Order Form

Order ID: Q-10694760

Contact your representative jacob.stine@thomsonreuters.com with any questions. Thank you.

Sold To Account Address (“Customer”)
Account #: 1005759584
RENTON CITY ATTYS OFFICE
1055 S GRADY WAY
RENTON WA 98057-3232 US

Shipping Address
Account #: 1005759584
RENTON CITY ATTYS OFFICE
1055 S GRADY WAY
RENTON WA 98057-3232 US

Billing Address
Account #: 1005759584
RENTON CITY ATTYS OFFICE
1055 S GRADY WAY
RENTON, WA 98057-3232 US

This Order Form is a legal document between Customer and
A. West Publishing Corporation to the extent that products or services will be provided by West Publishing Corporation, and/or
B. Thomson Reuters Enterprise Centre GmbH to the extent that products or services will be provided by Thomson Reuters Enterprise Centre GmbH.

A detailed list of products and services that are provided by Thomson Reuters Enterprise Centre GmbH and current applicable IRS Certification forms are available at: https://www.tr.com/trorderinginfo

West Publishing Corporation may also act as an agent on behalf of Thomson Reuters Enterprise Centre GmbH solely with respect to billing and collecting payment from Customer. Thomson Reuters Enterprise Centre GmbH and West Publishing Corporation will be referred to as “Thomson Reuters”, “we” or “our,” in each case with respect to the products and services it is providing, and Customer will be referred to as “you”, or “your” or “Client”.

For Federal Customers the following shall apply: Thomson Reuters General Terms and Conditions (available here: http://tr.com/federal-general-terms-and-conditions) apply to the purchase and use of all products, except print, and together with any applicable Product Specific Terms (set forth below) are incorporated into this Order Form by this reference.
In the event that there is a conflict of terms among the General Terms and Conditions, the Product Specific Terms and this Order Form, the order of precedence shall be Order Form, the Product Specific Terms, and last the General Terms and Conditions.

For non-federal customers the following shall apply: Thomson Reuters General Terms and Conditions (http://tr.com/us-general-terms-and-conditions) apply to the purchase and use of all products, except print, and together with any applicable Product Specific Terms (set forth below) are incorporated into this Order Form by this reference. In the event that there is a conflict of terms among the General Terms and Conditions, the Product Specific Terms and this Order Form, the order of precedence shall be Order Form, the Product Specific Terms, and last the General Terms and Conditions.

ProFlex Products
See Attachment for details

Material # | Product | Monthly Charges | Minimum Terms (Months)
40757482 | West Proflex | $1,732.03 | 36

Bridge Products

Material # | Product | Quantity | Unit | Bridge Monthly Charges | Bridge Term (Months)
40757482 | West Proflex | 1 | Each | $829.08 | 1

Bridge Terms
Bridge Monthly Charges begin on the date we process your order and will be prorated for the number of days remaining in the calendar month, if any. The Bridge Monthly charges will continue for the number of complete calendar months listed in the Bridge Term column above and will be in addition to the Monthly Charges and Minimum Term outlined above. At the end of the Bridge Term, your Monthly Charges and the Minimum term will begin on the first full calendar month following the Bridge Term as described in the Product grid above. All other terms and conditions of the Order Form remain unchanged. For purposes of clarification, your total Term will be the Bridge Term plus the Minimum Term.
Minimum Terms
Your subscription is effective upon the date we process your order (“Effective Date”) and Monthly Charges will be prorated for the number of days remaining in that month, if any. Your subscription will continue for the number of months listed in the Minimum Term column above plus any Bridge Term that may be outlined above counting from the first day of the month following the Effective Date. Your Monthly Charges during the first twelve (12) months of the Minimum Term are as set forth above. If your Minimum Term is longer than 12 months, then your Monthly Charges for each year of the Minimum Term are displayed in the Attachment to the Order Form.

