IT SERVICES GENERAL CONDITIONS OF CONTRACT

These IT Services General Conditions of Contract shall govern the provision of (i) Software, (ii) Software Maintenance, (iii) Software Hosting and/or (iv) related Training Services, in each case as specifically set forth in a Statement of Work, by Vendor to Ameren.

ARTICLE 1. DEFINITIONS

1.1 Definitions.
Certain terms used in this Contract are defined in Exhibit 1. Other terms used in this Contract are defined where they are used and have the meanings there indicated. Unless otherwise specifically defined, those terms, acronyms and phrases in this Contract that are utilized in the IT services industry or other pertinent business context shall be interpreted in accordance with their generally understood meaning in such industry or business context. The word "and" shall mean "and" as well as "or," unless otherwise specified.

ARTICLE 2. THE SERVICES

2.1 Services Description
The Services to be provided hereunder shall be set forth in a Statement of Work which shall incorporate the terms and conditions of this Contract. Each such Statement of Work shall define and set down specific terms and conditions applicable to the IT Services, which may be further defined by attachments. A Statement of Work will be binding only upon issuance of a Purchase Order by Ameren and acceptance thereof by Vendor. Vendor will provide the IT Services which are designated in the Statement of Work, within the installation build timeframe set forth therein. Information collectively contained in Schedule A (Statement of Work), Schedule B (Fees), Schedule C (IT Services Implementation Plan), Schedule D (Training) and Schedule E (Service Level Contract), shall collectively define the Services.

2.2 Software Services
For Software Services furnished by Vendor to Ameren's, the following provisions shall apply:

(a) Grant of License:

(i) Except as may be expressly modified in the SOW, Vendor hereby grants to Ameren a perpetual, nonexclusive, royalty-free, worldwide, and nontransferable license (the "License") to use and copy the Software during the Term.
The License includes the use and copying of the Software by Ameren Affiliates. All use and copying by Ameren Affiliates shall, for the purposes of this Contract, be deemed to be use and copying by Ameren.

Rev. 12-15

(ii) Notwithstanding any other provision in this Contract to the contrary, and for no additional or incremental license fees, Ameren may: (a) make a reasonable number of copies of the Software for back-up or archival purposes, (b) operate the Software on additional computers solely for testing the Software in a non-production environment, (c) operate the Software on additional computers solely for disaster recovery or business continuity planning and implementation purposes, and (d) transfer the Software to another CPU or server without permission of Vendor, provided however, that Ameren shall delete the Software from the CPU or server from which it is transferred. Further, during the term of this Contract the license granted hereunder governing the use of Software is extended to employees, agents, subcontractors, contractors, outsourcing vendors, consultants and others who have a need to use and copy the Software in accordance with the terms of this license for the benefit of Ameren. To the extent any third-party service provider has used or copied the Software for the benefit of Ameren, such third-party service provider will be obligated to agree to protect the confidentiality of the Software to the same extent this Contract obligates Ameren to protect the confidentiality of the Software. The location of the Software may be changed by Ameren upon prior written notice.

(iii) At Ameren's request, Vendor shall promptly provide to Ameren, at no additional charge, the version(s) of the Software made available to the public for use on different machines and platforms.

(b) Source Code:

(i) Escrow of Source Code. At no additional cost to Ameren, Vendor will keep on deposit with such escrow agent as determined by Vendor the Source Code, Documentation and applicable compilers, and other information and tools necessary to modify, upgrade, improve, or create derivative works from, the Source Code for the Software (collectively, the "Escrow Materials"). Throughout the Term, Vendor shall assure that such Escrow Materials reflect the most current version of the Software licensed to Ameren. In the event that (a) Vendor shall become insolvent or cease to carry on business, or (b) Vendor discontinues support for the Services then Ameren will have the right to acquire a copy of the Source Code for the Software licensed to Ameren at no cost to Ameren for the sole purpose of continuing Ameren's authorized use of the Software, as set forth in this Contract. Such use will include the right for Ameren to make modifications to the Software to enable Ameren's use as authorized in this Contract. Vendor will provide Ameren with a copy of Vendor's notification to the escrow agent of Ameren's license and rights hereunder as a beneficiary under the escrow arrangement with such escrow agent.
Under the terms of the agreement with the escrow agent (the "Escrow Contract"), Ameren may itself or have designated third-parties audit the escrowed Source Code for compliance with the terms of this Contract and the Escrow Contract. The Parties desire any agreement with said escrow agent to be supplementary to this Contract pursuant to 11 United States Bankruptcy Code, Section 365(n).

(ii) Use of Source Code. If Vendor fails to provide support for the Software in accordance with any maintenance agreement between the Parties due to insolvency, abandonment of licensing or supporting the Software as a line of business, or otherwise, (a) Ameren may access and use the Software's Source Code, applicable compilers, and other information and tools necessary to modify, upgrade, improve, or create derivative works from, the Source Code, either directly from Vendor or through the third-party escrow agent, as necessary for Ameren to make continued use of the Software in its business, which access and use will otherwise be governed by the terms of this Contract and by the Escrow Contract, and (b) the License will be deemed to have been automatically amended to include the right to modify, and to authorize a third-party to modify on Ameren's behalf, the Source Code as provided herein. Ameren's use of the Source Code under the terms of this Article shall not constitute a termination of this Contract.

(c) Open Source or Copyleft Licenses.
Without Ameren's prior written approval, Vendor will not use in performing the Services, and Software will not incorporate, link to, call, or depend in any way upon, any software or other intellectual property that is subject to an Open Source or Copyleft license (including the GNU General Public License) or any other Contract that may give rise to any third party's right to use Software or to limit Ameren's rights under this Contract or to Ameren's Intellectual Property Rights.
2.3 Hosting Services
For Hosting Services furnished by Vendor, the following provisions shall apply:

(a) No Commingling
Ameren's data may not be commingled with the data of any other customer of Vendor. Unless otherwise agreed in a Statement of Work, all Ameren data shall reside on shared Equipment. Ameren's process will be run in separate system regions and all Ameren data shall be stored on files logically separate from those of other customers of Vendor. Vendor shall use commercially reasonable efforts to ensure that Ameren data and systems are not accessible to unauthorized parties for any reason and shall promptly report any breaches of security regarding Ameren data to Ameren. Vendor will use commercially reasonable efforts to maintain Ameren's Internet server's availability twenty-four (24) hours a day, seven (7) days a week.

(b) Back-up and Recovery.
If Vendor is furnishing Hosting Services, Vendor shall provide back-up, disaster recovery and storage capabilities so as to maximize availability of the Services during an event that would otherwise affect the delivery of the Services. At a minimum, such capabilities will provide for restoration of Services within the timeframes set forth in the Disaster Recovery Plan. As a part of its recovery requirements, Ameren and Vendor will meet to determine and define the "Recovery Time Objective", i.e., how long the system can be unavailable, and the "Recovery Point Objective", i.e., how much data is lost. Vendor's responsibilities shall include the following:

(i) Back-up and store Ameren Data (on tapes or other storage media as appropriate) on-site for efficient data recovery and off-site to provide protection against disasters and to meet file recovery needs.

(ii) Conduct incremental and full back-ups (in accordance with mutually agreed upon timeframes) to capture data and changes to data.

(iii) Develop and maintain a Disaster Recovery Plan approved by Ameren. In the event of a disaster, Vendor shall assume responsibility for providing the services in accordance with the Disaster Recovery Plan.
(iv) Maintain the ability to provide full "hot-site" recovery for the ASP System in accordance with the Disaster Recovery Plan. A hot-site is a fully-equipped computer center which provides one (1) or more computer models, network connections, and the necessary peripheral equipment to replicate the data processing from the primary computer site, including uninterruptible power supplies, printers, consoles, tape drives, redundant environmental conditioning, fire protection and warning devices, intrusion detection devices, physical security, and adequate office space for personnel to conduct normal data center operations.

(v) Provide "cold-site" facility in case of extended outage, including some or all of the development environment.

(vi) Plan and conduct disaster recovery tests quarterly each year of the term in coordination with Ameren. Vendor shall document results and provide analysis and recommendations for improvements in recovery capabilities.
(vii) Generate a report following each and any disaster measuring performance against the Disaster Recovery Plan and identification of problem areas and plans for resolution.

(c) Compliance with Legal Holds

(i) Vendor agrees to comply with any and all legal holds as issued by Ameren's Legal Department. A legal hold suspends all document destruction procedures in order to preserve appropriate records under special circumstances, such as litigation or government investigations. Ameren's Legal Department determines and identifies what types of records, documents, or data are subject to legal hold. Ameren's Legal Department will notify the Vendor if a legal hold is placed on records, documents, or data the Vendor controls. Vendor must then preserve and protect the specified records, documents, or data in accordance with instructions from Ameren's Legal Department. A legal hold remains effective until it is officially released in writing by Ameren's Legal Department. If Vendor is uncertain whether specific records, documents, or data is subject to a legal hold, those records, documents, or data should be preserved and protected until such time Ameren's Legal Department can confirm their relevancy.

(ii) In the event records, documents, or data placed on legal hold are required for review by Ameren's Legal Department, Vendor will work diligently to export all relevant records, documents, or data in a form that is reasonably reviewable.

(d) Equipment
Unless otherwise specifically stated in a Statement of Work, the price for the Hosting Services provided by Vendor, as defined in the Statement of Work and Fee Schedules, shall include all necessary equipment, devices, software, fees and charges for the Services (excluding any Ameren-owned or Ameren-licensed computer hardware and other tangible equipment placed by Ameren in a hosting environment for Ameren's use of the Services).

(e) Compliance.
Vendor will adhere to applicable regulatory requirements as outlined in Nuclear Regulatory Commission (NRC) to the NERC Cyber Security Policy to include Critical Information Protection (CIP) Standards using an information security standards-based framework such as IEC 62443 or ISO 27001-2. Where applicable per SOW, Ameren may require Factory Acceptance Test Measures (FAT) to verify that security features function properly and provide the expected levels of functionality. In addition, Site Acceptance Test Measures (SAT) after system installation with additional integrated functions to validate that the site installation is equivalent to the system tested at the factory.

(f) Network Architecture.
The Vendor shall provide and document secure network architecture where the higher-security zones originate communication to less-secure zones. The Vendor shall provide and document the design for all communication paths between networks of different security zones through a DMZ. The Vendor shall verify and document that disconnection points are established between the network partitions and provide the methods to isolate subnets to continue limited operations. The Vendor shall provide and document tailored filtering and monitoring rules for all security zones and alarm for unexpected traffic. The Vendor shall provide and document a DMZ that is restricted to communications where all traffic is monitored, alarmed, and filtered. The Vendor shall provide and document outbound filtering and alarms for unexpected traffic through security zones. The Vendor shall define all sources and destinations with enforced communication origination even during restart conditions between security zones. The Vendor shall provide and document dual DMZ architectures using different products performing the same functionality running in parallel. The Vendor shall provide and document a mechanism for patching a single DMZ architecture running in a parallel configuration without disruption to the other DMZ running in parallel. Post-contract award, the Vendor shall provide network architecture documentation.

