The URL can be used to link to this page

Home My WebLink About24805AGREEMENT INFORMATION AGREEMENT NUMBER 24805 NAME/TYPE OF AGREEMENT GRAMMARLY, INC. DESCRIPTION SUBSCRIPTION AGREEMENT & CUSTOMER BUSINESS AGREEMENT/DATA PROCESSING/MATTER ID: 23-3230 EFFECTIVE DATE ATTESTED BY TODD B. HANNON ATTESTED DATE 2/20/2024 DATE RECEIVED FROM ISSUING DEPT. 2/21/2024 NOTE DOCUSIGN AGREEMENT BY EMAIL CITY OF MIAMI DOCUMENT ROUTING FORM Department of Procurement ORIGINATING DEPARTMENT: DEPT. CONTACT PERSON: Aimee Gandarilla EXT. 1906 NAME OF OTHER CONTRACTUAL PARTY/ENTITY: Grammarly, Inc. IS THIS AGREEMENT A RESULT OF A COMPETITIVE PROCUREMENT PROCESS? I TOTAL CONTRACT AMOUNT: $ FUNDING INVOLVED? r TYPE OF AGREEMENT: ❑ MANAGEMENT AGREEMENT ❑ PROFESSIONAL SERVICES AGREEMENT ❑ GRANT AGREEMENT ❑ EXPERT CONSULTANT AGREEMENT ❑ LICENSE AGREEMENT OTHER: (PLEASE SPECIFY) YES NO ES ❑ NO ❑ PUBLIC WORKS AGREEMENT ❑ MAINTENANCE AGREEMENT ❑ INTER -LOCAL AGREEMENT ❑ LEASE AGREEMENT ❑ PURCHASE OR SALE AGREEMENT PURPOSE OF ITEM (BRIEF SUMMARY): Agreement Grammarly Subscription Agreement and Grammarly Customer Business COMMISSION APPROVAL DATE: FILE ID: ENACTMENT NO.: IF THIS DOES NOT REQUIRE COMMISSION APPROVAL, PLEASE EXPLAIN: ROUTING INFORMATION Date PLEASE PRINT AND SIGN DIRECTOR OF PROCUREMENT/CHIEF PROCUREMENT OFFICER February 9, 2024 Annie Perez, CPPO 1 14:14:16 EST SIGNATURE• � 2 Cahi RISK MANAGEMENT February 9, 2024 A<��e An n-Mari Sh rpe" 1 14:40:36 EST DocuS netl by SIGNATURE: t , C� CITY ATTORNEY matter 23-3230 February 14, 2024 ,Fs,4a Victqria Mendez I 02:37:ooL5eT SIGNATURE: -d°-"", '> ASSISTANT CITY MANAGER, CHIEF FINANCIAL OFFICER February 15, 2024 Larry Spring, CPA I 13:14:15 EST SIGNATURE: Sr ASSISTANT CITY MANAGER, CHIEF OF OPERATIONS Natasha Colebrook -Williams SIGNATURE: DEPUTY CITY MANAGER Nzeribe Ihekwaba, Ph.D., PE SIGNATURE:NN CITY MANAGER February 16, 20[4 Arthura 1 1/:47.56 EST SIGNATURE: Q ,, CITY CLERK February 20, 2024 Todd Hannon 1 12:22:14 EST SIGNATURE: ��' PLEASE ATTACH THIS ROUTING FORM TO ALL DOCUMENTS THAT REQUIRE EXECUTION BY THE CITY MANAGER IAFI I{�1AAT 11 I City of Miami Office of the City Attorney Legal Services Request To: Office of the City Attorney From: Eduardo Falcon Contact Person Procurement Contracting Manager Title 2/9/2024 Date: Procurement Requesting Client (305) 416-1901 Telephone Legal Service Requested: Matter 23-3230 - Grammarly Subscription Agreement and Grammarly Customer Business Agreement Complete form and forward to the Office of the City Attorney or e-mail to Legal Services. Do not assume that the Office of the City Attorney knows the background of the question and/or issue, such as opinions on the same or similar issues, the existence of relevant memos, correspondence, etc. Please attach to this form and/or e-mail all pertinent information relating to the subject. Once your request has been assigned, an e-mail will be sent to you with the Assigned Attorney's name and the issued matter identification number. All attorneys in the Office of the City Attorney shall fully comply with the Rules Regulating the Florida Bar. For Legal Services requesting an opinion from the Office of the City Attorney: nlssue opinion in writing. Publish opinion after issuance. Authorized by: Annie Perez Date response requested by: BELOW PORTION TO BE COMPLETED BY THE OFFICE OF THE CITY ATTORNEY Assigned Attorney: Date: File No. Approved by: Ultimate Client: Comments: D / R Date: Copy returned to Requesting Client Type: Matrix: Category: Copy to Ultimate Client rev. 04/14/2017 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 grammarly Order Form CUSTOMER INFORMATION Customer Name City of Miami HQ Address 444 Southwest 2nd Avenue, 6th Floor, Miami, Florida, United States, 33130 Quote ID Q-85180 Quote Expiration Date Feb 23, 2024 Subscription Start Date Feb 12, 2024 Master Agreement Feb 7, 2024 Grammarly Subscription Agreement BILLING INFORMATION Billing Email payables@miamigov.com Purchase Order Required? Billing Address (if different than HQ address above) 444 Southwest 2nd Avenue, 6th Floor, Miami, Florida, United States, 33130 Yes Shipping Address (if different than HQ address above) 444 Southwest 2nd Avenue, 6th Floor, Miami, Florida, United States, 33130 Payment Terms Net 45 Billing Schedule Annual SERVICE ORDERED Name of Service Term Length (Months) Start Date End Date No. of Users Annual Fee per User Total Fees (USD) Grammarly Business Team 12 Feb 12, 2024 Feb 11, 2025 225 $111.00 $24,975.00 Total Price $24,975.00 CONFIDENTIAL ©Grammarly Inc. I Order Form I Quote ID: Q-85180 1/3 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 grammarly GOVERNING TERMS. This Order Form incorporates the terms set forth in the Master Agreement identified above. Any purchase order issued by Customer is for its internal purposes only and any terms and conditions referenced or included on such purchase order will not govern the terms of this Order. SUBSCRIPTION TERM AND RENEWAL. Customer's subscription will begin on the Subscription Start Date and continue until the Subscription End Date. Orders will not automatically renew. CONFIDENTIAL © Grammarly Inc. I Order Form I Quote ID: Q-85180 2/3 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 grammarly IN WITNESS WHEREOF, the parties hereto have caused this instrument to be executed by their respective officials thereunto duly authorized on the date provided herein. BY: ATTEST: rDocuSignetl by Todd B. Hannon ` Arthur Noriega V City Clerk City Manager February 20, 2024 I 12:22:14 EST February 16, 2024 1 17:47:56 EST Date: Date: DocuSigned by: "Grammarly" GRAMMARLY, INC., a Delaware profit corporation authorized to conduct business in California BY: cDocuSignetl by: oFsaseieicnnasn_. Kourtney Keaton Name: GM of Grammarly Business Title: 2/8/2024 1 2:19 PM PST Date: "City" CITY OF MIAMI, a Florida municipal corporation BY: `c^a"tl°- APPROVED AS TO LEGAL FORM AND APPROVED AS TO INSURANCE CORRECTNESS: cuSignee by, BY: [v Victoria Mendez City Attorney (Matter 23-3230) February 14, 2024 1 02:37:51 EST Date: REQUIREMENTS: BY: runn -h Anne Marie Sharpe, Director Risk Management February 9, 2024 1 14:40:36 EST Date: CONFIDENTIAL © Grammarly Inc. I Order Form I Quote ID: Q-85180 3/3 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 GRAMMARLY CUSTOMER BUSINESS AGREEMENT This Grammarly Customer Business Agreement is entered into as of the date of last signature below (the "Effective Date") between Grammarly, Inc. ("Grammarly") and City of Miami for their Police Department ("Customer"). This agreement establishes the terms under which Customer will purchase and use the Services and Grammarly will provide the Services. 1. Provision of the Services to Customer 1.1. Right to Use the Services and Software. During the Term, Grammarly (a) will provide the Services to Customer and (b) grants Customer the right to use the Services and to install and use any software provided by Grammarly to access the Services in accordance with the Documentation, all subject to the terms of this agreement. 1.2. Restrictions on the Right to Use the Services. Customer may only use the Services (a) for its internal business purposes and (b) in accordance with this agreement and subject to the Acceptable Use Policy. 1.3. Access for End Users; Responsibility for End Users. Customer may assign End Users to use the Services. End Users may be employees or contractors of Customer or its Affiliates who are using the Services solely for the benefit of Customer or its Affiliates. Customer is responsible for its End Users' use of the Services and compliance with this agreement. Customer will obtain and maintain from End Users any consents necessary to allow Grammarly to deliver the Services. End User accounts may only be used by a single End User and may not be shared by multiple individuals. 1.4. Service -Specific Terms. To the extent Customer uses any services covered by any Service -Specific Terms, those applicable Service -Specific Terms are incorporated by reference into this agreement. 1.5. Changes to the Services. Grammarly may make changes to features and functionality of the Services during the Subscription Term. If Grammarly makes a change to the Services that has a material adverse effect on the functionality of the Services, taken as a whole, Grammarly will notify Customer in advance. 1.6. No Liability for Third -Party Platforms. Customer's use of a Third -Party Platform with the Services is governed by Customer's agreement with the provider of the Third -Party Platform, not this agreement, and Grammarly is not responsible for Third -Party Platforms. 1.7. Affiliate Orders. An Affiliate of Customer may enter its own Order(s) as mutually agreed with Grammarly. This creates a separate agreement between the Affiliate and Grammarly incorporating this agreement with the Affiliate treated as "Customer." Neither Customer nor any Customer Affiliate has any rights under each other's agreement with Grammarly, and breach or termination of any such agreement is not breach or termination under any other. 2. Payment Terms 2.1. Fees. Customer will pay the fees for the Services ("Fees") described in the Order, in U.S. dollars (unless otherwise specified in the Order). All Fees are non-refundable except as required by law or expressly set out in this agreement. 2.2. Payment Timing. The payment timing is described in Customer's Order. If the payment timing is not specified in Customer's Order, Customer will pay all Fees within forty five (45) days of when Customer receives an invoice. Late payments are subject to a service charge of the lesser of 1.5% per month or the maximum amount allowed by law. 2.3. Taxes. If there are any government -imposed sales, value-added, delivery, withholding, or similar taxes associated with the purchase of the Services (but not taxes based on Grammarly's net income, net worth, asset value, property value, or employment), Customer will pay such taxes. If Customer provides a valid tax exemption certificate, applicable taxes under this provision will be waived. 2.4. Notice of Fee Changes Prior to Renewal; Notice of Corrections. In the event Grammarly changes Customer's Fees, Grammarly will give Customer at least thirty (30) days' notice of that change prior to the renewal of Customer's then -current subscription. If Customer believes Grammarly has incorrectly billed Customer, Customer has sixty (60) days from receipt of an invoice to notify Grammarly of the error. 3. Protection of Customer Data 3.1. Security. Grammarly maintains industry standard security and privacy certification, such as a SOC II certification. Grammarly will use appropriate technical and organizational measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data and System Data. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 3.2. Data Privacy and Data Privacy Addendum. The terms of the Grammarly Data Privacy Addendum located at Exhibit "D" are incorporated by reference into this agreement. 3.3. Data Retention. Subject to the Public Records Law of Chapter 119 of the Florida Statutes, as amended, upon the end of the Term, Grammarly will, at the choice and written request of Customer, delete any Customer Data in Grammarly's possession within a commercially reasonable time unless it is required by law to retain it. Grammarly may make instructions available to Customer regarding how to submit such a request and Customer is responsible for following these instructions to request the deletion of Customer Data. 3.4. HIPAA Data. Customer agrees not to submit to the Services any HIPAA Data unless Customer has entered into a BAA with Grammarly. Unless a BAA is in place, Grammarly will have no liability under this agreement for HIPAA Data, notwithstanding anything to the contrary in this agreement or in HIPAA or any similar federal or state laws, rules or regulations. Upon mutual execution of a BAA, the BAA will be incorporated by reference into and subject to the terms of this agreement. 4. Confidentiality 4.1. Restrictions on Use and Disclosure of Confidential Information. Subject to the Public Records Law of Chapter 119 of the Florida Statutes, the recipient of Confidential Information will only use the disclosing party's Confidential Information to exercise its rights and fulfill its obligations under this agreement, and will use reasonable care to protect against the disclosure of the disclosing party's Confidential Information. The recipient may disclose Confidential Information only to its Affiliates, employees, agents, or professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep it confidential. The recipient will ensure that those people and entities use the received Confidential Information only to exercise rights and fulfill obligations under this agreement. 4.2. Required Disclosure. Subject to the Public Records Law of Chapter 119 of the Florida Statutes, the recipient may disclose Confidential Information to the extent required by applicable Legal Process if the recipient uses commercially reasonable efforts to (a) promptly notify the other party of such disclosure before disclosing, and (b) comply with the other party's reasonable requests regarding its efforts to oppose the disclosure, in each case, if doing so is consistent with the Legal Process and does not obstruct a governmental investigation. 5. Intellectual Property Rights 5.1. Reservation of Intellectual Property Rights. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Grammarly owns all Intellectual Property Rights in the Services and in System Data. Except as expressly stated, this agreement does not grant either party any rights, implied or otherwise, to the other's content or any of the other's intellectual property. 5.2. Right to Use Customer Data. Customer grants Grammarly the right to use Customer Data during the Subscription Term to provide and protect the Services, as well as to diagnose problems. 5.3. Machine Learning for Product Improvement. Customer acknowledges that a fundamental component of the Service is the use of machine learning for the purpose of providing and improving Grammarly's products and services. Customer hereby grants Grammarly the right to use, during and after the Subscription Term, aggregated and anonymized Customer Data to improve the Services, including to train Grammarly's algorithms internally through machine learning techniques. 