C22-088
Zoom Master Subscription Agreement 2021 v.5
ZOOM VIDEO COMMUNICATIONS MASTER SUBSCRIPTION AGREEMENT
This Master Subscription Agreement (this “Agreement”) is effective February 23, 2022 (“Effective Date”) between Eagle County, Colorado acting by and through its Board of County Commissioners (“County” or “Customer”), and Zoom Video Communications, Inc. and its Affiliates (“Zoom”) for Customer’s use of the Services (defined below) to which Customer has subscribed as specified in one or more Zoom order form(s) (“Order Form”). Additional terms may also be set forth in the Order Forms or on Exhibits to this Agreement. In the event of a conflict between the Agreement and an Order Form, the conflicting term(s) in the Order Form will not be considered an amendment to the Agreement but the conflicting term(s) in the Order Form will only apply to that individual order.
1. Definitions. The following definitions will apply in this Agreement and the Order Forms, and any reference to the singular includes a reference to the plural and vice versa. Service specific definitions are found on Exhibit A.
“Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by or is under common control with that party. For purposes of this Agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
“Agreement” means this Master Subscription Agreement, together with all Exhibits and all Order Forms entered into pursuant to this Master Subscription Agreement, each of which is incorporated herein by reference.
“Charges” is defined in Section 5.
“Claim” is defined in Section 15.1.
“Confidential Information” is defined in Section 8.
“Customer Content” is defined in Section 4.2.
“Customer Data” is defined in Section 4.1.
“Downtime” means the Services were not available to the Internet due to causes within the reasonable control of Zoom other than scheduled maintenance performed between the hours of 11 pm and 3 am PT. Downtime does NOT include any inability of Customer to access the Services caused by third parties outside of the control of Zoom (such as internet service providers, network service providers or telecommunications service providers) or caused by Customer hardware, software, systems or networks.
“End User” means a Host or Participant (as defined in Exhibit A) who uses the Services.
“Initial Subscription Term” means the initial subscription term for a Service as specified in an Order Form.
“Laws” means all U.S. or non-U.S. national, regional, state, provincial or local laws, statutes, rules, regulations, ordinances, administrative rulings, judgments, decrees, orders, directives, policies, or treaties applicable to Zoom’s provision and Customer’s use of the Services.
“Order Form” is defined in the Preamble.
“Service Effective Date” means the date that an Initial Subscription Term begins as specified in an Order Form.
“Renewal Term” means the renewal subscription term for a Service commencing after the Initial Subscription Term or another Renewal Term as specified in an Order Form.
“School Subscriber” is defined in Exhibit A.
“Security Breach or Incident” means any accidental, attempted, unlawful, or unauthorized destruction, alteration, disclosure, misuse, loss, theft, access, copying, modification, disposal, compromise, or access to Customer Content.
“Services” means the Zoom Meeting Services and/or Zoom Phone Services described in Exhibit A to which Customer has subscribed as specified in one or more Zoom Order Form(s).
DocuSign Envelope ID: E106FD3E-C0DA-4B48-A355-6E6DA59F191A
“Taxes and Fees” and “Taxes or Fees” means all applicable sales, use, value-added or regulatory taxes, fees, duties, charges, surcharges or assessments levied on the provision of Services to Customer (exclusive of any income tax imposed on Zoom).
2. Access, Use, Customer Responsibility.
2.1 Right to Use. Zoom hereby grants to Customer a non-exclusive, non-transferable right for Customer to use the Services, subject to the terms and conditions of this Agreement for the Initial Subscription Term and any Renewal Term as specified in the Order Form. Zoom reserves the right to enhance or modify features of the Services but will not materially reduce the core functionality or discontinue any Services without providing prior written notice to Customer. Customer will receive standard updates to the Zoom Services that are made generally available by Zoom during the term specified in the Order Form. However, Zoom reserves the right to offer additional functionality or premium feature improvements for an additional cost. All rights not expressly granted herein are reserved by Zoom and its licensors.
2.2 Beta Versions. Zoom or its Affiliates may, from time to time, offer access to services that are classified as Beta version (i.e., a version that is not generally available). Access to and use of Beta versions may be subject to additional agreements. Zoom makes no representations that a Beta version will ever be made generally available and reserves the right to discontinue or modify a Beta version at any time without notice. Beta versions are provided AS IS, may contain bugs, errors or other defects, and Customer’s use of a Beta version is at the sole risk of the Customer.
2.3 Customer Use and Responsibility.
Customer may only use the Services pursuant to the terms of this Agreement and all use must conform to Zoom’s Privacy Policy, Acceptable Use Policy, and to the use limits imposed by the purchased plan level. Customer is solely responsible for its and its End Users’ use of the Services and shall abide by, and ensure compliance with, all Laws in connection with its and each End User’s use of the Services, including but not limited to Laws related to recording, intellectual property, privacy and export control/economic sanctions.
2.4 Prohibited Use; Notification of Unauthorized Use. Customer shall not use, and shall not permit any End User to use, the Services to: (a) modify, disassemble, decompile, prepare derivative works of, reverse engineer or otherwise attempt to gain access to the source code of the Services; (b) knowingly or negligently use the Services in a way that abuses, interferes with, or disrupts Zoom’s networks, Customer accounts, or the Services; (c) engage in activity that is illegal, fraudulent, false, or misleading, (d) transmit through the Services any material that may infringe the intellectual property or other rights of third parties; (e) build or benchmark a competitive product or service, or copy any features, functions or graphics of the Services; or (f) use the Services in violation of Zoom’s Acceptable Use Policy or any other policy referenced herein, or any applicable Law. Customer shall notify Zoom immediately if it becomes aware of any unauthorized use of any password or account or any other known or suspected breach of security or misuse of the Services. If Customer becomes aware of any violation of this Agreement in connection with use of the Services by any person, Customer may contact Zoom at violation@zoom.us.
Zoom will investigate any complaints of violations that come to its attention and may take any action that it believes is appropriate, in its sole discretion, including, but not limited to, issuing warnings, removing content, suspending services, or terminating accounts and/or End User profiles.
2.5 Windows and Chrome OS Compatibility. Zoom shall make the Services provided compatible with the Chrome OS platform and Microsoft Windows platform. If Zoom Services are not available on either platform, it will be deemed a material breach of the Agreement and Customer will have the right to terminate the Agreement for cause in accordance with Section 9.2(b) (Termination by Either Party).
3. Intended Use; Restrictions on Use by Children; No Commercial Transfer. The Services are intended for business use. Customer may choose to use the Services for other purposes, subject to the terms and conditions of this Agreement. Zoom is not intended for use by individuals under the age of 16, unless it is through a School Subscriber using Zoom for Education (K-12). Individuals under the age of 16 may not create accounts or use the Services except as described herein. Customer may not sublicense, sell, resell, transfer, assign, distribute, use on a timeshare or service bureau basis, or charge fees to other parties for use of the Services.
4. Customer Data and Content; Responsibility for Use.
4.1 Customer Data. Customer Data is information provided to Zoom so that Zoom can fulfill the terms of the Agreement and provide access to the Services (e.g., Company name, billing address, contact name and information). Customer is solely responsible for the accuracy of Customer Data, and Zoom has no liability whatsoever for errors and omissions in Customer Data.
4.2 Customer Content.
Customer Content is any data or content originated by Customer, or an End User, and stored or transmitted using the Services. Customer Content includes files, documents, recordings, chat logs, meeting subject and attendees, transcripts, and any other information Customer or End Users may upload into the Services in connection with the use of the Services. Zoom collects and processes Customer Content only at the direction of Customer and for no other purposes than the provision of Services hereunder. As between Customer and Zoom, Customer shall retain ownership of all Customer Content. For the avoidance of doubt, in no event shall Zoom be a Data Controller, as defined in the GDPR, or the substantial equivalent of a Data Controller under any Law. For purposes of Section 8 below, Customer Content is not “disclosed” to Zoom.
4.3 Customer Responsibility for Customer Content. As between Zoom and Customer, Customer is solely responsible for the use of the Customer Content and compliance with all Laws pertaining to the Customer Content, including, but not limited to, Laws requiring Customer to obtain the consent of a third party to use the Customer Content and to provide appropriate notices of third-party rights. Customer grants to Zoom a limited right to modify, reproduce and distribute the Customer Content, solely in connection with providing the Services. Customer represents and warrants that it has the right to upload the Customer Content to Zoom and that such use does not violate or infringe on any rights of any third party. Under no circumstances will Zoom be liable in any way for any (a) Customer Content that is transmitted or viewed while using the Services, (b) errors or omissions in Customer Content, or (c) any loss or damage of any kind incurred as a result of the use of, access to, or denial of access to Customer Content.
4.4 Zoom Obligations for Customer Content.
Zoom will maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access to Customer Content, in accordance with Zoom’s Technical Organizational & Security Measures, attached hereto as Exhibit B. Zoom will notify Customer if it becomes aware of unauthorized access to Customer Content. Zoom will not access, view or process Customer Content except (a) as provided for in this Agreement and in Zoom’s Privacy Policy; (b) as authorized or instructed by Customer, (c) as required to perform its obligations under this Agreement; or (d) as required by Law. Zoom has no other obligations with respect to Customer Content.
4.5 Security Breach or Incident. Zoom will notify Customer of a Security Breach or Incident at helpdesk@eaglecounty.us as soon as reasonably practicable and without undue delay, but in no event more than seventy-two (72) hours after confirming the Security Breach or Incident. To the extent known by Zoom, such notice will include (i) a description of the incident, including the type of incident (e.g., theft, loss, improper disclosure, unauthorized access), location of the incident (e.g., laptop, desktop, paper), how the incident occurred, the date the incident occurred, and the date the incident was discovered; (ii) a description of the type of Customer Content involved; (iii) a description of the potentially impacted individuals, if known; (iv) a description of the initial actions taken in response to the Security Breach or Incident; and (v) all other information reasonably requested by the Customer or reasonably necessary to provide notice to individuals or regulators. Customer acknowledges that certain information may not be immediately available and can be provided on a rolling basis as it is discovered. In facilitating the investigation and remediation of a Security Breach or Incident, Zoom will use commercially reasonable efforts to cooperate fully with Customer.
Zoom will not inform any third party of any Security Breach or Incident without first notifying Customer, unless prohibited by law.
4.6 Data Processing Agreements and Similar Agreements. Upon request, Zoom will prepare and execute a data processing agreement or addendum to this Agreement further delineating the Parties’ responsibilities with respect to information that reasonably identifies a specific individual.
5. Prices and Fulfillment. For each Service subscription that Zoom provisions to Customer, Zoom will bill Customer certain non-recurring and recurring charges at prices set forth in the applicable Order Form. The prices specified in the Order Form include all Zoom charges for the right to use the Services and are exclusive of all Taxes and Fees. Prices include standard support (see Zoom Help Center) and generally available updates to the Services. Separate charges for overage amounts and per-use charges may also apply, which charges will be described in the Order Form, and Customer agrees to pay these charges if Customer incurs them. Prices for professional services, if any, will be set forth in a professional services Order Form. All such Zoom charges are referred to as “Charges”.
5.1 Price Changes. Zoom may change prices for the Services from time to time, in its sole discretion. Any price changes will be effective upon the commencement of Customer’s next Renewal Term; provided, that Zoom shall provide Customer with reasonable notice of any such fee increase prior to the expiration of the Term or any Renewal Term.
5.2 Discounts and Promotional Pricing. Prices specified in the Order Form may include discounts or promotional pricing. These discounts or promotional pricing amounts may be temporary and may expire upon the commencement of a Renewal Term, without additional notice.
Zoom reserves the right to discontinue or modify any promotion, sale or special offer at its sole and reasonable discretion.
5.3 Maximum Payment Obligation. Notwithstanding any other provision of the Agreement, the County’s maximum payment obligation for the Services in any one year shall not exceed $100,000 (the “Maximum Yearly Payment Obligation”). Customer is responsible for ensuring that the Maximum Yearly Payment Obligation does not exceed $100,000 during the then-current year. If Customer, in good faith, signs an additional Services or add-on Order Form where the total price for the year would exceed the then-current Maximum Yearly Payment Obligation, Customer will be responsible for payment of the applicable Order Form. For clarity, any overage or per use charges that are incurred by Customer that exceed the Maximum Yearly Payment Obligation during the then-current year, Customer will still be responsible for payment for the overage or per use charges.
6. Invoices and Payments. Unless specified otherwise in an Order Form, Customer shall pay all invoices within thirty (30) days receipt of such invoice. Invoices may be emailed to the address specified by the Customer. Except as explicitly provided in this Agreement, all payment obligations are non-cancelable and all amounts paid are non-refundable. Zoom shall invoice Customer for all non-recurring Charges, overage and per-use Charges, and associated Taxes and Fees, on the invoice following the provision of Service giving rise to such Charges; and, shall invoice Customer for all recurring Charges and associated Taxes and Fees on the invoice preceding the period in which Services will be provided.