(g) Security Features.
The Vendor shall provide physical and cyber security features, including but not limited to authentication, encryption, access control, event and communication logging, monitoring, and alarming to protect the device and configuration computer from unauthorized modification or use.

2.4 Software Maintenance Services
For Software Maintenance Services furnished by Vendor to Ameren's, the following provisions shall apply:

3. TERM

3.1 Term.

(a) Services to be Provided.
Vendor shall provide maintenance and support services, including upgrades, as set forth in the Statement of Work or, in any event, for all Equipment as may be necessary for Vendor to perform the Services in accordance with the Service Levels. Vendor maintains a standard weekly routine and preventative maintenance window, to maintain and improve Service quality, details of which will be furnished to Ameren upon request. Any changes to the maintenance window will be communicated in writing or via email. Vendor will inform Ameren of all Vendor planned maintenance not less than seven (7) days in advance.

(b) Maintenance Hours
Vendor designates time periods during which it may limit or suspend the availability of the hardware and/or software involved in providing its Services to perform necessary maintenance or upgrades (each, a "Scheduled Maintenance Window"). Vendor will use all reasonable efforts to schedule maintenance to minimize disruptions to Ameren. Scheduled Maintenance Windows, during which maintenance or upgrades may be performed, currently are each [Saturday] between the hours of [ ] pm and [ ] am local time, according to the location of the Services.
If planned maintenance during a Scheduled Maintenance Window has the possibility of making the server or servers, as the case may be, utilized by Ameren inaccessible, Vendor will provide not less than forty-eight (48) hours' prior notice to Ameren of such Scheduled Maintenance Window. Such notice must be given directly to an Ameren employee (i.e., not acceptable to simply leave a voice mail or send an email). In addition, Vendor reserves the right to perform any required, emergency maintenance work outside of the Scheduled Maintenance Window with prior notice to Ameren.

Vendor agrees to provide the Services set forth in the Statement of Work during the term set forth therein (the "Term").

4. PAYMENT

4.1 Fees
Provided Vendor is not in breach of this Contract, Ameren will pay Vendor the fees set forth in Schedule B for the Services provided by Vendor in accordance with this Contract. In the event Monthly Recurring Charges are to be paid to Vendor, Ameren may pre-pay the Monthly Recurring Charges for the entire term of this Contract or may pay them on a monthly basis. Charges shall be invoiced to Ameren in advance at the beginning of the month and include sufficient detail to validate charges. In all cases, payments for charges are due within thirty (30) days of Ameren's receipt of a properly submitted invoice. If Ameren in good faith disputes any charges, it shall timely pay all undisputed charges, and also within thirty (30) days of the invoice date give Vendor notice of the disputed amount(s) and reason(s) therefore. Vendor shall review any such notice promptly. If Vendor determines that Ameren was billed in error, Vendor will immediately submit a corrected invoice.

4.3 Incidental Expenses.
Ameren will reimburse Vendor for reasonable, documented travel, lodging and meal expenses of Vendor personnel engaged in performing Services under this Contract only if such expenses are incurred in response to a special request by Ameren in writing or as set forth in the Statement of Work. In the event such request by Ameren is due to a problem with the Services attributable to Vendor, there will be no such reimbursement. Any authorized travel-related expenses will be reimbursable in accordance with Ameren's policies that apply to its own personnel. Except as provided above, all of Vendor's expenses incurred in performing the Services are included in the fees for Services set forth in Schedule B or the relevant Statement of Work.

4.4 Taxes.

(a) Each Party will be responsible for any taxes on property it owns or leases, for any franchise or privilege tax on its business, and for any tax based on its gross or net income or gross receipts.

(b) Vendor will pay for any tax on goods or services it uses to provide Software or Services.

(c) Vendor will pay and Ameren will reimburse Vendor for any federal, state, or local sales, use, excise, or similar tax applicable to the provision of Software or of the Services, if any.

(d) The Parties will cooperate to more accurately determine and minimize their respective tax liability.
Each Party will provide tax information or tax documents reasonably requested by the other Party. Each Party will promptly notify the other of any claim for taxes asserted by a taxing authority with jurisdiction over either Party. With respect to any claim arising out of a form or return signed by a Party to this Contract, the signing Party may control the response to and settlement of the claim, but the other Party may participate to the extent it may be liable.

4.5 Most Favored Customer.
If Vendor grants to another customer a Fee (including, without limitation, a License Fee or Monthly Recurring Charge) lower than that charged to Ameren under a SOW, Vendor shall so inform Ameren promptly and Ameren fees hereunder shall be equitably adjusted to provide Ameren the benefit of such lower Fees. Such adjustment shall be retroactive to the first date on which the lower charges to the other customer became effective. Within thirty (30) days after the Effective Date and on each anniversary of such date during the Term thereafter, Vendor shall certify in writing to Ameren that Vendor is in compliance with this Section 4.5, and shall provide the information reasonably requested by Ameren to verify such compliance.

5. DELIVERY AND ACCEPTANCE

5.1 Software Acceptance Tests.
Ameren, with all necessary cooperation and assistance from Vendor, will perform Software acceptance tests (the "Acceptance Tests") to determine whether or not the Software: (a) performs in accordance with the Documentation, (b) can be used effectively in Ameren's operating business environment, and (c) is capable of running without failure. The Parties will diligently endeavor to complete the Acceptance Tests in a timely manner. Ameren shall be deemed to have accepted Software upon the date of delivery to Vendor by Ameren of a notice (the "Acceptance Notice") to that effect ("Acceptance"). Ameren will not be required to pay any Fees until Acceptance has occurred. If Ameren determines that Software has not successfully completed the Acceptance Tests, Ameren promptly will notify Vendor in writing of such determination (the "Failure Notice") and will describe in reasonable detail its reasons for such determination. Ameren shall ask Vendor to make such necessary corrections and modifications to Software as will cause Software to successfully complete the Acceptance Tests not later than ten (10) business days from the date of the most recent Failure Notice. Vendor will notify Ameren in writing when it has done so (the "Correction Notice"). Promptly after receipt of the Correction Notice, Ameren, with all necessary cooperation and assistance from Vendor, will retest Software using the Acceptance Tests and such other tests (the "Additional Acceptance Tests") as Ameren determines. If Ameren determines Software fails again to successfully complete the Acceptance Tests, or fails to successfully complete the Additional Acceptance Tests, Ameren promptly will provide Vendor with a Failure Notice, and will have the right to terminate this Contract and receive a full refund of all amounts paid to Vendor hereunder. Each Party shall bear its own costs in connection with the successive Acceptance Tests and Additional Acceptance Tests.

6. CONFIDENTIALITY AND AUDIT RIGHTS

6.1 Confidential Information.
a) Each Party shall hold the other Party's Confidential Information confidential and shall not use or disclose to others during or subsequent to the performance of the Work (except as is necessary to perform the Work), Each Party agrees to maintain security measures designed to: (i) protect the security and confidentiality of Confidential Information; (ii) protect against any anticipated threats or hazards to the security or integrity of such Confidential Information; and (iii) protect against unauthorized access to or use of such Confidential Information that could result in substantial harm or inconvenience to any customer of Ameren.

b) In the event that the receiving Party is legally requested or required (by oral questions, interrogatories, requests for information or documents, subpoena, civil investigative demand or similar process or; in the opinion of counsel for such Party, by federal or state securities or other statutes, regulations or laws) to disclose any Confidential Information, such Party shall promptly notify the other Party of such request or requirement prior to disclosure so that the other Party may seek an appropriate protective order and/or waive compliance with the terms of this Agreement. If, however, a protective order is not obtained and in the written opinion of counsel for the receiving Party such Party is nonetheless, in the absence of such order or waiver, compelled to disclose such Confidential Information or otherwise stand liable for contempt or suffer possible censure or other penalty or liability, then the receiving Party may disclose that portion (and only that portion) of such Confidential Information as is legally required without liability to the disclosing Party hereunder.

c) No license to either of the Parties under any trademark, patent, copyright or any other intellectual property right is either granted or implied by the conveying of Confidential Information to either of the Parties. All Confidential Information (including tangible copies and computerized or electronic versions thereof) shall remain the property of the disclosing Party.
Within ten (10) days following the receipt of a written request referencing this Agreement and this paragraph from either of the Parties disclosing Confidential Information hereunder, the receiving Party shall deliver to the disclosing Party all tangible materials containing or embodying the Confidential Information received from the disclosing Party. That portion of the Confidential Information which has been incorporated into analyses, compilation, comparisons, studies or other documents prepared by the receiving Party or its Representatives shall be held by the receiving Party and kept confidential as provided above or shall be destroyed.
d) Each of the Parties understands and agrees that money damages would not be a sufficient remedy for any breach of this Agreement and that the disclosing Party shall be entitled to seek injunctive or other equitable relief to remedy or forestall any such breach or threatened breach. Such remedy shall not be deemed to be the exclusive remedy for any breach of this agreement but shall be in addition to all other rights and remedies available at law or in equity. The Parties further acknowledge and agree that the covenants contained herein are necessary for the protection of legitimate business interests and are reasonable in scope.

e) Publication or advertising of information directly derived from the Project or the Work or data obtained in connection with services rendered under the Contract must first be approved in writing by Ameren. Vendor shall not release any information for publication or advertising purposes relative to the material, equipment and or services furnished under the Contract Documents without the prior written consent of Ameren. Ameren reserves the right to release all advertising or publicity concerning the Project or the Work. Except as to signs required by building department regulations or any other governmental requirements, Vendor shall not display or permit any signs or advertisements to be displayed about the Project site nor publicize in any manner its performance of the Work without the express written permission of Ameren.

f) Each Party shall restrict the knowledge of all Confidential Information regarding the Work to as few as possible of its employees, Subcontractors, consultants and agent who are directly connected with performance of the Work and have a definite need for such knowledge. Each such person or groups of persons shall be under obligation of confidentiality no less stringent than that set forth herein.
g) Vendor shall not have access to any of Ameren's control or operating systems or sensitive electronic or hard data without: (i) application to Ameren and its prior written consent, which may be withheld at Ameren's discretion, and (ii) Vendor's agreement to comply with the terms of applicable Ameren policies and procedures as set out in the Information Access and Cyber Security Agreement.

h) The provisions of this Section 6.1 shall survive the termination or expiration of this Contract for any reason.

6.2 No Requirement of Disclosure or Grant.
Nothing contained in Section 6.1 shall be construed as obligating a Party to disclose its Confidential Information to the other Party, or as granting to or conferring on a Party, expressly or impliedly, any rights or license to the Confidential Information of the other Party. Nothing contained in this Article 7 shall be construed as limiting or diminishing in any respect the scope of any licenses granted under this Contract.