CAG-25-360

Post Minimum Terms
Your subscription will automatically renew at the end of the Minimum Term for successive 12-month renewal terms (each, an "Automatic Renewal Term"), unless either party provides written notice of its intent to not renew at least 30 days prior to the beginning of an Automatic Renewal Term. We will notify you of any change in the Annual Charges at least 60 days before each Automatic Renewal Term begins. Submit your notice of nonrenewal to: https://www.thomsonreuters.com/en-us/help/account-management/legal/orders/request-a-subscription-cancellation.html or via postal mail to Customer Service, 2900 Ames Crossing Rd, Eagan, MN 55121. For Federal government subscribers that chose a multi-year Minimum Term, those additional years will be implemented at your option pursuant to federal law.

Banded Product Subscriptions. You certify your total number of attorneys (full-time and part-time partners, shareholders, associates, contract or staff attorneys, of counsel, and the like), corporate users, personnel or full-time-equivalent students is indicated in this Order Form. Our pricing for banded products is made in reliance upon your certification.
If we learn that the actual number is greater or increases at any time, we reserve the right to increase your charges to the market rate for all of your attorneys.

Miscellaneous

Material Change. If, at any time during the Minimum Term or the Renewal Term, there is a material change in your organizational structure including, but not limited to merger, acquisitions, combination, significant increase in the number of attorneys at a location covered by the agreement, divestitures, downsizing or dissolution, we will modify your rates proportionally. If you acquire the assets of, or attorneys from, another entity that is a current subscriber, you assume all obligations under the agreements that apply to those assets and attorneys, and you will pay the invoiced charges on both those agreements as they become due, until a superseding agreement is negotiated in good faith.

Charges, Payments & Taxes. You agree to pay all charges in full within 30 days of the date of invoice. You are responsible for any applicable sales, use, value added tax (VAT), etc. unless you are tax exempt. If you are a non-government customer and fail to pay your invoiced charges, you are responsible for collection costs including attorneys' fees.

Excluded Charges And Schedule A Rates. If you access products or services that are not included in your subscription you will be charged our then-current rate (“Excluded Charges”). Excluded Charges will be invoiced and due with your next payment. For your reference, the current Excluded Charges schedules are located in the below link. Excluded Charges may change from time-to-time upon 30 days written or online notice. We may, at our option, make certain products and services Excluded Charges if we are contractually bound or otherwise required to do so by a third party provider or if products or services are enhanced or if new products or services are released after the effective date of this ordering document.
Modification of Excluded Charges or Schedule A rates is not a basis for termination under paragraph 9 of the General Terms and Conditions.
https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/other/plan-2-pro-govt-agencies.pdf
http://static.legalsolutions.thomsonreuters.com/static/agreement/plan-2-pro-govt-agencies.pdf

eBilling Contact. All invoices for this account will be emailed to your e-Billing Contact(s) unless you have notified us that you would like to be exempt from e-Billing.

Product Specific Terms

Document Intelligence Product Specific Terms: The following product specific terms shall apply to the Document Intelligence products on this order form, and are incorporated by reference: http://www.thomsonreuters.com/document-intelligence-PST.

Additional Terms for Services with Generative AI Skills: The following additional terms shall apply to Thomson Reuters Services with Generative AI Skills (including but not limited to all CoCounsel branded Products; all Products with AI Assisted Research; Westlaw Advantage; Practical Law or Practical Law Connect, with Dynamic Tool Set; Practical Law UK Premium; Practical Law Global Premium; HighQ), listed on this Order Form, and are incorporated into this Order Form by reference: http://tr.com/genai-terms.

CoCounsel Core and CoCounsel Drafting Product Specific Terms: The following product specific terms shall apply to CoCounsel Core and CoCounsel Drafting and are incorporated into this order form by reference: http://tr.com/cocounselcore-and-drafting-product-specific-terms.

Product Specific Terms and Service Levels: The following product specific terms and service levels shall apply to the HighQ products on this order form, and are incorporated by reference:
- HighQ Product Specific Terms http://tr.com/HighQ-PST
- HighQ Service Levels: Thomson Reuters shall provide service availability, maintenance and support for the term of the Agreement. Details are available at: http://tr.com/HighQ-SLA.
Note that Section 3.3 of the SLA does not apply to any HighQ Light packages.

