Workday HR Management Software Subscription, Training and Consulting
workday 00395662.0-Confidential
SIGNATURE DOCUMENT
Documents | Agreement Number
Main Subscription Agreement (v23.11) | Agreement#: 00395662.0
Subscription Order Form | Order Form#: 00433288.0
Training Order Form | Order Form#: 433285
*Delivery Assurance | Order Form#: 431530
*Professional Services Agreement | PSA#:
*Statement of Work | Statement of Work#:
*Add related agreement number if applicable.
By executing this document ("Signature Document"), the undersigned agree they are duly authorized signatories and all documents listed in the above table are entered into between the parties, effective as of the later of the dates beneath the parties' signatures below ("Effective Date"). References to Signature Document and Effective Date in the Main Subscription Agreement shall mean those terms as defined in the preceding sentence.

City of Meridian
33 E Broadway Ave
Meridian, Idaho 83642-2619
United States
Signature:
Name: Robert E. Simison
Title: Mayor
Date Signed: 1-23-2024

Workday, Inc.
6110 Stoneridge Mall Road
Pleasanton, CA 94588
Signature: Julie Gonzalez (Jan 12, 2024 16:42 PST)
Name: Julie Gonzalez
Title: Senior Vice President, Financial Planning & Analysis
Date Signed: Jan 12, 2024

Attest Approved as to Legal Form by: Chris Johnson, City Clerk 1-23-2024

Main Subscription Agreement-City of Meridian ©2023 Workday v23.11 Page 0 of 14

MAIN SUBSCRIPTION AGREEMENT
This Main Subscription Agreement, effective as of the Effective Date set out in the Signature Document, is by and between Workday, Inc. ("Workday") a Delaware corporation with offices at 6110 Stoneridge Mall Road, Pleasanton, CA 94588 and City of Meridian ("Customer"), with offices at 33 E Broadway Ave, Meridian, Idaho 83642-2619, United States. Whereas Workday provides a subscription Service to which Customer intends to subscribe, this Agreement establishes the business relationship and allocation of responsibilities regarding the Service and the parties therefore agree as follows:
1.
Provision of Service.
1.1 Workday Obligations. During the Term, Workday shall: (i) make the Service and Improvements available to Customer in accordance with the Documentation, the SLA and pursuant to the terms of this Agreement; and (ii) not use Customer Data except to provide the Service, prevent or address service or technical problems, or verify Improvements, in accordance with this Agreement and the Documentation, or in accordance with Customer's instructions.
1.2 Customer Obligations. Customer may enable access to the Service for use only by Authorized Parties solely for the Internal Business Purposes of Customer and its Affiliates in accordance with the Documentation and not for the benefit of any third parties for a level of use not exceeding the Pricing Metrics on the applicable Order Form. Customer is responsible for all Customer Affiliate and Authorized Party use of the Service and their compliance with this Agreement. Customer shall: (a) have sole responsibility for the accuracy, quality, and legality of all information submitted to Workday, including, but not limited to Customer Data; (b) take commercially reasonable efforts to prevent unauthorized access to or use of the Service through login credentials of Authorized Parties, and notify Workday promptly of any unauthorized access or use; and (c) take commercially reasonable efforts to prevent the sending of or storage of Malicious Code in connection with use of the Service. Customer shall not: (i) use the Service in violation of Laws; (ii) in connection with use of the Service, send or store infringing, obscene, threatening, or otherwise unlawful or tortious material, including material that violates privacy rights; (iii) send or store Malicious Code in connection with use of the Service; (iv) interfere with or disrupt performance of the Service or the data contained therein; or (v) attempt to gain access to the Service or its related systems or networks in a manner not set forth in the Documentation.
2.
Fees.
2.1 Invoices and Payment. Subscription Fees and all other fees due hereunder will be invoiced to Customer in the United States and payment will be remitted by Customer from the United States. Except where indicated otherwise on an applicable Order Form, all fees due hereunder (except fees subject to good faith dispute) shall be due and payable within thirty (30) days of invoice date. Workday will send all Customer invoices electronically (by email or otherwise). Workday shall email invoices to Customer within two business days of the date of the invoice. All fees are quoted and payable in United States Dollars and are based on access rights acquired and not actual usage. Customer shall provide Workday with complete and accurate billing and contact information including a valid email address. Upon Workday's request, Customer will make payments via electronic bank transfer. All remittance advice and invoice inquiries can be directed to Accounts.Receivable@workday.com.
2.2 Non-cancelable and non-refundable. Except as specifically set forth to the contrary under Section 6.2 "Warranty Remedies", Section 7 "Indemnification", Section 9.3 "Effect of Termination", and for credits due pursuant to Section 10.12 "Workday SLA Service Credits", all payment obligations under any and all Order Forms are non-cancelable and all payments made are non-refundable.
2.3 Overdue Payments. Except with respect to charges subject to a reasonable and good faith dispute, any payment not received from Customer by the due date may accrue, at Workday's discretion, late charges at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid.
2.4 Non-Payment and Suspension of Service.
Except with respect to charges subject to a reasonable and good faith dispute, if Customer's account is more than 30 days past due, in addition to any other rights or remedies it may have under this Agreement or by law, Workday reserves the right to suspend the Service upon 30 days written notice, without liability to Customer, until such amounts are paid in full. Such notice shall clearly and prominently state that the Service is at risk of suspension and shall not solely take the form of an invoice with an overdue notice, and shall state Customer has 30 days to make payment in full before Workday can suspend the Service.
2.5 Taxes. This section applies only if Customer has not provided Workday with a tax exemption certificate authorized and honored by applicable taxing authorities that covers all Taxes. Subscription Fees and all other fees invoiced pursuant to this Agreement do not include, and may not be reduced to account for, any taxes, which may include local, state, provincial, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including, but not limited to, value-added taxes, excise, use, goods and services taxes, consumption taxes or similar taxes and foreign withholding taxes (collectively defined as "Taxes"). Customer is responsible for paying all Taxes imposed on the Service or any other services provided under this Agreement. If Workday has a legal obligation to pay or collect Taxes for which Customer is responsible under this Agreement, the appropriate amount shall be computed based on Customer's address listed in the Signature Document which will be used as the ship-to address on the Order Form, and invoiced to and paid by Customer, unless Customer provides Workday with a valid tax exemption certificate authorized by the appropriate taxing authority.
3. Proprietary Rights.
3.1 Ownership and Reservation of Rights to Workday Intellectual Property. Workday and its licensors own all right, title and interest in and to the Service, Documentation, and other Workday Intellectual Property Rights. Subject to the limited rights expressly granted hereunder, Workday reserves all rights, title and interest in and to the Service and Documentation, including all related Intellectual Property Rights. No rights are granted to Customer hereunder other than as expressly set forth herein.
3.2 Grant of Rights. Workday hereby grants Customer (for itself and those of Customer's Affiliates and Authorized Parties for whom Customer enables access to the Service) a non-exclusive, non-transferable, right to use the Service and Documentation solely for the Internal Business Purposes of Customer and its Affiliates and solely during the Term, subject to the terms and conditions of this Agreement within the scope of use defined in the relevant Order Form. The Service is provided in U.S. English. Workday has translated portions of the Service into other languages and unless otherwise indicated in the applicable Order Form, Customer may use any available translated portions of the applicable Service.
3.3 Restrictions.
Customer shall not (i) modify or copy the Service or Documentation or create any derivative works based on the Service or Documentation; (except for archival copies of the Documentation for use consistent with this Agreement); (ii) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share, offer in a service bureau, or otherwise make the Service or Documentation available to any third party, other than to Authorized Parties as permitted herein; (iii) reverse engineer or decompile any portion of the Service or Documentation, including but not limited to, any software utilized by Workday in the provision of the Service and Documentation, except to the extent required by Law; or (iv) access the Service or Documentation in order to build any commercially available product or service except as otherwise provided in an applicable Order Form.
Ownership of Customer Data. As between Workday and Customer, Customer owns the Customer Data.
3.4 Customer Input. Workday shall have a royalty-free, transferable, sub-licensable, irrevocable, perpetual license to use, and incorporate into its services, any Customer Input. Workday shall have no obligation to make Customer Input an Improvement. Customer shall have no obligation to provide Customer Input.
4. Confidentiality.
4.1 Confidentiality. A party (the "Recipient") shall not disclose or use any Confidential Information of the other party (the "Discloser") except as reasonably necessary to perform its obligations or exercise its rights pursuant to this Agreement or with the Discloser's prior written permission.
Either party may disclose Confidential Information on a need-to-know basis to its Affiliates, contractors and service providers, including third party submission tools or online portal providers required by the Discloser for proposal (or related) submissions ("Representatives"), who are bound by confidentiality obligations at least as restrictive as those in this section. The Recipient shall be responsible for any acts or omission of its Representatives with respect to protection of the Discloser's Confidential Information. The parties agree that (1) the Recipient's or its Representatives' online portal terms conflicting with the terms of Section 4 of this Agreement shall not be binding on the Discloser submitting its Confidential Information to the Recipient through the Recipient's or its Representative's online portal, (2) this Section 4.1 applies to all such Confidential Information disclosed to the Recipient through such online portals; and (3) this Agreement supersedes any such "click-through" or other online terms.