5.4. Feedback. If Customer or its End Users provide Grammarly with feedback about any of Grammarly's products or services (including the Services), then Grammarly may use that feedback without restriction or obligation to Customer so long as Grammarly does not publicly identify Customer as the source of feedback, and Customer hereby assigns all rights, title, and interest in such feedback to Grammarly. 6. Customer Obligations 6.1. Terminate Unauthorized Use. Customer will use commercially reasonable efforts to prevent and terminate any unauthorized use of, or access to, the Services, and promptly notify Grammarly of any unauthorized use of, or access to, the Services of which Customer becomes aware. Grammarly reserves the right to investigate any violation or potential violation of the Acceptable Use Policy. 6.2. Provide Privacy Notices. Customer is responsible for providing any required privacy consents and notices for using the Services. 6.3. Compliance with Laws; Export Compliance. Customer (a) will comply with all export and import laws in performing this agreement and (b) represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country subject to a U.S. government embargo or designated by the U.S. government as a "terrorist supporting" country. Customer will not submit to the Services any data controlled under the U.S. International Traffic in Arms Regulations. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 6.4. Third Party Administration. Customer acknowledges that, if Customer purchases the Services through a reseller and designates any of the reseller's personnel as administrators of Customer's Services account, the reseller may be able to control account information, including Customer Data, and access Customer's Services account. 7. Term, Termination, and Suspension 7.1. Subscription Term; Agreement Term. The "Subscription Term" of Customer's subscription will begin on the date specified on the applicable Order and will continue until Customer's subscription ends or is terminated. This agreement starts on the Effective Date and continues until the end of all Subscription Terms, unless it is terminated sooner ("Term"). 7.2. Omitted. 7.3. Termination. Either party may terminate this agreement if (a) the other party materially breaches this agreement and fails to cure that breach within thirty (30) days after receipt of a written notice of the breach, or (b) the other party ceases its business operations or becomes subject to insolvency proceedings. Where the termination is caused by Grammarly's material breach, Grammarly will issue a prorated refund for Customer's unused subscription, measured from the date of breach notice. Grammarly may terminate this agreement upon notice for an egregious violation by Customer of the Acceptable Use Policy. 7.4. Suspension. Grammarly may suspend Customer's access to the Services if: (a) Customer's use of the Services poses a risk to the Services, Grammarly's other customers, or Grammarly (including Grammarly's infrastructure, security, and third -party relationships); (b) Customer's use of the Services could subject Grammarly to liability; (c) Customer's payment of Fees is late; or (d) Customer is otherwise in breach of this agreement. Grammarly will provide Customer with prompt notice of any suspension when practicable. Once the issue causing the suspension is resolved, Grammarly will take commercially reasonable efforts to promptly restore Customer's access to the Service. 7.5. Effect of Termination. When this agreement terminates, Customer will no longer have access to the Services and Grammarly may elect in its discretion to (a) terminate End Users' accounts or (b) downgrade End Users' accounts to individual subscriber accounts. All sections of this agreement that should survive termination will do so, including the confidentiality obligations, limitation of liability, and disclaimers. 8. Express Warranty and Disclaimer 8.1. Express Warranty. For the Term, the Services will perform in a manner materially consistent with Grammarly's Documentation ("Service Warranty"). Customer may provide notice of a warranty failure at any time by delivering a written, reasonably detailed description of the observed failure to Grammarly. Upon receiving such notice, Grammarly will have no fewer than 45 days to correct the failure. If Grammarly cannot do so, Customer may terminate any and all Orders immediately upon written notice and receive a prorated refund for its unused subscription, measured from the date of the warranty failure notice. The foregoing procedures are Customer's exclusive remedy and Grammarly's sole liability for breach of the Service Warranty. 8.2. Disclaimer about the Services. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, TO THE FULLEST EXTENT PERMITTED BY LAW, GRAMMARLY, ITS AFFILIATES, AND ITS SUPPLIERS (A) DO NOT MAKE ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, TITLE, NONINFRINGEMENT, OR ERROR -FREE OR UNINTERRUPTED USE OF THE SERVICES; (B) MAKE NO REPRESENTATION ABOUT THE CONTENT OR INFORMATION ACCESSIBLE THROUGH THE SERVICES; AND (C) DO NOT WARRANT THAT THE OPERATION OF THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS. 8.3. Beta Services. Grammarly may creates new service offerings that are still in development. Grammarly will mark such services as "alpha", "beta", "early access" or something similar. Customer may choose to use these beta services in its sole discretion. Grammarly may not support these beta services, may change them at any time, and they may not be as secure or reliable as Grammarly's other Services. Customer will treat the beta services and any related documentation as Confidential Information until Grammarly officially launches the beta services. Notwithstanding anything else in this agreement, Grammarly will have no liability arising out of or in connection with these beta services. 9. Limitation of Liability DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 9.1. Limitation on Liability Amount. Subject to Section 9.3 (Unlimited Liabilities), each party's total aggregate Liability arising out of or relating to this agreement is limited to the Fees Customer paid during the twelve- month period before the event giving rise to Liability (unless that amount is zero due to Customer participating in a free trial, in which case Grammarly's total liability will not exceed one hundred dollars). 9.2. Limitation on Indirect Liabilities. To the extent permitted by applicable law and subject to Section 9.3 (Unlimited Liabilities), neither party will have any Liability arising out of or relating to this agreement for any (a) indirect, consequential, special, incidental, or punitive damages or (b) lost revenues, cost of replacement services, profits, savings, or goodwill. 9.3. Unlimited Liabilities. Nothing in this agreement excludes or limits either party's Liability for: (a) its fraud or fraudulent misrepresentation; (b) its indemnification obligations under Section 10 (Indemnification); (c) its infringement of the other party's Intellectual Property Rights; (d) its payment obligations under this agreement; or (e) matters for which liability cannot be excluded or limited under applicable law. 10. Indemnification 10.1. Grammarly's Indemnification Obligations to Customer. Grammarly will defend and indemnify Customer against settlement amounts as well as damages and costs finally awarded in any third -party legal proceeding ("Indemnified Amounts") to the extent arising from an allegation that Customer's use of Grammarly's technology used to provide the Services infringes the third party's Intellectual Property Rights. 10.2. Indemnification Exclusions. These indemnification obligations will not apply to the extent the underlying allegation arises from (a) the indemnified party's breach of this agreement or (b) a combination of the indemnifying party's technology with materials not provided by the indemnifying party under this agreement, unless such combination is required by this agreement. 10.3. Notice Requirement. The indemnified party must promptly notify the indemnifying party in writing of any allegation(s) that preceded the third -party legal proceeding and cooperate reasonably with the indemnifying party to resolve the allegation(s) and third -party legal proceeding. If breach of this notification obligation prejudices the defense of the legal proceeding, the indemnifying party's obligations will be reduced in proportion to the prejudice. 10.4. Sole Control Requirement. The indemnified party must give sole control of the indemnified portion of the third -party legal proceeding to the indemnifying party, subject to the following: (a) the indemnified party may appoint its own non -controlling counsel, at its own expense; and (b) any settlement requiring the indemnified party to admit liability, pay money, or take (or refrain from taking) any action, will require the indemnified party's prior written consent, not to be unreasonably withheld, conditioned, or delayed. 10.5. Remedies. If Grammarly reasonably believes the Services might infringe a third party's Intellectual Property Rights, then Grammarly may, at its sole option and expense, (a) procure the right for Customer to continue using the Services; (b) modify the Services to make them non -infringing without materially reducing their functionality; or (c) replace the Services with a non -infringing, functionally equivalent alternative. If Grammarly cannot reasonably offer these remedies, Grammarly may suspend or terminate Customer's use of the Services, with a pro-rata refund of prepaid and unused Fees for the Services. 10.6. Indemnification is the Sole Remedy for Third -Party Intellectual Property Rights Allegations. Without affecting either party's termination rights, this Section 10 (Indemnification) states the parties' sole and exclusive remedy under this agreement for any third -party allegations of Intellectual Property Rights infringement covered by this Section 10 (Indemnification). 11. Insurance 11.1. Coverage Scope. Grammarly shall maintain and, upon reasonable request, provide a certificate of insurance pursuant to Exhibit "A." 12. Disputes 12.1. Jurisdiction and Venue. All claims and disputes arising from or relating to this Agreement or the Services may only be brought in the State of Florida with Miami Dade County as the venue of choice for any and all legal disputes. In the case of any claims or disputes, Florida law shall be governing law. Each party shall be responsible for their own costs and attorneys' fees, except as set forth in section 10. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 12.2. Informal Resolution. Before filing a claim, Grammarly must first be contacted through the notice procedures below. The parties will try in good faith to settle any dispute. If the dispute is not resolved within thirty days of notice, a formal proceeding may be brought in accordance with this Section 12 (Disputes). 12.3. Exceptions. A lawsuit may be filed in the federal or state courts of Dade County, Florida solely for injunctive relief to stop unauthorized use or abuse of the Services or infringement of intellectual property rights without first engaging in the informal dispute resolution process described in Section 12.2 (Informal Resolution) above. Notwithstanding anything to the contrary in this agreement, if Customer represents a governmental entity or institution subject to the law of a United States' state that mandates different dispute resolution terms, governing law, or venue, Grammarly agrees to such state law requirements. 13. Miscellaneous 13.1. Authority to bind. Each of the parties represents and warrants that it has full legal authority and power to enter into this agreement. 13.2. Severability. If one or more of the provisions contained in this agreement is held invalid, illegal or unenforceable in any respect by any court of competent jurisdiction, such holding will not impair the validity, legality, or enforceability of the remaining provisions. 13.3. Assignment. Neither party may assign this agreement, or any rights or obligations established under this agreement, without the other party's written consent (not to be unreasonably withheld, conditioned, or delayed). Any attempted assignment without consent will be void. Each party hereby consents to assignments made by the other party in connection with a merger, acquisition, reorganization, or transfer of assets. 13.4. Entire agreement. This agreement, together with Customer's Order, constitutes the entire agreement between Customer and Grammarly with respect to its subject matter, and supersedes any and all prior agreements, discussions, negotiations, and offers, whether verbal or in writing. In the event of conflicting provisions, the Order will control over all other documents, and the Data Privacy Addendum and any Service - Specific Terms will control over this agreement. Excluding Work Orders, terms in a business form, purchase order, or other such document used by either party will not amend or modify this agreement. 13.5. Amendments. Any amendment to this agreement must be in writing, expressly stating that it is amending this agreement and signed by both parties. 13.6. Subcontractors. Grammarly may use subcontractors to provide the Services under this agreement, but Grammarly remains responsible and assumes liability for any such subcontractors in their performance of this agreement. This does not limit any additional terms for subprocessors under the Data Privacy Addendum. 13.7. No Third -Party Beneficiaries. This agreement does not confer any benefits on any third party unless it expressly states that it does. 13.8. Headings. Headings and captions used in this agreement are for reference purposes only and will not have any effect on the interpretation of this agreement. 13.9. Governing Law. All disputes or claims between the parties are governed by the laws of Florida. 