6.3 Hosting Services Audit Rights.

(a) Vendor will provide to Ameren or its authorized representative, access at all reasonable times to any facility or part of a facility at which either Vendor or any of its subcontractors is providing Hosting Services, to equipment and software, to Vendor Personnel, and to data and records relating to Vendor's performance of the Services, for the purpose of performing audits and inspections of either Vendor or any of its subcontractors to: (i) verify the accuracy of Vendor's charges and invoices; and (ii) examine Vendor's performance of the Services including, to the extent applicable to the Services performed by Vendor and to the charges therefore, performing (A) audits of practices and procedures, (B) audits of systems; (C) audits of general controls and security practices and procedures, (D) audits of the efficiency and cost-effectiveness of Vendor in performing the Services (but only to the extent affecting charges for, or timing of, Services hereunder), (E) any audit necessary to enable Ameren to meet applicable regulatory requirements, and (F) audits to determine Vendor's compliance with the Contract Documents. Vendor will provide to such auditors and representatives such assistance, as they reasonably require. Vendor will cooperate fully with Ameren or Ameren's designees in connection with audit functions. If Ameren performs such audits via an independent audit firm, Ameren shall cause such audit firm to agree in writing to protect the confidentiality of Vendor's Proprietary Information in a manner substantially equivalent to that required of Ameren under this Contract prior to performing the audit. Ameren's auditors and other representatives will comply with Vendor's reasonable security requirements.

(b) If an audit uncovers any overcharge, Vendor shall immediately refund such overcharge (net of any undercharges uncovered by the audit).

(c) Vendor shall maintain and provide access, both electronic and physical, upon request to copies of Ameren Data, content, and other property as Ameren requires for update, modification, downloading, or other purposes. Such access shall include escorted access to the physical location where the ASP System is maintained.

(d) Vendor shall maintain and provide access upon request to records, documents and other information required to meet Ameren's audit rights under this Contract until the later of: (i) three (3) years after expiration or termination of this Contract, or (ii) all pending matters relating to this Contract (e.g., disputes) are closed.

6.4 SAS 70 Audit
In lieu of an audit as set forth in Section 6.3 above, Vendor, in its sole discretion, may retain and undergo a Type II independent service audit examination (SAS 70), which concludes on both design and operating effectiveness of the service organization's internal controls, on an annual basis. In respect to the examination:

(i) Control objectives to be covered by the examination including those under the responsibility of the Vendor and those that fall within the areas of Ameren responsibility, will be developed with input from Ameren to ensure Ameren's financial statement and operational assertions are achieved and that risks and corresponding controls are considered.

(ii) Scope of examination coverage will encompass all services provided to Ameren necessary to meet the control objectives that are under responsibility of the Vendor.
(iii) Timing of examination and subsequent release of the examination report will be set in consideration of Ameren's calendar year-end financial close and reliance thereon for complying with the Sarbanes Oxley Act (suggested examination period October 1 - September 30).

(iii) Ameren will be supplied a copy of the examination report upon release by the independent service auditor.

(iv) Vendor will provide responses to all identified control deficiencies reported as a result of the independent service examination, including background and cause of control breakdown, extent of breach due to the control deficiency, and intended resolution to remediate the control deficiency.

Notwithstanding the foregoing, Ameren shall retain the right to audit as set forth in Section 6.3 above for any areas where the Vendor's SAS 70 does not satisfy Ameren's requirements as described herein.

7. REPRESENTATIONS AND WARRANTIES

7.1 Software Services.
Vendor represents, warrants and covenants that (a) on the Acceptance Date and for a cumulative period of twelve (12) months thereafter (the "Warranty Period"), and for so long after the Warranty Period as Ameren shall purchase from Vendor maintenance and support services in respect thereof, the Software will be free of material programming errors and will operate and conform to the Documentation; and (b) on the acceptance date specified in the relevant Scope of Work and for a period of twelve (12) months thereafter, and for so long thereafter as Ameren shall purchase from Vendor maintenance and support services in respect thereof, each Custom Modification will be free of material programming errors and will operate and conform to the Documentation.

7.2 Media.
Vendor warrants that for a period of twelve (12) months from the date of delivery that the media used to store and deliver Software to Ameren shall be free from defects in manufacture and material. Should the media fail to be free of defects in manufacture or material during such twelve (12) month period, Vendor shall replace the defective media. Defective media shipped to the Vendor with a shipping date within the warranty period will be replaced at no charge including shipping.

7.3 IT Services.
Vendor represents, warrants and covenants that all Services will be performed with promptness and diligence and will be executed in a workmanlike and professional manner, in accordance with the practices and high professional standards used in well-managed operations performing services similar to the Services. Vendor represents, warrants and covenants that it shall use adequate numbers of qualified individuals with suitable training, education, experience and skill to perform the Services.