4.2 Protection. Each party agrees to protect the Confidential Information of the other party in the same manner that it protects its own Confidential Information of like kind, but in no event using less than a reasonable standard of care.
4.3 Compelled Disclosure. A disclosure by the Recipient of the Discloser's Confidential Information to the extent required by Law shall not be considered a breach of this Agreement, provided the Recipient promptly provides the Discloser with prior notice of such compelled disclosure (to the extent legally permitted), follows the process set forth in any applicable public records law(s), and provides reasonable assistance, at the Discloser's cost, if the Discloser wishes to contest the disclosure.
Subject to the foregoing, in the event of any request by a government agency or law enforcement authority for access to Customer Data, Workday will seek to redirect the inquiry to Customer. In all such cases, Workday will take all reasonable and legally permissible measures to protect the Customer Data and to inform Customer of such demand.
4.4 Business Associate Exhibit. If Customer concludes that the Service will include access to Customer Data that is protected by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and Customer is a Covered Entity as defined under HIPAA, the parties agree to attach Workday's Business Associate Exhibit to this Agreement, which shall apply to Workday's receipt, maintenance or transmission of Protected Health Information from, or on behalf of Customer, as described in such Exhibit.
4.5 Remedies. If the Recipient discloses or uses (or threatens to disclose or use) any Confidential Information of the other party in breach of confidentiality protections hereunder, the Discloser shall have the right, in addition to any other remedies available, to seek injunctive relief to enjoin such acts, it being acknowledged by both parties that any other available remedies may be inadequate.
4.6 Exclusions. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation between the parties; (ii) was known to the Recipient prior to its disclosure by the Discloser without breach of any obligation between the parties; (iii) was independently developed by the Recipient without breach of any obligation between the parties; or (iv) is received by the Recipient from a third party without breach of any obligation owed to the other party. Customer Data shall not be subject to the exclusions set forth in this section.
5. Customer Data.
5.1 Protection and Security.
Workday maintains a security program that conforms to the Workday Universal Security Exhibit attached hereto ("Security Exhibit") and is further described in Workday's most recently completed Service Organization Control 1 (SOC1) and Service Organization Control 2 (SOC2) audit reports or industry-standard successor reports. The most recently completed SOC1 and SOC2 (or industry standard successor audit reports) as of the Effective Date are referred to as the "Current Audit Reports". The Security Exhibit may be updated from time to time to reflect changes in technology and law. In no event during the Term shall Workday materially decrease the protections provided by the controls set forth in the Security Exhibit and the Current Audit Reports. Upon Customer's request, Workday will provide Customer with a copy of Workday's Current Audit Reports or comparable industry-standard successor reports prepared by Workday's independent third-party auditor. The Universal Data Processing Exhibit attached hereto (the "Data Processing Exhibit" or "DPE") will apply to the processing of Personal Data. The DPE may be updated by Workday from time to time to reflect changes in technology and law. No update shall materially decrease the protections that are in the attached DPE. Customer understands that its use of the Service and compliance with any terms hereunder does not constitute compliance with any Law. Customer understands that it has an independent duty to comply with any and all Laws applicable to it.
5.2 Unauthorized Disclosure. If either party believes that there has been a Security Breach, such party must promptly notify the other party, unless legally prohibited from doing so, within 48 hours or any shorter period as may be required by Law; provided, however, that Customer is not required to notify Workday in any case where Customer reasonably determines that the Security Breach presents no threat to the Service.
Additionally, each party will reasonably assist the other party in mitigating any potential damage. As soon as reasonably practicable after any such Security Breach that is not clearly attributable to Customer or its Authorized Parties, Workday shall conduct a root cause analysis and, upon request, will share the results of its analysis and its remediation plan with Customer. Unless prohibited by Law, each party shall provide the other party with reasonable notice of, and the opportunity to review and comment on the content of all public notices, filings, or press releases about a Security Breach that identify the other party by name prior to any such publication.
6. Warranties and Disclaimers.
6.1 Warranties. Each party warrants that it has the authority to enter into this Agreement and shall comply with all Laws in connection with its performance of this Agreement. Workday warrants that during the Term (i) the Service shall perform materially in accordance with the Documentation; (ii) the functionality of the Service will not be materially decreased during the Term; and, (iii) to the best of Workday's knowledge, the Service does not contain any Malicious Code. Order Forms for Related Services may have warranties specific to those Related Services.
6.2 Warranty Remedies. In the event of a breach of any of the warranties set forth in Section 6.1 (i), (ii) and (iii), (a) Workday shall correct the non-conforming Service at no additional charge to Customer, or (b) in the event Workday is unable to correct such deficiencies after good-faith efforts, Workday shall refund Customer amounts paid that are attributable to the defective Service from the date Workday received such notice (as set forth in Section 6.3 below) through the date of remedy, if any.
The remedies set forth in this subsection shall be Customer's sole remedy and Workday's sole liability for breach of these warranties unless the breach of warranty constitutes a material breach of this Agreement and Customer elects to terminate this Agreement in accordance with the Section entitled "Termination."
6.3 Notice Obligations. To receive the warranty remedies set forth above, Customer must promptly report deficiencies in writing to Workday, but no later than 30 days of the first date the deficiency is identified by Customer, or, in the case of a Related Service, no later than 30 days after delivery of such Related Service. Customer's failure to notify Workday within such 30 day period shall not affect Customer's right to receive the remedy in Section 6.2(a) unless Workday is somehow unable, or impaired in its ability to, correct the deficiency due to Customer's failure to notify Workday within the 30 day period. Notice of breaches of the warranties in Section 6.1 shall be made through Workday's then-current error reporting system; notices of breaches of any other warranty shall be made in writing to Workday in accordance with the Notice provisions of this Agreement.
6.4 DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED HEREIN AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PARTIES MAKE NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE SERVICE AND RELATED SERVICES AND THE DOCUMENTATION. WORKDAY DOES NOT WARRANT THAT THE SERVICE WILL BE ERROR FREE OR UNINTERRUPTED. THE LIMITED WARRANTIES PROVIDED HEREIN ARE THE SOLE AND EXCLUSIVE WARRANTIES PROVIDED TO CUSTOMER IN CONNECTION WITH THE PROVISION OF THE SERVICE.
7. Indemnification
7.1 Workday Indemnity.
Workday shall defend Customer, at Workday's expense, from any third party Claim against Customer alleging that the use of the Service as contemplated under this Agreement infringes or misappropriates such third party's Intellectual Property Rights and Workday shall indemnify and hold Customer harmless against any Losses relating to such third party Claim.
7.2 Customer Obligations. If and only if Customer is not prohibited by Law from indemnifying its vendors, Customer shall defend Workday, at Customer's expense, from any third-party claim against Workday alleging that (1) Customer Data, or (2) data submitted by Customer, its Affiliates or its Authorized Parties used by Workday to provide the Service infringes or misappropriates such third-party's Intellectual Property Rights and Customer shall be directly and solely responsible for any Losses related to such Claim. If Customer is legally prohibited from indemnifying its vendors, any indemnification clause found in an Order Form's application-specific additional terms or click-through terms referenced in the Order Form shall be read only as an acknowledgement that Customer is responsible for materials and data it provides to Workday and for the behavior of its Authorized Parties.
7.3 Conditions. The indemnitor's obligations in Section 7.1 and 7.2 are conditioned on the indemnitee (a) promptly giving written notice of the third-party Claim to the indemnitor (although a delay of notice will not relieve indemnitor of its obligations under this Section except to the extent that the indemnitor is prejudiced by such delay), (b) giving the indemnitor sole control of the defense and settlement of the third-party Claim (although indemnitor may not settle any third-party Claim unless it unconditionally releases indemnitee of all liability); and (c) providing to indemnitor, at indemnitor's cost, all reasonable assistance.
7.4 Exceptions.
Workday shall have no liability for Claims or Losses to the extent arising from (a) modification of the Service by anyone other than Workday; (b) use of the Service in a manner inconsistent with this Agreement or Documentation (c) use of the Service in combination with any other product or service not provided by Workday.
7.5 Continued Use of the Service. If Customer is enjoined from using the Service or Workday reasonably believes it will be enjoined, Workday shall have the right, at its sole option, to obtain for Customer the right to continue use of the Service or to replace or modify the Service so that it is no longer infringing. If neither of the foregoing options is reasonably available to Workday, then the applicable Service may be terminated at either party's option and Workday's sole obligation and liability related to the subject matter of this Section 7, in addition to the indemnification obligations herein, shall be to refund any prepaid fees for the applicable Service that was to be provided after the effective date of termination.