13.10. Notices. Grammarly will provide notices under this agreement to Customer by sending an email to the email address that Grammarly has on file for Customer. Customer will provide notices under this agreement to Grammarly by sending an email to contract_notices©grammarly.com. Notice will be treated as received when the email is sent. Customer is responsible for keeping Customer's email address current throughout the Term. 13.11. Force Majeure. Except for Customer's obligation to pay Fees owed, neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control, including acts of God, natural disasters, pandemics, terrorism, riots, or war. 13.12. No Agency or Waiver. This agreement does not create any agency, partnership, or joint venture between the parties. Neither party waives any rights by not exercising (or delaying the exercise of) any rights under this agreement. 13.13. Government Rights. To the extent applicable, the Services are "commercial computer software" or a "commercial item" for purposes of FAR 12.212 for and DFARS 227.7202. To the extent permitted in this agreement, use, reproduction, release, modification, disclosure or transfer of the Services is governed solely by the terms of this agreement, and all other use is prohibited. 14. Nondiscrimination. Grammarly represents and warrants to the City that Grammarly does not and will not engage in discriminatory practices and that there shall be no discrimination in connection with the Grammarly's performance under this Agreement on account of race, age, religion, color, gender, gender identity, sexual DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 orientation, national origin, marital status, physical or mental disability, political affiliation, or any other factor. Grammarly further covenants that no otherwise qualified individual shall, solely by reason of their race, age, religion, color, gender, gender identity, sexual orientation, national origin, marital status, physical or mental disability, political affiliation, or any other factor be excluded from participation in, be denied services, or be subjected to discrimination under any provision of this Agreement. 15. Counterparts; Electronic Signatures. This Agreement may be executed in counterparts, each of which shall be an original as against either party whose signature appears thereon, but all of which taken together shall constitute but one and the same instrument. An executed facsimile or electronic scanned copy of this Agreement shall have the same force and effect as an original. The parties shall be entitled to sign and transmit an electronic signature on this Agreement (whether by facsimile, PDF, or other email transmission), which signature shall be binding on the party whose name is contained therein. Any party providing an electronic signature agrees to promptly execute and deliver to the other parties an original signed Agreement upon request. 16. E-Verify Employment Verification. By entering into this Agreement, Grammarly and its subconsultants are jointly and severally obligated to comply with the provisions of Section 448.095, Florida Statutes, as amended, titled "Employment Eligibility." Grammarly affirms that (a) it has registered and uses the U.S. Department of Homeland Security's E-Verify system to verify the work authorization status of all new employees of Grammarly; (b) it has required all subconsultants to this Agreement to register and use the E-Verify system to verify the work authorization status of all new employees of the subconsultant; (c) it has an affidavit from all subconsultants to this Agreement attesting that the subconsultant does not employ, contract with, or subcontract with, unauthorized aliens; and (d) it shall maintain copies of any such affidavits for the duration of the Agreement. Registration information is available at: http://www.uscis.gov/e-verify. If the City has a good faith belief that Grammarly has knowingly violated Section 448.09(1), Florida Statutes, then City shall terminate this Agreement in accordance with Section 448.095(5)(c), Florida Statutes. In the event of such termination, Grammarly agrees and acknowledges that it may not be awarded a public contract for at least one (1) year from the date of such termination and that Grammarly shall be liable for any additional costs incurred by the City because of such termination. In addition, if City has a good faith belief that a subconsultant has knowingly violated any provisions of Sections 448.09(1) or 448.095, Florida Statutes, but Grammarly has otherwise complied with its requirements under those statutes, then Grammarly agrees that it shall terminate the contract with the subconsultant upon receipt of notice from the City of such violation by subconsultant in accordance with Section 448.095(5)(c), Florida Statutes. Any challenge to termination under this provision must be filed in the Circuit or County Court by the City, the Grammarly, or subconsultant no later than twenty (20) calendar days after the date of said termination. For the avoidance of doubt, the sub -processors listed at the following webpage are not considered subconsultants or subcontractors for the purposes of this clause E-Verify Employment Verification: https://support.grammarly.com/hc/en- us/articles/360036884632-Does-Grammarly-use-su bprocessors-. 17. Definitions "Acceptable Use Policy" means the acceptable use policy set forth at the following link, or other link that Grammarly may provide: https://www.grammarly.com/acceptable-use-policy. "Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party. "BAA" means an addendum to this agreement covering the handling of HIPAA Data. "Confidential Information" means information that one party (or an Affiliate) discloses to the other party under this agreement, and which is marked as confidential or would normally under the circumstances be considered confidential information. It does not include information that is independently developed by the recipient, is rightfully given to the recipient by a third party without confidentiality obligations, or becomes public through no fault of the recipient. Subject to those exclusions, Customer Data is considered Customer's Confidential Information. "Control" means control of greater than fifty percent of the voting rights or equity interests of a party or the power to direct the management or operations of an entity. "Customer Data" means data submitted to the Services from Customer directly or at Customer's direction. "Documentation" means Grammarly's technical documentation, functional specifications, and usage guides for the Services made available at https://support.grammarly.com/ or through the Services. "End User" means an individual that Customer permits to use the Services. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended and supplemented. "HIPAA Data" means any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations. "including" means including but not limited to. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 "Intellectual Property Rights" means current and future worldwide rights under patent, copyright, trade secret, trademark, and moral rights laws, and other similar rights. "Legal Process" means any information disclosure request made under law, governmental regulation, court order, subpoena, warrant, or other valid legal authority, legal procedure, or similar process. "Liability" means any liability, whether under contract, tort (including negligence), or otherwise. "Order" or "Work Order" means Grammarly's order form or, as applicable, an ordering document agreed to with Customer's reseller through which Customer has procured the Services. "Services" means the services described in Customer's Order, including any software provided by Grammarly to access the services, and includes updates and modifications that Grammarly makes to them from time to time. "Service -Specific Terms" means the then -current terms specific to one or more services (or portions thereof) set forth at the following link in the "Service -Specific Terms" section, or other link that Grammarly may provide: https://www.qrammarly.com/terms/customer-business-aqreement. "Third -Party Platform" means any product, add -on or platform not provided by Grammarly that Customer uses with the Service. "System Data" is data generated through the use of the Services, including technical logs, metadata, and user action statistics. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 IN WITNESS WHEREOF, the parties hereto have caused this instrument to be executed by their respective officials thereunto duly authorized on the date provided herein. DocuSigned by: ATTEST: () BY:Emsurnvorrns[ I Todd�B. Hannon FeSikuclF4 20, 2024 I 12:22:14 EST Date: "Grammarly" GRAMMARLY, INC., a Delaware profit corporation authorized to conduct (7°°V.Y311i min California aw BY: Name:Kourtney Keaton GM of Grammarly Business Title: Date:2/8/2024 I 2:19 PM PST "Customer" CITY OF MIAMI, a Florida municipal corporation BY: l " Nbn Arthur Noriega V Fell hAlVaitr, 2024 I 17: 47: 56 EST Date: APPROVED AS TO LEGAL FORM AND APPROVED AS TO INSURANCE CORRECTNESS: REQUIREMENTS: BY: [ Z> Victoria Mendez ,°s BY: -t-n Gnu u �o (Matter 23-3230) Anne Marie Sharpe, Director City Attorney Risk Management February 14, 2024 1 02:37:51 EST Date: Date: February 9, 2024 1 14:40:36 EST DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 EXHIBIT "A" INSURANCE REQUIREMENTS GRAMMARLY Commercial General Liability A. Limits of Liability Bodily Injury and Property Damage Liability Each Occurrence $1,000,000.00 General Aggregate Limit $2,000,000.00 Personal and Adv. Injury $1,000,000.00 Products/Completed Operations $1,000,000.00 B. Endorsements Required City of Miami listed as additional insured, blanket form acceptable. Primary Insurance Clause Endorsement, blanket form acceptable. II. Business Automobile Liability A. Limits of Liability Bodily Injury and Property Damage Liability Combined Single Limit Hired, Borrowed or Non -Owned Autos Any One Accident $1,000,000.00 B. Endorsements Required City of Miami listed as an additional insured, blanket form acceptable. III. Worker's Compensation Limits of Liability Statutory -State of Florida Employer' s Liability A. Limits of Liability $500,000.00 for bodily injury caused by an accident, each accident $500,000.00 for bodily injury caused by disease, each employee $500,000.00 for bodily injury caused by disease, policy limit IV. Umbrella Liability Combined Single Limit Each Common Cause $1,000,000.00 General Aggregate Limit $1,000,000.00 The city is listed as additional insured, blanket form acceptable. Coverage is excess follow form over all applicable policies contained herein. Blanket form acceptable. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 V Tech E&O/Cyber Liability Each Claim $5,000,000.00 Policy Aggregate $5,000,000.00 Retroactive date included Grammarly shall provide the Customer with written notice if coverage is to be non -renewed, cancelled, or materially changed in some way so as to not provide the same minimum coverages or limits of insurance as cited above. Companies authorized to do business in the State of Florida, with the following qualifications, shall issue all insurance policies required above: The company must be rated no less than "A-" as to management, and no less than "Class V" as to Financial Strength, by the latest edition of Best's Insurance Guide, published by A.M. Best Company, Oldwick, New Jersey, or its equivalent. All policies and/or certificates of insurance are subject to review and verification by the Customer's Risk Management Department prior to insurance approval. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Exhibit "B" GRAMMARLY ACCEPTABLE USE POLICY Grammarly's Acceptable Use Policy is set forth at the following link: https://www.grammarly.com/acceptable- use-policy. It is also included below. Customer will not, and will not permit its End Users to, misuse the Services. For example, the Customer and its End Users must not: • Attempt to probe, scan or test the vulnerability of the Service or any associated system or network, or to breach any security or authentication feature or measures of the Service without Grammarly's written permission. • Interfere or attempt to interfere with service to any user, host, or network, including, without limitation, by means of submitting malicious software or computer code, load testing, overloading, "flooding," "spamming," "mail bombing," or "crashing." • Attempt to access or derive the source code or architecture of any of the Service. • Attempt to derive any underlying components of Grammarly's models, algorithms, or systems. • Access content or data not intended for that End User, log onto a server or account that such End User is not authorized to access, or otherwise violate or attempt to violate any security or authentication feature or measure of the Services. • Access, search, or create accounts for our Services by any means other than our publicly supported interfaces. • Use our services for any illegal purpose, or in violation of any applicable laws. • Misuse our intellectual property. You may not, for example, copy, modify, or create derivative works based on our intellectual property or distribute, transmit, publish, or otherwise disseminate any of our intellectual property. You also may not download or store any of our intellectual property except to the extent we have permitted it. • Access or use our services for the benefit of any third party other than authorized End Users. • Impersonate any person or entity, or falsely state or otherwise misrepresent an affiliation with a person or entity. • Sell, resell, or lease the Services or purport to grant any rights under the agreement or our terms of service to third parties. • Use or access the Services in order to build a competitive product, service, or solution. • Establish an account for the Services as an individual for personal, family, or household purposes. • Harass or abuse Grammarly personnel or representatives or agents performing services on behalf of Grammarly • Transmit or upload any content that: (i) infringes any intellectual property or other legal rights of any party, (ii) Customer or End User do not have the right to upload under law; (iii) contains any malicious software or computer code; (iv) poses or creates a privacy or security risk to any person or entity; or (v) constitutes unsolicited or unauthorized materials. • Violate the privacy of others, including publishing or posting other people's private and confidential information without their express permission, or collecting or gathering other people's personal information (including account names or information) from the Services. • Harass others or advance bigotry or hatred against any person or group based on attributes such as their race, ethnicity, caste, national origin, sex, gender identity, gender presentation, sexual orientation, religious affiliation, age, serious illness, disabilities, or other protected classifications. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Exhibit C Service Specific Terms Grammarly's Service -Specific Terms are set forth at the following link: https://www.grammarly com/terms/customer-business-agreement. They are also included below. These Service -Specific Terms set forth additional terms and conditions that apply to your use of the Services listed below and are made a part of the agreement governing your use of the Services. Any terms not defined here have the meaning given to them in the agreement governing your use of the Services. Grammarly may update these Service -Specific Terms from time to time, including to add other Service -Specific Terms for new Services made available by Grammarly, by posting an updated version. If an update materially changes any Service -Specific Terms for any Services already purchased by Customer, Grammarly will notify Customer in accordance with the agreement governing your use of the Services. Generative AI 1. Service Description. "Generative AI " refers to our generative AI services and features. If you use Grammarly's Generative AI, it is included in the definition of Services. 2. Generated Output. During your Subscription Term, we grant you and your End Users the right to use Grammarly's Generative AI to submit inputs and receive generated outputs. When you or your End Users use Grammarly's Generative AI, such inputs and outputs are your Customer Data. You are responsible for your Customer Data. You acknowledge that due to the nature of machine learning and the technology powering Generative AI, outputs may not be unique and Grammarly may generate the same or similar output for third parties. You hereby irrevocably release and agree not to sue us with respect to any liability for direct or indirect copyright, trademark or other infringement, misappropriation or violation of any rights with respect to any generated output. 3. Machine Learning for Product Improvement. You acknowledge that a fundamental component of Grammarly's Generative AI is the use of machine learning for the purpose of providing and improving our products and services. Subject to the Agreement and the relevant data processing agreement, as applicable, Grammarly may use Customer Data generated by you and your End Users' use of Generative All to provide, protect, maintain, and improve the Services, comply with applicable law, and enforce our policies. 4. Usage Limits. Depending on your purchased Services, you may have a limit on your use of Grammarly's Generative AI. If you exceed the usage limit allotted by your subscription plan: (i) you may be required to purchase additional usage to continue accessing and using Grammarly's Generative AI and (ii) Grammarly may suspend or degrade performance of the Generative AI features. You acknowledge that any purchased usage for Generative AI is tied to your Grammarly subscription, and account termination will invalidate any remaining purchased usage. 5. Usage Restrictions. You and your End Users may not use Grammarlys' Generative AI: To develop foundation or large language models that compete with Grammarly. To mislead any third party that any output from Grammarly's Generative AI was solely human generated. In a way that infringes, violates, or misappropriates any of our rights or the rights of any third partY- DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 In a manner that violates these terms, Grammarly documentation, usage guidelines, or our Acceptable Use Policy. 6. WARRANTY DISCLAIMER. GRAMMARLY DOES NOT MAKE ANY WARRANTY REGARDING THE OUTPUTS THAT MAY BE GENERATED FROM USE OF GENERATIVE AI, INCLUDING WITH RESPECT TO THE FACTUAL ACCURACY OF ANY OUTPUTS OR SUITABILITY FOR YOUR USE CASE. YOU UNDERSTAND AND AGREE THAT YOUR USE OF ANY GENERATIVE AI OUTPUTS IS DONE AT YOUR SOLE RISK. DUE TO THE CURRENT NATURE OF GENERATIVE TECHNOLOGY, YOU SHOULD NOT RELY ON GRAMMARLY'S GENERATIVE AI AS A SINGLE SOURCE OF FACTUAL INFORMATION. NO INFORMATION OR ADVICE, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM GRAMMARLY OR THROUGH GRAMMARLY'S GENERATIVE AI SHALL CREATE ANY WARRANTY NOT EXPRESSLY MADE HEREIN. 7. Updates. From time to time, we may modify these terms. The effectiveness and our obligations to you regarding such modifications are as set forth in the agreement. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Exhibit D Grammarly Data Privacy Addendum This Data Privacy Addendum ("Addendum") is incorporated into and subject to the terms and conditions of the current version of the agreement ("Agreement") between City of Miami for their Police Department ("Customer") and Grammarly, Inc. ("Grammarly") (each a "Party" and collectively the "Parties"). All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. This Addendum reflects the Parties' agreement with respect to the terms governing Grammarly's processing of Personal Data protected by Data Privacy Laws. For any other data, including admin account information, this Addendum shall not apply. In the event of any conflict or inconsistency between the terms of the main Agreement and this Addendum, the terms of this Addendum shall take precedence over the Agreement and any other associated contractual document between the Parties, to the extent of any such conflict. The Parties agree as follows: 1. Definitions. For purposes of this Addendum: a. "Data Privacy Laws" means all data protection laws and regulations applicable to a Parry's Processing of Personal Data, including and as applicable: (i) California Consumer Privacy Act and the California Privacy Rights Act (together, the "CCPA"); (ii) EU Data Privacy Laws; and (iii) UK Data Privacy Laws in each case as amended, superseded or updated from time to time. b. "Data Subject" means an identified or identifiable natural person about whom Personal Data relates. c. "EU Data Privacy Laws" means all data protection laws and regulations applicable to Europe, including: (i) General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national implementations of the GDPR; and (ii) in respect of Switzerland, The Federal Act on Data Protection of 19 June 1992 and its Ordinances (the "Swiss DPA"). d. "Europe" means, for the purposes of this Addendum, the European Union, Iceland, Liechtenstein, Norway, Switzerland, and the United Kingdom. e. "EU SCCs" means standard contractual clauses between controllers and processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (attached hereto as Exhibit C). f. "Personal Data" includes any Customer Data that is protected as "personal data," "personal information," or "personally identifiable information," under Data Privacy Laws and Processed by Grammarly on behalf of Customer via the Service in connection with the Service, as more particularly described in Exhibit A (Data Processing Description) of this Addendum. g. "Process" and "Processing" mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. h. "Security Breach" means any breach of security that leads to the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Grammarly and/or its Sub -processors in connection with the provision of the Service. i. "Standard Contractual Clauses" means, as applicable, the EU SCCs, the UK SCCs, or the Swiss SCCs. J. "Sub -processor" means any processor engaged by Grammarly or its affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Addendum. Sub -processors may include third parties or affiliates of Grammarly but shall exclude any Grammarly employee, contractor or consultant. k. "Swiss SCCs" means the standard contractual clauses as approved by the Swiss Federal Data Protection and Information Commissioner ("FDPIC"). 1. "UK Data Privacy Laws" means all data protection laws and regulations applicable to the United Kingdom, including (i) the Data Protection Act 2018 and (ii) Data Protection, Privacy, and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019, each as amended, supplemented, or replaced from time to time. m. "UK SCCs" means the standard contractual clauses as approved by the United Kingdom Information Commissioner's (attached hereto as Exhibit D). n. The terms "controller", "personal data", and "processor" shall have the meanings given to them in GDPR and the terms "personal information", "business", "business purpose", "commercial purpose", "collect", "consumer", "service provider", "sell", and "share" shall have the meanings given to them in the CCPA. 2. Scope and Purposes of Processing. a. This Addendum applies to the extent Grammarly Processes as a processor or service provider (as applicable) any Personal Data protected by Data Privacy Laws. Grammarly will only Process Personal Data as set forth in this Addendum and in compliance with Data Privacy Laws. b. The Parties acknowledge and agree that Customer is a controller or business (as applicable) with respect to the Processing of Personal Data, and Grammarly will Process Personal Data only as a processor or service provider (as applicable) on behalf of Customer, as further described in Exhibit A (Data Processing Description) of this Addendum. c. As a processor or service provider, Grammarly shall Process Personal Data only for the purposes described in this Addendum and only in accordance with Customer's written lawful DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 instructions. The Parties agree that the Agreement (including this Addendum) sets out the Customer's complete and final instructions to Grammarly in relation to the Processing of Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. d. Without prejudice to Section 3 (Customer Responsibilities), Grammarly shall immediately notify Customer in writing, unless prohibited from doing so under Data Privacy Law, if it becomes aware or believes that any Processing instructions from Customer violates EU Data Privacy Laws and UK Data Privacy Laws. 3. Customer Responsibilities. a. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. b. Customer represents and warrants that: (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable laws, including Data Privacy Laws, for Grammarly to lawfully Process Personal Data for the purposes contemplated by the Agreement (including this Addendum); (ii) it has complied with all applicable laws, including Data Privacy Laws in the collection and provision to Grammarly of such Personal Data; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Data Privacy Laws) and that the processing of Personal Data by Grammarly in accordance with Customer's instructions will not cause Grammarly to be in breach of applicable Data Privacy Laws. 4. CCPA Processing. a. To the extent Grammarly Processes Personal Data that is protected by the CCPA, the terms in this Section 4 shall apply in addition to the terms in the remainder of the Addendum. In the event of any conflict or ambiguity between the terms in this Section 4 and any other terms in this Addendum, the terms in this Section 4 shall take precedence but only to the extent they apply to the Personal Data in question. b. Grammarly will not: i. Sell or Share Personal Data, or otherwise retain, use, disclose, or Process Personal Data, for any purpose other than for the specific purposes set forth herein or otherwise outside the direct business relationship between the Parties. ii. Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Grammarly will not Process Personal Data outside of the direct business relationship between Customer and Grammarly. iii. Attempt to link, identify, or otherwise create a relationship between Personal Data and non -Personal Data or any other data without the express authorization of Customer. c. The Parties acknowledge that Personal Data that has been de -identified is not "personal DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 information" (within the meaning of the CCPA). Grammarly may de -identify Personal Data only if it: i. Has implemented technical safeguards that prohibit re -identification of the Data Subject to whom the information may pertain; ii. Has implemented business processes that specifically prohibit re -identification of the information; iii. Has implemented business processes to prevent inadvertent release of de -identified information; and iv. Makes no attempt to re -identify the information. d. Grammarly hereby certifies that it understands its restrictions and obligations set forth in this Section 4 and will comply with them. 5. Data Subject Rights and Cooperation. a. Grammarly will promptly notify Customer of: (i) any third -party or individual (e.g. on Customer's behalf); or (ii) any government or Data Subject requests for access to or information about Grammarly's Processing of Personal Data on Customer's behalf (each a "Communication"), unless prohibited by Data Privacy Laws. In the event Grammarly receives such Communication directly, Grammarly will not respond to such Communication except as appropriate (for example, to direct the Data Subject to contact Customer) or where legally required, without Customer's prior authorization. b. Taking into account the nature of the Processing and upon written request of Customer, Grammarly will provide all reasonable co-operation to assist Customer, by appropriate technical and organizational measures, in so far as is possible, to respond to Communications. c. To the extent required under applicable Data Privacy Laws, and taking into account the nature of the Processing and the information available to Grammarly, Grammarly will provide all reasonably requested information regarding the Service to enable Customer to carry out a data protection impact assessment or prior consultation with supervisory authorities, as required by Data Privacy Laws. Grammarly shall comply with the foregoing by: (i) complying with Section 10 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub -sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer's expense). 