IMPRIVATA MANAGED SERVICES AGREEMENT

IMPRIVATA MANAGED SERVICES AGREEMENT

 

IMPORTANT-READ CAREFULLY: Prior to acknowledging your acceptance, be sure to carefully read and understand all of the rights and restrictions described in this Imprivata Managed Services Agreement (this “Agreement”). This Agreement is a legal agreement between you (“Customer” or “you” or “your”) and Imprivata, Inc. (“Imprivata”) for the Services described herein. By purchasing the Services, you (either you as an individual or, if the Services will be used by an entity, on behalf of that entity) represent and agree that you have the capacity and authority to bind yourself or, if applicable, the applicable entity, to the terms of this Agreement and agree to be bound by the terms of this Agreement. If you do not agree to the terms of this Agreement, you may not utilize the Services. Any terms and conditions in a purchase order (or in any similar document) which are in addition to, or conflict or are inconsistent with these terms are hereby rejected and superseded by the terms contained herein.

 

RECITALS

WHEREAS, Imprivata and Customer are parties to that certain Imprivata End User License Agreement (the “EULA”);

WHEREAS, Imprivata will be providing certain managed services (the “Services”) for Imprivata Software licensed to Customer pursuant to the EULA by means of Imprivata professional services staff, engineers, project managers, program managers, implementation engineers, deployment specialists, clinical workflow specialists, business analysts, and other specialists (“Administrator(s)”) as applicable and further described herein;

WHEREAS, Administrators may be required to access certain portions of Customer’s computer network for the purpose of providing such Services; and

WHEREAS, this Agreement shall set forth the obligations of both parties with respect to the provision of the Services and access to Customer’s network.

NOW, THEREFORE, in consideration of the agreements, covenants, terms and conditions herein contained and other consideration, the sufficiency of which is hereby acknowledged, the parties hereby agree as follows:

  1. Services. Imprivata offers nine (9) Services packages: (i) Advanced Advisory Services/Customer Success Management; (ii) Enterprise Advisory Services/Technical Architecture Management; (iii) Advanced Management Services/Remote Administration Management; (iv) Enterprise Management Services/Resident Engineering Management; (v) Mobile Management Services; (vi) Starter Management Services; (vii) Identity Governance Management Services; (viii) Flexible Configuration Updates (for Imprivata OneSign® and Confirm ID® solutions); and (ix) Identity Governance Configuration + Management Services. Imprivata will provide Customer the applicable Services purchased by you (as indicated on the Imprivata Quote or its equivalent if purchasing through an authorized reseller) as further described below:
  1. Advanced Advisory Services Package

    1. Personalized Adoption, Utilization, and ROI Reporting
      1. Regular engagement with assigned Customer Success Manager, tracking to Customer goals and opportunities to accelerate Imprivata product adoption.
      2. Coach Customer on adoption best practices and personalized guidance.
      3. Provide insight into license utilization reporting and personalized assessments to maximize utilization.
      4. Facilitate annual executive business reviews to uncover opportunities to maximize solution value and mitigate potential risks.
    2. Facilitate Issue Resolution
      1. Drive collaboration with key Customer stakeholders and Imprivata staff.
      2. Track Customer initiatives, executive and business owner level roadmaps, update/expansion plans, and open product issues.
      3. Monitor satisfaction with owned products; escalate Customer needs/issues cross-departmentally.
      4. Communicate Voice of the Customer survey feedback to Imprivata upper management to help drive strategic initiatives and program improvement.
    3. Continuing Education
      1. Access to monthly remote product deep dive training sessions.
      2. Two (2) licenses for the Imprivata online Learning Management System.
      3. Two (2) seats per year in any Imprivata regional certification course.
      4. Up to two (2) annual Imprivata recertification exams included.
  1. Enterprise Advisory Services Package

    1. Imprivata Customer Support Escalation Management
      1. Create support cases on behalf of Customer and follow up with status reports on each case as needed, on a weekly basis.
      2. Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc.
      3. Summarize status, outcomes, and next steps following escalations.
      4. Act as the central point of contact and facilitator of escalations.
    2. Guidance During Product Upgrades
      1. Create a project plan for pre-upgrade testing and production cutover.
      2. Respond to calls from Customer for assistance during business hours or as agreed upon during a three-hour on-call availability period during off-hours during critical production cutover events.
    3. Change Management for System Architecture
      1. Continuously monitor change requests as shared by Customer.
      2. Participate in change management meetings, highlight potential risks to Imprivata functionality, and recommend changes.
      3. Ensure long-term adherence to reference architecture best practices.
      4. Join Customer teams tasked with resolving issues resulting from environmental changes.
      5. Collaborate with Customer in strategic or tactical planning efforts.
    4. Onsite or remote technical design & planning/solution optimization sessions
      1. Facilitate annual technical checkup.
      2. Develop strategies to drive environmental or architectural optimization and document any relevant decisions, identified risks, key assumptions, and timeline estimates.
      3. Provide direct support for testing and troubleshooting.
      4. Document technical findings and recommendations.
    5. Architectural relationship management
      1. Schedule and run checkpoint calls with Customer’s technical teams (includes preparation and completion of action items needed).
      2. Serve as Customer’s central point of contact for supportability review.
    6. Communications
      1. Customer is responsible for attending the following meetings:
        1. No less frequently than semi-annually, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
        2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts and IT staff impacted by Imprivata solutions.
  1. Advanced Management Services Package

    1. Direct administration of Imprivata system
      1. Monitor performance, health, and stability metrics. Implement preventative and/or corrective configuration changes as needed.
      2. Alert Customer to any changes needed and facilitate any actions or support needed from Customer.
      3. Implement configuration changes and expansions to address Customer’s evolving needs.
    2. Imprivata system upgrade, migration, and application profiling projects
      1. Create a project plan for pre-upgrade testing and production cutover.
      2. Respond to calls from Customer for assistance during business hours or as agreed upon during a three-hour on-call availability period during off-hours during critical production cutover events.
      3. Identify and communicate the need for version upgrades. Plan, manage, and complete configuration, testing, and implementation tasks.
      4. Identify and communicate the need for appliance migrations. Plan, manage, and complete migration tasks as required.
      5. Identify and communicate the need for new application profiles or updates to existing profiles. Plan, manage, and complete profiling, testing, and other deployment tasks.
      6. Install and configure proof of concept (POC) environments to allow testing of requested features and enhancements.
      7. Respond to errors/issues that require fixes and own communication and issue management. Plan, manage, and complete configuration, testing, and implementation tasks.
      8. Respond to environmental, application, and integration issues requiring a new Imprivata appliance. Own communication and issue management. Plan, manage, and complete migration tasks.
      9. Respond to the need to update existing profiles and the need for enablement of new applications. Own communication and issue management, and plan, manage, and complete profiling, testing, and deployment tasks.
    3. Customer help desk escalation handling
      1. Train Customer help desk staff to optimize front-line user and Customer’s own support service level agreements (SLAs) on Imprivata-related cases.
      2. Receive end user issues escalated through Customer’s help desk for troubleshooting, determining root cause, and reaching a resolution.
    4. Change management: Imprivata system configuration
      1. Collaborate with Customer in strategic or tactical planning efforts.
      2. Join Customer teams tasked with resolving issues resulting from environmental changes.
      3. Interpret architecture, system, and workflow changes for configuration, testing, and implementation tasks.
      4. Own the hands-on configuration and testing tasks within the Imprivata system. Assist and support integration testing.
      5. Ensure long-term adherence to reference architecture best practices.
      6. Respond to an unanticipated need for changes and help actively remediate impacts to the Imprivata solution caused by changes to architectural components integrated with the Imprivata system.
    5. Onsite or remote technical design & planning/solution optimization sessions
      1. Facilitate twice-annual technical check-up, document findings and recommendations, own strategic planning to achieve Customer support, adoption, and expansion goals, and document sequence of technical steps and effort required.
      2. Develop strategies to drive environmental or architectural optimization and document any relevant decisions, identified risks, key assumptions, and timeline estimates.
      3. Provides direct ad hoc test support, troubleshooting, and emergency management.
      4. Clinical workflow discovery, analysis & design - Facilitate via interviews an inventory and analysis of existing workflow needs and issues, priorities, and impact of making changes; documentation of findings and recommendations.
      5. Provide onsite clinical workflow observation and analysis in response to user experience or workflow issues/errors; end user satisfaction/remediation; combine clinical findings with technical findings and document recommendations.
    6. Application & Architectural relationship management
      1. Schedule and run checkpoint calls with application and architectural teams with interdependencies between the Imprivata enterprise and other systems or infrastructures including preparation and completion of action items and follow-ups needed.
      2. Serve as the Customer stakeholders’ central point of contact for system/application needs and supportability review.
    7. Imprivata Customer Support Escalation management
      1. Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
      2. Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations
      3. Act as the central point of contact and owner of escalations.
    8. Communications
      1. Customer is responsible for attending the following meetings:
        1. No less frequently than semi-annually, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
        2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts and IT staff impacted by Imprivata solutions.
    9. Case Priority Classification
      1. Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below:

        Priority

        Definition & Customer Responsibilities

        Priority 1 – Critical production system down

        An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted.

        Customer Instructions: Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 2 – Major impact

        A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available.

        Customer Instructions: Create a case for the Administrator (the Administrator may escalate if additional assistance is needed).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 3 – General issue

        A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

        Priority 4 – Question or minor impact

        Instructions or information are requested regarding existing product functionality.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

    10. Service Level Response Times
      1. Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.

        Priority

        Initial Response Time

        Priority 1

        Customer should contact Imprivata Customer Support directly

        Priority 2

        Initial Administrator response within 2 business hours

        Priority 3

        Initial Administrator response within 1 business day

        Priority 4

        Initial Administrator response within 2 business days

    11. Customer Obligations
      1. Access to Network. Customer shall provide technical access as further set forth below for up to six (6) Administrators to Customer’s computer network. Such access shall be provided either through individual user identification and passwords or a generic user account to be shared by the Administrator staff.
      2. Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
        1. Network account access
        2. VPN access
        3. Existing token service (for secure two-factor authentication) access or setup of ImprivataID/CIDRA, as needed.
        4. Dedicated endpoint or virtual desktop access from which all required systems can be accessed, and/or VDI access.
        5. User account and endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
        6. User account and endpoint access to Customer's ticketing/case tracking system, and integration with Imprivata Remote Admin Case Handling system, for support of the Customer’s first-line user support or help desk team. Such access shall include defined involvement in the Customer's user support case escalation process and procedures. (Administrators may serve as escalation support for the Customer’s first-line support or help desk team on Imprivata-related queries/issues; the Administrators will not have direct end user contact.)
  1. Enterprise Management Services Package

    1. Direct administration of Imprivata system
      1. Monitor performance, health, and stability metrics. Implement preventative and/or corrective configuration changes as needed.
      2. Alert Customer to any changes needed and facilitate any actions or support needed from Customer
      3. Implement configuration changes and expansions to address Customer’s evolving needs.
    2. Imprivata system upgrade, migration, and application profiling projects
      1. Create a project plan for pre-upgrade testing and production cutover
      2. Respond to calls from Customer staff for assistance during business hours or as agreed upon during a three-hour on-call availability period during off-hours during critical production cutover events.
      3. Identify and communicate the need for version upgrades. Plan, manage, and complete configuration, testing, and implementation tasks.
      4. Identify and communicate the need for appliance migrations. Plan, manage, and complete migration tasks as required.
      5. Identify and communicate the need for new application profiles or updates to existing profiles. Plan, manage, and complete profiling, testing, and other deployment tasks.
      6. Install and configure proof of concept (POC) environments to allow testing of requested features and enhancements.
      7. Respond to errors/issues that require fixes and owns communication and issue management. Plan, manage, and complete configuration, testing, and implementation tasks.
      8. Respond to environmental, application, and integration issues requiring a new Imprivata appliance. Own communication and issue management. Plan, manage, and complete migration tasks.
      9. Respond to the need to update existing profiles and the need for enablement of new applications. Own communication and issue management, and plan, manage, and complete profiling, testing, and deployment tasks.
    3. Customer help desk escalation handling
      1. Train Customer help desk staff to optimize front-line user and Customer’s own support service level agreements (SLAs) on Imprivata-related cases.
      2. Receive end user issues escalated through your help desk for troubleshooting, determining root cause, and reaching a resolution.
    4. Change management: Imprivata system configuration
      1. Collaborate with your staff in strategic or tactical planning efforts.
      2. Join Customer teams tasked with resolving issues resulting from environmental changes.
      3. Interpret architecture, system, and workflow changes for configuration, testing, and implementation tasks.
      4. Own the hands-on configuration and testing tasks within the Imprivata system. Assist and support integration testing.
      5. Ensure long-term adherence to reference architecture best practices.
      6. Respond to unanticipated need for changes and help actively remediate impacts to the Imprivata solution caused by changes to architectural components integrated with the Imprivata system.
      7. Clinical workflow specialist Administrators evaluate planned changes for clinical end user impact and remain engaged throughout implementation of changes to ensure workflow efficiency and value is not compromised by technical changes made over time.
      8. Anticipate training needs for new clinical users of existing workflows or retraining clinical users that may not be fully leveraging existing workflows.
      9. Prescriptive guidance over time to align the Customer's workflows with best practices as derived from across the Imprivata Customer base.
    5. Onsite or remote technical design & planning/solution optimization sessions
      1. Facilitate twice-annual technical check-up, documents findings and recommendations, own strategic planning to achieve Customer support, adoption, and expansion goals, and document sequence of technical steps and effort required.
      2. Develop strategies to drive environmental or architectural optimization and document any relevant decisions, identified risks, key assumptions, and timeline estimates.
      3. Provide direct ad hoc test support, troubleshooting, and emergency management.
      4. Clinical workflow discovery, analysis & design
        1. Facilitate via interviews an inventory and analysis of existing workflow needs and issues, priorities, and impact of making changes.
        2. Document findings and recommendations.
      5. Provide onsite clinical workflow observation and analysis in response to user experience or workflow issues/errors; end user satisfaction/remediation; combine clinical findings with technical findings and document recommendations.
    6. Application & Architectural relationship management
      1. Schedule and run checkpoint calls with application & architectural teams with interdependencies between the Imprivata enterprise and other systems or infrastructure; includes preparation and completion of action items/ follow-ups needed.
      2. Serve as the Customer stakeholders’ central point of contact for system/application needs and supportability review.
      3. Clinical workflow specialist Administrators monitor the ongoing success of the recommended clinical workflow configurations that were recommended.
      4. Clinical workflow specialist Administrators maintain proactive regular participation in cadence calls for workflow-related issues, questions, and changes.
    7. Imprivata Customer Support Escalation management
      1. Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
      2. Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations.
      3. Act as the central point of contact and owner of escalations.
      4. Clinical workflow specialist Administrators are directly engaged in Imprivata Customer Support escalations and work to minimize clinical end user impact during troubleshooting efforts.
      5. Proposed resolution path and remediation options will be evaluated and planned for short- and long-term clinical end user value.
    8. Onsite or remote Implementation, Deployment, & Expansion Services
      1. Scheduled access to the full range of Imprivata implementation and education services (subject to the Project Conditions below and quantity of days included in Customer’s Services subscription,) including:
        1. Project management services
        2. Configuration and validation services
        3. Appliance setup, configuration, and migration
        4. Application enablement and integration
        5. Workstation workflow configuration
        6. Self-service password reset configuration
        7. Credential migration for SSO
        8. Authentication devices, token, and modalities enablement
        9. Connector configuration
        10. VDA configuration
        11. Remote access and mobile devices configuration
        12. End user testing
        13. Domain migration services
        14. Enterprise merge services
        15. Authentication hardware and manual agent installation and testing
        16. End user identity proofing, enrollment, and training
        17. Go-live assistance
        18. Imprivata education/training courses
        19. Project completion and optimization services
      2. Provide services in proportion to the following deployment sizes:
        1. Small (7,499 users or fewer) – Per subscription year:
          1. Four (4) days onsite or 32 hours remote
        2. Medium (7,500 – 19,999 users) – Per subscription year:
          1. Eight (8) days onsite or 64 hours remote
        3. Large (20,000 users or more) – Per subscription year:
          1. Twelve (12) days onsite or 96 hours remote
      3. Project Conditions
        1. The Customer shall contact their Administrator for information on the quantity of days included in the Customer’s Managed Services subscription, which may be used annually in proportion to the subscription term. Unless otherwise agreed in writing, services days will expire on each anniversary of the start date of the Managed Services subscription in proportion to the subscription term. For example, for a two-year term, fifty percent (50%) of the services days will expire on the first anniversary of the Managed Services subscription start date and the remaining services days will expire on the second anniversary of the Managed Services subscription start date. For example, for a three-year term, thirty-three percent (33%) of the services days will expire on the first anniversary of the Managed Services subscription start date, thirty-three percent (33%) of the services days will expire on the second anniversary of the Managed Services subscription start date and the remaining services days will expire on the third anniversary of the Managed Services subscription start date. In the event all services days have expired, Imprivata will be under no obligation to perform any additional services. No credit/refund of unused service days will be provided. Should any items require additional time to complete, the Customer may utilize the Statement of Work process (“SOW”) to purchase additional time.
        2. The scope of Services assumes that the Customer’s environment complies with current Imprivata supported components at project commencement.
        3. Prior to the testing phase, the Customer is responsible for identifying and providing to the Imprivata Administrator testing scenarios which reflect end-user workflows in the Customer’s production environment.
        4. Onsite Services are performed between the hours of 8:00 AM and 5:00 PM local Customer time, excluding weekends and normally observed holidays. Services provided outside these times will be agreed-upon in writing by both parties in advance and may be subject to additional fees.
        5. Imprivata may elect to deliver some or all of the services through one of its certified partners. The certified partner will perform the services as a subcontractor to Imprivata.
        6. Customer understands that Custom Development, such as but not limited to Extension Objects (EXO), may be implemented at the request of the Customer during a project. However, Custom Development work is not covered by the Imprivata Maintenance agreement to include updates, additions, or issues remediation.
        7. All services outlined herein are inclusive of travel and expense.
        8. Onsite services days cancelled or rescheduled with less than two (2) weeks advanced notice will be billed as delivered and debited from the Customer’s available balance. Failure to provide the appropriate notice may result in cancellation fees which are: daily rate for consultant time or the usage of a purchased services day. The Customer agrees to reimburse Imprivata for these fees if the cancellation is less than the required minimum advance notice. If the Customer needs to reschedule, they must contact their Imprivata project manager as soon as possible to reduce the scope and possibility of the above fees.
        9. Deployment specialist Administrators need to be scheduled at least 60 days in advance of planned deployment. In order to be scheduled, the physical locations, shift times and user enrollment counts must be provided to Imprivata. Once scheduled, Imprivata requires 30 days advance notice to cancel or reschedule the deployment specialist Administrators. Deployment specialist Administrator will be scheduled in a minimum of two-week increments.
    9. Communications
      1. Customer is responsible for attending the following meetings:
        1. No less frequently than semi-annually, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
        2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
    10. Case Priority Classification
      1. Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below:

        Priority

        Definition & Customer Responsibilities

        Priority 1 – Critical production system down

        An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted.

        Customer Instructions: Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 2 – Major impact

        A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available.

        Customer Instructions: Create a case for the Administrator (the Administrator may escalate if additional assistance is needed).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 3 – General issue

        A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

        Priority 4 – Question or minor impact

        Instructions or information are requested regarding existing product functionality.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

    11. Service Level Response Times
      1. Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.

        Priority

        Initial Response Time

        Priority 1

        Customer should contact Imprivata Customer Support directly

        Priority 2

        Initial Administrator response within 2 business hours

        Priority 3

        Initial Administrator response within 1 business day

        Priority 4

        Initial Administrator response within 2 business days

    12. Customer Obligations
      1. Access to Network. Customer shall provide technical access as further set forth below for up to six (6) Administrators to Customer’s computer network. Such access shall be provided either through individual user identification and passwords or a generic user account to be shared by the Administrator staff.
      2. Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
        1. Network account access
        2. VPN access
        3. Existing token service (for secure two-factor authentication) access or setup of ImprivataID/CIDRA, as needed.
        4. Dedicated endpoint or virtual desktop access from which all required systems can be accessed, and/or VDI access.
        5. User account and endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
        6. User account and endpoint access to Customer's ticketing/case tracking system, and integration with Imprivata Remote Admin Case Handling system, for support of the Customer’s first-line user support or help desk team. Such access shall include defined involvement in the Customer's user support case escalation process and procedures. (Administrators may serve as escalation support for the Customer’s first-line support or help desk team on Imprivata-related queries/issues; the Administrators will not have direct end user contact.)
  1. Mobile Management Services Package

    1. Implementation Services
      1. Establish and test API connections to Customer’s mobile device management (“MDM”) solution via the Imprivata GroundControl console.
      2. Configure and test device settings and GroundControl workflows.
      3. Provide additional project support in proportion to the following deployment sizes:
        1. Small (2,499 devices or fewer) – Per subscription year:
          1. Forty (40) hours of remote project management
          2. Two (2) days of onsite workflow specialist support
          3. Four (4) days of onsite go-live, hardware deployment and end user support
        2. Medium (2,500 – 19,999 devices) – Per subscription year:
          1. Sixty (60) hours of remote project management
          2. Three (3) days of onsite workflow specialist support
          3. Six (6) days of onsite go-live, hardware deployment and end user support
        3. Large (20,000 devices or more) – Per subscription year:
          1. Ninety (90) hours of remote project management
          2. Four (4) days of onsite workflow specialist support
          3. Eight (8) days of onsite go-live, hardware deployment and end user support
    2. Continuing Education
      1. Access to monthly remote product deep dive training sessions.
      2. Two (2) licenses for the Imprivata online Learning Management System.
      3. Two (2) seats per year in any Imprivata regional administrator certification course.
      4. Up to two (2) annual Imprivata recertification exams included.
    3. Direct administration of Imprivata system
      1. Proactively monitor critical events and activity logs to alert Customer’s team to any changes needed as well as facilitate remediation and any required support.
      2. Monitor utilization and adoption metrics to ensure the broadest and most consistent end-user adoption and intervene to gather user feedback as needed.
      3. Implement configuration changes to address Customer’s evolving needs, including during MDM migrations and installation of proof-of-concept environments to allow testing of requested features and enhancements.
      4. Deliver new workflow automation rules and updates to existing workflow rules, including any testing and training required.
    4. Change management: Imprivata system configuration
      1. Interpret architecture, system, and workflow changes for configuration, testing, and implementation work required.
      2. Review change requests weekly for potential impact to GroundControl and other Imprivata mobile solutions. GroundControl and such Imprivata mobile solutions are collectively referred to herein as “Imprivata Mobile Solutions”.
      3. Respond to unanticipated needs for changes and help to actively remediate any impact to Imprivata Mobile Solutions caused by changes to architectural components integrated with the Imprivata system.
    5. Imprivata Customer Support Escalation management
      1. Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
      2. Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations.
    6. Customer help desk escalation handling
      1. Train Customer help desk staff to optimize front-line user and Customer’s own support service level agreements (SLAs) on Imprivata-related cases.
      2. Receive end user issues escalated through Customer’s help desk for troubleshooting, determining root cause, and reaching a resolution.
    7. Application & Architectural relationship management
      1. Schedule and run checkpoint calls with application and architectural teams with interdependencies between the Imprivata Mobile solution and other systems or infrastructures including preparation and completion of action items and follow-ups needed.
      2. Serve as the Customer stakeholders’ central point of contact for system/application needs and supportability review.
    8. Product Advocacy
      1. Monitor advance-notice internal release documentation and alerts Customer to product enhancements that benefit their unique needs or objectives.
      2. Develop plans for implementing new features.
      3. Facilitate engagement with Imprivata development team for controlled availability and beta programs, and to provide advanced insight into product roadmap.
    9. Communications
      1. Customer is responsible for attending the following meetings:
        1. No less frequently than semi-annually, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
        2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
    10. Case Priority Classification
      1. Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below:

        Priority

        Definition & Customer Responsibilities

        Priority 1 – Critical production system down

        An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted.