7.6 Exclusive Remedy. Sections 7.1 through 7.3 state each indemnitee's exclusive remedies and the indemnitor's sole obligations related to the subject matter of this Section.
8. Limitation of Liability.
8.1 LIMITATION OF LIABILITY.
TO THE MAXIMUM EXTENT PERMITTED BY LAW AND EXCEPT WITH RESPECT TO (i) INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS IN SECTION 7, (ii) EITHER PARTY'S RECKLESS MISCONDUCT, GROSS NEGLIGENCE, WILLFUL MISCONDUCT AND/OR FRAUD, (iii) WORKDAY'S REMEDIATION OBLIGATIONS IN SECTION 8.4; OR (iv) CUSTOMER'S PAYMENT OBLIGATIONS, THE MAXIMUM LIABILITY OF EITHER PARTY WHICH INCLUDES ITS RESPECTIVE AFFILIATES, AND IN THE CASE OF WORKDAY, ALSO INCLUDES WORKDAY'S THIRD PARTY LICENSORS FOR ANY AND ALL CLAIMS (INDIVIDUALLY AND IN THE AGGREGATE) ARISING OUT OF OR RELATING TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR OTHERWISE, IS LIMITED TO AN AMOUNT EQUAL TO THE FEES ACTUALLY PAID BY CUSTOMER UNDER THIS AGREEMENT DURING THE IMMEDIATELY PRECEDING 12 MONTH PERIOD FOR THE SERVICE FROM WHICH THE CLAIM(S) AROSE (OR, FOR A CLAIM(S) ARISING BEFORE THE FIRST ANNIVERSARY OF THE EFFECTIVE DATE, THE AMOUNT PAID OR PAYABLE FOR THE FIRST 12 MONTH PERIOD) ("GENERAL CAP"), EXCEPT THAT FOR BREACHES OF EITHER PARTY'S CONFIDENTIALITY, SECURITY OR PRIVACY OBLIGATIONS THE BREACHING PARTY'S MAXIMUM TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL BE INCREASED TO FEES PAID OR PAYABLE UNDER THE AGREEMENT DURING THE IMMEDIATELY PRECEDING 24-MONTH PERIOD FOR THE SERVICE FROM WHICH THE CLAIM AROSE ("ENHANCED CAP").
8.2 EXCLUSION OF DAMAGES. EXCEPT FOR WORKDAY'S IP INDEMNIFICATION OBLIGATIONS IN SECTION 7, IN NO EVENT SHALL EITHER PARTY OR ITS AFFILIATES HAVE LIABILITY FOR LOST PROFITS OR REVENUES, LOSS OF USE OR DATA (UNLESS CAUSED BY WORKDAY'S FAILURE TO BACK UP CUSTOMER DATA IN ACCORDANCE WITH ITS OBLIGATIONS HEREUNDER), BUSINESS INTERRUPTION, OR INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL, OR COVER DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR OTHERWISE, EVEN IF THE PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE EXCLUSIONS IN THIS SECTION WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
CUSTOMER'S PAYMENT OBLIGATIONS SHALL NOT BE CONSIDERED WORKDAY'S LOST PROFITS.
8.3 Direct Damages. Subject to Section 8.1, and notwithstanding Section 8.2, if either party breaches its obligations under this Agreement, the following will be considered direct damages: (1) amounts paid to affected third parties as damages or settlements in response to claims arising from the breach; (2) amounts paid for fines and penalties imposed by any governmental authority arising from the breach; and (3) reasonable legal fees, to defend against third-party claims arising from the breach.
8.4 Workday Remediation of Certain Unauthorized Disclosures. In the event that any unauthorized access to or acquisition of Personal Data is caused by Workday's breach of its security and/or privacy obligations under this Agreement, Workday shall pay the reasonably necessary, documented costs incurred by Customer in connection with the following items: (a) costs of any reasonably required forensic investigation to determine the cause of the breach, (b) providing notification of the security breach to applicable government and relevant industry self-regulatory agencies, to the media (if required by Law) and to individuals whose Personal Data may have been accessed or acquired, (c) providing credit monitoring service to individuals whose Personal Data may have been accessed or acquired for a period of one year (or for a longer period if required by Law) after the date on which such individuals were notified of the unauthorized access or acquisition for such individuals who elected such credit monitoring service, and (d) operating a call center to respond to questions from individuals whose Personal Data may have been accessed or acquired for a period of one year (or for a longer period required by Law) after the date on which such individuals were notified of the unauthorized access or acquisition.
NOTWITHSTANDING THE FOREGOING, OR ANYTHING IN THIS AGREEMENT TO THE CONTRARY, WORKDAY SHALL HAVE NO RESPONSIBILITY TO PAY COSTS OF REMEDIATION THAT ARE DUE TO RECKLESS MISCONDUCT, GROSS NEGLIGENCE, WILLFUL MISCONDUCT AND/OR FRAUD BY CUSTOMER OR ITS EMPLOYEES, AGENTS OR AUTHORIZED PARTIES.
9. Term and Termination.
9.1 Term of Agreement. The Term commences on the Effective Date and continues until the stated term in all Order Forms has expired or has otherwise been terminated, unless otherwise extended pursuant to the written agreement of the parties. Subscriptions to the Service commence on the date, and are for a period, as set forth in the applicable Order Form.
9.2 Termination. Either party may terminate this Agreement: (i) upon 30 days prior written notice to the other party of a material breach by the other party if such breach remains uncured at the expiration of such notice period; or (ii) immediately in the event the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. In the event this Agreement is terminated, all Order Forms are simultaneously terminated. Upon any termination by Customer pursuant to this section, Workday shall refund Customer any prepaid fees for the affected Service(s) that were to be provided after the effective date of termination. For clarity, a breach or termination of any Professional Services Agreement, as defined in the DPE, or of any applicable statement of work and/or work order thereunder, shall not be considered a material breach or termination of this Agreement.
9.3 Effect of Termination.
Upon any expiration or termination of this Agreement, all Order Forms shall immediately terminate and Customer shall, as of the date of such expiration or termination, immediately cease accessing and otherwise utilizing the applicable Service (except as permitted under the sections entitled "Retrieval of Customer Data" and "Transition Period before Final Termination") and shall also cease accessing Workday Confidential Information. Termination for any reason shall not relieve Customer of the obligation to pay any fees accrued or due and payable to Workday prior to the effective date of termination. Additionally, termination for any reason other than Workday's uncured material breach, or the reasons set forth in Section 2.2, shall not relieve Customer of the obligation to pay all future amounts due under all Order Forms.
9.4 Transition Period before Final Termination. If this Agreement is terminated and Customer submits a written request to Workday prior to any such termination for a one-time transition period, Workday will continue to provide the Service for up to 3 months after the effective date of such termination (the "Transition Period"), subject to the terms and conditions of this Agreement. Monthly fees for the Transition Period will be 1/12 of the immediately preceding 12-month period plus, only if this Agreement was not terminated by Customer for cause, an additional 5%. Notwithstanding the foregoing, if Workday is enjoined from performing, or termination of this Agreement was due to Customer's breach, Workday has no obligation to perform under this section unless it receives (i) payment of all fees not subject to reasonable and good faith dispute, (ii) prepayment of fees for further services, and (iii) certification of ongoing compliance with the terms of this Agreement during the Transition Period.
9.5 Transition Consulting Services.
During a Retrieval Period or Transition Period, Workday will provide cooperation and assistance as Customer may reasonably request to support an orderly transition to another provider of similar software, services, or to Customer's internal operations. Such cooperation and assistance will be limited to consulting regarding the Workday Service and will be subject to a fee based on Workday's then-current rates for consulting services and such services will be set out in a statement of work to a professional services agreement between the parties. Notwithstanding the foregoing, in the event of termination of this Agreement by Workday for Customer's breach, Workday may withhold the provision of transition consulting services and condition further performance upon (i) payment of undisputed fees then owed and (ii) prepayment of fees for further services.
9.6 Retrieval of Customer Data. Upon written request by Customer made prior to or upon any expiration or termination of this Agreement (including any Transition Period), Workday will make Customer Data available to Customer through the Service solely to allow Customer to retrieve Customer Data for a period of up to a total of 60 days after such expiration or termination (the "Retrieval Period"). If Customer utilizes the Transition Period described in Section 9.4 above, it will still receive a total of no more than 60 days of non-cost Retrieval Period. After such Retrieval Period, Workday will have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, delete all Customer Data by deleting Customer's Tenant; provided, however, that Workday will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted, provided further that in all cases Workday will continue to protect the Customer Data in accordance with this Agreement.
Customer Data will be made available in a Workday-supported format mutually agreed upon between the parties (for example, CSV, delimited text or Microsoft Excel). The foregoing deletion obligation will be subject to any retention obligations imposed on Workday by Law. Additionally, during the Term of the Agreement, Customers may extract Customer Data using Workday's standard web services.
