The URL can be used to link to this page

Browse Search

Home My WebLink About20121872.tiff Master Software License and Support Agreement _ This Master Software License and Support Agreement("Agreement")is entered into this day of July,2012("Contract Date"),by and between Vcura Incorporated, 9800 Mount Pyramid Court,Suite 400,Englewood,Colorado 80112,(Contractor),who will provide software developed by Proofpoint,Inc.,and the Board of County Commissioners of Weld County, Colorado, 1 150"O"Street,Greeley,Colorado 80631.(Customer). Contractor agrees to furnish Customer and Customer agrees to accept,in accordance with the terms and conditions of this Agreement,the use of the software identified below. Introduction. The terms of this contract are specified in the terms of this document and in Exhibits A.B,C, and D which an integral part of this Agreement and which are specifically made a part of this contract. Exhibit A sets forth Customer's Request for Bid,which includes Customer's description of its expectations of the performance of the software being utilized,the application of the software,the software and hardware environment in which the software is expected to operate, and the number of users of the software. Exhibit B sets forth the Contractor's response to Customer's Request for Bid which includes Contractor's response to Customer's description of its expectations of the performance of the software(Proofpoint)which will be offered to Customer by subscription,the application of the software,the software and hardware environment in which the software is expected to operate,and the number of persons who may use the software.The Platinum Level of Services is being provided by Contractor in cooperation with Proofpoint,Inc. Exhibit C sets forth Contractor's and Proofpoint,Inc.'s Statements of Work. Exhibit D sets forth the terms of the Installation and Contractor's Maintenance Agreement,and the price of the services offered. Customer understands that Contractor is providing software owned and developed by Proofpoint, Inc.,and further understands that Proofpoint,Inc.,will be providing support services.However, Contractor remains the point of contact for Customer in all matters pertaining to this Agreement and remains responsible for the performance of the terms and conditions of this Agreement,as Proofpoint.Inc.,is not a signatory to this Agreement. 1. Definitions. 1.1 COMPUTER means a machine or system,which uses logical devices("central processing units")to process information,such as a multiprocessor computer system or a workstation. 1.2 DESIGNATED COMPUTER(S)means specific Computer(s),including replacements, modifications,upgrades and additions thereto,upon which the application software is compiled or installed and executed. 2012-1872 ( i o • 5}e C.CA) fi'e D 2c 5 "1/18 11 1.3 SOFTWARE DOCUMENTATION means the standard user documentation distributed by Contractor under a third party license, describing the use of the Software, including any tutorial presentation of the capabilities of the Run-Time Versions and may include technical documentation which describes the design of the Software. Software Documentation may be released in an electronic media format. Notwithstanding the foregoing, Software Documentation does not include any third party software documentation. 1.4 PRODUCT UPDATE means a change or new release of the Software or Software Documentation designed to con'ect Software Problem(s). 1.5 PRODUCT UPGRADE means a change or new release of the Software or Software Documentation designed to enhance the features of the licensed Software version or otherwise improve the functionality of the licensed Software version. 1.6 RUN-TIME VERSION means a program that is used to execute the Software and other utilities that are a part of the Software, but which does not allow a User to change the Software or to create new and different Software features. 1.7 SOFTWARE means all of the computer software program versions listed in Exhibit B, and are considered a part of the Contractor's "deliverables"and shall include all updates, enhancements, modifications, or upgrades provided under the terms of this Agreement or a related support agreement. Notwithstanding the foregoing. Software does not include any third party software, unless set forth on Exhibit B. 1.8 SOFTWARE PROBLEM(S) means defective Software distribution media and/or a failure of the Software to function substantially in accordance with the Software Documentation. Software Problems for the encryption program includes Customer's inability to communicate with third parties because said third parties are unable to open encrypted messages due to technical incompatibilities. 1.9 SOURCE CODE means a compilable copy of the Software which allows the Software installer to compile the Software into a Run-Time Version using the appropriate Development System; some portions of the Source Code may already be compiled by Contractor and provided in an executable, Run-Time or object code version. 1.10 USER means the unique combination of one log-in on one software display device. (Does not apply if a license is required for each CPU) 1.11 PUBLIC ACCESS MODULE means a unique subset of Software provided for the purpose of providing third parties read-only access to Customer data. 1.12 EXECUTION DATE means the date, after installation of the Software, upon which Customer accepts the Software in writing. 1.13 MATERIAL BREACH means the failure to achieve a milestone as set forth in Exhibit C. 1.14 SEVERE SYSTEM MALFUNCTION means the failure of the Software to perform as represented by Contractor in Exhibit B. 1.15 ACCEPTANCE means Customer's willing receipt of the products, services and Software offered by Contractor,and Customers agreement to pay for said products, services and Software. Customer shall always evidence Acceptance by a written statement, and not by payment alone. LICENSES 2.1 Subscription/Grant of License. Contractor grants to Customer the non-exclusive and non-transferable right to subscribe to and execute the Software for the Designated Users,and to use the associated Software Documentation only for Customer's internal business purposes and only with Customer's data. subject to the terms and conditions of this Agreement and in consideration of payment of the agreed upon license fees. 2.2 Rights of Customer. Customer may access the Software lawfully licensed to Customer on any configuration of computers or display devices connected to the Computer(s)of the Designated Users. Customer may transfer the Software to any electronic storage device connected to the Computer(s)of the Designated Users,provided Customer keeps the original solely for backup or archival purposes. Customer has the right to approve all personnel supplied by Contractor to perform services rendered under this Agreement. 2.3 Acceptance of Software. For each Software product licensed under this Agreement, Customer shall have a thirty (30) day"Acceptance Period"beginning on the Execution Date, or if the Software is provided with Software modifications, beginning on the third day following the installation of the Software and/or Software modifications. During the Acceptance Period, Customer may cancel the subscription by giving written notice to Contractor and returning the Software in accordance with Section 4.2. If Customer elects to accept the subscription,the subscription will be accepted by Customer at the end of the Acceptance Period,upon Customer's execution of a written acceptance. Should Customer elect to cancel this Agreement under the terms of this Section 2.3, Customer shall pay Contractor for all Implementation services provided through the accomplishment of the most recent milestone payment date, so that Contractor will be paid for its accomplishment of the steps taken to reach that milestone. The Project Plan, which is attached hereto and made a part hereof as Exhibit C, sets forth all such steps,milestones and payment obligations. 2.4 Backup Copy. Customer may make backup copies of the Software and of any portions thereof,as well as any portions thereof which are modified or merged with other programs in accordance with this Agreement. All such backup copies shall also be subject to the terms and conditions of this Agreement. Customer agrees to maintain an accurate record of the location of the backup copies at all times. 3. PROPRIETARY RIGHTS AND CONFIDENTIALITY 3.1 Ownership. All title and rights of ownership and /or licensure in the Software and Software Documentation remain with Contractor and/or its suppliers and are protected by copyright,patent, and/or trade secret laws. Customer agrees to take all reasonable steps to protect 3 Contractor's and its suppliers' proprietary rights in the Software and Software Documentation including, but not limited to, the proper display of copyright,trademark, trade secret, and other proprietary notices on any copies of the Software. Customer must reproduce and include any copyright, trade secret, trademark, or proprietary data notices, and other legends and logos on the backup copies. Customer agrees to assist Contractor in the defense of Contractor's and its suppliers' ownership of the Software and Software Documentation against all claims, liens and legal processes of creditors of Customer, and further agrees, to the extent it is able in the normal course of business, to keep the Software and Software Documentation free and clear of all such claims, liens, and processes. 3.2 Confidentiality. As Customer is a public entity, Contractor is aware that this Agreement and all of its terms and conditions constitute a public record and that Customer must disclose this Agreement and its terms and conditions to members of the public who wish to see it. In addition, Customer may disclose the Software to consultants and other third parties retained to work with the Software. 4. TERM,TERMINATION AND PAYMENT 4.1 Term. The license(s) to which Customer subscribes under this Agreement shall commence upon the Customer's Acceptance of the Software and shall continue for a one(1) year period, unless Customer does not renew in accordance with the provisions of this Agreement. However, both of the parties to this Agreement understand and agree that the laws of the State of Colorado prohibit Customer from entering into Agreements which bind Customer for periods longer than one year. Therefore. within the thirty (30) days preceding the anniversary date of this Agreement, Customer shall notify Contractor if it wishes to renew this contract. 4.2 Termination. Customer may terminate this Agreement by notifying Contractor in writing of its intention to terminate. If Customer terminates this Agreement as a result Contractor fails to install and successfully implement the Software so that Customer is able to successfully utilize said Software within sixty (60) days of the execution of this Agreement , Customer shall be relieved from all further obligations under this Agreement, and shall have no obligation to make further payment. Contractor may terminate this Agreement if Customer fails to pay any license fees owing and which are more than thirty (30) days past due. Contractor may also terminate the Agreement if Customer breaches any agreement or obligation in this Agreement and fails to remedy such breach or demonstrate a good faith effort to remedy such breach within thirty (30) days after receiving written notice of such material breach from Contractor. HOWEVER, as Contractor has no rights in Customer's continued subscription to Contractor's services under Section 9.3 and Exhibit D of this Agreement, future action by Customer to refuse to accept such services shall not give rise to any right of Contractor under this Agreement. Upon termination, both parties shall be relieved from any further obligations to one another under this Agreement. 4.3 Payment: As set forth in Exhibit D, the total amount payable by Customer to Contractor is Eighteen Thousand Seven Hundred Fifty and 96/100 Dollars, ($18, 750.96). 4 Customer shall pay one-half of the total, Nine Thousand Three Hundred Seventy-Five and 48/100, (59,375.48), within thirty (30) days of the execution of this Agreement and the balance within thirty (30) days of the date Customer executes a written acceptance, pursuant to the terms of Paragraph 1.15. 