        Customer Instructions: Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 2 – Major impact

        A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available.

        Customer Instructions: Create a case for the Administrator (the Administrator may escalate if additional assistance is needed).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 3 – General issue

        A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

        Priority 4 – Question or minor impact

        Instructions or information are requested regarding existing product functionality.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

    11. Service Level Response Times
      1. Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.

        Priority

        Initial Response Time

        Priority 1

        Customer should contact Imprivata Customer Support directly

        Priority 2

        Initial Administrator response within 2 business hours

        Priority 3

        Initial Administrator response within 1 business day

        Priority 4

        Initial Administrator response within 2 business days

    12. Customer Obligations
      1. Access to Network. Customer shall provide technical access as further set forth below for up to six (6) Administrators to Customer’s computer network. Such access shall be provided through individual user identification and passwords to be used by the Administrator staff.
      2. Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
        1. Network account access
        2. VPN access
        3. Existing token service (for secure two-factor authentication) access or setup of ImprivataID/CIDRA, as needed.
        4. Dedicated endpoint or virtual desktop access from which all required systems can be accessed, and/or VDI access.
        5. User account and endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
  1. Starter Management Services

    1. Full Remote Configuration, Testing, and Go-live
      1. Remotely install and configure Customer Imprivata OneSign/Confirm ID solution.
      2. Configure and test policies and application/system integration points.
      3. Support back-end technical configuration needs for initial production go-live event.
    2. Direct Administration of Imprivata System
      1. Implement preventative and/or corrective configuration changes as needed.
      2. Alert Customer team to any changes needed and facilitate actions or support needed.
      3. Implement configuration changes as needed.
    3. Upgrades, Migration, and Expansions
      1. Identify and communicate the need for Imprivata product version upgrades; plan, manage, and complete configuration, testing, and implementation tasks for up to one (1) Imprivata system upgrade per year, as well as any required appliance migration work.
      2. Identify, communicate, plan, manage, and complete up to ten (10) new application profiles or updates to existing profiles per year; testing and other deployment tasks included.
      3. Install and configure proof of concept (POC) environments to allow testing of requested features and enhancements.
    4. Customer Help Desk Training
      1. Train Customer help desk staff to optimize front-line user and Customer’s own support service level agreements (SLAs) on Imprivata-related cases.
    5. Continuing Education
      1. Access to monthly remote product deep dive training sessions.
      2. Two (2) licenses for the Imprivata online Learning Management System.
      3. Two (2) seats per year in any Imprivata regional administrator certification course.
      4. Up to two (2) annual Imprivata recertification exams included.
    6. Customer Obligations
      1. Access to Network. Customer shall provide technical access as further set forth below for up to six (6) Administrators to Customer’s computer network. Such access shall be provided through individual user identification and passwords to be used by the Administrator staff.
      2. Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
        1. Network account access.
        2. VPN access.
        3. Existing token service (for secure two-factor authentication) access or setup of ImprivataID/CIDRA, as needed.
        4. Dedicated endpoint or virtual desktop access from which all required systems can be accessed, and/or VDI access.
        5. User account and endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
      3. Communications.
        1. Customer is responsible for scheduling and holding the following meetings:
          1. No less frequently than monthly, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
          2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
  1. Identity Governance Management Services

    1. Description of Services
      1. Basic troubleshooting. The Imprivata Administrator will be responsible for the following troubleshooting tasks related to the Imprivata Identity Governance software (“IdG”):
        1. Review error notifications, logs, and tie request table.
        2. Review end to end workflow.
        3. Trigger drops to request handling to notification.
        4. Review of bridge logs and failures (no code changes).
      2. First level support for questions related to basic error messages. The Imprivata Administrator will be the initial point of contact for issues related to the IdG solution. This includes:
        1. Understanding of customer IdG solution and architecture.
        2. Review error notifications, tie request table to success or failure.
        3. Review of trigger files and trigger translation logic.
        4. Escalation to Imprivata Support if required.
      3. Ongoing role maintenance. The Imprivata Administrator will maintain the current role database which includes:
        1. Add, modify, delete roles.
        2. Add, modify, delete entitlements for specific roles.
        3. Partial bulk role imports.
      4. IdG Server maintenance
        1. Basic upgrade support
          1. Installation and configuration for up to four (4) point (minor version) releases or one (1) major version release, per subscription year.
          2. IdG server, bridge server, trigger server.
          3. Monitor log directories – log maintenance and cleanup.
      5. Application configuration support. The Imprivata Administrator will provide support for applications that are integrated with the IdG solution, including:
        1. Minor configuration changes for existing manual apps (attribute properties only).
        2. Addition of generic apps that use shared scripting and logic that was delivered as part of the Imprivata implementation project.
        3. Addition of Microsoft Active Directory-aware applications (up to 10 per subscription year)
        4. Deployment of Customer-created Bridges
        5. Deployment of and configuration of new IdG bridges (does not include bridge development).
        6. OneSign integration (up to ten (10) per subscription year)
        7. Work with application owner/subject matter expert on validation of functionality of customer-created bridges
        8. Installation and configuration of additional bridge servers as needed.
      6. Governance, Risk Management & Compliance (“GRC”) dashboard maintenance
        1. Configure homepages and profiles.
        2. Set up compliance tasks.
        3. Minor changes for existing reports.
      7. New source trigger workflows (up to two (2) per subscription year)
        1. Define additional source feeds and SQL database trigger definitions.
        2. Trigger parsing and file transmission.
      8. Bridge development (up to one (1) per subscription year)
        1. Delivery of a bridged automation.
        2. Gather requirements, development, testing, and delivery of the bridge.
        3. Installation and configuration of additional bridge servers as needed.
        4. Deployment of bridges.
        5. Backloading of application accounts data.
      9. Training
        1. End-user workflow training.
        2. Helpdesk IdG training.
      10. Continuing education
        1. Per subscription year:
          1. Two (2) licenses for the Imprivata online Learning Management System.
          2. Two (2) seats in any Imprivata regional administrator certification course.
          3. Two (2) recertification exams.
        2. Access to monthly remote product deep dive training sessions as offered.
      11. User maintenance
        1. Set user permissions within IdG.
      12. Unsupported Tasks
        1. The Imprivata Administrator will not be responsible for tasks outside those in the Description of Services set forth above, including but not limited to:
          1. Any changes to the IdG workflows that require changes to implementation scripting or code, including any IdG bridges.
          2. Performing major version IdG upgrade including any upgrade from 5.3.X or lower to the latest version of IdG.
          3. Maintenance of non-IdG components (SQL, Hypervisor, OS, Citrix, etc.).
          4. Custom GRC report creation.
          5. Changes to role criteria that will require changes to the trigger parsing/translation scripting.
          6. Any major design related changes to the IdG solution.
          7. Normal IT Administrator tasks.
        2. Any major design related changes to the solution.
        3. Maintenance of non-Imprivata IdG components (Active Directory, AD groups creation, SQL, Hypervisor, Windows, Citrix, etc.).
    2. Case Priority Classification
      1. Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below:

        Priority

        Definition & Customer Responsibilities

        Priority 1 – Critical production system down

        An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted.