9.7 Surviving Provisions. The following provisions of this Agreement shall not survive and will have no further force or effect following any termination or expiration of this Agreement: (i) Section 1.1(i) "Workday Obligations"; (ii) Section 3.2 "Grant of Rights"; and (iii) those provisions granting Customer access to any SKU(s) and services referenced in any applicable Order Form(s). All other provisions of this Agreement shall survive any termination or expiration of this Agreement.
10. General Provisions.
10.1 Relationship of the Parties. The parties are independent contractors. This Agreement does not create nor is it intended to create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. There are no third-party beneficiaries to this Agreement.
10.2 Insurance. Workday will maintain during the entire Term, at its own expense, the types of insurance coverage specified below, on standard policy forms and with insurance companies with at least an A.M. Best Rating of A- VII at the time of policy inception.
(a) Workers' Compensation insurance prescribed by applicable local law and Employers Liability insurance with limits not less than $1,000,000 per accident/per employee. This policy shall include a waiver of subrogation against Customer.
(b) Business Automobile Liability covering all vehicles that Workday owns, hires or leases with a limit of no less than $1,000,000 (combined single limit for bodily injury and property damage) for each accident.
(c) Commercial General Liability insurance including Contractual Liability Coverage, with coverage for products liability, completed operations, property damage and bodily injury, including death, with an aggregate limit of no less than $2,000,000. This policy shall name Customer as an additional insured with respect to the provision of services provided under this Agreement. This policy shall include a waiver of subrogation against Customer.
(d) Technology Professional Liability Errors & Omissions policy (which includes Cyber Risk coverage, internet liability, and Computer Security and Privacy Liability coverage) with a limit of no less than $10,000,000 per occurrence and in the aggregate.
(e) Crime policy with a limit of no less than $5,000,000 per occurrence and in the aggregate and naming Customer (as its interests may appear) as a loss payee.
(f) Excess Liability/Umbrella coverage with a limit of no less than $9,000,000 per occurrence and in the aggregate. This policy shall name Customer as an additional insured with respect to the provision of services provided under this Agreement. This policy shall include a waiver of subrogation against Customer.
Limits for (a) Employers Liability only, (b) and (c) may be achieved through a combination of primary and excess liability/umbrella policies to reach the level of coverage shown above. Upon Customer's request, Workday agrees to deliver to Customer certificates of insurance evidencing the coverage specified in this section. Should any of the above described policies be cancelled before the expiration date thereof, notice will be delivered in accordance with policy provisions. Workday will be solely responsible for any deductible or self-insurance retentions.
Such insurance coverage will be primary and any other valid insurance existing will be in excess of such primary insurance policies. The required insurance coverage and limits of liability set forth above shall not be construed as a limitation or waiver of any potential liability or satisfaction of any indemnification/hold harmless obligation of Workday.
10.3 Notices. Unless expressly stated otherwise, all notices under this Agreement shall be in writing and shall be deemed to have been given upon: (i) personal delivery; or (ii) the third business day after first class mailing. Notices to Workday shall be sent to the address shown in the Signature Document addressed to the attention of its General Counsel with a copy sent to legal@Workday.com. Notices to Customer shall be sent to the address shown in the Signature Document addressed to Customer's General Counsel. Each party may modify its recipient of notices by providing notice pursuant to this Agreement.
10.4 Background Check. Unless prohibited by law, Workday agrees to conduct (or has previously conducted) a criminal background check on personnel employed by Workday (or will require its subcontractors to conduct a background check on their own personnel) who will have access to Customer Data. Such background check shall be in the form generally used by Workday in its initial hiring of employees or contracting for contractors or, as applicable, during the employment-screening process. Workday will not allow any person performing under this Agreement on behalf of Workday to be assigned to have access to Customer Data whose background check revealed a conviction of any violent crime or crime involving theft, dishonesty, moral turpitude, breach of trust, or money laundering.
10.5 Code of Conduct.
Workday has a published code of conduct available on its public web site with rules for ethical business conduct which complies with applicable law. Workday uses commercially reasonable efforts to ensure that Workday complies with its code of conduct, including but not limited to periodic training of employees about the code.
10.6 Waiver and Cumulative Remedies. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right or any other right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.
10.7 Force Majeure. Neither party shall be liable for any failure or delay in performance under this Agreement for causes beyond that party's reasonable control and occurring without that party's fault or negligence, including, but not limited to, acts of God, acts of government, flood, fire, civil unrest, acts of terror, strikes or other labor problems (other than those involving Workday or Customer employees, respectively) ("Force Majeure"). Dates by which performance obligations are scheduled to be met will be extended for a period of time equal to the time lost due to any delay so caused, provided that notice of the Force Majeure event is given in writing within 15 days after the Force Majeure event begins. Such notice shall identify the nature of the Force Majeure event, its expected duration and the probable impact on the performance of the affected party's obligations.
10.8 Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (which consent shall not be unreasonably withheld).
Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms) without consent of the other party in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets (an "M&A assignment") so long as the assignee agrees to be bound by all of the terms of this Agreement in an amendment to this Agreement and all past due fees are paid in full or otherwise accounted for in the amendment. In no event shall Customer have the right to assign this Agreement to a direct Competitor of Workday. In the event of an M&A assignment, the non-assigning party shall be entitled to request from the assignee information to demonstrate that the assignee has the necessary resources and expertise to provide the Service. Failure to provide such information shall be a material breach of this Agreement. Any attempt by a party to assign its rights or obligations under this Agreement other than as permitted by this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
10.9 Nonappropriation. Workday acknowledges that City is a governmental entity, and the validity of this Agreement is based upon the availability of public funding under the authority of its statutory mandate. Notwithstanding anything in this Agreement to the contrary, City's obligations under this Agreement to provide payment to Workday as described herein shall be subject to and dependent upon appropriations being made by City Council for such purpose. The officer or administrator charged with the responsibility of preparing the Information Technology Department shall include in its proposed budget the amount noted herein for each year in which this contract is in effect.
10.10 State of Idaho requirements. The following provisions are required by the State of Idaho.
The inclusion of these provisions in this Agreement does not indicate Client's support or opposition to these provisions nor agreement by Client that these clauses are relevant to the subject matter of this Agreement. Rather, these provisions are included solely to comply with the laws of the State of Idaho.
10.10.1 Anti-Boycott Against Israel Act. Pursuant to Idaho Code § 67-2346, Workday certifies that Workday is not currently engaged in, and will not for the duration of this Agreement engage in, a boycott of goods or services from Israel or territories under Israel's control. The terms "company" and "boycott Israel" shall have the meanings ascribed to them in Idaho Code § 67-2346.
10.10.2 Contract with company owned or operated by the government of China prohibited. Pursuant to Idaho Code § 67-2359, Workday certifies that Workday is not a company currently owned or operated by the government of China and will not for the duration of this Agreement be owned or operated by the government of China. The terms "company" and "government of China" shall have the meanings ascribed to them in Idaho Code § 67-2359.
10.11 Governing Law; Waiver of Jury Trial. This Agreement shall be governed exclusively by the laws of the State of Idaho, without regard to its conflicts of laws rules. Each party hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.
10.12 Export. Each party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Service. Without limiting the generality of the foregoing, Customer shall not make the Service available to any person or entity that: (i) is located in a country that is subject to a U.S. government embargo; (ii) is listed on any U.S.
government list of prohibited or restricted parties; or (iii) is engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction, unless authorized by the United States government.
10.13 Anti-Corruption. Each party shall comply with all applicable anti-corruption Laws, in relation to this Agreement. Each party agrees that it will not offer to pay or give anything of value to anyone, including foreign governmental officials or related persons or entities on either party's behalf to corruptly: (i) influence any official act or decision; (ii) secure any improper advantage; (iii) obtain or retain business, or direct business to any person or entity; or (iv) for the purpose of inducing or rewarding any favourable action in any matter related to the subject of this Agreement or the business of either party. Each party further agrees to keep accurate books and records in relation to this Agreement. Each party further agrees to cooperate with the other party in any anti-corruption due diligence process and/or investigation in relation to this Agreement.
10.14 Workday SLA Service Credits. If, in any rolling 6-month period, Workday fails to meet the monthly Service Availability or Service Response commitments described in the SLA (a "Failure"), Customer may request the following remedies no later than 6 months after the applicable Failure occurs: (1) a meeting to discuss possible corrective actions for the first Failure; (2) a 10% Service Credit for a second Failure; (3) a 20% Service Credit for a third Failure; and (4) a 30% Service Credit for a fourth Failure. In this Agreement, "Service Credit" means a credit equal to the stated percentage of the applicable monthly Subscription Fee for the affected Service. Workday shall deduct the highest applicable Service Credit from the next invoice for Subscription Fees or, if there is no subsequent invoice, shall refund the Service Credit to the Customer.
