HomeMy WebLinkAboutC24-323 Rule4, Inc.AGREEMENT FOR CYBERSECURITY CONSULTING SERVICES BETWEEN EAGLE COUNTY, COLORADO AND RULE4, INC. THIS AGREEMENT (“Agreement”) is effective as of _______________ by and between Rule4, Inc., a Colorado public benefit corporation (hereinafter “Contractor” or “Consultant”) and Eagle County, Colorado, a body corporate and politic (hereinafter “County”). RECITALS WHEREAS, the Country requires cybersecurity services on an hourly basis at the county building located at 500 Broadway, Eagle, Colorado (the “Property”) and via remote means as appropriate and reasonable by way of technology; and WHEREAS, Contractor is authorized to do business in the State of Colorado and has the time, skill, expertise, and experience necessary to provide the Services as defined below in paragraph 1 hereof; and WHEREAS, this Agreement shall govern the relationship between Contractor and County in connection with the Services. AGREEMENT NOW, THEREFORE, in consideration of the foregoing and the following promises Contractor and County agree as follows: 1. Services or Work. Contractor agrees to diligently provide all services, labor, personnel and materials necessary to perform and complete the on-call services or work at the rates set forth in Exhibit A and as described in Exhibit A or in any formal proposal for specific on-call services to be provided by Contractor and approved by County in writing (“Services” or “Work”). Exhibit A is attached hereto and incorporated herein by reference. The Services shall be performed in accordance with the provisions and conditions of this Agreement. a. Contractor agrees to furnish the Services in accordance with the schedule established in each proposal approved by County. If no completion date is specified, then Contractor agrees to furnish the Services in a timely and expeditious manner consistent with the applicable standard of care. By signing below, Contractor represents that it has the expertise and personnel necessary to properly and timely perform the Services. b. In the event of any conflict or inconsistency between the terms and conditions set forth in Exhibit A and the terms and conditions set forth in this Agreement, the terms and conditions set forth in this Agreement shall prevail. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 7/31/2024 2 Eagle County On-Call General Services IT final 8/15/2022 2. County’s Representative. The I.T. Department’s designee shall be Contractor’s contact with respect to this Agreement and performance of the Services. 3. Term of the Agreement. This Agreement shall commence upon the date first written above, and subject to the provisions of paragraph 11 hereof, shall continue in full force and effect through the 31st day of December 2024. 4. Extension or Modification. This Agreement may be extended for up to three additional one year terms upon written agreement of the parties. Any amendments or modifications shall be in writing signed by both parties. No additional services or work performed by Contractor shall be the basis for additional compensation unless and until Contractor has obtained written authorization and acknowledgement by County for such additional services in accordance with County’s internal policies. Accordingly, no course of conduct or dealings between the parties, nor verbal change orders, express or implied acceptance of alterations or additions to the Services, and no claim that County has been unjustly enriched by any additional services, whether or not there is in fact any such unjust enrichment, shall be the basis of any increase in the compensation payable hereunder. In the event that written authorization and acknowledgment by County for such additional services is not timely executed and issued in strict accordance with this Agreement, Contractor’s rights with respect to such additional services shall be deemed waived and such failure shall result in non-payment for such additional services or work performed. 5. Compensation. County shall compensate Contractor for the performance of the Services in accordance with the fee schedule set forth in Exhibit A. Prior to commencement of Services, Contractor shall first provide County with a written estimate which shall include an estimate of the labor, materials and any additional costs necessary to perform the Services. Each estimate must be approved by County’s Representative prior to commencement of the Services by Contractor and all rates shall be in accordance with the fee schedule set forth in Exhibit A. Total compensation for all Services under this Agreement shall not exceed $50,000. Hourly work performed outside of standard business hours (6:00 a.m. to 7:00 p.m. Mountain Time, Monday through Friday excluding holidays) at County’s request will be billed at the applicable hourly rate(s) plus an additional 50% surcharge. With express prior written