7.4 Performance Warranty
Vendor warrants that it will perform the Services in accordance with the Service Levels as set forth in the Statement of Work, as set forth in or incorporated by reference into this Contract.
In the event Vendor does not fulfill its obligations with respect to providing Services at the warranted Service Levels, Ameren shall have the rights as set forth in this Contract and the applicable Service Level Contracts, and any other appropriate remedies in law or in equity not expressly excluded by this Contract. 7.5 Maintenance Company represents, warrants and covenants that it shall maintain any equipment and Software so that they operate in accordance with their Specifications, including (i) maintaining equipment in good operating condition, subject to normal wear and tear; (ii) undertaking repairs and preventative maintenance on equipment in accordance with the applicable equipment manufacturer's recommendations; and (iii) performing reasonable software maintenance. 7.6 Documentation. Vendor represents, warrants and covenants that the user Documentation for Software will accurately describe in terms understandable by a typical end user the functions and features of such Software and the procedures for exercising such functions and features. 7.7 Ownership. Vendor represents, warrants and covenants that Vendor is the lawful owner or licensee of Software and the materials used in the performance of the Services, that Software and such materials have been lawfully developed or acquired by Vendor and Vendor has the right to grant Ameren the rights to Software and such materials, including the rights of access to and use of Software and such material and the proprietary rights in the Custom Modifications which it grants under this Contract, without the consent of any other person or entity. 7.8 Non-Infringement. 
Vendor represents, warrants and covenants that (a) Vendor is not subject to any obligation that would prevent it from entering into this Contract, and Vendor's offer to provide Software and the Services to Ameren and Ameren's acceptance of such offer has in no way caused or induced Vendor to breach any contractual obligation to any other person or entity, and (b) none of Software or any other materials provided by Vendor or used in connection with the performance of any Services, nor the possession or use of any of the foregoing by Ameren as contemplated by this Contract, will infringe any Intellectual Property Right of any third party, or contain confidential or proprietary material misappropriated by Vendor from any third party. The foregoing warranties in clause (b) will not apply to the extent infringement is caused by modifications to Software conforming to designs, specifications or instructions provided by or at the direction of Ameren (as opposed to the manner in which such designs, specifications or instructions are
implemented by Vendor). 7.9 Viruses and Disabling Code. Vendor represents, warrants and covenants that (a) Vendor will ensure that no computer viruses or similar items are coded or introduced into Software or any systems used to perform the Services, and Vendor will not insert into any Software any code which would have the effect of disabling or otherwise shutting down all or a portion of such Software or damaging any information or functionality. 7.10 Compliance with Ameren Information Technology Standards. The Vendor will maintain and apply security policies that meet or exceed information technologies security controls as required for and by Ameren owned/managed data and systems to ensure confidentiality, integrity, and availability. As Ameren required security controls significantly change, are identified, or as new controls are defined, the Vendor shall be notified and expected to comply. Ameren may audit such controls as defined in Section 6.3 (Audit Rights) and Section 6.4 (SAS 70 Audit) of the IT Services Contract. 7.11 Modifications. The representations, warranties and covenants provided by Vendor under this Contract will not be affected by Ameren's modification of Software, including the Source Code for Software, so long as Vendor can discharge its obligations despite such modifications, or following their removal by Ameren. 7.12 Warranty Disclaimer. OTHER THAN AS PROVIDED IN THIS CONTRACT, AND OTHER THAN WARRANTY OF TITLE, THERE ARE NO EXPRESS WARRANTIES AND THERE ARE NO IMPLIED WARRANTIES, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 8. 
INSURANCE Without limiting the scope or extent of the protection afforded Ameren or the liabilities assumed by Vendor herein, Vendor and any subcontractors shall obtain and maintain in force for the entire life of this Contract the following insurance and name Ameren Corporation, its subsidiaries and affiliates as additional insured on primary and non-contributory basis and include a severability of interest provision: (A) Commercial General Liability insurance on the premises and Services covered by this Contract and specifically including, without limitation, contractual liability insurance to cover liability assumed by Vendor with combined single limits, per accident, of not less than $1,000,000 for bodily injury, including death and property damage. (B) Worker's Compensation insurance with statutory limits and employer's liability insurance with limits of not less than $1,000,000. (C) Comprehensive Auto Liability insurance which has minimum combined single limits for bodily injury and property damage of $1,000,000 per accident. The Comprehensive Auto Liability policy shall include owned and blanket non-owned and hired coverage. (D) Commercial Umbrella Liability insurance with limits of not less than $2,000,000 per occurrence. Such umbrella shall be excess over all other coverage required in this section, except Worker's Compensation. (E) Professional Liability insurance with limits of not less than $1,000,000. Vendor shall require their insurance carriers, with respect to all insurance policies, to waive all rights of subrogation against Ameren, its directors, officers, agents and employees, and Vendor shall indemnify Ameren against any loss or expense, including reasonable attorneys' fees, resulting from the failure to obtain such waiver.
Vendor shall, before the commencement of any Services, furnish Ameren with a certificate from an insurance carrier acceptable to Ameren stating that policies of insurance carrier acceptable to Ameren have been issued by it to Vendor and any subcontractors providing for the insurance listed above and that such policies are in force. Vendor shall notify Ameren of any Notice received or knowledge acquired by Vendor of any cancellation or threat of cancellation of any policy issued to meet the requirements of this Article 14. Such Notice shall be in writing (by first class mail) given in no less than thirty (30) days from receipt of such Notice or knowledge. Failure to so notify Ameren shall constitute a material breach of this Contract. Upon receipt of Notice or acquiring knowledge of cancellation of any policy issued to meet the requirements of this Article 14, Ameren may terminate this Contract or may prohibit Vendor from proceeding with or completing the Services until such time as Vendor has provided Ameren with a certificate of insurance as required under this provision. Such Notice shall be addressed to: Ameren, Process & Performance (MC 1105), PO Box 66149, St. Louis, Missouri 63166-6149. 9. INDEMNITIES 9.1 Indemnification. 
Vendor will indemnify, defend and hold harmless Ameren and its Affiliates and their respective officers, directors, employees, agents, successors, and assigns, from any and all Losses and threatened Losses arising from, in connection with, or based on allegations of, any of the following: (a) any third party claim resulting from the acts or omissions of Vendor; (b) any claims arising out of or related to Vendor's breach of Section 2.4 (Open Source or Copyleft Licenses); (c) any breach or alleged breach of any representation, warranty or covenant under any of Section 7.7 (Ownership), Section 7.8 (Non-Infringement), and Section 7.9 (Viruses and Disabling Code), including any Losses arising from or in connection with any third party claim to the extent such claim is based on allegations which, if true, would constitute a breach of any such representation, warranty or covenant; and (d) any claims arising out of or related to Vendor's improper termination of this Contract or Vendor's abandonment of its work hereunder. (e) any claim, damage, loss or expense arising from or in connection with any act by a contractor, subcontractor, or employee of Vendor which results in, or is intended by such contractor, subcontractor, or employee to result in malicious access into any of Ameren's systems or data. 9.2 Indemnity. (a) Vendor shall defend, indemnify and save harmless Ameren, its parent, Ameren Affiliates and subsidiaries, and their respective directors, officers and employees (the "Ameren Indemnified Parties"), from and against any and all claims, demands, losses, damages, attorney fees and expenses caused by or resulting from any negligent or willful act or omission of Vendor, its agents, employees, or subcontractors, including consultants, arising out of or in connection with the Services and the Work Product to the fullest extent permitted by law. (b) The above indemnification obligation shall not be limited by virtue of worker's compensation acts, disability benefit acts, or other employee benefit acts in claims made by an employee of the Vendor or any subcontractor. 
(c) Vendor further agrees to defend Ameren Indemnified Parties at Vendor's own cost and expense or, at the sole option of Ameren, to reimburse Ameren for any reasonable cost and expense, including attorneys' fees, which they or either of them may incur or be put to for the defense by them, or either of them, from any such demand, claim or suit.
(d) Vendor shall not be relieved from its obligations hereunder by the fact that Vendor or subcontractor is using equipment owned, leased, or licensed by Ameren and used by Vendor at the time of injury or damage. 9.3 Infringement. If Software becomes, or in Vendor's reasonable opinion is likely to become, the subject of any infringement or misappropriation claim or proceeding, Vendor shall, at its sole cost and expense, in the following order of priority, and in addition to indemnifying Ameren as provided in this Article 9 and to the other rights Ameren may have (a) obtain for Ameren the right and license to continue to use Software for the Term in the manner permitted under this Contract; (b) modify Software in a manner that makes such Software non-infringing while not degrading performance, functionality or quality in any material respect; or (c) replace Software with a compatible, functionally equivalent, and non-infringing product in a manner that does not degrade performance, functionality or quality in any material respect. If none of these actions can be accomplished by Vendor, and only in such event, Vendor, upon return of Software by Ameren, and in addition to indemnifying Ameren as provided in this Article 9 and to the other rights Ameren may have, will refund to Ameren a pro rata portion of the fees paid under this Contract, or ten (10) years, whichever is less. 10. LIMITATION OF LIABILITY 10.1 Limitation of liability (a) EXCEPT AS PROVIDED IN SECTION 10.1(c), IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY PUNITIVE, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES OF THE OTHER PARTY ARISING UNDER OR IN CONNECTION WITH THIS CONTRACT, WHETHER BASED UPON CONTRACT, TORT, BREACH OF WARRANTY OR ANY OTHER LEGAL OR EQUITABLE GROUNDS, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
(b) Except as provided in Section 10.1(c), each Party's total liability to the other Party in connection with this Contract, whether in contract or in tort, shall be limited to the greater of (i) the total charges payable to Vendor for the IT Services or (ii) $100,000.00. (c) The limitations set forth in Sections 10.1(a) and 10.1(b) shall not apply with respect to: (i) claims that are the subject of indemnification pursuant to Article 9, (ii) damages occasioned by the gross negligence or willful misconduct of a Party, (iii) damages occasioned by a Party's breach of Section 6.1 (Confidential Information), (iv) damages occasioned by Vendor's breach of Section 7.9 (Compliance with Ameren Information Technology Standards); (v) damages occasioned by Vendor's breach of Section 6.4 (Safeguarding Personal Identifying Information) or (iv) damages occasioned by a Party's violation of the Intellectual Property Rights of the other Party. 11. TERMINATION 11.1 Termination for Cause. (a) Ameren may terminate this Contract if Vendor breaches any of its material obligations under this Contract, and fails to cure such material breach within fifteen (15) days following written notice from Ameren. (b) Vendor may terminate this Contract only if Ameren breaches any of its material obligations under this Contract, and fails to cure such material breach within fifteen (15) days following written notice from Vendor. 11.2 Section 365(n) of the Bankruptcy Code.
All rights and licenses granted under or pursuant to this Contract by Vendor to Ameren (including any Software License) are, and shall otherwise be deemed to be, for the purposes of Section 365(n) of the United States Bankruptcy Code (the "Bankruptcy Code"), licenses to rights in "intellectual property" as defined under the Bankruptcy Code. As licensee of such rights under this Contract, Ameren shall retain and may fully exercise all of its rights and elections under the Bankruptcy Code. Upon the event of the commencement of bankruptcy proceedings by or against Vendor under the Bankruptcy Code, Ameren shall be entitled to retain all of its rights under this Contract (including the License). 11.3 Termination for Acceptance Test Failure. Ameren may terminate this Contract as provided in Section 5.1 (Acceptance Tests). 11.4 Termination for Convenience Ameren may terminate this Contract without liability for any reason, or no reason, upon sixty days written notice to Vendor. 11.5 Consequences of Termination. (a) Termination of this Contract shall not affect any rights that any Party may have (whether at law or in equity), with respect to any breach of this Contract occurring prior to or following such termination. Upon termination of this Contract, each Party shall promptly return to the other Party the property of the other Party (including documentation, software, equipment, and Confidential Information) which is in each Party's possession or under its control. (b) Upon termination of this Contract, Ameren shall (i) pay all amounts due and owing to Vendor, (ii) remove from Vendor's premises all property owned by Ameren after first providing Vendor notice of its intention to do so, and (iii) return to Vendor all software, access keys and any other property provided to Ameren by Vendor under this Contract. 
(c) In the event of termination or expiration of this Contract for any reason, Vendor shall provide all reasonable assistance requested by Ameren, including the right to extend end date up to (ninety) 90 days, and 1) download all materials on the applicable web site to a medium of Ameren's reasonable and feasible choosing and deliver such materials to Ameren as soon as practicable, 2) at the request of Ameren, return to Ameren all Ameren-supplied content and Ameren data and copies thereof at Ameren's cost, 3) at the request of Ameren, keep the applicable web site publicly accessible for a period of thirty (30) days following the date of termination or expiration of this Contract at the rates in effect immediately prior to such termination or expiration, 4) cooperate with Ameren in assigning a new internet protocol address to the applicable domain name as Ameren may request, and 5) cooperate with Ameren in transferring all operations to Ameren or a third party designated by Ameren. Vendor shall remove all copies of the content, software and Ameren data from its servers within its control. Vendor shall use reasonable efforts to remove any references to Ameren or Ameren-supplied content from any web site within Vendor's reasonable control which caches, indexes, or links to the applicable web site. Exit management assistance provided by Vendor may be subject to a time and materials charge, 6) Vendor will copy Ameren's production database, and any and all other databases, scripts, utilities or files maintained by Vendor on behalf of Ameren, and forward the copies to Ameren on machine-readable magnetic tape in a format acceptable to Ameren. 12. GENERAL 12.1 Choice of Law; Interpretation; Severability. This Contract shall be governed by Missouri law, and shall be deemed to have been executed and performed in the State of Missouri. The parties hereto submit to the exclusive jurisdiction of and venue in the state courts located in St. Louis County, Missouri or the U.S. District Court, Eastern District of Missouri, Eastern Division for purposes of any suit arising hereunder instituted by any party. 
Any party hereto not domiciled in the State of Missouri expressly assents to extra-territorial service of process. The provisions of this Contract shall be interpreted where possible in a manner to sustain their legality and enforceability. The