The Federal Product Specific Terms can be found here: http://tr.com/federal-product-specific-terms

Product Specific Terms. The following products have specific terms which are incorporated by reference and made part of this Order Form if they apply to your order. They can be found at https://static.legalsolutions.thomsonreuters.com/static/ThomsonReuters-General-Terms-Conditions-PST.pdf. If the product is not part of your order, the product specific terms do not apply.
- Campus Research
- Hosted Practice Solutions
- ProView eBooks
- Time and Billing
- West km Software
- West LegalEdcenter
- Westlaw
- Westlaw Doc & Form Builder
- Westlaw Paralegal
- Westlaw Patron Access
- Westlaw Public Records

Drafting Tools Product Specific Terms: The following product specific terms shall apply to the Drafting Tools products (Drafting Assistant, Clause Finder, Clause Finder: Internal Agreements) on this order form, and are incorporated by reference: https://www.thomsonreuters.com/draftingassistant-and-clausefinder-pst.

Additional clause applicable to: Westlaw Advantage, Practical Law Dynamic Tool Set, CoCounsel Essentials, Westlaw Advantage with CoCounsel Essentials, Practical Law with Dynamic Tool Set with CoCounsel Essentials, CoCounsel Legal: During the term of this Agreement, Thomson Reuters may in its sole discretion issue updates, upgrades, patches, enhancements, or improvements that it makes generally available to its customers at no additional charges (collectively "Upgrades"). For the avoidance of doubt, Upgrades do not include (i) new services that are developed or acquired by Thomson Reuters or (ii) services or functionalities for which there are royalty requirements or licensing restrictions.
Where your Service includes Westlaw Advantage and/or Practical Law Dynamic Tool Set, these Upgrades do not include access to additional or new content sets beyond those you have subscribed to as part of the Service.

Acknowledgement: Order ID: Q-10694760

Signature of Authorized Representative for order
Title: Mayor
Printed Name: Armondo Pavone
Date: 12/29/2025

This Order Form will expire and will not be accepted after 3/21/2026.

Attest:___________________________________
Jason Seth, City Clerk

Attachment

Order ID: Q-10694760

Contact your representative jacob.stine@thomsonreuters.com with any questions. Thank you.

Payment, Shipping, and Contact Information

Payment Method:
Payment Method: Bill to Account
Account Number: 1005759584
This order is made pursuant to:

Shipping Information:
Shipping Method: Ground Shipping - U.S. Only

Order Confirmation Contact (#28)
Contact Name: MOLONEY, Shane
Email: smoloney@rentonwa.gov

eBilling Contact
Contact Name: Shane MOLONEY
Email: smoloney@rentonwa.gov

ProFlex Multiple Location Details

Account Number | Account Name | Account Address | Action
1005759584 | RENTON CITY ATTYS OFFICE | 1055 S GRADY WAY RENTON WA 98057-3232 US | New

ProFlex Product Details

Quantity | Unit | Service Material # | Description
1 | Each | 40757482 | West Proflex
11 | Attorneys | 42077868 | Westlaw Multi-State Analytical, Enterprise access, Government
11 | Attorneys | 43482985 | CoCounsel Legal, National Primary, Enterprise Access, Government

Account Contacts

Account Contact First Name | Account Contact Last Name | Account Contact Email Address | Account Contact Customer Type Description
Melissa | CARASA | mcarasa@rentonwa.gov | EML PSWD CONTACT

Lapsed Products

Sub Material | Active Subscription to be Lapsed
40757481 | West Proflex

Charges During Minimum Term

Material # | Product Name | Year 1 Charges per Billing Freq | % incr Yr 1-2* | Year 2 Charges per Billing Freq | % incr Yr 2-3* | Year 3 Charges per Billing Freq | % incr Yr 3-4* | Year 4 Charges per Billing Freq | % incr Yr 4-5* | Year 5 Charges per Billing Freq | Billing Freq
40757482 | West Proflex | $1,732.03 | 7.00% | $1853.27 | 7.00% | $1983.00 | N/A | N/A | N/A | N/A | Monthly

Charges During Minimum Term
Pricing is displayed only for the years included in the Minimum Term. Years without pricing in above grid are not included in the Minimum Term. Refer to your Order Form for the Post Minimum Term pricing. Refer to Order Form for Billing Frequency Type.