approval by County, County will reimburse Contractor for reasonable, actual costs of out-of-state transportation, lodging, and meals incurred as a direct result of service delivery, if applicable. a. Payment will be made for Services satisfactorily performed within thirty (30) days of receipt of a proper and accurate invoice from Contractor. All invoices shall include detail regarding the hours spent, tasks performed, and the role of the individual who performed each task. b. If, at any time during the term or after termination or expiration of this Agreement, County reasonably determines that any payment made by County to Contractor was improper because the Services for which payment was made were not performed as set forth in this Agreement, then upon written notice of such determination and request for reimbursement from County, Contractor shall forthwith return such payment(s) to County. Upon termination or expiration of this Agreement, unexpended funds advanced by County, if any, shall forthwith be returned to County. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 3 Eagle County On-Call General Services IT final 8/15/2022 c. County will not withhold any taxes from monies paid to the Contractor hereunder and Contractor agrees to be solely responsible for the accurate reporting and payment of any taxes related to payments made pursuant to the terms of this Agreement. d. Notwithstanding anything to the contrary contained in this Agreement, County shall have no obligations under this Agreement after, nor shall any payments be made to Contractor in respect of any period after December 31 of any year, without an appropriation therefor by County in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20). e. Rates for supplementary hourly work are subject to change with 30 days’ advance written notice to County. The rate for the fixed cost phase is modifiable subject to a mutually agreed upon written change order detailing the factors necessitating the change. 6. Subcontractors. Contractor acknowledges that County has entered into this Agreement in reliance upon the particular reputation and expertise of Contractor. Contractor shall not enter into any subcontractor agreements for the performance of any of the Services or additional services without County’s prior written consent, which may be withheld in County’s sole discretion. County shall have the right in its reasonable discretion to approve all personnel assigned to perform the Services during the performance of this Agreement and no personnel to whom County has an objection, in its reasonable discretion, shall be assigned to the Project. Contractor shall require each subcontractor, as approved by County and to the extent of the Services to be performed by the subcontractor, to be bound to Contractor by the terms of this Agreement, and to assume toward Contractor all the obligations and responsibilities which Contractor, by this Agreement, assumes toward County. County shall have the right (but not the obligation) to enforce the provisions of this Agreement against any subcontractor hired by Contractor and Contractor shall cooperate in such process. The Contractor shall be responsible for the acts and omissions of its agents, employees and subcontractors. 7. Insurance. Contractor agrees to provide and maintain at Contractor’s sole cost and expense, the following insurance coverage with limits of liability not less than those stated below: a. Types of Insurance. i. Workers’ Compensation insurance as required by law. ii. Auto coverage with limits of liability not less than $1,000,000 each accident combined bodily injury and property damage liability insurance, including coverage for owned, hired, and non-owned vehicles. iii. Commercial General Liability coverage to include premises and operations, personal/advertising injury, products/completed operations, broad form property damage with limits of liability not less than $1,000,000 per occurrence and $1,000,000 aggregate limits. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 4 Eagle County On-Call General Services IT final 8/15/2022 iv. Professional Liability (Errors and Omissions) including Cyber Liability with prior acts coverage for all deliverables, Services and additional services required hereunder, in a form and with insurer or insurers satisfactory to County, with limits of liability of not less than $3,000,000 per claim and $3,000,000 in the aggregate. The insurance shall provide coverage for (i) liability arising from theft, dissemination and/or use of confidential information stored or transmitted in electronic form; (ii) Network Security Liability arising from unauthorized access to, use of or tampering with computer systems including hacker attacks, inability of an authorized third party to gain access to your Software or Services including denial of access or Services unless caused by a