unenforceability of any provision of this Contract in a specific situation shall not affect the enforceability of that provision in another situation or the remaining provisions of this Contract. The rights and remedies specifically stated herein shall be in addition to and not a limitation of the rights and remedies otherwise available by law. In addition, it is agreed that this Contract is not subject to the Uniform Computer Information Transactions Act (UCITA, formerly the proposed Article 2B of the Uniform Commercial Code) or any version or revision of UCITA. 12.2 Compliance with Laws. In the performance of its obligations under the Contract, Vendor shall comply with all applicable laws, ordinances, rules, regulations, restrictions and requirements of all governmental authorities, (collectively, "Laws") in the rendering Services hereunder, including, but not limited to, those relating to environmental protection and health and safety. Without limiting the foregoing, Vendor will not discriminate against any of its employees, other suppliers' employees, subcontractors' employees, or Ameren's employees, and will not discriminate against any applicant for employment because of race, age, color, religion, sex, national origin, or disability, or because of any other factor protected by applicable law. Vendor will not harass, or permit the harassment of, any person on the basis of his race, age, color, religion, sex, national origin, disability, or any other factor protected by applicable law, and will not participate in creating or tolerating a hostile work environment on Ameren's Premises or an environment which could be perceived as hostile. Vendor agrees to comply with all applicable local, state, and federal laws and statutes, Executive Orders and Regulations relating to non-discrimination in employment. 
Vendor agrees to abide by the following, to the extent applicable to Vendor, its business and this Contract: all federal, state and local prohibitions against discriminating and harassing against any employee for employment because of race, age, color, religion, sex, national origin, disability status, or any other factor protected by applicable law or retaliating against any employee for opposing an unlawful employment practice or because the employee has made a charge, testified, assisted or participated in any manner in an investigation, proceeding or hearing regarding any alleged unlawful employment practice. Vendor further agrees to comply with all applicable Federal Acquisition Regulations (FARs), including FAR Sec. 52.212-3, FAR Sec. 52.212-5, FAR Sec. 52.222.22, FAR Sec. 52.222-25, and FAR Sec. 52.223-13, which are reproduced, in full text, at Internet Address: http://www.acquisition.gov/comp/far/index.html and which are incorporated herein by reference. Ameren is an equal opportunity employer and federal contractor or subcontractor. Consequently, the parties agree that, as applicable, they will abide by the requirements of 41 CFR 60-1.4(a), 41 CFR 60-300.5(a) and 41 CFR 60-741.5(a) and that these laws are incorporated herein by reference. These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. These regulations require that Ameren and its contractors, vendors and suppliers take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, protected veteran status or disability. Certain projects involving federal funding are subject to the provisions under 49 U.S.C. 5323(j) (49 CFR 661) relating to Buy America requirements. 
In the event the Project is identified by Ameren as subject to the Buy America Act, Vendor shall provide a definitive statement of the origin of all iron, steel, and manufactured products permanently incorporated into the Project. The Vendor also agrees to comply with the provisions of Executive Order 13496 (29 CFR Part 471, Appendix A to Subpart A), as applicable, relating to the notice of employee rights under federal labor laws. Vendor and its Subcontractors shall also comply with the requirements of the Federal Energy Regulatory Commission (FERC) Code of Conduct and Standards of Conduct requirements (18 C.F.R. Part 358) with respect to the exchange of Non-Public Market Information between Ameren Corporation's regulated (Missouri) subsidiaries and Ameren's non-regulated (Illinois) subsidiaries. For all contracts involving (i) services associated with Callaway Plant and (ii) equipment purchased for Callaway Plant using an Ameren specification, Vendor agrees to fully comply with all export control regulations with regard to any documents, drawings and other information transmitted to it by Ameren (Information) and certifies that every worker assigned to Ameren for nuclear services under this contract is
legally qualified and eligible to perform such services under such regulations, including, but not limited to, compliant with the U.S. Department of Energy's "deemed export" restrictions, 10 CFR Part 810. Further, Vendor will not disclose any Information received from Ameren, or any product of such Information, directly or indirectly, without the prior written permission of Ameren, to any of the prohibited countries designated in the United States Government regulations as issued from time to time relating to the exportation of technical data, including any computer programs. In the event Vendor performs the Services on Ameren premises, Vendor shall, during the performance of such on-site Services, comply with all of Ameren's rules and policies in effect at the location where the Services are to be performed including, but not limited to, the Ameren Corporation Equal Employment Opportunity and Anti-Harassment Policy, the Ameren Corporation Workplace Violence Policy, Ameren's "Rules to Live By", each of which is available on www.ameren.com/businesspartners, any workplace conduct guidelines and work rules. Vendor will review Ameren's rules and policies with its employees and all Subcontractor employees before they provide Services on Ameren's premises. 12.3 Ameren Corporate Compliance Policy Statement. 
Ameren has adopted certain rules and principles contained in its Corporate Compliance Policy which, among other things: (1) generally prohibits Ameren directors and employees from seeking or accepting, directly or indirectly, personal gain from anyone soliciting or doing business with Ameren (other than for items of nominal or modest value); (2) prohibits directors and employees from knowingly accepting any gifts (even of a modest value) from third parties who are involved in negotiations to do business with Ameren or if the employee is part of a sourcing team; (3) requires the disclosure of a director's or employee's (or of a family member of a director or employee) investment in, or other business relationship with, third parties who do business with, or are involved in negotiations to do business with, Ameren, except those investments or other business relationships which are immaterial to both the employee and the third party; and (4) requires the disclosure of a familial relationship between an Ameren director, executive employee, or an employee who is part of a sourcing team and an employee or director of a third party who does business with, or is involved in negotiations to do business with, Ameren. Vendor agrees that it will report any known attempted or actual violations of the prohibitions contained in paragraphs (1) or (2) above, at any time during the negotiation, execution or performance of any agreement or other business arrangement between the Parties, to Ameren's ethics reporting service which can be reached by calling 1-866-294-5492. Vendor further agrees that it will provide Notice to Ameren of any known business or familial relationships described in paragraphs (3) or (4) above, whether currently existing or which develop during the negotiation, execution or performance of any agreement or other business arrangement between the Parties, pursuant to the requirements of Section 12.10, Notices. 12.4 Continued Performance. 
Each Party agrees to continue performing its obligations under this Contract while any dispute is being resolved unless and until such obligations are terminated by the termination or expiration of this Contract. 12.5 Relationship of the Parties. Vendor is performing the Services as an independent contractor. Vendor has the sole right and obligation to supervise, manage, direct, and perform all work to be performed by its personnel and subcontractors under this Contract. Persons who perform the Services are employees of Vendor (or its subcontractors) and Vendor will be solely responsible for (a) the acts and omissions of all such persons and entities, (b) payment of compensation to such persons and entities, and (c) any injury to such persons in the course of their
employment. Vendor will assume full responsibility for payment of all federal, state and local taxes, withholding or contributions imposed or required under unemployment insurance, social security and income tax laws with respect to such persons and entities. Should Ameren be required to pay any amount to a governmental agency for failure to withhold any amount as may be required by law, Vendor agrees to indemnify Ameren for any amount so paid, including interest, penalties and fines. Vendor is not an agent of Ameren and thus has no authority to represent Ameren as to any matters, except as may be expressly authorized in this Contract. 12.6 No Waiver of Default. No waiver will be effective unless in a writing signed by an authorized representative of the Party against which enforcement of the waiver is sought. Neither the failure of either Party to exercise any right of termination, nor the waiver of any default will constitute a waiver of the rights granted in this Contract with respect to any subsequent or other default. 12.7 Remedies Cumulative. All remedies specified in this Contract will be cumulative and in addition to any other remedies available under this Contract or at law or in equity. 12.8 Publicity. Vendor may not announce or release any information regarding this Contract or its relationship with Ameren without Ameren's express prior written approval (which may be withheld in Ameren's sole discretion). Vendor shall not use any trade name, trademark, service mark or any other information which identifies Ameren or any Ameren Affiliate in Vendor's sales, marketing and publicity activities, including postings to the Internet, interviews with representatives of any written publication, television station or network, or radio station or network without Ameren's express prior written approval. 12.9 Assignment. Vendor will not assign, transfer or otherwise convey or delegate any of its rights or duties under this Contract to any other Party without the prior written consent of Ameren, and any attempt to do so will be void. 
This Contract shall be binding upon the respective successors and permitted assigns of the Parties. 12.10 Notices. All notices, requests and demands, other than routine communications under this Contract, will be in writing and will be deemed to have been duly given when delivered, or when transmitted by confirmed facsimile (with a copy provided by another means specified in this Section 12.11), or one (1) business day after being given to an overnight courier with a reliable system for tracking delivery, or three (3) business days after the day of mailing, when mailed by United States mail, registered or certified mail, return receipt requested, postage prepaid, and addressed as follows: In the case of Vendor to the address set forth in Ameren's Purchase Order, and, in the case of Ameren: Ameren Services Company Attn: [ ] Either Party may from time to time change the individual(s) to receive notices under this paragraph and its address for notification purposes by giving the other prior written notice of the new individual(s) and address and the date upon which the change will become effective. 12.13 Severability. If any provision of this Contract is held invalid by a court with jurisdiction over the Parties to this Contract, such provision will be deemed to be restated to reflect as nearly as possible the original intentions of the Parties in accordance with applicable law, and the remainder of this Contract will remain in full force and effect.
12.14 Third Party Beneficiaries. This Contract is entered into solely between Ameren and Vendor and, except for the Parties' indemnification obligations under Article 9 and the rights of Ameren Affiliates to use the Services, will not be deemed to create any rights in any third parties or to create any obligations of either Ameren or Vendor to any third parties. 12.15 Survival. Any provision of this Contract which contemplates performance subsequent to any termination or expiration of this Contract will survive any termination or expiration of this Contract and continue in full force and effect. 12.16 Entire Contract; Amendments. (a) This Contract contains the entire Contract of the Parties and supersedes all prior Contracts and representations, whether written or oral, with respect to the subject matter of this Contract. Modification or amendment of this Contract or any part of this Contract may be made only by a written instrument executed by authorized representatives of both Parties. In the case of Ameren, only the individual holding the position of Category Manager or a more senior officer at Ameren shall be considered to be an authorized representative of Ameren, authorized to make modifications or amendments to this Contract.
EXHIBIT 1 Definitions When used in this Contract, the terms set forth below shall have the meaning indicated: 1 "Acceptance" shall have the meaning set forth in Section 5.2. 2 "Acceptance Date" shall mean the date of delivery to Vendor of the Acceptance Notice. 3 "Acceptance Notice" shall have the meaning set forth in Section 5.2. 4 "Acceptance Tests" shall have the meaning set forth in Section 5.1. 5 "Additional Acceptance Tests" shall have the meaning set forth in Section. 6 "Affiliate" means, with respect to any entity, any other entity Controlling, Controlled by or under common Control with such entity. 7 "Ameren" shall mean Ameren Services Company, as agent for Ameren Corporation and its subsidiaries. 8 "Contract" shall mean this IT Services Contract, and all schedules, exhibits, and Statements of Work hereto. 9 "Contract Documents" shall mean, collectively, the Ameren Purchase Order, this Contract, the Completed Statement of Work and all other documents identified as "Contract Documents" in one of the foregoing. In the event of a conflict between any of the Contract Documents, the following order shall prevail: (i) the most recent revision of Ameren's Purchase Order, (ii) the Statement of Work, and (iii) this Contract. 10 "Code" shall mean computer programming code contained in Software. If not otherwise specified, Code shall include both Object Code and Source Code. Code shall include Maintenance Modifications and Enhancements licensed by Ameren. 11 "Confidential Information" shall mean any and all data, documentation, methods, processes, materials, and all other information relating to the past, present, and future business of either Party. Confidential Information also includes all information owned by customers, suppliers, or other third parties to whom such Party owes an obligation of confidentiality. 
Confidential Information does not include any information which (i) is already known to the receiving Party at the time it is disclosed to the receiving Party, provided that such prior knowledge can be substantiated by written records and documents or (ii) is or has become generally known to the public through no wrongful act of the receiving Party, or (iii) is obtained by the receiving Party from a third party who has the right, to the best of the receiving Party's knowledge, to disclose the information, or (iv) is or has been approved for release by a written authorization by the disclosing Party, or (v) is independently developed by the receiving Party without use directly or indirectly of the Confidential Information received from the disclosing Party provided that such independent development can be substantiated by written records and documents. 12 13 "Control" and its derivatives mean with regard to any entity the legal, beneficial or equitable ownership, directly or indirectly, of fifty percent (50%) or more of the capital stock (or other ownership interest, if not a corporation) of such entity ordinarily having voting rights. 14 "Correction Notice" shall have the meaning set forth in Section 5.1. 15 "Data Center" shall mean any Vendor building and staff administering the IT Services provided to Ameren including Ameren's proprietary data. 16 "Documentation" shall mean (a) the user manuals, Statements of Work and other written materials (regardless of the medium in which they are stored or displayed) that relate to Software, including (i) the materials identified on Schedule A as Documentation, (ii) the materials identified in any Statement of Work as Documentation and (iii) the specifications, performance standards and other functional requirements set forth on Schedule A, and (b) any and all amendments, modifications and supplements to such user manuals, Statements of Work and written materials. 
17 "Enhancements" shall mean modifications, additions, or substitutions, other than Maintenance Modifications, made to the Code that accomplish incidental, structural, or functional improvements. Enhancements also include all versions and releases of Software subsequent to the Effective Date.