6.1 Purchase Order Numbers. If a Purchase Order Number is required for processing an invoice, Customer will provide such Purchase Order Number with the applicable Order Form.
If issuance of a Purchase Order is delayed, Customer will provide a Purchase Order Number within 5 days of the Service Effective Date via email to billings@zoom.us. Notwithstanding the foregoing, the thirty (30) day period for payment shall commence as of the applicable invoice date. Such payment period shall not restart based on any delays in issuing a Purchase Order or any other Customer required procurement process.
6.2 VAT Invoices. If required by Law, Zoom will issue a VAT invoice to Customer.
6.3 Withholding. To the extent that any amounts payable by Customer are subject to withholding Taxes and Fees, the amount payable shall be grossed up by Customer when Customer remits payment such that the amount paid net of withholding Taxes and Fees equals the amount invoiced by Zoom.
6.4 Tax Exemptions. In the event Customer is exempt from any Tax or Fee, Customer will provide Zoom with all appropriate resale certificates, VAT registration numbers, and/or other documentation satisfactory to the applicable taxing authorities to substantiate such exemption status.
6.5 Billing and Contract Information; Billing Disputes. Customer represents and warrants that the Customer Data provided to Zoom is complete and accurate. If Customer believes an invoice is incorrect, Customer must contact Zoom in writing within thirty (30) days of the date of the invoice, and identify the amount in question, to be eligible to receive an adjustment or credit, which adjustment or credit, if any, shall be determined by Zoom in Zoom’s reasonable discretion after reviewing all relevant information.
7. Zoom Proprietary Rights. Zoom or its licensors own and shall retain all proprietary rights, including all copyright, patent, trade secret, trademark, trade name and all other intellectual property rights, in and to the Services.
Zoom shall retain ownership of any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or any other party relating to the Services. The Services are protected by copyright laws and international copyright treaties, as well as other U.S. federal, state and international intellectual property laws and treaties. Customer acknowledges that the rights granted under this Agreement do not provide Customer with title to or ownership of the Services, but only a right to use under the terms and conditions of this Agreement.
8. Confidentiality. Each party agrees to regard and preserve as confidential all non-public information provided by the other party relating to the business, systems, operations, strategic plans, clients, pricing (including, but not limited to, the pricing terms herein), methods, processes, financial data, programs, and/or products of the other party in any form, that are designated as “confidential,” or a reasonable person knows or reasonably should understand to be confidential (herein “Confidential Information”). For purposes of this Agreement, Customer’s Confidential Information shall include Customer Data, and any information disclosed to Zoom by the Customer relating to the business, systems, operations, strategic plans, clients, pricing, methods, processes, financial data, programs, and/or products of the Customer. Each party agrees to limit its disclosure of the other party’s Confidential Information to as few persons as possible and only to those persons with a need to know that are its or its Affiliates’ personnel and subject to an obligation to keep such information confidential.
Except as needed to fulfill their respective obligations under this Agreement, neither party shall, without first obtaining the other party’s prior written consent, disclose to any person, firm or enterprise, except as expressly permitted herein, or use for its own benefit, or the benefit of a third party, the Confidential Information of the other party.
8.1 Exclusions. “Confidential Information” shall not include Customer Content or information that (a) is already rightfully known to a party at the time it is obtained from the other party, free from any obligation to keep such information confidential; (b) is or becomes publicly known or available through no wrongful act of a party; (c) is rightfully received from a third party without restriction and without breach of this Agreement; or (d) is developed by a party without the use of any proprietary, non-public information provided by the other party under this Agreement.
8.2 Exception. Either party may disclose Confidential Information where required by law, regulation, or court order, provided that the party subject to such law, regulation or court order shall, where permitted, notify the other party of any such use or requirement prior to disclosure in order to afford such other party an opportunity to seek a protective order to prevent or limit disclosure of the information to third parties.
8.3 Confidentiality Period and Obligations. The confidentiality obligations set forth in this section of the Agreement shall remain in effect for a period of five (5) years from the disclosure of the information.
Both parties agree (a) to take reasonable steps to protect the other party’s Confidential Information, and these steps must be at least as protective as those the receiving party takes to protect its own Confidential Information, and no less than a reasonable standard of care; (b) to notify the disclosing party promptly upon discovery of any unauthorized use or disclosure of Confidential Information; and (c) in the event of any unauthorized disclosure by a receiving party, to cooperate with the disclosing party to help regain control of the Confidential Information and prevent further unauthorized use or disclosure of it.
9. Term and Termination; Suspension. Each Order Form will specify a Service Effective Date, an Initial Subscription Term, and a Renewal Term for the Services subscribed to in that Order Form.
9.1 Term and Renewal; Early Termination. Unless specified otherwise in the Order Form, a Renewal Term will commence automatically upon conclusion of the Initial Subscription Term or prior Renewal Term unless either party sends written notice of termination at least thirty (30) days prior to the commencement of the next Renewal Term.
9.2 Termination by Either Party. A party may terminate this Agreement by: (a) providing written notice of termination without cause to the other party, provided that all subscription terms for all outstanding Order Forms have expired or been terminated, or (b) providing written notice of termination for cause if the other party has materially breached the Agreement and has not cured such breach within thirty (30) days of written notice of such breach.
9.3 Termination or Suspension by Zoom. In the event Zoom reasonably believes that Customer or any End User is in material breach of Sections 2 or 8, Zoom may immediately suspend or disconnect access to Customer’s or such End User’s use of the relevant Services, prior to termination for cause as provided above and until such breach is cured.
Zoom may also suspend Customer’s and/or an End User’s use of or access to any Service if it reasonably believes that such suspension is necessary to prevent imminent harm to Zoom, Zoom’s network, any End User, or any third party communicating with an End User. Zoom may immediately terminate access if it reasonably believes Customer is in breach of Section 2.4. Any such suspension, disconnection, or termination shall be without liability to Zoom, and Customer will remain responsible for all recurring Charges incurred during the period of suspension or disconnection.
9.4 Termination by Zoom Due to Change in Law. In the event of any change in Law that has the effect of materially increasing Zoom’s costs to provide Service hereunder or effectively cancels, changes or supersedes any material term or provision of this Agreement (collectively “Change in Law”) either party may, on thirty (30) days’ prior written notice to the other require that they enter into good faith negotiations to revise the Agreement to appropriately address the Change in Law. If the Parties are unable to agree on such revisions within thirty (30) days from the date of notice, Zoom may terminate this Agreement with immediate effect.
10. Responsibilities upon Termination.
10.1 Cessation of Use. Upon any termination of this Agreement, Customer shall immediately cease any further use of the Services.
10.2 Return of Customer Content. For thirty (30) days following expiration or termination of the Agreement, Zoom will provide Customer access to retrieve Customer Content, after which time Customer Content will be deleted according to regularly scheduled deletion protocols.
11. Service Level Agreement. Zoom shall make commercially reasonable efforts to ensure that Downtime does not exceed 0.1% in a month.
In the event of any Downtime of the Services in excess of 0.1% in a month, Zoom shall provide Customer a credit in an amount equal to the Downtime percentage times Customer’s monthly subscription amount for the Service. Customer shall provide Zoom with prompt written notice of any Downtime. If Zoom fails to correct any Downtime situation within fifteen (15) business days after receipt of such notice, Customer may terminate this Agreement.
12. Zoom Marketplace. The Zoom Marketplace is a site where third party developers may make available applications that are interoperable with the Services and is further defined in Exhibit A.
13. Managed Domains. The Managed Domains functionality is made available to certain Customers and is subject to the terms as further defined in Exhibit A.
14. Warranties.
14.1 Limited Warranty. Zoom warrants to Customer that the Services will, in all material respects, conform to the functionality described in the Zoom Documentation. Zoom's sole and exclusive obligation, and Customer's sole and exclusive remedy for a breach of this warranty shall be that Zoom shall use commercially reasonable efforts to modify the Services to conform in all material respects to the Zoom documentation, and if Zoom is unable to materially restore such functionality within thirty (30) days from receipt of written notice of said breach, Customer shall be entitled to terminate the Agreement upon written notice and shall be entitled to receive a pro-rata refund of the unused Charges that have been paid in advance (if any) under this Agreement. This warranty shall be in effect for the first thirty (30) days ("Warranty Period") from the date the applicable Services are first provided to the Customer. In the event of any material non-conformance reported after the Warranty Period, Zoom's sole and exclusive obligation and Customer's sole and exclusive remedy shall be to secure assistance through Zoom's technical support services.
14.2 Warranty Disclaimer.
EXCEPT AS EXPLICITLY PROVIDED IN SECTION 14.1, ZOOM AND ITS LICENSORS EXPRESSLY DISCLAIM ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, OR THE CONTINUOUS, UNINTERRUPTED, ERROR-FREE, VIRUS-FREE, OR SECURE ACCESS TO OR OPERATION OF THE SERVICES AND/OR ZOOM SERVICES. ZOOM EXPRESSLY DISCLAIMS ANY WARRANTY AS TO THE ACCURACY OR COMPLETENESS OF ANY INFORMATION OR DATA ACCESSED OR USED IN CONNECTION WITH THE SERVICES. TO THE EXTENT ZOOM CANNOT DISCLAIM ANY SUCH WARRANTY AS A MATTER OF APPLICABLE LAW, THE SCOPE AND DURATION OF SUCH WARRANTY SHALL BE LIMITED TO THE FULLEST EXTENT PERMITTED BY LAW.
15. Indemnification.
15.1 Indemnification by Zoom. Provided that Customer complies with the terms of Section 15.3 below, Zoom agrees to indemnify, defend and hold harmless Customer from any third party suits, claims or demands and associated liabilities, costs, damages and expenses (including, but not limited to, attorneys’ fees, expert fees and court costs) (collectively, “Claims”) that Customer may sustain or incur arising from infringement by the Services of any copyright, trademark or trade secret of a third party, or any U.S. patent. This indemnity will not apply to any Claim that the infringement arose from the combination of the Services with software, hardware, content, data or other items not supplied by Zoom.
In the event that the licensed Services are, or in Zoom’s sole opinion are likely to be, enjoined due to the type of infringement described in this Section 15, Zoom, at its option and expense, may (a) replace the applicable Services with functionally equivalent non-infringing technology or (b) obtain a license for Customer’s continued use of the applicable Services, or, if the foregoing alternatives are not reasonably available to Zoom (c) terminate this Agreement and refund any sums prepaid for Services not provided as a result of such termination.
15.2 Indemnification by Customer. Subject to applicable law and provided that Zoom complies with the terms of Section 15.3 below, Customer agrees to indemnify, defend and hold harmless Zoom and its Affiliates and their respective officers, directors, members, employees, consultants, agents, suppliers and resellers from any Claims arising from (a) Customer’s or Customer’s End Users’ use of the Services in violation of this Agreement; (b) any infringement or violation by Customer or any End User of any intellectual property or other right of any person; and (c) Customer’s or any End User’s violation of any Law.
15.3 Indemnification Procedures. In claiming any indemnification under this Section 15, the indemnified party shall promptly provide the indemnifying party with notice of any claim that the indemnified party believes is within the scope of the obligation to indemnify. The indemnified party may, at its own expense, assist in the defense if it so chooses, but the indemnifying party shall control the defense and all negotiations relative to the settlement of any such claim. Any settlement intended to bind the indemnified party shall not be final without the indemnified party’s written consent, which consent shall not be unreasonably withheld or delayed.
16. Limitation on Liability.
16.1 EXCLUSIONS.
ZOOM SHALL NOT BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR (a) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (b) ANY UNAUTHORIZED ACCESS TO, OR ALTERATION, THEFT OR DESTRUCTION OF THE WEB SITE, ANY CONTENT, CUSTOMER DATA, SYSTEM DATA, OTHER DATA FILES, PROGRAMS OR INFORMATION THROUGH ERROR, OMISSION, ACCIDENT OR FRAUDULENT MEANS OR DEVICES NOT DIRECTLY ATTRIBUTABLE TO ZOOM’S NEGLIGENT ACTS OR OMISSIONS, OR FOR OTHER CIRCUMSTANCES OUTSIDE OF ZOOM’S REASONABLE CONTROL, OR (c) ANY MALFUNCTION OR CESSATION OF INTERNET SERVICES BY INTERNET SERVICE PROVIDERS OR OF ANY OF THE NETWORKS THAT FORM THE INTERNET WHICH MAY AFFECT THE OPERATION OF THE SERVICES.
16.2 NO INDIRECT DAMAGES. IN NO EVENT SHALL EITHER PARTY OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF REVENUES OR PROFITS, LOSS OF USE, BUSINESS INTERRUPTION, LOSS OF DATA, BREACH OF DATA, OR THE COST OF SUBSTITUTE PRODUCTS OR SERVICES, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EACH PARTY AGREES TO TAKE REASONABLE ACTION TO MITIGATE ITS DAMAGES.
16.3 AGGREGATE LIABILITY CAP. IN NO EVENT SHALL ZOOM’S LIABILITY FOR ANY DAMAGES EXCEED AN AMOUNT EQUAL TO THE TOTAL CHARGES PAID TO ZOOM UNDER THIS AGREEMENT IN THE PRIOR TWELVE (12) MONTHS PRECEDING THE INCIDENT GIVING RISE TO THE CLAIM. THIS LIMITATION APPLIES TO ALL CAUSES OF ACTION IN THE AGGREGATE, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, MISREPRESENTATIONS, NEGLIGENCE, STRICT LIABILITY AND OTHER TORTS. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
17. Force Majeure.
Neither party hereto will be liable for defaults or delays (other than the non-payment of Charges) due to Acts of God, or the public enemy, acts or demands of any government or governmental agency, fires, floods, accidents, or other unforeseeable causes beyond its control and not due to its fault or negligence.

