masabi Disaster Recovery Strategy
Where is Masabi present:
Current Masabi AWS Region deployment:
Summary of current strategy:
What can the current plan mitigate against:

EXECUTIVE SUMMARY

This document outlines Masabi’s support programs and the process for supporting and managing inbound customer and agency requests. It also provides a detailed description of the Masabi Incident Support Management process and the Standard Level Agreement levels to respond and resolve critical incidents.

MASABI SUPPORT VISION

Every rider using a Masabi app has a destination they would like to reach. Masabi’s support service is no different. The following should provide an indication to an Agency of what Masabi strives for every single day:
1. Minimize any disruption an agency’s riders have going about their day-to-day lives.
2. Honest and honorable in everything Masabi does
3. Masabi employees may work with multiple agencies, but they care about each interaction as if they were employed by the agency
4. Measure, manage and move on to the next goal

Masabi provides a range of support programs for agencies and their riders so that every agency has the support that best fits its own programs, rider expectations, and staffing.

STANDARD AGENCY SUPPORT

Based upon Masabi’s experience in the transit industry, most agencies prefer to own the direct customer experience.
This allows them to provide their customers with high-touch customer service along with a full-service approach to any customer issue, whether it’s about operating schedules, agency policies, ticket rules, fare questions, TVMs, the mobile app, routes, or any other general inquiry. We’ve also found that bifurcating customer support channels creates customer confusion as to who should call, and when, so a single point of entry, backed by Masabi’s full support, training and escalation.

Masabi provides standard second level support for an agency. This means that the agency acts as first-line support for its customers and staff, and Masabi acts as second-line support for the agency by handling its more technical or complex support issues.

Masabi’s standard support offering covers the following:
1. Creating an app experience that is simple, fast and easy to use
2. Creating embedded help tools within the App to assist front line customers with commonly asked questions and troubleshooting tips (similar to the approach taken by Rideshare)
3. Creating an access point for riders into a self-registration to the Justride Knowledge Center with over 500 ready prepared questions to support inquiries
4. Creating help within the Agency facing portals (Hub, Partner etc) to address most of the common issues (as well as the comprehensive training)
5. Providing all tools to fully support an agency's customer services team: training, reference materials, standard responses, and troubleshooting trees.
6. Providing train the trainer sessions on all core materials and areas of knowledge, as well as ongoing training
7. Providing an 8:30 to 6:00 pm second line support via email, telephone,
8. Providing 24 hours 365 days per year IT Support Operations
9. Working directly with an end-customer and supporting the agency team on a case-by-case basis with agency approval
10. Providing chargeback management and challenge support as part of the bundled payments processing service
11. Providing weekly support reviews with agency staff to review tickets, answer open questions and identify trends
12. Providing a monthly newsletter with tips and tricks, troubleshooting guides and recent promoted articles

DEVELOPMENT SUPPORT MODEL

Masabi offers specialized developer support to technology partners who are integrating the Justride SDK into their own applications and solutions as well as limited ongoing support.

HARDWARE SUPPORT

Masabi’s On Board Validation (OBV) solutions, the third party Access Val-100 Inspect Validator and the Justride Validator (JRV), have planned product lifetimes in excess of eight years with a return to base (RTB) service model. The proposed OBV solutions themselves have a designed Mean Time Before Failure (MTBF) of 50,000 hours and 88,000 hours for the Val-100 Validator and Justride Validator respectively.

All hardware is covered by a statutory one (1) year warranty after delivery. Additional extended warranties are available to provide longer term warranty coverage. Masabi also provides the option to purchase spares to cover their service in the event of any technical maintenance issue and show-tap devices to provide a quick return to service operation.

While rarely required, Masabi can also provide on-site technical services (field engineers, support engineers etc) for any high visibility upgrade support or any complex troubleshooting (e.g. network or environment support) should the need arise. Masabi will quote these services upon request.
MASABI SUPPORT PROGRAM

OVERVIEW

Masabi’s support program is delivered primarily through second line support, and when necessary, through extended escalation and direct customer engagement services. The Masabi support program is comprised of the following:

Standard support activities include:
● Responding to support tickets and questions agencies are unable to resolve
● Verifying the existence of any software defect and determining the scope of its impact
● Submitting feature requests and other feedback on behalf of agencies
● Escalating incidents and other issues
● Helping to maintain quality standards throughout the support process
● Notifying agencies of planned system maintenance, expected outages, or alerts from third party services
● Providing agencies with copies of Incident Tracking and Monitoring logs and other relevant information from the Incident Management Suite
● Collaborating with Masabi engineers to develop resolutions or workarounds
● Contributing to outage reports that detail the root cause, impact, and actions taken to prevent recurrence
● Administering faulty hardware returns
● Attending incident review meetings
● Testing fixes and notifying agencies when issues are resolved
● 24x7 Web based issue logging tool via “help & support” in the Hub
● 24x7 email logging tool available through support@masabi.com or criticalsupport@masabi.com
● 24x7 IVR phone system which will notify Masabi support for priority items

STANDARD SUPPORT

Technical Support Operational Hours
The Masabi technical support center is staffed by a team of qualified engineers in the US and London. Phone support is available 5 days a week from 9:00 am UTC to 9:00 pm UTC.
Agencies submit and review tickets at any time through the support portal.

Omnichannel Support
Masabi has tailored its inbound support process to provide multiple channels for you to contact us. Masabi uses Zendesk, a Gartner top award winner for support management. Zendesk is configured to organize and track all incoming support requests, from all channels. It is also used by engineering teams and product managers to help manage escalated issues effectively. Zendesk automated workflows are used to increase support efficiencies, and integrations with software development tools extend functionality and provide a seamless workflow between each engineering department. It is also used to track customer satisfaction via surveys and feedback.

Support Meetings
Masabi holds regular support meetings with key agency staff to review support tickets and other issues. These meetings are held weekly, bi-weekly, or monthly per agency preference.

Release Notes
Masabi publishes release notes on Zendesk to help agencies stay informed about the latest features and fixes. Masabi support agents publish release notes as soon as they have been approved by the product teams.

Ticket Activity Reports
Masabi Support can provide the agency with reports for day-to-day ticket activity on request. These reports allow the agency to monitor daily ticket activity, agent performance, compliance with your service level agreements and average resolution times.

Support Newsletter
Masabi publishes a quarterly support newsletter featuring information on new features in its products, troubleshooting tips, promoted help center FAQs, customer survey polls and training announcements.
Training Programs

Standard Training
Masabi provides training on all standard components of the Justride platform, as well as courses, guides, and job aids that cover core Justride platform features and modules, go-to-market strategies, technical troubleshooting, hardware installation and usage, and other topics specific to an agency’s deployment. Materials are available in multiple languages to support regional or local needs. Refer to Appendix B for a list of the standard training sessions.

Custom Training Programs
In addition to the standard programs and refresher training, Masabi can provide fee-based custom training programs for specific course development including videos, specialized integrations, multi-language needs, train-the-trainer programs, or other learning aids. The training programs are fully customizable, include the agency’s brands and type of equipment in use and enable agency staff to successfully administer and support the Justride mobile ticketing platform.

Most often, training sessions are delivered via live webinars that include presentations, demonstrations, and Q&A. Masabi can host from 1 to 45 participants per training session. Your account manager will work with you to develop a training schedule that meets your needs and can provide additional training exercises and certificates based upon required levels of understanding. With advance request, Masabi can provide your agency with a recording of the live sessions along with copies of the slide decks.

Ongoing Training
After completing any of Masabi’s training programs, any performance or knowledge gaps can be addressed through Masabi Support via a support request, attendance at quarterly webinars, or through the self-service Knowledge Base. Agencies may also contact Masabi Account Management with requests for additional training sessions, topics, job aids, or other supporting materials and service offerings.
ADDITIONAL SUPPORT SERVICES

Rider Support Operational Hours
The Masabi technical support center is staffed by a team of qualified engineers in the US and London. Phone support is available 5 days a week from 9:00 am UTC to 9:00 pm UTC. Riders can contact support by calling a dedicated phone number or sending an email.

In-App Support for Riders
During the deployment process, Masabi provides an in-app Standard Support Frequently Asked Question (FAQ) area with relevant and important information for riders / passengers. This is in addition to a general Agency policy and frequently asked questions. The Standard Support FAQ also provides riders with access to a Help Center which allows them to access additional information and submit and track their support tickets via Masabi’s support solution.

In App Support Access
In cases where Masabi is providing first line support for an agency, its riders can access an online help center from a link on the in-app Standard Support FAQ screen.

Advanced Analytics
The Justride platform is integrated with the third party Tableau analytics tool, which can be used by agency staff for building custom reports, data tables, visualizations and other analytics across all data within the Data Warehouse using an easy Windows application and/or web user interface. An example is the trace of validation events on Inspect bus validators in Las Vegas over a single day:

Masabi can set up as many licenses as the agency requires, with a passthrough cost of the Tableau licence fee. All bespoke analytics work is charged through Masabi’s Professional Services team.
Chargeback (Merchant of Record) Support
Masabi understands the importance of recovering lost revenue and challenging illegitimate consumer behaviors. If Masabi is contracted as a Merchant of Record, it will assist the agency with Chargeback Management Services, analysis and reporting as well as the process of challenging chargebacks.

TECHNOLOGY PARTNER SUPPORT

SDK Developer Support
Whilst Masabi provides ongoing support for SDK partners, Masabi partners should have mobile development and API integration experience. Organizations that do not demonstrate this experience will need to sign up for a technical support agreement with a minimum of 5 days of technical and delivery support pre-agreed. The Masabi team can set up regular calls to ensure that the agency has everything they require to complete effectively, including providing a time to answer questions, as well as the opportunity to further understand the functionality provided through the Masabi SDK.

The Technology Partner will be able to raise up to 20 support requests per year. If the agency requires additional support, they will need to set up a development support contract with Masabi which will provide more direct access to Masabi development, and support and maintenance teams as required. During SDK integration, Masabi will provide support between 9am to 6pm (UTC).

Developer Resources
The Justride SDK enables a third-party application to access and use mobile ticketing provided by the Justride platform within their own application. All SDK partners will have access to an integration guide that covers the basic steps required to get started with a new SDK integration. Partners will need to sign an NDA before gaining access to the SDK guide.
Developer Training
For SDK partners, Masabi can provide a technical workshop to the agency technical teams to provide a 2-4 hour overview of the Justride SDK, during which Masabi will provide suggested workflows, go through the agency’s proposed use cases, as well as answer any technical questions that the agency technical team may have.

SUPPORT PROGRAM PERFORMANCE

SLA policies in Zendesk
Masabi has two policies set up in Zendesk which help Masabi Support engineers prioritize requests and ensure service level goals are met.

The Masabi Incident SLA policy:
- Is only applied when a ticket stems from an incident (as opposed to, for example, a feature request or user error)
- The priority value is based on Masabi’s standard agency SLAs

The “All-Other” tickets SLA policy:
- Is only applied when the ticket is not an incident
- The priority value is based on the following SLAs:

Efficiency through Automation
Zendesk triggers are applied to the Masabi support process to improve workflow and responsiveness by automatically performing actions whenever a ticket is created or updated with specific conditions.

Automated tasks

Performance Measurement and Reporting
Masabi tracks all customer interactions within Zendesk. Every email, phone call, and online entry is recorded. This enables Masabi to determine response times, resolution times, and number of requests created per agency. The support performance measurements represent real time data. Reports are run daily, monthly, quarterly, and yearly and are reviewed regularly with the account management and project management teams.
The reports contain a range of key performance metrics, including:

Team Level Metrics
● Acknowledgement Time
● First Reply Time
● Interactions per request
● Customer satisfaction
● Median Handle Time
● Median Resolution Time

Individual Agent Metrics
● Resolved Cases
● Customer Interactions
● Customer Satisfaction
● Median Handle Time

Masabi can effectively filter report data by agent to get a snapshot of individual performance or analyze its global satisfaction level as reported through customer surveys. Masabi uses this data to identify and address areas in need of improvement.

Sample of support engineer individual metrics

Global satisfaction level and survey response rates

Benchmark charts display three key metrics: customer satisfaction, first reply time, and new ticket volume. Masabi uses this data to adjust policies, change team workflows, and evaluate whether the service provided is above or below peer and industry standards.

Sample benchmark data

Customer Satisfaction
In addition, the support performance management solution tracks agency satisfaction ratings on a ticket by ticket basis. Feedback is captured and, if applicable, shared with the agency during regular account reviews. By default, each closed support request will receive an acknowledgement that the ticket has been closed and an offer of a survey where a rating can be submitted.

If contracted, the transport agency can request Masabi to monitor rider satisfaction through the default ticket surveys or Masabi can set a custom survey for their riders, with a passthrough cost of the third party survey application. All bespoke survey work is charged for and delivered by Masabi’s Professional Services team.
IT Operations Management & Maintenance
The Justride SaaS platform is continuously monitored and upgraded biweekly. Regular maintenance includes platform fixes, patches, and upgrades. Masabi IT Operations Management operates 24 hours per day, 365 days a year to handle any issue that arises with the platform.

Masabi IT Operations Management has the primary goal of triaging, investigating and resolving platform-wide incidents in accordance with the SLAs. The IT Operations Management team monitors the performance, load balance, and scalability of the Justride platform and serves as the rapid response team for any perceived or actual degradation of service. The Masabi IT Operations Management team resolves complex incidents and provides effective workarounds that allow business operations to be resumed with minimal downtime or impact to riders.

IT Operations Management is also responsible for deploying new releases of software across the Justride platform live production environment and for ensuring that all releases perform as expected. In addition, alerts are distributed via the live status page for any scheduled maintenance programs.

Account Management
After Masabi Project Management has successfully launched its services with an Agency it will appoint an Account Management team to manage the ongoing Agency relationship and adoption of Justride within an agency. An Account Manager works with the agency’s stakeholders to update them on new features, present the Masabi product strategy and roadmaps, assist in developing new sales channels for an agency based upon the flexible Justride platform, address customer and rider concerns, track metrics for adoption and growth, and assist with scoping custom development features.
The Account Manager may also on an ongoing basis, Masabi conducts support ticketing reviews to ensure that all support tickets have been communicated, escalated, and resolved according to the standards set out in the SLA.

Support Team Roles
● Head of Services – Responsible for the executive oversight and performance management of Support, Education, Project Management, and Account Management.
● Account Manager – Responsible as the day-to-day owner of an agency and its contract with Masabi. The Account Manager is responsible for the relationship management and agency satisfaction with Masabi and the Justride platform.
● Support Manager – Responsible for overseeing the support team and ensuring that Masabi is constantly delivering excellence in customer service.
● Support Engineer – Responsible for responding to inbound technical and support requests. Serves as the support liaison with technical teams, product management, and Masabi development. Creates KPIs and manages monthly support reviews.
● Training Consultant – Responsible for the design and delivery of comprehensive training programs for agencies including needs analysis, courseware design, materials development, and training delivery.

APPENDIX A – SUPPORT GUIDELINES

Support Guide for Agencies
Version: 1
Date: 1.1.2019
CONFIDENTIAL

Revision History
Author: Sergio Da Silva
Version: 1.0
Date: 2019-03-22
Details of Change: Final

Copyright
Copyright Masabi Ltd and Masabi LLC 2021. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission of the publisher.
DOCUMENT PURPOSE

This document (Support Guide for Agencies) outlines Masabi’s operational guidelines for standard operational support processes, how to interact with the Masabi support team and a detailed view of the process by which support tickets are submitted, reviewed and resolved.

SUBMITTING SUPPORT REQUESTS

OVERVIEW

When submitting a support request, it is important to know why you are contacting Support. Masabi has tailored its inbound support process to provide multiple channels for you to contact us. The diagram below shows the different types of requests and recommended channels (highlighted).

Definitions of Support Categories
Critical support is to report an issue which may indicate an impact to the overall operation of an Agency’s Justride service and prevents standard functions from being completed or used (e.g. ticket purchases, access to Hub, failure of Inspect, repeated and systematic payment processing failures).
Standard support is to report a single issue regarding a potential defect or issue reported by a single customer.
General support is to ask for knowledge base support and how-tos, or general questions about new functionality releases.

The standard support email, IVR and Help Center can be used for all requests, but if you have a critical request, you can raise the request via the IVR, critical support email or help center. Critical issues will invoke the incident monitoring process (Appendix C(1)).
WHERE CAN I FIND MASABI’S CONTACT DETAILS

The most up-to-date contact details can be found in the Help Center (also Appendix F).

INFORMATION TO PROVIDE WHEN SUBMITTING SUPPORT REQUESTS

To ensure a quick response you should include all relevant information when submitting support requests.

Required:
To minimize any delays in resolving your request, it is important to know the type of request you have and what information you might need from the rider. If applicable, all standard or critical support requests should include:
- Contact information
- Reason for the support request
- Description of the problem or resolution sought
- App or Account ID (if applicable)

Optional:
- Steps to recreate
- Impact to business

Agency staff may also submit a description of the priority or impact of the incident. Any tickets submitted via the help center will require certain fields before a ticket can be submitted.

STANDARD SUPPORT REQUESTS

All standard support requests go through the same workflow:
1. Support request is received: The request may be received online, over the phone, or through email
2. Support request is acknowledged*: An email acknowledgement is automatically sent within 15 minutes of submission
3. Ticket is created*: A ticket is automatically created in Zendesk and all support agents are notified
4. Ticket is assigned: A Masabi support engineer takes ownership of the ticket
5. Issue is triaged, escalated if needed, and resolved: Resolution and communication schedules are based on Masabi’s SLA (see Appendix C(1))

* When submitting a request via direct conversation with a Masabi support engineer, the engineer may provide verbal acknowledgement of the request and manually create the ticket in Zendesk

Automatic acknowledgement of receipt of support request

SUBMITTING STANDARD SUPPORT REQUESTS VIA THE IVR

Interactive Voice Response (IVR) is a telephony menu system that enables identification, segmentation and routing of callers to the most appropriate team. IVR segments calls by geography, hours of business, and priority.

Support requests can be submitted by phone by speaking directly with a Masabi Support engineer. If callers are unable to speak with an engineer, they can submit their request by leaving a voicemail message. IVR will translate the message from speech to text and notify the on-call support engineer.

Segment of IVR logic

SUBMITTING STANDARD SUPPORT REQUESTS VIA THE ONLINE HELP CENTER

Support requests can be submitted through Masabi’s help center by clicking the Submit a request link located at the top of the Home page and submitting the online form.

To submit a support request in Help Center
1. Click Submit a request at the top of the page
2. You can add one or more email addresses to copy a user on the ticket (separated by commas)
3. Enter a subject and description of the problem
4. As you enter a subject, a list of suggested articles in the knowledge base appears. You can click one of the articles instead of submitting the request
5. Add any required and optional information in the fields which describes your request*
6. If you belong to multiple organizations, select the organization for this support request
7. Add any attachment.
8. Attach a file if applicable.
There is a limit of 20 MB per attachment 9. Click Submit. Once submitted a ticket will be assigned to a support agent DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 Supporting Justride Agencies and Riders 22 Confidential Commercial Information A passenger’s form may differ fromthe form which is visible to agency staff. SUBMITTING STANDARD SUPPORT REQUESTS VIA EMAIL Most standard support requests are submitted via email. - Passengers submit requests to help@justride.com - Agency staff submit standard requests to support@masabi.com Agency staff must send support requests from an official agency email address. SUBMITTING CRITICAL SUPPORT REQUESTS Urgent or critical support requests can be submitted by agency staff using any of the following methods: 1. Calling the Support line and selecting the critical support option (Recommended) 2. Sending an email tocriticalsupport@masabi.com 3. Submitting a support request via the online help center and setting the ticket priority to Urgent Each of these options will invoke a different workflow which will flag the relevant parties in a different manner to a standard support request. This helps us to minimize the time from notification to initial investigation. When a critical support request is submitted, a notification is sent to the Masabi Services team and a text and/or email notification is sent to the on-call Masabi Support engineer. The support engineer will conduct a preliminary investigation, categorize the ticket, assess the scope of impact, and assign a priority based on the protocols described in the Masabi SLA. If the issue requires escalation, the Masabi Support engineer will assign the ticket to the relevant product engineering group. If the issue is determined to be critical, the Masabi Support Engineer will invoke the Live Incident Management process. 
During unsociable hours, agency staff who call support for critical issues will be routed to the on call engineer. For more information on the incident monitoring guidelines and SLAs see Appendix C(1).

SUBMITTING OTHER REQUESTS

SDK & API SUPPORT

A supported SDK version is guaranteed to function as it did on the day it was released, with no additional work by the Partner. If an issue (new, or pre-existing) is discovered that is present in a supported SDK version it will be investigated as a P1 issue. If it causes an app crash, it will be investigated as a P0 issue.

Any development related issues can be logged via the Issues log, via the help center or via the standard support email support@masabi.com. Each request will be assigned to the specific team in accordance with Masabi’s development and support escalation process.

Masabi will allocate up to 20 support tickets per month according to the following guidelines:
● Technical Support provides information on the purpose and usage of the API in the Justride SDK
● Technical Support provides guidance on how to prevent or workaround an error that occurs when using the API
● Technical Support provides guidance on how to approach a customization and provides high-level information on how to achieve certain functionality
● Technical Support does not create code for customer’s applications
● Technical Support does not provide exact steps on how to achieve a customization
● Technical Support does not perform code reviews of customizations

When a new OS version is released, the following test procedure will be carried out:
● Masabi will test ticketing/SDK functionality of a reference application against the initial beta release of the OS within 3 weeks of that beta’s first release, to try and identify bugs as early as possible.
  ○ The reference application will be agreed between the agency and Masabi, and may change over time, subject to agreement
    ■ It will likely start as the first agency mTicketing application.
  ○ The Agency will be informed immediately if bugs are discovered.
● The agency will test the full set of applications it offers against the initial beta release of the OS, no later than 4 weeks before the expected release date of the OS.
  ○ Masabi must be informed of all bugs at the earliest opportunity.
  ○ The agency will be responsible for identifying which of its applications exhibit any bugs discovered by either party.
● When bugs are discovered against a new beta OS, Masabi will aim to have them fixed within 4 weeks of discovery, unless the agency and Masabi agree that it is more sensible to retest on the next OS beta release before fixing.

SUBMITTING CHARGEBACK CHALLENGE REQUEST (MOR)

A chargeback is a transaction reversal meant to serve as a form of consumer protection from fraudulent activity committed by individuals. If you have contracted Masabi to be your Merchant of Record, Masabi will assist the agency with chargebacks they would like to challenge. Agency staff can use any of the methods described in “Submitting Support Requests”.

Each agency will also have access to a shared chargeback sheet which is used for managing Chargebacks.
● Chargeback Sheet is shared with Agency stakeholders through a shared online Console.
● The solution is via Google Applications, but no Google account is required. Hyperlinks are available to quickly locate customers in Hub.
● The data is refreshed every 2 hours.
● Agency is automatically notified weekly by email when new chargebacks are added.
● Transport agencies can update Current Status with decisions on whether to challenge or accept.
● If a ticket has already been refunded the chargeback will be challenged automatically.
● Chargebacks expire every 14 days if no decision is made.

FEATURE REQUESTS & ENHANCEMENTS

If you would like a certain feature to be added to Masabi products or you have an idea for improving it, you should reach out to your Account Manager. Alternatively, you can send an email to support@masabi.com. If the agency has raised a support request that turns out to be a feature enhancement, the support agent will forward that information to your Account Manager for further consultation.

UAT SUPPORT

Each customer is provided with a UAT environment to test and evaluate new releases of the Justride platform before releasing to a live production environment. Masabi will provide release notes and test plans for major feature changes so that agencies can thoroughly review updates to the platform. An Account Manager or technical representative will work with an agency to schedule any required updates and messaging, and educate on any deployment-wide changes necessary. In addition, a support alert is distributed through the live status service for any scheduled maintenance programs.

Any incidents raised via support will be treated as non-critical requests as UAT environments are test environments and are not governed by the same levels of availability or escalation priority as live environments.

MASABI HELP CENTER

HELP CENTER SECURITY

Masabi has defined user segments with permissions to control access to specific information and functionality within Zendesk.
Agency staff can:
- View agency and passenger FAQs
- View Justride, Inspect, and Hub documentation
- Follow Knowledge Base articles, sections, and comments
- View standard and emergency contact information
- Submit, track, and manage their agency’s help requests (tickets)

Riders can:
- View passenger FAQs
- Submit tickets (only for agencies that Masabi is providing first line support)

Note: Riders cannot manage or track tickets

Masabi Support staff can:
- View and manage all tickets
- Create and edit articles, FAQs, release notes, and other information
- Configure the help center

MANAGING SUPPORT REQUESTS IN THE HELP CENTER

Once a support request is submitted, a corresponding ticket is created in Zendesk. Agency staff can use Zendesk to:
- Update the CC or Organization fields on their tickets
- Add a comment to their tickets
- Mark their tickets as resolved
- Create a follow-up ticket to a resolved ticket
- Track all tickets associated with their agency

Riders who submit support requests cannot track or manage those tickets.

[Figure: Viewing support requests (tickets)]

[Figure: Ticket details]

SELF-SERVICE KNOWLEDGE BASE

The Knowledge Base in Zendesk is updated regularly with content that addresses questions from agencies and their riders. The Knowledge Base contains white papers, tutorials, FAQs, release notes, and training material for agencies’ customer care and support teams. The information in the Knowledge Base is organized into categories and is searchable from the Zendesk homepage.
[Figure: Agency staff view of the self-service Knowledge Base]

[Figure: Search bar and search results]

Release Notes

Masabi publishes release notes on Zendesk to help agencies stay informed about the latest features and fixes. Masabi support agents publish release notes as soon as they have been approved by the product teams.

[Figure: Release notes accessible from the Software Releases and Announcements category]

Following Knowledge Base sections, articles, and comments

Agency staff can be notified of updates to Knowledge Base sections, articles, and comments by clicking the Follow button that appears in the upper right corner of an article or section. To see which materials you are following, click My activities from your profile menu, and then click the Following tab.

[Figure: A list of items being followed]

Unfollowing Knowledge Base sections, articles, and comments

To stop following a section, article, or comments:
- Click the Unfollow button located in the upper right corner of an article or section; or
- Click the Unsubscribe button on the Following tab of the My Activities page

Promoted Articles

Masabi may promote articles or other materials as a way of recommending reading for agencies or riders. Promoted articles will appear under the Knowledge Base categories and sections.

[Figure: Promoted articles]

SELF-SERVICE RIDER SUPPORT

STEP ONE

When riders of the agency need to contact customer service, there are a number of tools the Justride app can provide. First, the rider will need to click on the “help” button. In this case the help button says “eTix Help”. This will bring the rider to the next page of the app where your Customer Service tools will live.

STEP TWO

From the “eTix Help” or customer service tools page you have a number of options:
1. Terms and Conditions: Opens the in-app Terms & Conditions
2. Customer Service: Deep Link to Customer Service Self-service tool
3. FAQ: Deep Links to a branded Customer Service FAQs page
4. App Info: Link to App Info (App ID, User ID, etc)

Contact Us

CONTACTING CUSTOMER SERVICE

Clicking on the Customer Service button will give the rider the following options:

Submit A Ticket (Online)

When passengers click on the Submit Ticket, they will be taken to a new page to enter information. They will also be asked to provide their AppID and select a brand from a drop-down. Submitting an online ticket is the fastest way to resolve issues. If you are unable to submit an online ticket you can text or call Masabi at (geo-based number). Unfortunately, responses to phone calls may be delayed and you may have to leave a message.

Contact Us

Customers who don't have data can send an SMS message. Passengers will have to remember to add identifiable information such as AppID. When texting, Masabi will have a phone number to call back.

APPENDIX B – MASABI TRAINING MODULES

The following are some of the standard training sessions Masabi offers to agencies in preparation for the go live deployment:

| Module/Session Name | Intended Audience | Type of Training | Length of Training Session | Max People Per Module Session | # of Sessions |
|---|---|---|---|---|---|
| What is mobile ticketing? | Beginner; all job functions | Introduction to the benefits of mobile ticketing for the agency and its riders, an overview of the mobile ticketing platform components, and a description of basic user requirements. | 15 min | 15 | 1 |
| How to use the mobile ticketing app | Beginner; all job functions | Walkthrough of purchasing and using mobile tickets, including a live demonstration of your agency’s mobile ticketing application. | 30 min | 15 | 1 |
| Delivering Customer Service in the Hub | Intermediate; Customer service agents and Managers | This in-depth look at the Hub starts with a description of the customer service process and how to find and interpret information on the Manage Customer page. It includes detailed walk-throughs of all customer service functions and a discussion of use cases. A live demonstration of your agency’s Hub and mobile ticketing app will show how customer service functions appear to both the rider and the customer service agent. | 90 min | 15 | 1 |
| Hub Administration and Reporting | Intermediate; Managers | Demonstrates Hub administration functions including bulk operations and management of users and assets. It then examines four ways of viewing and interpreting information in the Hub, from the high-level dashboard through detailed reports and customized data extracts. This session includes a live demonstration of your Hub. | 90 min Or 2 X 45 min | 15 | 1 |
| Visual Validation of Mobile Tickets | Intermediate; Ticket inspectors, Customer service agents, and Managers | Describes how to rapidly and accurately validate mobile tickets by sight. Several use cases are presented using pre-recorded or live demonstrations of your agency’s mobile tickets. | 45 min | 15 | 1 |
| Validating tickets with Inspect | Intermediate; Ticket inspectors, Customer service agents, and Managers | Describes how to scan a ticket using the Inspect app. It includes a live demonstration of how to configure and use Inspect, a description of the scan response screens and scanning workflow and a discussion of troubleshooting scanning issues. | 45 min | 15 | 1 |
| Marketing Mobile Ticketing | Beginner; Managers | Discussion of how your agency can introduce and promote mobile ticketing. Several examples are shown. | 30 min | 15 | 1 |
| VAL-100 On-board Validator | Beginner; Managers and Operators | Overview of the VAL100 functionality and installation planning. Several examples of existing installations are examined. | 30 min | 15 | 1 |
| Incident Monitoring and Escalation | Intermediate; Customer service agents and Managers | Describes Masabi’s incident management process. It includes a demonstration of how to use the Online Help Center (Zendesk) to create and manage support requests. | 30 min | 15 | 1 |
| Partner Programs | Intermediate; Customer service agents and Managers | Discusses the benefits of Partner Programs and provides examples of how they can be designed and implemented. In the Hub, Masabi will walk through how the program is administered and supported. | 60 min Or 2 X 30 min | 15 | 1 |
| An Introduction to Tariffs | Advanced; Managers | Overview of tariffs. Using fictional agencies as examples, it looks at many of the required values in flat-fare and simple A-to-B tariffs. A simulated walk-through of managing tariffs in the Hub is included. | 60 min | 15 | 1 |
| Monitoring with the Pattern Tool | Advanced; Customer service agents and Managers | How to use the Pattern Tool in the Hub to detect and monitor suspicious rider account activity. It includes a discussion of events that can be monitored and the actions that can be taken in response. A walk-through of how to view activity and manage account monitoring in the Hub is provided. | 45 min | 15 | 1 |

APPENDIX C(1) - INCIDENT MANAGEMENT GUIDELINES

Incident Management Guidelines

Version: 4.7 Date: T CONFIDENTIAL

Revision History

| Author | Version | Date | Details of Change |
|---|---|---|---|
| Sara Poulton | 2.6 | 2018-06-08 | Final |
| Support Manager | 2.7 | 2019-03-25 | Update |
| Support Manager | 2.8 | 2019-09-06 | Added Disaster Recovery Plan |

Copyright

Copyright Masabi Ltd and Masabi LLC 2021. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission of the publisher.

EXECUTIVE SUMMARY

This document describes the guidelines for the overall monitoring, incident response and escalation protocols employed by Masabi to monitor its Justride mobile ticketing platform, on which the Agency mobile system is built. The content herein outlines Agency architecture on the Justride platform (see Appendix F), monitoring program, the underlying system support services, and the steps that the Masabi Support team will provide in response to any unplanned inaccessibility or outage for the Agency’s mobile ticket application.
DOCUMENT PURPOSE

This document describes the service level guidelines for agencies for the overall monitoring, incident response and escalation protocols employed by Masabi to monitor an Agency’s Justride Mobile Ticketing platform.

This document outlines the performance measurements for the entire Justride platform, its SDK, and critical path third party providers. It will describe the definitions and terms used to monitor and respond to any performance related issue and escalation protocols should any incident impact the normal operations of the Justride platform. These guidelines apply solely to an Agency’s live production environment and do not cover other applications or environments, which, from time to time, may be made available to the Agency for the purpose of reviewing or testing new features and functionality, or which may be used to demonstrate features during a contracting process.

INTRODUCTION

Masabi provides a scalable, robust and responsive Incident Management process to administer an effective, highly redundant mobile ticketing platform for large metropolitan agencies. It utilizes a combination of best-in-breed cloud hosting through Amazon Web Services (AWS) with multi-layered load balancing, immediate scalability, and high-level incident response. As additional measures, Masabi applies independent monitoring services for the components that make up the overall Agency mobile ticketing platform.

This document outlines the performance measurements for the entire Justride platform, its SDK, and critical path third party providers. It will describe the definitions and terms used to monitor and respond to any performance related issue and escalation protocols should any incident impact the normal operations of the Justride platform. These guidelines apply solely to an Agency’s live production environment and do not cover other applications or environments such as the UAT environment which, from time to time, may be made available to the Agency for the purpose of reviewing or testing new features and functionality, or which may be used to demonstrate features during a contracting process.

DEFINITIONS

As used in these incident guidelines, the following capitalized terms will have the meanings defined here. In the event of any conflict between the definitions provided in this Incident Management Guide and those provided elsewhere in the guide, the definitions in this guide will control for purposes of this Incident Management Guide.

● Dedicated Support & Service – Masabi has dedicated services and support personnel who are trained for Incident Response Management and who understand the protocols for triage, first response acknowledgement, troubleshooting and problem resolution. Due to the criticality of servicing a solution with high-touch point customer satisfaction and experience, this team is available 365 days a year, 24 hours a day.
● Escalation – In addition, Masabi provides escalation and account management processes through a documented prioritization, categorization and resolution program, which is focused on account management and communication in addition to handling the technical resolution, which allows for internal agency communication and understanding.
● External Service – Any equipment or service or component being provided by a third party.
● Formal Review and Reporting – Formalized Incident Reports are generated for any Incident that affects the level of service as agreed upon between Masabi and the Customer. An Incident Report involves teams across Masabi including IT Operations, Support, Account Management, Engineering, Product Management, Engineering and Quality Assurance.
● Incident – An Incident is an unplanned interruption to the Justride service, or reduction in the quality of the service, affecting the Agency or its end-user experience. Failure of any item, software or hardware, used in the support of a system is also an Incident, even if the failure has not yet affected or impacted service. For example, the failure of one component of a redundant, high-availability configuration is categorized as an Incident even though it does not interrupt service.
● Live Status Notifications – Masabi will notify agencies through the live status page and will display a status per component as well as top-level status calculated based on all affected components: I1 = ‘Major Outage’; I2 = ‘Partial Outage’; I3 = ‘Service Degradation’; and I4 = ‘Degraded Performance’.
● Logging an Incident – If an incident should occur, an authorized Agency contact, using an Agency email account, will submit a support request using any of the methods in Submitting Support Requests. If an acknowledgement is not received within 15 minutes, Agency has a secondary means of escalation through the Support IVR.
● Performance Uptime – In general, outside of scheduled maintenance windows and planned outages (system upgrades), the Agency mobile ticketing platform operates on a 99.95% uptime performance. It was designed to be highly redundant, integrated with elastic load balancing, which can direct traffic to redundant servers in case of a failure or it can increase capacity during high volume processing times. Additionally, it is PCI compliant and it adheres to all agreed upon standards for financial transaction processing.
● Priority – Masabi’s Incident Management guidelines stipulate as a standard performance measurement a 4-hour resolution for a Priority-1 (P1) incident and an 8-hour resolution for a Priority-2 (P2) incident. Interim timeframes are stated for acknowledgement and assignment to provide Customers with an understanding that their issues have been received and are in the process for resolution.
● Resolution - An incident is considered resolved when the fix is deployed to production and/or end-users are no longer affected by the incident. For incidents which require App releases, an incident is considered resolved when the release is submitted to the App stores, Apple, Google Play or Testflight or Hockey App. Equally, SDK incidents will be considered resolved when the SDK revision has been updated. It will be assumed that if an app release is required, app releases required to fix P1 incidents will be automatically accepted by the Agency, however, if the agency chooses deployment to UAT prior to production, the incident will be considered resolved when deployed to UAT.
● Response Time – Masabi’s Response Time is formulated on a scaled basis determined by the categorization of the Incident Severity, which is measured by the degree of service limitation experienced by the Agency and other hosted customers. In addition, for Incidents relating to AWS services, which is a critical component for providing overall service availability, Masabi and AWS operate with a 60 minute Incident Management Response plan, supported by Masabi’s own incident response time and processes.
● Scheduled Maintenance – means maintenance scheduled by Masabi to implement generic or agency specific changes to, or generic or agency specific version updates of, any app, back office system and network (and associated software and hardware configurations) supporting the Justride system.
● Severity – Agency’s incident categorization that correlates to Masabi’s Incident Priority. Incidents prioritized as P1 will be assigned a severity of ‘Critical’; P2 = ‘High’; P3 = ‘Med’; and P4 = ‘Low’.
● Up-Time Performance - A designation of Justride system performance by key system based on a monthly measurement excluding scheduled maintenance time according to Masabi’s System Maintenance policies.

ROLES AND RESPONSIBILITIES

Masabi and the Agency will designate individuals within each respective organization to perform the Incident Management tasks outlined in this guide. The Agency agrees to maintain and communicate the designated Incident Management roles as defined below. Details of the designated parties can be found in the Points of Contact document (Appendix F).

MASABI ROLES & RESPONSIBILITIES

To ensure that Incidents and requests are handled efficiently, Masabi has implemented a two tier support structure that includes both Masabi Support technical leads (typically based in the UK) and Account Support leads (typically based in North America).

Masabi Customer Support

Masabi Customer Support provides comprehensive customer and technical support during standard business hours via London, UK and New York, USA. Masabi Customer Support is responsible for responding to inbound agency inquiries and tickets, troubleshooting with agency staff and escalating issues to product engineering when required. Masabi Customer Support monitors all inbound support tickets, collects troubleshooting data that is helpful to development and quality assurance, and provides general answers to agency staff on common questions and functionality queries. Masabi Customer Support is supported by Masabi IT Operations Support for round the clock global support and response.

Masabi IT Operations Support

Masabi IT Operations Support operates 24 hours per day, 365 days a year. Masabi IT Operations Support has the primary goal of triaging, investigating and resolving technical incidents, in accordance with agreed SLAs. The Masabi IT Operations Support team is capable of resolving complex incidents and providing effective workarounds that allow business operations to be resumed with minimal loss.

Masabi IT Operations Support activities include, but are not limited to, the following:
● Contacts Agency in accordance with the Agency escalation contact protocol.
● Acts as a point of escalation for Incidents or ongoing issues.
● Creates an agreed-upon process for updates and notifications during the Incident Time Frame; and oversees the development of the official closing Incident Management Report.
● Contacts Agency IT for any requests to implement a system outage necessary to enact a corrective action.
● Provides detailed updates and explanations to the Agency and Account Support, as recorded within the Incident Management Suite, including the Incident Tracking and Monitoring log.
● Collaborates with other secondary-tier engineers to formulate a resolution, temporary fix, or workaround via the raised record within Incident Management Suite.
● Ensures all development related fixes are recorded within the Product Development specific JIRA space.
● Collaborates with other Masabi resources to formulate comprehensive outage reports detailing the root cause, impact and mitigating actions to prevent recurrence.
● If required, attends regular incident review meetings with the Agency. The frequency of meetings will be as agreed per the Agency but shall be at least quarterly.
● Once incidents are resolved, tests and provides confirmation of resolution.

Account Management

An Account Manager is assigned to each agency upon contract award. The Account Manager is the day-to-day owner of an agency and its contract with Masabi. The Account Manager is responsible for the relationship management and agency satisfaction with Masabi and the Justride platform.

Account Management activities include:
● Prime relationship management and contract management with Agency
● Responsible for tactical weekly status reviews with stakeholders
● Collates and distributes performance, financial and service reports.
● Conducts regular stakeholder reviews with the agency for product strategy, account strategy, and customer satisfaction metrics
● Acts as the Agency coordination point for any critical performance or service level disruption
● Reviews financial performance and assists with identification of additional ticketing channels and partnerships with other local agencies.
● Manages ongoing maintenance of the live-deployment and coordinates schedules of updates and new feature releases

AGENCY ROLES & RESPONSIBILITIES

To facilitate incident management performance, Masabi requests that an Agency designates specific internal owners of the Justride mobile platform, as recommended below.

Agency Justride Application Owner
● A designated owner of the Justride platform as known to all agency staff and stakeholders. It is recommended that this person shall have decision making authority for the Justride platform, and release authority for Apps to be submitted to the Apps stores. This role is typically a Director of IT or Fare Collection.
● Attends regular service review meetings with Masabi and, if necessary, attends incident review meetings. The frequency of meetings will be as agreed per the Agency but shall be at least quarterly.
● Provides approval for any required outages that affect the system or product necessary to implement a corrective action.
● Acts as a liaison between internal parties and Masabi for inbound and outbound incident reporting and coordination; coordinates internal team communication.
● Notifies internal functions of the status of Masabi services
● Notifies Masabi of any known hardware or operating system changes or updates.

Primary Agency Contact – IT Service / Customer Support Desk
● Responds to the Agency’s customer reported issues and submits Support Tickets on Agency behalf to Masabi for investigation and resolution.
● Acts as the single point of escalation for the Agency customer.
● Manages and tracks any raised incidents or requests submitted to Masabi.
● Raises known or discovered incidents through the Masabi Support process
● Provides support to internal functions utilizing Masabi services.
● Provides symptoms, investigatory information and support to the Masabi Support function.
● If required, attends regular incident review meetings with Masabi. The frequency of meetings will be as agreed per the Agency but shall be at least quarterly.
SYSTEM UPTIME PERFORMANCE

RETAIL PRODUCT SUITE PRIORITY ASSIGNMENT

Service | Monthly Uptime Percentage
Functionality critical for travel
Mobile application based ticket purchase | 99.95%
Mobile application based ticket retrieval and display | 99.95%
Mobile ticket retrieval and display | 99.95%
Mobile ticket activation and validation | 99.95%
Functionality not critical for travel
Hub | 99.9%
Financial Reports | 99.9%
Customer Services User Interface | 99.9%

VALIDATION PRODUCT SUITE PRIORITY ASSIGNMENT

Service | Monthly Uptime Percentage
Ticket Validation Database (TVD) Availability of Scan Record data to other applications | 99.95%
Record and manage Barcode Ticket Scan Records | 99.95%
Distribution of Deny Lists | 99.95%
Inspect Handheld application Barcode Validation | 99.95%
Sync Scan records and Deny Lists with TVD database | 99.95%
Gate-line, on-board and spot check mode | 99.95%
Functionality not critical for ticket validation
Raw Data Feed from TVD | 99.9%
Hub | 99.9%
Customer Services User Interface | 99.9%

Validator Scan Performance
On board validator scan through-put | 200,000 max scans per hour based upon moderate load
Scan response | 500 milliseconds per scan

DEFINITION OF AN INCIDENT

An Incident is an unplanned interruption to the Justride service, or reduction in the quality of the service, affecting the Agency or its end-user experience. Failure of any item, software or hardware, used in the support of a system is also an Incident, even if the failure has not yet affected or impacted service. For example, the failure of one component of a redundant, high availability configuration is categorized as an Incident even though it does not interrupt service.
An Incident occurs when the operational status of a production item changes from working to failing or about to fail, resulting in a condition in which the item is not functioning as it was designed or implemented. The resolution for an Incident involves implementing a corrective action to restore the item to its original state.

INCIDENT LOGGING & CATEGORIZATION PROCESS

Overview

The priority and severity of an Incident are assigned during an initial triage as displayed in the ‘General Process Flow Diagram’ figure below.

General Process Flow Diagram

The above defined process flow handles all levels of Priority Status (P1 through P4). In most cases, Incidents rated as P3 & P4 do not apply to core or support systems with high business impact such as the ability to purchase, store, validate and activate tickets. For P3 and P4 incidents, a general workaround is known and can be applied with a change to behavior and/or the incident is isolated to one or a very small proportion of end-users. P3 and P4 incidents will be tracked and monitored in an Incident Tracking and Monitoring log; P1 and P2 incidents are logged here if, and only if, there are no short-term resolutions available.

Incident Notification Types

There are three channels for Acknowledging Incidents: email or phone call.

Notification Type | Frequency | Details
Live Status Page (recommended) | All P1-P2 Incidents | All subscribers to this service will be notified when a P1 or P2 incident occurs.
Email | Every P1-P4 incident | An email will be sent to the original submitter of the ticket. Support can request that an email is automatically cc’ed to any contacts listed in Appendix F
Phone Call | For inbound reporting of every P1-P4 incident | Scheduled conference calls for group communication and follow up on Incidents with agencies.
Incident Logging and Categorization

If Masabi Identifies a P1 or P2 Incident

Masabi’s Justride system monitoring will immediately identify many Incidents. Should Masabi Support receive an alert that may indicate a P1 or P2 Incident, the engineer on-call will conduct the following:
1) Test the Service
   a) Is it available?
   b) Is it potentially a system-wide outage?
   c) Are key services responding?
   d) Can a ticket be purchased?
   e) Does redeploying service resolve issues?
2) Escalate
   a) Use instant internal messaging systems at Masabi to seek escalation and resolution guidance.
   b) Inform Masabi Account Services who will:
      i) Inform Agency Point of Contact(s) – refer to Appendix F
      ii) Keep Agency Point of Contact Informed via email – refer to Appendix F
   c) Initiate Technical Escalation Process
      i) Functional Experts:
         (1) Retail - Engineering (on-call)
         (2) Inspect - Engineering (on-call)
         (3) Hub - Engineering (on-call)
         (4) SDK - Engineering (on-call)
         (5) Hardware - Engineering (on-call)
      ii) VP of Engineering
      iii) CTO

If Agency Identifies a P1 or P2 Incident

In the instance that Agency encounters a fault with the Agency service, product, or system, Agency will submit a request to Masabi Support by following the steps below.
● Report the incident via any of the channels recommended in Masabi’s Support guide for agencies, confirming the system or product, the symptoms experienced and where possible the quantity of users affected. Important: emails should be sent from an official Agency email account to validate the inbound request.
● If an acknowledgement of the email is not received within 15 minutes, the Agency should call Masabi Support via the Support IVR provided in Appendix F. An on-call member of the Masabi Support team will be alerted following the P1 or P2 alerting channels.
● Agency will follow its contact protocol to notify the affected operational areas.
● Once the issue has been communicated to Masabi by email, Masabi’s Support Management Suite will automatically create an Incident ticket, corresponding ITN, Incident Record, and alert the necessary Masabi Support staff. The incident notification will contain the information that the Agency has provided, an ITN, and notes from Masabi Support once triage has commenced. If the incident is communicated by phone, the support representative will create an incident ticket with corresponding ITN, Incident Record.

For All P1 and P2 Incidents
● When alerted, the Masabi IT Ops Tier-One team will begin to triage the issue or incident and assign a priority based on the detail that the Agency has provided or from Masabi’s automated monitoring systems. To further Masabi’s progress in triaging or investigating the incident, Masabi may conduct a conference call with the relevant parties to discuss in detail the symptoms, impact, suspected cause and any known resolutions or temporary workarounds.
● Should the investigation prove that the incident is of a complex nature or a resolution cannot be found within a timely manner, the incident will be escalated to subject-matter experts within Masabi. For example, if the issue is with the payment process, Masabi Support will immediately notify members of Masabi’s Payments Team.

INCIDENT CATEGORIZATION

Once initial logging is complete, Masabi Support or the on-call engineer will categorize the Incident and define the impact level. Categorization of the incident is a factor in determining the prioritization, the level of effort required for the Incident Resolution and response plan. The table below represents the Incident Categorizations.

Incident Category | Description
Customer Retail App Incident | Customer application not available to end-users.
SDK Incident | Ticket purchasing via the SDK service is unable to provision new tickets
Hub Incident | Outage that affects the Hub back-office but no customer-facing components.
Validation Incident | Affects the Inspect app, handheld validation, onboard validators or gate kits. Please refer to the Hardware policy for more information on custom hardware integrations. Affects the Inspect app and electronic validation.
Payment Incident | Outage that prevents purchases and/or refunds, but does not impact activations, Hub, etc.
Digital Wallet Incident | Purchases of new tickets using a digital wallet e.g. Apple Pay are unable to complete purchases
Ticket Usage Incident | Accessibility or outage which affects prior ticket purchases or activation which affect a widespread customer base (e.g. not a user error on a single ticket activation).
Full System Outage | No system components available to agency staff or end users.
Platform Degradation | Justride system components remain operational but below expected performance thresholds or time-outs exceed standard expected levels
External Services Incident | Includes external outages affecting Rider actions such as Ticket payments, email receipts. Masabi will always provide an advisory notification and Priority Level. Where Masabi manages the relationship (MPGS, Mandrill and Chase Paymentech), Masabi engineering will work diligently with the service provider to resolve all incidents.
Uncategorized Defect | Any other anomaly that is not classified in one of the above.

INCIDENT PRIORITIZATION

The priority (P-Value) of an incident is assigned during the logging and categorization (triage) phase; the level of priority is determined by the level of impact or service limitation experienced by the Agency.
Support or the on-call engineer will perform an impact analysis on the Incident and define an Incident response plan, following which Masabi Support will contact the Agency through the original submitter of the ticket or contacts as listed in Appendix F. Additionally, if P1 or P2, all agency subscribers will be notified via the Live Status service. The support request or alert will also have an Incident Categorization assigned, as per the categories stated above.

In order to assess a P1 or P2 priority level during Masabi triage, it is expected that the reported incident is reproducible and that multiple occurrences of the same reported incident have been received; e.g., verification of a single payment failure that it is not due to insufficient funds or typos in credit card details. If an incident is not reproducible, there are only an isolated number of reports, or it only impacts support or minor systems, the incident should be classified as P3.

In order to define level of impact, Masabi will measure the data in the present and compare it to the same measurement in a comparable period of time in the past; for example, 30% total transactions have failed between 9:00-10:00AM UTC at the beginning of the month versus 0% transactions failed at the beginning of the previous month. If a live incident occurs during a non-peak period such as 3:00am and an incident may potentially affect 4 users out of 5 (85%), I4 will be applied.
Impact Values
● I1 – “Service” affected for more than 5% of criteria for analysis (users/payments/events)
● I2 – “Service” affected for less than 5% of criteria used for analysis (users/payments/events) but more than 1%
● I3 – “Service” affected for less than 1% of criteria used for analysis (users/payments/events)
● I4 – “Service” issue isolated to one or a very small proportion of criteria used for analysis (users/payments/events). However functionality may remain with a workaround.

System Definitions

Masabi looks at the area of the Justride platform and its components in addressing the Priority and Impact level. The following are the categories with examples of the functions Masabi uses for priority assignment:
● Core Functions - Ticket Validation, Purchases, Scanning Share
● Support Functions - Financial Data, Data access e.g. TVD, Assets, reports, Hub CS Primary functions
● Minor Functions - UI, Analytics, Reports, Hub Non-revenue related actions
● External Services - Any third party services managed or monitored by Masabi.
*Hub CS Primary functions includes Customer search, Customer Blocking/Unblocking, Refunds

For a detailed priority classification table, please refer to Appendix C(2).
Priority Assignment

Below are the priority assignment criteria that Masabi and the Agency use to classify priority of an Incident:

Impact | Core Systems | Support Systems | Minor Systems
I1 – “Service” affected for more than 5% of criteria for analysis (users/payments/events) | P1 | P2 | P3
I2 – “Service” affected for less than 5% of criteria used for analysis (users/payments/events) but more than 1% | P1 | P2 | P3
I3 – “Service” affected for less than 1% of criteria used for analysis (users/payments/events) or service disruption is intermittent | P2 | P3 | P4
I4 – “Service” issue isolated to one or a very small proportion of criteria used for analysis (users/payments/events) or functionality may remain with a workaround. | P3 | P3 | P4

Target Response Times

Detailed below are the Incident Management targets for Masabi and the Agency; all timings are calculated from the moment the support request (Agency or automated) is received by Masabi’s Support function.

Masabi Priority | Acknowledgement | Prioritization/Categorization | Guaranteed Response | Escalation/Assignment **** | Resolution*
P1 | 15 Minutes | 25 Minutes | < 60 Minutes | 30 Minutes | 4 Hours
P2 | 15 Minutes | 60 Minutes | < 4 Hours | 60 Minutes | 8 Hours
P3 | 15 Minutes | 24 Hours | < 12 Hours | 1 Business Day | As Defined**
P4 | 15 Minutes | 24 Hours | < 24 Hours | 3 Business Days | As Scheduled**

(*) Resolution times are defined as the maximum time in elapsed minutes from the initial support request (e.g. total time) and includes time allocated to prior stage
(**) As defined by the resolution plan agreed between Masabi and the Agency. Masabi will provide a working plan for a P3 incident which provides a timeline within 5 working days of the escalation and assignment. Total resolution time is based upon a number of factors that will be negotiated in good faith with an agency e.g. assigned to a specific app release on specific future schedule, providing an alternative workaround, and prioritization of development resources.
(***) As scheduled, pending requirements and evaluation performed on a case by case basis.
(****) Incident response plans (aka, corrective action plans) are determined based on the assigned priorities and severities. The assigned priority dictates the time by which Masabi will provide the Agency with the details of their planned corrective actions. For example, “Priority” (P) P1 issues are responded to within a guaranteed response of <60 minutes.

QUICK REFERENCE PRIORITY ASSIGNMENT EXAMPLES

The following is a matrix providing a quick reference to help define priority levels for the most common categories

Priority | Resolution | Guaranteed Response
Critical - P1 | 4 hours | <60 mins
Urgent - P2 | 8 hours | <4 hrs
Normal - P3 | As Defined | <12 hrs
Low - P4 | As planned | <24 hrs

Example Scenarios
● Tickets cannot be purchased or validated for high % of customers
● Outage on all systems
● Scanned Tickets not syncing on DB
● Tickets cannot be purchased or validated for low % of customers
● Hub site down affecting primary CS functions i.e. refunds
● Tickets cannot be purchased by a handful of customers
● Can’t download financial report
● Unable to send receipt
● Unable to view In-App Help Section
● Minor cosmetic issue
● Hub dashboard has data errors
● Unable to download validation report
● Cannot pay using digital wallet (must enter card details)

INCIDENT ESCALATION OVERVIEW

Masabi provides an Incident Management Process that offers 24/7 coverage 365 days a year.
Masabi has the primary goal of triaging, investigating, developing corrective action plans, and resolving Incidents, in accordance with stated service level agreements (SLAs). To ensure that Incidents and support requests are handled efficiently, Masabi has a Support and Incident escalation management program which quickly addresses high priority issues (P1-P2), while also providing more generalized support ticket response management (P3-P4 and other general inquiries).

RESPONSE PROCESS

Any Agency support requests should be raised through the proposed channels (listed in Appendix F) by Agency’s authorized contacts. If the incident is perceived as a P1/P2, please call the support IVR or send an email to criticalsupport@masabi.com. Receipt of this email will trigger the Incident handling and tracking mechanisms to ensure a support engineer is assigned to triage and address the support request. Similarly, when Masabi’s automated monitoring systems indicate a possible system outage, this will also trigger the Incident handling and tracking mechanisms to assign a support engineer. If the Agency has not received an acknowledgement within 15 minutes of emailing the Masabi Support email address, the Agency should call the support number listed in Appendix F of this document or the Masabi Help Center. Additionally, in either case, once the Incident Priority and Category have been established, the Agency escalation contact protocol should be followed to allow the Agency to inform the affected operational departments quickly.

INCIDENTS RESOLVED BY RELEASE

These Incident Response Guidelines apply to the extent that Masabi is in control of deployment/release of the service. For example, Masabi is unable to provide guarantees for App store approvals and release times as they are in the hands of Apple and Google respectively.
INCIDENT TRACKING AND MONITORING

For all incidents, Masabi Support will generate an Incident Tracking Number (ITN) from Zendesk (Masabi’s Incident Monitoring Suite) that is assigned to the incident record, incident log entry and incident response plan. The ITN is used for any follow-up referencing, as well as Tracking and Monitoring the status of corrective actions. The Incident Tracking and Monitoring log will be reviewed as part of the regular service review meetings.

INCIDENT CLOSURE

Once the Agency and Masabi have confirmed the incident has been resolved, the incident record will be closed and the status of the incident log entry will be changed to resolved/closed. Additionally, the below steps shall be followed. Please note, if the Agency has not received confirmation from Masabi Support, but Masabi has documented that the incident has been resolved and service has resumed, the incident record will be closed, and the Agency will be notified:
● When the incident has been resolved, the incident record will be updated, and the Agency will be notified.
● Upon resolution and closure, the incident will be reviewed by the Masabi Support function. The incident will then feature within Masabi’s reporting system; should the nature of the incident appear within a trend, the incident will form a record within Masabi’s Problem Management Process, leading to consideration for further enhancement to the product or system.
● If any downtime or system outage is encountered, a full report will be provided to the Agency within 10 (ten) business days, detailing the root cause, steps taken to resolve, and measures implemented to deter a repeat occurrence. Time to develop the full Incident Report is determined by the severity of the problem and the level of investigation, if development is required, and platform wide impact.
The Incident Report is the official recording of the Incident Management Process and Resolution; however, it is not the only communication during an incident timeline. During an incident, customers can expect to receive frequent updates on the cause, steps being taken in the troubleshooting process, updates on new information that may affect the outcome and standard stakeholder briefings. Masabi will work collaboratively to define the interval of communication best suited to the incident category and prioritization. For P1 and P2 category events, Masabi will communicate updates in 30 minute intervals.

APPENDIX C(2) - INCIDENT MONITORING PRIORITY CLASSIFICATIONS

SYSTEMS DEFINITIONS MATRIX

The following is a non-exhaustive list used for priority assignment, which is provided for information purposes. Masabi reserves the right to modify this table. For any assignments which are not covered, please contact the Support team.
Columns: Incident Category, Core Services, Support Services, Minor Services

Retail (Mobile): Login & Access Ticket Purchase with each payment method Ticket Retrieval & Display Ticket Activation & Validation Ticket Refunds User Verification (no guest accounts) Ticket Purchase with Saved Cards External Links User Verification (guest accounts) UI anomaly
Retail (Web Portal): Login & Access Ticket Purchase with each payment method Download Paper Ticket Account Setup Web-Mobile sync Manage Customer Account Ticket Purchase with Saved Cards User Interface Profile FAQs access Download Receipts
SDK / API: Ticket Provisioning Ticket Purchase Ticket Retrieval & Display Account Authentication N/A User Interface
Hub: Machine Login (validation affected) Asset Management Financial Reports Machine Login Management Tariff configuration Entitlement Provisions Access and Login Customer Services Search Customer Refunds Data extracts download Analytics Dashboard Availability Pattern Fraud Detection (If included)
Validation (Mobile): Ticket Validation Validation data sync (scans/deny/block lists) Authentication Watermarking Record and manage Barcode Ticket Scan Records Ticket Scan Actions Metadata User Interface Preferences
Validation (Fixed): Ticket Validation Validation data sync (scans/deny/block lists) Gates & Spot checks Authentication Watermarking Passback Control Record and manage Barcode Ticket Scan Records Metadata User Interface
Payments (Internal): Payment Processing | N/A | N/A
Full System Outage: All Services | N/A | N/A
External Services: Payment Processing via PSP Email Notifications Email Receipts Zendesk AWS SQS AWS S3
Uncategorized Defect: Any uncategorized defect | Any uncategorized defect | Any uncategorized defect

APPENDIX D – MASABI HARDWARE RMA PROCEDURE FOR JUSTRIDE VALIDATORS - NOT USED – SEE SEPARATE HARDWARE WARRANTY DOCUMENT AT SCHEDULE 4 OF THE CONTRACTOR’S SAAS & VALIDATOR TERMS

APPENDIX F – POINTS OF CONTACT

All agencies will be provided with the following point of contact for their account as shown:

AGENCY SUPPORT
Title: Support Contacts
Standard Support Email: support@masabi.com
Critical Support Email: criticalsupport@masabi.com
UK Phone (Local)*: +44 (203) 750 9812 (Critical Support Option # 1 & 1)
US Phone (Local)*: +1 (917) 810-7644 (Critical Support Option # 1 & 1)
US Phone (Toll-Free): +1 (800) 290-8851 (Critical Support Option # 1 & 1)

RIDER/PASSENGER SUPPORT
If you have contracted Masabi to provide 1st line support to your riders/passengers, the contact details for your riders are:
Title: Justride Rider/Passenger Support
Email: help@justride.com
Phone: +1 (646) 836-9165 (Voicemail only)

ACCOUNT SUPPORT
Title: xxxx Email: Phone:
Title: xxxx Email: Phone:

Management Contacts

Your initial contact for logging a new request is with Masabi Support, whether by telephone, email or online form. In the event that you are not satisfied with the level of support, you may escalate a given request to any of the levels described here:
● Account Manager
● Project Manager
● Support Manager
● VP of Global Services
To escalate an issue, please email Masabi Support and ask to speak to one of the above representatives.
Direct contact details can be provided on request for the Support Manager or VP of Global Service.

Agency – Example of Points of Contact

An agency shall submit to Masabi an Agency Point of Contact as shown:
Primary Agency Contact – Title: Agency – e.g., IT Support Email (3 service desks): Phone:
Secondary/Additional Contact – Title: Agency – Secondary Contact Phone:

APPENDIX G – SYSTEM ARCHITECTURE & PERFORMANCE

AGENCY SYSTEM ARCHITECTURE

The Agency mobile ticketing platform comprises several components operating on an AWS hosted service for maximum scale and redundancy.

Agency Ticketing System Architecture Diagram

SYSTEM RESILIENCY AND UPTIME

Masabi maintains best-in-class uptime using an extensive hosting design based on Amazon’s AWS cloud hosting products, featuring multi-availability zone redundancy on all components, where each availability zone is a fully independent geographically discrete building, with separate electricity supply, cooling and internet connection.

As shown in the diagram above, traffic comes into redundant Elastic Load Balancers (ELB), which split the traffic to a redundant set of servers in different zones running the lightweight Nginx web server. These act as a routing layer, directing requests on to the appropriate service.

All databases within the system also offer multi-zone redundancy using Amazon’s RDS product, offering a master/slave database pair where an unresponsive master can automatically be swapped out for a slave containing identical data. In a number of services, additional read replica databases are used to segregate heavy read load from impacting updates to the master data.
The diagram below explains both the redundancy across discrete zones for an individual service, and the ability to auto-scale to meet demand:

Diagram of Masabi AWS architecture for system resiliency

Uptime is tracked for SLA conformance using Pingdom, an independent 3rd party tool that calls health checks on each service from multiple geographical locations around the world every minute. Alerts are sent to the 24/7 support team if any health check fails, for immediate attention.

Key Benefits of an AWS Hosting Environment as Configured Include:
● Continuously updated as hardware improves.
● Load balancer with built-in redundancy, automatically coping with the loss of a data center while continuing to serve traffic.
● Enables horizontal auto-scaling up to cope with demand, and down when not required.
● Auto-scaling also enables self-healing, recreating a new server if one locks up.
● Hosts Agency eTix’s core MySQL databases, which are automatically backed up.
● Automatic failover and multi data center redundancy.
● Upgrades power and memory quickly if scaling is an issue.
● Can rapidly create complete DB snapshots for offline tasks without affecting live service.
● Simple scalable storage system used for a range of tasks inside the platform
● Self-healing system is able to detect unresponsive nodes, responding by tearing down and rebuilding entire servers transparently.
PERFORMANCE AGREEMENT BETWEEN AWS™ AND MASABI

AWS Incident Response targets are provided under the general Terms & Conditions between AWS and Masabi as a Business Service Provider. Full details of these terms can be found on the AWS website at https://aws.amazon.com/. All timings are calculated from the moment the support request is received by the AWS support function.

Amazon Web Services (AWS™)
● Provision of a secure cloud hosted environment
● Provision of Cloud based storage
● Provision of up to seven (7) globally based data centers
● Provision of fully accredited disaster recovery mechanisms
● Provision of load balancing and maintenance services
● Hosts all Masabi Back Office Products and Services

AWS Response Time

At minimum, any and all requests provided by Masabi will be responded to within 60 minutes by an AWS Cloud Support Developer. In addition, there are unlimited incident reporting capabilities under the support agreement between Masabi and AWS. After the initial “Response”, all incidents will follow the Incident Categorization and Prioritization as outlined in this document.

THIRD PARTIES SERVICES INCORPORATED INTO THE AGENCY MOBILE PLATFORM

Detailed below are the third parties that provide services to Masabi to support the Agency platform. Parties noted below provide individual service monitoring in addition to the monitoring provisions provided by Masabi. On a case by case basis, the Agency may opt to use their own preferred service provider.
Apple Application Repository (iTunes Store™)
● Provision of a publicly accessible mobile application repository
● Provision of a strict iOS compatibility and approval process for application submissions

Google Application Repository (Google Play Store™)
● Provision of a publicly accessible mobile application repository
● Provision of a strict Android compatibility and approval process for application submissions

Payment Gateway/Merchant Acquirer Services

MPGS/Braintree/Chase payment services
● Provision of MasterCard / Visa Credit or Debit card payment settlement
● Provision of payment refund services
● Provision of global payments processing capabilities
● Provision of fraud detection services

Braintree Payments Settlement Service
● Provision of MasterCard / Visa Credit or Debit card payment settlement
● Provision of payment refund services
● Provision of global payments processing capabilities
● Provision of fraud detection services

Customer Defined Payments Settlement Service (e.g. Chasepayment, PayEezy etc.)
Customers may opt to use alternative payment services with payment gateways/merchant acquirer services other than bundled services as provided by Masabi.
● Provision of Credit or Debit card payment settlement
● Provision of payment refund services
● Provision of global payments processing capabilities
● Provision of fraud detection services

If the Agency opts to use alternative payment services other than bundled services provided by Masabi, where possible, Masabi will send out an advisory notification to alert you of any potential impact to the Masabi platform. The Agency will ultimately bear responsibility for contacting the third party service in all events.
INCIDENT MONITORING

Masabi monitors the health of the Agency system via web server performance management solutions, which easily integrate into the AWS cloud services to monitor server performance and availability. The service is live-monitored using a full suite of tools including AWS Cloudwatch (with capacity alarms), AlertLogic, LogEntries triggers and other similar technologies. These events all flow through notification services to the Customer Support Team and Operations teams, as is appropriate to the event. Additionally, there is live monitoring using visible dashboards in the offices (allowing human glance pattern change recognition) and regular manual review of capacity, costs, and system behaviors for diagnosing potential resource constraints and/or unexpected changes in behavior.

LIVE STATUS PAGE AND AGENCY NOTIFICATIONS

Masabi’s monitoring and alerting tools monitor its services and hardware 24/7. When an incident occurs, Masabi will complete an initial triage. If an incident is deemed of a critical or urgent nature, Masabi will communicate the status of its systems or infrastructure through Statuspage. Scheduled maintenance notifications are also sent through the Live Status Page. Scheduled maintenance is displayed right on the page. Incidents are prominently displayed at the top of the page for agencies to see when they log in, and they have easy access to subscribe to further updates via email or SMS.

MONITORING & ALERTING TOOLS

StackDriver2
● Provides detailed granular monitoring of all servers.
● New servers are automatically recognized and integrated into monitoring when added by the ELB.

PagerDuty
● 24/7 Masabi Support operations are contacted using PagerDuty alerting, which integrates cleanly into AWS.
LogEntries
● A central log store essential for debugging and maintenance. LogEntries automatically accepts logs from new Amazon nodes when they are added, which is crucial because those nodes may be torn down at any point (e.g., during auto-recovery), which would otherwise result in the loss of logs required for diagnostics.

Pingdom Health Checks
● Uptime is tracked for SLA conformance using Pingdom, an independent 3rd party tool that calls health checks on each service from multiple geographical locations around the world every minute.

If an incident occurs, Masabi personnel are immediately alerted via SMS, email, or in-app notifications from various potential points of failure. In addition, the web server performance management monitoring will present load balance, server uptime, and overall health checks on services. Alerts are sent to Masabi Support if any health check fails, for immediate attention.

[Figure: An example of uptime monitoring alerts]
[Figure: An example server availability report.]
[Figure: An example of uptime monitoring alerts]

PERFORMANCE MONITORING
Each service’s ELBs respond to demand, using auto-scaling to increase the number of servers hosting any service under heavy load, removing these again down to a minimal level as demand slackens – ensuring the service doesn’t lock up at peak times without overprovisioning hardware or response times. The service is monitored using StackDriver and New Relic third party tools, helping alert Masabi Support to live issues and helping Masabi rapidly diagnose any problems or automate provisioning of additional servers.
Extensive performance testing is carried out on major releases to ensure that response times and capacity have not been impaired by changes. The diagram below outlines the architecture of the load balancing process, routing of inbound traffic onto multiple nodes, and the ELB process to create multiple instances of a service at peak performance.

APPENDIX H – DISASTER RECOVERY PLAN

MASABI DISASTER RECOVERY STRATEGY

Where is Masabi present:
Current Masabi AWS Region deployment:
● UW2 - US West 2 - Oregon - North American clients
● EW1 - EU West 1 - Ireland - European clients
● EW2 - EU West 2 - London - Secondary VPN entry point
● EC1 - EU Central 1 - Frankfurt - Backups / DR Site
● AS1 - Asia Pacific 1 - Singapore - Asian clients
● AS2 - Asia Pacific 2 - Sydney - Australian clients

Summary of current strategy:
All Masabi services are deployed to multiple availability zones (AZs). Availability Zones are designed for physical redundancy and provide resilience, enabling uninterrupted performance, even in the event of power outages, Internet downtime, floods, and other natural disasters. This means if one of the AWS ‘locations’ within a region were to be taken offline, Masabi services could continue to operate as normal. This holds true for server instances and database backends.

AWS builds its data centers in multiple geographic Regions as well as across multiple AZs within each Region. Each Region is isolated from the others. And AWS AZs are true AZs: completely separate buildings kilometers apart for complete redundancy.

In addition, automatic daily database backups of all production databases are taken, and these backups are kept for 7 days. Regular snapshots are taken of all data to a separate AWS account, which has limited login access to ensure it can be recovered should the account be compromised.
If an entire AWS region was taken offline (meaning the complete loss of 3 physically separate availability zones), Masabi would bring that production stack up within the secondary AWS account using automated provisioning tools. This process would take approximately half a day to complete.

What can the current plan mitigate against:
● AZ Failure - TTR - 2-3 minutes (time taken to automatically fail over to standby database)
● Malicious damage to main production account - TTR - 1 day
● Data loss or corruption - Daily DB backups kept for 7 days

- End of Document -

EXHIBIT F - CERTIFICATE OF INSURANCE

ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? INSR ADDL SUBR LTR INSD WVD PRODUCER CONTACT NAME: FAXPHONE (A/C, No):(A/C, No, Ext): E-MAIL ADDRESS: INSURER A : INSURED INSURER B : INSURER C : INSURER D : INSURER E : INSURER F : POLICY NUMBER POLICY EFF POLICY EXPTYPE OF INSURANCE LIMITS(MM/DD/YYYY)(MM/DD/YYYY) AUTOMOBILE LIABILITY UMBRELLA LIAB EXCESS LIAB WORKERS COMPENSATION AND EMPLOYERS' LIABILITY DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) AUTHORIZED REPRESENTATIVE EACH OCCURRENCE $ DAMAGE TO RENTEDCLAIMS-MADE OCCUR $PREMISES (Ea occurrence) MED EXP (Any one person)$ PERSONAL & ADV INJURY $ GEN'L AGGREGATE LIMIT APPLIES PER:GENERAL AGGREGATE $ PRO-POLICY LOC PRODUCTS - COMP/OP AGGJECT OTHER:$ COMBINED SINGLE LIMIT $(Ea accident) ANY AUTO BODILY INJURY (Per person)$ OWNED SCHEDULED BODILY INJURY (Per accident)$AUTOS ONLY AUTOS HIRED NON-OWNED PROPERTY DAMAGE $AUTOS ONLY AUTOS ONLY (Per accident) $ OCCUR EACH OCCURRENCE CLAIMS-MADE AGGREGATE $ DED RETENTION $ PER OTH- STATUTE ER E.L. EACH ACCIDENT E.L.
DISEASE - EA EMPLOYEE $ If yes, describe under E.L. DISEASE - POLICY LIMITDESCRIPTION OF OPERATIONS below INSURER(S) AFFORDING COVERAGE NAIC # COMMERCIAL GENERAL LIABILITY Y / N N / A (Mandatory in NH) SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). COVERAGES CERTIFICATE NUMBER:REVISION NUMBER: CERTIFICATE HOLDER CANCELLATION © 1988-2015 ACORD CORPORATION. 
All rights reserved. ACORD 25 (2016/03) CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) The ACORD name and logo are registered marks of ACORD

12/2/2021 (312) 595-6892 00000
Masabi, LLC 1330 Avenue of the Americas Suite 23A New York, NY 10019
A Cyber-Tech E&O W14063210901 8/1/2021 Claims/Aggregate 3,000,000
A Cyber-Tech Excess ACX1003921 8/1/2021 8/1/2022 Policy Limit 2,000,000
LIMITS OF INSURANCE CONTINUED: Insurer A - W14063180901 08/01/2021 - 08/01/2022 - Retroactive Date: 08/01/2013 Media, Tech & Professional Liability, Regulatory Defense & Penalties, Data & Network Liability (Inclds: Data & Security Breach and Privacy Policy Violation) Each Claim Limit: $3,000,000 - Policy Aggregate Limit: $3,000,000 - Retention: $5,000*
Eagle County Government Assistant County Attorney PO Box 850 Eagle, CO 81631-0850
MASALLC-01 JLEVIN2 Mesirow Insurance Services, Inc. 353 N Clark St 11th Floor Chicago, IL 60654 jonathan.levin@alliant.com Lloyd's of London 8/1/2022

CERTIFICATE OF LIABILITY INSURANCE
DATE (MM/DD/YYYY) 12/02/2021

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).
PRODUCER MESIROW INS SERVICES INC/BBT/PHS 83551324 The Hartford Business Service Center 3600 Wiseman Blvd San Antonio, TX 78251
CONTACT NAME:
PHONE (A/C, No, Ext): (866) 467-8730
FAX (A/C, No): (888) 443-6112
E-MAIL ADDRESS:
INSURER(S) AFFORDING COVERAGE NAIC#
INSURED MASABI, LLC 1330 AVE OF THE AMERICAS STE 23A NEW YORK NY 10019
INSURER A : Sentinel Insurance Company Ltd. 11000
INSURER B :
INSURER C :
INSURER D :
INSURER E :
INSURER F :

COVERAGES CERTIFICATE NUMBER: REVISION NUMBER:

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

INSR LTR TYPE OF INSURANCE ADDL INSR SUBR WVD POLICY NUMBER POLICY EFF (MM/DD/YYYY) POLICY EXP (MM/DD/YYYY) LIMITS

A COMMERCIAL GENERAL LIABILITY 83 SBA TP9381 08/01/2021 08/01/2022 EACH OCCURRENCE $1,000,000 CLAIMS-MADE X OCCUR DAMAGE TO RENTED PREMISES (Ea occurrence) $1,000,000 X General Liability MED EXP (Any one person) $10,000 PERSONAL & ADV INJURY $1,000,000 GEN'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $2,000,000 POLICY X PROJECT LOC PRODUCTS - COMP/OP AGG $2,000,000 OTHER:

A AUTOMOBILE LIABILITY 83 SBA TP9381 08/01/2021 08/01/2022 COMBINED SINGLE LIMIT (Ea accident) $1,000,000 ANY AUTO BODILY INJURY (Per person) ALL OWNED AUTOS SCHEDULED AUTOS BODILY INJURY (Per accident) X HIRED AUTOS X NON-OWNED AUTOS PROPERTY DAMAGE (Per accident)

A X UMBRELLA LIAB EXCESS LIAB X OCCUR CLAIMS-MADE 83 SBA TP9381 08/01/2021 08/01/2022 EACH OCCURRENCE $5,000,000 AGGREGATE $5,000,000 DED X RETENTION $ 10,000

WORKERS COMPENSATION AND EMPLOYERS' LIABILITY ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED?
(Mandatory in NH) If yes, describe under DESCRIPTION OF OPERATIONS below N/A PER STATUTE OTHER Y/N E.L. EACH ACCIDENT E.L. DISEASE - EA EMPLOYEE E.L. DISEASE - POLICY LIMIT

A DATA BREACH - RESPONSE EXPENSE COVG 83 SBA TP9381 08/01/2021 08/01/2022 Limit $10,000

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)
Those usual to the Insured's Operations.

CERTIFICATE HOLDER CANCELLATION
Eagle County Government Assistant County Attorney PO Box 850 EAGLE CO 81631
SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.
AUTHORIZED REPRESENTATIVE
© 1988-2015 ACORD CORPORATION. All rights reserved. ACORD 25 (2016/03) The ACORD name and logo are registered marks of ACORD

EXHIBIT G - MASABI RFP RESPONSE

ECO Transit
Transit Mobile Fare Payment System
RFP # 2020-007
Technical Proposal
08-11-2020

Eagle County Regional Transportation Authority - Transit Mobile Fare Payment System

Table of Contents
Executive Summary
Background and Experience
Key Company Data
Size & Location
Masabi History (Including Years in Business)
Masabi’s Industry Awards
Deployment Experience
System Description
Project Objectives
Proposed Approach – Phased Deployment
Mobile First Approach
Phase 0 – Accelerated Mobile Ticketing (visval, web portal) → 2020 Q4 (October/Nov)
Phase 1 – Mobile Ticketing Electronic Validation (Route-based fare rules, SVA, cash top-ups → vendor portal at agency locations, PDF printed tickets at agency windows) → 2021 Q2
Phase 2 – Account Based Ticketing Pay as You Go (route & discount/entitlement based PAYG, AVL integration if current work is reusable, smartcards, retail network, paratransit) → 2021 Q3
Future Expansions and Additional Functionality
Functionality by Phase Table
Core System
1. Describe the overall proposed solution.
Point of Sale Solution - Vendor Portal
Vendor Portal sales flow
Hardware requirements
Printed Tickets
2. Describe the overall capabilities of the solution.
Justride Platform Overview
Compliance Matrix
3. Describe the rider experience for different phases of a bus ride which include trip planning, booking, payment validation, trip updates and post-trip survey
4. Describe proposed system architecture
5. Describe fraud prevention and detection features of the product.
Visual Validation
Electronic Validation with Justride Inspect
Masabi Validators
Validator Management
Automatic Vehicle Location (AVL) Integrations
Automated Anti-Fraud Pattern Matching
6. Describe configuration and functionality of the solution.
Rider Interfaces
Agency Apps & Web Sites
White Label Justride Application
Custom Application Built Around Justride SDK
Justride Web Portal
Mobility-as-a-Service (MaaS)
Cash Riders
Agency-Managed Ticket Windows
Retail Store POS Integrations
Retail Distribution Network with InComm
Account Based Ticketing - Pay as you Go (PAYG)
Hub Back-Office
Access Control and Audit Trails
Customer Support
Data
Reporting
Analytics
Data Extraction
Accessibility
Masabi’s Accessibility Philosophy
Current Accessibility Infrastructure
Ongoing Commitment to Accessibility
7. Describe procedures to add new fare products.
8. Describe plan for upgrading smartphone applications in the future.
Hosting
1. Provide a service level agreement, including tiers of service, response times, and standard metrics.
2. Describe data center and storage facilities.
Cloud Native - Resilient and Scalable
3. Describe security capabilities of the proposed system, including firewalls, backup storage, and antivirus software encryption.
Platform Security
Data Privacy
4. Describe change management, upgrade, and patch management policies and practices. Describe systems administration/management capabilities including monitoring of performance measures, intrusion detection, and error resolution.
Change Management
Updates and Quality Assurance
5. Describe how the proposer would help move to a new operation at the end of the contract term or if the contract is terminated, including process for notifying riders of termination.
Project Plan
1. Project Execution Plan.
2. Project approach to include describing interaction with and review cycle requirements.
Project Management Approach
Project Management Methodology
3. Work plan to include a timeline for when certain core system features will be available
4. Schedule
5. Testing and Validation Approach
6. System Recovery Plan.
Disaster Recovery
Masabi’s Locations:
Current Masabi AWS Region deployment:
Summary of current strategy:
What can Masabi’s current plan mitigate against:
7. Training.
Project Team
Org Chart with
Ongoing Support Services
1. Post “go live” support that is included in the proposal response.
2. Telephone support.
US Phone (Local)*
3. Help Desk services.
Support Contacts
4. Toll-free support line.
US Phone (Toll-Free)
5. Users group
References
ADDITIONAL SUBMISSION REQUIREMENTS TO DETERMINE PROPOSER RESPONSIBILITY
1. Litigation History
2. Financial Information
3. Insurance Requirements
Appendix A: Project Schedule
Appendix B: Most Recent Audited Financial Statement
Appendix C: Resumés
Sara Poulton, VP of Global Services
Nayeli Velez - Project Manager
Jorgen Pedersen, Director Technical Consulting Services
Chip Whitman, Senior Account Manager
Appendix D: Insurance Certificates
Appendix E: Masabi Standard SaaS Agreement - with SLAs

EXECUTIVE SUMMARY

Masabi is excited by the opportunity to present its mobile fare collection platform, Justride, for the consideration of ECRTA as it seeks a modern mobility payment platform for its passengers. Launched in 2012, Masabi deploys the Justride Platform as a multitenant, cloud hosted, account based, Software-as-a-Service (SaaS) solution.

Masabi understands that cities like Eagle County are in the midst of a transformation in the way they deliver service to their passengers. At the heart of this transformation are new challenges, new services and new technologies. Agencies such as ECRTA are facing unprecedented circumstances that have caused them to prioritize their efforts to keep passengers and employees safe during the COVID-19 outbreak. Masabi’s fare collection technology, whether it is visually validated or electronically validated, is a pivotal element of such a strategy.

No solution is better equipped to meet ECRTA’s mobile ticketing needs than Masabi’s Justride platform. Justride is North America’s most used account based mobile ticketing service. In non-pandemic circumstances, Masabi processes more than $1 billion on its Justride Platform, selling more than 10 million mobile tickets each month.
Moreover, the rapid pace of technological change means that traditional legacy fare collection solutions, which by today's standards are slow and exceedingly costly, are quickly becoming a thing of the past. For this reason, Masabi built the Justride platform to be an integrable, configurable fare collection solution that allows agencies to launch mobile ticketing and scale the platform to serve as a modern, full fare collection solution. Masabi calls this the “mobile-first approach.”

This differentiates the Justride platform from other solutions in the market. By deploying Justride, ECRTA can launch a mobile ticketing solution for its passengers and can then expand to include electronic validation, printed media, smartcards, ID cards (provided they are a suitable standard) and other tokens, as required. Additionally, the platform can facilitate stored value and complex best-fare finding (fare capping) in an account-based ticketing fare model.

Justride also allows agencies to deploy ticketing through a variety of frontend options for their customers. Traditionally, the Justride platform has given agencies the ability to deploy an agency-branded mobile ticketing application as a frontend ticketing experience for their passengers. This allows agencies to deploy a branded digital asset for their riders, enabling riders to easily manage accounts and purchase tickets. This is one option for ECRTA to deploy the Justride platform.

In addition, through the Justride Software Development Kit (SDK), Masabi is actively integrating public transit with new and emerging modes of transit and transit technology. The SDK allows third parties to embed Justride ticketing within their front-end applications and therefore achieves practical integrated mobility, allowing ECRTA tickets to be purchased from within industry leading third party apps.
This proposal includes both the option to deploy the branded application as well as the SDK integrated into one or more of our partners which include Transit, Kyyti, Moovit, Uber, Lyft and more.

For this proposal, Masabi has included the option for ECRTA to deploy Masabi’s SDK within the Transit App. This integration means that in addition to deploying Masabi’s Justride branded application, ECRTA can utilize the Masabi/Transit partnership to deploy Justride natively within Transit. This deployment would offer a consolidated experience and a true MaaS product, allowing passengers to plan journeys, provide cross-ticketing to micro-mobility partners and purchase ECRTA's tickets all within a single app, improving the experience of ECRTA’s riders. The first deployment of this SDK integration was deployed for St. Catharines in Canada, in November 2018. Since then, Masabi and Transit have deployed the integration to nearly 20 agencies including Metro Transit in St. Louis; RTS in Rochester, NY; RTD in Denver; EZfare (14 agencies in Ohio and Kentucky) and more. Importantly, this integration offers both mobile ticketing for the first phases of this deployment, and can also expand to meet ECRTA’s future phases to include stored value and account-based ticketing.

In summary, Masabi is the ideal choice for ECRTA for the following reasons:
● Unparalleled Experience: The Justride platform is trusted and delivered by a world-class team with expertise deploying mobile ticketing solutions to over 70 agencies across the world, including multiple electronic validation deployments such as the 600-validator deployment with Las Vegas RTC and over a thousand validators deployment with Calgary Transit.
● Expand Beyond Mobile: The Justride platform will meet Eagle County’s need to expand beyond mobile ticketing, allowing ECRTA to introduce electronic validation, smartcards, cEMV (2021), POS distribution, printed barcode tickets and far more.
● Frontend Integrations: The Justride platform has been engineered to facilitate integrations with mobility applications through the Software Development Kit and this will enable ECRTA to sell tickets within one or more of Masabi’s journey planning partners, industry leading applications such as the Transit app, Moovit, Kyyti, Uber, Lyft and more.
● Industry-leading Back-Office: Masabi’s industry-leading back office management tool, the Hub, offers real-time data, extensive data analytics and unparalleled control of the mobile ticketing solution from a browser-accessible, user-friendly, intuitive interface.
● Regional Program: Masabi’s Justride app can be configured to support a single agency or multiple agencies. If a multiple agency regional program is of interest to ECRTA, Masabi has extensive experience in successfully deploying regional programs such as the EZfare deployment which comprises 14 agencies in Ohio and Kentucky. EZfare has been widely considered a huge success.
● Keeping Operators & Passengers Safe: Due to unprecedented circumstances, agencies such as ECRTA are having to prioritize their efforts to keep passengers and employees safe during COVID-19. Masabi’s fare collection technology, whether it is visually validated or electronically, is at the forefront of this effort to assist passengers with their social distancing efforts.

Masabi’s team is passionate about delivering innovative solutions to public transit agencies and excited to do so for ECRTA.

Best Regards,

Jeff Nullmeyer
Sr. Business Development Manager, North American Market
jeff@masabi.com
949-973-3982

BACKGROUND AND EXPERIENCE

KEY COMPANY DATA

Size & Location
Office | Address | Number of Employees
London | 37 Bevenden Street, Hoxton, London, N1 6BH | 82
New York | 205 E 42nd St, Ste 14003, New York, New York 10017 | 9
Cluj | UBC - United Business Center Riviera, Strada Teodor Mihali, nr. 64, Cluj-Napoca 400591 | 16
Remote Workers | Various locations, UK & USA | 12
Total | | 119

Masabi History (Including Years in Business)
Masabi LLC is a 100% owned subsidiary of Masabi Group Ltd (founded as Blue Technologies Ltd in 2001 and renamed to Masabi Group Ltd in 2019). Masabi LLC was incorporated in 2012.

Masabi has been a pioneer in developing innovative software solutions for public transit fare payments since its foundation, launching its first mobile ticketing service with Chiltern Railways in 2007 and designing, implementing, and operating fare collection systems for transit agencies, agencies and their riders ever since.

Masabi's mass transit specific experience is informed by foundational experience at the cutting edge of mobile and financial payments applications development. For example, Masabi designed the open standards for barcode (AKA QR Code/Aztec Code) ticketing used by the UK’s national rail network in 2008.

In 2012, Masabi launched the Justride platform to offer transit agencies mobile ticketing on a common Software-as-a-Service (SaaS) platform. The first deployment of Justride was for the Massachusetts Bay Transit Authority (MBTA), which was also the first mobile ticketing deployment in North America.
The MBTA is still using Justride for their mobile ticketing and today over 70% of MBTA commuter rail tickets purchased are now bought via the MBTA Justride mobile ticketing platform.

Since then, Masabi has deployed the Justride platform to agencies all across the world including New York’s MTA for the Metro-North Railroad and Long Island Rail Road, Los Angeles Metrolink, Las Vegas RTC, and Denver RTD. All of these deployments serve to reinforce that the platform is robust enough to serve the needs of .

Most recently, Masabi has been focused on extending the platform beyond mobile ticketing to enable transit agencies to serve innovative fare payment options to all riders in a modern transit landscape where agencies need to integrate across all modes as well. Masabi has extended the platform from its mobile ticketing foundation to be an account-based automatic fare collection (AFC) solution, where each rider has an account which can be associated with multiple tokens (such as smart cards, student IDs, and mobile tickets), and which can also hold stored value for cash digitization and automatic fare processing - where passengers do not have to pre-select their fares and instead can simply tap and ride. Rochester RTS in New York awarded Masabi its AFC replacement contract to utilize the platform for this purpose where Masabi would be deploying mobile ticketing, smart cards, printed tickets, TVMs, electronic validators, stored value/cash digitization, and a partner portal, all as part of the platform.

Additionally, to meet the needs of agencies in the growing multi-modal transit ecosystem, Masabi has developed a Software Development Kit enabling third-party providers (like Transit App and Uber) to embed the Justride ticketing functionality within their applications.
The first launch of an SDK-enabled app was with Kisio Digital in February 2017, and since then it has been launched within the Transit App for St. Catharines Transit, Ontario, Canada and within Uber for RTD Denver in April 2019.

The Justride Fare Payments as a Service platform has been deployed successfully after customer acceptance for over 70 agencies worldwide.

Masabi’s Industry Awards
Masabi has been consistently recognized for excellence and innovation across the globe with more than a dozen industry awards for its Justride platform in the last four years.

Deployment Experience
Masabi has successfully deployed the following fare payments solutions:

Agency/Operator | Year | Description
MBTA, Boston, MA | 2012 | The Massachusetts Bay Transportation Authority is the United States 5th largest transit agency. The MBTA app was the first mobile ticketing deployment in the USA and accounts for over 1/3 of ticket sales where available. MBTA’s mobile ticketing now has over 60% adoption.
NICE Bus, NY | 2014 | The Nassau Inter County Express (NICE) Bus is the bus and paratransit system that operates just east of New York City on Long Island.
Thames Clippers, London, United Kingdom | 2014 | Thames Clippers is the leading River Bus service in London serving West-to-East from Putney to Woolwich. Thames Clippers looked to Masabi to reduce ticket queues at peak times and modernize their service.
MTA Metro-North Railroad and the Long Island Rail Road, NY | 2016 | New York’s MTA is the largest agency in the USA. Metro-North and the Long Island Railroads are both the largest and second largest commuter railroads in the United States. MTA’s mobile ticketing has over 30% adoption.
LA Metrolink, CA | 2016 | Metrolink is Southern California's commuter rail system. It consists of seven lines and 55 stations operating on more than 380 miles of rail.
RTC Las Vegas, NV | 2016 | The RTCSNV is the transit authority and the transportation-planning agency for Southern Nevada. RTC originally deployed with visual validation and then they expanded their deployment to over 600 electronic validators across their entire fleet.
National Express Buses, United Kingdom | 2016 | Based in Birmingham with a fleet of over 1600 vehicles, National Express West Midlands (NEWM) operates bus services within three areas namely the West Midlands, Coventry and Dundee. NEWM is the largest bus operator in the respective area and one of the largest in the UK carrying over 1 million passengers every day. As well as bus services, NEWM also operates The Metro link between Wolverhampton and Birmingham. The roll out of mobile ticketing has been considered a success at NEWM, in particular with the student market, taking advantage of the high number of colleges and universities in the area and building strong partnerships.
Preston Bus, United Kingdom | 2016 | Preston Bus was founded in 1904 and now has a fleet of 120 vehicles. After being previously bought out by Stagecoach, Preston Bus was acquired by its now parent company, Rotala Plc, in January 2011. The joint aims of Preston Bus and Rotala Plc are growth in shareholder value, continuous improvement of operational capability and delivery of consistent customer service. Preston Bus delivers over 9 million passenger journeys a year.
HTM, The Hague, The Netherlands | 2017 | HTM Personenvervoer NV is a public transit company in the Netherlands operating trams, light rail and bus within The Hague. Masabi provides HTM with the Justride mobile ticketing solution for both bus and tram, as HTM now operates a cashless network across its bus routes.
Sonoma–Marin Area Rail Transit, CA | 2017 | Sonoma–Marin Area Rail Transit (SMART) is a new passenger rail service and bicycle-pedestrian pathway project in Sonoma and Marin counties of the U.S. state of California.
Bustang, CO | 2017 | Bustang is the Colorado Department of Transportation’s (CDOT) interregional express bus service running along the I-25 and I-70 corridor. Since the roll out of Masabi’s Justride platform, Bustang’s mobile ticketing app now has an adoption of 66%.
Fire Island Ferries, NY | 2017 | Fire Island Ferries has been supplying safe, convenient and fast marine transportation services to Fire Island since 1948.
People Mover, AK | 2017 | People Mover is the public transportation agency that serves metropolitan Anchorage, Alaska. It is owned and operated by the Municipality of Anchorage.
Denver Regional Transportation District, CO | 2017 | Mobile Ticketing services with visual validation for public transit services in eight out of the twelve counties in the Denver-Aurora-Boulder Combined Statistical Area in Colorado.
Manly Fast Ferry, Australia | 2017 | Manly Fast Ferry is the original fast ferry operation between Manly and the Sydney city since 2009. The service is the exclusive provider of fast ferry services to Circular Quay. It also provides regular services to other quays across Darling Harbour, Mosman and Watsons Bay, as well as whale watching and sightseeing tours. The most frequently traveled route is Manly to Circular Quay and vice versa.
Ace Rail, CA | 2018 | The Altamont Corridor Express operates in San Joaquin Valley, Tri-Valley, and Silicon Valley, providing a commuter railway service on one line with 10 stations. They use the Justride Retail app to sell tickets and the Justride Inspect for inspectors to validate tickets.
Palmetto Breeze, SC | 2018 | Palmetto Breeze provides bus services across all five Lowcountry counties including Beaufort, Jasper, Allendale, Colleton and Hampton in South Carolina.
Suffolk County Transit, NY | 2018 | Suffolk County Transit is the provider of bus services in Suffolk County, New York on Long Island in the United States and is an agency of the Suffolk County government.
SW Transit, MN | 2018 | SouthWest Transit is the public transit agency for Chaska, Chanhassen and Eden Prairie, as well as Carver. They currently offer services to and from Downtown Minneapolis, University of Minnesota, Normandale Community College and Best Buy Headquarters.
Big Bus Tours | 2018 | Big Bus Tours is the largest operator of open-top sightseeing tours in the world, providing sightseeing tours in 20 cities across three continents. It was formed by the merger of two established sightseeing tour businesses: the Big Bus Company Ltd (based in London) and Les Cars Rouges (based in Paris).
Lurraldebus, Spain | 2018 | Spanish intercity public transport service with more than 250 buses operating in Gipuzkoa. Their app uses the Justride SDK to incorporate Masabi’s market leading ticketing technology.
National Express, Dundee, UK | 2018 | Xplore Dundee is a bus operator based in Dundee, Scotland operating services mainly within Dundee City.
St Catharines, Canada | 2019 | Mobile Ticketing SDK services within the already existing "Transit app". Users can plan their bus journey within St. Catharines, Ontario and purchase more than twelve fare types seamlessly in one application.
Westmoreland County, PA | 2019 | The Westmoreland County Transit Authority (WCTA) is a bus operator in Westmoreland County, Pennsylvania. They operate 18 routes along the urbanized corridor that makes up the western portion of the county.
Seaport Ferry, MA | 2019 | Seaport / North Station Ferry is a public-private partnership providing a commuter ferry service to seven companies in the Seaport area of Boston, Massachusetts.
Valley Regional Transit | 2019 | VRT is a public agency which is the main provider of mass transit service in metropolitan Boise, Idaho.
Societatea de Transport Bucuresti (STB), Bucharest, Romania | 2019 | Societatea de Transport București (STB; English: Bucharest Transit Corporation) is the main public transit operator in Bucharest, Romania, owned by the Municipality of Bucharest. STB operates a complex network of buses, trolleybuses, light rail and trams. STB has an average of approximately 1,180,000 daily riders of which 540,000 with buses, 520,000 with light rail and trams, and 120,000 with trolleybuses.
Transfort (Fort Collins, CO) | 2019 | Transfort is the public transportation operator for the metro area of Fort Collins, Colorado. Transfort currently offers twenty-two regular routes, with 20 providing all-day service Monday through Friday. Six-day intercity service is provided by the FLEX to Loveland, Berthoud, and Longmont. Additionally, five routes for transporting Colorado State University students, faculty, and staff run throughout the school year. The solution allows Colorado State University students to use their existing student ID card (RamCard) to tap to travel when boarding bus services. The system uses Masabi’s Justride account-based back office and allows Transfort to turn on account-based fare for all riders when required.
GreenLine, Italy | 2019 | The Italian tour bus operator, whose brands include EnjoyBus and the iconic GreenLine Tours, launched a new mobile ticketing application “Enjoy Bus Rome” for the Hop-on Hop-off sightseeing bus service in Rome.
West Japan Railway Company (through Jorudan) | 2019 | West Japan Railway Company provides rail transportation services including the shinkansen network (bullet train) in North Kyushu, Kinki, Chugoku, and Hokuriku including Kyoto and Osaka in Japan.
Calgary Transit, Canada | 2020 | Calgary Transit is the public transit service which is owned and operated by the city of Calgary, Alberta, Canada. In 2018, an estimated 105.3 million passengers boarded approximately 1,155 Calgary Transit vehicles.
Citrus Connection, Florida | 2020 | Citrus Connection is the public transit system of Lakeland, Florida, operated by the Lakeland Area Mass Transit District (LAMTD). The system operates a fleet of 33 buses on 14 routes in the Lakeland area, including service provided for Winter Haven Area Transit to the neighboring cities of Auburndale, Winter Haven and Bartow.
EZfare, OH | 2020 | Regional mobile ticketing project that allows riders to purchase and use tickets across 13+ agencies in the Ohio area. Tickets can be purchased on a smartphone or web portal using a computer browser. Currently live with 3 agencies with plans to expand to 11 bus operators by the end of 2019.

SYSTEM DESCRIPTION

Project Objectives

Project Goal | Masabi Solution | Reference
Provide an Application Programming Interface (API) that would enable the to develop applications that could incorporate mobile fare options. | ECRTA, via Masabi’s Justride SDK, will have the ability to purchase fares in the Transit app or other trip planning app and will also have access to the Clever Devices real time information. | See Mobility-as-a-Service (MaaS)
Increased Rider Convenience through a comprehensive Mobile Ticketing Application. | Using the Masabi SDK, Masabi is proposing both a fully integrated solution using the Transit App trip planner (or other partner’s 3rd party application) to identify route selection and then go directly from that into the Masabi purchase flow, as well as a self-contained mobile application using Masabi’s award-winning mobile ticketing platform. Introducing Masabi’s mobile ticketing platform directly into the Trip Planner will provide a completely seamless user experience enabling a user to identify their best route to get from A-B, and then with the tap of a button purchase the right ticket to get them to their destination. | See White Label Justride Application
Improved provision of Real-Time Information to riders via a Mobile Ticketing Application. | By fully integrating fare purchase and stored-value accounts into Transit, Masabi will provide a proven, single-app solution for riders to access information and fare payment for Eagle County. With over 50 endorsements from transportation agencies as their official trip-planning app and a user base of millions of Americans, Transit is the leading mobile app for real-time public transit information in the United States. | See Mobility-as-a-Service (MaaS)
Significant Adoption of a Mobile Ticketing Application (>50 Percent of Total Boardings). | Masabi is confident about being able to achieve 50% adoption or greater, once electronic validation has been deployed with smart cards, mobile, etc. Masabi’s Services Team will work directly with ECRTA in order to put together a strategy utilizing things such as passenger incentives, deployment phasing, retail network, 3rd party apps and targeted marketing materials to achieve these numbers, which are quite realistic. | See Electronic Validation with Justride Inspect
Institute a robust and flexible platform to support Single and Multi-Agency Fare Transactions (ticket types, prices, validity and expiration) | Justride offers several options for bringing together ticketing across a region. An agency that is deployed on Masabi’s Justride Platform can deploy within a single agency environment or it can choose to deploy in a multi agency environment as well. Masabi has significant experience having deployed the regional solution for 14 agencies in and around Ohio. These agencies are now going beyond mobile, deploying ABT across the region. They are also in the process of rolling out validation which will enable a regional smart card with intelligent multi-operator fare capping driven by the Justride back office. In a multi-agency environment, Masabi can support each unique tariff/fare policy, which means support for different entitlements/fare types, and unique pricing. The period of validity and expiration of the pass/ticket is configurable and can be set to meet each agency’s specific needs within the environment. | See Justride Platform Overview
Support Existing pass products and single trip payments. | All products within the current ECRTA fare table will be fully supported on Masabi’s flexible Justride platform by the proposed dates within the phases as presented. For single trip tickets Masabi would propose to configure these so that they can be purchased in advance, be held in the customer’s ticket wallet waiting to be used for up to, say, 60 days, and activated only once. The activation would last for 90 minutes. Masabi assumes that during the activation period the ticket can be validly scanned multiple times, allowing transfer between services (or it can be restricted to a single scan, as you require). | See Proposed Approach – Phased Deployment
Support Future pass products and programs. | Masabi’s Justride solution is highly configurable, providing ECRTA the ability to add future pass products or make changes to the fare policy. The fare table or tariff is held in Masabi’s back office but can be uploaded or downloaded as a multi-tabbed Excel spreadsheet. New versions can be uploaded using the Justride Hub by appropriately authorized ECRTA staff. For agencies that are new to the Justride platform, or where the agency does not wish to manage its own tariff, Masabi’s services team can provide help and assistance. | See Phase 1 – Mobile Ticketing Electronic Validation (Route-based fare rules, SVA, cash top-ups → vendor portal at agency locations, PDF printed tickets at agency windows)
Ensure Convenience and Ease of use for all riders. | Riders (of all fare types) will have a seamless transit experience whereby they no longer need to pre-purchase tickets for their travel. They will simply board, tap and ride. To this end, Justride supports the use of mobile phones or NFC smartcards as tokens, offering the same tap-to-ride experience as smart cards. A mobile user can download the app, deposit cash into their stored value account, and immediately begin riding using a secure barcode token held on their phone, without the need to visit any ECRTA office or retail store locations. In addition to mobile users and smartcard users, Masabi will also support the use of contactless credit cards (cEMV) for a tap and ride experience in 2021, bringing added convenience to another group of customers, those who have chosen not to download the app or purchase a smartcard. | See Mobility-as-a-Service (MaaS), Accessibility, Account Based Ticketing - Pay as you Go (PAYG)
Make the Boarding Process Easier for bus operators and riders. | Whether it is visual validation or electronic validation, Masabi’s Justride solution makes the boarding process faster, simpler and safer for passengers and bus operators alike. For visual validation, a bus operator will simply need to glance, from a safe distance, in order to ascertain that the ticket is genuine using Masabi’s Tri-Color Bar Mechanism. For electronic validation, the passenger will present their fare media of choice to the Justride Validator which will communicate the results of the transaction through a distinguishable sound and a green screen which tells the passenger to board; minimal operator involvement is required aside from listening or watching to be sure that the payment is accepted. | See Masabi Validators
Reduce Onboard Fare Processing Time to improve on-time performance. | Masabi’s validation solutions were designed for secure and rapid passenger use. An operator can quickly validate tickets of multiple people boarding at once, reducing dwell times and without requiring agency staff to circulate daily words or images across their system. Because all active tickets have the same three colors displayed at any given point in time, an inspector can quickly look for a ticket that is an outlier (different colors from the valid tickets). In addition, the colors pulse up and down visibly, and over the top of them, the app displays the current date and time, scrolling back and forth. These additional security measures ensure that users cannot use screen grabs or recording of the app for travel. However, Masabi’s most secure implementation of any ticketing solution is with the use of electronic validation. When presented with a ticket, Masabi’s Inspect software decrypts the payload and analyzes it against a set of rules to determine its validity. Every ticket scanned is recorded in a core Ticket Validation Database that is synchronized to every validation device in the network. This prevents fraudulent use or re-use of canceled, blocked and copied tickets. A tri-factor security combination of encryption, rules-based validation, and centrally synchronized use history prevents manipulation, copying or use outside of the validity period. Once scanned, the validation device rapidly provides feedback to the rider and agency staff to indicate the validity of the ticket and any additional authentication required for concession tickets. The Justride validator screen uses a clear traffic light system to convey this feedback to the rider and the operator. | See Account Based Ticketing - Pay as you Go (PAYG)
Address the issue of Fare Validation and Verification of single and multi-pass tickets in an effective approach that does not compromise the rider’s experience. | Whether a passenger is using a single ticket or a pass product, the process is one that will not compromise the rider’s experience. The passenger will present their fare media of choice to the Justride Validator which will rapidly determine the ticket’s validity. The JRV has clearly marked tactical areas which will guide users to the correct scanning zones on the device. | See Masabi Validators
Integrated Reporting of fare collected through existing GFI farebox and the new Mobile Ticketing device. | Justride’s DataMart APIs allow near real-time extraction of all data within the platform using RESTful APIs returning either JSON or CSV files. This is used by many agencies, such as New York MTA and LA Metrolink, to integrate Justride data into external data warehouses to obtain a full cross-channel sales view. ECRTA would be able to use this functionality to consolidate data from both its Mobile Ticketing Solution (and future account based Pay as you Go system) with the data collected from its Fareboxes in an external BI tool. In addition, Masabi is in active discussions with partners, such as TransTrack, who provide products and services for transit data consolidation and who have the ability to extract and consolidate Genfare farebox data with AFC data. | See Data Extraction
Achieve Cost Efficiencies through the reduction of cash handling, number of forms of fare media, and operating cost. | Masabi is at the forefront of the Transit industry in its ability to offer a wide range of fare media options to agencies and their passengers. This includes mobile ticketing (visually or electronically validated), NFC smartcards, paper tokens, Bluetooth LE and cEMV (2021). The purpose of having a variety of choices for fare media is to provide passengers with choices in order to ensure that all passengers have access. When combining these options with a retail network, such as InComm, the end result is a high adoption level which will reduce cash handling and in turn reduce operational costs for ECRTA. | See Electronic Validation with Justride Inspect

Proposed Approach – Phased Deployment

Mobile First Approach
Masabi’s SaaS platform is built to be flexible, extensible, and scalable. Utilizing a mobile first approach allows Masabi to offer rapid deployment to agencies for its core mobile ticketing functionality with additional features and capabilities being activated on a modular basis. A key advantage of this approach is that agencies can go live with mobile ticketing technology much faster than with a custom-built solution. In addition, it allows agencies and their riders to become accustomed to the new system over time through incremental deployment phases. The scope of these phases is easily adjustable to meet ’s needs.

Phase 0 – Accelerated Mobile Ticketing (visval, web portal) → 2020 Q4 (October/Nov)
In order to meet ECRTA’s desire to launch a new solution as quickly as possible, Masabi proposes an accelerated first phase (which is entitled Phase 0) consisting of mobile ticketing with Masabi’s industry-leading visual validation technology. This deployment would entail pre-purchase mobile ticketing in a -branded Justride Retail application and an optional integrated trip planning and ticketing sales channel through Transit App.
Masabi anticipates being able to deploy this within 60 days from notice to proceed.

Phase 1 – Mobile Ticketing Electronic Validation (Route-based fare rules, SVA, cash top-ups → vendor portal at agency locations, PDF printed tickets at agency windows) → 2021 Q2
Following the successful deployment of Justride mobile ticketing, this new phase of the proposed deployment will involve the installation of Masabi’s electronic validation equipment and the launch of additional sales channels. During this phase, Masabi would introduce electronic validation to increase the security of the mobile ticketing solution using Masabi’s Justride Validator and advanced Inspect validation software. Masabi understands that ECRTA uses differentiated vehicles for Regular and Premium Routes; if that is indeed the case, CAD/AVL integration is not required in order to electronically validate tickets and passes automatically, as the validators are simply configured for their respective route (the PAYG case is covered in detail in Phase 2). If vehicles are regularly switched between routes then electronic validation will be based on audible feedback to the driver on a scan event.
Within this phase, Masabi will also deploy stored value accounts that can be used as a funding source to buy pre-purchased mobile tickets. This feature is one approach for serving unbanked and underbanked passengers, and is an intermediate step to full account-based ticketing in Phase 2.
Simultaneously, Masabi will deploy additional sales channels to make tickets and passes available to passengers through multiple means. These features will not only provide new paths for riders to purchase fares, but also make fare products available to a broader array of passengers through programs explicitly designed to serve business and institutional partners and cash-dependent riders.
These sales channels include:
● Web Portal - a website that allows users to purchase mobile tickets, and optionally, print-at-home PDF tickets
● Partner Portal - a web-based interface that allows business and institutional partners to manage mobile tickets for their members
● External Orders API - an API that allows the same functionality of the Partner Portal to be integrated into an existing website
● Vendor Portal - an additional module within the back office that allows passengers to pay in cash to purchase tickets or load stored value at ECRTA ticket windows
Finally, the introduction of electronic validation serves as a crucial necessary prerequisite to turn on account-based Pay-as-you-Go ticketing in Phase 2.

Phase 2 – Account Based Ticketing Pay as You Go (route & discount/entitlement based PAYG, AVL integration if current work is reusable, smartcards, retail network, paratransit) → 2021 Q3
Once Phase 1 is fully live and passes a user-testing pilot phase, ECRTA will be ready to launch its full account-based Pay-as-you-Go (PAYG) system. Upon boarding a bus, a passenger will simply present the account token of their choice (a mobile barcode or smart card) and the validator will automatically deduct the appropriate amount from the passenger’s account held in the cloud-hosted Justride back office. Justride’s intelligent fare engine applies fare capping to ensure that passengers are always charged the best fare. In addition, the following infrastructure will also be deployed in this phase:
● Justride ECRTA branded smart cards
● Optional Upgrade - InComm top-ups at retail outlets
During this phase Masabi will use an onboard integration with ECRTA’s CAD/AVL system to validate differentiated fares on Regular and Premium Routes.
For this integration, Masabi is proposing for ECRTA the following options:
1. Implement PAYG based on the bus’ route without a CAD/AVL integration. This will incur no additional integration cost but is only possible if the Premium Route vehicles and regular route vehicles do not switch their route (i.e. vehicle on premium route is moved to service a regular route).
2. Implement PAYG based on the bus’ route with AVL route data, integrating with the Clever Devices CAD/AVL system. This will be subject to further discussions with Clever Devices and assumes that the Clever Devices units will be using the same API version (1.4), as previously integrated by Masabi.

Future Expansions and Additional Functionality
Finally, with account-based-ticketing fully live and operational, future upgrades will be available to further improve rider experience. These will include:
● Partner card management - additional functionality to allow business and institutional partners to directly administer all aspects of ordering, issuing, and managing Justride smart cards for their members
● Thermo-printed single tickets using Vendor Portal
● Contactless Bank cards using cEMV technology as open loop payment mechanism for ABT Pay as You Go, with best fare finding for riders.
A key advantage of Masabi’s SaaS methodology is that as the platform continues to grow and expand, all Justride agencies benefit from the ongoing updates to the central platform. This approach ensures that ECRTA’s fare collection system is able to scale and evolve over time as technologies and needs change without having to incur the costs and disruptions associated with re-procurement. Masabi has detailed in its Additional Functionality section some of the upgrades that can be made available to ECRTA as future updates.

Functionality by Phase Table
As a summary of the presented phases above, a table is presented below for ECRTA’s convenience including the functionality to be provided in each of the phases.
Functionality | Phase | Quarter
Rapidly deployed visually validated mobile ticketing | Zero | Q4 2020
Justride Hub (back office) | Zero | Q4 2020
Web Portal (sales channel) | Zero | Q4 2020
Integration Into 3rd Party Trip Planning Application (such as the Transit App) | Zero | Q4 2020
Mobile ticketing with Electronic Validation (Justride Validator) | One | Q2 2021
Paratransit Service | One | Q2 2021
Automatic Vehicle Location (AVL) Integration | One | Q2 2021
Partner Portal (sales channel) - if option selected | One | Q2 2021
Vendor Portal (sales channel) - if option selected | One | Q2 2021
Retail Networks for SVA top-ups (sales channel) | Two | Q4 2021
Paper Tickets, ability to print | Two | Q4 2021
Smart card as account token rollout | Two | Q4 2021

CORE SYSTEM

1. DESCRIBE THE OVERALL PROPOSED SOLUTION.
Masabi looks forward to partnering with ECRTA in order to deploy its multi-tenant Justride fare payments platform to offer the riders of Eagle County a more convenient and efficient way of getting from A to B. The solution, while being delivered in phases, is clear. Masabi, in addition to configuring its Justride White Label Application (WLA) for ECRTA, will also integrate with a (or potentially multiple) MaaS app, such as the Transit App. Masabi’s MaaS partners (Transit, Moovit, Uber, Lyft, Kytti, etc.) are already on millions of people’s phones. For many, these are applications that your passengers already rely on and trust.
Using Masabi’s Justride SDK, ECRTA will be able to quickly, easily and cost-effectively integrate with Transit, for example, North America’s most popular journey planning app which is already being used by thousands of residents and visitors across the state of Colorado every day to plan their journey, track their ride, and make multimodal connections. The integration shouldn’t require any custom development and no additional costs for the ECRTA. For the rider, purchasing ECRTA’s passes via these market-leading MaaS apps costs the same as through existing options.
The validation device proposed by Masabi for this project is the Masabi-built Justride Validator (JRV), which utilizes Masabi’s Justride Inspect software. These units will be deployed across ECRTA’s fleet and ensure the validity of tickets as well as supplying comprehensive journey data. The JRV is a pole-mountable multi-format validator capable of accepting QR or Aztec media presented on mobile devices and paper as well as smartcard media (ISO14443/MIFARE) with options that extend the support to contactless EMV payment cards. It possesses the necessary onboard storage, processing capability and connectivity options to support any scale of deployment and comes with various wired and wireless interfaces to allow for flexible connectivity to other onboard systems and the internet. The JRV also comes in variants which allow it to be affixed to a vehicle using either a vertical or horizontal pole.
As part of the scope for ECRTA, Masabi will provide its Vendor Portal and would as an option offer a Retail Distribution Network enabled by using InComm as a partner. Additionally, and in order to satisfy ECRTA’s need for POS hardware, Masabi will offer its point of sales solution, the Vendor Portal.

Point of Sale Solution - Vendor Portal
Justride’s Vendor Portal is a retail solution designed for smaller stores which have a web-capable computer available to run the user interface.
It offers the ability for riders to deposit cash into their Justride SVAs for future use, or to pay cash to purchase mobile tickets in the store.
Participating retail stores are given login credentials created by ECRTA staff in the Hub, a web page URL and training documentation. A transaction is carried out as follows:
● Riders have a menu option within the app that displays a barcode and human readable ID number that they show to the retail staff in-store.
● Retail staff either scan the barcode or type the ID directly into the Vendor Portal to identify the account and show available options.
● Riders hand over an appropriate amount of cash, and retail staff use the Vendor Portal to push the requested credit and/or tickets into the rider’s account.
● The rider receives an email receipt, and the new funds/tickets are available immediately within their app.
● At the end of the day the retail staff run a Cash Out report on Vendor Portal which informs them of what sales were made since the last Cash Out report was run.
The Vendor Portal is designed as a lightweight system, which assumes that the retailer has an existing mechanism for taking payments from the rider; it does not provide any cash drawer or card processing facilities, or direct interface into the retailer’s systems. All sales data is collected inside the Justride Data Warehouse and a variety of cash reports are available to ensure that all income can be collected from retailers.

Vendor Portal sales flow
Below are the steps involved in selling mobile tickets through the Vendor Portal.

Hardware requirements
Mandatory
● Requires a device able to run a modern web browser such as a computer or tablet
  ○ Vendor Portal supports, on a rolling basis, the current and previous two major versions of Google Chrome, Firefox and Microsoft Edge.
● Internet access.
Recommended
● Barcode scanner - In order to reduce friction in the purchase experience it is recommended that a device be mounted for use by the rider to present a barcode identifying their account. A device such as a webcam would technically work however a specialized presentation barcode scanner would be ideal. These devices would need to be physically connected to a computer or tablet through which the Justride Vendor Portal is being accessed. It is worth considering the operational realities of the interaction between the rider and customer representative when identifying the account. For example, the feedback is given to the rider when presenting their barcode in order to communicate that the system has successfully scanned their barcode.

Printed Tickets
The Justride platform supports the fulfillment of digital tickets (scannable barcodes) on paper media and is able to generate barcodes designed specifically for this purpose. These static barcodes can be printed on whichever physical fare media (i.e. printed media) the agency wishes to support, making the paper tickets available for validation by an OBV or MIV. These static barcodes can be requested from the Justride platform via API (Justride Vendor Ticketing API) meaning ECRTA’s existing or future vending channels that print tickets can be connected to the Justride backend to receive barcodes to print. Justride also supports 'self-print' or 'print-at-home' tickets that allow a Rider to purchase and print their own ticket.

2. DESCRIBE THE OVERALL CAPABILITIES OF THE SOLUTION.

Justride Platform Overview
The Justride platform delivers a low cost future-proofed automated fare collection (AFC) system capable of meeting all of the fare collection needs of a transit agency.
It is built on an open architecture that makes use of cloud hosting and commercial off the shelf hardware, and offers APIs and Software Development Kits (SDKs) as flexible extension points. Justride integrates into the emerging Mobility-as-a-Service ecosystem and currently processes over 40 million ticket transactions annually, totalling over $1B.

Justride's Software-as-a-Service (SaaS) model offers significant benefits over traditional design, build, operate and maintain projects which often see considerable cost overruns and cancellations or unsatisfactory deployments. Delivering fare collection in a SaaS manner keeps the platform up-to-date and secure, removes much of the management overhead from the transit agency, and future-proofs the system as the platform will continue to evolve with the industry and broader technology market - all of which can be demonstrated in operation in advance, and does not require a significant capital expenditure outlay to deploy.

Compliance Matrix
A matrix representing the compliance level of the proposed solution is included in this section for ECRTA’s convenience:

# | Description | Compliance | Notes
1 | 1. PROJECT OBJECTIVES
ECRTA desires to acquire a mobile application that includes a mobile fare payment system that integrates with ECRTA’s current farebox system. Objectives for the Mobile Ticketing System:
● Provide an Application Programming Interface (API) that would enable the ECRTA to develop applications that could incorporate mobile fare options. | Alternative | Masabi would provide an iOS and Android SDK to achieve this goal. APIs are also available allowing ECRTA to also push mobile tickets to a rider's mobile wallet (Provided by the SDK)
● Increased Rider Convenience through a comprehensive Mobile Ticketing Application.
| Full
● Improved provision of Real-Time Information to riders via a Mobile Ticketing Application. | Alternative | Masabi could provide this via a deep link in the retail application to the real-time information website. Alternatively, the Justride SDK can be embedded into an existing real time information application by a third party to enable riders to purchase fare products directly from that application.
● Significant Adoption of a Mobile Ticketing Application (>50 Percent of Total Boardings). | Full
● Institute a robust and flexible platform to support Single and Multi-Agency Fare Transactions (ticket types, prices, validity and expiration). | Full
● Support Existing pass products and single trip payments. | Full
● Support Future pass products and programs. | Full
● Ensure Convenience and Ease of use for all riders. | Full
● Make the Boarding Process Easier for bus operators and riders. | Full
● Reduce Onboard Fare Processing Time to improve on-time performance. | Full
● Address the issue of Fare Validation and Verification of single and multi-pass tickets in an effective approach that does not compromise the rider’s experience. | Full
● Integrated Reporting of fare collected through existing GFI farebox and the new Mobile Ticketing device. | Partial/Alternative | Masabi can provide its Data Mart APIs to allow data to be pulled from the mobile ticketing back office and consolidated with GFI data in a third party BI tool. Alternatively, Masabi can provide Genfare with an API to push farebox data into the Justride data warehouse provided this data is in the compatible format. Masabi is in active discussions with partners, such as TransTrack, who provide products and services for transit data consolidation and who have the ability to extract and consolidate Genfare farebox data with AFC data.
● Achieve Cost Efficiencies through the reduction of cash handling, number of forms of fare media, and operating cost. | Full
4 | 4.0 REQUESTED MOBILE FARE SYSTEM FEATURES / SPECIFICATIONS
4.1 | 1. GENERAL SYSTEM REQUIREMENTS
1. The proposer shall provide a Mobile Ticketing System that consists of a Mobile Ticketing Application (‘App’), a system administration website and all backend systems, services, and communications to support the functionality described as part of the requirements. | Full
2. The proposer shall manage the certification, release and maintenance of the Apps on each operating system’s respective application store. | Full
3. The system shall have the ability to handle high volume of riders downloading or using the App at any given time. This would include special events. Proposer must specify if there are any limitations on simultaneous App access. | Full
4. The system and all user-facing components shall meet all current ADA guidelines for web and mobile accessibility, including built-in features on rider devices. | Full
5. The system shall allow offline usage of the App when devices are not connected to a network, including offline activation for tickets on the device. | Full
6. All payment processing and data storage for the system shall be Payment Card Industry Data Security Standard (PCI DSS) compliant. | Full
7. The proposer shall monitor the system for security threats and notify ECRTA immediately in the event of suspected breach of rider or agency data. | Full
8. The system shall support any new operating system (OS) version within five weeks of release. | Full
9. The system shall provide back-end metrics, performance monitoring and reporting tools. | Full
10. The system shall be able to store tickets on the cloud and on device to ensure validation in offline mode. | Full
11.
The system shall allow account or payment information to be stored in a rider’s account for future purchases. | Full
The electronic fare collection platform must be account-based and deployed as a Software-as-a-Service, cloud-hosted platform that grants ECRTA license to utilize the platform to deploy a turnkey mobile ticketing solution that can expand to serve all ticket sales options across all rider types. | Full
The proposer shall expect to manage the system and shall make updates to that system available to ECRTA on a regular basis. The system must be capable of handling both visual and electronic scanning verification methodologies. | Full
The solution shall be extendable to other token types including, but not limited to: ISO 14443 smartcards, paper barcodes, and extensible to open payments using contactless c-EMV credit cards. The solution shall also facilitate integrations with mobility services companies. The platform shall guarantee 99.9% uptime and shall be a multi-tenanted platform deployed according to ECRTA’s brand guidelines and enabling ECRTA to autonomously manage the platform and direct engagement with their riders. | Full
4.2 | 2. REGIONAL SYSTEM INTEGRATION REQUIREMENTS
In the next 12 months, ECRTA will be part of the deployment of an application called Transit Hub. Transit Hub is an app that enables riders to build trips through all transit systems in Eagle County. It is a one stop technology tool to find transportation connections with local providers such as ECO Transit, Avon Transit, Vail Transit, and Beaver Creek Transit, as well as the Colorado Department of Transportation’s regional bus service (Bustang) and ride sharing (Uber and Lyft) and bike sharing (Zagster) options.
Transit Hub is meant to bridge schedule gaps between all transit agencies while providing the rider with the appropriate details needed to reach their destination. Transit Hub will utilize Google Transit to build trips with the ability to sort by cheapest trips, quickest trips, and the least amount of transfers. ECRTA envisions that the App procured via this RFP will be able to integrate with the Transit Hub app. While not a primary system function of this RFP, ECRTA encourages proposers to consider and detail how the proposed system could be used to integrate information and access through the Transit Hub app deployment. | Full | Masabi proposes its Justride SDK to be integrated within Transit Hub to allow ECRTA tickets to be sold and displayed.
4.3 | 3. MOBILE FARE PAYMENT SYSTEM DESIGN OVERVIEW
1. The solution shall be cloud-hosted, account-based, and deployable as a Software-as-a-Service platform. | Full
2. It shall be flexible and easily scalable for growth as more riders download the App, as well as for additions of new fare products, group, or individual rider types and profiles. | Full
3. All Graphic User Interfaces, fare media, and public communications within or concerning the system shall meet the ECRTA brand guidelines. | Full
4. Ability to link with local bike share and transportation network companies such as Uber and Lyft. | Full | This functionality is available either through deep linking or through one of Masabi’s third party Justride SDK integrations. Masabi has a number of existing integrations which are identified in its proposal.
4.4 | 4. MOBILE TICKETING & FARE COLLECTION SYSTEM FEATURES
4.4.1 | Mobile Ticketing Application (App)
1. The App shall be available for Android and iOS. It should support at least the last two major versions of those operating systems. | Full
2.
The App shall be branded in line with a style guide provided by ECRTA at the time of award. | Full
3. For the duration of the contract, the App shall always be fully functional on the latest version of the OS of supported platforms as new OS versions are released. If an update is required to make the App fully functional on a new version of a supported OS, the update shall be available to riders on the day of the OS launch; the developer will notify ECRTA of updates so it can inform users. | Full
4. The App shall be downloadable for free. | Full
5. The App shall be downloadable from the official app store of the supported platforms. | Full
6. The app will be made available without using ECRTA resources or servers and maintaining updates for the duration of the contract. | Full
7. It shall be possible for the App to link to online content outside of the app. | Full
8. The App shall meet the ADA accessibility standards. | Full
9. The App shall meet PCI DSS. | Full
4.4.2 | Account Registration and Login
1. A rider shall be able to purchase a single-use ticket without requiring account registration. | Full
2. A rider shall be able to register for an individual ECRTA mobile ticketing account in the App or online. | Full
3. The account registration process shall capture the rider’s email address. | Full
4. There shall be a mechanism for amending the terms and conditions and privacy policy as needed. | Full
5. Riders shall be able to change their password from the App or online. | Full
6. Riders shall be able to reset their forgotten password from the App or online. | Full
7. The App shall allow riders to login using native authentication services on supported iOS devices. | Partial | The Justride iOS app allows for a user to set up iOS’ Touch ID to login to their Justride registered account in scenarios of inactivity.
The Justride app however does not support registration using Touch ID and if a rider explicitly logs out then the Touch ID session is removed and the Rider will need to manually log in again.
4.4.3 | Tickets
1. The solution shall support all types of fare passes as identified in the previous section. | Full
2. Riders shall be able to view the full range of ECRTA tickets available to purchase in the App. | Full
3. It shall be possible for tickets to be grouped and categorized by route and fare type so that riders select a category in order to view the range of tickets available under that category. | Full
4. A short cut shall be provided in the App for the origin and destination stations of recent purchases to aid a rider in the purchase flow. | Full
5. For each ticket the rider shall see the following information:
○ Ticket Name | Full
○ Price | Full
○ Description | Full
6. Tickets shall have an expiration period after which the ticket (be it unused or active at the time) expires. This shall be configurable. | Full
7. It shall not be possible to activate a ticket outside its validity period. | Full
8. Return tickets shall be stored in the wallet as two, linked, single tickets requiring activation by the rider prior to each leg of the journey. | Full
9. It shall be possible to configure products that are restricted so they are not available for general sale. | Full
10. It shall be possible to configure the visual elements of each ticket so that different fares can display different visual elements. | Full
4.4.4 | Ticket Purchase Process
1. Riders shall be able to purchase the available tickets from within the App. | Full
2. There is no minimum number or value of tickets a rider must purchase. | Full
3. It shall be possible to set the maximum number of tickets that a rider can purchase in a single transaction for a given ticket type. | Full
4.
It shall be possible to set the maximum number of tickets that a rider can purchase and hold for a given ticket type within a set period of time. | Full
5. Riders shall be able to purchase multiple tickets in a single transaction. | Full
6. Riders shall be able to pay using all major credit, debit cards, connected bank accounts, as well as digital wallets and services such as PayPal. | Alternative | Riders shall be able to pay using all major credit, debit cards, as well as digital wallets, but not PayPal or bank accounts.
7. Riders shall have the option to save their payment details securely for one or more payment methods. | Full
8. Riders shall be able to delete their saved payment details. | Full
9. A ticket purchased in the App shall be immediately available in the App’s ticket wallet. | Full
10. Riders shall receive an email receipt of their purchase. | Full
4.4.5 | Stored Value Accounts
1. The proposer shall expect to be able to deploy stored value accounts (SVA). | Full
2. The SVA shall be used for the following use case:
○ Stored value as a funding source (to buy mobile tickets) | Full
○ Stored value for tap to ride | Full
3. The rider shall be able to add stored value to their account through the App or web portal. | Full
4. ECRTA shall have the ability to accept cash and add that value to a rider's account. | Full
5. All added/topped up value shall be available for immediate use. | Full
6. Stored value shall be accepted by electronic validation options within this described mobile ticketing solution. | Full
7. Stored value shall be accepted by tapping a mobile barcode or smartcards on the electronic validation units. | Full
8. The SVA tap to ride solution shall automatically reduce the appropriate fare from the rider's SVA, applying the best fare finding or fare capping logic.
| Partial | As standard, this functionality is available on flat fare tariff types. A Tap to Ride solution where the amount to be reduced varies by route will be available in Q3 2021.
4.4.6 | Ticket Wallet
1. Riders shall be able to view their history of used tickets. | Full
2. Riders shall be able to view tickets which have not yet been activated and have not expired. | Full
3. Riders shall be able to view tickets which they have activated and are currently active. | Full
4. Riders shall be able to view tickets that have recently expired. | Full
5. Device connectivity (either through Wi-Fi or a data plan) shall not be required to view purchased tickets of any status. | Full
4.4.7 | Ticket Activation
1. Riders shall be able to activate unused tickets stored in their ticket wallet. | Full
2. Riders shall be able to activate multiple tickets at one time from one device. | Full
3. Tickets must be able to be activated while offline (no Wi-Fi or cellular connectivity). | Full
4. The date and time of the activation shall be recorded. | Full
5. The App shall provide a means to make it clearly visible to ECRTA employees when a ticket has been recently activated. | Full
6. The active ticket shall provide a 2D/QR barcode that can be scanned by ECRTA employees to establish ticket validity. | Full
7. The active ticket shall display:
○ Ticket type. | Full
○ Origin and Destination points if applicable. | Full
○ Expiration date and time and/or a countdown to the ticket expiration. | Full
8. The active ticket view shall include security measures which minimize the possibility of fraudulent use such as screenshotting, copying, replicating via an app or sharing of a ticket. | Full
4.4.8 | User-Experience Capabilities
1. Ability to use tickets for multiple riders from one device. | Full
2.
Ability to use more than one payment mechanism for checkout as a split purchase feature. | Full
3. Ability to purchase tickets from website and have those tickets appear on the rider App. | Full
4. Ability to access order history from the App and online. | Partial | Order history is available via the Justride web portal. The App provides access to the last 30 historical (used/expired) tickets the Rider purchased. Email receipts are also sent as a record of order history.
5. Ability to change password for App log-in directly from the App and from website. | Full
4.4.9 | Ticket Validation
1. The proposer shall expect to supply a ticket validation solution for both visual and electronic validation, whichever ECRTA wishes to deploy. | Full
2. The ticket validation solution will provide a means of preventing pass type tickets from being reused within a defined period of time. | Full
3. The ticket validation solution includes measures to prevent fraudulent use. | Full
4. The ticket validation solution will validate tickets to prevent the re-use of used, cancelled, or refunded tickets anywhere within the system. | Full
4.4.10 | Visual Validation
1. The proposed solution shall not require ECRTA to distribute information to bus operators. | Full
2. The proposed visual validation solution shall consist of the following features:
○ Dynamic component to the active ticket. | Full
○ Dynamic barcode built into the ticket. | Full
○ Ticket must be able to be activated offline. | Full
○ Security to protect against screen sharing or recording of the screen. | Full
○ Complete branding and customization down to the ticket type (to match ECRTA’s branding). | Full
○ The ability to have a digital representation of the paper ticket on the active mobile ticket.
| Full
○ Visual elements of the ticket must be configurable at the fare level so that different fares can display differences. | Full
4.4.11 | Electronic Validation
1. Electronic validation units shall be multi-format capable of reading 2D barcodes, Bluetooth LE, NFC, and contactless-EMV. | Full
2. The electronic validation solution will record the details of tickets scanned, the validation results, the date and time of the scan event and potentially the ECRTA employee that conducted the scan. | Full
3. The electronic validation solution will record the GPS location of scan events. | Full
4. The electronic validation solution will record the service and/or vehicle where the ticket was scanned. | Full | This functionality is available if an AVL integration is deployed. This will be included as a priced option in Masabi's proposal.
5. The electronic validation solution will provide clear visual and audible indicators to ECRTA employees for the scan result. This should include alerting ECRTA employees of the pass type being used audibly to determine if the correct fare type is being used without viewing the phone. | Full
6. The electronic validation solution will be provided by way of mobile application available for Android and iOS operating systems. | Full
7. Tickets can be scanned and validated by the electronic validation solution without a live data connection (offline). If using an internet connection, tickets can be scanned and validated using ECRTA’s onboard internet connection from AT&T cellular service. | Full | This is available provided an ethernet connection is available to the existing onboard communications. As a future option, the proposed validator is capable of operating on its own cellular data connection using a sim card or over an on board wifi network.
8.
The electronic validation solution handheld device supports the validation of both mobile and paper barcode tickets. | Full
9. The on-board electronic validation unit shall be able to integrate with the existing CAD/AVL system onboard the vehicle described in Section 3 of this RFP. | Full | As detailed in the Proposed Approach section earlier in this document this integration would only be necessary if vehicles move between the Premium and Regular route. If an integration is required then Masabi assumes it can leverage its existing integration with Clever Devices based on version 1.4 of their API.
10. The electronic validation solution shall be stand-alone from the farebox but must integrate with ECRTA’s existing ITS system. | Full
11. The electronic validation software shall be highly secure, ensuring that validation logic is processed by the validator and not the mobile device. | Full
4.5 | 5. BACK-OFFICE CAPABILITIES
Back-office capabilities will be browser accessible and will be role-based so that individual user access can be controlled based on the role they are assigned. Back-office will require secure login to access. | Full
4.5.1 | Rider Support
1. Back-office shall enable ECRTA to handle rider customer service directly. | Full
2. Rider shall be able to find ECRTA's rider support contact details in the app. | Full
3. Access by authorized ECRTA employees to the rider support solution shall be secure and include user authentication. | Full
4. The rider support solution shall be fully compatible with a mainstream modern web browser such as Google Chrome. | Full
5. Authorized ECRTA employees shall be able to view the tickets which are currently available to riders to purchase. | Full
6.
Authorized ECRTA employees shall be able to view the rider’s account details:
○ Email address | Full
○ Device details | Full
○ Relevant funding source attached to the account | Full
7. Authorized ECRTA employee shall be able to view:
○ The rider’s ticket purchase history including the current status of the ticket (inactive/activated/expired) | Full
○ When the ticket was purchased | Full
○ When the ticket was activated | Full
8. Authorized ECRTA employees shall be able to block or unblock a rider’s account. | Full
9. Authorized ECRTA employees shall be able to change rider type to permit access to restricted tickets. | Full
10. Authorized ECRTA employees shall be able to deactivate and reactivate a rider’s account. | Full
11. Authorized ECRTA employees shall be able to issue full or partial refunds. | Full
12. Authorized ECRTA employees shall be able to cancel unused tickets from a rider’s wallet. | Full
13. Authorized ECRTA employees shall be able to issue a new ticket to a rider’s wallet without taking payment. | Full
14. Authorized ECRTA employees shall be able to record and view notes on a rider’s account. | Full
15. It shall be possible to have multiple authorized ECRTA employee user roles with different levels of permissions added to the rider support functions. | Full
16. An ECRTA admin user role shall be able to:
○ Create new users | Full
○ Assign user roles | Full
○ Delete users | Full
17. Each rider record shall contain an audit trail of all transactions processed, tickets used, and scans validated. | Full
4.5.2 | Tickets and Fare Administration
1. Access by authorized ECRTA employees to the ticket administration configuration shall be secure, including user authentication. | Full
2. The ticket administration solution shall be fully compatible with a mainstream modern web browser such as Google Chrome. | Full
3.
Authorized ECRTA employees shall be able to create new ticket types. | Full
4. Authorized ECRTA employees shall be able to set and alter ticket pricing. | Full
5. New tickets, unless otherwise specified, shall be available to all riders to buy immediately after being created. | Full
6. Authorized ECRTA employees shall be able to remove tickets from availability to be purchased. | Full
7. ECRTA shall have the ability to issue tickets and or entitlements (changes to rider types) in bulk. | Full
8. The back office shall allow for ECRTA to grant access to 3rd party corporations to issue ECRTA tickets. | Full
4.5.3 | Finance and Monitoring
1. Authorized ECRTA employees shall be able to generate reports on ticket sales, usage, and their associated revenue for variable date ranges. | Full
2. Reports shall be in (or exportable to) a CSV format. | Full
3. APIs must be available to enable ECRTA to export all relevant data in real-time or near real-time to central back office systems. | Full
4. All data must be stored in an open data warehouse. | Full
5. ECRTA shall own all of the data that comes through the proposed platform. | Full
4.5.4 | Asset Monitoring
1. Authorized ECRTA employees shall be able to monitor all validator devices deployed throughout the system. | Full
2. Back-office shall display the health of all validation devices, including:
○ Online / offline status | Full
○ Diagnosis of relevant issues | Full
○ Software app version | Full
○ Memory | Full
○ Vehicle ID | Full
○ Scan history | Full
4.6 | 6. MAINTENANCE AND SUPPORT
1. The proposer shall expect to provide support, maintenance and optimization for future OS releases. | Full
2. The App shall always be fully functional on the latest version of the OS of supported platforms as new OS versions are released. | Full
3. The proposer shall be responsible for releasing updates through the relevant app stores.
| Full
4. Any planned preventative maintenance of the solution shall be scheduled in advance with ECRTA. | Full
4.7 | 7. SECURITY
The entire solution (including the App, interfaces, business operations, hardware, applications, and physical security) shall be and remain compliant with the latest version of the PCI DSS. | Full
Service Management Process
1. The awarded proposer shall provide an account manager who shall be ECRTA’s main contact. | Full
2. The proposer shall expect to provide on-going support directly to ECRTA. | Full
3. In the event of a disaster, “normal service” should be resumed within a period not greater than 12 hours. | Full
4. The proposer shall expect to record and report on performance against the agreed services levels on a determined basis by ECRTA. | Full
4.8 | 8. SYSTEM HOSTING
The proposer shall expect to host the solution within a suitable secure data center located within the United States that will provide the resilience to ensure they meet the required service levels and availability detailed in this section. | Full
1. System Availability:
a. The solution shall be operational 24 hours a day, seven days a week. | Full
b. All supplier provided system components shall have an agreed minimum overall availability of 99%. | Full
2. When any aspect of the solution is unavailable and preventing rider functionality, a clear and relevant error message shall be displayed to the rider. | Full
3. ECRTA should be notified of system wide outages and other problems affecting the functionality of the App so ECRTA can also inform riders. | Full
4.9 | 9. MARKETING
The proposer shall provide ECRTA with design and templates for the following marketing collateral. The marketing collateral does not include any printing or production costs. | Full
a. Posters | Full
b. Digital ads including but not limited to social media | Full
c.
Printed ads | Full
d. Inserts | Full
e. Cards | Full
f. Bus Cards | Full
g. Brochures | Full
h. Marketing materials for the launch day | Full
4.10 | 10. PROJECT MANAGEMENT
1. The proposer will be responsible for developing and maintaining a detailed project plan and associated detailed schedule demonstrating the project will be fully delivered within the timeframes specified by ECRTA at the time of award and contract. | Full
○ The schedule should show the interdependencies between deliverables, activities, milestones and resources. | Full
2. The proposer will hold regular project progress meetings with ECRTA at a frequency, format, and location to be agreed upon by ECRTA. | Full
3. The proposer will provide ECRTA with a release management process that shall be used to ensure that all releases to the hardware or software environment, both during testing and after implementation, are being correctly controlled by both the proposer and its partners. | Full
4.11 | 11. TRAINING
1. The proposer will provide adequate experienced training resources to support the ECRTA in producing employee training materials. | Full
4.12 | 12. ADDITIONAL SALES FUNCTIONALITY
Mobility-as-a-Service (MAAS) Applications
1. The proposer will have the ability to offer a solution for both iOS and Android operating systems that would allow ECRTA mobile ticketing services to be embedded within select third-party applications. | Full
4.12.1 | Rider Customer Web Portal
1. The proposer will supply an ECRTA branded rider web portal accessible to ECRTA riders available through all modern desktop and mobile web browsers. | Full
2. Rider Customer Web Portal shall enable riders to:
○ Create/register for an account. | Full
○ Purchase tickets to: | Full
■ Print at home | Full
■ Push to mobile device | Full
○ Manage smartcards. | Full
3.
Riders shall have the ability to purchase tickets with credit, debit, and pre-tax benefit cards. | Full
4. Riders shall have the ability to review past transactions and ticket usage. | Full
5. Riders shall have the ability to remove/add funding sources. | Full
6. Riders shall have the ability to request receipt resend. | Full
7. Riders shall have the ability to load/top up stored value to an account. | Full
4.12.2 | Point of Sale
1. The proposer will provide a solution to give ECRTA the ability to use the platform in an ECRTA ticket counter as a browser accessible portal. | Full
2. ECRTA shall have the following functionality:
a. Control secure access to the portal. | Full
b. Accept all payment methods: cash, credit, debit, and pre-tax benefit cards. | Alternative | Using the proposed browser accessible portal, the agency can accept payments using their existing infrastructure and record which payment method was used via the portal for reporting purposes.
c. Print paper tickets. | Alternative | The Justride Vendor Ticketing API provides an endpoint for devices and systems to request one or more one-time use barcodes that can be printed onto paper-based media. Each issued barcode is recorded in the Justride platform including to which Vendor or channel the barcode was provided to. In addition, the Justride Vendor Ticketing API provides a means of generating single-use barcodes with long life validity periods in a batch that can be distributed to authorized vendors or even allow the vendors to request barcodes directly. Justride provides the means for ECRTA to control access to the APIs per Vending partner and track against each ticket issued to the vendor and sale channels.
d. Distribute smartcards that are associated to a rider’s account. | Full | Available H1 2021
e. Add value for SVA.
Full Available H1 2021 4.12.3 Post Retail Distribution 1. A static ticket retailing solution will be provided to allow ECRTA ticket counter employees to sell paper barcode tickets. Alternative Justride provides a set of APIs to facilitate the sale of fare products from Point of Sales including printed barcode tickets. 2. The static ticket retailing solution will include a web or API based interface to facilitate ECRTA ticket window employees selling paper barcode tickets. Full A set of APIs is available for facilitating paper barcode tickets being sold at a ticket window. 3. The static ticket window retailing solution will include support for a printer for outputting paper barcode tickets. No comply Justride offers APIs at this time that can be used to generate barcode tickets. 4. Paper barcode tickets issued and printed by the static ticket retailing solution are securely generated, immediately usable, and scannable by the same validation solution as mobile tickets. Full 5. The web-based retailing interface should be compatible with a mainstream modern web browser such as Google Chrome or API based. Full 6. Access to the ticket retail interface support solution shall be secure, with https transport security and user authentication permitting only authorized ECRTA employees or authorized 3rd party sales agents. Full 7. Tickets sold through the static ticket window retailing solution will be tracked against the retailing employee. Full 40    DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 Eagle County Regional Transportation Authority - Transit Mobile Fare Payment System  8. APIs must be available to allow 3rd party retail networks and outlets to sell and print ECRTA secure barcode tickets. Full 9. The ticket APIs will return a barcode that can be printed on paper stock by 3rd party retail networks/outlets. Full 10. Tickets sold via the APIs will be tracked against the 3rd party retailer: a. Retail Network identifier Full b. 
Retail Organization Identifier Full c. Terminal Identifier Full d. Merchant identifier Full    41    DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 Eagle County Regional Transportation Authority - Transit Mobile Fare Payment System  3. D​ESCRIBE​ ​THE​ ​RIDER​ ​EXPERIENCE​ ​FOR​ ​DIFFERENT​ ​PHASES​ ​OF​ ​A​ ​BUS​ ​RIDE​ ​WHICH​ ​INCLUDE​ ​TRIP  PLANNING​, ​BOOKING​, ​PAYMENT​ ​VALIDATION​, ​TRIP​ ​UPDATES​ ​AND​ ​POST​-​TRIP​ ​SURVEY  Trip Phase Rider Experience  Trip Planning The customer pulls out their phone and taps Transit’s Instant Trip  Planner button, which knows their regular destination based on time of  day and the user’s saved Favorite Locations.  The first suggested trip combines two Eagle County bus routes. The  customer taps the first suggestion and taps “GO” to receive intelligent  trip instructions. Based on the arrival prediction of the vehicle and the  walking distance to the nearest stop, it tells her to leave in 3 minutes.   Booking The customer remembers they need to top-up their stored value for  Eagle County, so they add $20 to their Transit account. Transit GO  sends a second Push notification telling them to depart.   Payment Validation Thanks to vehicle-location and arrival-prediction information, the  customer only needs to wait a minute at the bus stop before boarding  and scanning their phone’s validation QR code in Transit, which  automatically deducts a one-ride charge from the customer’s account.  Trip Updates While on the bus, the customer receives another GO Push notification  when they are one stop away from the transfer point. At the transfer  point, they scan their phone again to deduct a residual fare to pay for a  ride on a Premium bus route. If the customer were to ride a third route  later in the day, they will be charged no more than a 1-day unlimited  pass for Premium bus routes.   
Post-Trip Survey | The customer has enrolled in the Customer Feedback program, and so taps a link in Transit’s Settings page to rate their day’s journey.

4. DESCRIBE PROPOSED SYSTEM ARCHITECTURE

Justride delivers Fare Payments as a Service - a fully featured AFC platform delivering as much or as little functionality as is required to many transit agencies from secure and scalable shared cloud hosting. Masabi handles day-to-day operational IT concerns, such as ensuring the platform can sustain peak load, resist cyber attacks and conform to data privacy laws, and provides comprehensive training and support.

Masabi has, through its approach, helped to revolutionize the industry, bringing its solution to agencies of all sizes, quickly and cost effectively. Masabi was at the forefront of providing powerful configurable solutions to agencies on a pay as you go (subscription) basis.

Here are just some of the benefits associated with Fare Payments-as-a-Service:
● Multi-Tenant Fare Payments Platform: Each agency uses the same platform configured in different ways for their needs. This makes it far more cost-effective (costs are amortized across all customers), as well as being quick to deploy and constantly being updated (one update and everyone using the platform benefits). The key thing here is that the platform is multi-tenant.
● Constant Updates: With a fare payments platform new updates are delivered regularly, meaning all agencies on the platform get shiny new functionality enabling them to keep up with the pace of technology change.
● Mobility-as-a-Service Enabled: Fare payments platforms help enable Mobility-as-a-Service (MaaS) for public transit through SDKs and APIs linking tickets, fares and payments with other best-of-breed MaaS services.
Agencies can also deploy Account-Based MaaS via Account-Based fare payments capabilities. This enables passengers to use a stored value account to tap across multiple operators, with passengers being charged ‘best fare’ post their journey.
● Open Integrations: An open API architecture means fare payment platforms can link to existing (or new) systems and connect with other best-of-breed services. This helps make deploying fare payment platforms easier and allows the platform to connect with existing or new services, as required.
● Account-Based Ticketing Experiences: FPaaS platforms deliver tickets to riders but they should also enable the latest innovations for agencies by enabling account-based ticketing using mobile phones, smartcards (NFC) or contactless bank cards (cEMV) – meaning riders no longer need to buy a ticket or understand fares to travel. The ultimate convenient passenger experience.
● Future-Proof Roadmap: With a roadmap of new features and capabilities, a platform approach takes the complexity out of fare payments and allows experts to guide agencies on their ticketing journey, allowing them to concentrate on what they do best, providing safe, reliable and convenient journeys for riders.

The Justride platform makes use of a service-oriented architecture to deliver high performance, high resilience flexible ticketing service – shown at a high-level below:

Masabi maintains best-in-class uptime using an elegant hosting design based on Amazon’s AWS cloud hosting products, featuring multi-availability zone redundancy on all components where each availability zone is a fully independent geographically discrete building with separate electricity supply, cooling and internet connection.
As shown in the diagram above, traffic comes into redundant Elastic Load Balancers, which split the traffic to a redundant set of servers in different zones running the lightweight Nginx web server. These act as a routing layer, directing requests on to the appropriate service.

Each service then has its own redundant Elastic Load Balancers, which split traffic for that service across multiple servers in different zones. The ELB will detect when a single service is unresponsive, tearing it down and replacing it with a brand new server running the same service without any manual intervention.

All databases within the system also offer multi-zone redundancy using Amazon’s RDS product, offering a master/slave database pair where an unresponsive master can automatically be swapped out for a slave containing identical data. In a number of services, additional read replica databases are used to segregate heavy read load from impacting updates to the master data.

The diagram below explains both the redundancy across discrete zones for an individual service and the ability to auto-scale to meet demand:

Uptime is tracked for SLA conformance using Pingdom, an independent 3rd party tool that calls health checks on each service from multiple geographical locations around the world every minute. Alerts are sent to the 24/7 support team if any health check fails, for immediate attention.

5. DESCRIBE FRAUD PREVENTION AND DETECTION FEATURES OF THE PRODUCT.
Visual Validation

Masabi has spent over a decade working with conductors and revenue protection staff, including multiple user experience sessions to develop the visual validation technology, during which some key points were learned that help to make mTickets easy to validate:
● Use familiar layout & symbols: minimizes training, and avoids staff needing to mentally task switch when riders have a mix of paper and mobile tickets.
● Block common fraud: still & video screengrabs, replica apps, phone clocks being changed, etc.

A number of mobile ticketing apps on the market fail to follow these lessons, favoring fancy animated graphics over practical ticketing that is easy to visually confirm and difficult to replicate. Masabi’s view is that these are gimmicky, and can be replicated flawlessly by hackers in very little time. A simple color or image of the hour/day is easily copied by riders shoulder surfing or deliberately sharing, and it is very simple to replicate even the most complex graphics and animation in a fake app – as occurred in Toronto where their mobile tickets were cloned within a few days of launch.

Uniquely, Masabi tickets incorporate a visual watermark of animated elements following a cryptographically derived unpredictable sequence of colors, which can be used by staff to confidently and quickly determine the authenticity of tickets without barcode scanning.

The fundamental tri-color bar mechanism displays the same three colors across all active tickets at any given point in time.

The inspector will see a continuous but changing sequence of colors on valid tickets, and will immediately be able to spot any ticket that is wrong because the colors will not follow the sequence and will be different from all other tickets referentially, e.g.
because the clock has been deliberately changed or the sequence shown is a recording of an earlier ticket.

The colors also pulsate and the handset’s current time scrolls over the colors, further making it difficult for fraudulent use of static or video screen-grabs.

Color sequences make use of a time-based pRNG sequence combined with random binary seeds, rotated regularly over time, which are attached to ticket data in a secure obfuscated way to enable offline ticket usage – essential in a transit situation.

Because colors blend over time, the system is tolerant of legitimate small differences in users’ clocks (i.e. a minute or two early or late) and differences in screen color rendering – the conductor/inspector just looks for the glaring differences. The underlying keys driving the colors are changed regularly to minimize fraud potential.

To prevent riders delaying activation until they see a conductor, in the hope that they may not be checked, tickets can be configured to show a countdown after activation that instantly indicates to the conductor that something suspicious may be going on. This can ensure full compliance with activation rules even in very crowded rush hour conditions.

Electronic Validation with Justride Inspect

To take advantage of the full range of Fare Media outlined above, some form of electronic validation is required - for Account Based Ticketing the validation tracks where and when a user moved through the system to drive back office fare calculations, while for mobile ticketing the validation ensures that a ticket purchased for a specific type of journey is used to make that journey, and is not re-used more times than allowed. Deployments which only offer mobile ticketing can instead make use of Justride’s market leading visual validation system.
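The time-based color watermark described under Visual Validation above can be sketched as follows; this is an added example, not Masabi's algorithm or code. It assumes HMAC-SHA256 as the keyed generator, a 120-second color window, linear blending between windows and a per-channel tolerance of 40, and the seeds are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 120  # assumed length of one color window
TOLERANCE = 40      # assumed per-channel gap an inspector would not notice


def _window_colors(seed, window):
    """Three RGB colors for one time window, derived from the secret seed."""
    digest = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    return [tuple(digest[i:i + 3]) for i in (0, 3, 6)]


def colors_at(seed, unix_time):
    """Tri-color bar for a clock reading, blended between adjacent windows.

    Blending makes the bar a continuous function of time, so a clock that is
    a few seconds off shows almost the same colors as the reference.
    """
    window, offset = divmod(int(unix_time), STEP_SECONDS)
    frac = offset / STEP_SECONDS
    current = _window_colors(seed, window)
    following = _window_colors(seed, window + 1)
    return [
        tuple(round(a + (b - a) * frac) for a, b in zip(c0, c1))
        for c0, c1 in zip(current, following)
    ]


def max_channel_gap(bar_a, bar_b):
    """Largest difference in any R, G or B channel between two bars."""
    return max(
        abs(x - y)
        for color_a, color_b in zip(bar_a, bar_b)
        for x, y in zip(color_a, color_b)
    )


def looks_consistent(reference_bar, shown_bar):
    """True when a shown bar is within tolerance of the reference bar."""
    return max_channel_gap(reference_bar, shown_bar) <= TOLERANCE


if __name__ == "__main__":
    seed = b"constructed-seed-A"  # constructed sample seed
    now = 1_700_000_000           # constructed sample time
    reference = colors_at(seed, now)
    for label, bar in [
        ("clock 5 s fast", colors_at(seed, now + 5)),
        ("recording from 1 h ago", colors_at(seed, now - 3600)),
        ("ticket with a rotated-out seed", colors_at(b"constructed-seed-B", now)),
    ]:
        print(label, "consistent" if looks_consistent(reference, bar) else "MISMATCH")
```

With these parameters a 5-second clock difference can move any channel by at most 12, well inside the tolerance, while a replayed recording or a stale seed produces unrelated colors.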
Justride has a flexible validation system that can work across a wide range of transit modes and fare enforcement schemes, based on open platforms that avoid vendor lock-in:
● Inspect handheld can be used for manual inspection by Fare Enforcement staff.
● Justride Validators are available in on-vehicle or platform/on-street configurations.
● Inspect software is also available on open devices such as the AccessIS Val100.
● Several options are available for integrating Inspect logic into other third party validators and gatelines.

Inspect software works on an “opportunistically online” model, delivering maximum security by continuously synchronizing with the Justride back office while maintaining a local database of ticket and account validity that enables rapid validation decisions, even when the validator is offline - as inevitably happens in vehicles moving around an urban environment.

Justride has been designed as a multi-tenant platform that allows agencies to deploy agency-specific environments of the platform, configured to meet their individual fare collection needs. Masabi’s Justride solution supports multiple transit agencies and can support options such as ECRTA’s route based tariffs. In addition, Masabi, through its platform, can support transfer tickets, which enable passengers to transfer from one agency's mode of transport to another, and can support the creation of additional transit related products such as event admission and special-event ticketing, most frequently limited-time (and often specially priced) tickets for travel to the event. Examples include travel to New England Patriot games in Boston, Los Angeles Dodger games, and travel to the recent US Open golf in New York. These special fare products are configured in the Justride tariff in the same way as any regular fare.
For convenience, it is possible to define these special fare products in separate files, avoiding the need to amend the regular tariff.

All taps and scans that occur while the device is offline are stored and forwarded to the back office once the unit regains a connection, ensuring no data is lost and the back office is kept continuously updated in near real-time.

QR/barcode validation verifies a cryptographic signature from the server, evaluates the ticket-specific rule data that was signed inside the payload, and then for limited use tickets checks whether the ticket has been seen before - all of which can be handled rapidly and reliably offline.

Masabi Validators

The Justride Validator (JRV) is a fully Masabi-designed open validation device, leveraging Masabi’s significant experience of onboard vehicle validation hardware and software; it is designed to provide unparalleled functionality in a robust format, at a highly affordable price point.

The JRV can accept MIFARE smart cards and Ultralight tickets, QR/Aztec barcodes on mobile devices or paper, and Contactless EMV payment cards all in a PCI PTS and EMV Level 1 & 2 certified unit.

The JRV is a pole-mountable device compatible with all commonly found pole diameters in vehicles, mountable vertically or horizontally, with a forward-facing large color screen for displaying completely customizable passenger feedback. It possesses the necessary onboard storage, processing capability and connectivity options to support any scale of deployment, and comes complete with various wired and wireless network interfaces to allow for flexible data connectivity. The JRV is an open hardware platform, internally running the Linux OS on standard processors and storage cards; on contract expiry Masabi can optionally provide an OS + driver build chain.
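The QR/barcode validation order described above (server signature, then the signed rule data, then the seen-before check for limited use tickets), together with store-and-forward of offline scans, as an added sketch that is not Masabi's code. The barcode layout, field names and `upload` callback are hypothetical, and HMAC-SHA256 stands in for the server signature so the example runs on the standard library alone; with an asymmetric signature the validator would hold only a public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for the server signature: it means
# the validator holds the signing secret, which a public-key scheme avoids.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_ticket(ticket_id, not_before, not_after, max_uses, key=DEMO_KEY):
    """Back-office side (hypothetical format): rules are signed inside the payload."""
    body = json.dumps(
        {"id": ticket_id, "nbf": not_before, "exp": not_after, "max_uses": max_uses},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


class OfflineValidator:
    """Validator side: decides locally and queues every scan for later upload."""

    def __init__(self, key=DEMO_KEY):
        self._key = key
        self._uses = {}    # local database: ticket id -> accepted scans so far
        self.pending = []  # scan events waiting for a connection

    def scan(self, barcode, now):
        decision = self._decide(barcode, now)
        self.pending.append({
            "time": now,
            "barcode_sha256": hashlib.sha256(barcode.encode()).hexdigest(),
            "decision": decision,
        })
        return decision

    def _decide(self, barcode, now):
        try:
            body_b64, tag_b64 = barcode.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:  # wrong shape or bad base64 padding
            return "REJECT_MALFORMED"
        # 1. Signature first: nothing in the payload is trusted before this.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "REJECT_BAD_SIGNATURE"
        # 2. Rule data that was signed inside the payload.
        rules = json.loads(body)
        if now < rules["nbf"]:
            return "REJECT_NOT_YET_VALID"
        if now > rules["exp"]:
            return "REJECT_EXPIRED"
        # 3. Limited use tickets: has this ticket been seen before?
        used = self._uses.get(rules["id"], 0)
        if rules["max_uses"] is not None and used >= rules["max_uses"]:
            return "REJECT_ALREADY_USED"
        self._uses[rules["id"]] = used + 1
        return "ACCEPT"

    def sync(self, upload):
        """Forward queued events in order; `upload` (hypothetical) returns True
        once the back office has acknowledged an event. Unsent events are kept."""
        sent = 0
        while self.pending and upload(self.pending[0]):
            self.pending.pop(0)
            sent += 1
        return sent


if __name__ == "__main__":
    validator = OfflineValidator()
    ticket = issue_ticket("T-1", 1000, 2000, 1)  # constructed single-ride ticket
    print(validator.scan(ticket, 1500))          # first scan
    print(validator.scan(ticket, 1501))          # same barcode shown again
    print(validator.sync(lambda event: True), "events forwarded")
```

The seen-before check here is local to one validator; a ticket shown to two offline validators is only reconciled once both have forwarded their queued events.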
As an alternative Masabi offers the vertically mounted AccessIS Val100 on-board validator, which uses the same software to validate a similar range of fare media, and Ethernet connectivity for AVL plus Justride back-office communications. Masabi co-developed the Val100 with AccessIS, and as an open device it is also supported by other vendors.

Example deployments: JRVs are installed at Rochester RTS, NY and Pittsburgh PAAC, PA. AccessIS Val100s are installed in multiple locations including Las Vegas RTC, NV and Calgary, Canada.

Benefits of deploying the JRV
● Cost Effective - The JRV is available for a fraction of the cost of other multi-format ready devices on the market.
● Multi-format - Enabling the reading of all major ticketing formats including contactless bank cards (cEMV), smart cards (NFC) and mobile and paper barcodes. BluetoothLE is already included should it become a desirable medium in the future.
● Flexible and Scalable - The JRV possesses the necessary onboard storage, processing capability and connectivity options to support any scale of deployment.

Technical Specifications

Area | Description

Accepted Fare Media
● NFC (ISO14443/MIFARE) (2 SAM Slots available)
● QR and Aztec barcodes
● Contactless Bank cards

Certifications and Standards
● EMV Level 1 and 2 Compliant with support for MasterCard, Visa, American Express, Apple Pay and others.
● PCI PTS v4 Compliant
● FCC Class B
● Working with RNIB to improve the accessibility of the device;
● Accessible Design according to 2010 ADA Standards
● Enclosure flame-retardant according to UL 94 V-0 and EN 13501-1
● IP55 (IP rating for installed Electronic Enclosure)

Connectivity
● Ethernet, RS-232, RS-485, CAN Bus and J1708 support
● Built in GPS

Pole mounting
● Vertical or Horizontal (with optional stanchion)
● Suitable to mount on a wide range of bus poles including diameters of 1”1/2, 1”1/4 & 35mm

Temperature Ranges
● Operating Temperature: -20°C to +50°C
● Storage Temperature: -30°C to 70°C

Dimensions
● 324mm (H) x 115mm (W)

Weight
● 1.64Kg

Further Technical Specifications
● 3.5” colour LCD display
● Auditory feedback
● Working up to 95% relative humidity
● Max. 20 W input power

Validator Management

All validators sold by Masabi, including the JRV and Val100, automatically boot up and connect to the Justride back-office when powered on, synchronizing up-to-date configuration without any driver interaction. The Inspect software application and the underlying Linux Operating System it runs on can be remotely updated in a safe and reliable manner using a dual boot mechanism, to fix bugs and apply security patches in the field.

Inspect devices send back a wide range of telemetry data. The Hub back-office UI identifies problematic validators, firing alerts and graphing telemetry data to enable rapid fault diagnosis. Maps allow validator locations to be monitored in real-time or viewed as historical location animations.

Automatic Vehicle Location (AVL) Integrations

Justride can attach route and stop information from the vehicle’s AVL to validation events.
If this is required to drive fare engine calculations then for reliability and accuracy this should be done on-vehicle, direct from the local AVL; this integration will be dependent on the CAD/AVL supplier. If location information is only required for management analysis then it is also possible to source it from a suitable GTFS-Realtime feed.

Masabi is proposing for ECRTA the following options for the second Phase:
● Implement PAYG based on the bus’ route without a CAD/AVL integration. This will incur no additional integration cost but is only possible if the Premium Route vehicles and regular route vehicles do not switch their route (i.e. vehicle on premium route is moved to service a regular route).
● Implement PAYG based on the bus’ route with AVL route data, integrating with the Clever Devices CAD/AVL system. This will be subject to further discussions with Clever Devices and assumes that the Clever Devices units will be using the same API version (1.4), as previously integrated by Masabi.

Automated Anti-Fraud Pattern Matching

The Justride platform features Pattern, a powerful pattern matching system that can identify specific fraudulent behaviours and immediately carry out appropriate reactions - for example blocking accounts suspected of bank card fraud, or sending out an alert when unusual ticket usage indicates a rider may be trying to share a monthly pass.

The Pattern system has been responsible for significantly reducing credit card fraud in several locations, as well as detecting instances of riders only purchasing or activating tickets when seeing a ticket conductor approaching.

6. DESCRIBE CONFIGURATION AND FUNCTIONALITY OF THE SOLUTION.
Rider Interfaces

In today’s fast changing world riders expect zero-touch interaction with public transit via their mobile phones or bank cards - and with the growth of Mobility-as-a-Service, sometimes they will expect to achieve this through the third party app of their choice rather than anything provided directly by a transit agency. At the same time all public transit must continue to serve unbanked cash riders, who will not always have mobile phones.

The Justride platform is designed to offer a wide range of cost-effective interfaces to achieve this for all demographics, delivered in a future-proofed manner - as the world evolves, so does the Justride Fare Payments as a Service platform, opening up support for the latest sales channels which all Masabi customers can make use of as they become available.

Agency Apps & Web Sites

Justride offers a wide range of mobile and web-based options for allowing riders to purchase and use tickets, from a flexible agency-branded application to a suite of APIs and a Software Development Kit (SDK) that allow Justride ticketing to be embedded inside a fully customized experience.

Running underneath all of these options is a flexible account model that allows users who want to create an explicit login to move tickets securely between devices and manage them via the web, but also allows casual users to rapidly purchase a ticket without any unnecessary sign-up. Credentials can sit inside Justride’s back-office, or can be managed externally via standard OpenID Connect authentication APIs - as for example used in Calgary Transit’s app where users log in using the city-wide Calgary MyID user registry.

Justride applications and web sites are multilingual capable if desired, and are compliant with WCAG 2 accessibility guidelines and related legislation, such as ADA in the United States and equivalents in the EU etc.
White Label Justride Application

The Justride Retail applications for iPhone and Android allow riders to purchase and use any kind of ticket or pass from their smartphone.

Masabi's tried and tested application allows secure ticket purchase in seconds and can be branded to reflect ECRTA’s visual identity and choice of colors, logos, and text. Masabi manages all fare payments, ticket delivery and security.

If configured, the mobile application can also manage a rider’s ABT travel, handling the registration of smart cards, sign up to and display of mobile QR/barcode ABT tokens, fund management inside the rider’s stored value account, viewing the rider’s ABT history and reporting lost smart cards.

Outside of the core transport functionality, the application can be highly customized to include any agency-specific content that is required. This can include embedded text, maps and images as well as links to embedded or external web sites, and 3rd party application deep links.

See: New York MTA eTix app, EZfare multi-agency app, Fire Island Ferries (deployed 23 days after contract signature).

Custom Application Built Around Justride SDK

The standard Justride white label mobile application offers an excellent ticket optimized purchase flow and ticket usage experience - however that is sometimes not enough. The Justride Retail Software Development Kit (SDK) offers a way to build a perfectly tailored iPhone and Android application experience on top of the mature, secure and robust Justride ticketing platform.

The SDK handles all interaction back to the Justride platform, and the display of any mobile tickets bought by the rider.
The SDK provides support for the app to build any style of purchase flow required, with the option to direct payments through the PCI-DSS certified Justride platform or to handle them completely independently. Riders can log in using an OpenID Connect compatible authentication system, and the SDK gives access to the account’s transaction history and (where relevant) ABT token management and history.

SDK apps can be deployed as the only mobile application for an agency, or they can be launched in addition to a Justride white label app.

See: Orleans app in France; Uber and Transit in RTD Denver (see MaaS).

Justride Web Portal

The Justride Web Portal offers an accessible and responsive web experience to purchase and manage mobile tickets, manage ABT tokens and history, add funds to stored value and manage rider accounts. It is hosted alongside the main agency website as a ‘micro-site’, offering a visually branded experience with some customisable options. Riders can sign up for new accounts, and also (if configured in the tariff) purchase print-at-home PDF tickets.

If a more customized experience is required, there are multiple options for integrating an existing or new website into Justride APIs.

See: https://tickets.metrolinktrains.com/ (includes Print At Home PDF ticketing).

Mobility-as-a-Service (MaaS)

MaaS has become a key trend in recent years, as riders are offered an ever increasing range of mobility options to complete their journeys - such as scooters, e-bikes and ride share. Masabi believes that public transit has a key central part to play in mobility, and Justride allows transit agencies to take part in MaaS with ease.
Several styles of MaaS exist: dedicated commissioned city and regional apps, global trip planning applications such as Transit, mode-specific apps such as Uber which are expanding to allow multi-modal journeys, and other MaaS pureplay options offering subscription services. Masabi is using the Justride Retail Software Development Kit (Retail SDK) to drive ‘Practical MaaS’ across all of these - enabling public transit ticketing in a wide range of applications today, so transit agencies do not have to ‘pick a winner’. Several partners sell Justride today, and more are being signed up:
● Live with Masabi customers in 18 North American cities; ABT coming soon to Rochester NY.
● Live with Masabi customers in Denver and Las Vegas, with 14 more coming soon in the US and beyond.
● Selling tickets from 4 Japanese transit agencies, with further trials planned.
● Soon to launch Justride ticketing inside MaaS applications.
● At least four more partners are planning Justride integrations

As Masabi signs up MaaS partners, transit agencies will be able to expose their tickets in any of them with a minimum of paperwork. Data from Uber in Denver RTD shows that selling RTD tickets inside the Uber app has led to a significant increase in Uber journeys starting or terminating at transit stations, helping drive ridership.

See: Transit app for journeys in Denver, CO or St Catherine’s, Canada; Uber for journeys in Las Vegas, NV or Denver, CO.

Cash Riders

Cash is a critical payment mechanism for some rider demographics, and Justride has several mechanisms to support riders who are unbanked:

Agency-Managed Ticket Windows

Agency staff can use the Justride Hub back-office to handle a range of customer service enquiries.
There is also the ability to add funds to a rider’s stored value account in exchange for cash, and issue printable PDF tickets. A full audit trail is kept of all activity carried out by users, with reporting to summarize activity for management.

Retail Store POS Integrations

Local stores can be harnessed to allow riders to top up stored value accounts using cash or cards, using Justride’s integration into the InComm retailer network. Riders show a barcode on their mobile phones to the retailer’s existing Point Of Sale (POS) system, pay for the top up, and it is automatically pushed into the rider’s transit wallet. Support is available through participating stores from the following well known retailers:

In addition, smart cards can be distributed through retailer card racks, and if printed with appropriate barcodes these cards can also be topped up through the POS system; note that there are significant lead times to organise distribution. Justride also integrates into the Payzone cash sales network in the UK.

Retail Distribution Network with InComm

Masabi has partnered with InComm, a retail distribution network whose primary business offering is in stocking and maintaining J-hook gift card racks at networks for retailers across the nation. Masabi’s partnership with InComm’s retail network will allow several primary use cases for passengers:
● Top up a mobile stored value account, using cash or card.
● Top up a rider account tied to a smart card using the smart card as the account identification token, using cash or card.
● Purchase and register new smartcards and check the balance of their existing smartcard.
Masabi is prioritizing the first of these use cases as part of its integration path with InComm, that will be available during Q3 this year, as this will afford the ability for riders to top up their mobile accounts in order to digitize cash both for the use of purchasing mobile tickets and for the purpose of ABT Pay as you Go with a mobile barcode.

Once a second integration is complete, additionally, agencies will be able to utilize the Masabi-InComm partnership to allow passengers to digitize cash as a funding source attached to smart cards as well as to manage distribution of smartcards to retailers in the network. This means riders who don’t have mobile phones or easy access to the web can still fully manage their account, leveraging hardware and software that retailers already have.

Account Based Ticketing - Pay as you Go (PAYG)

Justride is designed to be account based at the core meaning that the mobile first approach acts as a stepping stone towards a full Pay as you Go Account Based Ticketing (ABT) system. Once riders are accustomed to the platform through its mobile ticketing capabilities, the PAYG components can be enabled to enhance their riding experience.

Account Based Ticketing enables a rider to move around the transit system, securely identifying themselves during each leg of the journey (for example by tapping a card or scanning a QR/barcode), with each journey either paid for directly or authorized via an already-acquired pass.

To achieve this requires two things - riders must have some means of securely identifying themselves, and a source of funds to pay for journeys.
Justride implements a core fare engine that is totally agnostic of how identification and payment occurs, supporting a range of tokens:
●MIFARE cards/fobs
●Mobile QR/barcodes
●NFC (coming soon)
●Apple/GooglePay
●C-EMV bank cards
Funded from a Justride Stored Value Account
Funded by the payment card

In future this could easily be extended to other types of identification - CIBO/BIBO Bluetooth, facial recognition, etc - and other forms of payment, as and when they become technically feasible and desirable to riders and agencies. For example multiple recent pilot schemes have proven that Bluetooth BIBO systems can’t effectively be trusted to work reliably with many popular Android handsets, and riders without handsets are forced to use a very different ticketing system - but should ubiquitous, reliable Bluetooth appear, Justride can take advantage.

ABT enables a very simple Pay As You Go experience - the rider simply taps the identity token on a validator which ensures funds are available, and the back office calculates the appropriate fare to charge after travel. Rider equity can be guaranteed by Best Fare Finding (also known as Fare Capping) which, if configured, ensures that the rider is always charged the lowest amount defined in the tariff rules for their recent travel. This allows regular riders to benefit from the price discount of, say, a monthly pass even if they cannot afford to purchase one at the start of the month.

The fare calculations honour any entitlement to discounted travel that the rider may have - for example, riders can register as seniors or veterans and the appropriate fares will be applied.
Registered users can also view their trip history consistently across the Justride mobile app, web portal and any MaaS partner app that supports token registration such as Transit App.

Hub Back-Office
Justride is managed through a responsive web back-office called the Hub, which offers a consumer-grade user experience for securely operating the platform.

Hub functionality encompasses tariff administration, customer services handling all types of fare media, tariff setup, validation device management, reporting and analytics - all aimed at putting full management control in the hand of the transport agency.

The Hub UI adapts to multiple screen sizes and device form factors, has a range of supported languages and is fully compliant with accessibility best practices. Masabi follows the Google browser support policy and maintains on a rolling basis the current and previous major two versions of Chrome, Firefox and Microsoft Edge.

Access Control and Audit Trails
The Hub offers a granular role-based access control model, filtering the operations available to be appropriate for the type of user accessing the system. User accounts can be fully managed within the Hub in a hierarchical fashion - for example Customer Service Managers can manage their Customer Service Staff, but not other roles.

All activity carried out in the Hub, including rider searches, is fully tracked in an immutable audit trail in the Justride Data Warehouse. Daily, weekly and monthly reports are available showing all user activity, with summaries highlighting key metrics such as total refunds issued per Hub user to aid vetting for internal fraud.

Hub users can be added individually or in bulk, suspended instantly, and can manage their own accounts.
Customer Support
The Hub Customer Service tools enable agencies to handle ridership problems directly, allowing rapid access to a customer’s full history of purchases, tickets used, and payment sources including Justride stored value accounts, if available. The Hub also makes it easy to manage entitlements for discount fares for qualifying passengers, such as Seniors and Students.

When dealing with mobile ticketing customers, agents can cancel tickets, issue refunds, issue complimentary tickets, reactivate expired tickets, migrate tickets to a new mobile device, manage stored value, and more.

Agents can also manage all forms of Account-Based Ticketing for unregistered C-EMV and smart cards through to any tokens attached to fully registered rider accounts. Riders’ trip and charge histories are displayed in full, alongside the ability to rectify any problems that might occur.

Data
The Justride platform records a huge array of operational data in real-time, which is made available through multiple channels to make it easy to solve any use case.

Reporting
The Justride Hub comes configured with a default set of daily, weekly and monthly reports covering ticket sales, activation, validation, account usage, and system activity audit trails. In each area, both executive summaries and line by line data are available.

All reports are stored safely in the Hub for easy access at any time. A client is in complete control over which Hub users have privileges to access reports, and can suspend them at any time, enabling easy management of access provision to customer information.

Analytics
The Justride Hub allows at-a-glance access to key analytics on a live dashboard, giving an overview of activity updated every minute.
In addition the Justride Hub offers a range of web-based graphical analytics, providing an intuitive interface to drill down into purchases, fare types, barcode scans, card taps, application versions in use and more over any date range. The Analytics tooling is built directly on top of the Justride Data Warehouse and provides up to date, near real-time data in easy to consume graphical and tabular views, with dynamic filtering.

Data Extraction
For ad hoc analysis, direct download functionality in the Hub allows users to extract CSV files of raw data from individual Data Warehouse tables between date ranges, customising which fields are present.

In addition Justride’s DataMart APIs allow near real-time extraction of all data within the platform using RESTful APIs returning either JSON or CSV files. This is used by many agencies, such as New York MTA and LA Metrolink, to integrate Justride data into external data warehouses to obtain a full cross-channel sales view.

Finally, agencies with licences for the third party Tableau Online data analytics tool can easily obtain a live view of all Justride data, which can be used to build custom reports and data visualisations and perform any required data analysis.

Accessibility

Masabi’s Accessibility Philosophy
When Masabi first deployed the Justride platform, Masabi worked with the MBTA, the first customer to deploy the platform, extensively to ensure that the platform met the agency’s accessibility guidelines based on WCAG 2.0 and ADA requirements. Since then, Masabi has continued to work with clients to make sure that, as the platform evolves, it continues to support this user base.
Current Accessibility Infrastructure
The Justride platform was designed with WCAG 2.0 guidelines in mind and maintains a WCAG 2.0 audit on a regular basis as needed by clients and as the platform evolves. Most recently, Masabi has undertaken a more in-depth audit process with one of its customers to take into consideration additional accessibility features and is in the process of adding additional accessibility support based on feedback from this client.

Justride is currently deployed with a variety of accessibility-supporting capabilities. Justride is fully compliant with all relevant accessibility legislation across all of its global deployments. While the WCAG guidelines are not directly applicable to a standalone non-browser mobile application, Masabi has put significant effort into ensuring that the mobile applications follow all appropriate accessibility guidelines.

A summary of the existing accessibility support can be found in the table below:

| Supported Accessibility Feature | Justride Retail App | Justride Web Portal | ‘Hub’ Back-office Portals |
|---|---|---|---|
| Visually responsive text sizing | ✓ | ✓ | ✓ |
| Clearly labelled buttons and icons | ✓ | ✓ | ✓ |
| Menu for supporting content and FAQs | ✓ | ✓ | ✓ |
| Screen reader support (Android/iOS) | ✓ | ✓ | ✓ |
| Agency control of branding to select accessible colors & contrast | ✓ | ✓ | ✓ |
| Agency control of page set-up to select an accessible configuration | ✓ | ✓ | ✓ |
| Support of unbanked riders | ✓ | ✓ | ✓ |
| Support of riders without a smartphone | ✓ | ✓ | ✓ |
| Zoom support and magnification | ✓ | ✓ | ✓ |
| Motion animation control | ✓ | n/a | n/a |
| Color filters and color inversion | ✓ | n/a | n/a |

Ongoing Commitment to Accessibility
Masabi is committed to the continuous improvement of its accessibility support and applies its agile development methodology to this area with a regular cadence of reviews and updates to its deployed
applications. Additionally, Masabi commits to listening to any agency feedback on accessibility where the agency does not feel the provided solution can reach the high standards suitable for their riders. For example, in a recent deployment, a client identified areas of improvement. Masabi underwent a robust analysis process in coordination with this client and has already deployed an updated version of the application reflecting these necessary changes. As a SaaS platform with a central multi-tenanted architecture, all agencies will now benefit from these accessibility updates. Masabi’s bi-weekly software releases allow new accessibility updates to be quickly deployed for the benefit of agencies and their riders.

7. DESCRIBE PROCEDURES TO ADD NEW FARE PRODUCTS.
A. Masabi’s tariff configuration layer offers a great deal of flexibility, able to accommodate everything from simple flat fare to complex models. The same tariff configuration layer is used by multiple Masabi customers across the world. The following is a small subset of Masabi’s tariff configuration capabilities:
●Validity period - the length of time a ticket can remain in your wallet without being used
●Activation Duration - length of time the ticket remains active for after the first activation
●Purchase restrictions - limit the ticket availability, to restrict sales of a pass towards the end of the pass validity period. For example, one can restrict purchasing a “calendar” monthly ticket towards the end of the month.
●Entitlements - identify entitlements and their associated business rules
●Day-start - this will offset the start of the day by a configurable number of hours - this is useful if the transit property has a day which starts at 4:00 AM and goes on until 2:00 AM the following day.
B. To address the specific product types required:
●Fare products are defined within the Justride tariff configuration which can be managed directly by ECRTA Transit staff. A product can be defined as single-ride with a time-limited validity, such as 90 minutes, and purchased using the following process:
  ○Support the change to a different time value for single ride fares, e.g. from 90 to 105 minutes. Adjusting the validity of single ride fares would involve the following steps (assume the fare product is configured as above):
    ■Edit the row in the tariff spreadsheet relating to the fare product so that the “activation duration” field is set to 105.
    ■Upload the new tariff to the Justride server using the user interface provided by the Justride Hub.
    ■Swap the new tariff with the existing one using the user interface provided by the Justride Hub. All tickets sold after this point will have the new validity period.
  ○Support weekly pass products. A weekly pass product could be configured in a number of different ways, including:
    ■Purchasable in advance, held ready for use in the ticket wallet for, say, 60 days, and usable for unlimited rides for 7 days from the day of activation; or
    ■Valid for unlimited rides for 7 days from the day of purchase; or
    ■Aligned to a particular day of the week (e.g. Sunday), with rules about the week for which the pass is being purchased (e.g. buy Sunday-Tuesday: current week; buy Thursday-Saturday: next week).
  ○Support fare cap products, where users pay for a definable number of single rides in a calendar month, after which additional rides are not charged.
    ■Fare capping is not available for pre-purchased products.
However, it is available in the Account Based Ticketing extension, as described in “Account Based Ticketing - Pay as you Go (PAYG).”
  ○Support Low-Income fare for approved customers. The Justride Platform supports a virtually unlimited range of eligibility products which once created can be used to provide discounted tickets to those in need.
  ○Support Senior Citizen fare for approved Senior Citizens. A separate fare product for Senior Citizens can be defined in the tariff, with its own rules and prices.
  ○Support the creation of other agency or group transportation programs.
    ■The Justride platform includes the Partner Portal - a secure, dedicated web portal based on the Justride Hub that enables both agency staff and staff of partner organizations (e.g. corporate or social services organizations) to issue tickets to their users (employees or clients) either individually or in bulk/groups.
●By default, all customers are eligible to purchase a product. A single-ride ticket can be activated only once, but it can be configured so that it can be positively validated by the OBV or PV only once or multiple times during the activation window.
●A monthly pass is defined in the Justride tariff as a multi-use ticket with the appropriate validity period (typically one calendar month or 30-31 rolling days, as required by the transit customer). Once activated by the rider the pass will remain active throughout the validity period.
●Discounted products (e.g. youth, senior, military) can be defined in the Justride tariff. By default, all customers are eligible to purchase all products. Discounted products can be made available to riders with eligibility checked by ECRTA Transit customer services staff if configured. Where more control on the availability of discounted products is required, discounted products can be hidden from customers who have not been granted the appropriate entitlement.
The OBV will emit a different tone when a discounted ticket is presented if these are included in the tariff.

C. The Justride platform offers several options for granting an entitlement:
●Via Customer Services - a customer can call Customer Services to request entitlement, and if the agent accepts that request the agent can grant eligibility using the Justride Hub.
●Via the mobile app - the Justride mobile app can be configured to provide a page into which the customer can enter their eligibility details. These are sent to the Justride server and the eligibility is automatically granted. The eligibility details are added to every discounted ticket purchased by the customer so that they can be checked if the ticket is inspected by ECRTA’s staff.
●Via the mobile app with an automated eligibility check - the customer enters their eligibility details into the mobile app, as in b) above, but the Justride server makes a real-time call to a web service provided by the agency to check that the details are valid. If the web service replies in the affirmative, then the eligibility is granted.

8. DESCRIBE PLAN FOR UPGRADING SMARTPHONE APPLICATIONS IN THE FUTURE.
The ECRTA Justride app will be available for free download from the Android and iOS app stores. Riders can download the app and immediately begin to purchase their tickets by either registering for an account or traveling as an un-registered user. The apps are developed using the most appropriate methods of development available to provide both a great rider experience and flexible customization options.

The Justride app is a hybrid Cordova application using HTML and JavaScript to power the user interface and depends on the Justride retail SDK for core functionality.
The Justride retail SDK manages communication with the Justride platform, secure storage and ticket lifecycle. The SDK is fully-native and developed using Java, Objective-C, Kotlin and Swift as appropriate for each platform.

Support is regularly reviewed as new versions of both operating systems are made available to ensure that the application continues to function on the latest versions. Support is maintained for the current and previous two versions at a minimum on iOS and for the most used versions on Android.

HOSTING

1. PROVIDE A SERVICE LEVEL AGREEMENT, INCLUDING TIERS OF SERVICE, RESPONSE TIMES, AND STANDARD METRICS.
Masabi has provided its standard SLAs in appendix E along with its standard SaaS terms. Please see tiers of service and response times along with some standard metrics below.

2. DESCRIBE DATA CENTER AND STORAGE FACILITIES.

Cloud Native - Resilient and Scalable
Masabi operates Justride as a hosted multi-tenant cloud native service - one version of the software platform handles all agencies within a given region, with configuration determining which features each agency offers. The platform has been built to make use of the very latest cloud development tools and support services - it is not simply legacy software that happens to be hosted on Amazon. This accelerates development and delivers huge performance benefits.

Justride maintains best-in-class uptime using a service-oriented platform architecture focused on efficiency and scalability. It makes maximum use of Amazon’s AWS cloud hosting products, featuring multi-availability zone redundancy on all components, where each availability zone is a fully independent geographically discrete building with separate electricity supply, cooling and internet connection.
Individual services use a range of strategies to achieve redundancy, based on their workload. Frontline high volume services make use of Application Load Balancers and auto-scaling containerisation to ensure they can withstand peak rush hour load, with multi-zone redundancy in the managed RDS databases which offer master/slave realtime replication and failover. The Account Based Ticketing services make use of an Amazon Kinesis event streaming backbone and efficient horizontally scalable components to manage unlimited load of incoming taps and fare calculations efficiently. It makes use of an optimized DynamoDB data architecture which yields guaranteed millisecond access times for unlimited data volumes with automatic multi-zone replication.

Load tests are run on all core systems prior to a new release, ensuring that they can handle multiples of observed worst case peak load over an extended duration, based on real life usage profiles.

The diagram below explains both the redundancy across discrete zones for an individual service and the ability to auto-scale to meet demand:

All services within the system have real time monitoring, and alerts are sent to the 24/7 support team for immediate attention if any health check fails. In an ultimate disaster scenario, the automated deployment framework can recreate an entirely new version of the entire platform on fresh servers in a matter of days, guaranteeing that all security configuration is applied correctly.

By using AWS as the hosting platform, Masabi leverages the world-class facilities and security they provide. Amazon provides extensive documentation and certification on security, and specifics on physical security with respect to the data centres.

3. DESCRIBE SECURITY CAPABILITIES OF THE PROPOSED SYSTEM, INCLUDING FIREWALLS, BACKUP STORAGE, AND ANTIVIRUS SOFTWARE ENCRYPTION.

Platform Security
The Justride platform is fully PCI DSS level 3.2 certified for unlimited transaction volumes, formally audited with manual penetration tests on an annual basis and assessed by Masabi’s QSA on a monthly basis.

All releases into the live environment are accompanied by formally tracked code reviews, static analysis and a full suite of vulnerability scans. All Masabi staff are trained frequently in PCI requirements, including development training that encompasses the latest OWASP top vulnerability list and other appropriate sources of security information.

All databases holding sensitive customer data are encrypted at rest. Data resides within Masabi’s firewalled Virtual Private Cloud in Amazon AWS, with live redundant copies across multiple locations and daily offsite backups. All connections to Justride servers - via API or through the Hub UI - are HTTPS conforming to the latest TLS 1.2 protocols, ensuring secure transit of all personal data, and authentication is managed using asymmetrically signed secure JSON Web Tokens. Passwords are all stored as SCrypt hashes.

First level of protection for the operating platform is hosting in AWS itself and leveraging services such as AWS Shield and AWS Inspector. Secondly, internal to the configuration of the platform Masabi has NGinx configurations for rate-limiting and traffic throttling that protect against certain forms of DoS attacks. Thirdly, Masabi utilizes AlertLogic for intrusion detection and other attack detection.

All machines used within Masabi, no matter what they are used for, have continuous automated scanning for viruses and suspect activity. Further, deployment packages are scanned for any signs of attached viruses or unexpected code or attachments before deployment.
This is all part of the PCI compliance practices Masabi undertakes.

Masabi’s adherence to the strictest security rules should provide confidence that all data will be handled with appropriate care and that Masabi’s internal processes are sound.

Data Privacy
Data privacy has been built into Justride from the start: minimal Personally Identifiable Information (PII) is requested to reduce the potential for problems, and effort is made to store data in an anonymized format wherever operationally viable. Conformance to all relevant data privacy laws is maintained, and all hosting regions are maintained to the strictest applicable global privacy standard to the extent possible under local law.

All new features which store additional data fields or reuse existing data in a novel way go through a Privacy Impact Assessment to understand the impact the changes will have on privacy and ensure that designs incorporate best practices and avoid security holes.

A policy document is maintained indicating how to respond to individual rights requests - such as GDPR’s right to be forgotten and right to data portability - and this is shared with support staff. Masabi also maintains a Data Inventory document tracking which PII is stored in what parts of the system for what purposes; this document is available on request.

Data for every customer remains the property of that customer - Masabi acts as a Data Processor on behalf of the agency customer, who is the Data Controller. Each customer’s data is fully segregated from every other customer, and rigorous automated testing ensures that there is no way for data to pass between customers.
Masabi has not had a data breach, but if one were to occur all impacted agencies would be informed within 48 hours using appropriate channels agreed with Masabi Account Manager during the on-boarding process.

4. DESCRIBE CHANGE MANAGEMENT, UPGRADE, AND PATCH MANAGEMENT POLICIES AND PRACTICES. DESCRIBE SYSTEMS ADMINISTRATION/MANAGEMENT CAPABILITIES INCLUDING MONITORING OF PERFORMANCE MEASURES, INTRUSION DETECTION, AND ERROR RESOLUTION.

Change Management
Scope changes will be managed through the Masabi change control process. This will be fully agreed with ECRTA during the project kick-off process, but Masabi’s general approach to Change control is:
I. Identify the nature of change
II. Write-up full scope of the proposed change
III. Identify alternative approaches to deliver change
IV. Undertake an impact assessment to identify the impact of change - pros and cons
  A. Impact on schedule
  B. Impact on resources
  C. Impact on capabilities
  D. Impact on other areas of non-connected delivery
  E. How/if this impacts the budget
V. Create a risk assessment
VI. Write-up findings
VII. Present findings with alternative approaches
VIII. Agree on a proposed approach with ECRTA
IX. Determine if the nature of the change can be consumed by the existing strategic product plan as an alternative strategy.

Assuming that there is a cost associated with an agreed change - Masabi will use the attached rate card to identify hourly and daily costs.

Updates and Quality Assurance
The underlying Justride server software is updated regularly, with some components being updated several times a week using an automated deployment framework. This ensures that every change is small and low risk, and can be easily and rapidly rolled back if a problem is identified.
Consequently, no customer is ever left running old and unsupported code, and software patches and up-to-date security configuration are applied regularly to all servers in an automated way that avoids manual error and omissions.

End users will see small incremental changes, in the same way that Facebook and GMail are updated slowly over time; Masabi recognizes the challenges of training staff to use business critical tools, and ensures that the rare major user interface changes that do happen can be rolled out at an agency-specific time, aligned with appropriate training.

This pace of releases can be safely managed because layers of comprehensive automated testing cover all operations in the system, including end-to-end integration tests run several times a day that will cover full system scenarios, such as installing a new app, creating an account, buying a ticket, scanning the ticket on a validator, and then confirming the ticket is marked as used in the Hub and that it can’t be refunded. The QA processes used are shown below:

5. DESCRIBE HOW THE PROPOSER WOULD HELP MOVE TO A NEW OPERATION AT THE END OF THE CONTRACT TERM OR IF THE CONTRACT IS TERMINATED, INCLUDING PROCESS FOR NOTIFYING RIDERS OF TERMINATION.
In the event the ECRTA required a move to a new operation, Masabi is in a perfect situation to facilitate this need due to the fact that Masabi has performed numerous mobile ticketing migrations onto the Justride platform (Bustang, National Express West Midlands and NICE Bus) and so has good experience in facilitating this process.

Masabi has learned through this experience that there are two areas to be considered during a migration:
1. The copying of rider accounts from one system to another, primarily for the purpose of managing the migration of unused tickets.
2. The seamless setup, onboarding, and training of the agency on the new platform. For
For  the migration of accounts from one system to another, a lot will depend on how an  incumbent supplier formats its data and is able to share with Masabi. The primary  65    DocuSign Envelope ID: 7F88C3A5-31B3-48FE-8620-DD8B167E75D3 Eagle County Regional Transportation Authority - Transit Mobile Fare Payment System  concern will be to manage tickets that are unused and lingering in system accounts.  This challenge is made more complex if the incumbent supplier allows for offline  tickets.    Addressing Migration Concerns  Masabi has two different approaches to migration that it has used in the past, depending on  suitable existing data formats, ticket types, and cooperation from the agency:    Approach 1:  ●Generate a report from the incumbent supplier identifying accounts with unused tickets  ●Agency staff manually email users requesting confirmation of their desire for an account  to be created and tickets migrated.  ●Create accounts for users using the same email address associated with the previous  account (requirement: an email address associated to the previous account).  ●Using a spreadsheet of tickets extracted from the old system, bulk issue new  complimentary ticket types to new accounts via the bulk issuance tool in the Justride  Hub.  ●Launch the new app in the app store as an updated app to the old app so that a  passenger just has to update their application in order to get the new app.  ●Turn off all ticket purchases in the old app to force users to upgrade.    Limitations to this approach:  While Masabi has some platform functions that support migration, there are certain limitations  inherent in this approach. Fundamentally, there is no way to control when users upgrade the  app, and whether users who do not upgrade the app are online. This approach will create a  copy of old tickets in the new system, but at that point two copies of the same tickets exist -  one in the old, one in the new - and they are not connected. 
An example issue this may create is that because Masabi cannot control when the user will upgrade the app, there is a risk that users who are slow to upgrade may use unactivated tickets in the old app, upgrade, and find the same old tickets available for use again for free - because new tickets were created in the Justride platform before they were used in the previous platform. Users with two devices may also upgrade their local app with some tickets left in it, use the tickets in the new app, but then use a copy of the old app on another phone to log back into their account which will still have the original tickets. These holes are difficult to intentionally discover or exploit, and will be time limited, but may well exist.

Approach 2:
●A ticket matching process could be time consuming and therefore costly; an alternative option could be for the agency to allow riders to continue using tickets on the legacy platform until they expire but prevent purchase from a certain point in time when the new app is launched.
●The new application would be launched separately.
●PR and marketing push to inform riders about when they will need to migrate to the new application.
●Eventually decrement the legacy app (no longer available in app stores).

While less seamless, this second approach is straightforward for users to understand, does not risk duplicate tickets and requires minimal additional support from the agency.

PROJECT PLAN

1. PROJECT EXECUTION PLAN.
Masabi believes that the Justride platform is uniquely suited for Eagle County Regional Transit Authority as their fare payments platform and that ECRTA will find in Masabi an ideal long-term fare collection partner.
Two things are critical when considering how Masabi will accomplish this exciting project for the City of San Antonio:
1. The scope of work that will be delivered will please ECRTA’s passengers while meeting the objectives of ECRTA.
2. The methodology that Masabi will adhere to will ensure a quality solutions delivery that is deployed on time. Masabi’s team and plan will give ECRTA confidence that its needs are being met at every step of the program.

The proposed approach for this project will enable ECRTA to meet both their near-term needs and long-term objectives from one single SaaS platform. Masabi will provide ECRTA with a market leading, state-of-the-art fare payments platform that can be utilized to deploy mobile ticketing, allow the unbanked population to digitize cash, and facilitate integrations with alternative mobility services providers. In Phase 1 of the project, Masabi will work with ECRTA to deploy electronic validation; the proposed hardware would provide a future-proofed path towards a modern account-based fare collection system using the same platform to further deploy smartcards and, if ECRTA elects to move forward with it, cEMV (2021).

Masabi’s fare payment platform can support this functionality today, and would be able to simply configure the Justride platform to serve these use cases (cEMV and smartcards) to ECRTA when ready to do so. Extending functionality from a common, existing platform suggests that Masabi’s roadmap is perfectly aligned with ECRTA’s broader objectives for this project.

In the near term, ECRTA can take advantage of Masabi’s best-in-class mobile ticketing capabilities. For this initial deployment, Masabi will not only deliver an ECRTA branded app, but also an integrated fare purchasing and trip tools experience within the Transit app or one of Masabi’s other numerous 3rd party application partners.
In summary, Masabi proposes to deliver the following solution for ECRTA:
● Mobile ticketing: Masabi will roll out its mobile ticketing for ECRTA through both the Transit app and an ECRTA branded mobile ticketing application within ECRTA’s desired time frame.
● Trip tools: through the Transit app (or other Trip Planning Application) additional features can be included, such as parking, APC integrations, and real-time information. Masabi’s SDK allows for integration within other mobility apps, creating new sales channels for ECRTA while providing a convenient one stop location where riders can plan and pay for a journey, all from within their favorite third-party application.
● Cash digitization: Masabi proposes two different alternatives for cash digitization with ticket office windows. The first option is using its own technology, the Vendor Portal. The second option leverages Masabi’s Integration with InComm Vanilla Direct for physical retail outlets.
● Electronic validation: Masabi can work with ECRTA to deploy electronic validation as described in the Proposed Approach - Phased Deployment, Phase 1.
● Additionally, several alternative enhancements are included in this proposal for ECRTA’s consideration, such as:
  ● Pay as you Go Experience
  ● Best Fare Finding for Smart Card users (also known as Fare Capping)
  ● Paper Tickets
  ● Cash Digitization
  ● Integration via SDK into 3rd Party Applications such as the Transit App

Given that the Justride platform is deployed as a SaaS solution, as Masabi enhances the platform with additional functionality and improvements, new features will continuously be made available to ECRTA.
Masabi considers input from all its clients to be vital and welcomes the opportunity to partner with ECRTA in order to identify future enhancements that will meet and even exceed ECRTA’s expectations.

In partnering with Masabi, ECRTA will benefit from the current capabilities of Justride as described in the section Justride Platform Overview, while also reaping the value from a continuously improving platform. As a result, ECRTA, by being hosted on Masabi’s multitenant or multi-agency platform, will receive continuous software updates as well as the exciting product roadmap developments that Masabi is constantly working to deploy. The elements outlined above are just a high-level overview of what Masabi can deliver for ECRTA.

In the following section, Masabi will describe the project delivery plan and approach it will take in order to accomplish ECRTA’s stated goals for this project. Additionally, a requirements matrix is included which clearly outlines Masabi’s high level of compliance for the proposed solution and a full description of the Justride platform that would be deployed.

2. PROJECT APPROACH TO INCLUDE DESCRIBING INTERACTION WITH AND REVIEW CYCLE REQUIREMENTS.

Project Management Approach

Masabi has the experience, capabilities and commitment to deliver the Justride platform within the accelerated schedule proposed. The fastest implementation Masabi has undertaken to date has been completed in under a month; setting up payment credentials and training staff take up the majority of that time. Masabi has included a relatively detailed schedule demonstrating how the Masabi team will deliver Justride through an accelerated phased methodology.

Please refer to the project schedule below where Masabi has provided a schedule of how the program will meet and, in some cases, exceed expectations.
The schedule provided is based on Masabi’s experience in deploying many global customers quickly and easily from its Justride platform which is built upon a robust and flexible configuration layer. This approach removes the need for time-intensive custom development and thereafter the ongoing overhead of maintaining a bespoke fare collection solution. Masabi has included in Appendix C the resumes of its experienced project team who will be responsible for deploying and supporting .

Masabi is hoping that the schedule conveys the level of experience, control, professionalism and collaboration that Masabi will utilize to ensure that this implementation is delivered successfully. The Masabi approach also provides a framework for further expansion and integration capabilities, providing a robust platform from which to introduce new services in line with changing technology and rider demands.

Collaboration is at the core of Masabi’s project delivery philosophy. Masabi understands that during the project delivery lifecycle requirements may subtly change; this may be as a result of an associated project, or simply because Masabi is offering an option or feature that was not previously aware of.

This project schedule outlines an approach which is streamlined, but also adjustable during phases to accommodate any future change or requirement. Masabi’s Services team will lead through each stage using best practices in the industry which have been used throughout some of the largest North American deployments to great success and development of key customer relationships which continue after the initial implementation.
Masabi looks forward to working directly with ECRTA during the initial project design phase to confirm scope, expectations and requirements to expand upon the submitted schedule into a detailed and comprehensive project control and set of deliverables.

Masabi will assist in all aspects of this mobile payments platform launch, which includes assistance across technology, integrations, partnerships, change management and stakeholder engagement, marketing assistance with representative publicity examples, marketing materials and preparedness for all aspects of go-live. Masabi will continue post implementation to monitor the success of the program through customer engagement, app reviews and metric reviews.

PROJECT MANAGEMENT METHODOLOGY

Masabi has the experience, proof points, and capabilities to deliver the Justride platform for ECRTA. The Services team will lead through workshops to quickly determine the configuration options, set up payment processing, and prepare ’s organization and staff to transition to Masabi’s fare payment platform with minimal disruption.

Benchmarked Best Practices

Please refer to Appendix A, where Masabi has provided a schedule of how the program will meet ’s expectations and provide a foundation for expansion. The schedule provided is based on Masabi’s standard methodology and best practices in deploying global customers quickly and easily. The Masabi team is focused on making the best decisions, benchmarked across key US agencies, and has extensive knowledge of how to take agencies through the full life cycle of deployment, including cultural adoption, user readiness and marketing messaging.

The project schedule provided conveys the level of experience, control, professionalism and collaboration that Masabi will utilize to ensure that this implementation is delivered successfully.
The Masabi approach also provides a framework for further expansion and integration capabilities, providing a robust platform from which to introduce new services in line with changing technology and rider demands. Above all, the schedule demonstrates Masabi’s ability to deliver a full solution meeting ’s requirements by mid November 2020.

Configuration Workshops

Masabi Services brings simple to use decision support templates and standard work plans to each deployment which accelerates the project timeline as the project team leads everyone through the Configuration Workshops. Each Configuration Workshop layers upon each stage to quickly build out a “First-Look UAT build” so that can quickly and easily envision the final implementation and spend more time on customer migration, adoption, training rather than waiting for code to be delivered, and having to wade through multiple versions of designs and wireframes.

Team Based Collaboration

Masabi assigns a team of experienced transit savvy people to each engagement. This team based approach ensures that there is project knowledge built into all roles that interact with the agency whether it is the training person talking to customer care, a technical consultant speaking with maintenance and operations or the business analyst understanding fare products and policies.

Masabi Services becomes part of an agency’s internal team; the focus is on understanding the strategies, culture, operational process and geographic dynamics of each agency, and using this information to drive the best decisions, and quickly based upon similar situations that the team has experienced.

Project Control and Planning

The Masabi Services team keeps rigorous control of each project through project management, planning strategies, detailed documentation, and risk management.
Team members are certified project managers or Agile Scrum certified and use these disciplines to manage project risk quickly and effectively. At each project stage, the team will communicate project requirements, assist in removing internal barriers, effectively control inputs and outputs as required to move through each stage in the project lifecycle as outlined in Appendix A.

Masabi looks forward to working directly with Eagle County Regional Transportation Authority during the initial project design phase to confirm scope, expectations and requirements to expand upon the submitted schedule into a detailed and comprehensive project control and set of deliverables.

3. WORK PLAN TO INCLUDE A TIMELINE FOR WHEN CERTAIN CORE SYSTEM FEATURES WILL BE AVAILABLE

This was described in the proposed approach section of Masabi’s proposal. For ECRTA’s convenience, this is duplicated below.

Proposed Approach – Phased Deployment

Mobile First Approach

Masabi’s SaaS platform is built to be flexible, extensible, and scalable. Utilizing a mobile first approach allows Masabi to offer rapid deployment to agencies for its core mobile ticketing functionality with additional features and capabilities being activated on a modular basis. A key advantage of this approach is that agencies can go live with mobile ticketing technology much faster than with a custom-built solution. In addition, it allows agencies and their riders to become accustomed to the new system over time through incremental deployment phases. The scope of these phases is easily adjustable to meet ’s needs.

Phase 0 – Accelerated Mobile Ticketing (visval, web portal) → 2020 Q4 (October/Nov)

In order to meet ECRTA’s desire to launch a new solution as quickly as possible, Masabi proposes an accelerated first phase (which is entitled Phase 0) consisting of mobile ticketing with Masabi’s industry-leading visual validation technology.
This deployment would entail pre-purchase mobile ticketing in a -branded Justride Retail application and an optional integrated trip planning and ticketing sales channel through Transit App.

Masabi anticipates being able to deploy this within 60 days from notice to proceed.

Phase 1 – Mobile Ticketing Electronic Validation (Route-based fare rules, SVA, cash top-ups → vendor portal at agency locations, PDF printed tickets at agency windows) → 2021 Q2

Following the successful deployment of Justride mobile ticketing, this new phase of the proposed deployment will involve the installation of Masabi’s electronic validation equipment and the launch of additional sales channels. During this phase, Masabi would introduce electronic validation to increase the security of the mobile ticketing solution using Masabi’s Justride Validator and advanced Inspect validation software. Masabi understands that ECRTA uses differentiated vehicles for Regular and Premium Routes; if so, no CAD/AVL integration is required to electronically validate tickets and passes automatically as the validators are simply configured for their respective route (the PAYG case is covered in detail in Phase 2). If vehicles are regularly switched between routes then electronic validation will be based on audible feedback to the driver on a scan event.

Within this phase, Masabi will also deploy stored value accounts that can be used as a funding source to buy pre-purchased mobile tickets. This feature is one approach for serving unbanked and underbanked passengers, and is an intermediate step to full account-based ticketing in Phase 2.

Simultaneously, Masabi will deploy additional sales channels to make tickets and passes available to passengers through multiple means.
These features will not only provide new paths for riders to purchase fares, but also make fare products available to a broader array of passengers through programs explicitly designed to serve business and institutional partners and cash-dependent riders. These sales channels include:
● Web Portal - a website that allows users to purchase mobile tickets, and optionally, print-at-home PDF tickets
● Partner Portal - a web-based interface that allows business and institutional partners to manage mobile tickets for their members
● External Orders API - an API that allows the same functionality of the Partner Portal to be integrated into an existing website
● Vendor Portal - an additional module within the back office that allows passengers to pay in cash to purchase tickets or load stored value at ECRTA ticket windows

Finally, the introduction of electronic validation serves as a crucial necessary prerequisite to turn on account-based Pay-as-you-Go ticketing in Phase 2.

Phase 2 – Account Based Ticketing Pay as You Go (route & discount/entitlement based PAYG, AVL integration if current work is reusable, smartcards, retail network, paratransit) → 2021 Q3

Once Phase 1 is fully live and passes a user-testing pilot phase, ECRTA will be ready to launch its full account-based Pay-as-you-Go (PAYG) system. Upon boarding a bus, a passenger will simply present the account token of their choice (a mobile barcode or smart card) and the validator will automatically deduct the appropriate amount from the passenger’s account held in the cloud-hosted Justride back office. Justride’s intelligent fare engine applies fare capping to ensure that passengers are always charged the best fare.
In addition, the following infrastructure will also be deployed in this phase:
● Justride ECRTA branded smart cards
● Optional Upgrade - InComm top-ups at retail outlets

During this phase Masabi will use an onboard integration with ECRTA’s CAD/AVL system to validate differentiated fares on Regular and Premium Routes. For this integration, Masabi is proposing for ECRTA the following options:
● Implement PAYG based on the bus’ route without a CAD/AVL integration. This will incur no additional integration cost but is only possible if the Premium Route vehicles and regular route vehicles do not switch their route (i.e. vehicle on premium route is moved to service a regular route).
● Implement PAYG based on the bus’ route with AVL route data, integrating with the Clever Devices CAD/AVL system. This will be subject to further discussions with Clever Devices and assumes that the Clever Devices units will be using the same API version (1.4), as previously integrated by Masabi.

Future Expansions and Additional Functionality

Finally, with account-based-ticketing fully live and operational, future upgrades will be available to further improve rider experience. These will include:
● Partner card management - additional functionality to allow business and institutional partners to directly administer all aspects of ordering, issuing, and managing Justride smart cards for their members
● Thermo-printed single tickets using Vendor Portal
● Contactless Bank cards using cEMV technology as open loop payment mechanism for ABT Pay as You Go, with best fare finding for riders.

A key advantage of Masabi’s SaaS methodology is that as the platform continues to grow and expand, all Justride agencies benefit from the ongoing updates to the central platform.
This approach ensures that ECRTA’s fare collection system is able to scale and evolve over time as technologies and needs change without having to incur the costs and disruptions associated with re-procurement. Masabi has detailed in its Additional Functionality section some of the upgrades that can be made available to ECRTA as future updates.

Functionality by Phase Table

As a summary of the presented phases above, a table is presented below for ECRTA’s convenience including the functionality to be provided in each of the phases.

| Functionality | Phase | Quarter |
|---|---|---|
| Rapidly deployed visually validated mobile ticketing | Zero | Q4 2020 |
| Justride Hub (back office) | Zero | Q4 2020 |
| Web Portal (sales channel) | Zero | Q4 2020 |
| Integration Into 3rd Party Trip Planning Application (such as the Transit App) | Zero | Q4 2020 |
| Mobile ticketing with Electronic Validation (Justride Validator) | One | Q2 2021 |
| Paratransit Service | One | Q2 2021 |
| Automatic Vehicle Location (AVL) Integration | One | Q2 2021 |
| Partner Portal (sales channel) - if option selected | One | Q2 2021 |
| Vendor Portal (sales channel) - if option selected | One | Q2 2021 |
| Retail Networks for SVA top-ups (sales channel) | Two | Q4 2021 |
| Paper Tickets, ability to print | Two | Q4 2021 |
| Smart card as account token rollout | Two | Q4 2021 |

4. SCHEDULE

The project schedule is included in the Appendix A of this document.

5. TESTING AND VALIDATION APPROACH

Quality assurance is an integral part of the Masabi Deployment program and the Justride SaaS platform due to the critical nature of ridership use and service uptime requirements.
There are four distinct Testing and QA cycles for any given customer:
A. Initial Setup and Configuration of the Justride Platform
B. Justride Roadmap of new features continuously developed and tested, to be added to the Platform, some of which may be Customer-specific following Change Requests; this is a fairly standard Agile development process.
C. Rollout of code updates, either as updated Client Apps on the relevant app stores or as Server updates pushed onto the Justride Cloud.
D. Maintenance of a live service for the Agency, including receipt of NonConformance Reports.

Through its deployment methodology Masabi conducts a standard set of deployment gates. These deployment gates release incremental functionality, stage the user experience, create a controlled rollout program for quality and testing assurance in active ridership markets, allow for stakeholder review and feedback and facilitate early adopter programs to remove usability risk in a successful launch. An agency may decide to adopt one or all Deployment Gates:
1. Prototype App – A wireframe click-through app which demonstrates standard expected workflows in mobile ticketing (Select Fares, Routes, Buy Ticket and Store Tickets) and a degree of branding.
2. Preview App – An app which is configurable to an initial set of requirements based 100% on standard Justride Platform functionality. Will demonstrate initial Branding, Workflows, and Agency Fares & Tariffs.
3. UAT (User Acceptance Test) – Full mobile ticketing functionality including any customized components; a viable release candidate ready for internal testing and quality assurance reviews. End to end workflows including dummy payment transactions.
4. Pilot – A controlled release to a user group who act as early adopters in an open, day-to-day ridership experience. Pilot programs are also used to phase and stage wider deployments into smaller phased deployments to mitigate any risk or issues in sensitive markets or where there might be other infrastructure involved in the ridership.
5. GoLive – Operational Release – A complete end to end application and mobile ticketing program which is a public release across all routes, lines and stations.

The Quality Assurance process for Justride deployments is designed to ensure that everything is extensively tested both as a configurable platform and as the end configuration deployed for ECRTA. Automated software tests start with individual low-level unit test coverage of all features added to the system. Automated and manual User Interface-level tests and automated API test suites for each service in the system ensure that individual components work correctly.

High level end-to-end integration tests ensure that all parts work together as a coherent platform across all configurable options. This enables Masabi to release all services in the platform on a regular (usually bi-weekly) basis with confidence, keeping the number of changes in each release small and so decreasing the risk of any breaking problems.

App releases are handled on a slightly less frequent basis (recommended every 6-8 weeks) due to the overhead of app store management and are subjected to manual regression tests to ensure that the platform works correctly for ECRTA specifically.

6. SYSTEM RECOVERY PLAN.

Disaster Recovery

An overview of Masabi’s disaster recovery plan can be found below. Upon selection, as part of its SLAs, a full and comprehensive disaster recovery plan will be provided.
Masabi’s Locations:

Current Masabi AWS Region deployment:
● UW2 - US West 2 - Oregon - North American clients
● EW1 - EU West 1 - Ireland - European clients
● EW2 - EU West 2 - London - Secondary VPN entry point
● EC1 - EU Central 1 - Frankfurt - Backups / DR Site
● AS1 - Asia Pacific 1 - Singapore - Asian clients
● AS2 - Asia Pacific 2 - Sydney - Australian clients

Summary of current strategy:

All Masabi services are deployed to multiple availability zones (AZs). Availability Zones are designed for physical redundancy and provide resilience, enabling uninterrupted performance, even in the event of power outages, Internet downtime, floods, and other natural disasters. This means if one of the AWS ‘locations’ within a region were to be taken offline, Masabi services could continue to operate as normal. This holds true for server instances and database backends.

AWS builds its data centers in multiple geographic Regions as well as across multiple AZs within each Region. Each Region is isolated from the others. And AWS AZs are true AZs: completely separate buildings kilometers apart for complete redundancy.

Masabi also takes automatic daily database backups of all production databases; these are kept for 7 days.

Regular snapshots are taken of all data to a separate AWS account, which has limited login access to ensure Masabi can recover should the account be compromised.

If an entire AWS region was taken offline (meaning the complete loss of 3 physically separate availability zones) Masabi would bring that production stack up within the secondary AWS account using our automated provisioning tools. This process would take approximately half a day to complete.
What can Masabi’s current plan mitigate against:
● AZ Failure - TTR - 2-3 minutes (time taken to automatically failover to standby database)
● Malicious damage to main production account - TTR - 1 day
● Data loss or corruption - Daily DB backups kept for 7 days

7. TRAINING.

Masabi offers a variety of customizable training programs to enable agency staff to successfully administer and support ECRTA’s mobile ticketing program. Most often, training sessions are delivered via live webinars that include presentations, demonstrations, and Q&A.

Webinars are effective, convenient, and budget-friendly. Masabi can host from 1 to 45 participants per training session. The assigned account manager will work with ECRTA to develop a training schedule that meets their needs. With advanced requests, Masabi can provide ECRTA with a recording of the live sessions along with copies of the slide decks.

Training can also be delivered in-person, as pre-recorded videos (eLearning), as reference guides and job aids, or as train-the-trainer sessions. Additionally, agency staff can find an ever-expanding library of articles, tutorials, and other information via the Online Help Center.

Masabi’s training programs are designed to enable agency’s staff to perform their job functions at the completion of the training session. Masabi does this by explaining concepts (the “what”), demonstrating functions (the “how”), discussing scenarios (the “why”), and checking for understanding (the “what if”). Masabi also tailors all standard training content to reflect the agency's functions and applications. In this way, Masabi provides a realistic simulation of participants’ actual work environment.

Masabi recognizes that as its platform continues to improve and develop, and as the mobile ticketing program grows, staff will continue to need training. To address this need, Masabi offers quarterly webinars for both beginner and advanced level audiences.
These webinars are open to all Masabi customers and cover a wide range of topics including basic functionality, new features, and advanced troubleshooting.

In addition to the standard training offerings listed below, Masabi offers additional services to customize training materials and programs to meet ECRTA’s specific needs.

The following are examples of courses recommended as part of the go-live preparations (this is a non-exhaustive list):

| Module/Session Name | Intended Audience | Type of Training | Length of Training Session | Max People Per Module Session | # of Sessions |
|---|---|---|---|---|---|
| What is mobile ticketing? | Beginner; all job functions | Introduction to the benefits of mobile ticketing for the agency and its riders, an overview of the mobile ticketing platform components, and a description of basic user requirements. | 15 min | 15 | 1 |
| How to use the mobile ticketing app | Beginner; all job functions | Walkthrough of purchasing and using mobile tickets, including a live demonstration of ECRTA’s mobile ticketing application. | 30 min | 15 | 1 |
| Delivering Customer Service in the Hub | Intermediate; Customer service agents and Managers | This in-depth look at the Hub starts with a description of the customer service process and how to find and interpret information on the Manage Customer page. It includes detailed walk-throughs of all customer service functions and a discussion of use cases. A live demonstration of the Hub and mobile ticketing app will show how customer service functions appear to both the rider and the customer service agent. | 90 min | 15 | 1 |
| Hub Administration and Reporting | Intermediate; Managers | Demonstrates Hub administration functions including bulk operations and management of users and assets. It then examines four ways of viewing and interpreting information in the Hub, from the high-level dashboard through detailed reports and customized data extracts. This session includes a live demonstration of the Hub. | 90 min or 2 x 45 min | 15 | 1 |
| Visual Validation of Mobile Tickets | Intermediate; Ticket inspectors, Customer service agents, and Managers | Describes how to rapidly and accurately validate mobile tickets by sight. Several use cases are presented using pre-recorded or live demonstrations of ECRTA’s mobile tickets. | 45 min | 15 | 1 |
| Marketing Mobile Ticketing | Beginner; Managers | Discussion of how ECRTA can introduce and promote mobile ticketing. Several examples are shown. | 30 min | 15 | 1 |
| Incident Monitoring and Escalation | Intermediate; Customer service agents and Managers | Describes Masabi’s incident management process. It includes a demonstration of how to use the Online Help Center (Zendesk) to create and manage support requests. | 30 min | 15 | 1 |
| Partner Programs | Intermediate; Customer service agents and Managers | Discussion of the benefits of Partner Programs and provides examples of how they can be designed and implemented. In the Hub, Masabi will walk through how the program is administered and supported. | 60 min or 2 x 30 min | 15 | 1 |
| An Introduction to Tariffs | Advanced; Managers | Overview of tariffs. Using fictional agencies as examples, it looks at many of the required values in flat-fare and simple A-to-B tariffs. A simulated walk-through of managing tariffs in the Hub is included. | 60 min | 15 | 1 |
| Using Transit app for journey planning and ticketing | Beginner; Customer service agents; Managers; all job functions | Introduction to Transit app features, walkthrough of trip planning in the app. Walkthrough of purchasing and using mobile tickets in the app. Overview of how customer service works at Transit. | 45 min | 15 | 1 |

PROJECT TEAM

Masabi was founded with a passion for transportation and integrity as one of its core principles. Since its early days, the team has grown, but these components have stayed the same. The selected project team has a diversity of experience in mobile ticketing and transportation developed over many years of experience. As a company focused solely on fare payments for transit, members of the Masabi team individually have a minimum of five years of experience in the space. Since the company was founded, over 100 person-years of effort has been invested into the company’s products and services.

Behind the leadership team and the proposed project team, Masabi has a wealth of mobile developers, server technology developers, testers, graphic designers, and account managers with experience on Masabi’s Justride deployments. With years of experience in developing an application for transportation, Masabi’s team has full command of the drivers of success in the high-demand mobile ticketing space for transit.

Based on the unparalleled fare payments experience, Masabi has all necessary resources to ensure the on-time, on-budget implementation of this project. Behind this team will be the deployment hardened Justride platform designed specifically with the flexibility to support deployments of any scale in transit.

In developing a project plan and schedule, this team will ensure that appropriate resources are assigned to the development of each component of the Justride based solution.
Masabi runs an agile cross-functional development process focused on bi-weekly iterations, aiming to provide incremental feature previews to ECRTA after each component of the project is complete. QA is embedded within the development team to ensure that all aspects of the solution are fully tested from design through delivery.

For ECRTA, Masabi will work closely with Transit to deploy the Transit App as an integrated journey planning and mobile payments front-end.

Turning to the specific team members, Masabi has nominated the following personnel to make this project a success, if selected by ECRTA:

- Nayeli Velez will be acting as Project Manager, an area where she brings eight years of experience in payments and technical projects.
- Ko-Shin will be supported by Sara Poulton, VP of Services, who brings close to thirty years of experience as a Senior Executive in the strategic development of high performing professional services, product management and marketing organizations, and who has been responsible for the Masabi part of the organization delivering Justride and supporting agencies for the last five years.
- Providing technical consulting to the project team will be Jorgen Pedersen, Director Technical Consulting Services, who brings over twenty years of experience on transportation technology projects acting as project manager and technical consultant.
- Finally, Chip Whitman will be providing support to ECRTA as Senior Account Manager, an area where he has twenty years of experience having managed institutions of all sizes and complexities - both in the US and worldwide.

Org Chart with

ONGOING SUPPORT SERVICES

1. POST “GO LIVE” SUPPORT THAT IS INCLUDED IN THE PROPOSAL RESPONSE.
Masabi integrates Customer Support Incident Management solutions with the agency to support a single customer view and an audit trail for any support or incident management.

Once the Justride system is operational, Masabi provides access to its Customer Support Center staffed by a team of qualified support engineers in the US and London from 8:00 am to 6:00 pm local time. Agents can call Support Operations during these hours or directly submit support tickets. In addition, IT support for operational issues is available 365 days a year, 7 days a week and 24 hours a day.

Internal agency teams are provided access to Zendesk, Masabi’s Internal Support Management solution. Tickets are automatically acknowledged and assigned a tracking number which is escalated to Masabi Support Engineers, and if required, Masabi Quality Assurance and Engineering. Updates to tickets are posted online and monitored in accordance with a support escalation timeline established between the agency and Masabi.

An online portal provides white papers, How To guides, Frequently Asked Questions and general educational content for customer care and support teams. It also has Release Notes for each key release so that agencies can identify new features quickly and easily.

2. TELEPHONE SUPPORT.

US Phone (Local)*
+1 (917) 810-7644
(Critical Support Option # 1 & 1)

3. HELP DESK SERVICES.

Support Contacts
Standard Support Email: support@masabi.com
Critical Support Email: criticalsupport@masabi.com

4. TOLL-FREE SUPPORT LINE.

US Phone (Toll-Free)
+1 (800) 290-8851
(Critical Support Option # 1 & 1)

5. USERS GROUP

REFERENCES

Company Name: Regional Transportation Commission of Southern Nevada (RTC)
Address: 600 S. Grand Central Parkway Suite 350, Las Vegas, NV, 89106
Contact Name: Scott Mazick, Director of IT
Telephone: (702) 676-1573
Email: Mazicks@rtcsnv.com
Describe products/services provided: Mobile Ticketing services for the RTC urban buses (including electronic validation).
Provided from August, 2016 to date.

Company Name: Regional Transportation District (RTD)
Address: 1660 Blake Street, Denver, CO 80202
Contact Name: Tonya Anderson, Electronic Fare Operations Manager
Telephone: (720) 984-3308
Email: Tonya.Anderson@rtd-denver.com
Describe products/services provided: Mobile Ticketing services with visual validation for public transit services in eight out of the twelve counties in the Denver-Aurora-Boulder Combined Statistical Area in Colorado. Recently extended to include MaaS ticket sales through both Uber and Transit apps.
Provided from November 2017 to date.

Company Name: NEORide - EZfare
Address: 1 Park Centre Drive #300 Wadsworth, OH 44281
Contact Name & Title: Katherine Manning, Director of Client Services
Telephone: 330-334-6877
Email: katherinem@otrp.org
Describe products/services provided: EZfare - Regional mobile ticketing project that allows riders to purchase and use tickets across 10+ agencies in the Ohio area.
Provided from January 2019 to date.

Company Name: Calgary Transit
Address: Bow Parkade, 234 - 7 Avenue S.W.
Contact Name & Title: Steve Waters, Leader, Development Support Centre, Client Solutions, Information Technology, CFOD
Telephone: 403.815.7235
Email: Steve.Waters@calgary.ca
Describe products/services provided: Calgary Transit is the public transit service owned and operated by the city of Calgary, Alberta, Canada. Masabi deployed a Mobile ticketing solution for the City of Calgary.
Provided from January 2019 to date.

ADDITIONAL SUBMISSION REQUIREMENTS TO DETERMINE PROPOSER RESPONSIBILITY

1. LITIGATION HISTORY

Masabi does not have any pending litigation.

A claim for alleged patent infringement was filed in the District Court for the Eastern District of Texas in the United States of America against the company in May 2016. A subsequent action was filed by the Directors with the United States Patent and Trademark Office (USPTO), to contest validity of the claimant's parent patent. This is a common strategy in US patent litigation known as an inter partes review. In December 2018, the Patent Trial and Appeal Board of the USPTO ruled that material components of the claimant's subject parent patent were unpatentable. In February 2019, the patent infringement claim in front of the District Court was dismissed with prejudice, and the claimant's subject patents were held to be invalid. The claimant then initiated appeals of these decisions to the US Court of Appeals for the Federal Circuit (CAFC), which were both dismissed on February 10th 2020, as the CAFC affirmed the previous judgements of both the USPTO and the District Court. The claimant's right to further appeal is now exhausted, and the Company is free from any prospect of liability for damages in relation to this matter.

2. FINANCIAL INFORMATION

Masabi has attached to its proposal in appendix B its most recent audited financial statements along with a letter from its CFO with regards to its financial capabilities.

3. INSURANCE REQUIREMENTS

Masabi has attached in appendix D its insurance certificates.
APPENDIX A: PROJECT SCHEDULE

APPENDIX B: MOST RECENT AUDITED FINANCIAL STATEMENT

APPENDIX C: RESUMÉS

Sara Poulton, VP of Global Services

Sara has 28 years of experience as a Senior Executive in the strategic development of high performing professional services, product management and marketing organizations. Sara is entrepreneurial and has creative leadership skills balanced by drive for growth, sales achievement and operational excellence.

PROFESSIONAL SUMMARY

As Head of Services for Masabi, Sara is responsible for service delivery, account management and support services, ensuring that Masabi's customers receive seamless implementation and ongoing support for their mobile ticketing platform initiatives. Sara has successfully developed professional services and consulting teams, and has also served as a VP of Marketing and Director of Product in a variety of enterprise B2B companies, and also successfully launched mobile applications for sales enablement.

Prior to Masabi, Sara was VP of Global Professional Services at Avention (formerly OneSource), data solutions for sales and marketing, including mobile application delivery for sales enablement and relationship managers; project management, application development, pre-sales engineering.
PROFESSIONAL EXPERIENCE

VP of Global Services, Masabi, New York, 2015 - Present
● Oversees global service organization supporting Justride mobile ticketing solution for large public and private transportation agencies worldwide, including New York, Los Angeles, Boston
● Manages all project and program management teams responsible for client deployment, including custom solution implementation.
● Leads the global account management team responsible for agency retention, adoption and growth.
● Manages the operational excellence of a worldwide support organization servicing a managed support operation and direct second level advanced support.

VP of Global Professional Services, Avention (formerly OneSource, Inc.), Cambridge, MA, 2012 - 2015
● Global leadership for Avention’s Professional Services organization, including custom application development, master data management, commercial excellence solutions, sales and marketing analysis, and CRM/Marketing Automation integration.
● Global P/L responsibility for bookings and revenue attainment, utilization/profitability and performance management of a $12 million professional services organization; grew revenues from $3 million.
● Operational management and leadership of project managers, application consultants, business analysts, pre-sales solution architects, application developers, and project managers.
● Executive sponsor for Enterprise Accounts including GE Capital Americas, Iron Mountain, AOL, ADP, Bank of America, Price-Waterhouse, EMC, Royal Bank of Scotland, Orange-French Telecom for the implementation and development of enterprise level custom and data solutions.

Senior Director of Global Sales Operations, Thermo Fisher, Waltham, MA, 2010 - 2012
Led global sales operations for Thermo Fisher’s handheld analysis division, including sales planning, channel marketing and inside sales.
Key achievements include:
● Managed all annual and quarterly global sales planning processes including annual operating plans, sales compensation planning, and demand management.
● Derived and managed the company's “Channel Excellence” strategy to improve global channel distribution and marketing models, including channel management, channel marketing, technical development and sales training. Hired and developed a channel operations and management team.

VP of Global Marketing, DigitalGlobe Inc., Longmont, CO, 2006 - 2010
Led the global marketing organization for DigitalGlobe, a $275 million NYSE listed company, the leading provider of world imagery solutions for governments, enterprises and consumer technology. Managed a staff of 19 worldwide with budgetary responsibility of $8 million.

VP of Marketing, Tego Inc., Waltham, MA, 2005 - 2006
Co-Founder and VP of Marketing for Radio Frequency Identification (RFID) company designing and developing innovative tag technology for the global aerospace and automotive markets.

VP of Marketing, CenterStone Software Inc., Westwood, MA, 2002-2005
Directed the strategic and product marketing activities for a leading provider of internet workplace resource management (WRM) solutions including product marketing, product management, marketing communications and demand generation.

VP of Marketing, Sprockets, Inc., Boston, MA, 2001-2002
Responsible for product strategy, marketing communications and business development for an ASP web-collaboration platform serving corporate marketing, advertising and public relation agencies.
VP of Services & Solutions, eRoom Technology Inc., Cambridge, MA 1998-2001
Defined, created and marketed a multi-faceted Services and Solutions organization for the leader in collaborative Digital Workspace applications which evolved the company’s strategy into an enterprise solution for the Fortune 100.

VP of Professional Services, Advanced Visual Systems, Waltham, MA, 1997-1998
Responsible for the development and strategy of a worldwide professional services organization providing visualization enterprise solutions to technical and commercial markets.

Director of Product Management, OneSource Information Services, Cambridge, MA, 1991-1997
Led product management and engineering teams for business intelligence and marketing solutions

Investment Research Consultant, Datastream International Inc., London, UK, 1989-1997
Managed a portfolio of investment banking and financial management accounts for a financial information solution company

Senior Mergers & Acquisitions Analyst, Extel Financial Ltd, London, UK, 1986-1989
Performed mergers and acquisition research for a financial information services company.

EDUCATION
● Simmons College - Masters in Business Administration
● University of London - BSc Economic History

Nayeli Velez - Project Manager

8 years experience as a project, program and content manager for payments and other technically-oriented projects. Experience with Scrum, working with developers across multiple time zones. Track record of building trusted partnerships with clients and cross-functional stakeholders. An empathetic problem solver, bringing a strong perspective to identify the gaps and drive positive change.
PROFESSIONAL SUMMARY

Nayeli is an experienced project manager who will be working alongside Ko-Shin on project control and management of all facets of the platform deployment. Prior to Masabi, Nayeli was a product manager at Visa, and project manager for more than seven years in different engineering organizations.

PROFESSIONAL EXPERIENCE

Senior Project Manager - Masabi, Denver, CO, Dec. 2019 – Present
Acting agent to transportation agencies worldwide, integrating software and hardware for fare collection. Taking a consultative approach to advise beyond technical implementation: adoption management, community planning and awareness, partner management and operations control.
● Working with agencies at all levels to develop full-fare collection and MaaS (Mobility-as-a-Service) solutions
● Creating and managing delivery schedules and budgets
● Negotiating critical roadmap requirements with internal development teams
● Managing complex projects and relationships at the most senior levels
● Working with business development and account managers to scope requirements, define feasibility and cost estimation for new or existing opportunities
● Leading status meetings, steering committees, to represent the agency voice and negotiate strongly for the agency on timelines, requirements, customization, integration and enhancements
● Assessing project and executive risk to implement controls, communication and risk management strategies

Product Manager - Visa Inc., Foster City, CA, Aug. 2018 - Sept. 2019
Managed 15+ Visa consumer websites. Facilitated smooth client on-boarding from gathering requirements through build, launch and ongoing maintenance. Managed Agile development team backlog and product roadmap. Triaged enhancements to prioritize based on severity, contractual obligation and team workload.
● Collaborated closely with the engineering team to create client-specific layout needs and launch new features such as single sign-on and API integrations, then created training, documentation, and marketing assets. Created a new on-boarding process, successfully launching four new sites.
● Identified product gaps to help shape the broader product roadmap and strategy to solve problems for customers. Guided the engineering team through over 20 product releases.
● As primary point of contact, helped cross-functional teams like marketing, sales and operations support, answering any questions as a true “product expert”.
● Tracked and defined KPIs leveraging Google Analytics tags, reporting quarterly to all stakeholders.

Senior Project Manager - Lieberman Research Worldwide, Los Angeles, CA, Jul. 2014 – Aug. 2018
Worked in a fast-paced environment to plan, execute and complete projects. Set project milestones and identified key wins and risks. Acted as an internal consultant to the company, guiding them through best practices, use of proprietary software and created new process rules to increase operational efficiency to maximize project outcome and cut waste.
● Allocated engineering resources across all company projects based on project scope, timing, personnel outages and changing needs. Managed distribution of 100+ projects across 30 local and off-site developers.
● Solved company-wide operations problems through a deep understanding of projects and people's needs, then implemented an empathetic solution through documentation and training. Solved company-wide issues with translating surveys by hiring new translation partners, created and documented new processes and ran company-wide training. Saved the company $200K+ in translation inefficiencies.
● Communicated tactical process decisions and plans, project status, issues and workarounds, in order to achieve alignment across all stakeholders. Managed 25+ projects at a time with various levels of complexity.

Qualitative Research Associate
Main analyst for market research projects with various clients (CPG, finance, beauty, electronics, non-profit) to understand customer journeys, brand perceptions, subject matter insights using various qualitative research methodologies to uncover business solutions.
● Experience as an analyst and moderator in various qualitative methodologies; user experience research, blogging, focus groups, one-on-one interviews, and shop-alongs. Uncovering deep consumer insights to generate recommendations to solve business problems and user issues.
● Managed target population screening, recruitment, and project logistics to ensure the appropriate respondents were selected according to the research proposal and objectives. Created a new process for reporting recruitment and managing vendors, creating a new standard for efficient screening.

Program Manager - Distance Learning Providers, Inc., Los Angeles, CA, Nov. 2011 – Jul. 2014
Conducted on-boarding of pharmaceutical companies to use SaaS proprietary software. Consulting during sales meetings, gathering requirements, planning, managing launch and ongoing operational support. Managed the client relationship, software maintenance and internal operations team to ensure the product experience was running optimally.
● Juggled responsibility of serving as the voice of the client interest and internal team by focusing on promised scope and budget, avoiding scope creep and considering enhancements when necessary. On-boarded two pharmaceutical companies, each with 1000+ users, including setting up accounts, making software enhancements and creating FDA approved training.
SKILLS

Experience managing technically complex, cross-organizational, global, and multi-stakeholder projects. Knowledge of Software Development Life Cycle (SDLC), waterfall, Agile (Scrum), use of JIRA. Strong analytical, mediation and problem resolution skills. Excellent time management, communication, collaboration and organization skills.

EDUCATION
● UCLA - Sociology, Aug. 2008
● Beijing Normal University - Mandarin Chinese Language Intensive Concentration, Aug. 2008
● General Assembly - User Experience Design, May 2018
● The Braintrust Consulting Group - Product Owner Certificate, Sept. 2018

Jorgen Pedersen, Director Technical Consulting Services

Jorgen has more than 20 years of experience in transportation technology and acts as both a senior program manager as well as the technical consulting liaison specifically assisting with system integrations and technical support.

PROFESSIONAL SUMMARY

Jorgen has been responsible for the delivery of many cutting-edge technology platforms and approaches within the traffic and transit sectors. He served as Vice President for Innovative solutions identifying and delivering new technologies to further promote the delivery of real-time and predictive solutions for both road and rail-based transportation. He was invited, and subsequently served as the UK lead for several European Union led initiatives to further promote the delivery of travel information through mobile technologies.
Technical responsibilities therefore included hardware and software integration across a wide range of transport related programs including ATIS (Advanced Traveler Information Systems), ATMS (Advanced Transport Management Systems), EAM (Enterprise Asset Management), ICM (Integrated Corridor Management), Predictive Transportation Systems, and many more.

PROFESSIONAL EXPERIENCE

Masabi – Director – Technical Consulting Services, October 17 - Current
● Responsible for the delivery of customer specific solutions supporting the Masabi mobile ticketing platform, including hardware integration of static and on-vehicle validators, and software integration to external solutions providers such as CAD/AVL systems, TVMs, MDTs, integrated Fareboxes etc.
● Also responsible for the delivery of SDK implementations and supporting third parties to integrate mobile ticketing into third-party mobile based platforms.

MTA - Director EAM Program Manager (Metro North & MTA), January 15 – October 17
● Responsible for the delivery of an Enterprise Asset Management (EAM) program for the MTA and Metro North Railroads.
● Transitioning the program from conceptual design to solutions delivery within a framework of programmatic risk minimization.
● Also responsible for the definition, design and delivery of MTA HQ’s EAM Enterprise projects, including the delivery of cross agency IT infrastructure, data hierarchies, external systems integration activities, and an approach to maximize cross agency synergies through a process of Business Process Reengineering (BPR).

Program Manager (Allied Vision Technologies), March 14 – January 15
Operationally responsible for the design, development and manufacturing of an ITS IP Smart camera, to revolutionize ITS camera technology, enabling a single camera to be used for a number of different tasks.
The introduction of smart technologies enables a camera to undertake on-board processing at the front end, thereby reducing overall bandwidth requirements while providing real-time ANPR (Automatic Number Plate Recognition) data.

Vice President, Program Manager, Advanced Technologies (Iteris), June 12 – March 14
● Responsible for the investigation and assessment of new and emerging technologies, as well as identifying how technologies, processes and approaches can be leveraged within the traffic and transportation arena to deliver quantifiable improvements over current systems.
● Responsible for Advanced Traveler Information Systems (ATIS) and the delivery of programs to promote real-time and predictive information availability.

Vice President, North American Products (Telvent), January 10 – May 12
● Responsible for all Advanced Traveler Information Programs, the creation and delivery of Telvent Transportation’s SaaS and IaaS initiatives and the delivery of novel, well-conceived travel information and travel related customer facing programs. Responsible for the delivery of the Information strategy, R+D programs for all products and the delivery of new innovative technologies, including Near Field Communications (NFC). Delivered algorithms and processes to maximize the utilization of real-time information, and through trend analysis deliver very accurate predictive assessments which are then used to monitor, manage and inform.
● As part of this role I have presented at a number of conferences, as well as delivered webinars on a number of topics ranging from ITS Revenue Generation to ICM Integrated Corridor Management.
Senior Program Manager (Consultant, TfL/London Underground), January 91 – Oct 08
● Refurbishment and Technology upgrade of London Underground’s Network Operations Centre (NOC). This program took account of all elements of delivery including a multi-redundant operational environment, completely new infrastructure including, new data center, multi-redundant infrastructure and telecommunications and the delivery of a number of bespoke applications. The environment accepts CCTV images from all cameras across London through an adapted feed from the BTP (British Transport Police).
● Responsible for several business transformation and improvement programs which included the TfL London Journey Planner, the delivery of the real-time IT/IS strategy and technical architect for the London’s i-us AVL program, fares apportionment, information dissemination across e-enabled channels, and electronic data collection.

Senior Program Manager (Consultant, bd Systems), August 06 – May 09
● Delivering the technical solution for the San Francisco 511 web portal (multi-modal Journey Planner utilizing Interactive Voice Recognition IVR). This involved the full understanding and implementation of real-time and predictive systems, communications, infrastructure, IVR, hosting environments and system integration activities.
● The contract required a multi-redundant high availability (99.999%) hosting environment. Two data warehouses were created in a hot-hot configuration, ensuring that even in the event of failure one was more than sufficient to take the complete load.
● This solution won several awards for best government system and a Webby for web design.

Senior Program Manager (Consultant, BT) - Essex County Council, December 04 - June 05
Responsible for Highways & Transportation programs.
This included office restructuring and a business realignment program, covering multiple offices in multiple locations and relocating 800+ users and included the delivery of new networked environments. A major cross-group change program was initiated, covering communications across stakeholders and users and required influencing at the highest levels.

EDUCATION
BSc equivalent in Transportation Engineering and Planning (Assessed 2009)

AWARDS AND NOMINATIONS
● ITS awards for Innovation, best of breed, design and implementation.
● London Journey Planner – Best Improvement in Customer Information 2001
● Nominated BCS Project Manager of the Year 2001.
● San Francisco Trip Planner – Best Government System 2004; Webby – website design/usability 2004
● NOC Operations Center – 3rd place Best Operations Center 2008

Chip Whitman, Senior Account Manager

Chip has 20 years of experience having managed institutions of all sizes and complexities - both in the US and worldwide. Based in Denver CO, he provides day-to-day close support and availability to Agencies to ensure successful Masabi deployments.

PROFESSIONAL SUMMARY

Chip is responsible for Account Management in the western US, working closely with agencies to get the most value from their investment in the Justride platform. He helps Agencies expand adoption of mobile ticketing into new channels, provide strategic guidance to new product functionality and its use at an agency, creating new business partnerships with SDK applications and providing the senior customer interface and the voice of Masabi to the agency on day to day issues.
Chip brings extensive experience in client relationship management, project management, and managing implementation of complex solutions to the Masabi Services Team.

PROFESSIONAL EXPERIENCE

Senior Account Executive, MASABI LLC, London, UK/Denver CO, 2018 – present
● Account Management responsibility in the western US, working closely with agencies to get the most out of their Masabi implementation.
● Responsible for helping client agencies to expand adoption of JustRide across their customer base and be the main interface between the client and Masabi.

Sales Consultant, DUN & BRADSTREET (D&B) INC. (formerly Avention Inc.), Concord, MA, 2014 – 2017
● Delivery of custom data solutions and pre / post- sales support.
● Built strong relationships with key accounts (Waste Management, PwC, EMC/Dell, Citrix, etc) for custom data solutions.
● Became trusted technical solutions advisor for both key external and internal customers.
● Led multiple internal & external projects including data cleansing and augmentation, trigger/signal delivery, DataVision, MDM and API solutions utilizing Agile methodologies.
● Initiated and led both daily project management calls and weekly meetings to identify problems, increase cross communication/learning and ensure timely delivery of custom projects.
● Developed customer- and inward-facing technical requirements and implementation documents for clarity, cross-selling/up-selling and improved customer satisfaction.

Director, Sales Operations, ACRONIS INC., Burlington, MA, 2013 – 2014
● Managed a three-person team in all aspects of Sales Operations and Sales Enablement/Improvement.
● Implemented improved process for more streamlined and effective customer implementations by working closely with both internal and external customers.
● Achieved improved account management and sales performance through development and implementation of Key Account Plans.
● Initiated key customer days for improved voice of customer, consistent communication and discussion about existing/future needs

Manager, Partner Management & Sales Operations, THERMO FISHER SCIENTIFIC, Tewksbury, MA, 2010 – 2013
● Managed team of two in partner enablement and sales operations. Added responsibility of Inside Sales with a team of four.
● Managed Partner program including recruitment, on-boarding, and on-going engagement of +125 distributors and representatives.
● Developed and led monthly and quarterly partner meetings for improved communication and delivery of solutions.
● Introduced annual Partner Business Plans for a stronger relationship, identification of both existing and future needs, identification of key accounts and setting expectations.

Director of Alliances, ECOPY, Nashua, NH, 2006 – 2010
● Managed three person team. Directed all aspects of channel (partner) operations for Americas / APAC including sales strategy and solution implementations.
● Developed and implemented Key Account Plans which resulted in more consistent communication, improved understanding, and a closer relationship.
● Provided training and technical know-how for partners and customers becoming the “go-to” product expert and resource.

Director of Sales Channel/Biz Development, NECST INC., Boxborough, MA, 2001 – 2006
● Built and managed US/EMEA key account team of three, including both direct and partner sales.
● Teamed with Japan headquarters in coordinating and leveraging on-going sales activities outside Japan for improved key account relationships.
● Increased ongoing revenue stream from $1M to $5M+ through key account management and leveraging existing NECST customer relationships into new business units.
EDUCATION
● MBA, Tuck School of Business Administration, Dartmouth College, Hanover, NH
● Bachelor of Science (BS), Civil Engineering, Lehigh University, Bethlehem, PA
● Intensive Japanese Language Program, Nanzan University, Nagoya, Japan

PROFESSIONAL MEMBERSHIP
● Registered Professional Engineer

APPENDIX D: INSURANCE CERTIFICATES

APPENDIX E: MASABI STANDARD SaaS AGREEMENT - WITH SLAs