18 "Effective Date" shall mean the date on which Ameren issues a Purchase Order for the IT Services unless an alternate date is set forth in the Contract Documents.
19 "Equipment" means computer hardware and other tangible equipment supplied by the Vendor as part of the IT Services.
20 "Failure Notice" shall have the meaning set forth in Section 5.1.
21 "Implementation" shall mean implementation of Software as provided in Schedule C.
22 "Implementation Services" shall mean Software implementation services to be provided under this Contract.
23 "Include", "includes", and "including" when following a general statement or term, shall mean "include without limitation", "includes without limitation", and "including without limitation".
24 "Intellectual Property Rights" shall mean, on a worldwide basis, any and all: (a) rights associated with works of authorship, including copyrights, moral rights and mask-works; (b) Marks; (c) trade secret rights; (d) patents, designs, algorithms and other industrial property rights; (e) other intellectual and industrial property rights of every kind and nature, however designated, whether arising by operation of law, contract, license or otherwise; and (f) registrations, initial applications, renewals, extensions, continuations, divisions or reissues thereof now or hereafter in force (including any rights in any of the foregoing).
25 "IT Services" or "Services" shall mean, collectively, the Software, Software Maintenance, Hosting and/or Training Services to be furnished by Vendor to Ameren as set forth in a Statement of Work.
26 "Vendor" shall mean to which Ameren issues a Purchase Order for the IT Services set forth herein.
27 "Losses" shall mean all losses, liabilities, damages and claims, and all related costs and expenses (including reasonable legal fees and disbursements and costs of investigation, litigation, settlement, judgment, interest and penalties).
28 "Maintenance Modifications" shall mean modifications, updates, or revisions made by Vendor to the Code that correct errors, support new releases of operating systems, or support new models of input-output devices with which the Code is designed to operate.
29 "Marks" means all trademarks, service marks, trade names, trade dress, symbols, logos, designs, and other source identifiers.
30 "Monthly Recurring Charges" shall mean those fees, if any, owed by Ameren to Vendor on a monthly basis in payment for the IT Services.
31 "Notice of Election" shall have the meaning set forth in Section 9.4.
32 "Object Code" shall mean Code in machine-readable form generated by compilation of the Source Code and contained in a medium that permits it to be loaded into and operated on the specified equipment.
33 "Statement of Work" means a written order, authorization form, or exhibit from Ameren to Vendor for Services (including without limitation any Exhibits and Amendments already in place and executed by both parties), in a form designated by Vendor and signed by both parties.
34 "Party" or "Parties" shall have the meanings set forth in the preamble to this Contract.
35 "Personal Identifying Information" shall mean any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any (1) name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) unique electronic identification number, address, or routing code; or (4) telecommunication identifying information or access device.
36 "Products" shall mean all hardware, software and other equipment necessary to provide the Services.
37 "Project Plan" shall have the meaning set forth in Schedule C.
38 "Service Credits" shall have the meaning set forth in Schedule E.
39 "Software Maintenance Services" shall mean all Maintenance Modifications and Enhancements that are provided to Ameren as set forth in the Statement of Work.
40 "Software Services" shall mean (a) the software product(s) described in the Statement of Work; (b) all Custom Modifications; (c) the Code contained in or otherwise related to each of the foregoing; and (d) the Documentation.
41 "Specification Sheet" means the detailed description for each IT Service, other than IT Services which are attached to or forms a part of a Statement of Work(s).
42 "Statement of Work" shall mean a description of the Services to be provided by Vendor to Ameren as set forth in the Statement of Work attached hereto as Schedule A. The parties may use such other form (including a description of the IT Services set forth in a Purchase Order issued by Ameren) and, in such event, such other form shall be deemed to be the Statement of Work for the IT Services.
43 "Term" shall have the meaning set forth in Section 3.1.
44 "Training" shall have the meaning set forth in Schedule D.
45 "Training Plan" shall have the meaning set forth in Schedule D.
46 "Training Services" shall mean the Training Services to be provided under this Contract.
47 "Warranty Period" shall have the meaning set forth in Section 7.1.
48 "Work Product" shall have the meaning set forth in Schedule E.
SCHEDULE A
Statement of Work Template
1 Description of IT Services: [provide a detailed description of each type of IT Service to be provided]:
a. Software Services:
b. Software Maintenance Services
c. Hosting Services:
d. Training Services:
2 Products [identify each Product that Vendor is to deliver to Ameren]
3 Due Dates: [identify the due date for each IT Service and/or Product]
4 Specifications, Performance Standards, and Functional Requirements: [Include here all of the specifications, performance standards, and functional requirements for the IT Services that are important to Ameren. Be certain to include run and operator response times (if applicable) which are part of the Acceptance criteria discussed in Section 5.1.]
5. Documentation: [Identify here all user manuals and other documentation concerning the Services.]
1. Fees:
For IT Services:
Flat Fees:
Monthly Recurring Charges:
For Enhancements (e.g. custom interfaces, custom functionality):
For Implementation Services:
2. Payment Schedule:
ATTACHMENT A
AMEREN CYBERSECURITY TERMS AND CONDITIONS
These CyberSecurity Terms and Conditions ("Cybersecurity Terms") are issued by Ameren and agreed to by Supplier in connection with Supplier's involvement in one or more of the following:
- Supplying, accessing, or maintaining electronic data, or the IT systems or hardware that store, process, or transmit electronic data, in each case, classified as Ameren Non-public Data.
- Supplying, accessing, or maintaining electronic data, IT systems or hardware related to SCADA, industrial control systems, IT infrastructure, or Ameren's financial systems.
- Supplying, accessing, or maintaining electronic data, IT systems, or hardware that, if not protected, could result in adverse operational, legal, financial, or reputational impact to Ameren, its customers, employees, or shareholders.
In the event a Statement of Work or other Contract Document (as defined below) states a higher standard than that set forth in these Cybersecurity Terms, such higher standard shall prevail over those set forth herein.
Section 1: Definitions
In addition to the definitions contained in the Contract Documents, the following terms shall have the meanings assigned below. Unless otherwise specifically defined, those terms, acronyms, and phrases in this document that are utilized in the IT services industry or other pertinent business context shall be interpreted in accordance with their generally understood meaning in such industry or business context.
Ameren - the applicable Ameren legal entity identified in the Contract Documents or the bill to section of the applicable Purchase Order issued by Ameren to Supplier for the delivery of goods or the performance of services or work as described in the Contract Documents.
Ameren Cybersecurity Supplier Questionnaire - the questionnaire provided by Ameren to Supplier, covering Supplier's information, electronic and other security procedures and practices. Supplier shall not access Ameren IT systems or Non-public Data until review and approval of such Questionnaire by Ameren.
Once approved, any material changes to the information set forth in the Questionnaire that affect the IT infrastructure or systems that impact Ameren systems or electronic data must be approved by Ameren prior to implementation.
Business Continuity - the establishment of processes necessary to ensure that work or services are not interrupted for an extended period of time due to failure of equipment, disaster or other issues. This definition also applies to the terms Continuity of Business and Business Continuation when used in the same context.
Confidential Data - Ameren business data and information intended for use within Ameren or by authorized third parties. The unauthorized disclosure of Confidential Data could adversely impact Ameren, its customers, suppliers, business partners, and/or employees.
Contract Documents means all of the terms and conditions governing the goods to be supplied, or work or services to be performed, by Supplier to or for Ameren, and includes the Purchase Order, all exhibits and appendices thereto, any referenced or included Scopes or Statements of Work or Specifications and/or such other documents as may be agreed to by Ameren and Supplier and issued in connection therewith. The Contract Documents include, without limitation, these Cybersecurity Terms.
Demilitarized Zone (DMZ) - a firewall configuration for securing local area networks (LANs) which uses a physical or logical subnetwork to add an additional layer of security so that an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
Disaster Recovery - the establishment of processes necessary to enable the recovery of vital data, IT infrastructure and systems following equipment failure, natural or human-induced disaster, or other issues.
Factory Acceptance Test (FAT) - A test conducted at the Supplier's premise usually by a third-party to verify operability of a system according to specifications.
Fetch Protection - A system-provided restriction to prevent a program from accessing data in another user's segment of storage.
Highly Confidential Data - Ameren business data and information that is intended for use strictly within Ameren. The unauthorized access to or disclosure of this data would significantly and adversely impact Ameren, its customers, suppliers, business partners, and/or employees.
IT means information technology.
Malware - software used for disrupting computer operation, gathering unauthorized sensitive information, or gaining unauthorized access to computer systems. Malware is commonly taken to include computer viruses, worms, Trojan horses, bots, root kits, spyware, and adware.
Non-public Data - Ameren business data and information in electronic form which is intended for use within Ameren or by authorized third parties, including customer data.
The unauthorized disclosure of Non-public Data could adversely impact Ameren, its customers, suppliers, business partners, and/or employees. Non-public Data includes, without limitation, Proprietary Data, Confidential Data, Highly Confidential Data, and Privacy Data.
Privacy Data means one or more of the following types of data:
a. Cardholder data as defined in the Payment Card Industry (PCI) standards as the credit card account number or Primary Account Number (PAN), cardholder name, card expiration date, and the service code;
b. Electronic Protected Health Information (ePHI) - Any protected personal health information (PHI) which is stored, accessed, transmitted or received electronically;
c. Energy Usage - Electric and natural gas usage data gathered by Ameren's metering systems;
d. Personally Identifiable Information (PII) - Any information that can be used to uniquely identify, contact or locate a single individual. Such information includes, but is not limited to, name, address, telephone number, social security number, tax identification number, resume, financial account information, Ameren account number, birth date, driver's license number, personnel records, personal business, and financial transaction details;
e. Non-public Personal Information as defined in the Gramm-Leach-Bliley Act of 1999; or
f. Protected Health Information (PHI) - Any Health Insurance Portability and Accountability Act (HIPAA) or personal health information that identifies an individual and relates to an individual's past, present or future physical or mental health, the provision of health care to an individual or the past, present or future payment for health care.
Proprietary Data - Non-public Ameren data and information that does not clearly fit into the other data classifications.
Reseller or Value-added Reseller (VAR) - Supplier who sells products and/or services to Ameren as an authorized dealer of the manufacturer. The reseller, also sometimes known as a value-added reseller (VAR), is a company that typically buys products such as computers in bulk from a manufacturer and then "adds value" to the original equipment by including specific software applications or other components.
SCADA (Supervisory Control and Data Acquisition) - Computer systems that monitor and control processes in electric and gas generation or distribution systems.
Site Acceptance Test (SAT) - A test conducted at an Ameren location, often by a third-party, to verify operability of a system according to specifications immediately prior to commissioning.
Supplier - The legal entity identified in the Contract Documents as supplying goods or performing services or work to Ameren. For purposes of this definition, Supplier includes Supplier's representatives, resellers and VAR's.
Supplier's Representatives means the employees, subcontractors, agents, and other representatives of Supplier who are authorized to act on the behalf of Supplier.
Section 2: Data and Systems Protection
A. Supplier will implement and shall, so long as Supplier is in possession of or has access to, Ameren Non-public Data, maintain commercially reasonable physical, procedural, administrative and electronic security measures to protect the confidentiality and integrity of Ameren Non-public Data and the systems that store, process, or transmit such data.
B. Such security measures shall:
(i) comply with all contractual, legal and regulatory requirements,
(ii) be consistent with industry best practices and standards,
(iii) include, without limitation, the use of firewalls, passwords, encryption technology, and physical and electronic access prevention and control procedures and systems, and
(iv) be designed to prevent: (a) unauthorized electronic access to Ameren Non-public Data from any public or private network; (b) unauthorized physical access to any information and technology resources involved in the goods provided or the services or work performed; and (c) interception and manipulation of Ameren Non-public Data during processing or transmission.
C. In addition, Supplier shall:
(i) hold any and all Ameren Non-public Data it obtains in connection with the Contract Documents in strictest confidence, and use and/or permit use of this data solely for the purposes of the Contract Documents;
(ii) disclose or provide access to Ameren Non-public Data, or the systems that store, process, or transmit that data only to authorized Supplier Representatives who have a need to have access to such data in order to provide services under the Contract Documents;
(iii) maintain in effect and enforce throughout the term of the Contract Documents, rules and policies designed to protect against unauthorized physical or electronic access to, or unauthorized use or disclosure of, Ameren Non-public Data and the systems that store, process, or transmit such data by Supplier's Representatives including, without limitation, by written instruction to, and contracts with, Supplier's Representatives to whom Non-public Data is disclosed restricting access to such data and the systems that store, process, or transmit such data;
(iv) not export or share any Ameren Non-public Data provided to it under the terms of the Contract Documents, to any country outside of the United States without the prior written consent of Ameren and demonstration to Ameren's satisfaction of Supplier's capability to meet additional prudent policies and/or protocols to protect such data; and
(v) upon written request from Ameren, return or destroy all of Ameren's Non-public Data, within thirty (30) calendar days. When the data is destroyed, Supplier will provide evidence of such destruction reasonably satisfactory to Ameren, such as a certificate or attestation of the destruction. Destruction of such data will be performed using industry-approved and certifiable methods in a manner appropriate for the data, device, or material type being destroyed, ensuring that the destroyed item(s) cannot be reassembled, reconstructed, or retrieved in any way.
Section 3: System Hardening
1. Supplier shall take commercially reasonable steps to ensure that its IT systems:
a. do not have any system interfaces that would allow it or a user to bypass storage or Fetch Protection, password checking, system/application security, or obtain unauthorized control to Ameren's systems or Ameren Non-Public data;
b. contain no design that would allow it or a user to compromise the host system's operating system;
c. do not have any back doors that may allow unauthorized access to such system;
d. cannot introduce Malware into Ameren's systems;
e. are free from known defects and security vulnerabilities; and