5. LIMITED WARRANTY. 5.1 Limited Warranty. Contractor warrants that after the delivery of the Software and Software modifications, if any, to Customer, the latest unmodified version of the Software released by Contractor shall substantially perform in accordance with the Software Documentation. Said Software is warranted to meet the specifications set forth as Customer's requirements, in Exhibit A, and to operate as indicated in Contractor's proposal, in Exhibit B. 5.2 Remedies. Contractor's entire liability and Customer's exclusive remedy shall be for Contractor, at Customer's option, to either: (a) replace any defective media which prevents the Software from satisfying the limited warranty described above provided such defective media is returned to Contractor: or (b) attempt to correct any errors which Customer finds in the Software during this warranty period and which prevent the Software from substantially performing as described in the Software Documentation. Any replacement Software will be warranted for the remainder of the original warranty period or for thirty (30) days, whichever is longer. 5.3 Right to License. Contractor warrants that it is the owner of the Software and/or has the right to license Software to Customer. 5.4 Limitations of Warranty. The above warranty is null and void if failure of the Software has resulted from accident, abuse, or misapplication; including unanticipated alteration or modification of the Software BY Customer. The above warranty applies only to Software Problems, which are apparent in the unmodified, standard Software, which is not merged with other software. Contractor shall not be required to correct errors during the above described warranty period attributable to: equipment malfunction; products other than the Software; use of the Software in conflict with or contravention of the Software Documentation or the terms of this Agreement; or accident, neglect, misuse, or abuse of the Software. 6. INDEMNIFICATION 6.1 Contractor's Indemnification. Contractor shall indemnify, defend and hold harmless Customer against any action to the extent such action is based on a claim that Customer's use of the Software or Software Documentation or any part thereof, under this Agreement, infringes a valid, enforceable United States patent or copyright, or misappropriated a trade secret, and Contractor shall pay all damages and costs. (including reasonable attorneys' fees), awarded or agreed to in a settlement by Contractor in respect of such action; provided that Contractor is given notice of such claim within thirty (30) calendar days of the dated Customer knows of such a claim. Contractor shall control the defense in any such action and. at its discretion, may enter into a stipulation of discontinuance and settlement thereof Customer shall cooperate with Contractor in any such defense and shall make available to Contractor all those persons. documents and things required by Contractor in the defense of any such action. Reasonable out- of-pocket expenses incurred by Customer will be reimbursed by Contractor. Customer, may, at its expense,assist in such defense. 6.2 Remedies. If, in an action described in Section 6.1 above, the Software is held to constitute an infringement or misappropriation, or the use, demonstration, distribution, marketing, or sublicensing thereof is enjoined or restricted. Contractor shall, at its option. either procure for Customer the right to continue using the Software, or modify the Software to permit Customer to exercise its rights hereunder, or if the foregoing options are not available, terminate the Agreement and promptly refund to Customer all license fees paid by Customer to Contractor for the infringing Software amortized over a five(5) year period from the date of initial delivery, (i.e., a refund pro-rated on a monthly bases over a sixty (60) month term). 6.3 Limitations of Indemnification. The foregoing indemnity shall not apply in respect of any infringement misappropriation if such infringement or misappropriation resulted from Customer's or any of its Users' use of the Software: (a) in an operating environment other than that described in the Software Documentation or under this Agreement; (b) in conjunction with an enhancement not created or owned by Contractor; or(c) in conjunction with other software not created or owned by Contractor. The foregoing states the entire obligation of Contractor with respect to the infringement of patents and copyrights, and misappropriation of trade secrets. 7. SUPPORT 7.1 Remote Access. Customer is required to establish a direct computer-to-computer remote access link with Contractor before Support is provided to Customer. Customer must assure that Contractor has access to Customer's Designated Computer(s) via the remote access link. The link must meet Contractor's current specifications for connection to its customer support network. Contractor will provide the System Administrator with a telephone number to Contractor's Support Center, a log-in to the Support Center's system, and instructions on how to establish the link. Contractor will ensure that the Support Center's system will accommodate a link with Customer's system(s). Customer will bear all costs associated with establishing and maintaining the link from Customer's site to Contractor's customer service network. Customer reserves the right to control which product is used to establish and maintain the link from Customer's site to Contractor's site. County will license their copies of the product. 7.2 Required Development Environment. To assist in the resolution of Software Problem(s), Customer is required to maintain the versions then-currently supported by Contractor. or versions compatible with the versions then-currently supported by Contractor, of "Proofpoint Enterprise Privacy-Regulatory Compliance, Digital Asset Security, Encryption" software. Customer shall also maintain a tape drive on its development systems. The requirements of this subsection are subject to reasonable change. 7.3 Support Fees for Annual Maintenance. Customer agrees to pay the current annual Support Fees for the "Platinum" level of Support Services as detailed in Exhibit D. 7.4 Vcura Incorporated and Proofpoint, Inc., Support Specialist and System Administrator. Customer shall designate a System Administrator and a Proofpoint, Inc Specialist who shall act as the primary contact between Customer and Contractor. 0 7.5 Customer's Responsibilities. Customer agrees to assist and cooperate with Contractor as reasonably required by Contractor, in the resolution of Software Problems. Such assistance will facilitate quicker and more effective problem resolution by Contractor, and may include: 7.5.1 Consultation with the System Administrator and Vcura Incorporated and Proofpoint, Inc. Software Support Specialist. 7.5.2 Providing documentation of the Software Problem(s), test data, and copies of the programs being used when the Software Problem(s) become apparent. 7.6 Support Services. The Support Services generally include resolution of Software Problem(s), support via electronic mail, ("E-mail"), and telephone, upgrades and updates of the Software. Updates to existing procedures in the Software as required by legislative action, described in Exhibit B, are also included in the Support Services. Contractor has agreed to provide the "Platinum" level of Support Services, which means that Services will be provided 24 hours per day, 365 days per year. 7.7 Email and Telephone Support. Contractor will provide assistance in identifying, confirming and providing a"workaround" for suspected Software Problem(s) in the standard, unmodified code of the Software. Contractor may require documentation of the Software Problem, test data, and copies of programs being used before confirming and resolving Software Problem(s). E-mail can and should be used to communicate support requests. 7.8 Direct User Contact. Contractor Personnel may use the remote access link to access Customer's Computer to better analyze suspected Software Problem(s) and produce a solution or "workaround" to Software Problem(s). Contractor personnel may also directly communicate with Customer regarding the suspected Software Problem(s) using any form of telecommunications. 7.9 Site Visits. In the event that: (a) data is corrupted, returned results are incorrect, or there is a severe feature malfunction without a-workaround"; (b) the Software Problem seriously disrupts Customer's primary business operations; and (c) Customer and Contractor have made every reasonable attempt to correct the Software Problem. then Contractor agrees to use it best reasonable efforts to resolve the Software Problem, first remotely through the remote access connection or otherwise provided Customer has provided Contractor adequate remote access to Customer's system.and then on-site, if necessary to resolve the Software Problem(s) at Contractor's option. 7,10 Support Hours. Contractor support services, which include direct telephone services, will be available to Customer 24 hours per day, 365 days per year. 7.11 Product Updates and Upgrades. Upon payment of Customer's annual Support Fee (detailed in Exhibit D, which attached hereto and made a part hereof), Contractor agrees to provide Customer with the Product Updates and Product Upgrades for licensed Software Produced by Contractor. 7.12 Language. Telephone and E-mail support will be provided in English, unless otherwise agreed upon in writing by both parties. 7.13 Training. Training will be provided by Contractor following final Acceptance by Customer. Training services arc included in the price paid by Customer for the Software. 8. GENERAL 8.1 Waiver, Amendment or Modification. Any waiver, amendment, or modification of any of the provisions of this Agreement or of any right, power or remedy hereunder shall not be effective unless made in writing and signed by the parties. No failure or delay by either party in exercising any right, power or remedy with respect to any of its rights hereunder shall operate as a waiver thereof in the future. 8.2 Governing Law. This Agreement shall be governed by the laws of the State of Colorado, and shall inure to the benefit of Contractor, its successors, administrators, heirs, and assigns. The United Nations Convention on the International Sale of Goods shall not apply to this Agreement. 8.3 Choice of'Forum. The parties agree that Weld County,Colorado shall be the proper forum for any action, including mediation and arbitration brought under this Agreement. 8.4 Attorney Fees. In the event an action, is brought to enforce any provision of this Agreement, neither party shall be entitled to recover legal costs, or attorney fees, in addition to any other amounts recovered. 8.5 Limitation on Actions. No actions, regardless of form, arising from the transactions under this Agreement, may be brought by an aggrieved party hereto more than two (2) years after the facts creating the cause of action are known to said party. 8.6 Severability. If any term, provision, or pan of this Agreement is to any extent held invalid, void, or unenforceable by a court of competent jurisdiction, the remainder of the Agreement shall not be impaired or affected thereby, and each remaining term, provision, or part shall remain in full force and effect. 8.7 Survival. The terms, conditions and warranties contained in this Agreement that by their sense and context are intended to survive the termination of this Agreement, shall so survive. 