The URL can be used to link to this page

Home My WebLink AboutReports - 2023.07.20 - 40266 AGENDA ITEM: Extension with Carahsoft Technology for OKTA Identity and Access Management DEPARTMENT: Information Technology MEETING: Board of Commissioners DATE: Thursday, July 20, 2023 8:35 PM - Click to View Agenda ITEM SUMMARY SHEET COMMITTEE REPORT TO BOARD Resolution #2023-3105 Motion to approve the five-year contract with Carahsoft Technology for OKTA Identity and Access Management through November 1, 2028, with the option to extend an additional five years through November 1, 2033 for an amount not to exceed 3,500,000; further, that a budget amendment is not required as there is sufficient funding within Information Technology’s FY 2023 – FY 2025 operating budget to cover the cost of the expenditure. ITEM CATEGORY SPONSORED BY Contract Gwen Markham INTRODUCTION AND BACKGROUND Oakland County has been using Okta Identity and Access Management (IAM) service through the vendor, Carahsoft Technology, for approximately 5 years as a result of a competitive bid. The Okta IAM service plays a critical role in securing all aspects of County data, services, and information. Okta is still considered best-in-class, and Carahsoft Technology is Okta’s designated reseller. Carahsoft Technology is the preferred reseller of Okta services. The current contract between Oakland County and Carahsoft Technology expires on 11/1/2023. The Purchasing Terms and Conditions state in Section 2400.6 the Duration of Contracts and under the Procedure, it states “The Board of Commissioners shall approve contracts beyond five years." The current cost is $326,000/year, and because of inflation and market forces, we are planning for around $350,000/year at renewal time. The submitted FY24 IT budget included this amount. BUDGET AMENDMENT REQUIRED: No Committee members can contact Michael Andrews, Policy and Fiscal Analysis Supervisor at 248.425.5572 or andrewsmb@oakgov.com, or the department contact persons listed for additional information. CONTACT Rod Davenport, Chief Information Officer ITEM REVIEW TRACKING Aaron Snover, Board of Commissioners Created/Initiated - 7/20/2023 AGENDA DEADLINE: 07/30/2023 8:35 PM ATTACHMENTS 1. AMENDMENT OF CONTRACT 005546 AMENDMENT 01 AMENDMENT DATE: January 24, 2019 2. AMENDMENT OF CONTRACT 005546 AMENDMENT 02 AMENDMENT DATE: April 4, 2022 3. AMENDMENT OF CONTRACT 008467 AMENDMENT 03 AMENDMENT DATE: February 6, 2023 4. CONTRACT NUMBER:005546 CONTRACT Not To Exceed Amount: $1,629,849.95 Effective Date: 11/2/2018 Expiration Date: 11/1/2023 COMMITTEE TRACKING 2023-07-12 Finance - Recommend to Board 2023-07-20 Full Board - Adopt Motioned by: Commissioner Robert Hoffman Seconded by: Commissioner Angela Powell Yes: David Woodward, Michael Spisz, Michael Gingell, Penny Luebs, Karen Joliat, Kristen Nelson, Christine Long, Robert Hoffman, Philip Weipert, Gwen Markham, Angela Powell, Marcia Gershenson, Janet Jackson, Charles Cavell, Brendan Johnson, Ajay Raman (16) No: None (0) Abstain: None (0) Absent: Gary McGillivray, William Miller III, Yolanda Smith Charles (3) Passed AMENDMENT OF CONTRACT 005546 Page 1 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com IT RLB AMENDMENT OF CONTRACT 005546 AMENDMENT 01 AMENDMENT DATE: January 24, 2019 This AMENDMENT OF CONTRACT (hereafter this "Amendment") is made and entered into by and between the Contractor named and identified below, (hereafter “Contractor”) and the COUNTY OF OAKLAND (hereafter “County”) whose address is 2100 Pontiac Lake Rd, Waterford, MI 48328. CONTRACTOR ADDRESS Carahsoft Technology 1860 Michael Faraday Drive, Suite 100 Reston, Virginia 20190 Vendor Number: 11962 The County and Contractor agree and acknowledge that the purpose of this Amendment is to modify as provided herein and otherwise continue the present contractual relationship between the Parties as described in their current contract with the same contract number as above. In consideration of the extension of the mutual promises, representations, assurances, agreements, and provisions in the Contract and this Amendment, the adequacy of which is hereby acknowledged by the Parties, the County and Contractor hereby agrees to amend the current Contract as follows: 1.0 The County and Contractor agree that any and all defined words or phrases in the current Contract between the parties will apply equally to and throughout the amendment. 2.0 The Parties agree that any and all other terms and conditions set forth in the current Contract between the Parties shall remain in full force and effect and shall not be modified, excepted, diminished, or otherwise changed or altered by this Amendment except as otherwise expressly provided for in this Amendment. 3.0 Description of Change: a. The Parties are adding additional services, to utilize the Okta product for the County’s IAM Project, which are described in the attached and incorporated Exhibit II, Scope of Contractor Deliverables/Financial Obligations. b. Exhibit I Insurance requirements which are described in the attached and incorporated Exhibit I, are added to the Contract. c. The Not to Exceed amount shall be increased from $1,629,850 to $2,000,000, AMENDMENT OF CONTRACT 005546 Page 2 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com For and in consideration of the mutual assurances, promises, acknowledgments, warrants, representations, and agreements set forth in the Contract and this Amendment, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged , the undersigned hereby execute this Amendment on behalf of the County, and Contractor and by doing so legally obligate and bind the County and Contractor to the terms and conditions of the Contract and this Amendment. THE CONTRACTOR: SIGN / DATE: Carahsoft Technology THE COUNTY OF OAKLAND: SIGN / DATE: Pamela L. Weipert, CPA CIA, Compliance Officer or Scott N. Guzzy, CPPO, MBA, Purchasing Administrator aec Steve Jacyna (Jan 24, 2019) Steve Jacyna Scott N. Guzzy (Jan 24, 2019) AMENDMENT OF CONTRACT 005546 Page 3 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com EXHIBIT I CONTRACTOR INSURANCE REQUIREMENTS During this Contract, the Contractor shall provide and maintain, at their own expense, all insurance as set forth and marked below, protecting the County against any Claims, as defined in this Contract. The insurance shall be written for not less than any minimum coverage herein specified. Primary Coverages Commercial General Liability Occurrence Form including: (a) Premises and Operations; (b) Products and Completed Operations (including On and Off Premises Coverage); (c) Personal and Advertising Injury; (d) Broad Form Property Damage; (e) Independent Contractors; (f) Broad Form Contractual including coverage for obligations assumed in this Contract; $1,000,000 – Each Occurrence Limit $1,000,000 – Personal & Advertising Injury $2,000,000 – Products & Completed Operations Aggregate Limit $2,000,000 – General Aggregate Limit $ 100,000 – Damage to Premises Rented to You (formally known as Fire Legal Liability) Workers’ Compensation Insurance with limits statutorily required by any applicable Federal or State Law and Employers Liability insurance with limits of no less than $500,000 each accident, $500,000 disease each employee, and $500,000 disease policy limit. 1. ☒ Fully Insured or State approved self-insurer. 2. ☐ Sole Proprietors must submit a signed Sole Proprietor form. 3. ☐ Exempt entities, Partnerships, LLC, etc., must submit a State of Michigan form WC-337 Certificate of Exemption. Commercial Automobile Liability Insurance covering bodily injury or property damage arising out of the use of any owned, hired, or non-owned automobile with a combined single limit of $1,000,000 each accident. This requirement is waived if there are no company owned, hired or non -owned automobiles utilized in the performance of this Contract. Commercial Umbrella/Excess Liability Insurance with minimum limits of $2,000,000 each occurrence. Umbrella or Excess Liability coverage shall be no less than following form of primary coverages or broader. This Umbrella/Excess requirement may be met by increasing the primary Commercial General Liability limits to meet the combined limit requirement. AMENDMENT OF CONTRACT 005546 Page 4 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Supplemental Coverages (Required as Checked) 1. ☐ Professional Liability/Errors & Omissions Insurance (Consultants, Technology Vendors, Architects, Engineers, Real Estate Agents, Insurance Agents, Attorneys, etc.) with minimum limits of $1,000,000 per claim and $1,000,000 aggregate. 2. ☐ Commercial Property Insurance. The Contractor shall be responsible for obtaining and maintaining insurance covering their equipment and personal property against all physical damage. 3. ☐ Liquor Legal Liability Insurance with a limit of $1,000,000 each occurrence shall be required when liquor is served and/or present. 4. ☐ Pollution Liability Insurance with minimum limits of $1,000,000 per claim and $1,000,000 aggregate when cleanup & debris removal are part of the services utilized. 5. ☐ Medical Malpractice Insurance with minimum limits of $1,000,000 per claim and $1,000,000 aggregate. 6. ☐ Garage Keepers Liability Insurance with minimum limits of $1,000,000 per claim and $1,000,000 aggregate. 7. ☒ Cyber Liability Insurance with minimum limits of $1,000,000 per claim and $1,000,000 aggregate. 8. ☐ Other Insurance Coverages as may be dictated by the provided product/service and deemed appropriate by the County Risk Management Department. AMENDMENT OF CONTRACT 005546 Page 5 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com General Insurance Conditions The aforementioned insurance shall be endorsed, as applicable, and shall contain the following terms, conditions, and/or endorsements. All certificates of insurance shall provide evidence of compliance with all required terms, conditions and/or endorsements. 1. All policies of insurance shall be on a primary, non -contributory basis with any other insurance or self-insurance carried by the County; 2. The insurance company(s) issuing the policy(s) shall have no recourse against the County for subrogation (policy endorsed written waiver), premiums, deductibles, or assessments under any form. All policies shall be endorsed to provide a written waiver of subrogation in favor of the County; 3. Any and all deductibles or self-insured retentions shall be assumed by and be at the sole risk of the Contractor; 4. Contractors shall be responsible for their own property insurance for all equipment and personal property used and/or stored on County property; 5. The Commercial General Liability and Commercial Automobile Liability policies along with any required supplemental coverages shall be endorsed to name the County of Oakland and it officers, directors, employees, appointees and commissioners as additional insured where permitted by law and policy form; 6. The Contractor shall require its contractors or sub-contractors, not protected under the Contractor’s insurance policies, to procure and maintain insurance with coverages, limits, provisions, and/or clauses equal to those required in this Contract; 7. Certificates of insurance must be provided no less than ten (10) Business Days prior to the County’s execution of the Contract and must bear evidence of all required terms, conditions and endorsements; and 8. All insurance carriers must be licensed and approved to do business in the State of Michigan and shall have and maintain a minimum A.M. Best’s rating of A- unless otherwise approved by the County Risk Management Department. AMENDMENT OF CONTRACT 005546 Page 6 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com EXHIBIT II SCOPE OF CONTRACTOR DELIVERABLES / FINANCIAL OBLIGATIONS 1. Project Summary 1.1. Contractor shall perform the tasks described in this Exhibit and summarized below to utilize its product known as “Okta”: 1.1.1. Conduct a three-day architectural workshop to clearly define requirements for all activities within the scope of this Exhibit. 1.1.2. Create a high-level Design Document. 1.1.3. Basic setup of the Okta tenant, to include multi-factor authentication, Branding, Desktop single sign-on, and password self-service. 1.1.4. Integrate three (3) Active Directory (“AD”) domains with Okta. 1.1.5. Integrate one (1) MS Office 365 (“O365”) tenant with Okta, to include life-cycle management use cases and single sign-on. 1.1.6. Support the replacement ADFS by integrating eight (8) applications with a SAML 2.0 connection to Okta via the Application Integration Wizard. 1.1.7. Support the County's migration to Amazon Web Services (“AWS”) by integrating one (1) applications with an LDAP connection to Okta. 1.1.8. Support the County's migration to AWS by integrating four (4) Okta integration network applications with a Security Assertion Markup Language (“SAML”) 2.0 connection to Okta. 1.1.9. Support the rapid expansion of the County's Identity and Access Management (“IAM”) initiatives by Integrating five (5) legacy SiteMinder applications to connect with Okta via SAML 2.0. 1.1.10. Conduct a single one-time migration of a security question set from legacy system(s) into Okta. 1.2. Items 1.1.1 through 1.1.12 comprise the IAM Project which shall be identified as the “Project”. 2. Project Scope The following activities shall be within the scope of this Exhibit. 2.1. Project Readiness 2.1.1. Contractor and County Project Managers will meet to review the following: 2.1.1.1. Project charter 2.1.1.2. Statement of work 2.1.1.3. Project schedule 2.1.1.4. Resource management AMENDMENT OF CONTRACT 005546 Page 7 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 2.1.1.5. Risks management 2.1.1.6. Okta deployment methodology 2.1.1.7. County’s IT methodology 2.1.1.8. Communication plan 2.1.1.9. Technical readiness assessment 2.1.1.10. Application integration questionnaire 2.1.1.11. Enablement and adoption plan 2.1.2. County Obligations for Project Readiness Meeting 2.1.2.1. Actively participate in Project readiness sessions and kickoff meeting. 2.1.2.2. Collaborate with Contractor Project Manager on creating a high-level Project schedule, Project communication plan, and kickoff meeting agenda. 2.1.2.3. Provide to Contractor all relevant User Acceptance Testing (“UAT”) and production practices, processes and polices. 2.1.2.4. Provide required resources for participation: Contract Administrator, Project Manager, and technical resources. 2.1.2.5. To facilitate the successful completion of the service described in this Exhibit, County will complete administrative training activities before deployment activities begin. This will ensure that both Parties are able to communicate effectively and minimize any knowledge gaps during working sessions as this service is delivered remotely. 2.1.3. Assumptions 2.1.3.1. Project readiness sessions will be conducted remotely. 2.1.3.2. The kickoff meeting will be delivered remotely unless otherwise scheduled in advance. 