The remedies in this section are the Customer's exclusive remedies for any Failure.
10.15 Federal Government End Use Provisions (if applicable). Workday provides pre-existing, commercial Service, including related software and technology, for federal government end use solely in accordance with the terms and conditions of this Agreement, and Workday provides only the technical data and rights as provided herein. Workday's offering constitutes 'commercial items' as defined under FAR 2.101. Workday's contracting documents are in conformance with Workday's commercial item offerings and tailoring of acquisition terms is pursuant to FAR 12.302(b). If you are a FAR governed entity, Workday agrees that the resulting contract will include the mandatory FAR commercial flow downs for a subcontractor under FAR 52.244-6. If a government agency has a need for rights not conveyed under these terms, it must negotiate with Workday to determine whether there are acceptable terms for transferring additional rights. A mutually acceptable addendum specifically conveying such rights must be executed by the parties in order to convey such rights beyond those set forth herein. Additionally, the parties agree that the purpose of this Agreement is to provide a sophisticated integrated system solution, principally for the provision of a product, not a service and as such, neither the Service Contract Act nor its related statutes or regulations apply to Workday's performance hereunder.
10.16 Use by other Entities. The parties agree that other public entities, including state agencies, local governments, courts, and public institutions of higher education may utilize the terms of this Agreement to purchase the Service from Workday for agreements commencing no later than 5 years after the Effective Date of this Agreement. Workday may extend the availability of this Agreement for such use in its sole and reasonable discretion.
The parties understand that pricing is specific to Pricing Metrics and the choice of Workday Service components and other entities will not necessarily pay the same price as Customer. Any such other entity shall be responsible for complying with its relevant procurement rules and regulations. Customer will in no way whatsoever incur any liability to Workday, such entities, or others in relation to specifications, delivery, payment, or any other aspect of actions or omissions by such entities. An entity wishing to utilize this Agreement will have a copy of this Agreement executed in its own name and any Order Forms will be in such entity's name. The parties agree that Workday can disclose this Agreement, all exhibits, and any applicable Order Forms to an entity seeking to make use of this Section.
10.17 Publicity. Except as set forth herein, Workday shall not use Customer's name, logos or trademarks, without the prior written consent of Customer, in any written press releases, advertisements and/or marketing materials. Notwithstanding the foregoing, Workday may use Customer's name and logo in lists of customers and on its website, including, but not limited to, Workday's community portal; however, such usage shall not be classified as an advertisement but only identification as an entity who receives the Service from Workday. For the avoidance of doubt, this section does not prohibit Workday from referencing Customer's name in a verbal format.
10.18 Miscellaneous. This Agreement, including all exhibits and attachments hereto and all Order Forms, constitutes the entire agreement between the parties with respect to the subject matter hereof.
In the event of a conflict, the provisions of an Order Form shall take precedence over provisions of the body of this Main Subscription Agreement and over any other exhibit or attachment to this Main Subscription Agreement except as specified in Section 7.3 of this Agreement and no choice of law clause in an Order Form shall take precedence over Section 10.9. This Agreement supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter and is entered into without reliance on any promise or representation other than those expressly contained in this Agreement. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by both parties. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other non-negotiated Customer order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void. This Agreement may be executed in counterparts, which taken together shall form one binding legal instrument. The parties hereby consent to the use of electronic signatures in connection with the execution of this Agreement, and further agree that electronic signatures to this Agreement shall be legally binding with the same force and effect as manually executed signatures, provided that such signatures must be made using a technology designed for electronic signatures and include appropriate certificates to verify the identity of the signatory.
For avoidance of doubt, emails stating consent to an Agreement or action shall not be considered an electronic signature.
10.19 Exhibits. The following exhibits to this Agreement are attached and incorporated by reference and made a part hereof as if the exhibits were set forth in their entirety herein: Universal Data Processing Exhibit, Universal Security Exhibit, and Workday Production Support and Service Level Availability Policy (SLA).
11. Definitions.
"Affiliate" means any entity which directly or indirectly controls, is controlled by, or is under common control by either party. For purposes of the preceding sentence, "control" means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Agreement" means this Main Subscription Agreement, including the Signature Document, any exhibits, addenda or attachments hereto, and any fully executed or attached and referenced Order Form(s).
"Authorized Party" and/or "Authorized Parties" means Customer's or its authorized Affiliate's employees, third party providers authorized by Customer, and as appropriate for the applicable Service, students and their parents or guardians, prospective employees, prospective students and their parents or guardians, former students, and/or retirees authorized to access Customer's Tenants and/or to receive Customer Data (i) in writing, (ii) through the Service's security designation, or (iii) by system integration or other data exchange process.
"Claim" means any claim, demand, suit, or other legal proceeding made or brought against a party to this Agreement.
"Confidential Information" means (a) any software utilized by Workday in the provision of the Service and its respective source code; (b) Customer Data; (c) each party's business or technical information, including but not limited to the Documentation, training materials, any information relating to software plans, designs, costs, prices and names, finances, marketing plans, business opportunities, personnel, research, development or know-how that is designated by the disclosing party as "confidential" or "proprietary" or the receiving party knows or should reasonably know is confidential or proprietary; and (d) the terms, conditions and pricing of this Agreement (but not its existence or parties).
"Customer Data" means the electronic data or information submitted by Customer or Authorized Parties to the Service.
"Customer Input" means suggestions, enhancement requests, recommendations or other feedback provided by Customer, its Employees or Authorized Parties relating to the operation or functionality of the Service.
"Documentation" means Workday's electronic Administrator Guide for the Service, which may be updated by Workday from time to time.
"Employee" or "Worker" means employees, consultants, contingent workers, independent contractors, and retirees of Customer and its Affiliates whose business record(s) are or may be managed by the Service and for which a subscription to the Service has been purchased pursuant to an Order Form.
"Improvements" means all improvements, updates, enhancements, error corrections, bug fixes, release notes, upgrades and changes to the Service and Documentation, as developed by Workday and made generally available for Production use without a separate charge to Customers.
"Intellectual Property Rights" means any and all common law, statutory and other intellectual property rights, such as copyright, trademarks, trade secrets, patents and other proprietary rights issued, honored or enforceable under any applicable laws anywhere in the world, and inclusive of all moral rights related thereto.
"Internal Business Purposes" means use for Customer's internal operations associated with the functionality of the Service, as opposed to Customer using the products or Service for customers, clients, or prospective customers of the Customer. As illustrative examples: (1) use of recruiting functionality to assist with the recruitment of Customer's employees is an Internal Business Purpose but a placement firm's use of recruiting functionality to find employees for its third-party clients is not an Internal Business Purpose; and (2) Workday's Student Service is clearly designed to assist educational institutions manage the records of students; even though students are technically the "clients" or "customers" of the institution. Nevertheless, use of Workday's Student Service to manage these student records is still an Internal Business Purpose.
"Law" means any local, state, national and/or foreign law, treaties, and/or regulations applicable to a respective party.
"Losses" means any damages or costs finally awarded or entered into in settlement (including, without limitation, reasonable attorneys' fees).
"Malicious Code" means viruses, worms, time bombs, ransomware, Trojan horses and other malicious code, files, scripts, agents or programs intended to do harm.
"Order Form" means the separate ordering documents under which Customer subscribes to the Service or other services pursuant to this Agreement which are fully executed by the parties.
"Personal Data" has the definition set forth in the Data Processing Exhibit.
"Pricing Metrics" means the specific measure identified on the applicable Order Form used for determining the Subscription Service Fee on that Order Form, such as FSE Worker or FTE Student.
"Production" means the Customer's or an Employee's use of or Workday's written verification of the availability of the Service (i) to administer Employees; (ii) to generate data for Customer's books/records; or (iii) in any decision support capacity.
"Related Service" means any professional services provided by Workday pursuant to an Order Form subject to this Agreement and related to the Service.
"Security Breach" means (i) any actual or reasonably suspected unauthorized use of, loss of, access to or disclosure of, Customer Data; provided that an incidental disclosure of Customer Data to an Authorized Party or Workday, or incidental access to Customer Data by an Authorized Party or Workday, where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a "Security Breach" for purposes of this definition, unless such incidental disclosure or incidental access triggers a notification obligation under any Law, (ii) any Personal Data Breach as defined in the DPE; and (iii) any security breach (or substantially similar term) as defined by Law affecting Customer Data.
"Service" means Workday's software-as-a-service applications and Improvements as described in the Documentation and subscribed to under an Order Form.
"SLA" means the Workday Production Support and Service Level Availability Policy, located at https://www.workday.com/en-us/legal/contract-terms-and-conditions/index/exhibits.html, which may be updated by Workday from time to time. No update shall materially decrease Workday's responsibilities under the Workday SLA.
"Subscription Fee" means all amounts invoiced and payable by Customer for the Service.
"Tenant" means a unique instance of the Service, with a separate set of Customer Data held by Workday in a logically separated database (i.e., a database segregated through password-controlled access).