Third party provider terms | Thomson Reuters https://www.thomsonreuters.com/en/resources/third-party-restrictions/g... 10/29/2025, 2:02 PM
Third party provider terms | Thomson Reuters https://www.thomsonreuters.com/en/resources/third-party-restrictions 10/29/2025, 1:57 PM

Thomson Reuters Data Security Addendum Version 2.0 Last Modified: November 3, 2023

THOMSON REUTERS DATA SECURITY ADDENDUM

Addendum amends the Agreement between Thomson Reuters and Customer and sets out the obligations of both parties regarding the security of Your Data in connection with the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum will take precedence only with respect to the security of Your Data. Customer will be the same as Agreement.

1. INFORMATION SECURITY PROGRAM

1.1 Thomson Reuters will maintain an information security program that adopts the International Organization for Standardization (ISO/IEC 27002:2013) and/or the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
The program will include, but is not limited to, the following components:
(i) Information security policy framework;
(ii) Program documentation;
(iii) Auditable controls;
(iv) Compliance records; and
(v) Appointed security officer and information security personnel.

1.2 Thomson Reuters will establish and maintain information security policies designed to protect the confidentiality and integrity of Your Data hosted in the Services, which will include the following:
(i) Policies to restrict access to Your Data only to authorized Thomson Reuters personnel and subcontractors;
(ii) Policies requiring the use of user IDs, passwords, and multi-factor authentication to access Your Data;
(iii) Policies requiring connections to the internet to have commercially reasonable controls to help detect and terminate unauthorized activity prior to the firewall maintained by Thomson Reuters;
(iv) Policies requiring performance of periodic vulnerability assessments;
(v) Policies for the use of anti-malware and patch management controls to help protect against virus or malware infection and exploitation of security vulnerabilities; and
(vi) Policies and standards for the use of auditable controls that record and monitor activity.
1.3 Thomson Reuters will train and communicate to Thomson Reuters personnel its defined information security principles and information security policies and standards in accordance with the following:
(i) Applicable Thomson Reuters personnel will be required to take training, both at hire and on a regular basis, in information security practices and the correct use of information processing facilities to minimize possible security threats;
(ii) Applicable Thomson Reuters personnel will be instructed to report any observed or suspected threats, vulnerabilities, or incidents to our Security Operations Center; and
(iii) Thomson Reuters information security personnel will be made aware of reported information security threats and concerns and will support the Thomson Reuters information security policy in the course of their normal work.

1.4 Thomson Reuters will be responsible for its personnel's compliance with the terms of the Agreement and with Thomson Reuters standard policies and procedures. Thomson Reuters will maintain a disciplinary process to address any unauthorized access, use, or disclosure of Your Data by any Thomson Reuters personnel.

1.5 Thomson Reuters will maintain a formal plan for incident response to promptly respond to suspected or confirmed breaches of Your Data in accordance with regulatory and legal obligations.
1.6 Thomson Reuters policy with respect to user IDs and passwords for Thomson Reuters personnel accessing Thomson Reuters systems includes, but is not limited to, the following components:
(i) Each user has a unique account identifier or user ID;
(ii) Each user ID or account is assigned a password;
(iii) User IDs are added, modified, and deleted in accordance with Thomson Reuters-approved account management processes;
(iv) Verification of user identity before password resets;
(v) Passwords must conform to defined criteria that included length, complexity requirements and limitations on reuse;
(vi) User IDs, passwords and tokens are not shared or used by anyone other than the user to whom it was assigned;
(vii) Temporary or default passwords are set to unique values and changed after first use;
(viii) User ID password changes are required at least every ninety (90) days;
(ix) Failed and repeated access attempts are locked for a reasonable and appropriate duration;
(x) Idle sessions are locked after a commercially reasonable period of time; and
(xi) User IDs are disabled after personnel termination.