8.8 Notice. All notices or other communications made by one party to the other concerning the terms and conditions of this contract shall be deemed delivered under the following circumstances: (a) personal service by a reputable courier service requiring signature for receipt; or (b) five (5) days following delivery to the United States Postal Service, postage prepaid addressed to a party at the address set forth in this contract; or (c) electronic transmission via email at the address set forth below, where a receipt or acknowledgment is required by the sending party; or (d) transmission via facsimile, at the number set forth below, where a receipt or acknowledgment is required by the sending party. Either party may change its notice address (es) by written notice to the other. a Contractor Notice: Name: Cyle Coffman Position: President, Vcura Incorporated Address: 9800 Mount Pyramid Court. Suite 400 Address: Englewood, CO 80112 E-mail: cy Ice offinancr,)vcura.com Facsimile: 720- 262-8949 Customer: Name: Teri Rogers Position: Principal Functional Consultant Address: 1401 North l7th Ave. P.O. Box 758 Address: Greeley, CO 80631 E-mail: trogerslatco.weld.co.us Facsimile: (970)304-6572 8.9 Force Majeure. Neither party shall be in default nor liable for any failure in performance or loss or damage under this Agreement due to any cause beyond its control. 8.10 Board of County Commissioners of Weld County Approval. This Agreement shall not be valid until it has been approved by the Board of County Commissioners of Weld County, Colorado or its designee. 8.11 Taxes. Customer, as a governmental entity, is exempt from sales, use and other taxes or similar governmental charges or duties which might be incurred in connection with the exercise of the license(s) and rights granted herein to Customer, and therefore shall not be responsible for the payment of any taxes. Contractor shall be responsible for the payment of any sales, use or other taxes incurred when it purchase products, materials or services in the fulfillment of its obligations under this contract. Contractor is also responsible for the payment of all taxes or charges based on the income of the Contractor. 8.12 Acknowledgment. Customer and Contractor acknowledge that each has read this Agreement, understands it and agrees to be bound by its terms. Both parties further agree that this Agreement, with the attached Exhibits A, B, C, and D, is the complete and exclusive statement of agreement between the parties and supersedes all proposals or prior agreements, oral or written, and any other communications between the parties relating to the subject matter of this Agreement. 8.13 Governmental Immunity. No term or condition of this contract shall be construed or interpreted as a waiver, express or implied, of any of the immunities,rights, benefits, protections or other provisions, of the Colorado Governmental Immunity Act §§24-10-101 et seq., as applicable now or hereafter amended. 8.14 No Third Party Beneficiary Enforcement. It is expressly understood and agreed that the enforcement of the terms and conditions of this Agreement, and all rights of action relating to such enforcement, shall be strictly reserved to the undersigned parties and nothing in this Agreement shall give or allow any claim or right of action whatsoever by any other person not 9 included in this Agreement. It is the express intention of the undersigned parties that any entity other than the undersigned parties receiving services or benefits under this Agreement shall be an incidental beneficiary only. 8.15 Fund Availability. Financial obligations of the Board of County Commissioners of Weld County payable after the current fiscal year are contingent upon funds for that purpose being appropriated, budged and otherwise made available. By execution of this Agreement. County does not warrant that funds will be available to fund this Agreement beyond the current fiscal year. 8.16 Employee Financial Interest/Conflict of Interest. C.R.S. §§24-18-201 et seq. and §24- 50-507. The signatories to this Agreement aver that to their knowledge, no employee of Weld County has any personal or beneficial interest whatsoever in the service or property which is the subject matter of this Agreement. Contractor's has no interest and shall not acquire any interest direct or indirect, which would in any manner or degree with the performance of Contractor's services and Contractor shall not employ any person having such known interests. During the term of this Agreement, Contractor's shall not engage in any in any business or personal activities or practices or maintain any relationships which actually conflict with or in any way appear to conflict with the full performance of its obligations under this Agreement. Failure by Contractor's to ensure compliance with this provision may result, in Weld County's sole discretion, in immediate termination of this Agreement. 8.17 Independent Contractor. Contractor shall perform its duties hereunder as an independent contractor and not as an employee. Contractor shall be solely responsible for its acts and those of its agents and employees for all acts performed pursuant to this Agreement. Neither Contractor nor any agent or employee of Contractor shall be deemed to be an agent or employee of Customer. Contractor and its employees and agents are not entitled to unemployment insurance or workers' compensation benefits through Weld County and Customer shall not pay for or otherwise provide such coverage for Contractor or any of its agents or employees. Unemployment insurance benefits will be available to Contractor and its employees and agents only if such coverage is made available by Contractor or a third party. Contractor shall pay when due all applicable employment taxes and income taxes and local head taxes (if applicable) incurred pursuant to this Agreement. Contractor shall not have authorization, express or implied, to bind Customer to any agreement, liability or understanding, except as expressly set forth in this Agreement. Contractor shall have the following responsibilities with regard to workers' compensation and unemployment compensation insurance matters: (a) provide and keep in force workers' compensation and unemployment compensation insurance in the amounts required by law and (b) provide proof thereof when requested to do so by Customer. 8.18 Public Contracts for Services. C.R.S. §8-17.5-101. Contractor certifies, warrants, and agrees that it does not knowingly employ or contract with an illegal alien who will perform work under this contract and will confirm the employment eligibility of all employees who are newly hired for employment in the United States to perform work under this Agreement, through participation in the E-Verify program of the State of Colorado program established pursuant to C.R.S. §8-17.5-102(5)(c). Contractor shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or enter into a contract with a subcontractor that fails to certify with Contractor that the subcontractor shall not knowingly employ or contract with an illegal alien to perform work under this Agreement. Contractor (a) shall not use E- Verify Program or State of Colorado program procedures to undertake pre-employment screening or job applicants while this Agreement is being performed, (b) shall notify the subcontractor and Customer within three (3) days that Contractor has actual knowledge that a subcontractor is employing or contracting with an illegal alien and (c) shall terminate the subcontract if a subcontractor dues not stop employing or contracting with the illegal alien within three (3) days of receiving notice, and (d) shall comply with reasonable requests made in the course of an investigation, undertaken pursuant to C.R.S. §8-17.5-102(5), by the Colorado Department of Labor and Employment. If Contractor participates in the State of Colorado program, Contractor shall deliver to Customer, a written notarized affirmation that it has examined the legal work status of such employee, and shall comply with all of the other requirements of the State of Colorado program. If Contractor fails to comply with any requirement of this provision or of C.R.S. §8-17.5-101 et seq., Customer, may terminate this Agreement for breach, and if so terminated, Contractor shall be liable for damages. IN WITNESS WHEREOF, the parties have duly executed this Agreement as of the date first stated above. CONTRACTOR Vcura, Incorporated r By: Cyl)Coffman President iS- ATTEST: , , \ I BOARD OF COUNTY COMMISSIONERS 1661 kd , ' OF WELD COUNTY, G , i� ';'i STATE OF COLORADO O. / „,,.,Lip , '.'., r,. By: By: P Deputy Clerk the Board Sean P. Conway, Chair L 18 2012 11 &,0/0?- /87, EXHIBIT A Request for Proposal 'nN . SS-2012-40 If ) r DEPARTMENT OF HUMAN SERVICES 315 N 11 th AVE GREELEY, CO 80631 WEBSITE: WWW.CO.weld.co.us Weld County covers a total area of 4,000 square miles in north central Colorado. It is bordered on the north by Wyoming and Nebraska and on the South by the Denver Metropolitan area and is the third largest county in Colorado. Weld County Government is soliciting proposals for an Email Encryption software solution to provide secured handling of confidential client information as well as improve all around secured content management for all personnel on their network. I. Project Overview According to The Health Insurance Portability and Accountability Act of 1996 (HIPAA) security and privacy rules, an organization must develop policies and procedures to safeguard private health information and establish an environment of information control. Then The Financial Modernization Act of 1999 (GLBA), also known as the Gramm-Leach-Bliley Act requires that financial information is safeguarded was implemented and followed up in February of 2009 by the US Congress adoption of the Health Information Technology for Economic and Clinical Health Act(HITECH Act) that significantly expands the categories of entities subject to HIPAA. In order to meet the requirements of these governmental standards, we are requesting proposals for a County Wide Secure Email Gateway(SEG). The solution needs to provide total email content security through unified threat management, anti-spam, content security, policy enforcement and data leakage prevention, and provides real-time threat protection. Solutions: We are looking to obtain solutions for the following: - Email Filtering Monitor all incoming email to our domains for SPAM and malicious content. Actively quarantining any email identified as either. - Email encryption Encrypt outgoing email that meets the filtering requirements of our email environment (preferable from the client side out versus the appliance or hosted site out)so the entire email being stored on the internal mail server and out is encrypted. - DLP Block any content leaving our network that contains PH, HIPAA, or any other sensitive information that should be protected. Current Environment We are currently running a 2008 fully functional domain in a Windows Active Directory environment. We do not have email encryption or DLP solutions in place today.We only have email filtering provided by McAfee (MxLogic)where all our domain MX records are pointed for filtering. We manage our own public facing DNS records so we have the ability to change where our MX records point to at will. We have approximately 1,631 mailboxes (Includes users, shared, room, and equipment mailboxes)that runs on Exchange 2007 (Windows Server 2008 Enterprise) in a clustered mail environment. 