18. [Intentionally Omitted.]

19. Miscellaneous.

19.1 Choice of Law and Forum. This Agreement shall be governed by and construed under the laws of the State of Colorado, U.S.A.

19.2 Export Restrictions. Customer acknowledges that the Services, or a portion thereof, may be subject to the export control laws of the United States and other applicable country export control and trade sanctions laws (“Export Control and Sanctions Laws”). Customer and its End Users may not access, use, export, re-export, divert, transfer or disclose any portion of the Services or any related technical information or materials, directly or indirectly, in violation of any applicable export control or trade sanctions law or regulation. Customer represents and warrants that (i) Customer and its End Users are not citizens of, or located within, a country or territory that is subject to U.S. trade sanctions or other significant trade restrictions (including without limitation Cuba, Iran, North Korea, Syria, and the Crimea) and that Customer and its End Users will not access or use the Services, or export, re-export, divert, or transfer the Services, in or to such countries or territories; (ii) Customer and its End Users are not identified on any U.S. government restricted party lists (including without limitation the U.S. Treasury Department’s List of Specially Designated Nationals and Blocked Persons and Foreign Sanctions Evaders List, the U.S. Department of Commerce’s Denied Parties List, Entity List, and Unverified List, and the U.S.
Department of State proliferation-related lists); and (iii) that no Customer Content created or submitted by Customer or its End Users is subject to any restriction on disclosure, transfer, download, export or re-export under the Export Control Laws. Customer is solely responsible for complying with the Export Control Laws and monitoring them for any modifications.