2.1.3.3. The Project Communication Plan is focused on the communication of the Parties implementation efforts and is not the County's end user or business user communication plan. 2.2. Kickoff 2.2.1. Meeting Contractor and County Project Managers will conduct the kickoff meeting to communicate the following to Project stakeholders: 2.2.1.1. Project vision 2.2.1.2. Project team roles and responsibilities 2.2.1.3. Solution scope, success criteria, and exclusions 2.2.1.4. Priorities and use case validation 2.2.1.5. Timeline, milestones, high level Project plan AMENDMENT OF CONTRACT 005546 Page 8 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 2.2.1.6. Risks and concerns 2.2.1.7. Project Communication Plan 2.2.1.8. Project methodology 2.2.1.9. Activity plan 2.3. Architectural Workshop Contractor will communicate with County to obtain all necessary information to successfully implement the Project. The architectural workshop will define the functional and technical requirements for implementation. Contractor shall identify: 2.3.1. Okta Deployment and Settings 2.3.1.1. Confirm Okta tenant architecture and settings. 2.3.1.2. Review internal and external use cases. 2.3.2. User Deployment 2.3.2.1. Review internal and external use cases. 2.3.2.2. For external, review user migration requirements and strategy. 2.3.3. Directory Integration 2.3.3.1. Review environmental, functional and security design within County’s environment. 2.3.3.2. County to provide applicable documentation supporting requirements. 2.3.3.3. Review Okta AD agent requirements. 2.3.3.4. Review account activation processes (JIT, Import Matching, Custom). 2.3.3.5. Review AD mastered profile and password management requirements. 2.3.4. Multi-Factor Authentication (“MFA”) 2.3.4.1. Determine MFA factor types. 2.3.4.2. Review MFA factor requirements for internal use cases. 2.3.4.3. Review plan for tenant and applications policies. 2.3.5. Desktop Single Sign-On 2.3.5.1. Review requirements to support desktop single sign-on: 2.3.5.1.1. Host requirements (new or co-exist) 2.3.5.1.2. Network and domain requirements 2.3.5.1.3. Review AD to Integrated Windows Authentication (“IWA”) to verify optimal configuration. 2.3.5.2. Review failover and high availability configurations. 2.3.6. Okta Universal Directory 2.3.6.1. Review environmental, functional and security requirements. 2.3.6.2. Review AD mastered profile and password management requirements. 2.3.6.3. Review account activation processes (manual, Application Program Interface (“API”), custom). AMENDMENT OF CONTRACT 005546 Page 9 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 2.3.6.4. Determine profile mapping conditions and/or requirements. 2.3.7. Application Deployment 2.3.7.1. Review list of applications in scope for the Project. 2.3.7.2. Review O365 environment and functional requirements. 2.3.7.3. Determine application requirements for SSO and profile management. 2.3.7.4. Determine application JIT provisioning using SAML/Web Services Federations (“WS-Fed”). 2.3.7.5. Determine approach for application assignment and authorization 2.3.7.6. Group or dynamic group memberships. 2.3.7.7. Determine application login policies. 2.3.7.7.1. On & off network 2.3.7.7.2. MFA 2.3.8. County Obligations 2.3.8.1. Provide resources and participate in the design workshop. Resources should include, at a minimum: Project Manager, architect, subject Matter Experts (“SMEs”). 2.3.8.2. County to provide applicable documentation in support of Project requirements. 2.3.9. Assumptions 2.3.9.1. County will provide schedule and availability of County employees and contractors for an architecture workshop of up to three (3) days duration. 2.4. Project Management 2.4.1. Meeting The Contractor Project Manager will be accountable for the successful completion of all activities outlined in Exhibit. Contractor Project Manager is responsible for activities performed on time, within budget, and as specified in the Contract. Specific activities include: 2.4.1.1. Create Project Plan, monitor the execution of Project activities and coordinate any changes through the change control process. 2.4.1.2. Create and update Project issues and Risk Logs. 2.4.1.3. Manage activities of Contractor Project team. 2.4.1.4. Manage and track Project resource scheduling and Project assignments. 2.4.1.5. Work collaboratively with County Project Manager to develop the Project Communication Plan and track progress and report status throughout the Project. AMENDMENT OF CONTRACT 005546 Page 10 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 2.4.1.6. Leverage Okta implementation methodology, experience, and tools to rapidly enable County to adopt the Okta service. 2.4.2. County Obligations 2.4.2.1. Participate in all Project status meetings. 2.4.3. Assumptions 2.4.3.1. Project status meetings will be held on a weekly basis during the entire duration of the Project and conducted remotely. 2.4.3.2. Extended delays or higher dedication of staffing required may be considered under the change control process described in Appendix A. 2.5. Project Deliverables 2.5.1. High-Level Design Documentation 2.5.1.1. Conduct Preliminary design review meeting(s). 2.5.1.2. Produce architectural diagrams as required. 2.5.1.3. Draft a high-level Design Document. 2.5.1.4. Conduct Design Document review meeting(s). 2.5.1.5. Rework Design Document as required through not more than two revision cycles. 2.5.2. Communications Plan 2.5.2.1. The Communication Plan will be used by County and Contractor to keep County users informed about the status of the Project. 2.5.3. County Obligations 2.5.3.1. Provide an application architect with detailed County organizational knowledge. 2.5.4. User Acceptance Test Plan 2.5.5. Transition Plan 2.5.6. Closeout Notification 2.5.7. Assumptions 2.5.7.1. All documentation will be prepared using a Contractor supplied template. 2.5.7.2. Deployment phase activities will not begin until Design Document revisions are agreed to by County. 2.5.7.3. After County receives each of the following Deliverables: Detailed Project Plan, Design Document, Communications Plan, User Acceptance Test Plan, Transition Plan and, Closeout Notification, County shall have five (5) business days to review the Deliverable and notify Contractor if it is acceptable. If the Deliverable requires modifications, County shall provide Contractor with a written list of the AMENDMENT OF CONTRACT 005546 Page 11 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com sections in the Deliverable that need to be modified. Upon receipt of the revised Deliverable, County shall have five (5) business days to review the Deliverable and notify Contractor if the Deliverable is Acceptable. This process will continue until County provides written notice that each individual Deliverable is acceptable. 2.6. Okta Base Configuration – Enterprise 2.6.1. Contractor Obligations 2.6.1.1. Okta Tenant Setup Work collaboratively with County to: 2.6.1.1.1. Create and validate the County's Okta tenant. 2.6.1.1.2. Review best practices for Okta Org administration and configuration. 2.6.1.1.3. Configure global tenant settings. 2.6.1.1.4. Review best practices for Okta groups and application assignments. 2.6.1.2. Directory Integration 2.6.1.2.1. Work collaboratively with County to install and configure up to three (3) Okta Directory Agents each for up to three (3) domains. 2.6.1.2.2. Configure policies for import matching and account activations. 2.6.1.2.3. Extend the Okta Universal Directory user schema. 2.6.1.2.4. Review best practices and recommendations for handling matching conflicts. 2.6.1.2.5. Work collaboratively with County to configure Directory for users and groups. 2.6.1.2.6. Review best practices and recommendations for optimizing Directory object imports. 2.6.1.3. Desktop SSO 2.6.1.3.1. Work collaboratively with County to install and configure up to two (2) Okta desktop SSO agents for each in-scope AD domain integration. 2.6.1.3.2. Work collaboratively with County to configure failover and high availability of Desktop SSO. 2.6.1.4. Password Self-Service 2.6.1.4.1. Work collaboratively with the County to configure permission on Okta’s Active Directory service account to AMENDMENT OF CONTRACT 005546 Page 12 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com ensure the account can manage passwords for the County end users. 2.6.1.4.2. Configure up to three (3) password policies within Okta. 2.6.2. County Obligations 2.6.2.1. Responsible for the completeness and accuracy of data for the organizational units (“OUs”), groups, and user objects being integrated with Okta and any manual remediation needed. 2.6.2.2. Ensure that all Microsoft Windows Member Servers (joined to the Active Directory domain) are production ready for installation of Okta Directory Agents and Okta Desktop SSO agents. Contractor recommends two (2) servers, at a minimum, to provide server/agent redundancy. 2.6.3. Assumptions 2.6.3.1. County will plan their integration with an on-premise AD. County will review its environment and functional requirements and determine any recommended changes. 2.6.3.2. Contractor will assist County with browser configuration for a sin gle model workstation with a supported version of the following browsers (Safari, Firefox, Chrome, Internet Explorer). County will be responsible for deploying browser configurations to the remaining workstations, laptops, or mobile devices (e.g. via AD group policy for Internet Explorer). 2.6.3.3. If necessary, County will provide enterprise load balancing solution (e.g. an F5 load balancer) to ensure optimal performance in configuring failover and high availability of the Desktop SSO solution. 2.7. Multi-Factor Authentication 2.7.1. Contractor Obligations 2.7.1.1. Provide an overview of Okta MFA, policies, factor types, and integration with County use cases. 2.7.1.2. Work collaboratively with the County to configure MFA sign-on policies and enrollment policies. Contractor shall provide County with: 2.7.1.2.1. Up to three (3) sign-on policies. 2.7.1.2.2. Up to three (3) enrollment policies. 2.7.1.3. Work collaboratively with the County to configure the factor(s): 2.7.1.3.1. Okta Verify, which is the mobile phone application with which MFA can be rolled out to an end-user population. 2.7.1.3.2. Secure Message Service (“SMS”) for MFA, which is a AMENDMENT OF CONTRACT 005546 Page 13 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com common method to disseminate Multi Factor Authentication requests. 2.7.2. County Obligations 2.7.2.1. County will purchase or license separately all factors, software, and other requisite infrastructure for MFA. 2.7.2.2. County will be responsible for end user testing associated with MFA. 2.7.3. Assumptions 2.7.3.1. County is responsible for any service provider charges related to the use of SMS as an MFA Factor. 2.7.3.2. Contractor will only work on MFA devices that are currently supported by Contractor, and listed above. 2.8. Security Question Migration 2.8.1. Contractor Obligations 2.8.1.1. An Okta technical consultant will work with County to import one (1) security question and one (1) security question response into Okta. 2.8.2. County Obligations 2.8.2.1. County will make security question and security question response available to Contractor in a machine-readable format. 2.8.2.2. All Security Question/Response records will reflect the User’s Okta user ID. 2.8.3. Assumptions 2.8.3.1. Contractor will not import security question and security question responses for which there is no corresponding user record in Okta. 2.9. Okta Integration Network O365 2.9.1. Contractor Obligations 2.9.1.1. Planning and Design Work Collaboratively with the County to review the following: 2.9.1.1.1. County O365 deployment state. 2.9.1.1.2. Empty O365 tenant or fully migrated mailboxes. 2.9.1.1.3. Existing federation or SSO not currently configured. 2.9.1.1.4. County O365 license plan 2.9.1.1.5. Group requirements for license management. 2.9.1.1.6. Active Directory integration or Okta mastered only as directed by County. 2.9.1.1.7. MFA requirement. 2.9.1.1.8. MFA for web clients. 2.9.1.1.9. MFA for thick clients (Supported only for 2013 and 2016 AMENDMENT OF CONTRACT 005546 Page 14 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com clients). 2.9.1.1.10. Review O365 environment and functional requirements. 2.9.1.1.11. Review mapping rules using Okta UD profile mapping for up to eight (8) common or standardized AD fields. 2.9.1.1.12. Review the AD schema for a list of attributes that needs to be provisioned to O365. 2.9.1.2. Single Sign On 2.9.1.2.1. Work collaboratively with the County to configure the application for single sign on production deployment and testing. 2.9.1.3. Provisioning Work Collaboratively with the County to: 2.9.1.3.1. Determine which version of provisioning is suitable (Only Profile Sync or Universal Sync or License Management may be chosen). 2.9.1.3.2. Plan for migration strategy if the County is using DirSync. 2.9.1.3.3. Configure group-based provisioning. 2.9.1.3.4. Update and de-provision profiles in O365. 2.9.1.3.5. Configure Group Push. 2.9.1.3.6. Configure attribute mappings between Okta and O365. 2.9.1.4. User Imports 2.9.1.4.1. Work collaboratively with the County to configure user account linking (Existing cloud only users to directory managed users). 2.9.2. County Obligations 2.9.2.1. Provide access to third-party services, software, or metadata to facilitate configuration and testing activities. 2.9.2.2. Procure services or software with the appropriate license rights necessary to complete the configuration. 2.9.2.3. O365 specific configuration: County (users') UPN's match their Primary SMTP address in Microsoft® Active Directory as the UPN will be replicated to both Okta and O365. 2.9.2.4. O365 specific configuration: UPN domain suffix must be under the domain that County chooses to set up for single sign-on. 2.9.2.5. O365 specific configuration: All the users UPN in AD should be fixed before federating. 2.9.2.6. O365 specific configuration: The domain chosen for federation must be AMENDMENT OF CONTRACT 005546 Page 15 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com registered as a public domain with a domain registrar or within County Public DNS servers. 2.9.2.7. In certain cases, O365 account provisioning requires Azure AD Connect (DirSync) to be installed and configured according to the vendor’s deployment or installation guides. 2.9.2.8. County must own, have created, and provide access to a Microsoft administration account in the O365 tenant. 2.9.3. Assumptions 2.9.3.1. All County’s obligations under 2.9 will be completed before configuration activities will begin. 2.9.3.2. Hybrid O365 environments are not supported for profile or universal sync provisioning. 2.10. Okta Integration Network SAML Integration. 2.10.1. Contractor Obligations 2.10.1.1. Okta Production Environment For each integration listed below, a Contractor technical consultant will work collaboratively with the County to: 2.10.1.1.1. Configure the Okta Integration Network (“OIN”) application for SAML single sign-on and perform unit testing in the Okta production environment. 2.10.1.1.2. Review the final integration configuration with the County’s Okta administrator. 2.10.1.2. OIN SAML Integration 2.10.1.2.1. Integrate twelve (12) application(s) with Okta using SAML for single sign-on. 2.10.2. County Obligations 2.10.2.1. If not identified above, the County will identify the applications to be integrated by Contractor during the Project readiness phase described in Section 2.1. 2.10.2.2. Identify application SME to work collaboratively with Contractor on these integrations. 2.10.2.3. Procure services or software with the appropriate license rights necessary to complete the integration. 2.10.3. Assumptions 2.10.3.1. No custom single sign-on integrations will be built by Contractor under section 2.10, herein. Single sign-on integrations not currently available in the OIN may be able to be built using the Wizard or Template AMENDMENT OF CONTRACT 005546 Page 16 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com method. These integrations can be purchased separately by County as an amendment to the Contract. 