1 Request for Proposal SS-2012-40 14 rI F DEPARTMENT OF HUMAN SERVICES � 3/5 N I/fhAVE GREELEY, CO 8063! -. WEBSITE: WWW.CO.weld.co.us We are very aware that government agencies have become prime malware targets, as cybercriminals seek profitable ways to infiltrate networks and steal sensitive data and/or inflict damage. Because we are a Federal Agency we share critical personal and financial information with other State agencies on a daily basis, we are seeking a solution that eliminates accidental or intentional loss of this data This solution must be easy to administer, be acceptable and easily deployable to our users as well as external recipients. It needs to be a transparent solution that offers limitless scalability, minimal administration overhead, consolidated and centralized management. It needs to provide detailed, centralized and clear reporting in one solution. II. Requirements Statement 1. Project Phases, by dept priority Provide analysis, policy configuration set-up and training for the follow departments types. Division Phase Social Services HRD II Health Department III Paramedics IV Personnel V County Attorneys VI Coroner's Office VII DA, Courts, Justice Services, Probation Office VIII Finance, Admin Offices, Accounting IX Sheriff's Office X 2. Software Expectations Our primary concern is ensuring that only those messages that need to be encrypted are actually encrypted in order to reduce the false positive rate. We are seeking a Safe-N- Secure email environment. (Check those that apply to your solution) ❑ Solution will need to provide scalable solutions for approx 1700 county wide employees who either use internal email and/or access their email via the web. ❑ Solution needs to be cost effective and easy to implement and use ❑ Solution should be easy to set and enforce a wide variety of content policies. • Solution will need to secure inbound and outbound email content using automatic deep content management for email and attachments ❑ Solution needs to protect emails from security threats in real time, regardless of whether users are onsite or in remote locations ❑ Solution needs to control intentional or accidental data loss with email monitoring and filtering • Solution can provide a Centralized Management and administration solution ❑ Solution has the ability to proactively manage risk 2 Request for Proposal ism , SS-2012-40 II r, DEPARTMENT OF HUMAN SERVICES t 4 315N11th AVE CO-v -- GREELEY,CO 80631 .r WEBSITE: www.co.weld.co.us ❑ Provides context-sensitive email archiving, such as storing all emails on a related topic ❑ Provides basic filtering templates upon initial set-up ❑ Provides Lexical dictionaries that can manage distribution of sensitive content. ❑ Restricted content must be quarantined and an alert notification needs to be sent to the user and manager. f_I Solution should protect against phishing, viruses, malware and blended threats ❑ Solution can minimize non-business email, traffic and storage. ❑ Solution should have redundant Hard disk configuration in the appliance with at least 1TB usable space ❑ The solution should have options for both software application and appliance, and should support VMware vsphere 4.x, 5.x if County chooses to virtualize the application on VM guest. • The solution should have integrated fault-tolerance features. ❑ The solution should support clustering of appliances if County chooses to add more redundancy. ❑ The product should have support and integrate with third-party load balancing and/or network bandwidth management technologies. 3. Automatic Alert Notification and Reporting Requirements: (Check those that apply to your solution) ❑ Solution provides a Secured notification Service (SnS)for alerting management ❑ Email alerts can be stored based on content, with ability to recall stored messages for auditing ❑ Provides reporting on quarantined items, available upon request, by dept, by staff ❑ Provides management with security reports that indicate attempted policy breaches and potential email abusers ❑ Solution should be able to provide bandwidth reports by sender, recipient, domain and file type 4. Interface Requirements: (Check those that apply to your solution) Li The solution should integrate with LDAP directories or with Microsoft Active Directory ❑ Integrate with our existing MS Exchange 2007 email system ❑ Solution should support MS Exchange 2010, should the county upgrade to this in the near future ❑ Desktop plug-in should be supported on outlook 2003, 2007, and 2010 ❑ Solution can easily integrate with third-party products, like Net motion etc ❑ Can provide a single central interface • Flexible Deployment Options for multiple departments, if applicable 3 Request for Proposal ,xo, SS-2012-40 DEPARTMENT OF HUMAN SERVICES 315 N 1Ith AVE CO tiWnN GREELEY,, CO 80631 WEBSITE: WWW.CO.weld.co.us 5. Security and Standards Requirements:(Check those that apply to your solution) D Solution meets regulatory HIPAA, HITECH and GLBA Standards; data cannot be transmitted accidentally or intentionally without encryption ❑ Solution meets security and achieving standards ❑ Solution Identifies data-stealing malware, including keystroke loggers, phishing attacks, Trojans and root kits, provides behavior-based malware detection technologies • Solution has the ability to filter all Web traffic on all TCP ports by URL and/or IP address, file type, HTTP, HTTPS, FTP, newsgroups (NNTP), social networking and TCP ❑ Solution "automatically" enforces content rules, including file attachments regardless of location or connection HI Solution extends full security and policy control to remote and mobile users ❑ Solutions has the ability to filter content running on Android tablets or iOS operating systems • Solution identifies applications based on what they do; then denies applications that perform functions that conflict with policy ❑ Solution will not affect the network or Internet connection if it slows or fails ❑ Solution minimizes latency and provides unmatched reliability III. Description of Weld County Computing Environment Xerox has contracted with Weld County to support and deliver information technology for the departments within the County's infrastructure. Xerox will be assisting Weld County in the selection process and will act as the Liaison between the vendor and the Human Services department. The Xerox IT consultant will provide guidance to Human Services in evaluating the proposed vendor solutions in regards to meeting User Requirements . XEROX should be included in on the distribution of invoices as well as all correspondence related to this project IV. Response Requirements and Timeline The Email Encryptions Project SS-2012-40 response is due by 10:00 AM, MST by April 1, 2012. Proposals submitted after that time and date will not be accepted 4 Request for Proposal ,,R , SS-2012-40 74 r !'- r DEPARTMENT OF HUMAN SERVICES A � � 3/S NlIthAVE C;O-"4" GREELEY..CO 80631 WEBSITE: WWW.CO.weld.co.us V. Submittal Requirements 1. Instructions to Vendors • Qualified vendors interested in performing the work described in this Request for Proposal must complete and submit the following information to Sheila Batson, IT Systems Consultant at Weld County. • Provide a statement of work (SOW), to include time to complete and costs breakouts for each phase of this project. Failure to meet the phase deadlines may result in termination of the agreement between the vendor and Weld County. • Provide acknowledgement that you have read each Requirement under Section II above by indicating with a check mark whether you can support that request—see items 2-5. o Provide "N/A"response alongside items that your solution does not support o Record the term "Add-on"alongside items that are not part of your basic package, but are supported by you via a 'Add-on"package • Completion of the Functional Requirements and Technical Requirements—Sections XII and XIII o N/A should be entered in the response column for items that are not supported by your solution • Completion of Implementation and Support, Section XIV 2. Statement of Work (SOW) Breakdown Requirements • Cost and time to complete Needs Analysis for each"Phase" noted in Section II-1 • Cost and time to complete configuration and application set-up for each phase • Cost and time to provide training to designated Security Staff, and users • Projected time line, Start to Finish for each phase, if applicable • Provide a cost breakdown for basic software package o Provide a descriptive list of what is included in basic software application package • Provide a cost breakdown for suggested additional add-on product for your software solution that are not included in the basic package price. Please provide details about how this solution will benefit us based off of our requirements. 3. Self Hosted vs Vendor Hosted Hardware Solutions • Provide separate costs breakdowns for both a hosted or self-hosted solution, if applicable 5 Request for Proposal f�, x• , SS-2012-40 F 4�4 r� r DEPARTMENT OF HUMAN SERVICES 315NIIth AVE .,,N =`"• GREELEY.CO 80631 WEBSITE: WWW.CO.Weld.co.us • Provide a Network Diagram, all firewall requirements, and all server requirements necessary to get the best results and response times and access.Provide list of Server and other Hardware Requirements to make this solution work • Vendor is required to provide Hardware recommendations to make their solution work • Chosen vendor will be required to Complete the Weld County Pre-Project Security Workbook. o If a vendor can't meet the security workbook requirements, they will not be considered for this project and another vendor will be selected. 4. Submittal Response Format • The following outline should be followed when responding to the RFP o Executive Summary o Vendor Profile o User Requirements o Functional Requirements o Technical Requirements o Implementation and Support o Training o Pricing o Appendices containing any additional/supporting information VI. Weld County Contacts Question regarding this RFP, Contact: Sheila Batson, IT Systems Consultant sbatsonco.weld.co.us 970-304-6570 ext 2539 Submit Two Hard Copies, and an Electronic Version of your Proposal to: (Either PDF or Word document formats are acceptable) Sheila Batson, IT Systems Consultant XEROX @ Weld County Information Services 1401 North 17th Avenue Greeley, Co 80631 sbatson©co.weld.co.us 970-304-6570 ext 2539 6 Request for Proposal Kt SS-2012-40 , r w, DEPARTMENT OF HUMAN SERVICES 315 N11th AVE cc,ti I t` GREELEY,CO 80631 !Y!': _ ,__ WEBS/TE: WWW.co.weld.co.US VII. Terms and Conditions No public official or employee of Weld County, Colorado, and no member of their governing bodies shall have any pecuniary interest, direct or indirect, in the approved RFP/Bid or the proceeds thereof. The response to this RFP shall assure that it will comply with all requirements of the non- discrimination provisions of Title VI of the Civil Rights Acts of 1964, as amended and its implementing regulation, Title 45 Code of Federal Regulations (CRF)Part 80; the Age Discrimination Act of 1975, as amended, and its implementing regulation, Title 45 CFR, Part 91; Section 504 of the Rehabilitation Act of 1973, as amended and its implementing regulation, Title 45 CFR Part 84; Titles 1 through V of the Americans with Disabilities Act, as amended, and its implementing regulation, Title 29 CFR, Part 1630. The response must also assure that the bidder will fully comply with Colorado Revised Statutes (C.R.S.) §§27-10.5-101 et seq. and 25.5-4- 101 et seq., the regulations promulgated thereunder, and all other applicable federal and state laws, rules and regulations. The Provider understands that the source of funds to be used under this RFP/Bid is section 1931 of Title XIX of the federal"Social Security Act". 42 U.S.C. sec 1396u-1. An RFP/Bid which is approved by the Board shall be binding upon the parties hereto, their successors, heirs, legal representatives, and assigns, and neither party may assign any of its rights or obligations hereunder without the prior written consent of both parties. The bidder must assure and certify that it and its principals: a. Are not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from covered transactions by a Colorado or federal department or agency; b. Have not, within a three-year period preceding this RFP/Bid, been convicted of, or had a civil judgment rendered against them for commission of fraud or a criminal offense in connection with obtaining, attempting to obtain, or performing a public (federal, state, or local)transaction or contract under a public transaction; violation of federal or state antitrust statutes or commission of embezzlement, theft, forgery, bribery, falsification or destruction of records, making false statements, or receiving stolen property; c. Are not presently indicted for, or otherwise criminally or civilly charged by a government entity (federal, state, or local) with commission of any of the offenses enumerated in paragraph 12 of this certification; and d. Have not within a three-year period preceding this RFP/Bid, had one or more public transactions (federal, state, and local)terminated for cause or default. e. Have not been indicted for, or otherwise been criminally charged with any felony. The appearance of conflict of interest applies to the relationship of a service provider with the Board, or any of Weld County's Departments, when such service provider also maintains a relationship with a third party and the two relationships are in opposition. In order to create the appearance of a conflict of interest, it is not necessary for a service provider to gain from knowledge of these opposing interests. It is only necessary that the service provider know that the two relationships are in opposition. 