19.3 Incorporation of Zoom Policies. Customer acknowledges and agrees that the Zoom policies disclosed at www.zoom.us/legal are incorporated herein by reference, and Customer agrees that it has read such policies and shall comply (where applicable) with any and all obligations of Customer as set forth in such policies. Zoom reserves the right to update these policies from time to time, and will provide commercially reasonable notice of such updates. If there is a conflict between the terms of the policies located at www.zoom.us/legal and the terms of this Agreement, the terms of this Agreement will prevail, but only to the extent necessary to resolve the conflict or inconsistency.

19.4 Waiver and Severability. Failure by either party to exercise any of its rights under, or to enforce any provision of, this Agreement will not be deemed a waiver or forfeiture of such rights or ability to enforce such provision. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid or unenforceable, that provision will be amended to achieve as nearly as possible the same economic effect of the original provision and the remainder of this Agreement will remain in full force and effect.

19.5 General Provisions. This Agreement embodies the entire understanding and agreement between the parties respecting the subject matter of this Agreement and supersedes any and all prior understandings and agreements between the parties respecting such subject matter.
Any modification to this Agreement must be in writing and signed by both parties. Unless specified otherwise herein, any and all rights and remedies of either party upon breach or other default under this Agreement will be deemed cumulative and not exclusive of any other right or remedy conferred by this Agreement or by law or equity on either party, and the exercise of any one remedy will not preclude the exercise of any other. The captions and headings appearing in this Agreement are for reference only and will not be considered in construing this Agreement. No text or information set forth on any other purchase order, preprinted form or document shall add to or vary the terms and conditions of this Agreement. No joint venture, partnership, employment, or agency relationship exists between the parties as a result of this agreement or use of the Services.

19.6 Assignment. This Agreement may not be assigned by either party without the prior written consent of the other party (which consent shall not be unreasonably withheld, conditioned or delayed) except that this Agreement may be assigned or transferred without such consent to (a) an Affiliate, or (b) a successor by merger. Any purported assignment in violation of this section shall be void.

19.7 Copyright Infringement. Infringement of copyrights in connection with the Services may be reported to Zoom’s Copyright Agent through the process defined at www.zoom.us/legal.

19.8 Marketing. Customer grants Zoom permission to name them as a customer and/or use their logo across Zoom marketing materials, e.g., the zoom.us website, emails, presentations, brochures, etc. Customer further grants Zoom permission to develop content around their experience as a Zoom customer, e.g., a written and/or video case study. This content will be created in cooperation with Customer and used only upon Customer’s written approval.

19.9 Notice.
Zoom may give notice by electronic mail to Customer’s e-mail address on record in Customer’s account information, or by written communication sent by first class mail or pre-paid post to Customer’s address on record in Customer’s account information. Such notice shall be deemed to have been given upon the expiration of forty-eight (48) hours after mailing or posting (if sent by first class mail or pre-paid post) or twelve (12) hours after sending (if sent by email). Customer may give notice to Zoom (such notice shall be deemed given when received by Zoom) at any time by any of the following: letter delivered by nationally recognized overnight delivery service or first class postage prepaid mail to Zoom at the following: 55 Almaden Blvd, San Jose, CA, 95113, Suite 600, USA, addressed to the attention of: Legal or by email to legal@zoom.us.

19.10 Survival. All sections of the Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty, disclaimers, indemnification and limitations of liability.

19.11 Independent Contractor. The parties intend that (i) Zoom and Customer will be independent contractors and at no time will either party be considered an employee or employer of the other in the performance of this Agreement; (ii) this Agreement and performance of the obligations herein do not constitute a joint venture, partnership, or other relationship other than that of independent contractors; and (iii) neither party will be deemed an employee or agent of the other party.

19.12 Conflict of Interest. As of the Effective Date, Zoom avers that to the best of Zoom’s knowledge and belief, no employee of the Customer has any personal or beneficial interest whatsoever in the Services described in this Agreement.

19.13 Insurance.
Zoom shall, at all times during the Term of the Agreement, maintain, at its own cost, the following insurance coverages with carriers who have an AM Best rating of A-/VII or above: (i) Workers Compensation for its own employees that meets the statutory limits of the states in which Zoom operates and all federal statutes and regulations; (ii) Comprehensive General Liability with coverage of $1,000,000 per occurrence/$2,000,000 annual aggregate; (iii) Errors and Omissions/Cyber Liability with coverage of $10,000,000 in the aggregate for the policy period; (iv) Automobile Liability, if an automobile is used in connection with the provision of Services to Customer under this Agreement, with coverage of $1,000,000 per occurrence; (v) Crime and Fidelity Insurance with coverage of $1,000,000 per occurrence; (vi) Employer’s Liability insurance with coverage of $1,000,000 per accident, per disease for each employee and per disease policy limit; (vii) Umbrella Liability Insurance with coverage of $10 million in the aggregate. Upon request by Customer, Zoom shall provide, a current certificate evidencing the insurance required to be maintained by this Agreement is in full force and effect.

19.14 Nonappropriations. Customer's obligation to pay for future Services under an Order Form is contingent upon funds for that purpose being appropriated by an authority not controlled by Customer and in accordance with applicable law. Customer represents and warrants that funds have been appropriated for the current fiscal year to cover the costs of the Services set forth in the initial Order Form through the end of Customer's current fiscal year. If funds are not appropriated in the future in accordance with law, then Customer may immediately terminate (i) part of the Order Form for which funding is not available or (ii) the Order Form if funding is not available for the entire Order Form.
For Customer to exercise its right to terminate for non-appropriation under this Order Form, Customer must provide written notice to Zoom within thirty (30) days of the non-appropriation event or the right is waived. Customer shall employ all steps reasonably necessary to seek future appropriations for the Services, and Customer may not exercise its right to terminate for non-appropriation simply to substitute the Services of Zoom with those of an alternative provider. Customer may not rely on nonappropriation to avoid payment for Services already rendered.

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be signed by duly authorized officers or representatives as of the Effective Date.

ZOOM VIDEO COMMUNICATIONS, INC.
Signature:
Name: Deborah Fay
Title: Deputy General Counsel
Date: Feb 23, 2022

COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER:
Signature:
Name: Jeff Shroll
Title: County Manager
Date: 2/24/2022

Exhibit A
Services Description

This Exhibit A to the Master Subscription Agreement (“MSA”) describes the Services that may be ordered on an Order Form, or provided by Zoom, and sets forth further Service-specific terms and conditions that may apply to Zoom’s provision and Customer’s use of the Services. Capitalized terms not defined herein shall have the meanings assigned to them in the MSA.

A. Definitions. For purposes of this Exhibit A, the following definitions will apply:

“Hardware Programs” mean services or programs provided by Zoom that enable customers to procure hardware devices for use with Zoom Meeting Services or Zoom Phone Services subject to separate terms with the equipment manufacturers or otherwise as noted in the separate program terms.

“Host” means an individual who is an identified employee, contractor, or agent of Customer to whom Customer assigns the right to host Meetings.
A Host may hold an unlimited number of Meetings during the Initial Subscription Term or Renewal Term (as applicable), but the number of Meetings a Host may host concurrently shall depend on whether Customer orders a Concurrent Meetings package on an Order Form. A Host subscription may not be shared or used by anyone other than the individual assigned to be a Host.

“Meeting” means a Zoom Video meeting.

“Participant” means an individual, other than the Host, who accesses or uses the Services, with or without the permission and knowledge of the Host.

“Zoom Documentation” means this Exhibit A, the Zoom website (www.zoom.us) and any additional description of the Services which may be incorporated into this Agreement.

“Zoom Meeting Services” means the various video conferencing, web conferencing, webinar, meeting room, screensharing, chat, connectors, audio plans, cloud storage, and other collaborative services offered by Zoom Video that Customer may order on an Order Form.

“Zoom Phone Services” means voice connectivity services, including, but not limited to, interconnected VoIP services, provisioning of direct dial numbers, two-way voice calling and private branch exchange (PBX) functionality and related services offered by Zoom Voice Communications, Inc. (“Zoom Voice”) that Customer may order on an Order Form.

B. Zoom Meeting Services. Zoom Meeting Services enable Hosts to schedule and start Meetings and to allow Participants to join Meetings for the purpose of collaborating using voice, video, and screensharing functionality. Every meeting will have at least one Host. Chat features allow for out-of-session one-on-one or group collaboration. Further features, functionality, and solutions are described at www.zoom.us.

1. Concurrent Meetings. The Concurrent Meetings feature enables a Host to host more than one Meeting at a time, subject to the specific limitations of the Concurrent Meetings package Customer may order on an Order Form.

C. Zoom for Education (K-12).
Zoom for Education (K-12/Primary and Secondary Schools) allows schools and educators to use Zoom Meeting Services for educational purposes. Zoom maintains policies and procedures designed to comply with applicable requirements of student privacy laws including, without limitation, GDPR and the Family Educational Rights and Privacy Act (FERPA) and applicable state laws (the “Privacy Laws”). The Privacy Laws may provide students or their parents with certain rights in their personal information. If you are a parent or student and you have questions about the Privacy Laws or your related rights, please contact your school administration. Zoom will not use any student data for marketing or advertising purposes, or any other commercial purpose, except to provide Services to our School Subscribers.