2.11. Application Integration Assistance – Lightweight Directory Access Protocol (“LDAP”) 2.11.1. Contractor Obligations 2.11.1.1. LDAP Integration Contractor will provide assistance to County for integration with an LDAP source to enable the following use cases: 2.11.1.1.1. Create user 2.11.1.1.2. Update user 2.11.1.1.3. Remove user 2.11.1.1.4. Create group 2.11.1.1.5. Update group 2.11.1.1.6. Remove group 2.11.1.1.7. Add users to group 2.11.1.1.8. Remove users from group 2.11.1.1.9. Custom profile from Universal Directory (“UD”), which is the Okta repository for user identity information 2.11.1.1.10. Profile transformation 2.11.1.1.11. Group memberships based on custom logic 2.11.2. County Obligations 2.11.2.1. County will provide a knowledgeable administrator to assist with creating, maintaining or updating LDAP format and schema in order to properly integrate with Okta. 2.11.2.2. County assumes all responsibilities related to target application availability; performance; security; data accuracy, completeness, and cleanliness. 2.11.2.3. County shall provide a suitable environment for hosting custom developed web applications or pages. 2.11.3. Assumptions 2.11.3.1. LDAP applications are directly accessible in reference to Okta's Provisioning Connector. 2.11.3.2. Target application must support and be licensed for the requested use cases. 2.11.3.3. County is appropriately licensed for Okta advance provisioning and any third-party APIs for target application. 2.12. Okta Integration Network SAML Application Integration Wizard 2.12.1. Contractor Obligations AMENDMENT OF CONTRACT 005546 Page 17 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 2.12.1.1. Okta Production Environment 2.12.1.1.1. Contractor shall provide an Okta Technical Consultant to work collaboratively with the County to: 2.12.1.1.2. Configure the application for SAML single sign-on using the Okta Application Integration Wizard and perform unit testing in the Okta production environment. 2.12.1.1.3. Review the final integration configuration with the County’s Okta administrator. 2.12.1.2. Contractor shall integrate up to five (5) SAML application(s) within Okta using the SAML application integration wizard for single sign-on. 2.12.2. County Obligations 2.12.2.1. If not identified above, the County will identify the applications to be integrated with Okta during the Project readiness session. 2.12.2.2. Identify an application SME to work collaboratively with Contractor on the integrations. 2.12.2.3. Procure services or software with the appropriate license rights necessary to complete the integration. 2.12.3. Assumptions 2.12.3.1. Integrations not identified by name in this Exhibit are identified by integration method. 2.12.3.2. No custom single sign-on integrations will be built. Single sign-on integrations not currently available in the Okta Integration Network (OIN) will be built using the Wizard or Template method. Custom integrations may be purchased separately. 2.13. Form-POST Application Integration 2.13.1. Contractor Obligations 2.13.1.1. For up to six (6) Form-POST applications, Contractor will work partner with County to define and remediate requirement for the integration with County’s Okta tenant. 2.13.1.2. For each application identified in the Design Document, Contractor shall provide a technical consultant and cloud enterprise architect to analyze, design, document and deploy the integration. 2.13.1.3. Contractor will work with County to troubleshoot Okta authentication & login issues. 2.13.2. County Obligations 2.13.2.1. If not identified above, the County will identify the applications to be integrated during the Project readiness phase described in Section 2.1. AMENDMENT OF CONTRACT 005546 Page 18 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 2.13.2.2. For each application listed in the Design Document, County will identify application subject matter experts to work collaboratively with Contractor on these integrations. 2.13.2.3. County subject matter experts will be available to work with Contractor throughout the Project. 2.13.2.4. Procure services or software with the appropriate license rights necessary to complete the integration. 2.14. SiteMinder Application Integration 2.14.1. Contractor Obligations 2.14.1.1. Contractor will provide configuration consulting services as needed to advise County on conversion of legacy SiteMinder applications to SAML 2.0. 2.14.2. County Obligations 2.14.2.1. County will work with Contractor Project Manager to schedule time with an Okta cloud enterprise architect or technical consultant. 2.14.2.2. County will work collaboratively with Contractor to identify consulting services need. 2.14.2.3. County is responsible for the support and maintenance of any custom code written as part of this Project. 2.14.2.4. County is responsible for hosting and running any custom code written as part of this Project. 2.14.3. Assumptions 2.14.3.1. County will develop all custom code and only rely on Contractor for support/troubleshooting the usage of Okta APIs. 2.15. Training 2.15.1. Contractor shall provide County with training on use of Okta. Training shall be subject to the Okta, Inc. Training Service Terms and the Okta Free Trial Service Agreement, both of which are incorporated into the Contract and are part of this Exhibit as Appendix D and Appendix E, respectively. 2.16. Go Live Support 2.16.1. Contractor Obligations 2.16.1.1. Go Live Support 2.16.1.1.1. Provide resources online supporting production launch. 2.16.1.1.2. Issue resolution support during go live. 2.16.1.1.3. Engage its support team as required. 2.16.1.1.4. Support execution of back out plan(s), which is a contingency plan to ensure continuity of operations, should AMENDMENT OF CONTRACT 005546 Page 19 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com the deployment of the platform, or a part of the solution behave other than required. 2.16.1.2. Post-Production - 16 Hours Provide up to sixteen (16) hours of post-production support to include: 2.16.1.2.1. Review reported issues from County. 2.16.1.2.2. Assist County with their response to end user questions. 2.16.1.2.3. Remediation of defects discovered for features included in the Project. 2.16.1.2.4. Conduct a 2-hour knowledge transfer (KT) review session for County. 2.16.1.2.5. Conduct a final review of configurations with County. 2.16.1.2.6. Provide troubleshooting guidance and process to engage Contractor support. 2.16.2. County Obligations 2.16.2.1. Define, managed and execute Go-Live process and event including: 2.16.2.1.1. Securing participation for subject matter experts and 3rd party vendors, as required. 2.16.2.1.2. Provide a detailed back out plan. 2.16.2.1.3. Follow County IT change advisory process for implementation. 2.16.2.1.4. Define, manage, and execute deployment and end-user communications plan. 2.16.2.1.5. Perform validation in production environment. 2.16.2.1.6. Participate in knowledge transfer session provided by Contractor. 2.16.3. Assumptions 2.16.3.1. Production systems are to be in place and verified 1 week prior to production launch. Includes (but not limited to): 2.16.3.1.1. On premise hardware. 2.16.3.1.2. Okta tenants. 2.16.3.1.3. Third party components. 2.16.3.1.4. Production launch and support outside of normal business hours to be identified during Project planning sessions or at minimum scheduled with a minimum of two (2) weeks’ notice for remote support and three (3) weeks for onsite support. 3. Out of Scope. The following items are not part of the Project. AMENDMENT OF CONTRACT 005546 Page 20 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 3.1. General Out of Scope Items 3.1.1. Any activity not specifically listed in this Exhibit or Contract amendments to this Exhibit. 3.1.2. User management features not supported within the Okta Integration Network (OIN). 3.1.3. Integration with applications not listed in the Design Document. 3.1.4. Provisioning to on premise applications not defined herein. 3.1.5. Bi-directional password synchronization. 3.1.6. Functionality that may have been demonstrated as roadmap, beta or early release programs. 3.1.7. County staging, end user communication, and change management. 3.1.8. Secondary go-live events for additional populations (Change Control Process - Section 8). 3.2. Project Specific Out of Scope Items 3.2.1. Appendix C, Authentication type 4A (SharePoint Online with O365) is a subset of authentication type 3 (O365). 3.2.2. Appendix C, authentication type 5A, requires no Okta PS work. 3.2.3. Authentication type 6 (kiosk) is not a unique authentication type. No Okta PS work is required. 3.2.4. Authentication type 7 (Native Phone Applications) is out of scope for the current PS engagement. 3.2.5. Any applications that do not conform to County’s documented authentication types are not within the scope of this Project. 3.2.6. Appendix C, authentication types not expressly addressed are out of scope for this Project. 4. Fees and Expenses 4.1. County shall pay Contractor the fees and expenses set forth on the applicable Order Form in accordance with the terms of the Contract. Actual reasonable and out-of-pocket expenses are not included herein and will be invoiced separately per the terms of the Contract. 4.2. Services described herein will be provided on a time and materials basis. Fees listed in the table below are estimates based on information the County has provided to Contractor. This estimate does not represent a commitment or guarantee of minimum or maximum hours required to complete the tasks described above. Should there be any change to the information that effects the basis of the estimate, Co ntractor will notify the County, and the Parties will work in good faith to execute an amendment to the Contract. 4.3. A potential increase in hours may occur for, but is not limited to, any of the following AMENDMENT OF CONTRACT 005546 Page 21 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com reasons: 4.3.1. Extended discovery sessions required to understand County’s requirements and determine scope. 4.3.2. County’s Project team does not meet deadlines. ROLE RATE HOURS FEES Technical Consultant $273.68 384 (USD) $105,093.12 Technical Project Manager $289.47 222 (USD) $64,262.34 Technical Engagement Manager $289.47 8 (USD) $2,315.76 Cloud Enterprise Architect $310.53 212 (USD) $65,832.36 Estimated Travel and Expenses $12,000.00 (USD) $12,000.00 Estimated Fee Total (USD) $249,503.58 4.4. Contractor will submit a Time and Activity Report for the previous month’s services that County shall promptly review. If County believes, in reasonable good faith, that any information in the Time and Activity Report is inaccurate, County shall have five (5) business days from receipt of the Time and Activity Report to dispute such inaccuracy (''Dispute Period''). If County does not dispute the Time and Activity Report during the Dispute Period, any such dispute shall be deemed waived. 4.5. Professional services described herein will be provided for a period of up to twenty (20) weeks following the initial project planning meeting. If Project delays are incurred due to County’s failure to cooperate, Contractor may terminate following the provisions in the Contract. 5. Scheduling and Invoicing 5.1. Contractor will provide services during regular business hours (8:00 a.m. to 5:00 p.m.), not to exceed forty (40) hours in any one week, Monday through Friday, except holidays (''Business Hours''). Contractor will work either onsite at the County location, or remotely based on a mutually agreed to plan. For Contractor cloud enterprise architects and technical consultants, (i) onsite work shall be charged at a minimum of eight (8) hours per day, unless mutually agreed to in advance, and (ii) remote work shall be charged at a minimum of four (4) hours per day. 5.2. Okta will designate a Project Manager as the principal point-of-contact for the project and will charge a minimum of one (1) hour per week for project administration. Should County require that an Okta resource work outside of ''Business Hours'', Okta will bill County at a premium of one and one-half (1.5) the hourly rate for each hour a resource works. For work provided on a weekend or holiday, Okta will bill County a minimum of AMENDMENT OF CONTRACT 005546 Page 22 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com eight (8) hours per day. Should County require that an Okta resource be available in an on-call or standby capacity, Okta will bill County a minimum of eight (8) hours per day at a premium of one and one-half (1.5) the hourly rate. County must cancel any professional services scheduled to be provided either remote or onsite at least two (2) business days in advance or County will be charged in full for the services scheduled. The County will be charged for any onsite travel expenses that cannot be refunded due to cancellation, such as airfare. Services and expenses will be invoiced monthly. 6. County Obligations The County will: 6.1. Actively participate, providing requested integration information, and otherwise completing its obligations as set forth herein in a timely manner. 6.2. Complete the functional and technical analysis and discovery described herein. 6.3. Establish a communication and escalation plan including assigning appropriate representatives who are knowledgeable about the technical and business aspects involved in the Project including a dedicated Project Manager. 6.4. Provide access to any third-party services or software, as required, subject to license terms. 6.5. Procure services or software and license rights necessary for the Project. 6.6. Pay any service provider costs required to enable SSO on required applications. 6.7. Provide and test all of the necessary remote access required for the Project prior to the commencement of the Project Readiness phase in Section 2.1. 6.8. Be responsible for all hardware/virtual machines operating system(s), browser(s), commercial application(s), code for custom developed applications, application/web server(s), directory(s), database, network, proxy, and firewall maintenance and security as well as an active backup and recovery strategy as applicable for the aforementioned. 6.9. Provide complete and accurate data for integration with Okta. 6.10. Prepare and manage all communications to promote greater adoption and higher satisfaction from users. Sample communication templates may be provided by Contractor for County use. 7. Project Assumptions 7.1. General Project Assumptions 7.1.1. This Project only includes activities specifically included in this Exhibit and any amendment to it. 7.1.2. The Parties will work together in good faith to resolve any project issues quickly. 7.1.3. If County is unable to cooperate in a timely manner, not to exceed five (5) business days, Contractor may suspend its performance. Should Contractor suspend its services, all fees paid or payable associated with services already AMENDMENT OF CONTRACT 005546 Page 23 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com completed shall be considered earned in full. Any services listed in this Exhibit not completed the associated fees not earned will be voided. Any and all services requested by the County following such suspension will require County to send a written request to Contractor seeking re-engagement and execution of a new SOW. Upon execution of a new SOW, Contractor will promptly resume the services. Contractor cannot guarantee that the original resources will be re - assigned. 