2. DATA SECURITY CONTROLS

2.1 Application Strategy, Design, and Acquisition.
(i) Thomson Reuters will inventory applicable applications and network components and assess their business criticality.
(ii) Thomson Reuters will review critical applications regularly to ensure compliance with industry and commercially reasonable security standards.

2.2 Anti-Virus and Anti-Malware.
(i) Thomson Reuters will implement and configure industry standard anti-virus and anti-malware software on systems holding or processing Your Data for regular signature updates.
(ii) Thomson Reuters will implement threat management capabilities designed to protect systems holding or processing Your Data.

2.3 Network Security.
(i) Thomson Reuters will configure network devices (including routers and switches) according to approved lockdown standards.
(ii) Thomson Reuters will segregate the data center networks into separate logical domains with the network security controls approved by its security personnel.

2.4 Web and Application Security.
(i) Thomson Reuters will maintain commercially reasonable security measures for internet-accessible applications, including:
a. Implementing processes for developing secure applications;
b. Performing pre-deployment and ongoing security assessments of internet-accessible applications;
c. Developing internet-accessible applications based on secure coding guidelines such as those found in the Open Web Application Security Project (OWASP) Development Guide; and
d. Validating the input, internal processing, and output of data in internet-accessible application(s).
(ii) Thomson Reuters will implement a change management process for documenting and executing operational changes in Services.

2.5 Compliance.
(i) Thomson Reuters will establish and adhere to policies that comply with laws and regulations that are applicable to Thomson Reuters and its provision of Services. Thomson Reuters does not determine whether Your Data includes information subject to any specific law or regulation and compliance with any such law or regulation is the sole responsibility of the Customer.
(ii) To the extent legally permitted, Thomson Reuters will endeavor to notify Customer promptly after Thomson Reuters receives correspondence or a complaint from a government or regulatory official or agency related to the security of Your Data. For purposes of the foregoing, a correspondence or complaint excludes normal customer service correspondence or inquiries.

2.6 Physical and Environmental Security.
Thomson Reuters Services will be housed in secure facilities protected by a secure perimeter, with generally accepted industry standard security barriers and entry controls for providers of similar services, including:
(i) Such Thomson Reuters facilities will be physically protected from unauthorized access, damage, and interference;
(ii) Access to such facilities will be logged and logs will be maintained;
(iii) Procedures will be maintained for visitors and guests accessing such Thomson Reuters facilities; and
(iv) Thomson Reuters will employ physical safeguards designed to protect Thomson Reuters Services systems from security threats and environmental hazards.

2.7 Security Testing and Patching.
(i) Thomson Reuters will perform security testing for common security coding errors and vulnerabilities against systems holding or processing Your Data in line with generally accepted industry standards.
(ii) Thomson Reuters will regularly scan systems holding or processing Your Data for security vulnerabilities.
(iii) Thomson Reuters will follow a commercially reasonable and industry standard security patching process.

2.8 Exchange, Transfer, and Storage of Information.
(i) Thomson Reuters shall ensure that all account usernames and authentication credentials are stored and transmitted across networks and protected with a minimum of 128 AES encryption. Thomson Reuters shall not store user credentials in clear text under any circumstances. Your Data shall be encrypted at a minimum of 256 AES when in transit and at rest. Thomson Reuters will also use encryption for Your Data being transmitted across the public Internet or wirelessly, and as otherwise required by applicable laws. Thomson Reuters will hold such encryption keys in the strictest of confidence and limit access to only named individuals with a need to have access.
(ii) Your Data will not be stored or transported on a laptop or any other mobile device or storage media, including USB, DVDs, or CDs, unless encrypted using a commercially reasonable encryption methodology. All electronic data transfers of Your Data by Thomson Reuters will be transmitted via SFTP or other commercially reasonable encrypted form.