If you are a “School Subscriber” — typically meaning a school or school district administrator or a teacher — you represent and warrant that you have been duly authorized by your school or school district to create an account, use the Services, and to agree to these contract terms. You further agree to use your account solely for educational purposes and solely for the benefit of your school or school district and its students.

If you are a School Subscriber subject to U.S. or similar law, you consent, for yourself and your school or school district, to Zoom’s collection, use and sharing of personal information of End Users including those who are children under the age of 13 in accordance with Zoom’s K-12 Schools & Districts Privacy Policy and You instruct Zoom to process the personal data of End Users in accordance with such policy.

If you are a School Subscriber subject to GDPR or similar law, you determine the legal basis, means and purposes for processing the data, and instruct Zoom to process personal information of End Users, including those who are children under the age of 16, in accordance with Zoom’s K-12/Primary & Secondary Schools Privacy Statement found at
https://zoom.us/docs/en-us/schools-privacy-statement.html.

1. Addendum for Connecticut School Subscribers. This Agreement as applied to Connecticut School Subscribers incorporates by reference the Zoom Terms of Service Addendum for Connecticut School Subscribers (“Addendum”) which is designed to comply with the requirements of the Connecticut Act Concerning Student Data Privacy, Conn. Gen. Stat. Ann. § 10-234aa-dd.

D. Zoom Phone Services. The following sets forth the further terms and conditions that apply to the Zoom Phone Services.

1. Definitions: For purposes of the Zoom Phone Services, the following definitions apply:

“Device” means the device assigned to a virtual extension or individual digital line set up within an account or by Zoom at Customer’s direction or request.

“Phone Host” means the individual assigned to a number which enables use of the Zoom Phone Service. A Phone Host is a “Host” for purposes of the definition of End User.

“Zoom Phone Calling Plan” means the pricing structure that enables Phone Hosts and End Users to access the PSTN. Calling plans may be “Metered” or “Unlimited” as defined on the Order Form.

“Zoom Phone Commitment” means the minimum monthly bundle of minutes that a Zoom Phone Metered Calling Plan Customer commits to use in connection with Zoom Phone Services.

2. Zoom Phone Service Provider. Zoom Voice is the provider of Zoom Phone Services and sets the terms, conditions and rates for Zoom Phone Services.

3. Description of Services. Zoom Phone Services are cloud-based phone services that use voice over internet protocol (VoIP) to provide Customer with the following services and functionalities (as selected by Customer on an Order Form):

a. Zoom Phone Service. Zoom Phone Service is a cloud-based phone service that allows two-way voice calling and private branch exchange (PBX) functionality, and a feature set as described on the zoom.us website.

b.
Public Switched Telephone Network Communications (PSTN) Access. Phone Hosts and End Users can be enabled to make and receive calls to the PSTN and be assigned a direct inward dialing phone number (DID) via a Zoom Phone Calling Plan.

c. Bring Your Own Carrier (BYOC). BYOC allows customers to use the telecommunications provider of their choice to provide PSTN access and inward DID numbers. Zoom provides BYOC customers with software that enables On Net Access and access to a range of Zoom call management features and functions. BYOC enables customers to (i) have PSTN capability in regions where Zoom does not offer PSTN Access; (ii) maintain relationships with currently deployed carriers; and/or (iii) configure deployments for flexibility and redundancy. Customer must ensure that its carrier provides all regulated telecommunications services and is responsible for telecommunications regulatory compliance.

d. Additional Zoom Phone Services. Additional functionality such as enabling common area phones, and additional Toll Free and DID phone numbers may be purchased as described on the Order Form.

4. Billing and Invoicing. Zoom will bill Customer on behalf of Zoom Voice based on the Charges set forth on the Order Form. Charges based on usage, or overage amounts that exceed the Zoom Phone Commitment, will be billed in arrears, the month following the month a Charge is incurred. No adjustment will be made, or credit or refund given, for usage that is less than the Zoom Phone Commitment.

a. On Net Access. On Net capability will be provisioned by default for all Zoom Meeting Services. Phone Hosts may access and use On Net services at no charge for so long as the underlying license to the Zoom Meeting Service remains active.

b. Taxes. Customer acknowledges and agrees that Zoom Phone Services are subject to certain Taxes and Fees (including, but not limited to, assessments for universal service) that are not applicable to Zoom Meeting Services.
Accordingly, Zoom shall invoice Customer for Taxes and Fees associated with the Charges.

5. Reasonable Use and Right to Review. Zoom Voice offers unlimited and metered Phone Calling Plans. These plans are subject to this Zoom Voice Communications, Inc. Reasonable Use Policy. Zoom Phone Calling Plans are for normal and reasonable business use; unreasonable use is prohibited. Use of Zoom Phone may qualify as unreasonable if Customer (a) engages in business activities that involve continual, uninterrupted, or consistently excessive use of Zoom Phone Services, (b) makes any misrepresentations to Zoom Voice that materially affect volume or type of use of Zoom Phone Services, (c) engages in fraudulent or illegal use of Zoom Phone Services, including any activity that violates telemarketing laws or regulations, or (d) uses Zoom Phone Services in any manner that harms Zoom Voice’s network or facilities or interferes with the use of the service by other Customers. Use that is inconsistent with the types and levels of usage by typical business customers on the same plan may be used as an indicator of abnormal or unreasonable use, including but not limited to abnormal call lengths; abnormal call frequency; abnormal call duration; abnormal calling patterns that indicate an attempt to evade enforcement of this Zoom Voice Communications, Inc. Reasonable Use Policy. Zoom reserves the right to review Customer use to determine if it is consistent with this Zoom Voice Communications, Inc. Reasonable Use Policy. In the event Zoom Voice determines that You may be engaging in unreasonable use, Zoom Voice will determine the appropriate remedy and will take action to remedy any unreasonable use, including, at its sole discretion, discussing the use with You, moving You to an appropriate Zoom Phone Calling Plan, terminating certain Hosts, and/or otherwise modifying, suspending or terminating Your Zoom Phone services.

6.
Termination of Zoom Meeting Services. Access to Zoom Phone Services requires a corresponding license to Zoom Meeting Services. In the event that the Zoom Meeting Service license is terminated, the equivalent access to Zoom Phone Services will also be terminated. At such time, Customer will be billed for any incurred usage charges, and will not be credited for any pre-paid amounts toward the Zoom Phone Commitment.

7. Zoom Voice Policies. Customer acknowledges and agrees that the Zoom Voice Communications, Inc. policies found at https://zoom.us/legal apply to Customer’s use of Zoom Phone Services.

8. Zoom Emergency Calling (E911) Customer Obligations. Customer acknowledges and agrees that Customer has read and understood Zoom Voice Communications, Inc.’s Emergency Calling or 911 Customer Notification, found at www.zoom.us/legal, which sets forth specific limitations of Zoom Phone’s emergency calling capabilities and Customer’s obligations with respect to its End Users. Such obligations include, but are not limited to:

a. ensuring that all Phone Hosts receive Zoom Voice’s Emergency Calling or 911 Customer Notification;

b. ensuring that all assigned phone numbers are registered for emergency calling purposes through the E911 link within Customer’s account, and that all registration information remains accurate and up to date; and

c. distributing warning stickers or other appropriate labels warning End Users that emergency service may be limited or not available and instructing Phone Hosts to place such stickers on or near the Devices and other equipment used in conjunction with Zoom Phone Services.

Zoom Voice reserves the right at any time to update the Zoom Voice Communications, Inc. Emergency Calling or 911 Customer Notification as necessary to reflect changes in law or technology that affect the emergency calling capabilities of Zoom Phone Services, and any such updates shall be effective immediately upon Customer’s receipt of notice.

9. Equipment.
Except as expressly provided through a Hardware Program, neither Zoom nor Zoom Voice supplies any Devices or other equipment used in connection with the Zoom Phone Services, and accordingly Zoom Voice does not provide any guarantees as to the quality or operability of such Devices and equipment when used to access Zoom Phone Services. However, Zoom Voice does test certain Devices and equipment to determine whether such Devices and equipment are supported on the Zoom Phone platform (although it has not tested all possible Devices and equipment available in the marketplace). The summary of Devices and equipment to date that Zoom Voice has determined are supported by the Zoom Phone platform may be provided on request. Customer should consult with Zoom Voice prior to deploying any other Devices and equipment.

10. Contract Variations. In the event that the “Contract Variations” Exhibit is included in this MSA, it identifies, by country, certain terms and conditions that vary from or are in addition to the terms and conditions otherwise set forth in this Exhibit A (collectively, “Contract Variations”). Such Contract Variations are incorporated herein by reference and shall govern Zoom’s provision of Zoom Phone Services in the identified countries.

E. Zoom Rooms. Zoom Room service is a software defined video conferencing system that allows conference rooms of any size, with minimum compatible hardware, to connect to the Zoom Meeting Service. Zoom Rooms include conference room specific features such as scheduling display, digital signage, and remote room management.

F. Hardware Programs. Hardware Programs enable customers to procure hardware products that work with and provide access to Zoom Meeting Services or Zoom Phone services, subject to additional terms and conditions. A separate license to the Zoom Meeting Services or Zoom Phone Services, as applicable, is required.

1. HaaS Program.
Zoom’s Hardware-as-a-Service Program (“HaaS Program”) enables customers to sub-lease certain leased devices in conjunction with and for the same subscription term as an associated underlying license for Zoom Meeting Services or Zoom Phone Services. Additional HaaS Program terms are found here.