7.1.4. Scheduling for the services will be mutually agreed upon by the Parties prior to the commencement of the services hereunder. 7.1.5. Contractor will follow independent software vendor guidelines for supported and deprecated versions of a product. 7.1.6. The services will be conducted remotely and offsite. Should any work be required at County’s site, travel expenses shall be invoiced in accordance with the Contract and County will provide Contractor Employees with an adequate work environment. 7.1.7. The Contractor Project Team resources will become available not later than five (5) weeks following execution of the Contract. 7.1.8. The order of work will be determined during the Architectural Workshop. 7.2. Project Specific Assumptions 7.2.1. Prior to beginning any development work, County must agree and approve the solution Design Document provided by Contractor in the Design Workshop. 7.2.2. Linkage of Okta identities to down-stream application identities is beyond the scope of this Project. County will manually reconcile the various users' identities. 7.2.3. Provisioning, which is the non-run-time process of creating user profile within a third-party application, is beyond the scope of this Project. County's existing provisioning mechanisms and procedures will be replaced subsequent to this Project. During the workshop, County will determine if the O365 integration will leverage Okta for Life Cycle Management. 7.2.4. County’s Active Directory integration and O365 will deploy as early as possible. 7.2.5. Appendix C, Number 5 is not a separate use case and is redundant to other Authentication Types in Appendix C. 7.2.6. Appendix C, Number 6 is not a separate use case and is redundant to other Authentication Types in Appendix C. 7.2.7. Appendix C, Number 7 is not required at this point, and is out of scope for this engagement. County does not have any native phone apps currently. 8. Change Control Process 8.1. Should the scope of this Project change, the changes will be addressed through a Change AMENDMENT OF CONTRACT 005546 Page 24 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Request Form, a copy of which is attached hereto as Appendix A, provided by the Party requesting the change to the other Party. 8.2. Contractor will work with County to determine the impact to the project schedule or cost. 8.3. A Change Request Form will become effective when an amendment to the Contract is signed by all Parties. 8.4. Upon execution of a Contract Amendment, Contractor representatives will be allocated in accordance with the amendment. 8.5. A Change Request Form must be completed for every scop e change even if there is no impact on effort, resources, budget or timeline. Additional work may not be provided by Contractor until a Contract Amendment is executed. AMENDMENT OF CONTRACT 005546 Page 25 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com APPENDIX A SAMPLE COUNTY AMENDMENT AND CHANGE REQUEST FORM Department Buyer AMENDMENT OF CONTRACT [Contract Number] AMENDMENT [Change Order Number] AMENDMENT DATE: This AMENDMENT OF CONTRACT (hereafter this "Amendment") is made and entered into by and between the Contractor named and identified below, (hereafter “Contractor”) and the COUNTY OF OAKLAND (hereafter “County”) whose address is 2100 Pontiac Lake Rd, Waterford, MI 48328. CONTRACTOR ADDRESS [Vendor] Vendor Number: [Vendor Number] The County and Contractor agree and acknowledge that the purpose of this Amendment is to modify as provided herein and otherwise continue the present contractual relationship between the Parties as described in their current contract with the same contract number as above. In consideration of the extension of the mutual promises, representations, assurances, agreements, and provisions in the Contract and this Amendment, the adequacy of which is hereby acknowledged by the Parties, the County and Contractor hereby agrees to amend the current Contract as follows: 1.0 The County and Contractor agree that any and all defined words or phrases in the current Contract between the parties will apply equally to and throughout the amendment. 2.0 The Parties agree that any and all other terms and conditions set forth in the current Contract between the Parties shall remain in full force and effect and shall not be modified, excepted, diminished, or otherwise changed or altered by this Amendment except as otherwise expressly provided for in this Amendment. 3.0 Description of Change: AMENDMENT OF CONTRACT 005546 Page 26 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com For and in consideration of the mutual assurances, promises, acknowledgments, warrants, representations, and agreements set forth in the Contract and this Amendment, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowle dged, the undersigned hereby execute this Amendment on behalf of the County, and Contractor and by doing so legally obligate and bind the County and Contractor to the terms and conditions of the Contract and this Amendment. THE CONTRACTOR: SIGN / DATE: [Vendor] THE COUNTY OF OAKLAND: SIGN / DATE: Pamela L. Weipert, CPA CIA, Compliance Officer or Scott N. Guzzy, CPPO, MBA, Purchasing Administrator xxx AMENDMENT OF CONTRACT 005546 Page 27 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Instructions: Please submit one Change Request Form per change request so that they may be approved and managed individually. An Contractor Project Manager will supply the County with a change request form. Change Request: Request Details County Name: Requestor Name: Requestor Title: Date Requested: County Priority: Change Order Details Change Order # [Assigned by Contractor Technical Engagement Manager] Associated with SOW Name: Requested Change Detail: Reason for Change: Impact Analysis: Project Schedule Milestone Original Date New Date Change Remarks Project Financials Increase/Decrease in hours: Increase/Decrease in cost: Approvals: On behalf of County Name: Title: Date Signed: AMENDMENT OF CONTRACT 005546 Page 28 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Comments: On behalf of Contractor Name: Title: Date Signed: Comments: AMENDMENT OF CONTRACT 005546 Page 29 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com APPENDIX B ESCALATION PROCESS Should issues arise that cannot be quickly resolved between Okta and County regarding the change control process, delays, the quality of work, or technical implementation issues, escalation will occur in accordance with the process set forth below. Change Control –Should there be delays with the Change Control Process, the processes listed below will be followed. Situation Escalation Point Process Change Control Process has been delayed 1 to 5 business days. 1. Contractor First Executive 2. County Administrator Work jointly with Project Managers to determine remediation steps and complete Change Control Process. Change Control Process has been delayed in excess of 5 business days. 1. Contractor Executive Sponsor 2. County Chief Technology Officer Work jointly with Project Managers to determine remediation steps and complete Change Control Process. Project Delays – Should there be any project delays, the processes listed below will be followed. Situation Escalation Point Process Anticipated project delays. 1. Contractor Project Manager 2. County Project Manager Standard Change Control Process (Appendix A). Actual project delays of 5% of project plan timeline. 1. Contractor County First Executive 2. County Project Manager Work jointly with Project Managers to determine impact with possible remediation steps, and complete Change Control Process (Appendix A). Actual project delays of 5% of project plan timeline. 1. Contractor Executive Sponsor 2. County Chief Technology Officer Work jointly with Project Managers to determine impact with possible remediation steps, and AMENDMENT OF CONTRACT 005546 Page 30 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com complete Change Control Process (Appendix A). Quality of Work or Technical Implementation Issues – Should there be any concerns about the quality of work, technical implementation or solution, or any other dispute, the proces ses listed below will be followed. Situation Escalation Point Process Quality of Work. 1. Contractor County First Executive 2. County Administrator Work jointly with Project Managers to determine remediation of any issues related to quality of work. Technical Implementation. 1. Contractor Technical Specialist 2. County Administrator Work jointly with Project Managers to determine best practices for technical implementation and remediate any discrepancies. Technical Solution. 1. Contractor First Executive 2. County Administrator Work jointly with Project Managers and Technical Subject Matter Experts to determine best the best path forward to resolve conflict. Any dispute that is unresolved after 5 business days. 1. Contractor Executive Sponsor 2. County Chief Technology Officer Work jointly with Project Managers to determine remediation of any issues. AMENDMENT OF CONTRACT 005546 Page 31 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com APPENDIX C OAKLAND AUTHENTICATION TYPES Application Type Authentication Type (Current State) 1 Web application Integrated Windows Authentication (with IIS) A Custom Authentication with Form-POST and a custom user store B Demonstrate how Siteminder authentication will be replaced with proposed solution C LDAP - authenticate users to applications that have an LDAP query in the configuration, but use forms based authentication D Social Media authentication (Google, Facebook, etc.) 2 SaaS Applications SAML 2.0 A Custom Authentication with Form-POST and a custom user store 3 Office 365 Authentication to Office 365 and related services 4 SharePoint Applications Integrated Windows Authentication A SharePoint online with Office 365 5 Client Server Applications Custom client server form authentication A SSO - Windows authentication 6 Kiosk Applications Applications deployed on Kiosk machines, which require a long session timeout 7 Native Phone Applications Native Phone application 8 Secure Remote Access Access to the Oakland County network for support over connection software; VPN, GoToMyPC and Bomgar AMENDMENT OF CONTRACT 005546 Page 32 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com APPENDIX D OKTA, INC. TRAINING SERVICES TERMS Scope. The scope of the Training Services, requirements, and any materials to be provided by Okta to Customer are as set forth in the applicable Okta course description or Order Form (“Course”) for the specific session or instance selected (“Class”). Capitalized terms not otherwise defined herein shall have the meanings given them in the Agreement. Payment. Customer will pay Okta the Fees, Taxes, and other charges set forth in the applicable Course description or Order Form in accordance with the Agreement. Training Ser vices Fees are non-cancelable, except as provided herein, and non -refundable. Training Units. Okta training units are prepaid credits (“Training Units”) that can be used to acquire education products and services offered by Okta and include (a) any public or private Class from the Okta Education Services catalog, (b) any published Okta certification exam, or (c) any Course or custom training solution as detailed on either an Order Form or a Statement of Work (each an “Okta Training Class”). Training Units cannot be redeemed for any non-training Okta products or services. Training Units must be utilized within 365 days of the Effective Date of the applicable Order Form on which the Training Units were purchased (“Training Unit Expiration Date”). After such Training Unit Expiration Date any remaining Training Units shall expire and no further credit or refund will be provided for any such expired Training Units. All purchases of Training Units are non - cancelable, non-refundable, non-transferable, and non-assignable. Okta reserves the right to change the price of Training Units and to change the quantity of Training Units required to procure a particular Okta Training Class. Such change will apply to any future purchases of Training Units. Training Units already purchased and confirmed registrations for an Okta Training Class will be honored at the original purchase price. Training Units are subject to these Training Terms. Training Unit accounts will be suspended if payment is not received per the invoice terms o f payment. Training Units may not be purchased by United States federal, state, or local government entities. Cancellation Policy. Okta reserves the right to cancel or substitute any Course(s) without charge. Most Okta Courses are hosted in a virtual classroom. Okta will notify Customer of any Course cancellation at least five (5) business days prior to the scheduled start date of the Course, and will work with Customer to reschedule the Course. Should Okta cancel a Course, 100% of the Training Services Fees paid by Customer will be applied to a future training Course. Okta will not be responsible or liable for any costs incurred by Customer, including but not limited to costs related to changes or cancellations in travel plans. Attendee Reschedule/Cancellation. If an attendee is unable to attend the Course in which they have enrolled, Customer must contact Okta at least five (5) business days before the start of the AMENDMENT OF CONTRACT 005546 Page 33 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Course by emailing training@okta.com with “CANCELLATION” in the subject line. If no notice is provided or notice is provided less than five (5) business days before the start of the Course, Customer will be billed 100% of the Fees. A substitute may attend in the attendee’s place with no penalties provided that Customer emails training@okta.com at least twenty-four (24) hours prior to Class start date and time. This reschedule/cancellation policy applies to both onsite and virtual Classes. For virtual Classes containing multiple segments, attendees shall not be permitted to make-up missed segments or transfer dates from one Class segment to another Class. Private Classes: Onsite or Virtual. When private Training Services are provided onsite at a Customer location (“Onsite Private Class”), Customer is responsible for providing appropriate training facilities for the Onsite Private Class, including without limitation Internet connectivity, projector, attendee computers and other reasonable classroom amenities. Instructor travel and expenses for the Onsite Private Class shall be paid by Customer and will be invoiced after the Onsite Private Class is completed. For Onsite Private Class rescheduling or cancellation, Customer must provide a minimum of ten (10) business days’ notice by sending an email to training@okta.com. If Customer cancels less than ten (10) business days in advance, Okta will bill and Customer shall owe 100% of the Fees. Training Access. If not otherwise specified in the Course description or Order Form, Training Services are sold on a per attendee basis (“Training Access Policy”), regardless of the method by which Training Services are provided (on-demand or instructor-led, or virtual or classroom). Violation of the Training Access Policy may result in attendee access to online Courses being suspended or attendees being ejected from classroom sessions. Associated Training Services Fees will be forfeited, and no refund or credit