7 Request for Proposal ,K0 SS-2012-40 ti r• mil DEPARTMENT OF HUMAN SERVICES h• 15 N AVE „w �' GREELEY,,CO 80631 WEBS/TE: WWW.CO.weld.co.us During the term of this RFP/Bid, if it is approved by the Board, the service provider shall not enter into any third party relationship that is a conflict of interest or gives the appearance of creating a conflict of interest. Upon learning of an existing appearance of a conflict of interest situation, the service provider shall submit to the Board a full disclosure statement setting forth the details that create the appearance of a conflict of interest. Failure to promptly submit a disclosure statement required by this paragraph shall constitute grounds for the Board to terminate, for cause, its contract with said service provider. The successful bidder shall be required to protect the confidentiality of all records of the children and their families whose records are processed under this RFP/Bid. A bid must state whether the potential service provider has written policies governing access to, duplication and dissemination of all such information. The bidder must state how these policies shall apply to its employees, agents and sub-Providers. The successful bidder must furnish its employees, agents, and sub-Providers, if any, with a copy or written explanation of these confidentiality requirements before access to confidential data is permitted. RFP Response Material Ownership: All materials submitted regarding this RFP become the property of the Board of Commissioners of Weld County. Responses may be reviewed by any person after the Letter of Intent has been issued, subject to the terms of Colorado Revised Statutes 24- 72-202 through 24-72-206/Public(open) Records. The Board of County Commissioners of Weld County has the right to use any or all information/material presented in reply to the RFP, subject to limitations outlined in Proprietary Information. Disqualification of a bidder does not eliminate this right. "The requirements of this Request for Proposal (RFP)will be carefully evaluated by Weld County, and each requirement is considered to be fundamental to the successful implementation of this project. Naturally, a successful response to this RFP will properly address each need and condition. Therefore, the RFP and the Bid of the successful bidder will be made an integral part of the final Agreement between Weld County and the successful Bidder. Any attempt to alter or change any requirement of the RFP or the bid in the final Agreement will be rejected by Weld County and, at the option of Weld County may result in the elimination of an otherwise successful bidder." Contract Agreement: Weld County Attorneys will submit a contract which must be agreed upon by both the vendor and Weld County before any work is initiated. a. There are finite funds available for this project in this year, and the successful bidder should expect this project to be phased in over more than one year. 8 Request for Proposal wti .r SS-2012-40 ti r ; DEPART NT OF HUMAN ERVICES`69, k ti GREELEY,,CO 80631 • WEBSITE: WWW.Co.Weld.CO.US The actual term of any agreement between Weld County and the provider who is selected will be determined based upon the funds budgeted for the project during any year. No portion of this RFP/Bid shall be deemed to create an obligation on the part of the County of Weld, State of Colorado, to expend funds not otherwise appropriated in each succeeding year. b. The payment for services, as described under the Statement of Work, shall be based upon rates as outlined in the vendor's quote and shall be based on services completed. c. If any phase is not successfully completed, payment may be partially or totally withheld . d. The submitted cost estimate per phase shall establish a "not to exceed" amount. e. The Vendor needs to provide a documented plan on how and when invoicing will occur. f. Any changes to the scope of the original contract must be formally approved by the Division Director and/or the Weld County Governance Board, as well as the Board of County Commissioners of Weld County before such work is to proceed further. VIII. RFP Timeline Weld County has established the following timeline in relation to Project SS-2012-40. Please note that dates are subject to change. Vendors will be notified, via an addendum to this RFP, of any changes in the timeframe. RFP distributed March 1, 2012 Deadline for questions submitted in relation to March 16, 2012 RFP Deadline for us to respond to questions March 21, 2012 Deadline for receipt of RFP response April 1, 2012 Governance Review of Proposal Responses April 25, 2012 Short list of vendors determined and notified May 15, 2012 Onsite vendor demonstrations TBD Contract review by Weld Attorneys TBD Approval by County Commissioners TBD System implementation (estimated) TBD 9 Request for Proposal ,Rh, SS-2012-40 t I r ' r DEPARTMENT OF HUMAN SERVICES �r If 315NIIthAVE to,,N1 u Y GREELEY,, CO 80631 WEBSITE: WWW.CO.weld.co.us IX. Competitive Analysis • Describe what generally differentiates you from your key competitors. • Describe your market share in the Email Encryption and Content Management space. X. References • How many organizations have implemented your solution overall? • How many organizations are still running your solution with an active maintenance and support contract(i.e., lifetime customer retention)? • Provide the name of the oldest, active customer of your solution. • How many organizations have implemented your solution in the past fiscal year? • Please describe the customer industries you service. • Please provide information in relation to three (3)customers who have implemented a solution similar to Weld County. Include company name, location, inception date, and solution specifics. XI. Evaluation Criteria The following criteria will be utilized when evaluating your response to Email Encryption Solution, Project SS-2012-40. This is not to be considered an inclusive list. • Organization's experience in this space • Customer reference responses • Support methodology • Response to user requirements • Response to functional requirements • Response to technical requirements • Ability to meet Weld County Security Workbook requirements • Implementation complexity • Cost 10 Request for Proposal SS-2012-40 1i rI - DEPARTMENT OF HUMAN SERVICES 315 N VAEE % 's°. GREELEY,,CO 80631 weas]TE www.co.weld.co.us XII. FUNCTIONAL REQUIREMENTS The following questions relate to the functional requirements that are required in the proposed solution. Integration Category Requirement Response MS Office Does your solution work with MS Office products? • What years of MS Office do you support MS Office Can Users easily navigate and perform their primary job tasks with little-to-no and easy access features that are based on the familiar look and feel of MS Office products. Web Client Does solution offer a SSL web-based Interface interface, Telnet, Secure Shell? Web Client Solution offers the full feature set of a Interface client-based solutions through a web deployable interface for Weld external web access Web Client Solution offers an easy open feature Interface solution through a web deployable interface whether they are other organizations or individual customers who are receiving our email. Product Encryption solution provides the ability Check all that apply Integration screen content from these locations: • BlackBerry ❑ BlackBerry • iPad 0 iPad • iPhone 0 iPhone • Windows Phone 0 Windows Phone • 0 Droid Droid ❑ Standard Client • Standard Client ❑ Outlook • Outlook ❑ Web Client • Web Client ❑ Java Web Client 11 Request for Proposal 'soS SS-2012-40 ti ry DEPARTMENT OF HUMAN SERVICES 315 N I l th AVE VT X GREELEY,CO 80631 WEBSITE: www.co.weld.co.us • Java Web Client ❑ Business Application • Business Application ❑ SharePoint • SharePoint ❑ URL string • URL string Product Does the solution automatically detect Integration recipients that are also using the same vendor's products, and does it encrypt for the product they are using? • Automatic gateway-to-gateway encryption • Automatic gateway-to-desktop encryption Product What delivery methods does the solution Integration offer to recipients who are not also using the vendor's products for: Browser Pull (secure portal) • Is the portal hosted as part of a SaaS architecture? • Can the portal be branded to match your Web site? • Is English and Spanish automatically supported? • How is registration accomplished? Product Does the solution support custom Integration password rules • Password length • Alphanumeric, special characters • Password expiration • Password re-use limitation Product What delivery methods does the solution Integration offer to recipients who are not also using the vendor's products for: Browser Push (encrypted attachments) • Can the message be customized with 12 Request for Proposal tame _SS-2012-40 ti r r - DEPARTMENT OF HUMAN SERVICES 315N11thAVE . 'C.D p td •wxs GREELEY,CO 80631 WEBSITE: www.co.wefd.co.us your company's brand? • Are English and Spanish automatically supported? • How is registration accomplished? • How are password changes and message recovery accomplished? Product Must the sender be involved to reset Integration passwords? Product Must the sender resend the message after Integration the password is reset? Product What is the maximum encrypted message Integration size supported by the solution? Product Does the solution provide a method for Integration anyone to initiate an inbound secure message to your organization (i.e. a "secure contact us"function)? Product Does the solution offer other remediation Integration actions in addition to encrypting? • Blocking/Routing • Forwarding • Cc: • Adding custom header and/or footer text • Logging Product What is done to handle potential private Integration content in bounces (to ensure the bounced message does not travel in clear-text, without encryption)? • How about in the case of a Reply to all? Product How can the your solution ensure that Integration malicious HTML is not added to messages? 13 Request for Proposal SS-2012-40 ti r DEPARTMENT OF HUMAN SERVICES lr II r 315N1Hh AVE GREELEY,CO 80631 WERSITE: www.co.weld.co.us Software Service Solution Category Requirement Vendor Response Software Is your solution delivered as a Software Solution Service model, if yes answer question below Software Does the infrastructure have any Solution certifications and accreditations, such as SysTrust or SAS70 Type II Software Will you sign a Business Associate Solution agreement to show that your solution is HIPAA, HITECH &GLBA Compliant? Software Can your solution cover our entire user- Solution base or just a subset Software What hardware and/or Software Solution components have to be deployed on your site to make this solution work Software Would there be any components that we Solution would have to supply on our own Software How are hardware failures addressed? Solution . What are the uptime guarantees Software How are updates and patches managed Solution Software How does your architecture scale to meet Solution changing environments Software Do you have a dedicated team to handle Solution lexicon-related issues Software Does the solution include automatically- Solution generated reports and alert notifications Auditing/ Reporting Category Requirement Vendor Response Auditing Solution provides the ability to access a document-level audit trail. Auditing Does your solution provide an out-of-the box audit trail Auditing Describe what is natively tracked in your out-of-the-box audit trail. 