2. Zoom For Home. The Zoom for Home (“ZfH”) program enables customers to access devices, through a Zoom Meeting Services license, that support remote work, and allows customers to deploy a dedicated personal collaboration device for video meetings, phone calls, and interactive whiteboarding (a “ZfH Device”). Devices offered under the ZfH program are determined in the sole discretion of Zoom. ZfH is available for use with all Zoom Meeting Services licenses, including Basic, except that use of a ZfH Device in a shared space in a commercial office environment requires a Zoom Rooms license. Zoom reserves the right to suspend or terminate a Customer’s access to the Services in connection with any violation of this provision. ZfH Devices and use of the ZfH program may be subject to additional terms and conditions specified on an Order Form. Zoom acts as a payment collection agent for the ZfH Device manufacturer or distributor (“ZfH Distributor”), and is not a seller, distributor or reseller of any hardware component or device. The ZfH Distributor is solely responsible for all obligations, including availability, fulfillment, delivery and warranties regarding the device, except as specified below.

i. Warranties. All warranties and warranty information are provided by the ZfH Distributor and not by Zoom. Please refer to the ZfH Distributor’s website for more information. Zoom is not responsible for ZfH Device warranties.

ii. Returns and Refunds. All returns are subject to the ZfH Distributor’s return policy, and must be authorized by the ZfH Distributor prior to processing a return.
Any ZfH Device may be returned within the first thirty (30) days following delivery for a refund. After thirty (30) days, only defective devices may be returned. Refunds will be processed by Zoom only after the ZfH Distributor has notified Zoom that the ZfH Device has been returned, inspected and accepted as a return. Refunds will be reduced by any restocking fees applicable to the transaction. Zoom or the ZfH Distributor will notify Customer if a return is rejected.

iii. Return Procedure. Customer may contact Zoom or the ZfH Distributor to request a return. Zoom and the ZfH Distributor will review the return request and, if eligible, will authorize the return. Please refer to the ZfH Distributor’s website for more information on return policies and qualification and requirements for return authorization.

iv. Customer’s Obligation to Inspect Delivery and Notify of Nonconformity. Customer shall inspect each delivery of the ZfH Device received from the ZfH Distributor without undue delay and notify Zoom or the ZfH Distributor if any items are damaged.

v. Shipping Delays. Customer acknowledges that certain shipments may be delayed due to circumstances beyond Zoom’s or the ZfH Distributor’s reasonable control. In no event shall Zoom or the ZfH Distributor be responsible for any damages associated with shipping delays.

vi. Access to Customer Data. Customer acknowledges that the ZfH Distributor will be fulfilling any order for a ZfH Device, and expressly authorizes Zoom to disclose Customer Data to the extent necessary to complete the transaction.

G. Zoom for Government. Zoom for Government is the Zoom Meeting Services and Zoom Phone Services offered by Zoom in a FedRAMP-compliant cloud environment. Zoom for Government enables customers to leverage a limited version of the Services in a separate, FedRAMP-compliant cloud environment hosted in Amazon Web Services Government Cloud and Zoom’s collocated data centers (e.g.
in San Jose, CA and New York), independent of Zoom’s standard commercial cloud environment. Further features, functionality, and solutions are described at https://www.zoomgov.com/. Zoom Meeting Services and Zoom for Government are independent environments and, therefore, data cannot be exchanged between them including, without limitation, instant messaging data or chat data.

1. FedRAMP Security Features. Zoom for Government is authorized as a FedRAMP Moderate ATO. TLS 1.2 or greater is required.

H. Zoom Marketplace. The Zoom Marketplace, available at https://marketplace.zoom.us, is a site hosted by Zoom to provide access to applications (the “Apps”) created by third party developers (“Publishers”) that are interoperable with Zoom Services, and make them available from both mobile and desktop client apps. Access to and use of the Zoom Marketplace and Zoom for Developers (available at https://developer.zoom.us) sites are governed by separate terms and conditions available at https://zoom.us/service. Besides testing for compatibility with Zoom, Zoom does not perform any other testing and does not warrant or support the Apps. Publishers are solely responsible for all aspects of the Apps they publish, including content, functionality, availability and support. Publishers are required to provide their own terms of service, privacy policy and support information (“Publisher Terms”). Customers who access or download Apps must enter into Publisher Terms directly with the Publisher. Zoom is not responsible for the Apps, their content, functionality, availability, or support. Apps are hosted AS IS and use of the Apps is at Customer’s own risk, subject to the Publisher Terms. Apps may become unavailable or be removed by a Publisher at any time and any data stored in them may be lost or become inaccessible.
Zoom is not responsible for Customer Data transferred to a Publisher, or for any transmission, collection, disclosure, security, modification, use or deletion of Customer Data by or through an App. Publishers may use Customer Data as permitted in the Publisher Terms. Use of the Apps may require Customer Data to be transferred to the Publisher and by accessing and using the App, Customer consents to the transfer of Customer Data by Zoom as required by the Publisher. Zoom does not support the Apps. Customer should contact the Publisher for support or questions. Zoom makes no representations and disclaims all warranties, express or implied, regarding Apps and reserves the right to remove an App from the Marketplace at any time, in its sole discretion.

I. Managed Domains. Zoom permits Customers to reserve domains associated with their enterprise and to manage any accounts that are subscribed to Zoom using that domain (“Managed Domain Customer”). Customer may only associate to the Zoom Services domain(s) that they own or are legally entitled to associate for use with the Services. In the event that a Zoom account is created or exists on the reserved domain, but is not authorized by the Managed Domain Customer (the “Non-Managed Domain Account”), the person using or creating such Non-Managed Domain Account will be notified that the domain is reserved for the Managed Domain Customer and will be requested to change the domain associated with the Non-Managed Domain Account. If the person using or creating such Non-Managed Domain Account does not change the domain within the period specified, that person will be deemed to have consented to the Non-Managed Domain Account being added to the Managed Domain Customer and to have further consented for all data associated with the Non-Managed Domain Account to be shared with the Managed Domain Customer.

Exhibit B
Technical and Organizational Security Measures

Zoom’s technical and organizational security measures for Processing Customer Personal Data will meet the Minimum-Security Control Requirements set out in this Schedule B (“Security Measures”). Customer recognizes that there may be multiple acceptable approaches to accomplish a particular minimum control requirement. Zoom must document in reasonable detail how a particular control meets the stated minimum control requirement. Zoom may revise the Security Measures from time to time. The term “should” in these Security Measures means that Zoom will use commercially reasonable efforts to accomplish the stated minimum control requirement and will document those efforts in reasonable detail, including the rationale, if any, for deviation. As used in these Security Measures, (i) “including” and its derivatives mean “including but not limited to”; and (ii) any capitalized terms not defined in this Schedule B shall have the same meaning as set forth in the Agreement.

1. Definitions
1.1. “Systems” means Zoom’s production systems.
1.2. “Assets” means Zoom’s production assets.
1.3. “Facilities” means Zoom’s production facilities, whether owned or leased by Zoom (e.g., AWS, data centers).
1.4. “Personal Data” means any information relating to an identified or identifiable natural person, including information that could be linked, directly or indirectly, with a particular Data Subject.
1.5. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.6. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

2. Risk Management
2.1. Risk Assessment Program. The effectiveness of controls must be regularly validated through a documented risk assessment program and appropriately managed remediation efforts.
2.2. Risk Assessment. A risk assessment must be performed annually to verify the implementation of controls that protect business operations and Confidential Information.

3. Security Policy
A documented set of rules and procedures must regulate the Processing of information and associated services.
3.1. Security Policies and Exception Process. Security policies must be documented, reviewed, and approved, with management oversight, on a periodic basis, following industry best practices.
3.2. A risk-based exception management process must be in place for prioritization, approval, and remediation or risk acceptance of controls that have not been adopted or implemented.
3.3. Awareness and Education Program. Security policies and responsibilities must be communicated and socialized within the organization to Zoom personnel. Zoom personnel must receive security awareness training on an annual basis.

4. Organizational Security
A personnel security policy must be in place to establish organizational requirements to ensure proper training, competent performance, and an appropriate and accountable security organization.
4.1. Organization. Current organizational charts representing key management responsibilities for services provided must be maintained.
4.2. Background Checks. Where legally permissible, background checks (including criminal) must be performed on applicable Zoom personnel.
4.3. Confidentiality Agreements. Zoom personnel must be subject to written non-disclosure or confidentiality obligations.

5. Technology Asset Management
Controls must be in place to protect Zoom production assets, including mechanisms to maintain an accurate inventory of assets and handling standards for introduction and transfer, removal and disposal of assets.
5.1. Accountability. A process for maintaining an inventory of hardware and software assets and other information resources, such as databases and file structures, must be documented. Process for periodic asset inventory reviews must be documented. Identification of unauthorized or unsupported hardware/software must be performed.
5.2. Asset Disposal or Reuse. If applicable, Zoom will use industry standards to wipe or carry out physical destruction as the minimum standard for disposing of assets. Zoom must have documented procedures for disposal or reuse of assets.
5.3. Procedures must be in place to remove data from production systems in which Customer’s Personal Data are stored, processed, or transmitted.