will be issued. For live instructor-led Class attendees. Each Okta Training Services seat is to be used by one individual only. Confirmed attendees are the only people who may attend the Class. Sharing the training event link with others, allowing others to look over the attendee's should er, or otherwise sharing the Class session in any way, is expressly prohibited. Confirmed attendees are the only people who will receive Course materials for the specified Class. For on-demand instructor-led (ILT) Courses. The on-demand ILT Course Fees entitle Customer to 90-day access to the specific on-demand Course purchased. Access automatically expires ninety (90) days after activation and no extensions will be permitted. Expired on-demand Courses can be renewed by re-purchasing the curriculum, in which case all learning progress will be preserved for a reasonable period of time. No rescheduling or transfers will be permitted for on -demand training Courses or lab environments once activated. Accessing Okta’s on -demand training indicates agreement to these terms. AMENDMENT OF CONTRACT 005546 Page 34 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com For on-demand lab environments. Some on-demand Courses include temporary access to a prescribed training lab environment as further described below, and access duration is as described in the Course description or Order Form, whereby such access is capped at the length of the Course as if it were being taught live (e.g. a five (5) day Course will have lab access for five (5) contiguous days). Lab access, once activated, cannot be paused and will not be extended. Due to the nature of Okta’s on-demand products and the manner that the Course information is delivered to the attendee, each on-demand Class is licensed for a single attendee and is not transferable to any other attendee. Term. All Training Services Courses must be completed or commenced no later than one (1) year from the date of initial purchase, unless otherwise specified in a Course description or Order Form. If Training Services Courses are not completed or commenced within such one (1) year period, then Customer will forfeit the right to use or schedule such Training Services Courses and will not receive any refund or credit for such forfeited Training Services. Access to Okta Training Lab Environment. In connection with Okta’s provision of Training Services hereunder, Okta may provide attending Customer and attendees (“Training Users”) with temporary and limited access to the Okta Free Trial Service and to Non-Okta Applications, solely for such Training Users’ non-commercial use and receipt of Training Services hereunder (“Training Account”). Okta may, in its sole discretion, suspend a Training User’s use of the Training Account without notice. Such Training User’s access to the Okta Training Account shall be subject to the terms and conditions set forth at https://www.okta.com/free-trial-terms.html (“Trial Agreement”). By accessing or using the Training Account, Training Users agree to the terms of such Trial Agreement in connection with use of the Training Account. Okta has no obligation to provide any maintenance, support or updates with respect to use of the Training Account. The Training Services shall not include the Okta Service or any other third-party subscription service or Non-Okta Application(s), and the Service or any such application(s) shall be licensed pursuant to a separat e agreement entered into between Customer and Okta or the applicable provider of such application(s). Materials. All title and intellectual property rights in and to the Training Services and any materials provided are owned exclusively by Okta and its partners and suppliers. The Training Services and any such materials may not be modified, copied, resold, sublicensed, or otherwise made available to third parties. The Training Services may not be used by anyone other than Training Users unless approved in writing by Okta in advance. Other than as expressly set forth herein, no license or other rights in or to the Training Services and its related materials and intellectual property rights thereto are granted, and all such licenses and rights are hereby expressly reserved. Any ideas, suggestions, modifications and the like made by Training Users with respect to the Training Services will be the property of Okta regardless of whether Okta chooses to exercise its rights to incorporate such ideas, suggestions or modifications into the Training Services or its related materials. AMENDMENT OF CONTRACT 005546 Page 35 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Customer may not record, stream or otherwise capture any performance or aspect of the Training Services. Training Services and related materials are not subject to any maintenance, support or updates. No Warranty. TRAINING SERVICES AND RELATED MATERIALS ARE PROVIDED “AS IS’ AND OKTA MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. Export. Customer represents that it is not named on any U.S. government list of persons or entities with which U.S. persons are prohibited from transacting, nor owned or controlled by or acting on behalf of any such persons or entities, and Customer will not access or use the Training Services in any manner that would cause any party to violate any U.S. or international embargo, export control law, or prohibition. Rev 11.12.2018 AMENDMENT OF CONTRACT 005546 Page 36 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com APPENDIX E OKTA, INC. FREE TRIAL SERVICE AGREEMENT THIS FREE TRIAL SERVICE AGREEMENT ("AGREEMENT") GOVERNS YOUR ACQUISITION AND USE OF ANY FREE TRIAL SERVICE MADE AVAILABLE BY OKTA, INC. BY CLICKING A BOX INDICATING YOUR ACCEPTANCE OF THIS AGREEMENT OR OTHERWISE USING THE FREE TRIAL SERVICE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE FREE TRIAL SERVICE. You may not access the Free Trial Service if You are Our direct competitor, except with Our prior written consent. In addition, You may not access the Free Trial Service for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes. This Agreement was last updated on May 1, 2017. It is effective between You and Us as of the date of You accepting this Agreement. 1. Definitions. 1.1 “Free Trial Service" means the application(s) and/or technology provided under this Agreement to You that We have either: (i) not made generally available to Our customers, and has been designated by Us as beta, limited release, developer preview, development or test bed environments; or by descriptions of similar import, such as, but not limited to, “Free Trial.” Free Trial Service excludes Content and Non-Okta Applications. 1.2 “Content” means information obtained by Us from Our content licensors or publicly available sources and which may be made available to You through the Free Trial Service, as may be more fully described in the Documentation. 1.3 “Documentation” means Our online user guides, documentation, and help and training materials, as updated from time to time, and which may be accessible via okta.com or login to the applicable infrastructure(s) from which the Free Trial Service otherwise operates. Your use of the Free Trial Service shall be subject to any notice and licensing information in the Documentation as may be applicable to the infrastructure from which it operates and/or the Free Trial Service itself. 1.4 "GA Service" means any successor version of the applicable Free Trial Service that We may AMENDMENT OF CONTRACT 005546 Page 37 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com make generally available. 1.5 “Marketplace” means an online directory, catalog or marketplace of applications that may interoperate with the Free Trial Service. 1.6 “Non-Okta Application” means a Web-based or offline software application that is provided by You or a third party and which may interoperate with the Free Trial Service, including, for example, an application that is developed by or for You, is listed on a Marketplace, or is identified as Okta Labs or by a similar designation. 1.7 "Users" means individuals who are authorized by You to use the Free Trial Service, and have been supplied user identifications and passwords by You (or by Us at Your request). Users may include but are not limited to employees, consultants, contractors and agents of You or Your affiliates. 1.8 "We," "Us" or "Our" means Okta, Inc. 1.9 "You" or "Your" means the company or other legal entity for which you are accepting this Agreement, and affiliates of that company or entity. 2. Use of Free Trial Service. We shall make the Free Trial Service and Content available to You subject to the terms of this Agreement and the applicable Documentation. You shall allow only Users to access the Free Trial Service, and only for the purpose(s) described b y Us. The Free Trial Service is for evaluation purposes only and is not supported, and may be subject to additional terms as communicated to You. 3. Acquisition of Non-Okta Products and Services. The Free Trial Service may contain features designed to interoperate with Non-Okta Applications. To use such features, You may be required to obtain access to Non-Okta Applications from their providers, and may be required to grant Us access to Your account(s) on the Non-Okta Applications. Any acquisition by You of such Non-Okta products or services, and any exchange of data between You and any non -Okta provider, is solely between You and the applicable non-Okta provider. If You install or enable a Non-Okta Application for use with the Free Trial Service, You grant Us permission to allow the provider of that Non-Okta Application to access any data submitted to or collected through the Free Trial Service as required for the interoperation of that Non-Okta Application with the Free Trial Service. We are not responsible for any disclosure, modification or deletion of such data resulting from access by the provider of such Non-Okta Application. 4. Removal of Content and Non-Okta Applications. If We are required by a licensor or any third- party rights holder to remove Content, or receive information that Content provided to You may AMENDMENT OF CONTRACT 005546 Page 38 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com violate applicable law or third-party rights, We may discontinue Your access to such Content through the Free Trial Service. In addition, We may, upon notice to You, require You to discontinue all use of such Content and, to the extent not prohibited by law, promptly remove such Content from its systems. If We receive information that a Non-Okta Application hosted on a Service by You may violate Our External-Facing Service Policy or applicable law or third-party rights, We may so notify You and in such event You will promptly disable such Non -Okta Application or modify the Non-Okta Application to resolve the potential violation. If You do not take required action in accordance with the above, We may disable the applicable Content, Free Trial Service and/or Non - Okta Application until the potential violation is resolved. If so requested by Us, You shall certify such deletion and discontinuance of use in writing and We shall be authorized to provide a copy of such certification to any such third-party claimant or governmental authority, as applicable. 5. Feedback & Aggregated Data. If reasonably requested by Us, You agree to provide feedback to Us regarding the Free Trial Service, and Okta may use such feedback as set forth in section 11 of this Agreement. We may use the data generated in connection with Your use of the Free Trial Service (e.g., types of web applications utilized); provided, however, in the event We provide such data to third parties, it shall be anonymized and presented in the aggregate so that it cannot be linked specifically to You or any User. 6. Confidentiality. Information that is disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party") in connection with this Agreement that is identified as confidential or that would reasonably be understood to be confidential based on the nature of the information or the circumstances surrounding its disclosure, is Confidential Information of the Disclosing Party. Notwithstanding the foregoing, the Free Trial Service and all information provided or disclosed to You relating to the Free Trial Service is Our Confidential Information. The Receiving Party shall use the same degree of care to protect such Confidential Information that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) (i) not to use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its affiliates' employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party's Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the AMENDMENT OF CONTRACT 005546 Page 39 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information. 7. Term and Termination. This Agreement shall commence upon Your acceptance and shall remain in effect with respect to a Free Trial Service until the earlier of either (1) the generally availability of the applicable Free Trial Service, or (2) Our ceasing to make the applicable Free Trial Service functionality available to You. 8. Your Responsibilities. You are responsible for all activities that occur in User accounts and for Users' compliance with this Agreement. You shall not: (a) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit the Free Trial Service or Content nor make the Free Trial Service or Content available to any third party, other than as expressly permitted by this Agreement; (b) use the Free Trial Service to send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (c) use the Free Trial Service to send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material that is harmful to children or violates third party privacy rights; (d) use the Free Trial Service to send or store any virus, worm, time bomb, Trojan horse or other harmful or malicious code, file, script, agent or programs; (e) interfere with or disrupt the integrity or performance of the Free Trial Service or the data contained therein; (f) attempt to gain unauthorized access to the Content, the Free Trial Service or its related systems or networks, or permit direct or indirect access to or use of the Free Trial Service or Content in a way that circumvents a contractual usage limit; (g) modify, copy or create derivative works based on the Free Trial Service; (h) modify, copy or create derivative works based on Content except as expressly permitted under this Agreement or the Documentation; (h) frame or mirror any part of the Free Trial Service or Content, other than framing on Your own intranets or otherwise for its own internal business purposes; (i) reverse engineer the Free Trial Service (to the extent such restriction is permitted by law); (j) access the Free Trial Service in order to build a competitive product or service; (k) access the Free Trial Service or Content in order to copy any ideas, features, functions or graphics of the Free Trial Service or Content; (l) send or store any data subject to the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, or the Payment Card Industry Data Security Standards; or (m) otherwise use the Free Trial Service in manner that violates applicable laws. You shall: (i) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all information and material submitted to the Free Trial Service by You or by Users or on their behalf, the means by which You acquired such information and material, and the use of such content and data; (ii) to the extent any Documentation imposes restrictions on submission of data to services which operate on the same infrastructure as the Free Trial Service, You shall abide by such restrictions in Your submission of data to the Free Tria l Service; (iii) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Free Trial Service and Content, and notify Us promptly of any such unauthorized access or use; and AMENDMENT OF CONTRACT 005546 Page 40 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com (iv) comply with the Documentation (if applicable) and all applicable local, state, federal and foreign laws, and written or electronically provided instructions from Us in using the Free Trial Service and Content; (v) comply with terms of service of Non -Okta Applications with which You use the Free Trial Service or Content. 