"Tenant Base Name" is a naming convention that will be used in all of the Tenant URLs provided by Workday, as specified in Customer's initial Order Form subscribing to the Service, and which shall remain constant throughout the Term.
UNIVERSAL SECURITY EXHIBIT
This Workday Universal Security Exhibit applies to the Covered Service and Covered Data. Capitalized terms used herein have the meanings given in the Agreement, including attached exhibits, that refers to this Workday Universal Security Exhibit.
Workday maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of Covered Data as well as the associated risks, are appropriate to (a) the type of information that Workday will store as Covered Data; and (b) the need for security and confidentiality of such information.
Workday's security program is designed to:
• Protect the confidentiality, integrity, and availability of Covered Data in Workday's possession or control or to which Workday has access;
• Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Covered Data;
• Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Covered Data;
• Protect against accidental loss or destruction of, or damage to, Covered Data; and
• Safeguard information as set forth in any local, state or federal regulations by which Workday may be regulated.
Without limiting the generality of the foregoing, Workday's security program includes:
1. Security Awareness and Training. Mandatory employee security awareness and training programs, which include:
   a) Training on how to implement and comply with its information security program; and
   b) Promoting a culture of security awareness.
2. Access Controls. Policies, procedures, and logical controls:
   a) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
   b) To prevent those workforce members and others who should not have access from obtaining access; and
   c) To remove access in a timely basis in the event of a change in job responsibilities or job status.
3. Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the data centers housing Covered Data is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes.
4. Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any security breach of any application or system directly associated with the accessing, processing, storage or transmission of Covered Data.
5. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Covered Data or production systems that contain Covered Data.
6. Audit Controls. Technical or procedural mechanisms put in place to promote efficient and effective operations, as well as compliance with policies.
7. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Covered Data and to protect it from disclosure, improper alteration, or destruction.
8. Storage and Transmission Security.
Security measures to guard against unauthorized access to Covered Data that is being transmitted over a public electronic communications network or stored electronically.
©2019 Workday 19.5 Page 1 of 2
9. Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing Covered Data, taking into account available technology so that such data cannot be practicably read or reconstructed.
10. Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of its information security program, including:
   a) Designating a security official with overall responsibility; and
   b) Defining security roles and responsibilities for individuals with security responsibilities.
11. Testing. Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
12. Monitoring. Network and systems monitoring, including error logs on servers, disks and security events for any potential problems. Such monitoring includes:
   a) Reviewing changes affecting systems handling authentication, authorization, and auditing;
   b) Reviewing privileged access to Workday production systems processing Covered Data; and
   c) Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
13. Change and Configuration Management. Maintaining policies and procedures for managing changes Workday makes to production systems, applications, and databases processing Covered Data.
Such policies and procedures include: a) A process for documenting, testing and approving the patching and maintenance of the Covered Service; b) A security patching process that requires patching systems in a timely manner based on a risk analysis; and c) A process for Workday to utilize a third party to conduct web application level security assessments. These assessments generally include testing, where applicable, for:
i) Cross-site request forgery
ii) Services scanning
iii) Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
iv) XML and SOAP attacks
v) Weak session management
vi) Data validation flaws and data model constraint inconsistencies
vii) Insufficient authentication
viii) Insufficient authorization
14. Program Adjustments. Workday monitors, evaluates, and adjusts, as appropriate, the security program in light of: a) Any relevant changes in technology and any internal or external threats to Workday or the Covered Data; b) Security and data privacy regulations applicable to Workday; and c) Workday's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
workday. 00395662.0—Confidential
UNIVERSAL DATA PROCESSING EXHIBIT
This Universal Data Processing Exhibit is an exhibit to the Agreement between Workday and Customer and sets forth the obligations and rights of the parties regarding the Processing of Personal Data pursuant to such Agreement.
1. Definitions
Unless otherwise defined below, all capitalized terms have the meaning given within the applicable Agreement and/or exhibits thereto.
"Agreement" means the MSA, the Professional Services Agreement, and Order Forms, including any exhibits or attachments applicable to the Covered Service.
"CCPA" means the California Consumer Privacy Act, Cal. Civ.
Code § 1798.100 et seq., its implementing regulations, and amendments, including the California Privacy Rights Act ("CPRA") and its implementing regulations.
"Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
"Covered Data" means (i) Customer Data, (ii) Professional Services Data, and (iii) any other electronic data or information submitted by or on behalf of Customer to a Covered Service.
"Covered Service" means (i) any Service provided under an Order Form that specifically refers to this DPE, and/or (ii) any Professional Services.
"DPE" means this Universal Data Processing Exhibit including any appendices, or documents incorporated by reference.
"Data Protection Laws" means all data protection laws applicable to the Processing of Personal Data under this DPE, including local, state, national and/or foreign laws, treaties, and/or regulations, including without limitation the GDPR, and implementations of the GDPR into national law, and CCPA, in each case as may be amended or superseded from time to time.
"Data Subject" means the person to whom the Personal Data or Personal Information relates.
"Europe" or "European" means the European Economic Area ("EEA"), the United Kingdom ("UK"), and Switzerland.
"GDPR" means either or both the (i) General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), and (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") as the context may require.
"Personal Data" means any Covered Data that relates to an identified or identifiable natural person.
"Personal Data Breach" means (i) a 'personal data breach' as defined in the GDPR affecting Personal Data, and (ii) any Security Breach affecting Personal Data.
"Processing" or "Process" means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.
"Professional Services" means the professional or consulting services provided to Customer under a Professional Services Agreement.
"Professional Services Agreement" means any agreement between the parties for the provision of consulting or professional services, including but not limited to the following agreements or terms: the Professional Services Agreement, the Delivery Assurance terms, the Professional Services Addendum, and/or the Consulting and Training Addendum and Amendment.
Workday Universal Data Processing Exhibit—City of Meridian ©2023 Workday (UDPE Global v23.7) Page 1 of 12
"Professional Services Data" means electronic data or information that is provided to Workday under a Professional Services Agreement for the purpose of being input into a Service, or Covered Data accessed within or extracted from the Customer's tenant or instance to perform the Professional Services.
"Subprocessor" means a Workday Affiliate or third-party entity engaged by Workday or a Workday Affiliate as a Processor under this DPE.
"Subprocessor List" means the subprocessor list identifying the Subprocessors that are authorized to Process Personal Data, accessible through Workday's website (currently located at https://www.workday.com/en-us/legal/subprocessors.html).
2. Processing Personal Data
2.1 Scope and Role of the Parties.
This DPE applies to the Processing of Personal Data by Workday to provide the Covered Service. For the purposes of this DPE, Customer is a Controller or a Processor and Workday is a Processor.
2.2 Instructions for Processing. Workday shall Process Personal Data in accordance with Customer's documented instructions. Customer instructs Workday to Process Personal Data to provide the Covered Service in accordance with the Agreement (including this DPE) and as further specified via Customer's use of the Covered Service. Workday will comply with additional written instructions issued by Customer if they are consistent with the terms and scope of the Agreement. To the extent Workday Processes Personal Information under the CCPA, the terms of the California Privacy Addendum to this DPE will apply to the Processing of such Personal Information.
2.3 Compliance with Laws. Workday shall comply with all Data Protection Laws applicable to Workday in its role as a Processor Processing Personal Data. Customer shall comply with all Data Protection Laws applicable to Customer as a Controller and shall obtain all necessary consents, and provide all necessary notifications, to Data Subjects to enable Workday to carry out lawfully the Processing contemplated by this DPE. Customer shall ensure that any instruction it issues to Workday complies with applicable Data Protection Laws. Workday shall inform Customer without undue delay if, in its reasonable opinion, an instruction issued by Customer violates applicable European Data Protection Laws.
2.4 Description of Processing. The agreed subject-matter, the nature, purpose and duration of data processing, the types of Personal Data and categories of Data Subjects are set forth in Addendum B to this DPE.
3. Subprocessors
3.1 Use of Subprocessors. Customer hereby agrees and provides a general authorization that Workday and Workday Affiliates may engage Subprocessors.
Workday or the relevant Workday Affiliate engaging a Subprocessor shall ensure that such Subprocessor has entered into a written agreement that is no less protective than this DPE. Workday shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by Workday.
3.2 Notification of New Subprocessors. Workday shall make available to Customer a Subprocessor List and provide Customer with a mechanism to obtain notice of any updates to the Subprocessor List. At least thirty (30) days prior to authorizing any new Subprocessor to Process Personal Data, Workday shall provide notice to Customer by updating the Subprocessor List.
3.3 Subprocessor Objection Right. Customer may object to Workday's use of a new Subprocessor on reasonable grounds relating to data protection by providing written notice to Workday within fourteen (14) days following Workday's notification pursuant to Section 3.2 above. Should Workday choose to retain the objected-to Subprocessor, Workday will notify Customer at least fourteen (14) days before authorizing the Subprocessor to Process Personal Data and Customer may terminate the relevant portion(s) of the Covered Service within thirty (30) days. Upon any termination by Customer pursuant to this Section, Workday shall refund Customer any prepaid fees for the terminated portion(s) of the Covered Service that were to be provided after the effective date of termination.