f. have appropriate patches and updates applied within industry-accepted timeframes.
2. In the event that Malware is introduced onto Ameren IT infrastructure, data, hardware, systems or applications by Supplier provided software or hardware, Supplier will promptly provide assistance to Ameren as requested to remove or quarantine such Malware at Supplier's expense.
3. The Supplier shall employ IT system hardening for its devices or systems using industry-standard best practices, tools, and techniques to eliminate as many security risks as commercially possible to Ameren's IT infrastructure, data, hardware, systems, and applications.
Section 4: Secure Coding
1. Code Review
a. All deliverables that include software code or applications shall follow current industry design and best practices, including, but not limited to, those published by the National Institute of Standards & Technology (NIST), the SANS Institute, and other recognized bodies.
b. Supplier shall cooperate with Ameren's review of the relevant systems, software or application deliverables:
i. Prior to implementation or acceptance of a deliverable, Supplier shall subject such deliverable, including its relevant systems, software code and/or scripts, to independent application review in order to validate that all applicable enterprise IT standards and security policies, as well as other specifications set forth in these CyberSecurity Terms or the relevant Contract Documents, have been met.
ii. Such review shall be performed by independent Ameren staff or a third-party vendor subject to appropriate agreement of confidentiality. For purposes of this requirement, "independent" means Ameren staff with no direct reporting relationship between them and the Ameren staff who participated in the development of such deliverables.
2. Functionality
Ameren and Supplier acknowledge and agree that software supplied by Supplier shall operate in accordance with the functionality described in the Contract Documents. If the functionality of the software fails to meet such standards, Supplier shall correct the functionality so that such standards are met, or, in the alternative, license to Ameren a substitute product that meets such standards, in each case, at no additional cost to Ameren.
3. Passwords and Login
In the event that a login name and password is required to access any product or system provided by Supplier which will reside on an Ameren system, Supplier shall ensure the passwords used meet Ameren's password requirements as stated in Ameren's System Access Control Policy, a copy of which shall be provided to Supplier upon its request. Ameren's System Access Control Policy is Ameren Non-public Data and shall be subject to all applicable provisions of these CyberSecurity Terms.
a. Supplier shall provide Ameren access to the product using a secure login and password;
b. Ameren shall have the right to assign a login name and password to any and all Ameren users in its sole discretion; and
c. Ameren shall be responsible for maintaining any and all login names and passwords during the term of the Contract Documents.
4. Temporary Keys
If Supplier uses software product authorization codes ("keys") embedded in its product, Supplier agrees that the expiration of such codes will not result in processing disruptions. These codes will be soft stop in nature (i.e., display warning messages only).
Section 5: Patch Management
Supplier shall support Ameren's patch and configuration management program, including ensuring all relevant patches, system updates, and bug fixes are implemented on systems, applications, and networks under Supplier's care throughout the term of the Contract Documents and so long thereafter as Supplier is in possession of, or has access to, Ameren Non-public Data or its systems.
For systems provided by Supplier that are under Ameren's care, Supplier shall provide to Ameren, as soon as commercially practicable, all relevant patches, system updates and upgrades, bug fixes and related management services (including the development or acquisition, testing, and installation of relevant patches, updates and bug fixes). Supplier shall maintain current knowledge of available patches, updates and bug fixes; aid Ameren in determining which patches, updates and bug fixes are appropriate for installation on particular systems; and ensure that patches, updates and bug fixes provided by Supplier are: (i) installed properly, (ii) system tested after installation, and (iii) appropriately documented, including all associated procedures, such as specific required configurations. Supplier shall also:
1. support industry patch releases and provide documentation of patch, update and bug fix management and update processes;
2. verify and provide documentation demonstrating that all appropriate patches, updates and patches have been installed either prior to, or as soon as reasonably practical after, they become available; and
3. promptly provide to Ameren detailed information with respect to the severity of any and all known vulnerabilities in its products so the criticality of a patch can properly be assessed.
Section 6: Network Partitioning
Supplier shall ensure the security of any of its network connections to, partitions of, and all other interfaces with, Ameren networks. Supplier shall:
1. document secure network architecture where the higher-security zones originate communication to less-secure zones;
2. document the design for all communication paths between networks of different security zones through a DMZ;
3. verify and document that disconnection points are established between network partitions and provide the methods to isolate subnets to continue limited operations;
4. document tailored filtering and monitoring rules for all security zones and alarm for unexpected traffic;
5. document outbound filtering and alarms for unexpected traffic through security zones;
6. define all sources and destinations with enforced communication origination even during restart conditions between security zones;
7. document dual DMZ architectures using different products performing the same functionality running in parallel; and
8. document a mechanism for patching a single DMZ architecture running in a parallel configuration without disruption to other DMZs running in parallel.
Post-contract award, the Supplier shall provide network architecture documentation.
Section 7: Disaster Recovery and Business Continuity
1. Supplier shall, if responsible for maintaining, hosting or storing of Ameren electronic data, software applications or IT systems, establish and maintain Business Continuity and Disaster Recovery policies and procedures to ensure Supplier's ability to continue performance of contracted work or services and where necessary, the restoration of applicable electronic data, applications or systems. The Supplier shall ensure these activities are in compliance with the Business Continuity and Disaster Recovery requirements of the supported Ameren business.
2. Supplier's Business Continuity and Disaster Recovery policies and procedures shall be in place prior to commencement of its performance of work or services and such policies and procedures shall include, but not be limited to, recovery strategy and documented and tested recovery plans covering all operations necessary for Supplier's performance of its work or services, including vital records protection.
3. Supplier's Disaster Recovery and Business Continuity plans shall provide for secure off-site backup of data files, program information, software, documentation, forms and supplies critical to the performance of its work or services, as well as alternative means of transmitting and processing such information.
a. Supplier's Disaster Recovery and Business Continuity strategy shall address both short and long term disruptions in facilities, environmental support, and data processing equipment. Although short term outages may be protected with redundant resources and network diversity, Supplier's documented long term Disaster Recovery and Business Continuity strategy shall cover total disruption of Supplier's business operations for a period of six (6) months or longer.
b. Supplier shall use commercially reasonable means to establish Disaster Recovery and Business Continuity objectives (time to full restoration and amount of lost data tolerated) that meet the Business Continuity and Disaster Recovery requirements of the supported Ameren business.
c. Supplier shall continue to provide its contracted work or services to Ameren in the event Ameren activates its own Disaster Recovery and Business Continuity plans, including moving operations to interim location(s), and during Ameren's tests of its contingency operations plans. Supplier shall be reimbursed for any additional reasonable and actual costs incurred as a result of the foregoing.
d. If Supplier provides electronic interchange of data with Ameren, Supplier shall participate, if requested in writing by Ameren, in an annual Ameren data center exercise to validate recovery connectivity.
e. Supplier must provide evidence of its capability to meet any applicable regulatory requirements related to Disaster Recovery and Business Continuity.
Section 8: Industry, Regulatory or Legal Standards
In addition to its obligations under the Contract Documents, Supplier shall adhere to all regulatory requirements applicable to the goods provided, or services or work performed, by Supplier including, without limitation, as applicable, the Nuclear Regulatory Commission (NRC) regulations, the NERC Cyber Security Policy, including its Critical Information Protection (CIP) Standards, the Payment Card Industry (PCI) Standards, Sarbanes Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), IEC 62443, ISO 27001-2, and any other applicable Federal, state, or local regulatory requirement using an information security standards-based framework.
Section 9: Audits and Third Party Reviews
1. Supplier shall provide to Ameren, within fourteen (14) business days of its issuance, the results of each audit or third party attestation or report of Supplier's security measures with respect to electronic data at all facilities where Ameren Non-public Data is stored or accessed during the performance of the work or services under the Contract Documents, regardless of the location of such facilities.
a. Supplier consents to the provision of copies of such report or attestation by Ameren to applicable regulators.
b. The report or attestation shall contain Supplier's management's response to the exception comments, if any are noted, together with appropriate target dates for completion of recommended or required changes.
c. In addition to the foregoing, Ameren may, at Ameren's cost and expense, require Supplier to have such an audit or third party attestation performed by a mutually agreed independent, recognized accounting or consulting firm. Such audits or third party attestation shall commence within a reasonable period of time as mutually agreed to by the parties, or if not mutually agreed, within five (5) business days of Ameren's delivery of notice to Supplier.
2. Supplier shall provide reasonable assistance to Ameren in meeting Ameren's audit and regulatory requirements relating to electronic data and system security, including:
a. providing auditors and examiners access to relevant books, records, and Ameren Non-public Data in Supplier's possession;
b. permitting auditors and examiners to inspect and audit Supplier's relevant operations; and
c. permitting auditors and examiners to conduct reviews after any security breach experienced by Supplier that has resulted, or is reasonably likely to result, in an unauthorized use or disclosure of Ameren Non-public Data, or the systems that house or handle such data.
All inspections, examinations, and audits shall be reasonable in scope and duration and will be conducted, to the extent possible, so as to minimize any interference with Supplier's normal business operations.
Section 10: Personnel
1. Training - Upon request, Supplier will provide summary documentation attesting that its workforce has received position-appropriate cybersecurity training, including general training for all members of its workforce and specialized training for its personnel performing work or services covered by these CyberSecurity Terms.
2. Background checks - Supplier will conduct or cause to be conducted (by contract or otherwise) criminal background checks on Supplier personnel to be assigned responsibilities that may allow such person to compromise Ameren Non-public Data, or the systems that house or handle such data, or as required by law.
3. Foreign Nationals - Supplier warrants and represents that: (i) it is not a Specially Designated National as defined from time to time in regulations issued by the Office of Foreign Asset Control of the United States Department of the Treasury, and (ii) it will not employ or subcontract the performance of any of its obligations under the Contract Documents to any person who is a Specially Designated National.
Section 11: Breach Notification
1. Supplier shall immediately notify Ameren of: (i) any unauthorized possession, unauthorized disclosure, or unauthorized use, loss, or any other potential corruption, compromise, or destruction, of any Ameren Non-public Data, or the systems that house or handle such data; (ii) the results and effect of such event; and (iii) the corrective action taken in response thereto.
2. Supplier acknowledges that Ameren may be required to notify its customers, regulators, and/or employees of such security incidents and agrees to assist and cooperate with Ameren, at Supplier's expense, with any investigation, disclosures to affected parties, and other remedial measures, in each case, as reasonably requested by Ameren or required by any applicable regulations or privacy laws.
Ameren reserves the right to maintain a database of Supplier's or a Supplier Representative's breaches or incidents requiring the need for a notification as described herein, and to cancel any existing Contract with Supplier for a breach by Supplier or a Supplier Representative of any of the requirements of these CyberSecurity Terms, or related to an incident as described in this Section.
3. After the occurrence of any event described in Section 11(A)(i), Supplier agrees that it shall provide notice of such event directly to the affected parties only after Ameren's prior review and written consent or to the extent required by applicable privacy laws. If disclosure is required by applicable privacy laws, Supplier shall provide Ameren with a copy of any such notice no less than three (3) business days (or such lesser amount of time as is possible under the circumstances) prior to providing it to the affected parties.
Section 12: Indemnification, Liability, and Insurance
1. Notwithstanding any other provisions of the Contract Documents, the Supplier shall indemnify, hold harmless, pay defense costs, and, upon Ameren's request, defend Ameren and its officers, directors, employees, parent companies, agents, representatives, subsidiaries, affiliates, successors, and assigns (collectively, "Ameren Parties") against:
a. any third party claims, damages, or losses resulting from any breach, or nonperformance by Supplier or any Supplier Representative of Supplier's obligations under these CyberSecurity Terms;
b. any claims, damages, or losses of any Ameren Party resulting from any breach or nonperformance by Supplier or any Supplier Representative of Supplier's obligations under these CyberSecurity Terms;
c. any claims, damages, or losses resulting from the negligent acts or omissions of Supplier associated with Supplier's involvement, or the involvement of any Supplier Representative, with:
- Supplying, accessing, or maintaining data or the systems that store, process, or transmit data classified as Ameren Non-public Data.
- Supplying, accessing, or maintaining data or systems related to SCADA, industrial control systems, IT infrastructure, key customer, or key financial systems.
- Supplying, accessing, or maintaining data or systems that, if not protected, could result in adverse operational, legal, financial, or reputational impact to Ameren, its customers, employees, or shareholders; and
d. claims by governmental authorities for actual or alleged failure of Supplier or any Supplier Representative to comply with any local, state or federal laws or regulations, including but not limited to, privacy laws.
2. The Ameren Parties' right to indemnification or recovery pursuant to Section 12(A) shall include reimbursement for the reasonable, actual costs, losses and expenses incurred by the Ameren Parties, including without limitation, reasonable third-party fees and expenses (including attorneys and consultants).
3. In the event of a claim pursuant to Section 12(A), and to the extent resulting therefrom, Supplier shall be responsible for the cost of all required notifications, credit monitoring services, or other corrective action provided to affected third parties.
4. Supplier shall, in addition to any other insurance coverage required by the Contract Documents, carry Cyber Liability or Network Liability Insurance, in form and substance reasonably satisfactory to Ameren, and in accordance with the Tier Level assigned by Ameren to the Contract based on Supplier's response to the Ameren Cybersecurity Supplier Questionnaire as shown below:

Tier Level    Cyber Liability or Network Liability Insurance Requirement
1             Limits not less than $5,000,000 *
2             Limits not less than $5,000,000 *
3             Limits not less than $1,000,000
4             Not required

* Ameren reserves the right to require additional Cyber Liability or Network Liability Insurance limits depending on the scope of the project.
ATTACHMENT B
AMEREN SUPPLIER BILLING INSTRUCTIONS

Ameren pays invoices according to agreed-upon terms. Following the invoicing guidelines below will help support on-time payment. Exceptions usually delay payment.

Purchase Order Requirement
Ameren must ensure purchases of goods and services are properly authorized, accounted for and comply with internal policies. As a result, purchase orders (POs) are required for all transactions unless they fall into one of the following exempt categories:
- Transactions with civic, governmental or financial organizations
- Purchases of most utility services, transportation/freight, insurance, legal or legislative services, fuels, security, human resource services or real estate
- Invoices paid with a Visa corporate credit card, where appropriate

Invoice submission methods, in order of preference

1. Oracle iSupplier Portal
Oracle iSupplier Portal offers a web-based tool for the delivery, acknowledgement and printing of POs as well as an easy tool for invoice submission. Users may also view the status of invoices previously submitted.
iSupplier Portal invoicing requirements:
- Valid Ameren PO
- May only be used to submit invoices if the related PO was delivered via iSupplier Portal
- The supplier submitting the invoice must match the supplier named on the PO. For example, subcontractors cannot submit an invoice against a PO issued to contractor.
- Unit of measurement (UOM) must match the PO
- Invoice charges may not exceed two decimal places (no fractional cents)
- iSupplier Portal may not be used to submit invoices that were already paid by credit card
- For multi-line POs, invoice charges must be submitted against the correct PO line. Charging the incorrect PO line may cause delayed payment.
For additional information or to request training please contact process_performance@ameren.com with iSupplier Portal Registration Inquiry in the subject line.

2. Oracle Contractor Cost Tracking Module (CCTM)
CCTM provides select services suppliers with the ability to:
- Maintain electronic rate cards with negotiated labor/equipment rates. Upon approval, rate cards are the basis for all labor and equipment charges.
- Submit time cards electronically detailing charges for labor, equipment, material and expenses. Most commonly, time cards detail actual hours and expenses incurred. However, CCTM also allows for fixed price time card reporting.
CCTM time card entry requires a valid CCTM contract, along with an approved rate card, and a PO referencing the contract number. Approved time cards create invoices for payment, and suppliers can view invoice status in iSupplier Portal. Suppliers must submit CCTM time cards using only the CCTM application (do not submit using other methods).
For additional information or to request training please contact processperformance@ameren.com with CCTM Registration Inquiry in the subject line.

3. Email
Invoices not submitted by iSupplier Portal or CCTM should be emailed to one of two automated email addresses, depending on whether a PO is required.
PO required (see above): AccountsPayablePOInvoices@Ameren.com
PO not required (see above): AccountsPayableNonPOInvoices@Ameren.com

Follow these guidelines to help ensure invoices are processed as efficiently as possible:

DO
- Include the following on the invoice:
  - Valid PO number, release number and PO line item number(s), if applicable
  - Ameren legal entity being billed
  - Remit-To name (must match the PO supplier name)
  - Invoice number, invoice date and amount due
  - Payment terms (must agree to the related PO terms)
  - Description, unit price, and quantity
  - Ameren stock number, if applicable
  - Unit of Measure
  - Ameren individual requesting the goods or services
  - Freight/transportation tracking information, if applicable
- Submit invoices in .pdf format only (Word, Excel or other formats not accepted)
- Submit one invoice (including supporting documents, comments & special instructions) per .pdf file. Multiple .pdf files may be attached to one email.
- Include charges for only one PO or PO release per invoice
- Submit invoices only once
- Identify tax, freight or miscellaneous charges individually on an invoice. Ensure they are included on the same invoice as the charges to which they pertain. Miscellaneous charges must include a detailed description with supporting documentation attached.

DON'T
- Do not invoice debit and credit amounts on the same invoice. Credit memos must be invoiced separately.
- Do not submit invoices if they have already been paid with a credit card or by a third party
- Do not submit price quotes or pro forma invoices
- For a clearer image, do not use a highlighter on invoices
- Do not invoice greater quantities than what was ordered per PO

Invoices not submitted electronically or by email must follow the above requirements and should be submitted on white 8½ x 11 paper to Ameren Accounts Payable, Mail Code 230, PO Box 66892 St. Louis, MO 63166-6892. Invoices that Ameren is unable to process for any reason will be returned by U.S. mail with an explanatory letter.

Other Important Information
Invoices from Suppliers Organized Outside the United States*
Suppliers organized outside the United States must include the following information on invoices in order to determine any IRS withholding and reporting requirements:
- A line stating the dollar amount pertaining to services performed or to be performed.
  - Examples of services include (but are not limited to) warranties & maintenance agreements, even if included in the price of the good, software support, memberships and subscriptions.
- The country in which any services were performed or will be performed. If performed both inside and outside the United States, an allocation of the charges must be made to each country in which the services were performed.
*A supplier is considered to be organized outside the United States if the entity or individual was required to submit the applicable IRS Form W-8 at the time of supplier set-up.

Freight Charges (Non-Parcel)
If freight charges apply, shippers must ship freight collect unless the Terms & Conditions provide otherwise. Ameren utilizes Logistics Planning Services (LPS) as its agent for transportation and freight payment services for all domestic and international shipments to or from any Ameren location. Refer to the Ameren PO for specific instructions or contact the Ameren buyer. Freight invoices must be mailed to:
Ameren c/o LPS
731 Bielenberg Dr., Ste 108
Woodbury, MN 55125
For shipment routing inquiries go to http://www.keyship.net/ameren or call 877.KEY.SHIP (539.7447). The Ameren PO must be referenced on the Bill of Lading.

Lien Waivers & Retainage
A PO issued for construction services or materials may include lien waiver and/or retainage requirements in the Terms & Conditions. If applicable:
Lien Waivers - Failure to include fully completed lien waiver documentation with the invoice will result in delayed payment.
Retainage - Avoid common mistakes by clearly identifying the following on invoices:
- Gross amount of the invoice for work completed during the current billing period.
- Retention amount
- Net amount due
To request release of retainage previously withheld, submit the request using iSupplier Portal or submit an invoice to the appropriate Ameren contact. Do not submit a request for retainage release to Accounts Payable.

Method of payment
Ameren pays suppliers electronically by Visa credit card or by ACH (direct deposit).

Ameren is here to help!
For invoice and payment inquiries, contact AccountsPayable@ameren.com or Ameren's Supplier Hotline at 314.554.4468. For PO inquiries, contact the appropriate Ameren buyer or field representative directly.