6. Data Security. a. Grammarly will: (i) implement appropriate and reasonable administrative, technical, physical, and organizational measures designed to protect Personal Data from Security Breaches and to preserve the security and confidentiality of Personal Data in accordance with the Grammarly Security Whitepaper (available at DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 https://www.grammarly.com/about/GrammarlySecurityWhitepaper.pdf or such other successor URL notified to Customer) ("Security Measures"); and (ii) ensure that person it authorizes to Process the Personal Data is under an appropriate obligation of confidentiality (whether statutory or contractual). b. Customer is responsible for reviewing the information made available by Grammarly relating to data security and making an independent determination as to whether the Service meets Customer's requirements and legal obligations under Data Privacy Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Grammarly may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer. c. Notwithstanding the above, Customer agrees that except as provided by this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service. 7. Security Breach. a. Upon becoming aware of a Security Breach, Grammarly will: (i) notify Customer promptly, and where feasible, within 48 hours of becoming aware of any Security Breach; (ii) provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Breach. b. Grammarly's notification of or response to a Security Breach under this Section 7 shall not be construed as an acknowledgment by Grammarly of any fault or liability with respect to the Security Breach. 8. Sub -Processors. a. Customer acknowledges and agrees that Grammarly may engage Sub -processors to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. A current list of Grammarly's Sub -processors is available in Annex III to the EU SCCs. and Customer hereby consents to Grammarly's use of such Sub -processors. b. Grammarly shall: (i) enter into a written agreement with each Sub -processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub -processor; and (ii) remain responsible for such Sub -processor's compliance with the obligations of this Addendum and for any acts or omissions of such Sub -processor that cause Grammarly to breach any of its obligations under this Addendum. c. Grammarly shall notify Customer if it adds or removes Sub -processors at least fourteen (14) days prior to any such changes if Customer opts in to receive such notifications using the DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 dedicated form referenced in the Sub -processor Page. Customer may object in writing to Grammarly's appointment of any new Sub -processor prior to their appointment on reasonable grounds relating to data protection (e.g. if making Personal Data available to Sub -processor may violate applicable Data Privacy Laws or weaken the protections for such Personal Data) and in such instance, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution is reached, Grammarly will, at its sole discretion, either not appoint the Sub -processor, or permit Customer to terminate or suspend the affected Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to the fees incurred by Customer prior to suspension or termination). 9. Data Transfers. a. To the extent Grammarly is a recipient of Personal Data protected by EU Data Privacy Laws, Grammarly agrees to be bound by and Process such Personal Data in compliance with the EU SCCs, which are incorporated in full by reference and form an integral part of this Addendum. For the purposes of the descriptions in the EU SCCs Grammarly agrees that it is a "data importer" and Customer is the "data exporter" (notwithstanding that Customer may itself be an entity located in a third country). In case of conflict between the EU SCCs and this Addendum, the EU SCCs shall prevail. The Parties further agree that the EU SCCs will apply to Personal Data that is transferred by Customer via the Service from Europe to outside Europe, either directly or via onward transfer, to Grammarly located in a country not recognized as providing an adequate level of protection for personal data (as described in EU Data Privacy Law). b. To the extent Grammarly processes Personal Data governed by UK Data Privacy Law, the Parties acknowledge that data transfers originating from the United Kingdom to a third country which does not provide adequate protection for personal data (as described in UK Data Privacy Law) will be governed by the UK SCCs, which are incorporated in full by reference and form an integral part of this Addendum and shall remain valid until amended, replaced, or repealed by the United Kingdom Information Commissioner's Office. c. To the extent Grammarly processes Personal Data that is protected by the Swiss DPA, the EU SCCs will apply, with the following modifications: i. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA; ii. references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and iii. references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the FDIPC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 populated using the information contained in Exhibits A and B. 10. Audits. a. Upon Customer's request, Grammarly will make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer in order to assess compliance with this Addendum. Customer acknowledges and agrees that it shall exercise its audit rights under this Addendum (including this Section 10(a) and, where applicable, the Standard Contractual Clauses) and any audit rights granted under Data Privacy Laws, by instructing Grammarly to comply with the audit measures described in Sections 10(b) below. b. Upon written request, Grammarly will supply (on a confidential basis) to Customer a summary copy of its most current audit report(s) ("Audit Report") prepared by third -party security professionals at Grammarly's selection and expense. In addition to the Audit Report, Grammarly shall respond to all reasonable requests for information made by Customer to confirm Grammarly's compliance with this Addendum, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer's written request to privacy@grammarly.com provided that Customer shall not exercise this right more than once per calendar year. 11. Return or Destruction of Personal Data. a. Upon termination or expiration of the Agreement, Grammarly will, at the choice and written request of Customer, return to Customer and/or securely destroy all Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Grammarly is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which data Grammarly shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices. 12. Limitation of Liabilitv. a. Grammarly's liability arising out of or in connection with this Addendum is subject to the limitations and exclusions of liability stated in the Agreement. 13. Term. a. The effective date of this Addendum is the date of the latest signature of a Party or, if no such date exists, the effective date of the Agreement. 14. Survival. a. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Grammarly or its Sub -Processors Process Personal Data. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 IN WITNESS WHEREOF, the parties hereto have caused this instrument to be executed by their respective officials thereunto duly authorized on the date provided herein. DocuSigned by: ATTEST: "Grammarly" GRAMMARLY, INC., a Delaware profit corporation authorized to conduct c—"-briSPness in California BY: 6unt -t-afa�n Kourtney Keaton Name: Title: GM of Grammarly Business Date2/8/2024 1 2:19 PM PST "Customer" CITY OF MIAMI, a Florida municipal corporation Do .S.9ned BY: �-`�—, � � BY: Exeu,� tii.r rasa Todd B. Hannon Arthur Noriega V CityGruary 20, 2024 1 12:22:14 EST CityMaivary 16, 2024 1 17:47:56 EST Date: Date: APPROVED AS TO LEGAL FORM AND APPROVED AS TO INSURANCE CORRECTNESS: BY: J7 Date: ems; FDS Victoria Mendez (matte r 23-3230) City Attorney February 14, 2024 1 02:37:51 EST REQUIREMENTS: BY: I r G u,`"1,d° Anne Marie Sharpe, Director Risk Management February 9, 2024 1 14:40:36 EST Date: DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Exhibit A: Data Processing Description a. Subject matter, nature, and purpose of Processing: Grammarly will process Personal Data solely to fulfill its purposes under the Agreement, including Processing Personal Data: (i) to provide the Service in accordance with the Agreement; (ii) to perform any steps necessary for the performance of the Agreement; (iii) to perform any Processing activity initiated by Customer in its use of the Service; and (iv) to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement and this Addendum. b. Anticipated duration of Processing: For the term of the Agreement plus the period from expiration or termination of the Agreement until deletion of all Personal Data by Grammarly in accordance with the Agreement. c. Typical categories of Data Subjects: Data subjects include the individuals about whom data is provided to Grammarly via the Service by (or at the direction of) Customer or its Users. d. Categories of Personal Data typically subject to Processing under the Agreement: The categories of Personal Data are determined by Customer in its sole discretion and include data relating to individuals provided to Grammarly via the Service, by (or at the direction of) Customer or its Users — for example in the text in electronic form submitted to the Service. e. Special categories of Personal Data: Grammarly does not intentionally collect or Process any special categories of Personal Data. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Exhibit B. Technical and organisational measures including technical and organisational measures to ensure the security of the data Grammarly performs strict administrative, contractual, and technical procedures to protect information transferred to and out, and stored on its servers for the provision of its services. All Grammarly server -side infrastructure is hosted on an industry -leading secure cloud platform through Amazon Web Services (AWS) in the United States. Only a small number of Grammarly's servers and network ports can be accessed through the internet, and they are behind load balancers and a web application firewall (WAF). All components that process user data operate in Grammarly's private network inside our secure cloud platform. Grammarly is registered for AWS Enterprise Support, the highest possible tier of AWS support. Grammarly encrypts all data transfers between itself and data exporters by up-to-date encryption protocols, including TLS 1.2. Customer data is encrypted at rest in AWS using AES-256 server -side encryption. Grammarly utilizes AWS Key Management Services (KMS) for database encryption and key management. Access to the cryptographic keys is restricted to authorized personnel. Grammarly internal services are available via its virtual private network, with the exception of services that must have access to the public internet for Grammarly's product provisioning to customers. Access to the Personal Data storage is performed only through usage of complicated passwords, multi - factor authentication and personalized user accounts of a limited number of employees who require the access to perform their job functions. Passwords are stored in encrypted databases with applied bcrypt hashing. Access to the information is logged and monitored by the Security team. Grammarly's Compliance teams define and control the collection, processing and storage of customers' Personal Data. For this, Grammarly uses data flow maps, service inventory, new service launch and other processes to track all internal and external data transfers. Detailed information about Grammarly's technical and organisational measures to ensure the security of the data are specified in the enterprise -grade attestation and regulatory compliance page https://www.grammarly.com/security and https://www.grammarly.com/trust. DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Exhibit C Standard Contractual Clauses (Controller -to -Processor) This attachment is attached to and forms part of the Grammarly Data Privacy Addendum available at https://grammarly.com/online-DPA, or other agreement between Customer and Grammarly governing the processing of Customer Data (the "Addendum"). Unless otherwise defined in this attachment, capitalized terms used in this attachment have the meanings given to them in the Addendum. SECTION I Clause 1 Purpose and scope (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)' for the transfer of personal data to a third country. (b) The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter "entity/ies") transferring the personal data, as listed in Annex I.A. (hereinafter each "data exporter"), and (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each "data importer") have agreed to these standard contractual clauses (hereinafter: "Clauses"). (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses. Clause 2 Effect and invariability of the Clauses (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub -processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. 2 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679. Clause 3 Third -party beneficiaries (a) Data subjects may invoke and enforce these Clauses, as third -party beneficiaries, against the data exporter and/or data importer, with the following exceptions: (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; (ii) Clause 8.1(b), 8.9(a), (c), (d) and (e); (iii) Clause 9(a), (c), (d) and (e); (iv) Clause 12(a), (d) and (f); (v) Clause 13; (vi) Clause 15.1(c), (d) and (e); (vii) Clause 16(e); (viii) Clause 18(a) and (b). (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. Clause 4 Interpretation (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. Clause 5 Hierarchy Subject to the applicability of EU regulations, in the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail. 3 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Clause 6 Description of the transfer(s) The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B. Clause 7 - Optional Not used SECTION II — OBLIGATIONS OF THE PARTIES Clause 8 Data protection safeguards The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses. 8.1 Instructions (a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. (b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. 