9. No Warranty. THE FREE TRIAL SERVICE IS PROVIDED "AS-IS," EXCLUSIVE OF ANY WARRANTY WHATSOEVER. WE DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The Free Trial Service may contain bugs or errors. Any production use of the Free Trial Service is at Your sole risk. You acknowledge that We may discontinue making the Free Trial Service available to You at any time in Our sole discretion, and may never make the Free Trial Service generally available. 10. No Damages. IN NO EVENT SHALL WE HAVE ANY LIABILITY HEREUNDER TO YOU FOR ANY DAMAGES WHATSOEVER, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR DAMAGES BASED ON LOST PROFITS, DATA OR USE, HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT YOU HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 11. Proprietary Rights. Subject to the limited rights expressly granted hereunder, We reserve all rights, title and interest in and to the Free Trial Service, including all related intellectual property rights. No rights are granted to You hereunder other than as expressly set forth herein. We shall have a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the Free Trial Service and/or any GA Service any suggestions, enhancement requests, recommendations or other feedback provided by You, including Users, relating to the operation of the Free Trial Service. 12. Relationship to Other Agreements. You may be or become entitled to receive access to other of Our online services or a generally available version of the GA Service under a separate agreement with Us, including but not limited to the Master Subscription Agreement. In such case, that separate agreement will govern Your access to Our other online services or generally available version of the GA Service, but will not govern Your access to the Free Trial Service, and th is Agreement will govern Your access to the Free Trial Service but not Your access to Our other online services or any generally available versions of the GA Service. If during the Term of this Agreement We make a GA Service generally available, then following such general availability, the use of such GA Service shall thereafter be governed by the terms and conditions of the Master Subscription Agreement (and not this Agreement) unless We give You notice of the applicability of different terms and conditions for such GA Service. The use of a GA Service may require Your payment of subscription or other usage fees as applicable to Our customers generally for use of such GA Service. AMENDMENT OF CONTRACT 005546 Page 41 Rev 2015/12/02(v2) OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com 13. Communications. By registering for and using the Free Trial Service, You thereby consent to receiving information about Okta and its products and services, via the contact information that You provide to Okta. You may opt-out of any such communications at any time, by providing Okta with notification of Your intent to opt-out in accordance with the instructions contained in such communications. 14. General Provisions. You may not assign any of Your rights or obligations hereunder, whether by operation of law or otherwise, without Our prior written consent . This Agreement shall be governed exclusively by the internal laws of the State of California, without regard to its conflicts of laws rules. Each party hereby consents to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California to adjudicate any dispute arising out of or relating to this Agreement. This Agreement constitutes the entire agreement between the parties, and supersedes all prior and contemporaneous agreements, proposals or representat ions, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and either signed or accepted electronically by the party against whom the modification, amendment or waiver is to be asserted. AMENDMENT OF CONTRACT 005546 Page 1 Rev 2020/09/16 Information Technology WKP AMENDMENT OF CONTRACT 005546 AMENDMENT 02 AMENDMENT DATE: April 4, 2022 This AMENDMENT OF CONTRACT (hereafter this "Amendment") is made and entered into by and between the Contractor named and identified below, (hereafter “Contractor”) and the COUNTY OF OAKLAND (hereafter “County”) whose address is 2100 Pontiac Lake Rd, Waterford, MI 48328. CONTRACTOR ADDRESS CARAHSOFT TECHNOLOGY 11493 SUNSET HILLS RD STE 100 RESTON VA 20190 Vendor: 11962 The County and Contractor agree and acknowledge that the purpose of this Amendment is to modify as provided herein and otherwise continue the present contractual relationship between the Parties as described in their current contract with the same contract number as above. In consideration of the extension of the mutual promises, representations, assurances, agreements, and provisions in the Contract and this Amendment, the adequacy of which is hereby acknowledged by the Parties, the County and Contractor hereby agrees to amend the current Contract as follows: 1.0 The County and Contractor agree that any and all defined words or phrases in the current Contract between the parties will apply equally to and throughout the amendment. 2.0 The Parties agree that any and all other terms and conditions set forth in the current Contract between the Parties shall remain in full force and effect and shall not be modified, excepted, diminished, or otherwise changed or altered by this Amendment except as otherwise expressly provided for in this Amendment. 3.0 Description of Change: Amend Exhibit II, Scope of Contractor Deliverables/Financial Obligations incorporated in Amendment 01 dated 01/24/2019. Section 4.3.2. to be amended as follows: Technical Consultant hours now 304 and Project Manager hours now 297.5, taking the estimated fee to $237,464.17 as per attached Attachment A. AMENDMENT OF CONTRACT 005546 Page 2 Rev 2020/09/16 For and in consideration of the mutual assurances, promises, acknowledgments, warrants, representations, and agreements set forth in the Contract and this Amendment, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the undersigned hereby execute this Amendment on behalf of the County, and Contractor and by doing so legally obligate and bind the County and Contractor to the terms and conditions of the Contract and this Amendment. THE CONTRACTOR: SIGN / DATE: CARAHSOFT TECHNOLOGY THE COUNTY OF OAKLAND: SIGN / DATE: Scott N. Guzzy, CPPO, MBA, Purchasing Administrator CLA David Niedfeldt (Apr 4, 2022 10:28 EDT) David Niedfeldt Scott N. Guzzy (Apr 4, 2022 10:41 EDT) Scott N. Guzzy Professional Services CHANGE REQUEST FORM CHANGE REQUEST Customer: County of Oakland Requestor: Heidi Flack Requestor Title: IT Project Manager Date Requested: February 24, 2022 Project Name (Okta Project ID): PR-058066 SOW Execution Date: January 28, 2019 Change Request Reference: #2 Change Description: Based on newly identified deliverables (including initial CIAM setup support and the integration of Citrix VPN) and extension of project duration (for six months until September 30th, 2022). This SOW will expire on September 30, 2022 and Okta will be relieved of any further Professional Services which have not been completed under this SOW. Based on remaining deliverables, estimated hours will be adjusted as follows: Estimated Hours per SOW (and CR#1): ROLE RATE ESTIMATED HOURS ESTIMATED FEES Cloud Enterprise Architect $310.53 212 $65,832.36 Technical Engagement Manager $289.47 8 $2,315.76 Technical Project Manager $289.47 278 $80,472.66 Technical Consultant $273.68 324 $88,672.32 ATTACHMENT A Professional Services Travel & Expense Pass through Estimated Fee Total $237,293.10 Revised estimated hours with CR#2: ROLE RATE ESTIMATED HOURS ESTIMATED FEES Cloud Enterprise Architect $310.53 212 $65,832.36 Technical Engagement Manager $289.47 8 $2,315.76 Technical Project Manager $289.47 297.5 $86,117.33 Technical Consultant $273.68 304 $83,198.72 Travel & Expense Pass Through Estimated Fee Total $237,464.17 Change Reason: Realign hours to remaining deliverables and extending the project. All activities under this Statement of Work must be completed prior to that date. Any additional scope will require a new Statement of Work. Project Financials Hours/Cost Change Increase Technical Project Manager hours by 19.5 Decrease Technical Consultant hours by 20 Project duration will be extended to September 30, 2022 working within available Professional Services hours. AUTHORIZATION Carahsoft CUSTOMER Name: ______________________________________ Name: ______________________________________ Signed: _____________________________________ Signed: _____________________________________ Dated: ______________________________________ Dated: ______________________________________ David Niedfeldt (Apr 4, 2022 10:28 EDT) David Niedfeldt David Niedfeldt Apr 4, 2022 Scott N. Guzzy (Apr 4, 2022 10:41 EDT) Scott N. Guzzy Scott N. Guzzy Apr 4, 2022 AMENDMENT OF CONTRACT 008467 Page 1 Rev 2022/05/11 IT WKP AMENDMENT OF CONTRACT 008467 AMENDMENT 03 AMENDMENT DATE: February 6, 2023 This AMENDMENT OF CONTRACT (hereafter this "Amendment") is made and entered into by and between the Contractor named and identified below, (hereafter “Contractor”) and the COUNTY OF OAKLAND (hereafter “County”) whose address is 2100 Pontiac Lake Rd, Waterford, MI 48328. CONTRACTOR ADDRESS Carahsoft Technology 11493 Sunset Hills Rd Ste 100 Reston, VA 20190 Vendor Number: 11962 The County and Contractor agree and acknowledge that the purpose of this Amendment is to modify as provided herein and otherwise continue the present contractual relationship between the Parties as described in their current contract with the same contract number as above. In consideration of the extension of the mutual promises, representations, assurances, agreements, and provisions in the Contract and this Amendment, the adequacy of which is hereby acknowledged by the Parties, the County and Contractor hereby agrees to amend the current Contract as follows: 1.0 The County and Contractor agree that any and all defined words or phrases in the current Contract between the parties will apply equally to and throughout the amendment. 2.0 The Parties agree that any and all other terms and conditions set forth in the current Contract between the Parties shall remain in full force and effect and shall not be modified, excepted, diminished, or otherwise changed or altered by this Amendment except as otherwise expressly provided for in this Amendment. 3.0 Description of Change: Due to conversion to Workday financial system, Oakland County is assigning a new contract number. The old contract number 005546 will be replaced by 008467. Add $70,000.00 to the Contract Not to Exceed (NTE) amount. AMENDMENT OF CONTRACT 008467 Page 2 Rev 2022/05/11 For and in consideration of the mutual assurances, promises, acknowledgments, warrants, representations, and agreements set forth in the Contract and this Amendment, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the undersigned hereby execute this Amendment on behalf of the County, and Contractor and by doing so legally obligate and bind the County and Contractor to the terms and conditions of the Contract and this Amendment. THE CONTRACTOR: SIGN / DATE: Carahsoft Technology THE COUNTY OF OAKLAND: SIGN / DATE: Scott N. Guzzy, CPPO, MBA, Purchasing Administrator cmk 2/14/23 2-14-2023 OAKLAND COUNTY COMPLIANCE OFFICE – PURCHASING CONTRACT NUMBER Page 1 Rev 05/10/2018 V2 OAKLAND COUNTY EXECUTIVE, L. BROOKS PATTERSON COMPLIANCE OFFICE PURCHASING Compliance Office | Purchasing 248-858-0511 | purchasing@oakgov.com Buyer: RLB CONTRACT NUMBER:005546 Event # 003889 CONTRACT between the COUNTY OF OAKLAND and CONTRACTOR The Parties agree to the attached terms and conditions: FOR THE CONTRACTOR: SIGN: FOR THE COUNTY: SIGN: SIGN: Contract Administrator Pamela L. Weipert, CPA, CIA, Compliance Officer or Scott N. Guzzy, CPPO, MBA, Purchasing Administrator Not To Exceed Amount: $1,629,849.95 Effective Date: 11/2/2018 Expiration Date: 11/1/2023 Contract Description: Okta Implementation - P Contractor Information: Contract Administrator: Carahsoft Technology 1860 Michael Faraday Drive Suite 100 Reston, Virginia 20190 Vendor No: 11962 Compliance Office Purchasing Information: Contract Administrator and Using Department: Richard Brower OAKLAND COUNTY 2100 Pontiac Lake Rd., Bldg. 41W Waterford, MI 48328-0462 248-858-0511 purchasing@oakgov.com Michael Timm Director Information Technology 1200 N Telegraph Rd Bldg 49W Pontiac, MI 48341 248-858-0857 timmmr@oakgov.com aec Eric Pankau (Nov 2, 2018) Eric Pankau Michael R Timm (Nov 2, 2018) Michael R Timm Scott N. Guzzy (Nov 2, 2018) 00005592.0 10/19/2018 18:05:13 Carahsoft Rider to Manufacturer Commercial Supplier Agreements (for U.S. Government End Users) Revised 20160504 1. Scope. This Carahsoft Rider and the Manufacturer’s Commercial Supplier Agreement (CSA) establish the terms and conditions enabling Carahsoft to provide Software and Services to U.S. Government agencies (the "Client" or “Licensee”). 