2.9 Penetration Testing, Monitoring, Vulnerabilities.
(i) Thomson Reuters or an appointed third party may periodically perform penetration testing on the Thomson Reuters systems supporting the Services. Upon written request, Thomson Reuters shall make available to Customer a summary on the outcome of such relevant penetration testing or an executive summary of the penetration testing results.
(ii) Thomson Reuters will monitor the relevant Thomson Reuters information systems for security threats, misconfigured systems, and vulnerabilities on an ongoing basis.
(iii) Thomson Reuters will classify any vulnerability findings identified as emergency, critical, high, medium, or low in accordance with generally accepted industry standards for providers of similar services, and in accordance with Thomson Reuters risk assessment policies.
Although the actual timeframe needed to effect such remediation will depend on the nature of the finding, Thomson Reuters will undertake commercially reasonable efforts to correct vulnerabilities according to the following timeframes:

Vulnerability Classification | Definition | Remediation Goal
Emergency | A vulnerability that has a high probability of being widely exploited in a manner disruptive to normal business operations | Begin deployment of patches and mitigations promptly, without undue delay, and complete remediation activities within seven (7) days
Critical | A vulnerability that has a high probability of being exploited that could result in broad exposure of confidential information or disruption of service, but the nature of the vulnerability does not | Without undue delay and in any event within thirty (30) days
High Risk | A vulnerability that has a reasonably high probability of being exercised that could allow broad exposure or compromise of confidential information or disruption of service. | Without undue delay and in any event within sixty (60) days
Medium Risk | A vulnerability that has a medium probability of being exercised. | Without undue delay and in any event within ninety (90) days
Low Risk | A vulnerability that has a low probability of being exercised. | Best efforts to address vulnerability in accordance with Thomson Reuters risk management policies. Depending on the scope of the vulnerability, correction may be addressed in the next scheduled update.

2.10 Personnel Access. Thomson Reuters will implement controls designed to manage its -to-know basis consistent with assigned job responsibilities, which may include the use of role-based access controls to help ensure appropriate access rights, permissions, and segregation of duties.

2.11 Segregation of Data.
Thomson Reuters agrees that Your Data hosted within the Services in a production environment is maintained so as to preserve logical segregation of Your Data from data of others.

2.12 Data Removal, Deletion and Destruction. If not otherwise set forth in the applicable Agreement, upon conclusion or termination of the Services at the written request of the Customer, Thomson Reuters will securely destroy and, upon request, confirm the destruction of all copies of Your Data in any electronic or non-electronic form, except (i) for backup or archival copies kept in the normal course of business, including as part of a defined data retention program; or (ii) to the extent necessary to comply with applicable law and regulations.

2.13 Adjustment of Data Security Controls. Thomson Reuters will evaluate and may adjust its data security controls in light of: (i) the results of the testing monitoring; (ii) any material changes to Thomson Reuters operations or business arrangements; (iii) the results of risk assessments performed; or (iv) any other circumstances that Thomson Reuters knows or has reason to know may have a material impact on its data security controls.

3. SECURITY QUESTIONNAIRES AND ASSESSMENTS

3.1 No more than once per calendar year, Customer may request Thomson Reuters in writing to complete an information security questionnaire, or by way of a secure portal, be provided with a pre-populated security questionnaire in an industry recognized format. Thomson Reuters agrees to respond to such questionnaire as soon as commercially reasonable. Customers who purchase multiple products under one or more agreements will coordinate requests into a single questionnaire per calendar year. You agree that the information contained in such responses are the proprietary and confidential information of Thomson Reuters.
3.2 To the extent Thomson Reuters performs and makes available to customers an independent third-party assessment or certification with respect to that service (e.g., ISO 27001, SOC 2), upon Custo available executive summary of the results of such security assessments for the Services containing Your Data. You agree that the information contained in such assessment, certification, or executive summary are the proprietary and confidential information of Thomson Reuters.

4. NOTIFICATION OF SECURITY BREACH

4.1 Thomson Reuters will, without undue delay but in any event within seventy-two (72) hours of discovery, notify Customer of a Security Breach. Thomson Reuters agrees that it will not inform any third party of any Security Breach naming you without first obtaining Customer's prior written consent, unless if (i) required by applicable law or regulation; or (ii) such disclosure is in furtherance of a Thomson Reuters security breach investigation or the execution of its response plan.

4.2 In the event of any such Security Breach, Thomson Reuters will take commercially reasonable measures and actions to remedy or mitigate the effects of the Security Breach and will perform a root cause analysis to identify the cause of such Security Breach.