8.2 Purpose limitation The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter. 8.3 Transparency On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679. 8.4 Accuracy If the data importer becomes aware that the personal data it has received is inaccurate, or has become 4 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data. 8.5 Duration of processing and erasure or return of data Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data 4 importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a). 8.6 Security of processing (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter "personal data breach"). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. (b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. (c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it 5 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 becomes available, subsequently be provided without undue delay. (d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. 8.7 Sensitive data Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter "sensitive data"), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B. 8.8 Onward transfers The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter "onward transfer") if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if: (i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; (ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question; (iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation. 8.9 Documentation and compliance (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses. (b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter. (c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter's request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer. (d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. (e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. 6 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Clause 9 Use of sub -processors (a) The data importer has the data exporter's general authorisation for the engagement of subprocessor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of subprocessors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. (b) Where the data importer engages a sub -processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under Section 6 of these Clauses, including in terms of third -party beneficiary rights for data subjects.2 The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub -processor complies with the obligations to which the data importer is subject pursuant to these Clauses. (c) The data importer shall provide, at the data exporter's request, a copy of such a subprocessor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy. (d) The data importer shall remain fully responsible to the data exporter for the performance of the sub -processor's obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub -processor to fulfil its obligations under that contract. (e) The data importer shall agree a third -party beneficiary clause with the sub -processor whereby -- in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent -- the data exporter shall have the right to terminate the sub -processor contract and to instruct the sub -processor to erase or return the personal data. Clause 10 Data subject rights (a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter. (b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects' requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the 2 This requirement may be satisfied by the sub -processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. 7 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 scope and the extent of the assistance required. (c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter. Clause 11 Redress (a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject. (b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them. (c) Where the data subject invokes a third -party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13; (ii) refer the dispute to the competent courts within the meaning of Clause 18. (d) The Parties accept that the data subject may be represented by a not -for -profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. (e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law. (f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws. Clause 12 Liability (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. (b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non -material damages the data importer or its sub -processor causes the data subject by breaching the third -party beneficiary rights under these Clauses. (c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non -material damages the data exporter or the data importer (or its sub -processor) causes the data subject by breaching the third - party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. (d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub -processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer's responsibility for the damage. (e) Where more than one Party is responsible for any damage caused to the data subject as a result of 8 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. (f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage. (g) The data importer may not invoke the conduct of a sub -processor to avoid its own liability. Clause 13 Supervision (a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority. (b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken. SECTION III — LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES Clause 14 Local laws and practices affecting compliance with the Clause (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society 9 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses. (b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements: (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; (ii) the laws and practices of the third country of destination— including those requiring the disclosure of data to public authorities or authorising access by such authorities — relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards'; (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination. (c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses. (d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request. (e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). (f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply. 3 As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative timeframe. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. 10 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Clause 15 Obligations of the data importer in case of access by public authorities 15.1 Notification (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. (c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). (d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. (e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses. 15.2 Review of legality and data minimisation (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e). (b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the 11 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. (c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. SECTION IV — FINAL PROVISIONS Clause 16 Non-compliance with the Clauses and termination (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. (b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f). (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a 11 reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. (d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. 12 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Clause 17 Governing law Subject to applicability, these Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third -party beneficiary rights. The Parties agree that this shall be the law of Ireland. Clause 18 Subject to Applicability, Choice of forum and jurisdiction (a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. (b) The Parties agree that those shall be the courts of Ireland. (c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. (d) The Parties agree to submit themselves to the jurisdiction of such courts. 13 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 ANNEX I A. LIST OF PARTIES Data exporter(s): Name: The entity identified as "Customer" in the Addendum. Address: The address for Customer specified in the Addendum or the Agreement. Contact person's name, position and contact details: The contact details associated with the Customer's account, or as otherwise specified in the Addendum or the Agreement. Activities relevant to the data transferred under these Clauses: The activities specified in the Exhibit "A" of the Addendum. Signature and date: By using the Grammarly services to transfer Customer Data to third countries, the data exporter will be deemed to have signed this Annex I. Role (controller / processor): Controller Data importer(s): Name: "Grammarly" as identified in the Addendum. Address: The address for Grammarly as specified in the Agreement. Contact person's name, position and contact details: The contact details for Grammarly specified in the Addendum or the Agreement. Activities relevant to the data transferred under these Clauses: The activities specified in the Exhibit "A" of the Addendum. Signature and date: By transferring Customer Data to third countries on Customer's instructions, the data importer will be deemed to have signed this Annex I. Role (controller / processor): Processor B. DESCRIPTION OF TRANSFERS Categories of data subjects whose personal data is transferred Categories of data subjects are specified in Exhibit "A" of the Addendum. Categories of personal data transferred The personal data is described in Exhibit "A" of the Addendum. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. The data exporter might include sensitive personal data in the personal data described in Exhibit A of the Addendum. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) Personal data is transferred in accordance with Customer's instructions as described in Section 9 of the Addendum. 14 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Nature of the processing The nature of the processing is described in Exhibit "A" of the Addendum. Purpose(s) of the data transfer and further processing To provide the Services. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period The data exporter determines the duration of processing in accordance with the terms of the Addendum. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing The subject matter, nature and duration of the processing are described in Exhibit "A" of the Addendum. C. COMPETENT SUPERVISORY AUTHORITY Identify the competent supervisory authority/ies in accordance with Clause 13 The data exporter's competent supervisory authority will be determined in accordance with the GDPR. 15 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. The technical and organizational measures (including the certifications held by the data importer) as well as the scope and the extent of the assistance required to respond to data subjects' requests, are described in the Addendum. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub -processor, to the data exporter. The technical and organisational measures that the data importer will impose on sub -processors are described in the Addendum. 16 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 ANNEX III Sub -processor List 1. AWS. Address: 410 Terry Avenue North, Seattle, WA 98109-5210, USA. Contact person's name, position and contact details: https://console.aws.amazon.com/support/home Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Data hosting; Product infrastructure. 2. Zendesk. Address: 1019 Market Street, San Francisco, CA 94103, USA Contact person's name, position and contact details: privacy@zendesk.com Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Customer support ticketing management. 3. Twilio Address: 375 Beale Street Suite 300 San Francisco, CA 94105 USA Contact person's name, position and contact details: privacy@twilio.com Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Cloud communications platform. 4. Sumo Logic Address: 305 Main Street, Redwood City, CA 94063, USA Contact person's name, position and contact details: emea-privacy@sumologic.com Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Survive monitoring, security event management. 5. Salesforce Address: 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA Contact person's name, position and contact details: privacy@salesforce.com Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Client relationship management; marketing campaign management. 6. Outreach Address: 1441 N. 34th Street, Suite #100 Seattle, WA 98103, USA Contact person's name, position and contact details: security@outreach.io DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Lead generation management; email campaign management. 7. PayPal Address: 2211 North First Street San Jose, California, U.S. Contact person's name, position and contact details: https://www.paypal.com/ua/smarthelp/contact-us/privacy Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Financial transactions. 8. Braintree Address: 222 W Merchandise Mart Plaza STE 800, Chicago, IL 60654, USA Contact person's name, position and contact details: https://www.braintreepayments.com/contact Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Financial transactions. 9. Thomson Reuters Address: 1 Station P1 Ste 6 Stamford, CT, 06902-6893 USA Contact person's name, position and contact details: privacy.issues@thomsonreuters.com Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Tax payments processing. 10. Kount Address: 1005 W Main St, Boise, ID 83702, USA Contact person's name, position and contact details: privacy@equifax.com Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Payment fraud prevention. 