14 Request for Proposal int,,..; SS-2012-40 r ' - DEPARTMENT OF HUMAN SERVICES L �, 315N11th AVE #.t O N N T Y GREELEY,CO 80631 WEBSITE: WWW.CO.we/d.co.us XII. TECHNICAL REQUIREMENTS Deployment/Architecture Category Requirement Vendor Response Deployment Can the system cover our entire user-base Plan or just a subset Deployment What work is required to deploy your Plan solution into production Deployment How long will it take to deploy your solution Plan on our production servers Deployment Do you have a formalized deployment Plan Plan? Deployment Does your installation team provide a Plan project plan and assign a project manager Deployment How many resources are required to move Plan your solution into production? Deployment What is the deployment risk associated Plan with your solution? Deployment What are the hardware and software Plan requirements for us to host this solution ourselves Deployment What components are offered as part of Plan your solution. Architecture Which of the following technology standards are included in your solution • X.509 • RSA • AES • 3DES Architecture How does the Architecture scale meet changing requirements? Architecture How are high availability and disaster recovery handled Architecture Product based: (On-site solution or hardware) • Gateway product • Encryption product 15 Request for Proposal SS-2012-40 t' rM r ; DEPARTMENT OF HUMAN SE 315 N RtV AVE GREELEY, CO 80631 WEBSITE: WWW.CO.weld.co.uS Architecture Hosted Service: (Cloud computing) • Gateway product • Encryption product Architecture System provides a single interface for the configuration and administration. Architecture Solution allows for ease of configuration, in that most administrative tasks can be done by an internal resource as opposed to a third-party software expert. Architecture Quantify the number of configurable options in your solution. Encryption /Content Management Category Requirement Response Encryption What email encryption standards does your solution support? • TLS • S/MIME • Open PGP • SMTP • PKI • IBE • IB-PKI • Other, please explain Encryption Is Transport Layer Security (TLS)the protocol used by your solution to provide secure (encrypted and authenticated) connections. Encryption Which TLS mode is used in your solution: 1. Server only authentication mode - (In the server only authentication mode,the server is required to have an SSL certificate that enables it to authenticate itself to the client.) 2. Server and Client authentication mode - (In the case of server and client authentication, both the server and the client have an SSL 16 Request for Proposal SS-2012-40 ti ' -' w DEPARTMENT OF HUMAN SERVICES • 315 NIIhAVE EY i Id rl GREELEY.CO 80631 WEBSITE: WWW.co.we/d.co.us certificate to enable mutual authentication without the need for passwords) Encryption Is TLS used for remote users/partners to decrypt and recrieve emails via reverse proxy SSL connection? Encryption Does your TLS solution require configuring the enterprise email server to enforce the use for all connections Encryption Does your solution require the use of TLS on subsequent hops from the enterprise email server Encryption Is the solution designed for true seamless email encryption so that our internal and/ or external users will have a completely transparent user experience)? Encryption Can the solution automatically determine what messages should be encrypted? Encryption Does the solution automatically decrypt inbound messages, such as replies? Encryption Are attachments scanned and encrypted when sensitive data is identified? Encryption What methods does the solution support to trigger encryption? • Sender recipient address or domain • Keyword • Lexical content analysis • Can a custom button be installed to trigger encryption Encryption How does the solution detect protected health information, personal and financial Information? • An"identifier"that can be used to uniquely identify an individual. Examples: 17 Request for Proposal . Rfo SS-2012-40 t r , DEPARTMENT OF HUMAN SERVICES 315N11thAVE GREELEY,CO 80631 .V7.1 WEBSITE: www.co.weld.co.us • patient ID, customer ID, SSN • ii. A health or financial term or phrase Encryption If Lexicons are used, what Lexicons are Lexicons utilized in your solution: provided in your solution Cl Identifiers • Identifiers ❑ SSN • SSN • ❑ Health terms Health terms ❑ Financial terms • Financial terms ❑ Credit cards • Credit cards ❑ CA, MA and NV privacy laws • CA, MA and NV privacy laws ❑ Health research • Health research ❑ Profanity • Profanity Encryption How are encryption/decryption keys managed? Encryption Does the solution include a central public key repository? • Is it accessible globally to all of the vendor's other customers? Encryption How does the solution handle key revocation? Encryption Will you have access to your private decryption keys? Mobile Device Does the solution support delivery of Encryption encrypted messages to mobile devices? Mobile Device How is easy is it for the user to read a Encryption mobile message?Can the message be rendered directly on the mobile? Security Administration Category Requirement Response Other Content Describe your solution's ability to publish Mgmt select content onto removable media (CD/DVD) in an encrypted format, allowing access to a self-contained/runtime version of your client. 18 Request for Proposal SS-2012-40 v' r f DEPARTMENT OF HUMAN SERVICES 315 N IIh AVE ,,µ t GREELEY,,CO 80631 WEBSITE: www.Co.weld.Co.us Other Content Describe your solution's ability to send Mgmt documents as an encrypted PDF. Workflow Does the product include tools for managing policy based workflow for inbound and outbound email? If yes, which ones? E-Mail Solution allows e-mails and attachments to Attachment be automatically scanned for Content without any user intervention or data entry. E-Mail Solution allows e-mails and attachments to Attachment be automatically scanned and Encrypted if content falls within a policy based standard without any user intervention or data entry. PCI Compliance Describe how your system manages highly-sensitive information (i.e., payment card information), adhering to the PCI compliance standard. Scalability Category Requirement Response Scalability After our initial investment, if we intend to add additional departments, describe how your software could accommodate this growth Scalability Can you solution support multiple application and web servers in a load balanced configuration environment for redundancy. Scalability Please provide examples of scalability using real customer examples and metrics: • Peak number of users in a single instance at one time • Peak number of scanned content documents per hour • Peak number of documents ingested per day 19 Request for Proposal ,N SS-2012-40 t r DEPARTMENT OF HUMAN SERVICES 6.1315 N 1I th AVE tOL,NT` , GREELEY,CO 80631 WEBSITE.' WWW.CO.weld.co.us Licensing Category Requirement Response Licensing Describe how your software licensing model promotes multi-departmental adoption and/or enterprise growth. Licensing Does your solution offer both dedicated user and concurrent (pooled)Client access licenses. Licensing How does your solution handle Primary client access licenses • User that accesses the system either over the web or via a desktop • Client access license which is not bound to either web-based access or desktop(thick client)access. Licensing Does your solution require the purchase of special certificates or licensing XII. IMPLEMENTATION AND SUPPORT Implementation • Describe your implementation processes and procedures. • Provide the number of your proposed staff that will work on this project along with their job titles and qualifications • Describe the roles and responsibilities the vendor will have during an implementation. • Describe the roles and responsibilities the customer will have during an implementation. • Provide a sample of the structured project implementation plan utilized. • Describe the number of customer resources necessary for ongoing maintenance of the system. • Describe the number of environments (test, production, web) supported in an implementation of your system and the cost of each. b. Technical Support 1. Describe your technical support organization and structure. 2. How many support centers do you operate? 3. How many support staff are available daily to provide assistance? 20 Request for Proposal SS-2012-40 Ti � r - DEPARTMENT OF HUMAN ERVIIlth AES 31pj T E GREELEY CO 80631 WEBSITE: www.co.weld.co.us 4. What hours is your Technical Support department available? 5. Describe how support issues are logged. 6. Describe the designated support representative that will be assigned. 7. Provide a means to check the status of an issue online. 8. Detail your problem escalation procedure. Software Support 1. When was the first version of your solution released? 2. Describe how consistently new versions of the software are released. 3. Describe how we're notified of upcoming Version/Level/Releases 4. Describe how software changes or enhancements are incorporated into a release. 5. Explain how long a release is maintained. 6. Detail the software license costs or upgrade costs typically incurred with an upgrade to a new release. Training 1. Do you provide a train-the-trainer technique within your training offerings? 2. How many staff in each training session 21 EXHIBIT B _• , TM £ din s curs e . Y $ G 1 .1 h. t 5'�• r r, . . � dw a a RFP:• SS-2012-40, Email Filtering, Encryption, DAP April 1 , 2012 In Partnership with: pCOOfpoint> Yr -44-41,a,„ Y ©2012 Vcura Incorporated reserved.Vcura and the Vcura logo are trademarks of Vcura Incorporated All rights t„. t Email Filtering, Encryption, DLP: RFP SS-2012-40, curb Due 411/12, 10:00 am MST. Page Executive Summary & Narrative 3 Vendor Profile 4 User Requirements 13 Competitive Analysis 15 References 21 Functional Requirements 22 Technical Requirements 27 Implementation and Support 34 Training 36 Pricing: Hosted vs Self Hosted 37 Archive Option 40 Statement of Work (SOW) Breakdown 42 Architecture —Overview & Technical Details 43 Appendices Proofpoint Pre-Installation Requirements Proofpoint Support Service Program Proofpoint Education Informing your user community about email filtering Proofpoint Threat Report Proofpoint Dynamic Reputation Proofpoint Smart Search Proofpoint Spam Detection Proofpoint Virus Protection Proofpoint Zero-Hour Anti-Virus Proofpoint Digital Asset Security Proofpoint Encryption Proofpoint Regulatory Compliance Proofpoint Enterprise Archive Proofpoint Enterprise Governance Proofpoint on Demand (PoD) - PSO Proofpoint Protection Server -PSO 2 ro Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. Vcura Incorporated, in partnership with Proofpoint, is pleased to offer Weld County the following response to RFP SS-2012-40; Email Filtering, Encryption, DLP. Vcura delivers industry leading IT security, operations, technology, consulting, and support with a responsibility focus.We align technology based on applicability, resulting in and maintaining your focus. Vcura understands that delivering IT enabling solutions is as much about people and processes as it is technology. The Vcura team consists of industry recognized security and access professionals committed to preserving the brand and value of our clients. With over a decade of security and access, focused interest, Vcura has established itself as the premier IT enabling and security solutions provider in the industry. We believe that Proofpoint is ideally suited to meet the requirements given by Weld County and we look forward to building a lasting and mutually beneficial relationship. As required by Weld County, Vcura and Proofpoint will meet this RFP's scope including the design, documentation, integration, and on-going support of an enterprise-wide email gateway service; encompassing: monitoring all incoming email to your domains for spam and malicious content, encrypt outgoing emails that meet the filtering requirements of your email environment, and block any content leaving your network that contains PII, HIPAA, or any other sensitive information that should be protected. The Proposal will recommend a solution that balances the richness of features and security with the lowest total cost of ownership. Features of the proposed solution are delivered on Proofpoint's unique options of a Security-as-a-Service or as an on-premise solution with hardware or virtual appliances. Proofpoint will meet all the administrative requirements such as effective, bi-directional spam /virus and content filtering with a low false positive rate while offering granular users, group, & domain policies, content-aware policies and comprehensive actions. Ease of management will include logging of all messages, tracking policy triggers, reporting all intervals and destinations in a tabular, graphical and dashboard views. Advanced inbound email processing and protection services such as Connection Management, Sender Management, Spam Management, Virus Management, Recipient Checking, IP Address/Blacklist/Whitelist Management, Attachment Management, and superior quarantine/digest options. All features are delivered on Proofpoint's robust, scalable, and easy to use platform, which is sized to protect 24,000+ users and receive 100+ million emails a month with no single point of failure. All supported by Proofpoint's world-class 24/7/365 global support network. We welcome the opportunity to further discuss the details provided herein and intend to provide a robust, enhanced, industry proven, and responsibly aligned cost to value solution.With the details provided in the solicitation, our collective solution can be up and running in as little as one to two weeks from execution of an agreement. Vcura and Proofpoint agree to and understand the evaluation criteria, conditions and requirements of this RFP. On behalf of the entire team at Vcura and Proofpoint,Thank You for your consideration of this proposal. In addition to your local client interest team, if there is anything I can do to ensure 100% satisfaction as a Vcura client, please contact me.We look forward to working with you. Sincerely, Cyle Coffman Vcura - President 303.882.4347 cylecoffman@vcura.com 3 Email Filtering, Encryption, DLP: RFP SS-2012-40, ,.