mechanical or electrical failure; (iii) liability arising from the introduction of a computer virus into, or otherwise causing damage to, County or a third person’s computer, computer system, network or similar computer related property and the data, software and programs thereon. v. Crime Coverage shall include employee dishonesty, forgery or alteration and computer fraud. If Consultant is physically located on County premises, third party fidelity coverage extension shall apply. The policy shall include coverage for all directors, officers and employees of the Consultant. The bond or policy shall include coverage for extended theft and mysterious disappearance. The bond or policy shall not contain a condition requiring an arrest or conversion. Limits shall be a minimum of $1,000,000 per loss. b. Other Requirements. i. The automobile and commercial general liability coverage shall be endorsed to include Eagle County, its associated or affiliated entities, its successors and assigns, elected officials, employees, agents and volunteers as additional insureds. A certificate of insurance consistent with the foregoing requirements is attached hereto as Exhibit B. ii. Contractor’s certificates of insurance shall include subcontractors, if any as additional insureds under its policies or Contractor shall furnish to County separate certificates and endorsements for each subcontractor. iii. The insurance provisions of this Agreement shall survive expiration or termination hereof. iv. The parties hereto understand and agree that the County is relying on, and does not waive or intend to waive by any provision of this Agreement, the monetary limitations or rights, immunities and protections provided by the Colorado Governmental Immunity Act, as from time to time amended, or otherwise available to County, its affiliated entities, successors or assigns, its elected officials, employees, agents and volunteers. v. Contractor is not entitled to workers’ compensation benefits except as provided by the Contractor, nor to unemployment insurance benefits unless unemployment compensation coverage is provided by Contractor or some other entity. The Contractor is obligated to pay all federal and state income tax on any moneys paid pursuant to this Agreement. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 5 Eagle County On-Call General Services IT final 8/15/2022 8. Indemnification. The Contractor shall indemnify and hold harmless County, and any of its officers, agents and employees against any losses, claims, damages or liabilities for which County may become subject to insofar as any such losses, claims, damages or liabilities arise out of, directly or indirectly, this Agreement, or are based upon any performance or nonperformance by Contractor or any of its subcontractors hereunder; and Contractor shall reimburse County for reasonable attorney fees and costs, legal and other expenses incurred by County in connection with investigating or defending any such loss, claim, damage, liability or action. This indemnification shall not apply to claims by third parties against the County to the extent that County is liable to such third party for such claims without regard to the involvement of the Contractor. This paragraph shall survive expiration or termination hereof. 9. Ownership of Documents. All documents (including electronic files) and materials obtained during, purchased or prepared in the performance of the Services shall remain the property of the County and are to be delivered to County before final payment is made to Contractor or upon earlier termination of this Agreement. 10. Notice. Any notice required by this Agreement shall be deemed properly delivered when (i) personally delivered, or (ii) when mailed in the United States mail, first class postage prepaid, or (iii) when delivered by FedEx or other comparable courier service, charges prepaid, to the parties at their respective addresses listed below, or (iv) when transmitted via e-mail with confirmation of receipt. Either party may change its address for purposes of this paragraph by giving five (5) days prior written notice of such change to the other party. COUNTY: Eagle County, Colorado Attention: Scott Lingle 500 Broadway Post Office Box 850 Eagle, CO 81631 Telephone: 970-328-3581 E-Mail: Scott.Lingle@eaglecounty.us With a copy to: Eagle County Attorney 500 Broadway Post Office Box 850 Eagle, Co 81631 Telephone: 970-328-8685 E-Mail: atty@eaglecounty.us CONTRACTOR: Rule4, Inc. Attention: Paul Nelson Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 6 Eagle County On-Call General Services IT final 8/15/2022 3002 Bluff Street, Suite 100 Boulder, CO 80301 Telephone:720-580-5635 Email: paul@rule4.com, contracts-admin@rule4.com 11. Termination. County or Contractor may terminate this Agreement, in whole or in part, at any time and for any reason, with or without cause, and without penalty therefor with seven (7) calendar days’ prior written notice to the Contractor. Upon termination of this Agreement, Contractor shall immediately provide County with all documents as defined in paragraph 9 hereof, in such format as County shall direct and shall return all County owned materials and documents. County shall pay Contractor for Services satisfactorily performed to the date of termination. 