4.3 related to such Security Breach, including, to the extent known, a summary of the cause of such Security Breach and steps taken to remedy the Security Breach and to prevent a reoccurrence. Thomson Reuters will reasonably cooperate with Customer in seeking injunctive or other equitable relief against any third party deemed responsible or complicit in the Security Breach.

4.4 If legally permitted, in the event of a Security Breach, Thomson Reuters agrees to reasonably cooperate with Customer with protecting its rights relating to the use, disclosure, protection, and maintenance of Your Data.

5. BUSINESS CONTINUITY AND DISASTER RECOVERY

Thomson Reuters will, at all times while this Agreement is in effect, maintain a Business Continuity and Disaster Recovery Plan. Thomson Reuters will perform periodic testing of its Business Continuity and Disaster Recovery Plan to confirm its effectiveness. Upon Customer request, Thomson Reuters will provide a high-level report about the outcome of its latest Business Continuity and Disaster Recovery Plan test.

6. SERVICES RESILIENCE

6.1 Thomson Reuters will use commercially reasonable efforts to restore the Services by having offline backups of application data, infrastructure components and configuration settings.

6.2 Thomson Reuters will use commercially reasonable efforts to protect Services that host or process Your Data against denial-of-service attacks by implementing denial-of-service mitigation solutions.

7. SHARED SECURITY OBLIGATIONS

You agree that you are responsible for all transactions that occur on your account and that it is your responsibility to ensure that you and your users use unique usernames and strong passwords for each account used to access the Services. You agree that you and your users must hold in confidence all usernames and passwords used for accessing the Services, and each user must immediately change their username/password combinations that have been acquired by or disclosed to an unauthorized third party. You also agree to enroll and require your personnel and other users to enroll in multi- made available to you, and you are responsible for all transactions and other activity that would have been prevented by the proper use of MFA. Additionally, you will notify Thomson Reuters if you become aware of any unauthorized third-party access to Thomson Reuters data or systems and will use reasonable efforts to remedy identified security threats and vulnerabilities to your systems.

8. BACKGROUND CHECKS

Employment background checks serve as an important part of Thomson Reuters selection process.
Verifying background information validates a overall employability or a particular assignment. Depending on the country and position at issue, to the extent as is customary and permitted by law, all Thomson Reuters background checks may include identification verification, prior employment verification, criminal background information, global terror/sanctions checks and education verification. Thomson Reuters agrees to use qualified information security personnel to perform data security services.

9. DEFINITIONS

(i) means the underlying agreement between Thomson Reuters and Customer for the provision of Services that references and incorporates this Addendum.
(ii) Business Continuity and Disaster Recovery Plan contingency and disaster recovery activation plan to minimize disruption in and reinstate the operation of the use of the Services by you due to a disaster or similar event.
(iii) Documentation nd other user instructions, documentation and materials available through the product or provided by us regarding the capabilities, operation, and use of our Services.
(iv) Professional Services means the implementation, customization, training, consulting or other professional services we provide, as may be described in the applicable Agreement.
(v) Property , but is not limited to, our products, Services, information, Documentation, data (whether tangible or intangible) and Usage Information.
(vi) Security Breach means a confirmed breach of security that results in the unauthorized destruction, loss, alteration, disclosure of, or access to Your Data where such breach of security is likely to result in a significant risk of harm to you or your Data Subject(s) or where Thomson Reuters is required by applicable data protection law to notify you thereof.
(vii) Services computing services, software-as-a-service, online research services, Professional Services, as well as any products, including installed software, supplied by Thomson Reuters that are detailed in the applicable Agreement.
(viii) Usage Information means any information, data, or other content (including statistical compilations and performance information) related to or derived from your access to and use of our Property.
(ix) Your Data that is submitted, posted, or otherwise transmitted by you or on your behalf through the Services. For clarity, Your Data does not include any information belonging to Thomson Reuters or its licensors, including without limitation: any content provided by Thomson Reuters as part of the Services, authentication and security information, billing and customer relationship information, marketing information, and Usage Information.