4. Data Subject Rights
4.1 Assistance with Data Subject Requests.
Workday will, in a manner consistent with the functionality of the Covered Service and Workday's role as a Processor, provide reasonable support to Customer to enable Customer to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").
4.2 Handling of Data Subject Requests. For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. If Workday receives a Data Subject Request or other complaint from a Data Subject regarding the Processing of Personal Data, Workday will promptly forward such request or complaint to Customer, provided the Data Subject has given sufficient information for Workday to identify Customer.
5. Workday Personnel
Workday shall require screening of its personnel who may have access to Personal Data and shall require such personnel (i) to Process Personal Data in accordance with Customer's instructions as set forth in this DPE, (ii) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data; and (iii) to be subject to confidentiality obligations which survive their termination of employment.
6. Personal Data Breach
If Workday becomes aware of a Personal Data Breach, it shall without undue delay notify Customer in accordance with the Unauthorized Disclosure and Security Breach provisions of the MSA. Workday shall take appropriate measures to address and mitigate the adverse effects of the Personal Data Breach. To the extent Customer requires additional information from Workday to meet its Personal Data Breach notification obligations under applicable Data Protection Laws, Workday shall provide reasonable assistance to provide such information to Customer taking into account the nature of Processing and the information available to Workday.
7.
Security of Processing
Workday shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data as described in the Universal Security Exhibit.
8. Audit
Where Workday has obtained third-party audit reports and certifications for its Covered Services ("Audit Reports and Certifications"), Workday will, at Customer's request and subject to the confidentiality terms set forth in the MSA, make its most recent Audit Reports and Certifications available to Customer for the applicable Covered Service. To the extent Customer reasonably determines that the Audit Reports and Certifications are not sufficient to demonstrate compliance or to respond to a regulatory audit, Workday will allow Customer or an independent auditor appointed by Customer to conduct an audit, subject to the following: (a) Customer and Workday will mutually agree upon the scope, timing, duration, and control and evidence requirements; (b) Customer is responsible for all costs and fees related to such audit and will reimburse Workday for any services performed by Workday at Workday's then-current rates; (c) to the extent the audit is conducted by a third-party audit firm, (i) the third-party audit firm is not a competitor of Workday and (ii) Customer has, prior to such audit, entered into an agreement with such third-party audit firm containing confidentiality terms no less protective than the confidentiality terms set forth in the MSA; and (e) to the extent the audit is conducted by a regulator having jurisdiction over Customer, the regulator is subject to a duty of confidentiality in relation to the findings of that audit (whether arising as a matter of law or by Customer having, prior to such audit, entered into an agreement with the regulator) such duty being no less protective than the confidentiality terms set forth in the MSA.
9.
Additional European Terms
Data Protection Impact Assessments. Workday will, at Customer's request and subject to the confidentiality terms set forth in the MSA, make its most recent Audit Reports and Certifications available to Customer. To the extent Customer requires additional assistance to meet its obligations under applicable Data Protection Laws to carry out a data protection impact assessment and prior consultation with the competent supervisory authority related to Customer's use of the Covered Service, Workday will, taking into account the nature of Processing and the information available to Workday, provide reasonable assistance to Customer.
10. Return and Deletion of Personal Data
Upon termination of the Covered Service, Workday shall return and delete Personal Data in accordance with the relevant provisions of the Agreement.
11. International Transfers of European Personal Data
To the extent Customer's use of the Covered Services requires a transfer mechanism to lawfully transfer Personal Data from Europe, the terms and safeguards in Addendum A to this DPE will apply.
12. General Provisions
12.1 Customer Affiliates. Customer is responsible for coordinating all communication with Workday on behalf of its Affiliates with regard to this DPE. Customer represents that it is authorized to enter into this DPE and any transfer safeguards entered into under this DPE, issue instructions, and make and receive any communications or notifications in relation to this DPE on behalf of its Affiliates.
12.2 Termination. The term of this DPE will end simultaneously and automatically at the later of (i) the termination of the Agreement or, (ii) when all Personal Data is deleted from Workday's systems.
12.3 Conflict. This DPE is subject to the non-conflicting terms of the Agreement.
With regard to the subject matter of this DPE, if inconsistencies between the provisions of this DPE and the Agreement arise, the provisions of this DPE shall prevail with regard to the parties' data protection obligations.
12.4 Customer Affiliate Enforcement. Customer's Affiliates may enforce the terms of this DPE directly against Workday, subject to the following provisions:
i. Customer will bring any legal action, suit, claim or proceeding which that Affiliate would otherwise have if it were a party to the Agreement (each an "Affiliate Claim") directly against Workday on behalf of such Affiliate, except where the Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate itself bring or be party to such Affiliate Claim; and
ii. for the purpose of any Affiliate Claim brought directly against Workday by Customer on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Customer.
12.5 Remedies. Customer's remedies (including those of its Affiliates) with respect to any breach by Workday, its Affiliates and Subprocessors of the applicable terms of this DPE, and the overall aggregate liability of Workday and its Affiliates arising out of, or in connection with the Agreement (including this DPE) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement.
12.6 Miscellaneous. The section headings contained in this DPE are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPE.
ADDENDUM A
International Transfers of European Personal Data
1. Definitions
"Data Privacy Framework" means the EU-U.S., Swiss-U.S., and UK-U.S.
Extension to the Data Privacy Framework maintained by the United States Department of Commerce determined to provide an adequate level of protection for Personal Data transfers to certified commercial organizations in the United States under (i) the European Commission's Adequacy Decision 2023/4745 of 10 July 2023 and (ii) other applicable Data Protection Laws.
"Restricted Transfer" means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country or commercial organization outside of the EEA which is not subject to a valid adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a country or commercial organization outside the UK which is not based on adequacy regulations pursuant to section 17A of the UK Data Protection Act 2018 ("UK DPA"); and (iii) where the Swiss Federal Act on Data Protection of June 19, 1992 ("Swiss FADP") applies, a transfer of Personal Data from Switzerland to a country or commercial organization outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner.
"SCCs" means (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs"); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the UK DPA (version B1.0 of 21 March 2022) as updated or amended ("UK Addendum").
"Workday BCRs" or "BCRs" means Workday's Processor Binding Corporate Rules. The Workday BCRs are accessible through Workday's website (currently located at http://workday.com/legal/bcrs.html).
2. Transfer Mechanisms.
To the extent Customer's use of the Covered Services requires a transfer mechanism to lawfully transfer Personal Data from Europe, the following terms will apply. Where more than one transfer mechanism applies, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (i) the Data Privacy Framework, (ii) the Workday BCRs, and (iii) the SCCs.
2.1 Data Privacy Framework. Workday, Inc. is self-certified to and complies with the Data Privacy Framework and will remain certified for the term of the Agreement.
2.2 BCRs. For the Covered Services identified in the following table, the Workday BCRs apply to the Processing of Personal Data of a Customer or Customer Affiliate established in the EEA. In this event, all provisions of the Workday BCRs are incorporated by this reference and shall be binding and enforceable for Customer according to Section 1.4 of the Workday BCRs as if they were set forth in this DPE in their entirety. If any conflict or inconsistency arises between this DPE and the Workday BCRs, the Workday BCRs shall prevail.
BCR Covered Services | Applicable SKU Names
HCM/FIN/ANALYTICS | Human Capital Management, Cloud Connect for Benefits, Workday Payroll, Cloud Connect for Third Party Payroll, Time Tracking, Recruiting, Learning (excluding Media Cloud), Learning for Extended Enterprise, Core Financials, Expenses, Procurement, Inventory, Grants Management, Projects, Projects Billing, Workday Prism Analytics and Student
Workday Adaptive Planning | Workday Adaptive Planning SKUs, such as Planning & Analytics, Workforce Planning, Financial Planning, Sales Planning, Operational Planning, however defined in the applicable order form.
Workday Extend | Workday Cloud Platform
2.3 Standard Contractual Clauses
2.3.1 Processor-to-Processor SCCs. Where Customer is contracting with Workday Limited, all Restricted Transfers of Personal Data will be governed by SCCs Module 3 implemented between Workday Limited (as "data exporter") and its Subprocessors (as "data importers").