        Customer Instructions: Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 2 – Major impact

        A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available.

        Customer Instructions: Create a case for the Administrator (the Administrator may escalate if additional assistance is needed).

        Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.

        Priority 3 – General issue

        A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

        Priority 4 – Question or minor impact

        Instructions or information are requested regarding existing product functionality.

        Customer Instructions: Create a case for the Administrator.

        Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.

    3. Service Level Response Times
      1. Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.

        Priority

        Initial Response Time

        Priority 1

        Customer should contact Imprivata Customer Support directly

        Priority 2

        Initial Administrator response within 2 business hours

        Priority 3

        Initial Administrator response within 1 business day

        Priority 4

        Initial Administrator response within 2 business days

    4. Customer Obligations
      1. Access to Network. Customer shall provide technical access as further set forth below for up to six (6) Administrators to Customer’s computer network. Such access shall be provided through individual user identification and passwords to be used by the Administrator staff.
      2. Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
        1. Network account access
        2. VPN access
        3. Existing token service (for secure two-factor authentication) access or setup of ImprivataID/CIDRA, as needed.
        4. Dedicated endpoint or virtual desktop access from which all required systems can be accessed, and/or VDI access.
        5. User account and endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
      3. Communications.
        1. Customer is responsible for scheduling and holding the following meetings:
          1. No less frequently than monthly, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
          2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
  1. Flexible Configuration Updates Package (for Imprivata OneSign® and Imprivata Confirm ID® solutions)

    1. Eligible Update Events
      1. Appliance upgrade
        1. Plan, manage, and complete configuration, testing, and implementation tasks for up to one (1) Imprivata system upgrade per year.
        2. Limited to one (1) Imprivata enterprise and three (3) appliances per enterprise.
      2. Appliance upgrade and migration
        1. Plan, manage, and complete configuration, testing, and implementation tasks for up to one (1) Imprivata system upgrade per year, as well as any required appliance migration work.
        2. Limited to one (1) Imprivata enterprise and three (3) appliances per enterprise.
      3. Configuration of Confirm ID for Remote Access
        1. Configuration is limited to one (1) gateway. Configuration of more than one (1) gateway may be counted as the consumption of another eligible Update Event, or require the purchase of additional services.
      4. Configuration of Confirm ID for Medical Devices
        1. Configuration is limited to two (2) medical device types. Configuration of more than two (2) medical device types may be counted as the consumption of another eligible Update Event, or require the purchase of additional services.
      5. Configuration of Confirm ID for Clinical Workflows
        1. This Update Event is available for clinical workflow integration in Epic® only, and excludes configuration of Epic standalone specialty narrator.
        2. Configuration is limited to three (3) supported workflows. Configuration of more than three (3) supported workflows may be counted as the consumption of another eligible Update Event, or require the purchase of additional services.
      6. Application Profiling
        1. This Update Event is limited to configuration and testing for up to three (3) supported applications utilizing APG or WebSSO.
        2. This Update Event excludes integration with applications that do not utilize APG for SSO enablement.
        3. This Update Event includes configuration and testing only. Workflow analysis and design prior to configuration and testing, as well as user acceptance testing and deployment done following configuration and testing must be performed by Customer.
    2. Description of Services
      1. Project Management for Update Events
        1. Prior to the start of the project, the Customer will designate a project manager (“Project Manager”) who will be the primary point of contact for communications relative to the Update Events and will have the authority to act on behalf of the Customer in all matters regarding the scope, including:
          1. Managing the Customer’s personnel and responsibilities for the Update Events
          2. Serving as the interface between departments participating in the Update Events
          3. Participating in meetings relative to Update Events
          4. Helping resolve engagement issues and escalating issues within the Customer’s organization as necessary
        2. Review package offerings and Update Event options with the Customer’s Project Manager.
        3. Conduct planning meeting between the Customer’s Project Manager and the Imprivata resources to plan tasks related to scheduled Update Events.
        4. Schedule Imprivata resources, depending on availability, as needed to perform Update Events.
        5. Prepare status updates during the active periods of the Update Events.
        6. Serve as the Customer’s primary escalation point for all technical and business-related issues pertaining to and during the scoped Update Events.
      2. Appliance Upgrade Update Event
        1. The Imprivata Implementation Engineer will perform an upgrade of the Customer’s test and production environments to the latest Imprivata platform version.
        2. The upgrade will include the following:
          1. Review of any current upgrade considerations or known issues with the Customer’s Imprivata Administrator
          2. Imprivata database backup
          3. Configuration of appliances for failover and offline authentication, if required
          4. Perform a rolling reboot of all appliances
          5. Confirm that Imprivata servers, system services, and sites all are operating normally
          6. Upgrade appliance IPMs to the latest production release
        3. Validation of the upgrade will include the following:
          1. Verification that all appliances in the enterprise have successfully rebooted and been updated to the latest production release
          2. Creation of post-upgrade database backup
          3. Imprivata Agent deployment testing
          4. Review of best practices with Customer’s Imprivata Administrator
      3. Appliance Upgrade and Migration Update Event
        1. The Imprivata Administrator(s) will complete a test migration and validation of the updated Imprivata Appliance platform, followed by a cutover of the production environment to a new platform.
        2. The Imprivata Administrator(s) will meet with the Customer’s technical contact to review the setup requirements for the engagement. The following is a list of items that will be reviewed:
          1. Output from the Imprivata Deployment Report Tool to gather current usage data of the Imprivata platform
          2. Review of technical requirements before the services can commence, including files that need to be downloaded as well as the appliance configuration requirements
          3. Review of the current Imprivata enterprise, including audit servers, the number of audit records and version of the Imprivata platform
          4. Recommended changes to the Imprivata enterprise prior to the migration to the new Imprivata Appliance platform
          5. Review of plan for rollback to the prior Imprivata Appliance platform should any issues arise
        3. The new Imprivata enterprise will be built as a mirror to the current production environment. The Imprivata Administrator(s) will perform a software upgrade of the current production Imprivata enterprise to the software version/hotfix best suited for the migration, as determined jointly by the Project Manager and Imprivata Administrator(s). An export of the current production system will be performed and then imported into the new Imprivata enterprise to create the mirror environment.
        4. Validation of the new Imprivata enterprise will be performed prior to completing the migration of the new Imprivata enterprise over to production. The validation will include the following:
          1. Testing of agent connectivity including authentication modalities
          2. Appliance and agent failover
          3. An application profile will be tested to ensure proper SSO functionality and profiling capabilities
          4. A system backup, restore, and download of the system will be completed
          5. Reports will be created and exported
        5. Once the platform has been validated, the current production appliances will be powered down and the new appliances will be migrated over to the current production appliance Ips. This will require a downtime of roughly 10-15 minutes, which will be coordinated with Customer’s Project Manager.
        6. Validation testing will be performed on the new appliances after they have been cut over to production.
      4. Configuration of Confirm ID for Remote Access Update Event
        1. The Imprivata Administrator(s) will configure the Imprivata enterprise for integration with Confirm ID Push Tokens as required by the project.
        2. The Imprivata Administrators(s) will configure the Imprivata enterprise to accept incoming RADIUS messages from the Customer’s enterprise gateway(s). The Customer’s technical team will be responsible for configuring the enterprise gateway(s) to direct said messages to the Imprivata enterprise. The Imprivata Administrator(s) will assist the Customer’s technical team in testing communications between the configured gateway(s) and the Imprivata enterprise.
      5. Configuration of Confirm ID for Medical Devices Update Event
        1. The Imprivata Administrator(s) will work with the Customer to configure and test the workflow settings for up to three (3) supported medical devices. This includes:
          1. Configuration of Medical Device login workflows
          2. Configuration of Medical Device use verification workflows
          3. Configuration of Medical Device different user authentication workflows
          4. Grace Period configuration
          5. Authentication process design for proximity card, Imprivata PIN or password
      6. Configuration of Confirm ID for Clinical Workflows Update Event
        1. The Imprivata Administrator(s) and Clinical Workflow Specialist Administrator(s) will work with the Customer’s Project Manager and identified clinical and electronic medical record administrators to confirm and/or identify the clinical workflows to configure and test up to three (3) supported clinical workflows. This may include clinical workflows such as, but not limited to:
          1. E-Prescribing (non-EPCS)
          2. Witness Signing
          3. Break-the-Glass
          4. Anesthesia Attestation
          5. Medication Administration
          6. Medication Review Verification
          7. Closing Patient Encounters
          8. Integrated Badge Scanning for Specialty Narrator
      7. Application Profiling Update Event
        1. The Imprivata Administrator(s) will work with the Customer’s Project Manager and identified application owners, both the workflow and technical subject matter experts, to enable applications for Single Sign-On (SSO). The number of applications in scope for this deliverable is limited to three (3) total non-EMR (electronic medical record) applications. This enablement will include the following elements:
          1. Review Customer-provided documentation of all end-user workflows including role-specific workflows within the applications
            1. It is the Customer’s responsibility to provide account credentials for all user roles within each SSO-enabled application in scope
          2. Review of Customer-defined test cases for each application in scope
            1. It is the Customer’s responsibility to define test cases for each SSO-enabled application in scope
          3. SSO enablement of each application in scope
          4. Validation testing of each application in scope
    3. Project Conditions
      1. Four (4) Update Events are included per 12-month subscription term. The Customer shall contact their Administrator for information on the current quantity of Update Events included in its Flexible Configuration Updates Package subscription. Unless otherwise agreed in writing, any unused Update Events will expire on each anniversary of the start date of the Flexible Configuration Updates Package subscription in proportion to the subscription term. For example, a 24-month Flexible Configuration Updates Package subscription includes a total of eight (8) Update Events; a limit of four (4) of which may be used during each 12-month period, and any Update Events unused during that 12-month period will expire. At the conclusion of the 12-month period, the four (4) remaining Update Events will be eligible for use, and be subject to expiration if unused at the conclusion of the period. In the event all unused Update Events have expired, Imprivata will be under no obligation to perform any additional services. No credit/refund of unused Update Events will be provided. Should additional services or Update Events be required, the Customer may utilize the SOW process to purchase additional services beyond those remaining in the subscription.
      2. The scope of Services assumes that the Customer’s environment complies with current Imprivata supported components at project commencement.
      3. All services are performed between the hours of 8:00 AM and 5:00 PM local Customer time, excluding weekends and US federal and Imprivata company-observed holidays. Services provided outside these times will be agreed-upon in writing by both parties in advance and may be subject to additional fees.
      4. Imprivata may elect to deliver some or all of the services through one of its certified partners. The certified partner will perform the services as a subcontractor to Imprivata.
      5. Customer understands that Custom Development, such as but not limited to Extension Objects (EXO), may be implemented at the request of the Customer during a project. However, Custom Development work is not covered by the Imprivata Maintenance agreement to include updates, additions, or issues remediation.
      6. Update Events cancelled or rescheduled with less than two (2) weeks advanced notice will be billed as delivered and debited from the Customer’s available balance.
    4. Communications
      1. Customer is responsible for attending the following meetings:
        1. No less frequently than semi-annually (twice per year), hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
        2. No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
    5. Customer Obligations
      1. Access to Network. Customer shall provide technical access as further set forth below for Imprivata Implementation Engineers to Customer’s computer network. Such access shall be provided either through individual user identification and passwords or a generic user account to be shared by Imprivata Implementation Engineers.
      2. Customer shall provide the following technical access to Imprivata Implementation Engineers utilizing its IT staff and resources:
        1. Network account access
        2. VPN access
        3. Existing token service (for secure two-factor authentication) access or setup of ImprivataID/CIDRA, as needed.
        4. Dedicated endpoint or virtual desktop access from which all required systems can be accessed, and/or VDI access.
        5. User account and endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
  1. Identity Governance Configuration + Management Services