11. Azure Address: 101 Herbert Dr, Boydton, VA 23917, USA Contact person's name, position and contact details: https://www.microsoft.com/en-us/concern/privacy Description of processing (including a clear delimitation of responsibilities in case several sub -processors are authorised): Plagiarism detection infrastructure. Exhibit D DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 UK INTERNATIONAL DATA TRANSFER ADDENDUM Subject to applicability, to the extent that Grammarly is a recipient of Personal Data governed by UK Data Privacy Law in a country that is not recognized as providing an adequate level of protection for Personal Data as described in the UK GDPR, the Parties agree to abide by the EU SCCs together with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B 1.0, in force March 21, 2022) available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf; as may be amended, superseded, or replaced (the "UK Addendum"). The UK Addendum is incorporated into the Addendum by reference. Capitalized terms used but not defined in this UK Addendum will have the meaning provided in the Addendum and the Agreement. The UK Addendum is deemed completed as follows: (a) Table 1 will be populated by the information in the Agreement. For the avoidance of doubt, Grammarly is acting as the Importer and Customer is acting as the Exporter. (b) Table 2: The Parties agree this UK Addendum is appended to the EU SCCs. (c) Table 3 is completed as follows: (i) Annex 1A: List of Parties: As set forth in Annex I to the EU SCCs. (ii) Annex 1B: Description of Transfer: As set forth in Annex I to the EU SCCs. (iii) Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set forth in Exhibit B of the Addendum. (iv) Annex III: List of Sub processors (Modules 2 and 3 only): As set forth in Annex III to the EU SCCs. (d) Table 4: The Parties elect that neither party may end the UK Addendum with respect to Section 19 of the UK Addendum. 3 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 GRAMMARLY SECURITY STANDARDS SECURITY GOVERNANCE AND OVERSIGHT 1. Security organization. Grammarly has established a variety of organizational units to develop and implement security throughout the organization. Dedicated teams (including Security Operations, Application Security and Governance, and Risk and Compliance) have been established to monitor and protect Grammarly's security posture. A company -wide Security Champions program enables collaboration between security specialists and each engineering team. 2. Policies. Grammarly maintains policies and procedures that apply security requirements across key business processes, including security risk assessment, information classification, vendor management, access management, and change management. 3. Information classification and handling. Grammarly has implemented an Information Classification and Handling policy as well as respective processes for identification, classification, and management of information and the respective services that process this information. 4. People. Grammarly's employees and contractors undergo background verification checks as a part of the hiring process. During the onboarding process, new employees sign a Confidentiality Agreement and an Acceptance of Grammarly Policies, which state that employees are obligated to comply with the company's information security requirements. In the event of non-compliance, Grammarly has a right to apply disciplinary measures, up to and including termination. 5. Vendor management. Grammarly has implemented a formal vendor management program for managing risks related to the third -party cloud technology services. The program includes processes for vendor onboarding and ofboarding as well as periodic review of existing vendors. 6. Security audits. On a periodic basis, Grammarly engages third -party consultancies to conduct security audits against industry best practices, including audits to the standards established by the International Organization for Standardization ("ISO") and System and Organization Controls ("SOC"). The ISMS Manager presents the security audit findings and relevant remediation plans to the Security Strategy team to review and align security strategy and to allocate appropriate funds and resources to further strengthen Grammarly's overall security posture. 7. Risk management. Through a formal risk management program, Grammarly continuously monitors, identifies, assesses, and resolves risks that could have an impact on privacy or security. Within risk management, Grammarly performs business impact analysis to identify the most critical services for customers and business operation and to prioritize risk treatment for these critical services. ACCESS MANAGEMENT 1. Secure authentication. Access to the Grammarly infrastructure and services is granted only after user authentication. Authentication is performed based on the unique login credentials issued for each individual. 2. Authentication procedures. Grammarly enables SSO for all internal services with a human login interface, with defined password complexity requirements and two -factor authentication. External services which do not support integration with Grammarly SSO are required to adhere to established password requirements. 3. Access provisioning. Access to Grammarly infrastructure and services is restricted to authorized personnel and provided following the principle of least privilege. Standard access is granted to employees after signing an NDA and other security documents. Non-standard access requires formal approval by the service owner before granting. 4. Access deprovisioning. When an employee or contractor leaves the company, access to services is blocked. 5. User access review. Access rights reviews are performed annually Contractors' access is additionally reviewed quarterly. 6. Administrative access on the corporate laptops. The IT Support team restricts administrator privileges through a 4 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 centralized mobile management solution to decrease the risk of malicious activity on end -user devices. ASSET MANAGEMENT 1. Service Inventory. Grammarly maintains an up-to-date inventory of all internally developed services, as well as third -party cloud services, used in the organization. Service inventory contains information for the proper service management and compliance with the security standards. 2. Customer data flow. Grammarly uses data flow maps to identify and manage customer data flows within internal and external IT services, adhering to the Privacy Policy when customer information is used, collected, retained, or deleted. The data flow diagram is maintained continuously and reviewed on an annual basis. 3. Corporate device inventory. Grammarly's IT team maintains a central inventory of all corporate laptops and devices. The IT team centrally applies encryption, patch management, and software blocklisting on all devices. 4. Corporate device data sanitization. Grammarly sanitizes all residual data on any company -owned device in the event of disposal, replacement, or transfer to another owner. INFRASTRUCTURE MANAGEMENT 1. Infrastructure provider. All Grammarly server infrastmcture is hosted in Amazon Web Services ("AWS") data centers and located in the United States in the US East region (North Virginia). As an infrastructure provider and solutions partner, AWS helps Grammarly in supporting scalability, availability, and durability of Grammarly's platform and services. 2. Virtual private network. With the exception of services that must have access to the public internet to provide Grammarly's product to customers, Grammarly internal services are available only via its Virtual Private Network ("VPN"). 3. Network segregation. Grammarly uses various methods for the segregation of services and environments on various infrastmcture and organizational layers, such as AWS accounts, Virtual Private Clouds ("VPCs"), Network Access Control lists, and security groups. 4. Web application firewalls. The AWS web application firewall is configured to protect public Grammarly web applications against web -based attacks, described in the Open Web Application Security Project Top 10 vulnerabilities, well-known vulnerability scanners and crawlers, and any specific threats that might arise against Grammarly services. 5. User data encryption. Grammarly encrypts all data in transit and at rest. Data transfer is protected using the industry -standard TLS 1.2 protocol, while data at rest in AWS is encrypted using AES-256 server -side encryption. Grammarly uses AWS Key Management Services for database encryption and secure key management. 6. Antivirus and cyber-threats protection. Grammarly uses an enterprise -grade Endpoint Detection and Response platform on all corporate laptops for protection, centralized reporting, and notifications on potentially malicious activities to the Security team. 7. Corporate software. Grammarly has a formal procedure to request, review, and approve software on company - issued laptops. Security and IT team periodically reviews and blocklists malicious software on the corporate laptops. 8. Patch management. Grammarly has a procedure for handling standard and critical patches. In the event that a high- level, exploitable vulnerability is detected, the procedure mandates an update to the latest stable version within 14 days of the official release. In the event that a critical or emergency security update is released by a publisher to fix a critical and exploitable vulnerability, the procedure mandates that the software update process must be initiated within 24 hours. CHANGE MANAGEMENT 1. Separation of environments. Production and non -production environments are separated, with the use of separate 5 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 accounts, virtual private clouds, and AWS security groups. Application development and testing occur outside of the production environment. 2. Secure development. Grammarly services are designed, developed, tested, and deployed against known security vulnerabilities, including those listed by the Open Web Application Security Project. Guidelines for secure development and testing are maintained and communicated to all engineers during onboarding. A variety of automated security scanning tools are used to perform a thorough security vulnerability assessment of the change before deployment to production. 3. Change testing. Grammarly maintains guidelines for creating and using tests, including security tests. Each development team must define a minimum set of tests that each build needs to pass prior to production deployment. If any test from this essential test suite fails, the whole build will fail to deploy. Test reports and other test execution artifacts (such as reports and screenshots) are stored and reviewed prior to deployment. 4. Peer review of changes. Repositories of critical services are configured to prevent any changes that have not been peer -reviewed from being merged with the main branch. Grammarly maintains guidelines on how to perform a peer review, which include definitions about who should perform such a review and what to pay attention to when conducting it. 5. Protection of data during development and testing. Grammarly does not use user -generated content that is identifiable with users' accounts for development purposes. Grammarly applies various techniques to generate datasets for development purposes, including the dissociation of datasets from users and the use of various levels of anonymization. 6. Emergency changes. Grammarly implements emergency changes only to restore availability, core functionality, or remediate a security incident. If an emergency change bypasses peer approval prior to implementation, it is retrospectively peer -reviewed. SYSTEM OPERATIONS 1. Service performance monitoring. Service monitoring is conducted via a number of specialized services. Grammarly uses a central alerting system to notify on -call engineers and their respective teams regarding any deviation from an expected service behavior. 2. Security monitoring. Automated systems have been implemented to continuously monitor Grammarly's production environment and detect issues relating to security. 3. Security vulnerability management. The Security teams, along with teams across the Engineering organization, perform a vulnerability assessment of Grammarly services before deployment to production and post -release with self -monitoring service. Vulnerabilities have to be addressed within the timeframes defined in the SLAs in accordance to their severity levels. 4. Penetration testing. Grammarly engages a third party to conduct an external network penetration test along with AWS infrastructure and corporate security assessments on an annual basis. The Security team reviews the findings from these assessments, categorizes findings by their severity, and tracks issues for resolution in accordance with defined timelines. 5. Bug bounty program. Grammarly maintains a private bug bounty program with HackerOne. The program supports ongoing assessment of potential security vulnerabilities. Reported vulnerabilities are assessed by the HackerOne Triage Team and by Grammarly's Application Security team for applicability and severity score and are tracked for resolution in accordance with defined timelines. 6. Security incident management. Grammarly has procedures in place for managing security incidents to minimize downtime, service degradation, or security risks to customers and internal users. Incidents are categorized according to severity, which determines the necessary resolution and remediation activities. 7. Breach notification process. For incidents that impact customers' personally identifiable information ("PII"), the GRC and Legal teams investigate the incident and perform a breach notification to the relevant parties according to 6 DocuSign Envelope ID: 59AA5E65-F9C2-480E-A176-E1 FF62EDF525 an established workflow. AVAILABILITY MANAGEMENT 1. Multiple availability zones. Grammarly services are built with a high -availability mode supposing usage of multiple availability zones of AWS. By default, Grammarly's services run in three availability zones within a single region and share traffic between all three. 2. Fault tolerance. Grammarly services are deployed in clusters and designed to tolerate failure of any instance of a service without degradation of system performance or function. Scaling strategy is implemented primarily based on native AWS ECS, AWS RDS, AWS S3. 3. Scaling capabilities. Grammarly users scaling and auto scaling practices to respond to changes in the demand for compute power and to provide steady, predictable performance even during peak hours. 