Exhibit 10.1

ADDENDUM TO MASTER SERVICES AGREEMENT

Addendum, dated as of September 22, 2011, between Internap Network Services Corporation and SoundBite Communications, Inc. (“SoundBite”), to the Master Services Agreement, dated August 28, 2003 (the “Agreement”).

 

1. As the parties wish to add security requirements to the Agreement, the parties agree to add Attachment A attached to this Addendum to the Agreement.

 

2. If there is a conflict between the terms of this Addendum and the terms of the Agreement, this Addendum shall control. Except as modified by this Addendum, the Agreement shall continue to apply.

 

INTERNAP NETWORK SERVICES CORPORATION
By: LOGO
Name: Bruce S. Hoffman
Title: Director of Sales
Date: 9/21/2011

SOUNDBITE COMMUNICATIONS, INC.
By: LOGO
Name: Robert C. Leahy
Title: COO & CFO
Date: 9/22/11

 

[Page 1 of 14]


ATTACHMENT A

INFORMATION SECURITY STANDARD

Introduction

This SoundBite Information Security Standard defines the information protection controls used to protect SoundBite Information and applies to any organization (Company) that stores, processes, transmits, or accesses that information. SoundBite uses these controls internally and, to the degree that a vendor to SoundBite handles SoundBite Information, particularly SoundBite Confidential Information or SoundBite Highly Confidential Information, SoundBite requires that Company meet these security requirements as well.

This standard is based on industry-accepted standards including, but not limited to, the PCI DSS, NIST 800-53, and ISO 27002.

This standard reflects the superset of SoundBite’s information protection requirements which originate from SoundBite’s regulatory requirements, contractual requirements, and internal risk management requirements.

 

1. Definitions

 

  1.1. Information Security Executive Sponsor – Company executive officer or director with ultimate responsibility for the Information Security Program.

 

  1.2. Information Security Officer – Person responsible for the day-to-day management of the Information Security Program.

 

  1.3. Information Security Policy – Company policy documents that outline the high-level requirements or rules that define the Information Security Program. Compliance is mandatory.

 

  1.4. Information Security Program – The people, processes, and technology required to implement, to operate, to manage, to maintain, and to assure conformance by Company with the Information Security Plan and Information Security Policies.

 

  1.5. Malicious Code – Viruses, worms, Trojans, back-doors, root kits, malware and any other software that may disrupt business or compromise data confidentiality or integrity.

 

  1.6. Security Incident – Any event including, but not limited to, a hacking attack, system compromise, information mishandling, policy violation, loss of information, theft of information, or fraud that Company knows or suspects might have resulted in a failure to protect the confidentiality of SoundBite Confidential Information.

 

  1.7. Service – Any services or work performed on behalf of SoundBite Communications.

 

  1.8. SoundBite Confidential Information – Any information or data made available to Company by SoundBite except for information contractually excluded from confidentiality obligations, such as public information. SoundBite Highly Confidential Information is a subset of SoundBite Confidential Information.

 

  1.9. SoundBite Highly Confidential Information – Any information or data made available to Company by SoundBite that includes information that could be used to identify a person. This includes but is not limited to consumer names when provided in conjunction with identifying information such as a phone number, Card Holder Data (CHD) as defined by the Payment Card Industry (PCI) Data Security Standard (DSS), Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (P.L.104-191) (HIPAA), Non-Public Personal Information (NPI) as defined by section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA), and Personal Information (PI) as defined by the Mass Privacy Act (M.G.L. 93 H, 93 I, and 201 CMR 17.00). SoundBite Highly Confidential Information is a subset of SoundBite Confidential Information.

 

  1.10. Staff – All Company employees, contractors, sub-contractors, consultants, or other parties who may use Company’s information systems or access SoundBite’s information systems or SoundBite Confidential Information.

 

  1.11. Standard – This document: The SoundBite Communications Information Security Standard.

 

  1.12. Strong Encryption – Encryption performed using industry-standard cryptographic algorithms such as AES, 3DES, SHA, RSA, and RC4 where a minimum key length of 128 bits is used for symmetric ciphers and a minimum key length of 1024 bits is used for asymmetric ciphers.

 

  1.13. Un-trusted Networks – The Internet and any network not operated by Company alone or by Company in exclusive collaboration with SoundBite.

 

  1.14. Written Information Security Plan – A formal document that defines the objectives of the Information Security Program, assigns responsibility for the Information Security Program, and describes how the responsible parties either do or will achieve the objectives of the Information Security Program.

 

2. SoundBite Information Security Standard

 

  2.1. Information Security Program Governance

 

  2.1.1. Information Security Program Ownership

 

  2.1.2. Risk Management

 

  2.1.2.1. Company must have a formal risk analysis and management process that documents the organization’s assets, the threats against those assets, the inherent vulnerability of the assets to those threats, and the controls designed to protect the assets from the threats.

 

  2.1.2.2. Company must conduct an annual risk assessment so as to evaluate the effectiveness of the controls and ultimately determine the residual risk to the assets.

 

  2.2. Information Security Policy

 

  2.2.1. Company must have, maintain, and follow a Written Information Security Plan.

 

  2.2.2. Company must have and adhere to a written and comprehensive set of Information Security Policy documents. The Information Security Policy documents must, at a minimum, include the following content:

 

  2.2.2.1. The following, overarching content shall either be included in all policy documents or in an overarching policy document that governs all other security policy documents:

 

  2.2.2.1.1. A definition of information security or information security mission statement, including, but not limited to, the policy’s overall objective and scope.

 

[Page 3 of 14]


  2.2.2.1.2. A statement of management intent to support the goals and principles of information security in line with business strategy and objectives.

 

  2.2.2.1.3. Control objectives, including, but not limited to, risk assessment and risk management.

 

  2.2.2.1.4. A brief overview of security policies, principles, and standards.

 

  2.2.2.1.5. Regulatory and industry standards compliance requirements.

 

  2.2.2.1.6. Policy maintenance requirements.

 

  2.2.2.1.7. Penalties for policy violations, which must include actions up to and including termination.

 

  2.2.2.2. The following specific security policy topics must be addressed by one or more Information Security Policy documents:

 

  2.2.2.2.1. Asset Management, including, but not limited to, hardware, software, and information

 

  2.2.2.2.2. Third Party Service Provider Security

 

  2.2.2.2.3. Access Control

 

  2.2.2.2.4. Acceptable Use, including, but not limited to, email usage, computer and communications systems access and use, and Internet/ intranet access and use

 

  2.2.2.2.5. Anti-Virus

 

  2.2.2.2.6. Authentication and Identity Management

 

  2.2.2.2.7. Background Check

 

  2.2.2.2.8. Change Management

 

  2.2.2.2.9. Incident Response

 

  2.2.2.2.10. Information Classification

 

  2.2.2.2.11. Logging and Security Monitoring

 

  2.2.2.2.12. Passwords

 

  2.2.2.2.13. Physical and Environmental Security

 

  2.2.2.2.14. Risk Assessment

 

  2.2.2.2.15. System and Network Device Configuration and Hardening

 

  2.2.2.2.16. Security Awareness

 

  2.2.2.2.17. New Hire, Role Change, and Termination

 

  2.2.2.2.18. Vulnerability Management

 

  2.2.2.2.19. Equipment Installation and Removal

 

  2.2.2.2.20. Segregation of Duties

 

  2.2.2.2.21. Third Party Connectivity

 

[Page 4 of 14]


  2.2.2.2.22. Incident Reporting

 

  2.2.2.2.23. Emergency Operations Plan

 

  2.2.2.2.24. Testing and Revision Procedures

 

  2.2.3. All policies must be communicated to staff and staff must acknowledge that they will comply with the policies.

 

  2.2.4. Company must have in place a disciplinary process for non-compliance with the Information Security Policy.

 

  2.3. Background Checks

 

  2.3.1. Prior to assigning any individual to perform the Services in the United States, or, if Services are to be performed outside of the United States, to the maximum extent permitted under local law, Company shall perform background checks consisting of the following:

 

  2.3.1.1. SSN Verification – Search of the individual’s Social Security number, tax ID number or other applicable government-issued identifier to verify the accuracy of the individual’s identity and current and previous addresses.

 

  2.3.1.2. Criminal Checks – A criminal background search performed by an independent, professional search firm of all court records (at least National and County within the US) in each jurisdiction of the individual’s current and previous addresses over the past seven (7) years.

 

  2.3.1.3. Reference Checks – Verification of previous employers and a minimum of at least two (2) confirmed work references.

 

  2.3.1.4. Education – Verification of education listed on the candidate’s resume or otherwise noted by the candidate.

 

  2.3.1.5. Credit Checks – Credit Report for Finance and Senior Level Executives

 

  2.3.1.6. DMV Checks – Department of Motor Vehicles record check for all employees in Sales positions.

 

  2.3.1.7. Citizenship – Validation of citizenship or certification to work in the country in which the individual is assigned.

 

  2.3.2. Where an individual has ended his/her employment with Company and has been re-hired by Company, irrespective of the amount of time that has elapsed, a new background check must be performed.

 

  2.3.3. Company shall utilize a specialist vetting company for the performance of background checks. The Company is wholly accountable for compliance with this Standard.

 

  2.3.3.1. Company shall retain evidence of all background checks performed for a period of at least two years. These records shall document the checks performed and their outcome.

 

  2.3.4. In the event that any staff is found to have been convicted of and/or have any active/pending charges for any Disqualifying Offense listed below, that person shall be prevented from accessing any SoundBite Confidential Information and that person shall be prevented from entering SoundBite’s facilities. Additionally, in the event that the person has already had access to any SoundBite Confidential Information, Company must notify SoundBite immediately and in no event later than the next business day.

 

  2.3.4.1. Disqualifying Offenses

 

  2.3.4.1.1. Dishonesty including, but not limited to felony convictions in the following categories:

 

  2.3.4.1.1.1. Fraud Offenses

 

  2.3.4.1.1.1.1. Credit Card Fraud

 

  2.3.4.1.1.1.2. Credit Card Fraud

 

  2.3.4.1.1.1.3. Embezzlement

 

  2.3.4.1.1.1.4. Bad/Worthless Checks

 

  2.3.4.1.1.2. Fraudulent Trading

 

  2.3.4.1.1.3. Possession of Stolen Property

 

  2.3.4.1.1.4. Forgery and Counterfeiting

 

  2.3.4.1.1.5. Proceeds of Criminal Offenses

 

  2.3.4.1.1.6. Theft

 

  2.3.4.1.1.7. Bribery and/or Corruption

 

  2.3.4.1.1.8. Money Laundering

 

  2.3.4.1.1.9. Concealment of Property

 

  2.3.4.1.1.10. Trespassing with Intent to Steal (Burglary)

 

  2.3.4.1.1.11. Blackmail/Extortion

 

  2.3.4.1.2. Business Offenses

 

  2.3.4.1.2.1. Any offense involving computer misuse

 

  2.3.4.1.2.2. Organizing or engaging in illegal work

 

  2.3.4.1.2.3. Economic, Corporate, or Business Espionage

 

  2.3.4.1.3. Crimes Against Persons

 

  2.3.4.1.3.1. Serious sexual offenses or offenses against children

 

  2.3.4.1.3.2. Racially motivated or discrimination offenses

 

  2.3.4.1.3.3. Murder or manslaughter

 

  2.3.4.1.3.4. Crimes involving assault, violence, or threatening behavior

 

  2.3.4.1.3.5. Human trafficking

 

  2.3.4.1.4. Other

 

  2.3.4.1.4.1. Felony (US) or host country equivalent serious crime

 

[Page 6 of 14]


  2.3.4.1.4.2. Producing, supplying, importing, or trafficking controlled drugs/substances

 

  2.3.4.1.4.3. Firearms and explosives offenses

 

  2.3.4.1.4.4. Terrorism

 

  2.3.4.1.4.5. Pretrial Diversions (US) for disqualifying crimes

 

  2.3.4.1.4.6. Deferred Adjudication for disqualifying crimes

 

  2.3.4.1.4.7. More than 2 misdemeanor convictions (US) or host country equivalent minor crimes relating to fraud, ethics, or other topics covered in this section, within the past 5 years.

 

  2.3.4.1.4.8. Convictions (US) involving imprisonment for terms of six months or greater (whether or not all of that term was served)

 

  2.4. Access Control

 

  2.4.1. Company must have a user identification process in place that validates the identity of each user; for example, in the United States, the process defined by Form I-9, Employment Eligibility Verification, as published by the Department of Homeland Security U.S. Citizenship and Immigration Services. (This is the standard employment verification process required in the U.S., wherein an employee presents certain government-issued IDs to the employer to prove their identity and right to work.)

 

  2.4.2. Company shall have appropriate new-hire, role-change, and terminations processes that ensure that:

 

  2.4.2.1. User accounts are appropriately created and disabled or removed

 

  2.4.2.2. Information access privileges for all user accounts are appropriately enabled and disabled

 

  2.4.3. Company must have an access control process that:

 

  2.4.3.1. Assigns access rights based on roles

 

  2.4.3.2. Provides for segregation of duties between information owners (who approve access changes) and information custodians (who implement access changes)

 

  2.4.3.3. Updates access rights based on personnel or system changes

 

  2.4.3.4. Requires the periodic review of access rights for all systems that store, process, transmit, or access SoundBite Confidential Information. These reviews must be conducted on at least a quarterly basis. More frequent reviews may be required based on the risk to the application or system.

 

  2.4.4. Access to Company system components and SoundBite Confidential Data must be restricted based on a user’s need to know and be set to “deny all” unless specifically allowed.

 

[Page 7 of 14]


  2.4.5. All Company users must have BOTH:

 

  2.4.5.1. A unique User ID

 

  2.4.5.2. Either a password/passphrase or two-factor authentication

 

  2.4.5.2.1. Company must have an appropriate password policy in place:

 

  2.4.5.2.1.1. Passwords must contain a minimum of 8 characters

 

  2.4.5.2.1.2. Passwords must contain 3 out of 4 of the following character types:

 

  2.4.5.2.1.2.1. Uppercase letters

 

  2.4.5.2.1.2.2. Lowercase letters

 

  2.4.5.2.1.2.3. Numbers

 

  2.4.5.2.1.2.4. Special characters, for example: ~, !, @, #, $, %, ^, &, *, (, ), _, +, -, =, [, ], \, ;, ', ,, ., /, :, "

 

  2.4.5.2.1.3. Passwords are changed after a maximum of 60 days

 

  2.4.5.2.1.4. Previous 10 passwords are not allowed to be reused

 

  2.4.5.2.1.5. User is locked out after not more than 5 failed login attempts

 

  2.4.5.2.1.6. User is automatically logged out after not more than 15 minutes of inactivity
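The parameters in 2.4.5.2.1.1 through 2.4.5.2.1.6 written out as a runnable policy check (an added example, not part of the Standard or of either party's systems; it assumes the special characters listed above are straight ASCII quotes, that the reuse rule covers the current password plus the ten before it, and that stored history holds salted PBKDF2 digests rather than passwords, per 2.4.5.2.2):

```python
"""Reference checks for the password-policy parameters of section 2.4.5.2.1."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import Optional

# Parameters exactly as stated in 2.4.5.2.1.1 through 2.4.5.2.1.6.
MIN_LENGTH = 8
MIN_CLASSES = 3                    # 3 out of the 4 character types
MAX_AGE = timedelta(days=60)
HISTORY_DEPTH = 10                 # previous 10 passwords may not be reused
MAX_FAILED_LOGINS = 5
IDLE_TIMEOUT = timedelta(minutes=15)

# Special characters listed in 2.4.5.2.1.2.4 (assumption: straight ASCII quotes).
SPECIAL = set('~!@#$%^&*()_+-=[]\\;\',./:"')


def complexity_violations(password: str) -> list[str]:
    """Return the 2.4.5.2.1.1/.2 rules the password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"only {classes} of 4 character classes (need {MIN_CLASSES})")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never holds recoverable passwords (2.4.5.2.2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Credential state for one unique User ID (2.4.5.1), checked against the policy."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.history: list[tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.changed_at: Optional[datetime] = None
        self.failed_logins = 0
        self.locked = False
        self.last_activity: Optional[datetime] = None

    def set_password(self, password: str, now: datetime) -> list[str]:
        """Apply complexity and reuse rules; returns the violations, empty on success."""
        problems = complexity_violations(password)
        # Assumption: "previous 10" means the current password and the ten before it.
        for salt, digest in self.history[-(HISTORY_DEPTH + 1):]:
            if hmac.compare_digest(_digest(password, salt), digest):
                problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-(HISTORY_DEPTH + 1):]   # keep only what the rule needs
        self.changed_at = now
        self.failed_logins = 0
        return []

    def authenticate(self, password: str, now: datetime) -> str:
        """Return 'locked', 'bad_password', 'expired' or 'ok' (2.4.5.2.1.3 and .5)."""
        if self.locked:
            return "locked"
        if not self.history:
            return "bad_password"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failed_logins += 1
            if self.failed_logins >= MAX_FAILED_LOGINS:
                self.locked = True            # lockout at the 5th failed attempt
                return "locked"
            return "bad_password"
        self.failed_logins = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"                  # correct, but must be changed before use
        self.last_activity = now
        return "ok"

    def session_active(self, now: datetime) -> bool:
        """False once the user has been idle longer than IDLE_TIMEOUT (2.4.5.2.1.6)."""
        if self.last_activity is None:
            return False
        return now - self.last_activity <= IDLE_TIMEOUT
```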

 

  2.4.5.2.2. Passwords/passphrases are to be encrypted with strong encryption in transit and at rest.

 

  2.4.5.2.3. Two-factor authentication is defined as the use of two of the following authentication types:

 

  2.4.5.2.3.1. Something the user knows, like a password

 

  2.4.5.2.3.2. Something the user has, like a SecurID token or digital certificate

 

  2.4.5.2.3.3. Something the user is, like a fingerprint

 

  2.5. Operational Security

 

  2.5.1. Company must have operating procedures that are documented, reviewed and maintained by an owner, and made available to all users who need them.

 

  2.5.2. Company must have a formal, documented change management and change control process.

 

  2.5.3. Changes managed according to the change management process must be documented, for example, using a change control ticketing system.

 

  2.5.4. Company must prohibit Staff from connecting to networks, systems, databases, or applications that contain SoundBite Confidential Information from any system not exclusively managed by Company according to this Information Security Standard. For example, Staff would typically not be able to access SoundBite Confidential Information from their personally-owned computers.

 

[Page 8 of 14]


  2.5.5. Company must have processes and mechanisms established for the security hardening and maintenance of servers, workstations, network devices, and off-the-shelf applications, including, but not limited to, Web server software, application server software, and database server software.

 

  2.5.5.1. Implement only one primary function per server

 

  2.5.5.2. Disable all unnecessary services and insecure protocols (e.g. telnet)

 

  2.5.5.3. Configure system security parameters to prevent misuse

 

  2.5.5.4. Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and unnecessary web servers

 

  2.5.6. Company must use industry-standard anti-virus software on all applicable systems. Applicable systems shall include, at a minimum, all systems that run any version of the Microsoft Windows operating system, inbound and outbound e-mail systems, and any other systems that Company identifies, during its risk assessment process, as potentially being susceptible to Malicious Code. This antivirus requirement shall not apply to e-mail solutions the sole function of which is the sending of system-generated e-mail content.

 

  2.5.6.1. Anti-virus solutions [or combination of solutions] must address all types of Malicious Code.

 

  2.5.6.2. Systems must be maintained with daily anti-virus signature updates.

 

  2.5.6.3. Systems must use a current and supported version of the Anti-Virus solution utilized.

 

  2.5.7. Company must utilize a reasonable process to monitor its systems for vulnerabilities. Options include vulnerability scanning and monitoring information sources for advisory and/or patch publications.

 

  2.5.7.1. In the event that Company becomes aware of a vulnerability, Company will endeavor to remediate the vulnerability within 30 days.

 

  2.5.8. Company must implement an appropriate logging solution or solutions for all physical security systems. The logging solution or solutions must be appropriately secured to prevent tampering.

 

  2.5.8.1. At a minimum, the following event types must be logged:

 

  2.5.8.1.1. Individual access to SoundBite cage

 

  2.5.8.1.2. Actions taken by any individual with administrative access to physical security systems

 

  2.5.8.1.3. Access to all audit trails

 

  2.5.8.1.4. Invalid login access attempts

 

  2.5.8.1.5. Use of identification and authentication mechanisms

 

  2.5.8.1.6. Initialization of the audit logs

 

  2.5.8.1.7. Creation and deletion of system-level objects

 

  2.5.8.2. When logging events, the following information must be logged:

 

  2.5.8.2.1. User ID

 

[Page 9 of 14]


  2.5.8.2.2. Type of event

 

  2.5.8.2.3. Date and time of event

 

  2.5.8.2.4. Event success or failure

 

  2.5.8.2.5. Origination of event (for example, source IP or TTY)

 

  2.5.8.2.6. Identity or name of affected data, system component, or resource

 

  2.5.8.3. Logs must be reviewed for Security Incidents daily or generate applicable alerts which are reviewed daily.

 

  2.5.8.4. Electronic access logs must be maintained on a rolling 90-day basis, and paper-based sign-in logs must be retained for at least one year.

 

  2.6. Network Security

 

  2.6.1. Company will put appropriate network access controls in place, including, but not limited to, the segregation of network segments by use of a firewall capable of stateful packet inspection. Application layer packet inspection (sometimes referred to as “deep packet inspection”) is also encouraged.

 

  2.6.2. Company must not allow direct wireless network access to systems storing SoundBite data.

 

  2.7. Physical Security

 

  2.7.1. Company must use appropriate facility entry controls to limit, monitor, and log physical access to systems storing, processing, transmitting, or accessing SoundBite data.

 

  2.7.2. Company will only grant access to authorized personnel.

 

  2.7.3. Company must have appropriate procedures to track visitors and to help all personnel easily distinguish between Staff and visitors.

 

  2.7.3.1. Visitors are to be escorted at all times.

 

  2.7.3.2. All Staff and visitors must wear ID badges visible at all times.

 

  2.7.4. Company shall have in place monitoring controls appropriate to the facility, including, but not limited to, staffing all unlocked entries with guards or equivalent; video surveillance at entry points, access points, and sensitive areas; and glass-break detectors.

 

  2.7.5. Company shall establish (and implement as needed) procedures that allow facility access in support of restoration of lost data in the event of an emergency.

 

  2.7.6. Company shall document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks), if the facility is used to store SoundBite data.

 

  2.7.7. Data centers housing SoundBite data must have environmental controls and redundant power (UPS and Generator or equivalent).

 

[Page 10 of 14]


  2.7.8. Company shall have an asset management policy and associated processes that apply to all assets that process, store, transmit, or access SoundBite data.

 

  2.7.8.1. Company shall maintain an accurate inventory of its assets.

 

  2.8. Incident Response

 

  2.8.1. The Company shall maintain an Incident Response process to address incidents, including, but not limited to, Security Incidents, the loss of SoundBite Information, and significant service disruptions. The Incident Response process shall include steps for:

 

  2.8.1.1. Incident identification

 

  2.8.1.2. Incident escalation

 

  2.8.1.3. Incident containment

 

  2.8.1.4. Incident investigation, including, but not limited to, the collection of forensic evidence appropriate for law enforcement purposes

 

  2.8.1.5. Incident remediation and recovery

 

  2.8.1.5.1. Company shall document responsive actions taken in connection with any incident involving a Security Incident or other breach of security.

 

  2.8.1.6. Following any Security Incident or breach of security, Company shall review events and take actions, if applicable, to make changes in business practices relating to protection of personal information.

 

  2.8.1.7. The Company shall communicate the Incident Response process to all Staff. First responders with direct responsibility for execution of the Incident Response process shall be trained on that process.

 

  2.9. Notification

 

  2.9.1. Without undue delay and in any event not later than 24 hours following the occurrence of a business interruption, or disaster affecting the Services, Company shall notify SoundBite, and implement Company’s BC/DR Plan. Company must use best efforts to reinstate the Services as soon as practicable.

 

  2.9.2. Without undue delay and in any event not later than 24 hours following the occurrence of a Security Incident or other use or disclosure of SoundBite Confidential Information in violation of this Standard by Company or any of its officers, directors, employees, contractors, agents or other Staff, Company shall notify SoundBite, and implement Company’s Incident Response process. Company must use best efforts to prevent further breach of confidentiality of SoundBite Confidential Information and to recover or otherwise prevent abuse or fraud using lost or compromised SoundBite Confidential Information.

 

  2.9.3. Company shall notify and report to SoundBite any use or disclosure of SoundBite Confidential Information in violation of this Agreement by Company or any of its officers, directors, employees, contractors, agents or other Staff without undue delay and in any event not later than 24 hours following the disclosure.

 

[Page 11 of 14]


  2.9.4. All notifications shall be via any expedient means, followed directly by written notice, to be sent in to both of the following addresses:

 

  2.9.4.1. John Nye

Information Security Officer

SoundBite Communications

22 Crosby Drive

Bedford, MA 01730

 

  2.9.4.2. Robert C. Leahy

CFO/COO

SoundBite Communications

22 Crosby Drive

Bedford, MA 01730

 

  2.9.5. The Company shall ensure that if there are material changes to the way that SoundBite data is processed (e.g. Company engages a third Party Vendor for storing, processing, transmitting, or accessing SoundBite Information), then:

 

  2.9.5.1. These changes must be communicated to SoundBite and prior approval obtained; and

 

  2.9.5.2. These changes must be communicated to appropriate departments within the Company.

 

  2.9.6. SoundBite Contact Information:

 

  2.9.6.1. Information Security Officer:

John Nye

[email protected]

1-781-897-2570

 

  2.9.6.2. SoundBite Support:

[email protected]

1-888-807-4732

 

  2.9.6.3. SoundBite Front Desk:

1-781-897-2500

 

  2.9.6.4. SoundBite Business Contact:

Jason Temple

[email protected]

781-897-2725

 

  2.10. Software Licensing

 

  2.10.1. Company will maintain appropriate licenses for all software used to provide service to SoundBite.

 

  2.11. Data

 

  2.11.1. Company must not collect, access, use, maintain, or disclose SoundBite data.

 

  2.11.1.1. Company will take appropriate, industry-accepted measures to protect encryption keys, including, but not limited to, ensuring that encryption keys are encrypted during transit.

 

  2.11.1.2. Company shall appropriately protect an encrypted communication’s endpoints.

 

[Page 12 of 14]


  2.11.2. All data provided by SoundBite to the Company remain the property of SoundBite.

 

  2.11.3. Unless explicitly approved by SoundBite, Company may not use any SoundBite data in a testing environment. In the event that such usage is allowed, this Information Security Standard will apply in full effect to the testing environment.

 

  2.11.4. Media handling and disposal

 

  2.11.4.1. So long as the account is active, current, and not in default, Company must not remove SoundBite-owned equipment from data center facilities without prior, written consent from SoundBite in the form of a Statement of Work, Remote Hands service ticket, or other method described elsewhere in an agreement between the two parties.

 

  2.11.5. The Company shall only transmit, process and store SoundBite Highly Confidential information at data centers whose location has been approved by SoundBite.

 

  2.12. Audit and Assessment

 

  2.12.1. Company management must regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements.

 

  2.12.2. On an annual basis, Company shall conduct an internal audit or assessment of all security controls, including, but not limited to, the controls required by this Standard.

 

  2.12.3. Company must have an external Information Security audit performed at least annually by an independent, reputable third party, the results of which must be provided to SoundBite upon request. This requirement shall be considered satisfied by having an independent audit firm perform procedures under applicable auditing standards such as SAS70, SSAE16, SOC audits (SysTrust), ISO, or other commonly accepted IT governance frameworks. SoundBite may, solely at its own expense, audit Company to monitor compliance with this Information Security Standard. Such audits will occur during normal business hours and will not occur more than once in any calendar year, unless required by applicable laws and regulations or unless Company experiences a Security Incident, in which case additional audits may be performed.

 

  2.12.3.1. SoundBite’s right to audit/inspect Company extends to SoundBite’s authorized representatives or any applicable regulator.

 

  2.12.3.2. On-site inspections of Company’s facilities may be conducted by SoundBite or SoundBite’s authorized representatives.

 

  2.12.3.3. Company will promptly correct any violation of this Standard found by SoundBite or its agents and will certify in writing that the correction has been made.

 

[Page 13 of 14]


  2.13. 3rd Party Vendors

 

  2.13.1. Where any third-party will have access to SoundBite Information in order to provide its services to Company on behalf of SoundBite, Company will ensure that such entity signs a written contract in which it agrees (i) to restrict its use of SoundBite Information to activities directly required for Company’s performance of its obligations to SoundBite; (ii) to comply with all applicable laws, rules, regulations, security requirements (as defined in this Information Security Standard); and (iii) to implement and maintain appropriate administrative, technical and physical safeguards to protect the security, confidentiality and integrity of all SoundBite Information as provided for by this Standard. Company shall be responsible for any unauthorized use or disclosure of any SoundBite Confidential Information by any entity to whom it discloses or provides access to SoundBite’s Confidential Information, to the same extent as if Company had used or disclosed such information itself.

 

  2.13.2. Company must execute a written confidentiality and non-disclosure agreement when dealing with third parties that will store, process, transmit, or access SoundBite Confidential Information.

 

  2.13.3. Company must require third parties to demonstrate that their Staff have been adequately screened if they require access to SoundBite Highly Confidential Information.

 

  2.14. Regulatory Compliance

 

  2.14.1. PCI: In the event that Company stores, processes, or transmits CHD, as defined by the PCI DSS, Company shall maintain compliance with the PCI DSS, but only to the degree that the requirements of the PCI DSS are directly applicable to the services provided under contract to SoundBite.

 

  2.14.1.1. Company shall either obtain a PCI Certification or allow SoundBite to include sites that support the services provided under contract to SoundBite in SoundBite’s annual PCI Assessment at SoundBite’s sole expense.

 

  2.14.1.2. Company will provide evidence of PCI compliant controls and/or certification to SoundBite upon request.

 

[Page 14 of 14]


Internap Sales Order - Summary

Date: 2/10/2010      Valid Thru: 3/12/2010
To: Soundbite, 22 Crosby Drive, Bedford, MA 01730
From: Internap Network Services, Corp., Brian Kern / John Murphy, 250 Williams Street, Suite E100, Atlanta, GA 30303
Subject: Ashburn Renewal plus IP      TERM: 2 Years

Summary of New Services

Services                      Total One-Time    Total Monthly
CDN Services                  $ —               $ —
Colocation Services           $ —               $ 37,055.00
IP Services                   $ —               $ 15,750.00
Managed Server Services       $ —               $ —
FCP and Value Add Services    $ —               $ —
TOTAL SOLUTION CHARGES        $ —               $ 52,805.00
Summary of Retained Services

Services                         Total One-Time    Total Monthly
Renewed and Retained Services                      $ —
TOTAL SERVICES                   $ —               $ 52,805.00

Special Comments

Terms and Conditions

All service implementations are subject to Internap standard installation intervals. While Internap will make reasonable efforts to accommodate customer specific requests, the standard installation intervals apply for all Services being ordered and shall begin upon Internap’s formal acceptance of this Sales Order. Billing for services will commence upon delivery of the contracted services. Specific billing activations dates will be communicated and confirmed during implementation process. Internap’s formal acceptance of this Sales Order occurs when (i) Internap has received a signed Sales Order Form complete with accurate information and signed Agreement for Service, (ii) capacity has been approved, (iii) Customer’s credit has been approved, and (iv) Internap has provided countersigned order form. Changes to an accepted Sales Order, Customer-initiated delays (including those associated with Customer provisioned access), and credit approval issues will place the installation interval on hold.

The initial Term specified above shall start at the Service Commencement Date as set forth in the MSA (defined below).

The Term of this Sales Order shall automatically renew for one year periods absent contrary written notice provided by either party, delivered in accordance with this paragraph at least sixty days in advance of expiration. To be effective, Customer must give any such notice of non-renewal or any notice of disconnection by completing the form located at https://customers.Internap.com/requests/.

THE PARTIES AGREE TO BE BOUND BY THE TERMS AND CONDITIONS CONTAINED IN THE MASTER SALES AGREEMENT (“MSA”) SIGNED BETWEEN THE PARTIES, WHICH ARE INCORPORATED BY REFERENCE HEREIN, ABSENT SUCH EXECUTED MSA, THE EXECUTION OF THIS DOCUMENT IS DEEMED TO BE ACCEPTANCE OF THE TERMS AND CONDITIONS SET FORTH IN THE INTERNAP STANDARD MSA LOCATED AT http://internap.com/legal/msa.html, INCLUDING ALL ATTACHMENTS THERETO, ALL OF WHICH ARE INCORPORATED BY REFERENCE HEREIN. IN THE EVENT OF A CONFLICT BETWEEN THE MSA AND THIS SALES ORDER, THE MSA SHALL PREVAIL. THE PROVISION OF SERVICES HEREUNDER IS SUBJECT TO INTERNAP’S CONTINUING APPROVAL OF CUSTOMER’S CREDIT-WORTHINESS.

Customer Acceptance

Printed Name:  Robert C. Leahy      Title:  COO & CFO
By:            LOGO                 Date:   2/18/10

Authorized INTERNAP Signature
By:            LOGO                 Date:   2/18/10

 

Internap Network Services Confidential    2/10/2010    Page 15 of 5


Internap Services - Service Change Order

Summary of Services

Location | SO# | SVCOID | QTY | Description | MRC | Treatment | Extended
BSN | 10000100385 | 149953 | 1.00 | Gige Dual Usage 250Mbps Monthly Fee | $ 10,000.00 | Replace | $ 10,000.00
BSN | 10000100385 | 149957 | 1.00 | 100mb Dual 4Mbps Monthly Fee | $ 1,100.00 | Replace | $ 1,100.00
BSN | 10000100385 | 149955 | 1.00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00
BSN | 10000100385 | 149955 | 1.00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00
BSN | 10000100385 | 149958,[Illegible] | 2.00 | Standard Ethernet Cross Connect Monthly Fee | $ 150.00 | Replace | $ 300.00
WDC002 | 10000106740 | 161674 | 1.00 | Standard Back Channel Ethernet Cross Connect Monthly Fee | $ 225.00 | Replace | $ 225.00
WDC002 | 10000054291 | 72611 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 11,770.00 | Replace | $ 11,770.00
WDC002 | 10000054291 | 72809 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 5,835.00 | Replace | $ 5,835.00
WDC002 | 10000056918 | 79261 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ [Illegible] | Replace | $ [Illegible]
WDC002 | 10000056918 | [Illegible] | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 1,177.00 | Replace | $ 1,177.00
WDC002 | 10000056918 | 79282, 79263 | 2.00 | 30A 208V Primary Power Circuit Monthly Fee | $ 910.00 | Replace | $ 1,620.00
WDC002 | 10000064936 | [Illegible] | 2.00 | 30A 208V Primary Power Circuit Monthly Fee | $ 845.00 | Replace | $ 1,690.00
WDC002 | 10000067594 | 91405 | 1.00 | 100mb Dual 4Mbps Monthly Fee | $ 500.00 | Replace | $ 500.00
WDC002 | 10000054291 | S-83340,72612- | 10.00 | 20A 120V Primary Power Circuit Monthly Fee | $ 360.00 | Replace | $ [Illegible]
WDC002 | 10000054291 | 87896-87903 | 6.00 | 20A 120V Primary Power Circuit Monthly Fee | $ 325.00 | Replace | $ [Illegible]
WDC002 | 10000079712 | 118118 | [Illegible].00 | Back Channel Fiber Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00
WDC002 | 10000056289 | 77900 | [Illegible].00 | Back Channel OC-X Cross Connect Monthly | $ 200.00 | Replace | $ 200.00
WDC002 | 10000071711 | 99303,99304 | [Illegible].00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 400.00
WDC002 | 10000054291 | 72621 | [Illegible].00 | 20A 120V Redundant Power Circuit Monthly Fee | $ [Illegible] | Replace | $ 180.00
WDC002 | 10000067594 | 91406, 91407 | [Illegible].00 | Ethernet Cross Connect | $ 175.00 | Replace | $ 350.00
WDC002 | 10000067558 | 77443 | [Illegible].00 | Standard Back Channel Ethernet Cross Connect Monthly Fee | $ 175.00 | Replace | $ 175.00
WDC002 | 10000064145 | 87264 | [Illegible].00 | Back Channel [Illegible] Cross Connect Monthly Fee | $ 125.00 | Replace | $ 125.00
WDC002 | 10000060018 | 80590 | [Illegible].00 | T-1 Cross Connect | $ 80.00 | Replace | $ 80.00
WDC002 | 10000060018 | 347, 155728, 11 | [Illegible].00 | T-1 Cross Connect | $ 75.00 | Replace | $ 225.00
WDC002 | 10000058916 | 79278, 79278 | [Illegible].00 | POTs Cross Connect | $ 50.00 | Replace | $ 100.00
WDC002 | 10000054291 | 72620, 72622 | [Illegible].00 | Standard 20A [Illegible] Primary Power Circuit Monthly Fee | $ [Illegible] | Replace | $ 1,250.00
WDC002 | 10000079712 | [Illegible] | [Illegible].00 | Back Channel Fiber Cross Connect Monthly Fee | $ 200.00 | Remove | $ 200.00

Effective Date: not filled in for any line item.

Treatment Summary

Treatment | Definition | Total [Illegible]
Renew | Renew extends terms for existing services through Effective Date at the MRC specified | $
Retain | Retain maintains contract terms for existing services through Effective Date at the MRC specified | $
Replace | Replace terminates existing services on the effective date and replaces them with services specified on Services Proposal [ILLEGIBLE] | $ 50,050.00
Remove | Remove terminates services on the effective date | $ 200.00

Early Termination Fees (ETF)

$
$
$

Total ETF Fees    $

ETF Notes

 



Internap Sales Order - Colocation Services

Internap Colocation Services

Service Point WDC002
Facility address Equinix - 21715 Filigree Court, Bldg. F, Ashburn, VA 20147

Item | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly

Space (Power not Included)
Cabinet(s) (Shared colo not in private cage) | | | | |
Private Cage (Square Ft) | 400 | $ 0.00 | $ 0.00 | $ 56.00 | $ 22,400.00

Power
120V - 20 AMP Primary (incl Power Strip) | 21 | $ 0.00 | $ 0.00 | $ 360.00 | $ 7,560.00
120V - 20 AMP Redundant (incl. Power Strip) | 1 | $ 0.00 | $ 0.00 | $ 180.00 | $ 180.00
120V - 30 AMP Primary | | | | |
120V - 30 AMP Redundant | | | | |
208V - 20 AMP Primary | 2 | $ 0.00 | $ 0.00 | $ 625.00 | $ 1,250.00
208V - 20 AMP Redundant | | | | |
208V - 30 AMP Primary | 4 | $ 0.00 | $ 0.00 | $ 935.00 | $ 3,740.00
208V - 30 AMP Redundant | | | | |
3 Phase 208V - 20 AMP Primary | | | | |
3 Phase 208V - 20 AMP Redundant | | | | |
3 Phase 208V - 30 AMP Primary | | | | |
3 Phase 208V - 30 AMP Redundant | | | | |

Cross Connects
Back Channel POTS Cross Connect | 2 | $ 0.00 | $ 0.00 | $ 75.00 | $ 150.00
Back Channel T1 Cross Connect | 4 | $ 0.00 | $ 0.00 | $ 75.00 | $ 300.00
Back Channel DS3 Cross Connect | 1 | $ 0.00 | $ 0.00 | $ 125.00 | $ 125.00
Back Channel OCX Cross Connect | 1 | $ 0.00 | $ 0.00 | $ 225.00 | $ 225.00
Back Channel Ethernet Cross Connect | 2 | $ 0.00 | $ 0.00 | $ 225.00 | $ 450.00
Back Channel GigE Cross Connect/Fiber Cross Connect | 3 | $ 0.00 | $ 0.00 | $ 225.00 | $ 675.00
On Demand Remote Hands Charges (Billed at $300/Hour, 30 minute minimum) | Usage Based

TOTAL COLOCATION CHARGES    One-Time $ —    Monthly $ 37,055.00


Standard Configuration Notes:

Internap to provide and install (14) 4-post racks in a private cage

Internap to supply the power strip for each 20a/120v circuit. Customer to supply power strips for all other power circuits

Monthly cage pricing does not include power. Power is billed separately

Future power requests must be approved by Internap Product Management and are subject to availability

Standard Ladder racking and grounding is included in the cage construction charges

Customer may not draw more than an aggregate of 33.6 kW (the “Power Cap”) in the Cage.

In the event that Internap measures Customer’s draw in the Cage and such draw exceeds the Power Cap, Internap may require Customer to reduce the power draw in the Cage to the Power Cap within twenty-four (24) hours of such measurement. Internap may disconnect power circuits until the aggregate rated capacity of all circuits in the Cage equals the Power Cap.

Special Configuration Notes:

Internap Solution Notes:

Colo-Grade Colocation Facility Includes:

24x7 engineering support

Hardened security

Redundant, conditioned power

Tiered fire suppression systems

 



Internap Sales Order - IP Services

Internap IP Services

Port Services

# | Port Type | Access Type | Commit (Mbps) | PNAP | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly | Rate/Mb | Burst rate/Mb
1 | 100Mb Dual | Non-CPA | 10 | WDC002 | 1 | $ 0.00 | $ 0.00 | $ 1,000.00 | $ 1,000.00 | $ 100.00 | $ 102.00
2 | Dual GigE | Non-CPA | 500 | BSN | 1 | $ 0.00 | $ 0.00 | $ 11,500.00 | $ 12,500.00 | $ 25.00 | $ 27.00
    (Rate Limit per handoff: 800)
3 | 100Mb Dual | Non-CPA | 5 | BSN | 1 | $ 0.00 | $ 0.00 | $ 1,100.00 | $ 1,100.00 | $ 220.00 | $ 222.00
4 | | | | | | $ 0.00 | | | | | N/A
5 | | | | | | $ 0.00 | | | | | N/A

TOTAL    One-Time $ 0.00    Monthly $ 14,600.00

Circuit Services

# | Description | PNAP | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly
1 | Copper Cross Connect | WDC002 | 2 | $ 0.00 | $ 0.00 | $ 22[Illegible]00 | $ 450.00
2 | Fiber Cross-connect | BSN | 2 | $ 0.00 | $ 0.00 | $ 20[Illegible]00 | $ 400.00
3 | Copper Cross Connect | BSN | 2 | $ 0.00 | $ 0.00 | $ 15[Illegible]00 | $ 300.00
4 | | | | | | |
5 | | | | | | |

TOTAL    One-Time $ —    Monthly $ 1,150.00

TOTAL IP SERVICES CHARGES    One-Time $ —    Monthly $ 15,760.00


Configuration Notes:

Bandwidth Charges are based on 95th percentile billing methodology; bursting charges apply for usage in excess of commit.

Customer Provided Access (CPA) - Customer is responsible for all local access support associated with CPA orders, and must work directly with the access provider to resolve all issues.

Included with your service:

Full transit, route optimized TCP/IP connectivity through Internap’s P-NAP® facility directly to the major Internet backbones

24 x 7 Proactive circuit monitoring, outage reporting and outage troubleshooting by Internap’s own Network Operations Center (NOC)

Notification schedule and escalation procedures

Primary DNS for one (1) domain -or- Secondary DNS for up to 200 domains

Allocation of IP addresses in compliance with ARIN policy

 



Internap Services Order - Key Contacts

Contact Information

Customer

 

Primary Contact
Name:   Jason Temple
Title:   VP Operations
Email:   [email protected]
Phone:   (781) 897-2725
Mobile:   (617) 803-8236
Technical Contact
Name:  
Title:  
Email:  
Phone:  
Mobile:  
Billing Contact
Name:  
Title:  
Email:  
Phone:  
Mobile:  
Additional Contact
Name:  
Title:  
Email:  
Phone:  
Mobile:  

Internap

 

Account Executive
Name:   Brian Kern
Title:   Sr. Account Executive
Email:   [email protected]
Phone:   617-374-4911
Mobile:   617-947-7521
Technical Consultant
Name:   John Murphy
Title:   Sr. Sales Engineer
Email:   [email protected]
Phone:   617-374-4907
Mobile:   978-302-6657
Client Services Contact
Name:   Elena Spadazzi
Title:   Client Services Leader
Email:   [email protected]
Phone:   617-374-4910
Mobile:  
Additional Contact
Name:   Trent Collie
Title:   Sr. Sales Engineer
Email:   [email protected]
Phone:   617-374-4922
Mobile:  
 

 