2. Applicability. The terms and conditions in the attached Manufacturer’s CSA are hereby incorporated by reference. (a) Contracting Parties. The Government customer (Licensee) is the “Ordering Activity”, defined as an entity authorized to order under Government contracts as set forth in Government Order 4800.2H ADM, as may be revised from time to time. (b) Audit. During the term of this CSA: (a) If Ordering Activity's security requirements included in the Order are met, Manufacturer or its designated agent may audit Ordering Activity's facilities and records to verify Ordering Activity's compliance with thi s CSA. Any such audit will take place only during Ordering Activity's normal business hours contingent upon prior written notice and adherence to any security measures the Ordering Activity deems appropriate, including any requirements for personnel to be cleared prior to accessing sensitive facilities. Carahsoft on behalf of the Manufacturer will give Ordering Activity written notice of any non- compliance, including the number of underreported Units of Software or Services ("Notice"); or (b) If Ordering Activity’s security requirements are not met and upon Manufacturer's request, Ordering Activity will run a self -assessment with tools provided by and at the direction of Manufacturer ("Self -Assessment") to verify Ordering Activity's compliance with this CSA. (c) Consent to Government Law / Consent to Jurisdiction. §1346(b)). The validity, interpretation and enforcement of this Rider and the CSA will be governed by and construed in accordance with the laws of the State of Michigan. Jurisdiction and venue will be brought in the Sixth Judicial Circuit Court for the State of Michigan, the 50 th District Court of the State of Michigan, or the United States District Court for the Eastern District of Michigan, Southern Division, as dictated by the applicable jurisdiction of the court. All clauses in the Manufacturer’s CSA referencing equitable remedies are deemed not applicable to the Government order and are therefore deemed to be deleted. (d) Waiver of Jury Trial. All clauses governing waiver of jury trial in the Manufacturer’s CSA are hereby deemed to be deleted. (e) Renewals. All of the Manufacturer’s CSA clauses that violate the Anti-Deficiency Act (31 U.S.C. 1341, 41 U.S.C. 11) ban on automatic renewal are hereby deemed to be deleted. Third Party Terms. Subject to the actual language agreed to in the Order by the Contracting Officer. Any third party manufacturer will be brought into the negotiation, or the 00005592.0 10/19/2018 18:05:13 components acquired separately, if any. Contractor indemnities do not constitute e ffective migration. (f) Installation and Use of the Software. Installation and use of the software shall be in accordance with the Rider and Manufacturer’s CSA, unless an Ordering Activity determines that it requires different terms of use and Manufacturer agrees in writing to such terms in a valid task order placed pursuant to the Government contract. (g) Limitation of Liability: Subject to the following: Carahsoft, Manufacturer and Ordering Activity shall not be liable for any indirect, incidental, special, or consequential damages, or any loss of profits, revenue, data, or data use. Further, Carahsoft, Manufacturer and Ordering Activity shall not be liable for punitive damages except to the extent this limitation is prohibited by applicable law. This clause shall not impair the U.S. Government’s right to recover for fraud or crimes arising out of or related to this Government Contract under any federal fraud statute, including the False Claims Act, 31 U.S.C. §§ 3729 -3733. (h) Advertisements and Endorsements. Unless specifically authorized by an Ordering Activity in writing, such use of the name or logo of any U.S. Government entity is prohibited. (i) Public Access to Information. Manufacturer agrees that the CSA and this Rider contain no confidential or proprietary information and acknowledges the CSA and this Rider will be available to the public. (j) Confidentiality. Any provisions that require the Licensee to keep certain information confidential are subject to the Michigan Freedom of Information Act, Public Act 442 of 1976, MCL 15.231 et. seq. (k) E-Verify. Carhasoft has registered with and will participate in, and continue to utilized, the E_Verify Program (or any successor program implemented by the federal government) to verify the work authorization status of all newly hired employees . 00005592.0 OKTA, INC. SUBSCRIPTION LICENSE AND PROFESSIONAL SERVICES AGREEMENT For Customers Purchasing Through a Reseller THIS OKTA SUBSCRIPTION LICENSE AND PROFESSIONAL SERVICES AGREEMENT ("AGREEMENT") GOVERNS THE USE OF THE SERVICE, PROFESSIONAL SERVICES, SUPPORT SERVICES, AND TRAINING SERVICES DESCRIBED HEREIN. BY ACCESSING AND USING THE SERVICE, PROFESSIONAL SERVICES, SUPPORT SERVICES, AND TRAINING SERVICES, YOU (“CUSTOMER”) ARE CONSENTING TO BE BOUND BY THIS AGREEMENT, INCLUDING ALL TERMS INCORPORATED BY REFERENCE. YOU AGREE THAT THIS AGREEMENT IS EQUIVALENT TO ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS OR A GOVERNMENT AGENCY, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS. OKTA SERVICE IS BEING LICENSED AND NOT SOLD TO YOU. OKTA PERMITS YOU TO ACCESS AND USE THE OKTA SERVICE AND PURCHASE RELATED PROFESSIONAL SERVICES AND TRAINING SERVICES ONLY IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT AND THE RESELLER ORDER FORMS(S). 1. Definitions. 1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Customer entity signing this Agreement. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 1.2 “Customer Data” means all electronic data submitted by or on behalf of Customer to the Service. 1.3 “Documentation” means Okta’s user guides and other end user documentation for the Service available on the online help feature of the Service, as updated by Okta from time to time. 1.4 “Professional Services” means implementation services provided by Okta in connection with the Service, as described more fully in a Statement of Work. Professional Services shall not include the Service. 1.5 “Reseller” means the authorized Okta reseller identified on the Reseller Order Form. 1.6 “Reseller Order Form” means an ordering document pursuant to which Customer shall place orders to Reseller for the Service, Training Services, Support Services, and/or 00005592.0 Professional Services, to be provided by Okta under this Agreement. Each Reseller Order Form shall include the Service ordered, capacity licensed (i.e. the number of Users, log-ins, etc.), pricing, bill to, sold to, and the Term. Reseller Order Forms shall be subject solely to and incorporate by reference the terms of this Agreement. 1.7 “Service” means the on-line, web-based identity and access management services provided by Okta, as specified on a Reseller Order Form. The Service shall not include the Professional Services. 1.8 “Statement of Work” means a document that describes certain Professional Services purchased by Customer under this Agreement. Each Statement of Work shall incorporate this Agreement by reference. 1.9 “Support Services” means the support services provided by Okta in accordance with Okta’s then -current support policy and as identified on a Reseller Order Form. In the event that the level of support is not identified on the Reseller Order Form, Customer shall receive a “basic” level of support that is included in the Service. 1.10 “Training Services” means the education and training services provided by Okta as described more fully in an applicable Reseller Order Form. 1.11 “Term” means the period identified on a Reseller Order Form, or on a renewal document, during which Customer’s Users are authorized to use or access the Service pursuant to the terms set forth in this Agreement, unless earlier terminated pursuant to Section 11. 1.12 “Users” means individuals who are authorized by Customer to use the Service, for whom a subscription to the Service has been procured. Users may include but are not limited to Customer’s and Customer’s Affiliates’ employees, consultants, clients, external user, contractors and agents. 2. Service, Professional Services, and Training Services. 2.1 Access Rights. Okta shall make the Service available to Customer pursuant to this Agreement and all Reseller Order Forms during the Term, and grants to Customer, through the Reseller, a limited, non -sublicensable, non -exclusive, non -transferable right during the Term to allow its Users to access and use the Service in accordance with the Documentation, solely for Customer’s business purposes. Customer agrees that its purchase of the Service or the Professional Services is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written public comments made by Okta with respect to future functionality or features. 2.2 Restrictions. Customer is responsible for all activities conducted under its and its Users’ logins on the Service. Customer shall use the Service in compliance with applicable law and shall not: (i) copy, rent, sell, lease, distribute, pledge, assign, or otherwise transfer, or 00005592.0 encumber rights to the Service, or any part thereof, or use it for the benefit of any third party, or make it available to anyone other than its Users; (ii) send or store any data subject to the Health Insurance Portability and Accountability Act, Gramm- Leach-Bliley Act, or the Payment Card Industry Data Security Standards; (iii) send or store infringing or unlawful material; (iv) send or store viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs; (v) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Service or the data contained therein; (vi) modify, copy or create derivative works based on the Service, or any portion thereof; (vii) access the Service for the purpose of building a competitive product or service or copying its features or user interface; or (viii) delete, alter, add to or fail to reproduce in and on the Service the name of Okta and any copyright or other notices appearing in or on the Service or which may be required by Okta at any time. Okta may, without liability, suspend the Service to some or all of the Users to the extent necessary: (a) following a possible or actual security breach or cyber-attack on Okta, (b) in order to protect Okta’s systems; or (c) if required by a governmental entity or law enforcement agency. Customer shall receive notification of such suspension, to the extent and in the manner, that Okta provides a notification to all of its affected customers. 2.3 Professional Services; Training Services . Customer and Okta may, through the Reseller, enter into Statements of Work that describe the specific Professional Services to be performed by Okta. Okta shall provide any Training Services in accordance with Okta’s then current Training Services terms. If applicable, while on Customer premises for Professional Services or Training Services, Okta personnel shall comply with reasonable Customer rules and regulations regarding safety, security, and conduct made known to Okta, and will at Customer’s request promptly remove from the project any Okta personnel not following such rules and regulations. 2.4 Customer Affiliates. Customer Affiliates may purchase and use Service, Professional Services, Support Service, and Training Services subject to the terms of this Agreement by executing Reseller Order Forms or Statements of Work hereunder that incorporate by reference the terms of this Agreement, and in each such case, all references in this Agreement to Customer shall be deemed to refer to such Customer Affiliate for purposes of such Order or SOW. 3. Security, and Support. 3.1 Security . Okta shall: (i) maintain appropriate administrative, physical, and technical safeguards to protect the security and integrity of the Service and the Customer Data in accordance with Okta’s then current Okta Security Requirements; (ii) protect the confiden tiality of the Customer Data in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event less than reasonable care, (iii) access and use the Customer Data solely to perform its obligations in accordance with the terms of this Agreement during the Term, and as otherwise expressly permitted in this Agreement, and (iv) upon Customer’s request, no more than once per year, provide Customer with a copy of Okta’s most recent SSAE 16(SOC2)/ISAE 3402 (Type 2) or 00005592.0 similar third party annual audit report during the Term. 3.2 Support. Okta shall (i) provide Support Services to Customer during the Term; and (ii) provide Customer with at least 99.9% availability of the Service in accordance with Okta’s then- current Service Level Agreement. 4. Confidentiality. Each party (“Receiving Party”) may, during the course of its provision and use of the Service or provision of Professional Services, Support Services or Training Services hereunder, receive, have access to, and acquire technical and business information from discussions with the other party (‘Disclosing Party”) which may not be accessible or known to the general public, such as technical and business information concerning hardware, software, designs, specifications, techniques, processes, procedures, research, development, projects, products or services, business plans or opportunities, business strategies, finances, vendors, penetration test results and other security information; defect and support information and metrics; and first and third party audit reports and attestations or customers and other third party proprietary or confidential information that Disclosing Party treats as confidential, (“Confidential Information ”). Confidential Information shall not include Customer Data, and shall cease to include, as applicable, information or materials that (a) were generally known to the public on the Effective Date; (b) become generally known to the public after the Effective Date, other than as a result of the act or omission of the Receiving Party; (c) were rightfully known to the Receiving Party prior to its receipt thereof from the Disclosing Party; (d) are or were disclosed by the Disclosing Party generally without restriction on disclosure; (e) the Receiving Party lawfully received from a third party without that third party’s breach of agreement or obligation of trust; or (f) are independently developed by the Receiving Party as shown by documents and other competent evidence in the Receiving Party’s possession. For clarification obligations regarding Customer Data are solely addressed under Section 3.1 above. The Receiving Party shall not: (i) use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, except with the Disclosing Party's prior written permission, (ii) disclose or make the Disclosing Party’s Confidential Information available to any party, except those of its employees, contractors, and agents that have the same or similar obligations to those set forth herein and that have a “need to know” in order to carry out the purpose of this Agreement. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event shall either party exercise less than reasonable care in protecting such Confidential Information. If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall use its best efforts to provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance. The Parties aknowledge that Confidential Information provided hereunder may be subject to the Michigan Freedom of Information Act , which may require disclosure of records otherwise covered by this Agreement. In the event Customer is required by law or court order to disclose Confidential Information, Customer shall provide Okta advance notice prior to such required disclosure so as to addord Okta the opportunity to pursue a protective order or other remedy, prior to disclosure, and customer shall reasonably 00005592.0 cooperate with Okta in such efforts, so long as such coop eration is legally permissible. 5. Ownership, and Aggregated Data. 5.1 Customer Data. As between Okta and Customer, Customer owns its Customer Data. Customer grants to Okta, its Affiliates and applicable contractors a worldwide, limited -term license to host, copy, transmit and display Customer Data, as reasonably necessary for Okta to provide the Service in accordance with this Agreement. Subject to the limited licenses granted herein, Okta acquires no right, title or interest from Customer or Customer’s licensors under this Agreement in or to any Customer Data. Customer shall b e responsible for the accuracy, quality and legality of Customer Data and the means by which Customer acquired Customer Data. 5.2 Okta Service. Except for the rights expressly granted under this Agreement, Okta retains all right, title, and interest in and to the Service, the Professional Services, the Training Services materials, including all related intellectual property rights inherent therein. No rights are granted to Customer hereunder other than as expressly set forth in this Agreement. 5.3 Suggestions. Okta shall have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into the Service any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or its Users relating to the features, functionality or operation of the Service, the Professional Services, or the Training Services. 