    1. Remote Configuration Services
      1. Project Management
        1. Review the scope of services.
        2. Conduct a project kick-off meeting to ensure project readiness, review project roles, set expectations, and confirm logistics.
        3. Provide a project plan to the Customer and update the plan during the subscription term.
        4. Coordinate a technical call with the Customer to review project tasks, schedules and resources and make changes and additions, as necessary.
        5. Prepare status reports during the active periods of the engagement, including progress-to-plan.
        6. Serve as Customer’s primary escalation point for all technical and business-related issues pertaining to Imprivata.
      2. Identity Governance Discovery and Design
        1. The Imprivata Administrator(s) will conduct Discovery and Design sessions with Customer with the objective being to understand the Customer’s current provisioning landscape and how the Identity Governance solution will integrate and improve the current workflow and security processes.
          1. The Imprivata Administrator(s) will provide recommendations based on industry best practices and prior implementation experience with Imprivata’s customer base.
          2. The Imprivata Administrator(s) will deliver and review detailed design specification which will define Identity Governance and overall automated provisioning workflows and data flow (the “Design Specification”).
          3. Customer shall review and approve the Design Specification before the project can progress to Application Integration or Automated Workflow Configuration phases.
        2. The Imprivata Administrator(s) will provide consultative guidance governing the building of the Customer’s role database and role-based access control (“RBAC”) principles and best practices, including assistance with initial design and creation of the role database, as well as ongoing maintenance of the role database.
        3. The Imprivata Administrator(s) will also provide guidance and expertise related to Customer’s multi-job environment (if applicable). This will consist of overview of IdG support and functionality and ongoing maintenance of a multi-job solution.
        4. Customer obligations:
          1. Customer shall assist Imprivata Administrator(s) with any design related decisions regardless the stage of the project.
          2. Customer shall ensure completion of initial installation and bootstrapping of the Identity Governance solution on all test servers prior to the first discovery session.
      3. Application Integration
        1. Services will include integration support for up to three (3) application integrations per subscription year (inclusive of Active Directory and Exchange), requiring:
          1. Review of requirements for application automation to support provisioning requests
          2. Creation and review bridge functional specification
          3. Development and unit testing of bridge for the agreed upon application(s)
          4. Application integration within Identity Governance to support automated create, modify, and terminate user workflows
          5. Resolution of defects found during Customer-conducted user acceptance testing of the bridged application
          6. Delivery of the bridge into the test and production environments
      4. Automated Workflow Configuration services will include:
        1. Configuration of the Identity Governance solution to support up to two (2) automated approvals per subscription year.
        2. Delivery of up to two (2) custom email notifications for specified provisioning events, including but not limited to Creation and Termination events per subscription year.
        3. Support for duplicate user handling within Active Directory.
        4. Support for rehire logic.
        5. Resolution of issues found during validation phase of the initial project implementation.
      5. Solution Planning and Account Ownership
        1. Imprivata will assign a primary Administrator that will assist the Customer throughout the Identity Governance active subscription term.
        2. Administrator will be responsible for scheduling and leading:
          1. Return On Investment (ROI) Analysis
            1. Administrator will lead an ROI analysis of the IdG solution post go-live, using Imprivata provided tools to estimate the value provided by the IdG solution post go-live. A detailed report will be compiled, delivered, and reviewed with Customer.
          2. Identity Governance Technical Check-up(s)
            1. Following the first year of the subscription term and at the beginning of each subsequent year of the subscription term, Administrator will conduct a technical check-up of the IdG solution.
            2. Administrator will facilitate a technical check-up of the IdG solution in production use at that time, consisting of a two (2) day remote session to document the following:
              1. Existing IdG functionality and maturity model assessment.
              2. Definition of gaps in solution that can be addressed by ongoing services.
              3. Recommendations for additional automation within provisioning workflow.
              4. Recommended scope, prioritization and sequencing of future improvements.
      6. Workflow Optimization Services
        1. Per subscription year, Administrator will deliver two (2) workflow enhancements to the Identity Governance solution, at a frequency of one (1) workflow enhancement per six (6) month period. These enhancements shall be defined and outlined within the technical check-up report.
        2. Workflow enhancements must be verified as sound and feasible modifications to existing business logic by an Imprivata Administrator, and mutually agreed to between the parties.
      7. Engineering Education services will include:
        1. Adding and integrating manual and generic applications into Identity Governance
        2. Effective usage of the IdG GRC auditing and reporting tool
        3. Up to one (1) bridge development training course per subscription year. This is an in-depth instructor led class focusing on development and integration of IdG bridges that support automated workflows.
    2. Management Services
      1. Includes all aforementioned services set forth in the Identity Governance Management Services package.
  1. Project Conditions.
    1. The Customer will designate an appropriate named IT resource (“Managed Services Lead”) as the principal point of contact throughout the engagement. The Managed Services Lead’s responsibilities include: scheduling and planning of the Customer’s resources, coordination of project meetings and requirements gathering sessions, point of contact for escalations and problem and conflict resolution management.
    2. Imprivata Services are performed between the business hours of 8:00 AM and 5:00 PM local Customer time, Monday through Friday, excluding normally observed holidays. The observed holidays will be specified in the Imprivata Support and Learning Center, which shall include real-time notifications. Services provided outside these times will be agreed-upon in writing by both parties in advance and may be subject to additional fees.
  1. Imprivata Obligations.
    1. Imprivata shall use all appropriate safeguards to prevent the use or disclosure of Customer data or other information from Customer’s network, other than as permitted under this Agreement and in furtherance of the Imprivata’s obligations under the Agreement;
    2. Imprivata shall promptly report any lost or stolen identification and passwords and shall insure that all terminated Administrator(s) return to Imprivata all identification and passwords prior to such Administrator(s)’ departure;
    3. Imprivata shall instruct the Administrator(s) that access to Customer’s computer network shall be limited to the minimum that it is necessary to perform the services under this Agreement;
    4. Imprivata will maintain the confidentiality of any user ID, password or other access control device provided by Customer to Imprivata and will not disclose such access control device to any third party, except as expressly authorized by Customer;
    5. Imprivata will not attempt to access any data or systems which are not necessary for Imprivata’s authorized purposes as set forth in the Agreement or in other written instructions to Imprivata by Customer and will terminate access to such data or systems whenever Imprivata ceases to have a need to know such data or systems;
    6. Imprivata will not tamper with, compromise, or attempt to circumvent or bypass any security pertaining to Customer’s systems, electronic or otherwise;
    7. Imprivata will take reasonable precautions not to allow entry of any virus or any other contaminant, including, but not limited to, codes, commands, or instructions that may be used to access, alter, delete, damage or disable the data, systems or other software or property;
    8. Imprivata will not install or download any unauthorized software;
    9. Imprivata will maintain the confidentiality of any data and/or systems to which it has access and will use such data and/or systems only as expressly authorized by the Agreement or in other written instructions to Imprivata; and
    10. Imprivata will notify Customer in the event Imprivata suspects that its network connection or any data or systems to which it has access have been compromised or in the event Imprivata suspects or knows of a breach of any of the foregoing.
  1. Payment. Imprivata shall sell to you and you shall purchase from Imprivata the Services as set forth in the applicable Imprivata Quote (or its equivalent if purchasing through an authorized reseller). All purchases of the Services are non-cancellable and non-refundable except as explicitly set forth otherwise in this Agreement. Imprivata will invoice you for the total purchase price set forth on the Imprivata Quote (or its equivalent if purchasing through an authorized reseller). You will pay invoices within 30 days of each invoice date. Imprivata may withhold providing any services until past-due payments are made. Late payments are subject to a charge of the lesser of 1.5% per month or the maximum allowed by law during such time as any payment is late as well as collection costs, including reasonable collection and attorney’s fees. Prices do not include, and you shall be responsible for, all applicable taxes of any kind due in respect of the transactions contemplated by this Agreement, except taxes on Imprivata's net income.
  1. Representations and Warranties. Imprivata represents and warrants that it will provide any Services in a good and workmanlike manner consistent with industry standards. Imprivata's sole liability, and Customer’s sole and exclusive remedy, for any breach of the foregoing Services warranty, Imprivata's sole liability, and Customer’s sole and exclusive remedy shall be for Imprivata to re-perform such services, provided Customer notifies Imprivata in writing of any such breach within thirty (30) days after the performance of any nonconforming Services.
  1. Confidentiality. Each party agrees that it will take reasonable steps, at least substantially equivalent to the steps it takes to protect its own proprietary information, to (i) prevent use of the other party’s Confidential Information for any purpose other than to carry out its rights and obligations hereunder, and (ii) prevent the disclosure of the other party’s Confidential Information other than to its employees or contractors who must have access to such Confidential Information for such party to exercise its rights and perform its obligations hereunder and who each agree to be bound by agreements with a duty of confidentiality no less protective of confidential information than provided herein, and each party shall be responsible to ensure that its employees and consultants comply with the restrictions set forth herein. “Confidential Information” shall mean information furnished or made available directly or indirectly by the disclosing party to the receiving party which (x) is marked confidential, proprietary, or with a similar designation; (y) in the case of information given orally or visually, is reduced to a written summary marked with an appropriate restrictive legend and delivered to the receiving party within two (2) weeks after it is furnished hereunder or (z) should be reasonably understood by the receiving party to be the confidential or proprietary information of the disclosing party.