6. Physical and Environmental
Controls must be in place to protect systems against physical penetration by malicious or unauthorized people, damage from environmental contaminants and electronic penetration through active or passive electronic emissions.
6.1. Physical and Environmental Security Policy. Physical and environmental security plans must exist for facilities and scenarios involving access or storage of Customer’s Personal Data. Additional physical and environmental controls must be required and enforced for applicable facilities, including servers and datacenter locations.
6.2. Physical Access. Physical access, to include visitor access to facilities, must be restricted and all access periodically reviewed.
6.3. Policies must be in place to ensure that information is accessed on a need-to-know basis.
6.4. Environmental Control. Facilities, including data and processing centers, must maintain appropriate environmental controls, including fire detection and suppression, climate control and monitoring, power and back-up power solutions, and water damage detection. Environmental control components must be monitored and periodically tested.

7. Communication and Connectivity
Zoom must implement controls over its communication network to safeguard data. Controls must include securing the production network and implementation of encryption, logging and monitoring, and disabling communications where no business need exists.
7.1. Network Identification. A production network diagram, to include production devices, must be kept current to facilitate analysis and incident response.
7.2. Data Flow Diagram. A current data flow diagram must depict data from origination to endpoint (including data which may be shared with Subprocessors).
7.3. Data Storage. All of Customer’s Personal Data, including Customer’s Personal Data shared with subprocessors, must be stored and maintained in a manner that allows for its return or secure destruction upon request from Customer.
7.4. Firewalls. Firewalls must be used for the isolation of all environments, to include physical, virtual, network devices, production and non-production, and application/presentation layers. Firewall management must follow a process that includes restriction of administrative access, and that is documented, reviewed, and approved, with management oversight, on a periodic basis.
7.5. The production network must be either firewalled or physically isolated from the development and test environments. Multi-tier security architectures that segment application tiers (e.g., presentation layer, application and data) must be used.
7.6. Periodic network vulnerability scans must be performed, and any critical vulnerabilities identified must be remediated within a defined and reasonable timeframe.
7.7. Clock Synchronization. Production network devices must have internal clocks synchronized to reliable time sources.
7.8. Remote Access. The data flow in the remote connection must be encrypted and multi-factor authentication must be utilized during the login process.
7.9. Remote connection settings must limit the ability of remote users to access both initiating network and remote network simultaneously (i.e., no split tunneling).
7.10. Subprocessors’ remote access, if any, must adhere to the same controls and must have a valid business justification.
7.11. Wireless Access. Wireless access to the Zoom corporate network must be configured to require authentication and be encrypted.

8. Change Management
Changes to the production systems, production network, applications, data files structures, other system components, and physical/environmental changes must be monitored and controlled through a formal change control process. Changes must be reviewed, approved, and monitored during post-implementation to ensure that expected changes and their desired result are accurate.
8.1. Change Policy and Procedure. A change management policy, including application, operating system, network infrastructure, and firewall changes must be documented, reviewed, and approved, with management oversight, on a periodic basis.
8.2. The change management policy must include clearly identified roles and responsibilities so as to support separation of duties (e.g., request, approve, implement). The approval process must include pre- and post-evaluation of change. Zoom posts service status and scheduled maintenance at https://status.zoom.us.

9. Operations
Documented operational procedures must ensure the correct and secure operation of Zoom's assets. Operational procedures must be documented and include monitoring of capacity, performance, service level agreements and key performance indicators.

10. Access Control
Authentication and authorization controls must be appropriately robust for the risk of the system, data, application, and platform; access rights must be granted based on the principle of least privilege and monitored to log access and security events, using tools that enable rapid analysis of user activities.
10.1. Logical Access Control Policy. Documented logical access policies and procedures must support role-based, “need-to-know” access (e.g., interdepartmental transfers, terminations) and ensure separation of duties during the approval and provisioning process. Each account provisioned must be uniquely identified. User access reviews must be conducted on a periodic basis.
10.2. Privileged Access. Management of privileged user accounts (e.g., those accounts that have the ability to override system controls), to include service accounts, must follow a documented process and be restricted. A periodic review and governance process must be maintained to ensure appropriate provisioning of privileged access.
10.3. Authentication and Authorization. A documented authentication and authorization policy must cover all applicable systems. That policy must include password provisioning requirements, password complexity requirements, password resets, thresholds for lockout attempts, thresholds for inactivity, and assurance that no shared accounts are utilized. Authentication credentials must be encrypted, including in transit to and from subprocessors’ environments or when stored by subprocessors.

11. Data Integrity
Controls must ensure that any data stored, received, controlled, or otherwise accessed is accurate and reliable. Procedures must be in place to validate data integrity.
11.1. Data Transmission Controls. Processes, procedures, and controls must be documented, reviewed, and approved, with management oversight, on a periodic basis, to ensure data integrity during transmission and to validate that the data transmitted is the same as data received.
11.2. Data Transaction Controls. Controls must be in place to protect the integrity of data transactions at rest and in transit.
11.3. Encryption. Data must be protected and should be encrypted, both in transit and at rest, including when shared with subprocessors.
11.4. Data Policies. A policy must be in place to cover data classifications, encryption use, key and certificate lifecycle management, cryptographic algorithms and associated key lengths. This policy must be documented, reviewed, and approved with management oversight, on a periodic basis.
11.5. Encryption Uses. Customer Personal Data must be protected, and should be encrypted, while in transit and at rest. Confidential Information must be protected, and should be encrypted when stored and while in transit over any network; authentication credentials must be encrypted at all times, in transit or in storage.

12. Incident Response
A documented plan and associated procedures, to include the responsibilities of Zoom personnel and identification of parties to be notified in case of an information Security Incident, must be in place.
12.1. Incident Response Process. The information Security Incident management program must be documented, tested, updated as needed, reviewed, and approved, with management oversight, on a periodic basis. The incident management policy and procedures must include prioritization, roles and responsibilities, procedures for escalation (internal) and notification, tracking and reporting, containment and remediation, and preservation of data to maintain forensic integrity.

13. Business Continuity and Disaster Recovery
Zoom must have formal documented recovery plans to identify the resources and specify actions required to help minimize losses in the event of a disruption to the business unit, support group unit, application, or infrastructure component.
Plans assure timely and orderly recovery of business, support processes, operations, and technology components within an agreed upon time frame and include orderly restoration of business activities when the primary work environment is unavailable.
13.1. Business Recovery Plans. Comprehensive business resiliency plans addressing business interruptions of key resources supporting services, including those provided by subprocessors, must be documented, tested, reviewed, and approved, with management oversight, on a periodic basis. The business resiliency plan must have an acceptable alternative work location in place to ensure service level commitments are met.
13.2. Technology Recovery. Technology recovery plans to minimize service interruptions and ensure recovery of systems, infrastructure, databases, applications, etc., must be documented, tested, reviewed, and approved with management oversight, on a periodic basis.

14. Back-ups
Zoom must have policies and procedures for back-ups of Customer’s Personal Data. Backups must be protected using industry best practices.
14.1. Back-up and Redundancy Processes. Processes enabling full restoration of production systems, applications, and data must be documented, reviewed, and approved, with management oversight, on a periodic basis.

15. Third-Party Relationships
Subprocessors must be identified, assessed, managed, and monitored. Subprocessors that provide material services, or that support Zoom's provision of material services to Customers, must comply with control requirements no less stringent than those outlined in this document.
15.1. Selection and Oversight. Zoom must have a process to identify subprocessors providing services to Zoom; these subprocessors must be disclosed to Customer and approved to the extent required by this Agreement.
15.2. Lifecycle Management. Zoom must establish contracts with subprocessors providing material services; these contracts should incorporate security control requirements, including data protection controls and notification of security and privacy breaches must be included. Review processes must be in place to ensure subprocessors’ fulfillment of contract terms and conditions.

16. Standard Builds
Production systems must be deployed with appropriate security configurations and reviewed periodically for compliance with Zoom’s security policies and standards.
16.1. Secure Configuration Availability. Standard security configurations must be established and security hardening demonstrated. Process documentation must be developed, maintained, and under revision control, with management oversight, on a periodic basis. Configurations must include security patches, vulnerability management, default passwords, registry settings, file directory rights and permissions.
16.2. System Patches. Security patch process and procedures, to include requirements for timely patch application, must be documented.
16.3. Operating System. Versions of operating systems in use must be supported and respective security baselines documented.
16.4. Desktop Controls. Systems must be configured to provide only essential capabilities. The ability to write to removable media must be limited to documented exceptions.

17. Application Security
Zoom must have an established software development lifecycle for the purpose of defining, acquiring, developing, enhancing, modifying, testing, or implementing information systems. Zoom must ensure that web-based and mobile applications used to store, receive, send, control, or access Customer Personal Data are monitored, controlled, and protected.
17.1. Functional Requirements. Applications must implement controls that protect against known vulnerabilities and threats, including Open Web Application Security Project (OWASP) Top 10 Risks and denial of service (DDOS) attacks.
17.2. Application layer controls must provide the ability to filter the source of malicious traffic.
17.3. Restrictions must also be placed on or in front of web server resources to limit denial of service (DoS) attacks.
17.4. Zoom must monitor uptime on a hosted web or mobile application.
17.5. Software Development Life Cycle. A Software Development Life Cycle (SDLC) methodology, including release management procedures, must be documented, reviewed, approved, and version-controlled, with management oversight, on a periodic basis. These must include activities that foster the development of secure software.
17.6. Testing and Remediation. Software executables related to client/server architecture that are involved in handling Customer Personal Data must undergo vulnerability assessments (both the client and server components) prior to release and on an on-going basis, either internally or using external experts, and any gaps identified must be remediated in a timely manner.
17.6.1. Testing must be based on, at a minimum, the OWASP Top 10 risks (or the OWASP Mobile Top 10 risks, where applicable), or comparable replacement.
17.7. Zoom must conduct penetration testing on an annual basis.