4. DDoS protection. Grammarly uses AWS Shield, a managed Distributed Denial of Service ("DDoS") protection service, to safeguard its critical services. It provides always -on detection and automatic inline mitigations that minimize public -facing application downtime and latency. 5. Backup strategy. Grammarly uses a variety of AWS native backup and data protection solutions to restore infrastructure, applications, and data in case of disaster of any scale. 6. Disaster recovery approach. Grammarly has a General Disaster Recovery Plan ("GDRP") to guide teams to recover against disruptions caused by unexpected events in compute capacity, applications, infrastructure, and data. The GDRP is maintained and reviewed annually On top of the GDRP, service owners create and maintain a separate Disaster Recovery Plan for their service if necessary. Each critical service has a defined target time for the service restoration in case of a disaster (RTO). 7. Availability Dashboard of Grammarly product offerings. Grammarly customers and the public can identify the current availability of Grammarly product offerings on the status page (https://status.grammarly com). USER DATA MANAGEMENT 1. User data isolation. Each of Grammarly user's data is isolated logically from other users' data. Each user is assigned a unique user ID upon account creation; user data, such as documents stored in the Grammarly Editor, is associated with this user ID. 2. End -user security controls. Customers' user accounts are protected with passwords and multi -factor authentication (if enabled by user) via SAML, which can be configured by the enterprise administrators. 3. User data report. Upon request to the Support team from a user, Grammarly provides a report on any data held on that user. 4. User data retention. Grammarly has a data retention and disposal standard to regulate the timeframes within which customers' data is retained. The standard also defines the retention period for the logs and backups. 5. User data deletion. At any time, customers have the ability to cancel their Grammarly subscription and delete their account along with personal data associated with the account. 7 DocuSign Envelope ID: B083EA93-6753-4E31-BEF9-E580C22BC836 Qgrammarly Date: January 26, 2024 To Whom it May Concern, This letter confirms that Kourtney Keaton, Head of Grammarly Business, is an authorized signer for Grammarly, Inc. Best Regards, DocuSigned by: '-45C2551 E6892494... Matt Rosenberg Chief Revenue Officer Grammarly, Inc. A`GRLI CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) 2/g/2024 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER Woodruff -Sawyer & Co. 50 California Street, Floor 12 San Francisco CA 94111 CONTACT NAME: WS Certificates PHONE FAX (A/C No Ext): 844-972-6326 (A/C, No): E-MAIL ADDRESS: certificates@woodruffsawyer.com INSURER(S) AFFORDING COVERAGE NAIC # INSURERA: ACE American Insurance Company 22667 INSURED GRAMMAR-01 Grammarly, Inc. 548 Market St., #35410 San Francisco, CA 94104 INSURER B: Endurance American Specialty Insurance Company 41718 INSURER C: Zurich American Insurance Company of Illinois 27855 INSURERD: American Guarantee and Liability Insurance 26247 INSURERE: American Zurich Insurance Company 40142 INSURER F : COVERAGES CERTIFICATE NUMBER: 790570956 REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR LTR TYPE OF INSURANCE ADDL INSD SUBR WVD POLICY NUMBER POLICY EFF (MM/DD POLICY EXP (MM/DD/YYYY) LIMITS C X COMMERCIAL GENERAL LIABILITY Y CP02381607-00 3/25/2023 40 ` _v\ 3/25/2024 EACH OCCURRENCE $ 1,000,000 CLAIMS -MADE X OCCUR DAMAGE TO RENTEDPREMISES (Ea occurrence) $ 1,000,000 MED EXP (Any one person) $ 15,000 PERSONAL &ADV INJURY $ 1,000,000 GEN'L X AGGREGATE POLICY OTHER: LIMIT APPLIES P JECTPRO PER: LOC GENERAL AGGREGATE $ 2,000,000 PRODUCTS - COMP/OP AGG $ 2,000,000 $ C AUTOMOBILE X LIABILITY ANY AUTO OWNED x SCHEDULED AUTOS NON -OWNED AUTOS ONLY Y CPO2381607-00 ^ ` 41P O `� / , V 25/2023 3/25/2024 COMBINED SINGLE LIMIT (Ea accident) $ 1,000,000 BODILY INJURY (Per person) $ BODILY INJURY (Per accident) $ PROPERTY DAMAGE (Per accident) $ACV $ D X UMBRELLA LIAB EXCESS LIAB X O OCCUR CLAIMS -MADE A 1 09-00 (� 3/25/2023 3/25/2024 EACH OCCURRENCE $ 10,000,000 AGGREGATE $ 10,000,000 DED RETENTION $`4. $ E WORKERS COMPENSATION AND EMPLOYERS' LIABILITY ANYPROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Mandatory in NH) If yes, describe under DESCRIPTION OF OPERATIONS below Y / N N N/A WC2381608-00 - CA & AOS 3/25/2023 3/25/2024 X PER STATUTE OTH- ER E.L. EACH ACCIDENT $ 1,000,000 E.L. DISEASE - EA EMPLOYEE $ 1,000,000 E.L. DISEASE - POLICY LIMIT $ 1,000,000 A B Tech E&O/Cyber Excess Tech E&O/Cyber Liability D95327746 PRX30005166602 3/25/2023 3/25/2023 3/25/2024 3/25/2024 Per Claim/Aggregate: Per Claim/Aggregate: $5,000,000 $5M xs $5,000,000 DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) Re: Errors & Omissions/Cyber- Retroactive Date: 05-14-2012 City of Miami is included as additional insured as respects General Liability and Automobile Liability to the extent provided in the attached forms. Coverage is considered Primary and Non-contributory to the extent provided in the attached forms. CERTIFICATE HOLDER CANCELLATION City of Miami 444 SW 2nd Avenue, 6th Floor Miami, FL 33130 SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. AUTHORIZED REPRESENTATIVE ac_ ACORD 25 (2016/03) © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD From: Ouevedo, Terry To: Carbonell. Aileen; Gomez Jr., Francisco (Frank) Subject: RE: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Date: Friday, February 9, 2024 12:46:36 PM Attachments: imaae004.pnq image005.pnq imaae006.pnq Aileen The COI is adequate. Regards, City of Miami Risk Management Department 9th Floor 444 SW 2nd Avenue Miami, Florida 33130 (305) 416-1641 Office (305) 416-1710 Fax TquevedoPmiamigov.com Sera6v, soda 7140¢cawsc4 arvr From: Carbonell, Aileen <ACarbonell@miamigov.com> Sent: Friday, February 9, 2024 12:43 PM To: Gomez Jr., Francisco (Frank) <FGomez@miamigov.com> Cc: Quevedo, Terry <TQuevedo@miamigov.com> Subject: RE: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Good afternoon Frank/Terry, Please see revised certificate attached including Retro-Date as requested below. Thank you. Should you have any questions or concerns, please do not hesitate to contact me at information listed below. Kind regards, Aileen Carbonell, MPA Department of Procurement 444 SW 2"di Avenue, Qh Floor Miarrli, Florida 33130 Office: (305) 41 -19 2 Facsimile: (305) 416-1925 Email: acarbonell@rniami.gov Website: https://www.miami.gov/Government/Depart -Organizations/Procurement Vendor Registration: https://www.miami.gov/Busin censes/Doing-Business-with-the- City/Register-as-a-City-Supplier-Vendor 0-� "Serving, Enhancing, and Transforming our Co)��(�/�Tr, unity' �tik Mission: The City of Miami Deparcurement's mission is to ethically procure quality goods and services, desiry, stn and construction management services at the best value for the City, w�. providing excellent customer service, process efficiency, transparency, fairness, come ton, accountability, and maintaining public trust. `Please consider the environment before printing this e-mail CONFIDENTIAL COMMUNICATION The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please immediately contact the sender by reply e-mail and destroy all copies of the original message. Thank you. *Please Note: Due to Florida's very broad public records law, most written communications to or from City of Miami employees regarding City business are public records, available to the public and media upon request. Therefore, this e-mail communication may be subject to public disclosure. From: Carbonell, Aileen Sent: Friday, February 9, 2024 11:26 AM To: Gomez Jr., Francisco (Frank) <FGomezl@miamigov.com> Cc: Quevedo, Terry <TQuevedol@miamigov.com> Subject: RE: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Frank, Will do. I just requested the pending items. Should you have any questions or concerns, please do not hesitate to contact me at information listed below. Kind regards, Aileen Carbonell, IPA O Department of Procurement �� 444 SW end Avenue, eh Floor _ ` Miami, Florida 33130 ` , Office: (305) 4I i-1922 aJ Facsimile! (305) 416-i9 5•S o� Email: aearbonell _r 1ri.acI Website: https://www.miami.got/Departments-Organizations/Procurement Vendor Registration: https:// .miami.gov/Business-Licenses/Doing-Business-with-the- City/Register-as-a-City-Supa• Vendor "Serving, Enhancing, and Transforming our Community" Mission: The City of Miami Department of Procurement's mission is to ethically procure quality goods and services, design, construction and construction management services at the best value for the City, while providing excellent customer service, process efficiency, transparency, fairness, competition, accountability, and maintaining public trust. `Please consider the environment before printing this e-mail CONFIDENTIAL COMMUNICATION The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please immediately contact the sender by reply e-mail and destroy all copies of the original message. Thank you. *Please Note: Due to Florida's very broad public records law, most written communications to or from City of Miami employees regarding City business are public records, available to the public and media upon request. Therefore, this e-mail communication may be subject to public disclosure. From: Gomez Jr., Francisco (Frank) <FGomezl@miamigov.com> Sent: Friday, February 9, 2024 11:25 AM To: Carbonell, Aileen <ACarbonellPmiamigov.com> Cc: Quevedo, Terry <TQuevedol@miamigov.com> Subject: RE: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Hello, thanks. Please Best regards, have the COI revised as soon as possible. Frank Gomez, PIAM, CPI I Property & Casualty Manager City of Miami Risk Management (305) 416-174o Office (305) 416-1760 Fax fgomez@miamigov.com Q4q "Serving, Enhancing, and Transforming our Community" From: Carbonell, Aileen <ACarbonellUmiamigov.com> Sent: Friday, February 9, 2024 11:21 AM To: Gomez Jr., Francisco (Frank) <FGomez0miamigov.com> Subject: FW: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Frank, This is the last review below. We move forward with the last requested item? Should you have any questions or concerns, please do not hesitate to contact me at information listed below. Kind regards, Aileen CarboneH, MPA Dcparttncnt of Procurement 444 SW 2" `� Avenue, 6th Floor Miami, Florida 33130 Office: (305) 41$-1922 O Facsimile (305) 416-1925 �Q Email: acarbonell@miami.gov rniami.gov J Website: https://www.miami.gov/Governme9kartments-Organizations/Procurement Vendor Registration: https://www.miami.g&Bus -Licenses/Doing-Business-with-the- City/Register-as-a-City-Supplier-Vendor` O' ur"Serving, Enhancing, and Transformir r C nity" Mission: The City of Mia �► epartment of Procurement's mission is to ethically procure quality goods and services, design, construction and construction management services at the best value for the City, while providing excellent customer service, process efficiency, transparency, fairness, competition, accountability, and maintaining public trust. `Please consider the environment before printing this e-mail CONFIDENTIAL COMMUNICATION The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please immediately contact the sender by reply e-mail and destroy all copies of the original message. Thank you. *Please Note: Due to Florida's very broad public records law, most written communications to or from City of Miami employees regarding City business are public records, available to the public and media upon request. Therefore, this e-mail communication may be subject to public disclosure. From: Quevedo, Terry <TQuevedol@miamigov.com> Sent: Friday, January 19, 2024 1:04 PM To: Carbonell, Aileen <ACarbonellPmiamigov.com>; Gomez Jr., Francisco (Frank) <FGomez( miamigov.com> Cc: Aviles, Yesenia <YAvilesl@miamigov.com> Subject: RE: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Aileen Please provide retro date for the E&O coverage. Thanks, e%eYY P 1�. to ec/ City of Miami Risk Management Department 9th Floor 444 SW 2nd Avenue Miami, Florida 33130 (305) 416-1641 Office (305) 416-1710 Fax TquevedoPmiamigov.com -Sewusy, S raaccary, aad 71404cawicy ata From: Carbonell, Aileen <ACarb I miami ov.com> Sent: Friday, January 19, 2024 :49 AM To: Gomez Jr., Francisco (Frank) <FGomezc miamigov.com> Cc: Quevedo, Terry <TQuevedoPmiamigov.com>; Aviles, Yesenia <YAvilesPmiamigov.com> Subject: PROCUREMENT INSURANCE REVIEW FOR GRAMMARLY INC COI Importance: High Good morning, Please review the insurance attached at your earliest convenience and advise if adequate according to insurance requirements contained therein. Thank you! NOTE: Scope is just Software as a service. Kind regards, Aileen Carbonell, MPA Procurement Assistant Department of Procurement 444 SW 2nd Avenue, 6th Floor Miami, Florida 33130 Office: (305) 416-1922 Facsimile: (305) 416-1925 Email: acarboneWmiamigov.com Remit W9 to: PurchasingSupplierAdminsl@miamigov.com Website: https://beta.miamigov.com/Government/Departments-Organizations/Procurement "Serving, Enhancing, and Transforming ourd4 munity" CONFIDENTIAL COMMUNICATION The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please immediately contact th vder byyreply e-mail and destroy all copies of the original message. Thank you. 0) *Please Note: 0 Due to Florida's very broad public records law, most written communications to or from City of Miami employees regarding City business are public records, available to the public and media upon request. Therefore, this e-mail communication may be subject to public disclosure. Olivera, Rosemary From: Gandarilla, Aimee Sent: Wednesday, February 21, 2024 9:04 AM To: Hannon, Todd Cc: Lee, Denise; Olivera, Rosemary; Brown, Sadie; Mickens, Tania; Ewan, Nicole Subject: Grammarly Subscription Agreement (Matter 23-3230) Attachments: Grammarly Subscription Agreement (Matter 23-3230).pdf Good morning Todd, Please find attached the fully executed copy of an agreement from DocuSign that is to be considered an original agreement for your records. Thank you, Qcmee candavCitea Procurement Assistant City of Miami Procurement Department 444 SW 2' Avenue, 6thfloor, Miami, FL 33130 P (305) 416-1906 F (305) 400-5338 E agandarilla@miami.gov "Serving, Enhancing, and Transforming our Community" 1