    The parties’ obligations set forth in this section shall not apply with respect to any portion of the Confidential Information that: (i) was in the public domain at the time it was communicated to the receiving party; (ii) entered the public domain through no fault of the receiving party; (iii) is rightfully received by the receiving party from a third party without a duty of confidentiality; (iv) is independently developed by the receiving party without use of the Confidential Information; (v) consists of generalized ideas, concepts, know-how or techniques in intangible form that is incidentally retained in the unaided memories of persons who have had authorized access to Confidential Information (provided that this exception shall not be construed to grant to either party a license to the other party’s copyrights or patents beyond those otherwise granted in this Agreement); (vi) is disclosed under operation of law, except that the receiving party will disclose only such information as is legally required and will use reasonable efforts to obtain confidential treatment for any Confidential Information that is so disclosed and will, if legally permitted, provide the other party prompt notice of such possible disclosure prior to disclosure in order to allow an opportunity to contest such disclosure; or (vii) is disclosed with the other party’s prior written approval.
  1. Indemnification. If a third party makes a claim against either Customer or Imprivata (“Recipient” which may refer to Customer or Imprivata depending upon which party received the Material), that any information, design, specification, instruction, software, data, or material (“Material”) furnished by either Customer or Imprivata (“Provider” which may refer to Customer or Imprivata depending on which party provided the Material), and used by the Recipient infringes its intellectual property rights, the Provider, at its sole cost and expense, will defend the Recipient against the claim and indemnify the Recipient from the damages, liabilities, costs and expenses awarded by the court to the third party claiming infringement or the settlement agreed to by the Provider, if the Recipient does the following:
    1. Notifies the Provider promptly in writing, not later than 30 days after the Recipient receives notice of the claim (or sooner if required by applicable law);
    2. Gives the Provider sole control of the defense and any settlement negotiations; and
    3. Gives the Provider the information, authority, and assistance the Provider needs to defend against or settle the claim.