5.4 Aggregated Data. Okta shall be permitted to use the data generated in connection with Customer’s use of the Service (e.g., types of web applications utilized); provided, however, in the event Okta provides such data to third parties, it shall be anonymized and presented in the aggregate so that it cannot be linked specifically to Customer or User. The foregoing shall not limit in any way Okta’s confidentiality obligations pursuant to Section 4 above. 6. Fees, and Expenses. 6.1 Fees. Customer shall pay the fees set forth on the applicable Reseller Order Form (“Fees”) to Reseller in accordance with the terms and conditions set forth in the applicable Reseller Order Form. All Fees are due and payable by Customer to its Reseller and are nonrefundable by Okta to Customer unless otherwise expressly noted hereunder. Any disputes related to the Fees or invoicing shall be handled directly between Customer and the Reseller. 6.2 Expenses. Unless otherwise specified in the applicable Statement of Work, Okta may invoice Customer for all pre-approved, reasonable expenses incurred by Okta while performing the Professional Services, including without limitation, transportation services, lodging, and meal and out-of-pocket expenses related to the provision of the Professional Services. Okta will include reasonably detailed documentation of all such expenses in with each related 00005592.0 invoice. 7. Warranty, and Disclaimer. 7.1 Warranty. (a) Service . Okta warrants that during the Term: (i) the Service shall perform materially in accordance with the applicable Documentation, (ii) Okta will employ then-current industry standard measures to test the Service to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Service, and (iii) it owns or otherwise has sufficient rights in the Service to grant to Customer the rights to use the Service granted herein. As Customer’s exclusive remedy and Okta’s entire liability for a breach of the warranties set forth in this Section 7.1(i) and (ii), Okta shall use commercially reasonable efforts to correct the non-conforming Service, and in the event Okta fails to successfully correct the Service within a reasonable time of receipt of written notice from Customer detailing the breach, then Customer shall be entitled to terminate the applicable Service and receive an immediate refund of any prepaid, unused Fees for the non-conforming Service. For a breach of the warranty set forth in Section 7.1(iii), Okta will provide the indemnification descri bed in Section 9.1 below. The warranties set forth in this Section shall apply only if the applicable Service has been utilized in accordance with the Documentation, this Agreement and applicable law. (b) Professional Services . Okta warrants that the Professional Services will be performed in a good and workmanlike manner consistent with applicable industry standards. As Customer’s sole and exclusive remedy and Okta’s entire liability for any breach of the foregoing warranty, Okta will, at its sole option and expense, promptly re-perform any Professional Services that fail to meet this limited warranty or refund to Customer the fees paid for the non-conforming Professional Services. 7.2 Disclaimer. EXCEPT FOR ANY EXPRESS WARRANTIES SET FORTH UNDER SECTION 7.1, OKTA AND ITS SUPPLIERS HEREBY DISCLAIM ALL (AND HAVE NOT AUTHORIZED ANYONE TO MAKE ANY) WARRANTIES RELATING TO THE SERVICE, PROFESSIONAL SERVICES OR OTHER SUBJECT MATTER OF THIS AGREEMENT, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS, TITLE, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE PARTIES ARE NOT RELYING AND HAVE NOT RELIED ON ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER REGARDING THE SUBJECT MATTER OF THIS AGREEMENT, EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES SET FORTH UNDER SECTION 7.1. OKTA MAKES NO WARRANTY REGARDING ANY THIRD PARTY SERVICE WITH WHICH THE SERVICE MAY INTEROPERATE. 8. Limitation of Liability. 8.1 NEITHER CUSTOMER, OKTA, NOR OKTA’S SUPPLIERS, SHALL BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND 00005592.0 CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY (A) FOR ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) FOR ANY LOST PROFITS OR REVENUES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 8.2 SUBJECT TO SECTION 8.3 BELOW, IN NO EVENT WILL OKTA NOR ITS SUPPLIER’S, OR CUSTOMER’S LIABILITY FOR DIRECT DAMAGES HEREUNDER EXCEED THE TOTAL AMOUNTS PAID/PAYABLE TO OKTA BY CUSTOMER UNDER THE APPLICABLE RESELLER ORDER FORM DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING OKTA’S RECEIPT OF NOTICE OF THE APPLICABLE CLAIM. 8.3 There is no limitation on direct loss, claims or damages arising out of: (a) breach of Section 2.2, (b) breach of Section 4, (c) either party’s gross negligence or willful misconduct, (d) fraud, or (e) obligations of indemnity under Section 9. 9. Indemnification . 9.1 Okta Indemnification Obligation . Subject to Section 9.3, Okta will defend Customer from any and all claims, demands, suits or proceedings brought against Customer by a third party alleging that the Service or Professional Services, as provided by Okta to Customer under this Agreement infringe any patent, copyright, or trademark or misappropriate any trade secret of any third party (each, an “Infringement Claim”). Okta will indemnify Customer for all damages and/or costs (including but not limited to, reasonable attorneys’ fees) awarded by a court of competent jurisdiction, or paid to a third party in accordance with a settlement agreement signed by Okta, in connection with an Infringement Claim. In the event of any such Infringement Claim, Okta may, at its option: (i) obtain a license to permit Customer the ability to continue using the Service; (ii) modify or replace the relevant portion(s) of the Service with a non-infringing alternative having substantially equivalent performance within a reasonable period of time, or (iii) terminate this Agreement as to the infringing Service and refund to Customer any prepaid, unused Fees for such infringing Service hereunder. Notwithstanding the foregoing, Okta will have no liability for any infringement claim of any kind to the extent that it results from: (1) modifications to the Service made by a party other than Okta; (2) the combination of the Service with other products, processes or technologies (where the infringement would have been avoided but for such combination); or (3) Customer’s use of the Service other than in accordance with the Documentation and this Agreement. The indemnification obligations set forth in this Section 9.1 are Okta’s sole and exclusive obligations, and Customer’s sole and exclusive remedies, with respect to infringement or misappropriation of third party intellectual property rights of any kind. 9.2 Customer Indemnification Obligations . Intentionally omitted. 9.3 Indemnity Requirements.Customer must give Okta the following: (a) prompt written notice any claim for which the Customer intends to seek indemnity, (b) all cooperation and assistance reasonably requested by Okta in the defense of the claim, atOkta ’s sole 00005592.0 expense, and (c) sole control over the defense and settlement of the claim, provided that the Customer may participate in the defense of the claim at its sole expense. 10. Customer Mention. Okta may, upon Customer’s prior written consent, use Customer’s name to identify Customer as an Okta customer of the Service, including on Okta’s public website. Okta agrees that any such use shall be subject to Okta complying with any written guidelines that Customer may deliver to Okta regarding the use of its name and shall not be deemed Customer’s endorsement of the Service. 11. Term, Termination; and Effect of Termination. 11.1 Term of Agreement . This Agreement shall commence on and will remain in effect until terminated in accordance with this Section 11. Upon termination of this Agreement for any reason, all rights and subscriptions granted to Customer including all Reseller Order Forms will immediately terminate and Customer will cease using the Service. 11.2 Term of Reseller Order Form. Subscriptions for the Service commence on the Start Date specified in the applicable Reseller Order Form and continue for the subscription term specified therein unless otherwise terminated. Upon expiration of the Term, unless otherwise stated on an applicable Reseller Order Form, the Service will automatically renew for additional Terms of one (1) year each, unless and until either party gives the other notice of non-renewal at least thirty (30) days prior to the end of the then-current Term. 11.3 Termination. Either party may terminate this Agreement by written notice to the other party in the event that such other party materially breaches this Agreement and does not cure such breach within thirty (30) days of such notice. Termination due to Customer’s breach shall not relieve Customer of the obligation to pay any fees accrued or payable to Okta under the Agreement. Upon any termination for cause by Customer pursuant to this Section 11.3, Okta will refund Customer a pro-rata portion of any prepaid Fees paid by Reseller to Okta that cover the remainder of the applicable Reseller Order Form Term after the effective date of termination and a pro-rata portion of any prepaid Professional Services Fees and Training Services Fees that cover Professional Services and Training Services that have not been delivered as of the effective date of termination. The Parties understand that for Customer the funding for this Agreement is contingent upon an annual budgetary appropriation. Notwithstanding the right to terminate for breach, in the event that Customer’s legislative body does not appropriate sufficien t funding for this Agreement, Customer may terminate the Agreement upon thirty (30) days notice to Reseller, without penalty. 11.4 Return of Customer Data. Upon request by Customer made within fifteen (15) days prior to the effective date of termination, Okta will make available to Customer, at no cost, for a maximum of 30 days following the end of the Term for download a file of Customer Data in comma separated value (.csv) format along with attachments in their native format. After such 30-day period, Okta shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data in its 00005592.0 systems or otherwise in its possession or under its control. 11.5 Effect of Termination. The sections titled “Definitions,” “Confidentiality,” “Ownership, Aggregated Data,” “Fees, Expenses and Taxes,” “Warranty Disclaimer,” “Limitation of Liability,” “Indemnification,” “Term, Termination, and Effect of Termination,” and “General” shall survive any termination or expiration of this Agreement. 12. General 12.1 Assignment. Neither the rights nor the obligations arising under this Agreement are assignable or transferable by Customer or Okta without the other party’s prior written consent which shall not be unreasonably withheld or delayed, and any such attempted assignment or transfer shall be void and without effect. Notwithstanding the foregoing, either party may freely assign this Agreement in its entirety (including all Reseller Order Forms), upon notice and without the consent of the other party, to its successor in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. 12.2 Controlling Law, Attorneys’ Fees and Severability. This Agreement and any disputes arising out of or related hereto shall be governed by and construed in accordance with the laws of the State of Michigan , without giving effect to its conflicts of laws rules. In the event that any of the provisions of this Agreement shall be held by a court or other tribunal of competent jurisdiction to be unenforceable, such provisions shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable. 12.3 Notices. All legal notices hereunder shall be in writing and given upon (i) personal delivery, in which case notice shall be deemed given on the day of such hand delivery, or (ii) by overnight courier, in which case notice shall be deemed given one (1) business day after deposit with a recognized courier for U.S. deliveries (or three (3) business days for international deliveries). 12.4 Force Majeure. If the performance of this Agreement or any obligation hereunder (other than obligations of payment) is prevented or restricted by reasons beyond the reasonable control of a party including but not limited to computer related attacks, hacking, or acts of terrorism (a “Force Majeure Event”), the party so affected shall be excused from such performance and liability to the extent of such prevention or restriction. 12.5 Equitable Relief. Due to the unique nature of the parties’ Confidential Information disclosed hereunder, there can be no adequate remedy at law for a party’s breach of its obligations hereunder, and any such breach may result in irreparable harm to the non- breaching party. Therefore, upon any such breach or threat thereof, the party alleging breach shall be entitled to seek injunctive and other appropriate equitable relief in addition to any other remedies available to it, without the requirement of posting a bond. 00005592.0 12.6 Independent Contractors. The parties shall be independent contractors under this Agreement, and nothing herein shall constitute either party as the employer, employee, agent, or representative of the other party, or both parties as joint venturers or partners for any purpose. 12.7 Export Compliance. Each party represents that it is not named on any U.S. government list of persons or entities with which U.S. persons are prohibited from transacting, nor owned or controlled by or acting on behalf of any such persons or entities, and Customer will not access or use the Service in any manner that would cause any party to violate any U.S. or international emba rgo, export control law, or prohibition. 12.8 Government End User. If Customer is a U.S. government entity or if this Agreement otherwise becomes subject to the Federal Acquisition Regulations (FAR), Customer acknowledges that elements of the Service constitute software and documentation and are provided as “Commercial Items” as defined in 48 C.F.R. 2.101 and are being licensed to U.S. government User as commercial computer software subject to restricted rights described in 48 C.F.R. 2.101, 12.211 and 12.212. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement ("DFARS") and its successors. This U.S. Government End User Section 12.8 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data. 12.9 E-Verify. Okta has registered with and will participate in, and continue to utilized, the E_Verify Program (or any successor program implemented by the federal government) to verify the work authorization status of all newly hired employees. 12.10 Entire Agreement . This Agreement together with the capacity licensed information on the Reseller Order Form(s), and applicable Exhibit(s) constitutes the entire agreement between the parties hereto pertaining to the subject matter hereof, and any and all prior or contemporaneous written or oral agreements existing between the parties hereto and related to the subject matter hereof are expressly canceled. No modification, amendment or waiver of any provision of this Agreement will be effective unless in writing and signed by both parties hereto. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other Customer order documentation (other than with regard to capacity licensed, Term, Service, bill to, ship to, pricing) shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void. Any failure to enforce any provision of this Agreement shall not constitute a waiver thereof or of any other provision.