18. Vulnerability Monitoring
Zoom must continuously gather information and analyze vulnerabilities in light of existing and emerging threats and actual attacks. Processes must include vulnerability scans, anti-malware, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), logging and security information and event management analysis and correlation.
18.1. Vulnerability Scanning and Issue Resolution. Vulnerability scans (authenticated and unauthenticated) and penetration tests must be performed against internal and external networks and applications periodically and prior to system provisioning for production systems that process, store or transmit Customer Data.
18.2. Malware. In production, Zoom must employ tools to detect, log, and disposition malware.
18.3. Intrusion Detection/Advanced Threat Protection. Network and host-based intrusion detection/advanced threat protection must be deployed with events generated fed into centralized systems for analysis. These systems must accommodate routine updates and realtime alerting. IDS/advanced threat protection signatures must be kept up to date to respond to threats.
18.4. Logging and Event Correlation. Monitoring and logging must support the centralization of security events for analysis and correlation. Organizational responsibility for responding to events must be defined. Retention schedule for various logs must be defined and followed.

19. Cloud Technology
Adequate safeguards must ensure the confidentiality, integrity, and availability of Customer Personal Data stored, processed or transmitted using cloud technology (either as a cloud customer or cloud provider, to include subprocessors), using industry standards.
19.1. Audit Assurance and Compliance. The cloud environment in which data is stored, processed or transmitted must be compliant with relevant industry standards and regulatory restrictions.
19.2. Application and Interface Security. Threat modeling should be conducted throughout the software development lifecycle, including vulnerability assessments, including Static/Dynamic scanning and code review, to identify defects and complete remediations before hosting in cloud environments.
19.3. Business Continuity Management and Operational Resiliency. Business continuity plans to meet recovery time objectives (RTO) and recovery point objectives (RPO) must be in place.
19.4. Data Security and Information Lifecycle Management. Proper segmentation of data environments and segregation must be employed; segmentation/segregation must enable proper sanitization, per industry requirements.
19.5. Encryption and Key Management. All communications must be encrypted in-transit between environments.
19.6. Governance and Risk Management. Comprehensive risk assessment processes and centralized monitoring that enables incident response and forensic investigation must be used to ensure proper governance and oversight.
19.7. Identity and Access Management. Management of accounts, including accounts with privileged access, must prevent unauthorized access and mitigate the impacts thereof.
19.8. Infrastructure and Virtualization Security. Controls defending against cyberattacks, including the principle of least privilege, baseline management, intrusion detection, host/network-based firewalls, segmentation, isolation, perimeter security, access management, detailed data flow information, network, time, and a SIEM solution must be implemented.
19.9. Supply Chain Management, Transparency and Accountability. Zoom must be accountable for the confidentiality, availability and integrity of production data, to include data processed in cloud environments by subprocessors.
19.10. Threat and Vulnerability Management. Vulnerability scans (authenticated and unauthenticated) must be performed, both internally and externally, for production systems. Processes must be in place to ensure tracking and remediation.

20. Audits
At least annually, Zoom will conduct an independent third-party review of its security policies, standards, operations, and procedures related to the Services provided to Customer.
Such review will be conducted in accordance with the AICPA's Statements on Standards for Attestation Engagements (SSAE), and Zoom will be issued a SOC 2 Type II report. Upon Customer's request, Zoom will provide Customer with a copy of the SOC 2 Type II report within thirty (30) days. If applicable, Zoom will provide a bridge letter to cover time frames not covered by the SOC 2 Type II audit period scope within 30 days, upon request by Customer. If exceptions are noted in the SOC 2 Type II audit, Zoom will document a plan to promptly address such exceptions and shall implement corrective measures within a reasonable and specific period. Upon Customer's reasonable request, Zoom will keep Customer informed of progress and completion of corrective measures.
20.1. Customer shall rely on the third-party audit SOC 2 Type II report for validation of proper information security practices and shall not have the right to audit, unless such right is granted under applicable law, except in the case of a Security Breach resulting in a material business impact to Customer. If Customer exercises the right to audit as a result of a Security Breach, such audit shall be within the scope of the Services. Customer will provide Zoom a minimum of thirty (30) days of notice prior to the audit. Zoom shall have the right to approve any third-party Customer may choose to conduct or be involved in the audit.

21. Specific Measures

Measure: Measures of pseudonymisation and encryption of personal data
Description:
• Optional End-to-End Encryption for Meetings: Users may choose to enable end-to-end encryption for Zoom meetings. This provides a high level of security since no third party — including Zoom — has access to the meeting’s private keys.
• Default Encryption: The connection between a given device and Zoom is encrypted by default, using a mixture of TLS 1.2+ (Transport Layer Security), Advanced Encryption Standard (AES) 256-bit encryption, and SRTP (Secure Real-time Transport Protocol). The precise methods used depend on whether a user uses the Zoom client, a web browser, a third-party device or service, or the Zoom phone product. For further information, please see our Encryption Whitepaper.

Measure: Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Description: Zoom utilizes security measures to ensure the ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.

Measure: Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Description: Zoom takes measures to facilitate the restoration of availability and access to our processing systems and services promptly in the event of a physical or technical incident.

Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Description: Zoom implements a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the data we process.

Measure: Measures for user identification and authorisation
Description:
• Protections against unauthorised meeting participants: Zoom has implemented numerous safeguards and controls to prohibit unauthorized participants from joining meetings:
  ◦ Eleven (11) digit unique meeting IDs
  ◦ Complex passwords
  ◦ Waiting rooms with the ability to automatically admit participants from your domain name or another selected domain
  ◦ Meeting lock feature that can prevent anyone from joining the meeting
  ◦ Ability to remove participants
  ◦ Authentication profiles that only allow entry to registered users, or restrict to specific email domains

Measure: Measures for the protection of data during transmission
Description:
• Optional End-to-End Encryption for Meetings: Users may choose to enable end-to-end encryption for Zoom meetings. This provides a high level of security since no third party — including Zoom — has access to the meeting’s private keys.
• Default Encryption: The connection between a given device and Zoom is encrypted by default, using a mixture of TLS 1.2+ (Transport Layer Security), Advanced Encryption Standard (AES) 256-bit encryption, and SRTP (Secure Real-time Transport Protocol). The precise methods used depend on whether a user uses the Zoom client, a web browser, a third-party device or service, or the Zoom phone product. For further information, please see our Encryption Whitepaper.

Measure: Measures for the protection of data during storage
Description:
• Cloud Recording Storage: Cloud Recordings are processed and stored in Zoom’s cloud after the meeting has ended; these recordings can be passcode-protected or available only to people in your organization. If a meeting host enables cloud recording and audio transcripts, both will be stored encrypted.
• File transfer storage: If a meeting host enables file transfer through in-meeting chat, those shared files will be stored encrypted and will be deleted within 31 days of the meeting.
• Cloud recording access: Recording access for a meeting is limited to the meeting host and account admin. The meeting/webinar host authorizes others to access the recording with options to share publicly, internal-only, add registration to view, enable/disable ability to download, and an option to protect the recording.
• Authentication: Zoom offers a range of authentication methods such as SAML, Google Sign-in and Facebook Login, and/or Password based which can be individually enabled/disabled for an account.
• 2-Factor Authentication ("2FA"): Admins can enable 2FA for your users, requiring them to set up and use 2FA to access the Zoom web portal.

Measure: Measures for ensuring physical security of locations at which personal data are processed
Description: Controls are in place to protect systems against physical penetration by malicious or unauthorized people, damage from environmental contaminants and electronic penetration through active or passive electronic emissions.

Measure: Measures for ensuring events logging
Description: Zoom implements a standard requiring all systems to log relevant security access events.

Measure: Measures for ensuring system configuration, including default configuration
Description: Zoom implements a standard specifying the minimum requirements for configuration management as it applies to Zoom’s corporate and commercial environment.

Measure: Measures for internal IT and IT security governance and management
Description: Zoom implements policies and standards governing internal IT and IT security governance and management.

Measure: Measures for certification/assurance of processes and products
Description: Zoom implements a Security Audit and Accountability policy.

Measure: Measures for ensuring data minimisation
Description: Zoom implements a privacy review in its software development lifecycle to align product development with the principle of data minimization.

Measure: Measures for ensuring data quality
Description: Zoom implements a System and Information Integrity Policy.

Measure: Measures for ensuring limited data retention
Description: We retain personal data for as long as required to engage in the uses described in our Privacy Statement, unless a longer retention period is required by applicable law. The criteria used to determine our retention periods include the following:
• The length of time we have an ongoing customer relationship;
• Whether account owners modify or their users delete information through their accounts;
• Whether we have a legal obligation to keep the data (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
• Whether retention is advisable in light of our legal position (such as in regard to the enforcement of our agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).

Measure: Measures for ensuring accountability
Description: Zoom implements a Security Audit and Accountability policy.

Measure: Measures for allowing data portability and ensuring erasure
Description: Zoom’s paying customers can access their account data through their dashboard.

Data importer
The data importer is a provider of communication software, services, systems, and/or technologies.

DocuSign Envelope ID: E106FD3E-C0DA-4B48-A355-6E6DA59F191A