    If the Provider believes or it is determined that any of the Material may have violated a third party’s intellectual property rights, the Provider may choose to either modify the Material to be non-infringing (while substantially preserving its utility or functionality) or obtain a license to allow for continued use, or if these alternatives are not commercially reasonable, the Provider may end the license and/or services for, and require return of, the applicable Material and refund any fees the Recipient may have paid for any unused and prepaid license and/or services. If Customer is the Provider and such return materially affects Imprivata’s ability to meet its obligations under the relevant order, then Imprivata may, at its option and upon 30 days prior written notice, terminate the order. The Provider will not indemnify the Recipient if the information or legal pleadings do not specifically indicate that the Material is the basis of the claim. The Provider will not indemnify the Recipient if the Recipient alters the Material or uses it outside the scope of use identified in the Provider’s user documentation or if the Recipient uses a version of the Materials which has been superseded, if the infringement claim could have been avoided by using an unaltered current version of the Material which was provided to the Recipient. The Provider will not indemnify the Recipient to the extent that an infringement claim is based upon any information, design, specification, instruction, software, data, or material not furnished by the Provider. Imprivata will not indemnify Customer for any infringement claim that is based on Customer’s actions prior to the Effective Date of this Agreement. THIS SECTION PROVIDES THE PARTIES’ EXCLUSIVE REMEDY FOR ANY INFRINGEMENT CLAIMS OR DAMAGES.

  1. Limitation of Liability. EXCEPTING ONLY IN THE EVENT OF A BREACH BY EITHER PARTY OF SECTION F (“CONFIDENTIALITY”), NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR LOST PROFITS, FORESEEABLE OR UNFORESEEABLE, OF ANY KIND (INCLUDING, WITHOUT LIMITATION, LOSS OF GOODWILL, LOST OR DAMAGED DATA OR SOFTWARE, LOSS OF USE OF PRODUCTS, OR DOWNTIME) ARISING FROM THE SALE, DELIVERY OR PERFORMANCE OF ANY SERVICES OR ANY OTHER ACT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    IMPRIVATA'S MAXIMUM LIABILITY TO CUSTOMER, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, WILL NOT EXCEED THE FEES PAID AND PAYABLE BY YOU DURING THE PRECEDING TWELVE-MONTH PERIOD. MONETARY DAMAGES AS LIMITED BY THIS SECTION SHALL SERVE AS CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM UNDER THIS AGREEMENT FOR WHICH AN EXCLUSIVE REMEDY IS NOT PROVIDED, AND AS YOUR SOLE AND EXCLUSIVE ALTERNATIVE REMEDY SHOULD ANY EXCLUSIVE REMEDY HEREUNDER BE FOUND TO FAIL OF ITS ESSENTIAL PURPOSE. NO LIMITATION AS TO DAMAGES FOR PERSONAL INJURY IS HEREBY INTENDED.
  1. Term & Termination
    1. Term. This Agreement shall commence upon the Effective Date and unless earlier terminated as provided for herein, shall extend for a period of one (1) year therefrom (“Initial Term”), after which this Agreement shall automatically renew for successive one (1)-year periods (each a “Renewal Term”), until such time as a party provides the other party with written notice of termination; provided, however, that: (a) such notice be given no fewer than thirty (30) days prior to the last day of the then-current term; and, (b) any such termination shall be effective as of the date that would have been the last day of the then-current Renewal Term.
    2. Termination for Cause. If either party materially breaches any of its duties or obligations hereunder and such breach is not cured, or the breaching party is not diligently pursuing a cure, within thirty (30) days after written notice of the breach, the non-breaching party may immediately terminate this Agreement for cause as of a date specified in such notice.
    3. Payments upon Termination. Upon the termination of this Agreement, Customer shall pay to Imprivata all amounts due and payable hereunder, if any.
    4. Return of Customer Data. Upon the termination of this Agreement and payment of any amounts due, Imprivata shall, within five (5) business days following the termination of this Agreement, return the Customer data to Customer, and thereafter shall destroy any Customer data within its possession or control.
  1. General Terms.
    1. Relationship of Parties. Each party represents and warrants that it is an independent contractor with no authority to contract for the other party or in any way to bind or to commit the other party to any agreement of any kind or to assume any liabilities of any nature in the name of or on behalf of the other party. Under no circumstances shall either party, or any of its employees, consultants and agents, hold itself out as or be considered an agent employee, joint venturer, or partner of the other party.
    2. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, without regard for principles of conflict of laws. Each party hereby consents and submits to the jurisdiction and forum of the state and federal courts in the Commonwealth of Massachusetts in all questions and controversies arising out of this Agreement.
    3. Compliance with Laws. Both parties agree to comply with all applicable federal, state, and local laws and regulations issued, where applicable, and Customer acknowledges that the services use software and technology that may be subject to United States export controls administered by the U.S. Department of Commerce, the U.S. Department of Treasury Office of Foreign Assets Control, and other U.S. agencies. Customer further acknowledges and agrees that the services shall not be used in, and none of the underlying information, software, or technology may be transferred or otherwise exported or re-exported to, countries to which the U.S. maintains an embargo (collectively, "Embargoed Countries"), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury's List of Specially Designated Nationals or the U.S. Department of Commerce's Table of Denial Orders (collectively, "Designated Nationals"). Imprivata makes no representation that the services are appropriate or available for use in other locations. If Customer uses the service from outside the United States of America, Customer is solely responsible for compliance with all applicable laws, including without limitation export and import regulations of other countries. Any diversion of the Customer Data contrary to U.S. law is prohibited.
    4. Force Majeure. Except for the obligation to make payments, neither party will incur any liability to the other party on account of any loss or damage resulting from any delay or failure to perform all or any part of this Agreement if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control and without negligence of the parties. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, riots, acts of war, earthquakes, fire and explosions, but the inability to meet financial obligations is expressly excluded.
    5. Assignment. Imprivata may assign this Agreement, in whole or part. Customer may not otherwise assign its rights or delegate its duties under this Agreement, either in whole or in part, without the prior written consent of Imprivata, and any attempted assignment or delegation without such consent will be void and of no effect. This Agreement will bind and inure to the benefit of each party's successors and permitted assigns.
    6. Future Products. Imprivata may from time to time, prior to or during the term of this Agreement, disclose to you information related to planned future products, features or enhancements. Imprivata’s development efforts and plans are subject to change at any time, without notice; Imprivata provides no assurances that Imprivata will introduce any such future products, features or enhancements and assumes no responsibility to introduce such products, features or enhancements. You acknowledge that your current purchasing decisions are not made based on the reliance on any such future timeframes or specifics described to you.
    7. No Waiver. The failure of either party at any time to require performance by the other party of any provision of this Agreement shall in no way affect that party’s right to enforce such provisions, nor shall the waiver by either party of any breach of any provision of this Agreement be taken or held to be a waiver of any further breach of the same provision.
    8. Notice. Any notice, approval, or consent required or permitted under the terms of this Agreement or required by law shall be in writing and deemed to have been sufficiently given and received when (i) delivered in person; (ii) three (3) business days after being sent by registered mail, return receipt requested, postage pre-paid; or (iii) one (1) business day after being sent by overnight air courier or by facsimile transmission, in each case forwarded to the appropriate address as may be designated by a party from time to time.

      If to Imprivata:

      Imprivata, Inc.

      Attn: Legal Department

      20 CityPoint, 6th floor, 480 Totten Pond Rd.

      Waltham, MA 02451

    9. Amendment. No amendment, change, waiver, or discharge hereof shall be valid unless in writing and signed by the Party against which such amendment, change, waiver, or discharge is sought to be enforced.
    10. Partial Invalidity. If any term or provision of this Agreement or the application thereof to any person, entity, or circumstance shall be invalid or unenforceable, the remainder of this Agreement shall be unaffected thereby, and each remaining term or provision of this Agreement shall be valid and enforced to the fullest extent permitted by law.
    11. Headings. The headings used in this Agreement are for reference purposes only, and shall not be construed to add to, alter, or modify any provision hereof.
    12. Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed to be a duplicate original, but all of which, taken together, shall be deemed to constitute a single instrument. This Agreement may be executed by facsimile or by electronic transmission of a pdf file.
    13. Entire Agreement. This Agreement and attached Exhibit A hereto constitute the entire agreement between Customer and Imprivata with respect to the subject matter hereof, and there are no related representations, understandings, or agreements that are not fully expressed in this Agreement.
    14. Survival. Any provision of this Agreement meant to survive the expiration or earlier termination of this Agreement shall so survive.