12. Venue, Jurisdiction and Applicable Law. Any and all claims, disputes or controversies related to this Agreement, or breach thereof, shall be litigated in the District Court for Eagle County, Colorado, which shall be the sole and exclusive forum for such litigation. This Agreement shall be construed and interpreted under and shall be governed by the laws of the State of Colorado. 13. Execution by Counterparts; Electronic Signatures. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which shall constitute one and the same instrument. The parties approve the use of electronic signatures for execution of this Agreement. Only the following two forms of electronic signatures shall be permitted to bind the parties to this Agreement: (i) Electronic or facsimile delivery of a fully executed copy of the signature page; (ii) the image of the signature of an authorized signer inserted onto PDF format documents. All documents must be properly notarized, if applicable. All use of electronic signatures shall be governed by the Uniform Electronic Transactions Act, C.R.S. 24-71.3-101 to 121. 14. Other Contract Requirements and Contractor Representations. a. Contractor has familiarized itself with the nature and extent of the Services to be provided hereunder and the Property, and with all local conditions, federal, state and local laws, ordinances, rules and regulations that in any manner affect cost, progress, or performance of the Services. b. Contractor will make, or cause to be made, examinations, investigations, and tests as he deems necessary for the performance of the Services. c. To the extent possible, Contractor has correlated the results of such observations, examinations, investigations, tests, reports, and data with the terms and conditions of this Agreement. d. To the extent possible, Contractor has given County written notice of all conflicts, errors, or discrepancies. e. Contractor shall be responsible for the completeness and accuracy of the Services and shall correct, at its sole expense, all significant errors and omissions in performance of the Services. The fact that the County has accepted or approved the Services shall not relieve Contractor of any of its Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 7 Eagle County On-Call General Services IT final 8/15/2022 responsibilities. Contractor shall perform the Services in a skillful, professional and competent manner and in accordance with the standard of care, skill and diligence applicable to contractors performing similar services. Contractor represents and warrants that it has the expertise and personnel necessary to properly perform the Services and shall comply with the highest standards of customer service to the public. Contractor shall provide appropriate supervision to its employees to ensure the Services are performed in accordance with this Agreement. This paragraph shall survive termination of this Agreement. f. Contractor agrees to work in an expeditious manner, within the sound exercise of its judgment and professional standards, in the performance of this Agreement. Time is of the essence with respect to this Agreement. g. This Agreement constitutes an agreement for performance of the Services by Contractor as an independent contractor and not as an employee of County. Nothing contained in this Agreement shall be deemed to create a relationship of employer-employee, master-servant, partnership, joint venture or any other relationship between County and Contractor except that of independent contractor. Contractor shall have no authority to bind County. h. Contractor represents and warrants that at all times in the performance of the Services, Contractor shall comply with any and all applicable laws, codes, rules and regulations. i. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all other agreements or understanding between the parties with respect thereto. j. Contractor shall not assign any portion of this Agreement without the prior written consent of the County. Any attempt to assign this Agreement without such consent shall be void. k. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their respective permitted assigns and successors in interest. Enforcement of this Agreement and all rights and obligations hereunder are reserved solely for the parties, and not to any third party. l. No failure or delay by either party in the exercise of any right hereunder shall constitute a waiver thereof. No waiver of any breach shall be deemed a waiver of any preceding or succeeding breach. m. The invalidity, illegality or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision hereof. n. The signatories to this Agreement aver to their knowledge no employee of the County has any personal or beneficial interest whatsoever in the Services or Property described in this Agreement. The Contractor has no beneficial interest, direct or indirect, that would conflict in any manner or degree with the performance of the Services and Contractor shall not employ any person having such known interests. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 8 Eagle County On-Call General Services IT final 8/15/2022 15. Data Security. a. Definitions: i. “County Data” means all data created by or in any way originating with County and End Users, and all information that is the output of any computer processing, or other electronic manipulation, of any information that was created by or in any way originating with County and End Users, in the course of using and configuring the Services provided under this Agreement, and includes all records relating to County’s use of Contractor Services and Protected Information. ii. “End User” means the individuals (including, but not limited to employees, authorized agents, students and volunteers of County; Third Party consultants, auditors and other independent contractors performing services for County; any governmental, accrediting or regulatory bodies lawfully requesting or requiring access to any Services; customers of County provided services; and any external users collaborating with County) authorized by County to access and use the Services provided by Contractor under this Agreement. iii. “Protected Information” includes, but is not limited to, personally-identifiable information, student records, protected health information, criminal justice information or individual financial information and other data defined under C.R.S. §§ 24-72-101 et seq., and personal information that is subject to local, state or federal statute, regulatory oversight or industry standard restricting the use and disclosure of such information. The loss of such Protected Information would constitute a direct damage to the County. iv. “Security Incident” means the potentially unauthorized access by non-authorized persons to personal data or non-public data the Contractor believes could reasonably result in the use, disclosure or theft of County Data within the possession or control of the vendor. A Security Incident may or may not turn into a data breach. b. During the course of Contractor's performance of the Work, the Contractor may be required to maintain, store, process or control County Data. The Contractor represents and warrants that: i. Contractor will take all reasonable precautions to maintain all County Data in a secure environment to prevent unauthorized access, use, or disclosure, including industry-accepted firewalls, up-to-date anti-virus software, and controlled access to the physical location of the hardware containing County Data; ii. Contractor’s collection, access, use, storage, disposal and disclosure of County Data shall comply with all applicable data protection laws, as well as all other applicable regulations and directives; iii. Contractor will notify County of any Security Incident as soon as practicable, but no later than 24 hours after Contractor becomes aware of it; iv. Contractor will provide information sufficient to satisfy County’s legal and regulatory notice obligations. Upon notice of a Security Incident, County shall have the authority to direct Contractor to provide notice to any potentially impacted individual or entity, at Contractor’s expense, and Contractor shall be liable for any resulting damages to County. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 9 Eagle County On-Call General Services IT final 8/15/2022 v. Where Contractor has been contracted to maintain, store or process personal information on behalf of the County, it shall be deemed a “Third-Party Service Provider as defined in C.R.S. § 24-73-103(1)(i), and Contractor shall maintain security procedures and practices consistent with C.R.S §§ 24-73-101 et seq.; and vi. Contractor will promptly return or destroy any County Data upon request from the County Representative. c. Contractor’s indemnification obligations identified elsewhere in this Contract shall apply to any breach of the provisions of this Paragraph. [REST OF PAGE INTENTIONALLY LEFT BLANK] Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 10 Eagle County On-Call General Services IT final 8/15/2022 IN WITNESS WHEREOF, the parties have executed this Agreement the day and year first set forth above. COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER By: ______________________________ Jeff Shroll, County Manager CONSULTANT RULE4, INC. By: _____________________________________ Print Name: ______________________________ Title: ___________________________________ Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E Paul Nelson CTO 11 Eagle County On-Call General Services IT final 8/15/2022 EXHIBIT A Services and Fee Schedule Rule4 (Contractor) will provide cybersecurity and infrastructure consulting and advisory services in Rule4’s practice areas as requested by County. County will compensate Rule4 on an hourly basis at the following rates: Hourly work performed outside of standard business hours (6:00 a.m. to 7:00 p.m. Mountain Time, Monday through Friday excluding holidays) at County’s request will be billed at the applicable hourly rate(s) plus an additional 50% surcharge. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 12 Eagle County On-Call General Services IT final 8/15/2022 With express prior written approval by County, County will reimburse Rule4 for reasonable, actual costs of out-of- state transportation, lodging, and meals incurred as a direct result of this service delivery, if applicable. Phase Details Phase I - IR Plan, Training Workshop & Tabletop Exercise Rule4 will lead Eagle County through IR plan development, training, and testing that aligns with industry best practices. The detailed Eagle County-unique IR plan will be followed by IR training in preparation for a tabletop exercise. This training will be an in-person or virtual 60- to 90-minute workshop. After training, Rule4 will conduct one three-hour IR tabletop exercise, intended to occur in-person at the Eagle County offices pending local health regulations. The goals of the IR plan are to: • Provide Eagle County with the information required for effectively conducting incident response. • Identify roles and responsibilities of the Eagle County IR team, and order of operations for incident response. • Provide a standard framework for multi-organization, collaborative incident response. The goals of the training workshop are to: • Familiarize Eagle County staff with the organization's IR plan created earlier in this phase. • Understand what constitutes a cybersecurity incident and how to determine the appropriate response. • Train Eagle County staff on what to do and not to do during a suspected incident. • Educate the Eagle County team on evidence handling and forensic capture requirements. The goals of the tabletop exercise are to: • Provide a test scenario that is customized to Eagle County and its needs, focusing on relevant threats and existing vulnerabilities. • Provide post-mortem analysis that evaluates Eagle County's preparedness to handle an incident. • Additional training and tabletop exercises will be performed upon request by Eagle County, and estimated costs will be provided in writing prior to execution. • Deliverable. This phase will result in a detailed IR plan, customized to Eagle County's unique needs and vulnerabilities. This will be followed by a detailed written report summarizing the tabletop exercise, what was learned, and recommendations to continue to improve Eagle County's incident response preparation. Phase II – vCIRT Rule4 will provide virtual Cybersecurity Incident Response Team (vCIRT) services to Eagle County including incident response, forensic image acquisition and analysis, incident management and reporting, and expert cybersecurity guidance during an incident. These monthly retainer hours can be used towards incident response efforts and other cybersecurity services. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 13 Eagle County On-Call General Services IT final 8/15/2022 This team will work alongside Eagle County's in-house technical and security teams to perform cybersecurity incident management services and provide 7x24 access to a cybersecurity incident forensics team. Services performed through this engagement include, but are not limited to: • Incident response and reporting • Forensic imaging and analysis • On-Site Incident Command – On-site leadership and management of active incidents (where appropriate, at the request of Eagle County) • Facilitated full-scale incident response exercises • Expert witness testimony • On-site or remote incident response training • Facilitation of post-mortem analysis and discussion • Other remediation and mitigation efforts, as requested by Eagle County Incident response, forensic services, and any other cybersecurity services listed above beyond the retained hours will be billed at the additional hourly rates listed in Section 5.a. Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E 14 Eagle County On-Call General Services IT final 8/15/2022 EXHIBIT B INSURANCE CERTIFICATES Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. INSURER(S) AFFORDING COVERAGE INSURER F : INSURER E : INSURER D : INSURER C : INSURER B : INSURER A : NAIC # NAME:CONTACT (A/C, No):FAX E-MAILADDRESS: PRODUCER (A/C, No, Ext):PHONE INSURED REVISION NUMBER:CERTIFICATE NUMBER:COVERAGES IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. OTHER: (Per accident) (Ea accident) $ $ N / A SUBR WVD ADDL INSD THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. $ $ $ $PROPERTY DAMAGE BODILY INJURY (Per accident) BODILY INJURY (Per person) COMBINED SINGLE LIMIT AUTOS ONLY AUTOSAUTOS ONLY NON-OWNED SCHEDULEDOWNED ANY AUTO AUTOMOBILE LIABILITY Y / N WORKERS COMPENSATION AND EMPLOYERS' LIABILITY OFFICER/MEMBER EXCLUDED? (Mandatory in NH) DESCRIPTION OF OPERATIONS below If yes, describe under ANY PROPRIETOR/PARTNER/EXECUTIVE $ $ $ E.L. DISEASE - POLICY LIMIT E.L. DISEASE - EA EMPLOYEE E.L. EACH ACCIDENT EROTH-STATUTEPER LIMITS(MM/DD/YYYY)POLICY EXP(MM/DD/YYYY)POLICY EFFPOLICY NUMBERTYPE OF INSURANCELTRINSR DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) EXCESS LIAB UMBRELLA LIAB $EACH OCCURRENCE $AGGREGATE $ OCCUR CLAIMS-MADE DED RETENTION $ $PRODUCTS - COMP/OP AGG $GENERAL AGGREGATE $PERSONAL & ADV INJURY $MED EXP (Any one person) $EACH OCCURRENCE DAMAGE TO RENTED $PREMISES (Ea occurrence) COMMERCIAL GENERAL LIABILITY CLAIMS-MADE OCCUR GEN'L AGGREGATE LIMIT APPLIES PER: POLICY PRO-JECT LOC CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) CANCELLATION AUTHORIZED REPRESENTATIVE ACORD 25 (2016/03) © 1988-2015 ACORD CORPORATION. All rights reserved. CERTIFICATE HOLDER The ACORD name and logo are registered marks of ACORD HIRED AUTOS ONLY 1/8/2024 Marsh &McLennan Agency LLC Marsh &McLennan Ins Agency LLC 1255 Treat Boulevard #950 Walnut Creek CA 94597 Felicia McAroy +1 (925)482-9337 felicia.mcaroy@marshmma.com License#:0H18131 At-Bay Specialty Insurance Company 19607 RULE4INC Rule4,Inc. 3002 Bluff Street Suite 100 Boulder CO 80301 1902341878 A Cyber Liability AB660377205 1/18/2024 1/18/2025 Aggregate Limit Retention $5,000,000 $15,000 Evidence of Coverage Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) 10/11/2023 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND,EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW.THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT:If the certificate holder is an ADDITIONAL INSURED,the policy(ies)must be endorsed.If SUBROGATIONIS WAIVED, subject to the terms and conditions of the policy,certain policies may require an endorsement.A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER NUTMEG INS AGENCY INC/PHS 76210775 The Hartford Business Service Center 3600 Wiseman Blvd San Antonio, TX 78251 CONTACT NAME: PHONE (A/C, No, Ext): (888) 925-3137 FAX (A/C, No): E-MAIL ADDRESS: INSURER(S) AFFORDING COVERAGE NAIC# INSURED RULE4, INC. 3002 BLUFF ST STE BOULDER CO 80301 INSURER A : Hartford Underwriters Insurance Company 30104 INSURER B : Hartford Insurance Company of the Southeast 38261 INSURER C : INSURER D : INSURER E : INSURER F : COVERAGES CERTIFICATE NUMBER:REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED.NOTWITHSTANDING ANY REQUIREMENT,TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN,THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR LTR TYPE OF INSURANCE ADDL INSR SUBR WVD POLICY NUMBER POLICY EFF (MM/DD/YYYY) POLICY EXP (MM/DD/Y YYY) LIMITS A COMMERCIAL GENERAL LIABILITY 76 SBU AN5CLH 09/28/2023 09/28/2024 EACH OCCURRENCE $2,000,000 CLAIMS-MADE X OCCUR DAMAGE TO RENTED PREMISES (Ea occurrence)$1,000,000 X General Liability MED EXP (Any one person)$10,000 PERSONAL & ADV INJURY $2,000,000 GEN'L AGGREGATE LIMIT APPLIES PER:GENERAL AGGREGATE $4,000,000 X POLICY PRO- JECT LOC PRODUCTS - COMP/OP AGG $4,000,000 OTHER: A AUTOMOBILE LIABILITY 76 SBU AN5CLH 09/28/2023 09/28/2024 COMBINED SINGLE LIMIT (Ea accident)$2,000,000 ANY AUTO BODILY INJURY (Per person) ALL OWNED AUTOS SCHEDULED AUTOS BODILY INJURY (Per accident) X HIRED AUTOS X NON-OWNED AUTOS PROPERTY DAMAGE (Per accident) A X UMBRELLA LIAB EXCESS LIAB X OCCUR CLAIMS- MADE 76 SBU AN5CLH 09/28/2023 09/28/2024 EACH OCCURRENCE $1,000,000 AGGREGATE $1,000,000 DED RETENTION $ 10,000 B WORKERS COMPENSATION AND EMPLOYERS' LIABILITY ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Mandatory in NH) If yes, describe under DESCRIPTION OF OPERATIONS below N/ A 76 WEG AN5DLL 09/28/2023 09/28/2024 X PER STATUTE OTH- ER Y/N E.L. EACH ACCIDENT $1,000,000 E.L. DISEASE -EA EMPLOYEE $1,000,000 E.L. DISEASE - POLICY LIMIT $1,000,000 A Data Breach - Defense & Liab Covg 76 SBU AN5CLH 09/28/2023 09/28/2024 Limit $50,000 DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) Those usual to the Insured's Operations. CERTIFICATE HOLDER CANCELLATION For Informational Purposes 3002 BLUFF ST STE BOULDER CO 80301 SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF,NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. AUTHORIZED REPRESENTATIVE © 1988-2015 ACORD CORPORATION. All rights reserved. ACORD 25 (2016/03)The ACORD name and logo are registered marks of ACORD Docusign Envelope ID: E356F5E3-2BF5-4D0A-BEDB-669D2FA4365E