2.3.2 Controller-to-Processor SCCs. Where the transfer from Customer to Workday is a Restricted Transfer, the SCCs will apply to such Restricted Transfers between Customer (as "data exporter") and Workday (as "data importer") as follows:
2.3.2.1 EU Personal Data. In relation to Personal Data protected by the EU GDPR, the EU SCCs will apply (and be incorporated into this DPE by this reference) completed as follows:
i. Module 2 applies unless the Customer is a Processor in which case Module 3 applies;
ii. in Clause 7, the optional docking clause will not apply;
iii. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be in accordance with the notification process set out in Section 3.2 of this DPE;
iv. in Clause 11, the optional redress language will not apply;
v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law specified in the MSA, provided that law is an EEA Member State law recognizing third party beneficiary rights, otherwise, the laws of Ireland apply;
vi. in Clause 18(b), disputes shall be resolved before the courts specified in the MSA, provided these courts are located in an EEA Member State, otherwise those courts shall be the courts of Ireland;
vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Addendum B to this DPE; and
viii.
Annex II of the EU SCCs shall be deemed completed with the information set out in the Universal Security Exhibit to this DPE.
2.3.2.2 UK Personal Data. In relation to Personal Data protected by the UK GDPR ("UK Personal Data"), the UK Addendum will apply as follows:
i. the EU SCCs, completed as set out in Section 2.3.2.1 of this Addendum A, shall also apply to transfers of UK Personal Data;
ii. the UK Addendum shall be deemed executed (and incorporated into this DPE by this reference) between the transferring Customer and Workday, and the EU SCCs shall be deemed amended as specified by Part 2 (Mandatory Clauses) of the UK Addendum in respect of the transfer of UK Personal Data;
iii. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from within this DPE and the EU SCCs, completed as set out in Section 2.3.2.1 of this Addendum A;
iv. the start date of the UK Addendum (as set out in Table 1) shall be the effective date of this DPE; and
v. Table 4 of the UK Addendum shall be deemed completed "neither party".
2.3.2.3 Swiss Personal Data. In relation to Personal Data protected by the Swiss FADP, the EU SCCs will apply amended and adapted as follows:
i. the Swiss Federal Data Protection and Information Commissioner is the exclusive supervisory authority;
ii. the term "member state" must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18; and
iii. references to the GDPR in the EU SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.
2.3.2.4 The SCCs will be subject to the following clarifications:
i.
Workday will allow Customer to conduct audits as described in the SCCs in accordance with Section 8 of this DPE.
ii. Customer authorizes Workday to appoint Subprocessors in accordance with Section 3 of this DPE, and Customer may exercise its right to object to Subprocessors under the SCCs in the manner set out in Section 3.
iii. Workday shall return and delete Customer's data in accordance with Section 10 of this DPE.
iv. Customer agrees that any assistance that Workday provides to Customer under the SCCs shall be provided in accordance with Section 8 of this DPE.
v. Nothing in this Section 2.3.2 of this Addendum A varies or modifies the SCCs nor affects any supervisory authority's or Data Subject's rights under the SCCs. If any provision of this DPE contradicts, directly or indirectly, the SCCs, the SCCs shall prevail.
ADDENDUM B
Description of Processing
A. LIST OF PARTIES
Data exporter
Data exporter: Customer
Contact details: The individuals designated as named contacts by Customer in Customer's account
Relevant activities: Use of Workday's enterprise cloud applications.
Signature and Date: By entering into the Agreement, data exporter is deemed to have signed these SCCs incorporated herein as of the effective date of the Agreement.
Data exporter role: The data exporter's role is set forth in the DPE.
Data importer
Data importer: Workday
Contact details: Workday Privacy Team, legal@workday.com
Relevant activities: Provide and support enterprise cloud applications, including human resource and financial management.
Signature and Date: By entering into the Agreement, data importer is deemed to have signed these SCCs incorporated herein as of the effective date of the Agreement.
Data importer role: Processor
B.
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
1. Customer's job applicants, candidates, current and former employees and other workers, as well as related persons.
2. Employees or contact persons of Customer's prospects, customers, business partners and suppliers.
Categories of personal data transferred
Customer determines the categories of personal data processed within Covered Services subscribed to. Typically, the transferred personal data will include the categories of data identified below:
1. Applicants, employees and other workers: Name; contact information (including home and work address; home and work telephone numbers; mobile telephone numbers; web address; instant messenger; home and work email address); marital status; citizenship information; visa information; national and governmental identification information; drivers' license information; passport information; banking details; military service information; date of birth and birth place; gender; employee identification information; education, language(s) and special competencies; certification information; probation period and employment duration information; job or position title; business title; job type or code; business site; company, supervisory, cost center and region affiliation; work schedule and status (full-time or part-time, regular or temporary); compensation and related information (including pay type and information regarding raises and salary adjustments); payroll information; allowance, bonus, commission and stock plan information; leave of absence information; employment history; work experience information; information on internal project appointments; accomplishment information; sentiments, personal opinions, feedback, training and development information; award
information; membership information.
2. Related persons: Name and contact information of dependents or beneficiaries (including home address; home and work telephone numbers; mobile telephone numbers); date of birth; gender; emergency contacts; beneficiary information; dependent information.
3. Prospects, customers, business partners and suppliers: Name and contact information (including work address; work telephone numbers; mobile telephone numbers; web address; instant messenger; work email address); business title; company.
4. Learners: Name and contact information (including work address; work telephone numbers; mobile telephone numbers; instant messenger; work email address); business title; company; enrollment information, including completion of courses, exam results and feedback provided.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Unless otherwise agreed, the transferred Personal Data may comprise special categories of personal data, such as ethnicity, religious beliefs, trade union membership information and health data (employee sick leave, disability information). Taking into consideration the nature of the data and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Workday has implemented the technical and organizational measures as described in the Universal Security Exhibit, including specialized training of staff and system access logs, to ensure an appropriate level of protection for such sensitive data.
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Transfers will be made on a continuous basis.
Nature of the processing
Workday acts as a processor for the Personal Data Customer submits electronically into Workday's enterprise cloud applications or provides to Workday in connection with the Agreement.
1. Processing Personal Data to set up, operate, maintain and support the enterprise cloud applications
2. Storage of Personal Data in secure data centers
3. Provision of Covered Services
Purpose(s) of the data transfer and further processing
Provide and support enterprise cloud applications, including human resource and financial management.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal data will be retained for the duration of the Agreement in accordance with Section 12.2 of the DPE.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter and duration of the processing is outlined above within this Addendum B. The nature of the specific sub-processing services are further particularized within the Subprocessor List (currently located at: https://www.workday.com/en-us/legal/subprocessors.html).
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs unless required otherwise by Addendum A Sections 2.3.2.2 (UK Personal Data) and 2.3.2.3 (Swiss Personal Data).
Technical and Organizational Measures
The technical and organizational measures set forth in the Security Exhibit have been implemented by the data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
ADDENDUM C
Workday California Privacy Addendum
This California Privacy Addendum ("Addendum") supplements the DPE to which it is attached. Any term not defined in this Addendum shall have the meaning assigned to it, if any, in the DPE or the Agreement. To the extent the Agreement and this Addendum conflict, the terms of this Addendum shall take precedence with respect to Processing of Personal Information under the CCPA. To the extent Workday Processes Personal Information under the CCPA, as defined above, the following supplemental terms shall apply to such Processing:
1. The terms "Business," "Business Purpose," "Consumer," "Sell," "Service Provider," and "Share," shall have the same meanings as provided for in the CCPA. As used in this Addendum, the term "Personal Information" shall refer to any Personal Data that constitutes Personal Information under the CCPA.
2. Roles of the Parties. Customer, as a Business under the CCPA, is disclosing Personal Information to Workday, and Workday is Processing the disclosed Personal Information solely as a Service Provider.
3. Business Purpose. Workday will Process Personal Information for the purpose of providing the Services described in the Agreement, including in the associated Order Forms.
4. Service Provider Processing Limitations.
Workday will not (i) Sell Personal Information, or (ii) retain, use or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than to provide the Covered Services as articulated in the Agreement, including this Addendum, or as permitted by the CCPA.
5. No Sale or Sharing. Workday will not Sell or Share Personal Information.
6. No Combining Personal Information. Workday will not combine Personal Information that it receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, except as otherwise permitted by CCPA.
7. Consumer Requests. Workday will, in a manner consistent with the functionality of the applicable Service and Workday's role as a Service Provider, provide reasonable support to Customer to enable Customer to respond to Consumer requests to exercise their rights under the CCPA, as set forth in Section 4 of the DPE.
8. Security of Processing. Workday will maintain technical and organizational measures to protect Personal Information as set forth in the DPE and as required by the CCPA.
9. Ongoing Compliance. Workday agrees to comply with all applicable requirements of CCPA pertaining to its role as a Service Provider, including by providing the same level of privacy protection for Personal Information as required under CCPA. Customer shall have the right to take reasonable and appropriate steps to ensure compliance with this Addendum by exercising its rights in the audit provisions of the DPE. Customer shall also have the right to take reasonable and appropriate steps to stop or remediate any unauthorized Processing of Personal Information by Workday, for example by requesting that Workday provide a written statement confirming that applicable Personal Information has been deleted.
Workday will notify Customer if it determines that it can no longer meet its obligations under the CCPA.