� ' cur()Due 4/1/12, 10:00 am MST. Vcura Overview Vcura delivers industry leading IT security, operations, technology, consulting, and support with a responsibility focus. We align technology based on applicability, resulting in and maintaining your focus. Vcura understands that delivering IT enabling solutions is as much about people and processes as it is technology. The Vcura team consists of industry recognized security and access professionals committed to preserving the brand and value of our clients. With over a decade of security and access, focused interest, Vcura has established itself as the premier IT enabling and security solutions provider in the industry. • Core Organizational Compliance, " Risk Mitigation,Operations Z '.)ii Mobilization '*+ !,. Quality of Service ` • . "_' &Assurance /• -.� d Development Evolving Security&Access Vcura focuses exclusively on delivering IT solutions throughout the five stages of organizational development above. We support our clients' needs as a continual evolution of interest from core operations to mobilization, and therefore we offer expertise and solutions within each functional stage. The Vcura model builds on the areas of organizational compliance, risk mitigation and operations, relevant to our environment and regardless of changes in access methods or technology. We focus on these concepts, and understand the balance and demands of quality of service and assurance for your internal and external users, customers, and partners. Your industry and organization is ever changing and so does your interest in evolving security and access solutions. As your partner, we center on your business and the ideas that drive your security or access requirements. We emphasize the application of technology based on your organizational drivers, providing you our knowledge gained through discovery and observation of the industry. Vcura offers the insight, expertise, and knowledge required to guide you through the constantly changing security and access industry—maintaining your focus. Organizations today are generally aware of their posture related to compliance, quality of service, and assurance. However, many organizations are not so advanced in their strategy to support core services 4 Email Filtering, Encryption, DLP: RFP SS-2012-40, u Due 4/1112, 10:00 am MST. • Cu f Q and progressing needs of an anywhere and anytime access model. Vcura provides the strategy, technology, and services necessary to progress your organization through not only developing but also mobilization of core services. Vcura principles focus on enhancing the market and not just reaction to industry trends. We believe that there is no substitute for experience and that success requires vision and diligent execution. As your partner, we will not act without consideration, guide without evidence of success, promote without evaluation of alternatives, or implement without understanding. Period. Vcura value • End-to-end expertise from access solutions and security to operations enablement • Proven methodology providing current state and business case analysis • Solution applicability focus • Managed services • Principles of responsibility—social, economic, and environmental Vcura partners are a critical component to the overall value of our offerings.We maintain the highest level of designation with our partner organizations and support their leading ideas and technologies. Vcura is a supplier of technology but we also tailor our services to support our partner specific offerings. 5 Email Filtering, Encryption, DLP: RFP SS-2012-40, 444 Due 4/1/12, 10:00 am MST. Proofpoint Overview Proofpoint is a pioneering security-as-a-service vendor that enables large and mid-sized organizations worldwide to defend, protect, archive and govern their most sensitive data. Our security-as-a-service platform is comprised of an integrated suite of on-demand data protection solutions, including threat protection, regulatory compliance, archiving and governance, and secure communication. Our solutions are built on a flexible, cloud-based platform and leverage a number of proprietary technologies, including big data analytics, machine learning, deep content inspection, secure storage and advanced encryption, to address today's rapidly changing threat landscape. A fundamental shift in the sources of cyber crime, from hackers to organized crime and governments, combined with the emergence of international data trafficking, are driving an unprecedented wave of targeted, malicious attacks designed to steal valuable information. At the same time, the growth of business-to-business collaboration, as well as the consumerization of IT and the associated adoption of mobile devices and unmanaged Internet-based applications, have proliferated sensitive data and reduced the effectiveness of many existing security products. These factors have contributed to an increasing number of severe data breaches and expanding regulatory mandates, all of which have accelerated demand for effective data protection and governance solutions. Our platform addresses this growing challenge by not only protecting data as it flows into and out of the enterprise via on-premise and cloud-based email, instant messaging, social media and other web-based applications, but also securely archiving these communications for compliance and discovery. We address four important problems for the enterprise: • Keeping malicious content out; • Preventing the theft or inadvertent loss of sensitive information and, in turn, ensuring compliance with regulatory data protection mandates; • Collecting, retaining, governing and discovering sensitive data for compliance and litigation support; and • Securely sharing sensitive data with customers, partners and suppliers. Our platform and its associated solutions are sold to customers on a subscription basis and can be deployed through our unique cloud-based architecture that leverages both our global data centers as well as optional points-of-presence behind our customers'firewalls. Our flexible deployment model enables us to deliver superior security and compliance while maintaining the favorable economics afforded by cloud computing, creating a competitive advantage for us over legacy on-premise and cloud-only offerings. We were founded in 2002 to provide a unified solution to help enterprises address their growing data security requirements. Our first solution was commercially released in 2003 to combat the burgeoning problem of spam and viruses and their impact on corporate email systems. To address the evolving threat landscape and the adoption of communication and collaboration systems beyond corporate email and networks, we have broadened our solutions to defend against a wide range of threats, protect against outbound security risks, and archive and govern corporate information. Today, our solutions are used by approximately 2,400 customers worldwide, including 24 of the Fortune 100, protecting tens of millions of end-users. We market and sell our solutions worldwide both directly through our sales teams and indirectly through a hybrid model where our sales organization actively assists our network of distributors and resellers. We also distribute our solutions through strategic partners including IBM, Microsoft and VMware. The Proofpoint Solution: Our integrated suite of on-demand security-as-a-service solutions enables large and mid-sized organizations to defend, protect, archive and govern their sensitive data. Our comprehensive platform provides threat protection, regulatory compliance, archiving and governance, and secure communication. These solutions are built on a cloud-based architecture, protecting data not only as it flows into and out of the enterprise via on-premise and cloud-based email, instant messaging, social media and other web- 6 TV Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. based applications, but also securely archiving these communications for compliance and discovery. We have pioneered the use of innovative technologies to deliver better ease-of-use, greater protection against the latest advanced threats, and lower total cost of ownership than traditional alternatives. The key elements of our solution include: • Superior protection against advanced, targeted threats. We use a combination of proprietary technologies for big data analytics, machine learning and deep content inspection to detect and stop targeted "spear phishing" and other sophisticated attacks. By processing and modeling billions of requests per day, we can recognize anomalies in traffic flow to detect targeted attacks. Our deep content inspection technology enables us to identify malicious message attachments and distinguish between valid messages and "phishing" messages designed to look authentic and trick the end-user into divulging sensitive data or clicking on a malicious web link. Our machine learning technology enables us to detect targeted "zero-hour" attacks in real time, even if they have not been seen previously at other locations, and quarantine them appropriately. • Comprehensive, integrated data protection suite. We offer a comprehensive solution for data protection and governance through an integrated, security-as-a-service platform that is comprised of three main suites: Proofpoint Enterprise Protection, Proofpoint Enterprise Privacy and Proofpoint Enterprise Archive. Together, these solutions can improve an organization's ability to detect and mitigate inbound and outbound threats and securely archive and discover communication across all major communication channels including on-premise and cloud-based email, instant messaging, social media and other web-based applications. In addition, our common policy framework and reporting systems enable organizations to comply with complex regulatory mandates, implement consistent data governance policies and ensure end-to-end incident response across the enterprise. • Designed to empower end-users. Unlike legacy offerings that simply block communication or report audit violations, our solutions actively enable secure business-to-business and business- to-consumer communications. Our easy-to-use policy-based email encryption service automatically encrypts sensitive emails and delivers them to any PC or mobile device. In addition, our secure file-transfer solution makes it easy for end-users to share and collaborate on large documents. All of our solutions provide mobile-optimized capabilities to empower the growing number of people who use mobile devices as their primary computing platform. • Security optimized cloud architecture. Our multi-tenant security-as-a-service solution leverages a distributed, scalable architecture deployed in our global data centers for deep content inspection, global threat correlation and analytics, high-speed search, secure storage, encryption key management, software updates and other core functions. Customers can choose to deploy optional physical or virtual points-of-presence behind their firewalls for those who prefer to deploy certain functionality inside their security perimeter. This architecture enables us to leverage the benefits of the cloud to cost-effectively deliver superior security and compliance, while optimizing each deployment for the customer's unique threat environment. • Extensible security-as-a-service platform. The key components of our security-as-a-service platform, including services for secure storage, content inspection, reputation, big data analytics, encryption, key management, and identity and policy, can be exposed through application programming interfaces, or APIs, to integrate with internally developed applications as well as with those developed by third-parties. In addition, these APIs provide a means to integrate with the other security and compliance components deployed in our customers' infrastructures. Proofpoint Security-as-a-Service Platform: We provide a multi-tiered security-as-a-service platform consisting of solutions, platform technologies and infrastructure. Our platform currently includes three solutions bundled for the convenience of our customers, distributors and resellers: Proofpoint Enterprise Protection, Proofpoint Enterprise Privacy, and Proofpoint Enterprise Archive. Each of these solutions is built on our security-as-a-service platform, which includes both platform services and enabling technologies. Our platform services provide the key functionality to enable our various solutions while our enabling technologies work in conjunction with our platform services to enable the efficient construction, scaling and maintenance of our customer-facing solutions. 7 ,u 1 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. Our suite is delivered by a cloud infrastructure and can be deployed as a secure cloud-only solution, or as a hybrid solution with optional physical or virtual points-of-presence behind our customers' firewalls for those who prefer to deploy certain functionality inside their security perimeter. In all deployment scenarios, our cloud-based architecture enables us to leverage the benefits of the cloud to cost-effectively deliver superior security and compliance while maintaining the flexibility to optimize deployments for customers' unique environments. The modularity of our solutions enables our existing customers to implement additional modules in a simple and efficient manner. 4� Proofpoint Enterprise Proofpoint Enterprise Proofpoint Enterprise ' 1 Protection"' Privacy' Archive 2 .�. _- _-._ ..— PISecurity-as-a-Service Platform OIATHNIU Sr RVICit •Content Encryption and Notification ! Analytic : a he Inspection Reputation • Key Management and Workflow and Search c r ,a . G tNA6UIC TECHNOLOGY _ Big Data Machine • Identity i Secure j ` 1 Analytic Learning and Policy I Storage a ila. .._.Syr,.;,. rr - _ 7 a . . . .. Cloud Infrastructure r_ Network ' Operations Secure Cloud Hybrid On-Premise Control , n iii ' proofpoint' i Solutions Our security-as-a-service platform includes three solutions bundled for the convenience of our customers: Proofpoint Enterprise Protection, Proofpoint Enterprise Privacy, and Proofpoint Enterprise Archive. Proofpoint Enterprise Protection Proofpoint Enterprise Protection is our communications and collaboration security suite designed to protect customers' mission-critical messaging infrastructure from outside threats including spam, phishing, unpredictable email volumes, malware and other forms of objectionable or dangerous content before they reach the enterprise. Key capabilities within Proofpoint Enterprise Protection include: • Threat detection. Proofpoint threat detection uses our Proofpoint MLX machine learning technology and reputation data to examine millions of possible attributes in every message, including envelope headers and structure, embedded web links, images, attachments and sender reputation, as well as unstructured content in the message body, to block phishing and spear phishing attacks, spam and other forms of malicious or objectionable content. This solution also includes sophisticated policy and routing controls designed to ensure security and the effective handling of all classifications of content. • Virus protection. Our virus protection capabilities combat email-borne viruses, worms and trojans with a solution that combines efficient message handling, comprehensive reporting, and robust policy management with leading third-party anti-virus scanning engines. • Zero-hour threat detection. Protects enterprises against new phishing attacks, viruses and other 8 ro Email Filtering, Encryption, DLP: RFP SS-2012-40, aura Due 4/1/12, 10:00 am MST. - forms of malicious code during the critical period after new attacks are released and before full information is available to characterize the threat. • Smart search. Offers an easy-to-use interface that provides real-time visibility into message flows across an organization's messaging infrastructure, using built-in logging and reporting capabilities with advanced message tracing, forensics and log analysis capabilities. Key benefits of Proofpoint Enterprise Protection include: • Superior protection from advanced threats, spam and viruses. Protects against advanced threats, spam and other malicious code such as viruses, worms and spyware. • Comprehensive outbound threat protection. Analyzes all outbound email traffic to block spam, viruses and other malicious content from leaving the corporate network, and pinpoint the responsible compromised systems. • Effective, flexible policy management and administration. Provides a user-friendly, web-based administration interface and robust reporting capabilities that make it easy to define, enforce and manage an enterprise's messaging policies. • Easy-to-use end-user controls. Gives email users easy, self-service control over their individual email preferences within the parameters of corporate-defined messaging policies. Proofpoint Enterprise Privacy Our data loss prevention, encryption and compliance solution defends against leaks of confidential information, and helps ensure compliance with common U.S., international and industry-specific data protection regulations- including HIPAA, GLBA, PIPEDA and PCI-DSS. Key capabilities within Proofpoint Enterprise Privacy include: • Advanced data loss prevention. Our advanced data loss prevention solution identifies regulated private content, valuable corporate assets and confidential information before it leaves the organization via email or web-based applications. Pre-packaged smart identifiers and dictionaries automatically and accurately detect a wide range of regulated content such as social security numbers, health records, credit card numbers, and driver's license numbers. In addition to regulated content, our machine learning technology can identify confidential, organization-specific content and assets. Once identified and classified, sensitive data can be blocked, encrypted and transmitted or re-routed internally based on content and identity-aware policies. • Flexible remediation and supervision. Content, identity and destination-aware policies enable effective remediation of potential data breaches or regulatory violations. Remediation options include stopping the transfer completely, automatically forcing data-encryption, or routing to a compliance supervisor or the end-user for disposition. Proofpoint Enterprise Privacy provides comprehensive reporting on potential violations and remediation using our analytics capabilities. • Policy-based encryption. Automatically encrypts regulated and other sensitive data before it leaves an organization's security perimeter without requiring cumbersome end-user key management. This enables authorized users, whether or not they are our customers, to quickly and easily decrypt and view content from most devices. • Secure file transfer. Provides secure, large file transfer capabilities that allow end-users to send large files quickly, easily, and securely while eliminating the impact of large attachments on an email infrastructure. Key benefits of Proofpoint Enterprise Privacy include: • Regulatory compliance. Allows outbound messages to comply with national and state government and industry-specific privacy regulations. • Superior malicious and accidental data loss protection. Protects against the loss of sensitive data, whether from a cybercriminal attempting to exfiltrate valuable data from a compromised system, or from an employee accidently distributing a file to the wrong party through email, webmail, social media, file sharing, or other Internet-based mechanisms for publishing content. • Easy-to-use secure communication. Allows corporate end-users to easily share sensitive data without compromising security and privacy, and enables authorized external recipients to transparently decrypt and read the communications from any device. Our mobile-optimized interfaces provide the easiest experience for the rapidly growing number of recipients on 9 lv Email Filtering, Encryption, DLP: RFP SS-2012-40, curioDue 4/1/12, 10:00 am MST. smartphones and tablets. Proofpoint Enterprise Archive Proofpoint Enterprise Archive is designed to ensure: accurate enforcement of data governance, data retention and supervision policies and mandates; cost effective litigation support through efficient discovery; and active legal hold management. Proofpoint Enterprise Archive can store, govern and discover a wide range of data including email, instant message conversations, social media interactions, and other files throughout the enterprise. The key capabilities within the Proofpoint Enterprise Archive include: • Secure cloud storage. With our proprietary double blind encryption technology and the associated data storage architecture, all email messages, files and other content are encrypted with keys controlled by the customer before the data enters the Proofpoint Enterprise Archive. This ensures that even our employees and law-enforcement agencies cannot access a readable form of the customer data without authorized access by the customer to the encryption keys stored behind the customer's firewall. • Search performance. By employing parallel, big data search techniques, we are able to deliver search performance measured in seconds, even when searching hundreds of terabytes of archived data. Traditional on-premise solutions can take hours or even days to return search results to a complex query. • Flexible policy enforcement. Enables organizations to easily define and automatically enforce data retention and destruction policies necessary to comply with regulatory mandates or internal policies that can vary by user,group, geography or domain. • Active legal-hold management. Enables administrators or legal professionals to easily designate specific individuals or content as subject to legal hold. The Proofpoint Enterprise Archive then provides active management of these holds by suspending normal deletion policies and automatically archiving subsequent messages and files related to the designated matter. • End-user supervision. Leveraging our flexible workflow capabilities, the Proofpoint Enterprise Archive analyzes all electronic communications, including email and communications from leading instant messaging and social networking sites, for potential violations of regulations, such as those imposed by Financial Industry Regulatory Authority (FINRA) and the SEC in the financial services industry. Key benefits of Proofpoint Enterprise Archive include: • Regulatory compliance. Helps organizations meet regulatory requirements by archiving all messages and content according to compliance retention policies and enabling staff to systematically review messages for compliance supervision. • Proactive data governance. Allows organizations to create, maintain and consistently enforce a clear corporate data retention policy, reducing the risk of data loss and the cost of eDiscovery. • Efficient litigation support. Provides advanced search features that reduce the cost of eDiscovery and allow organizations to more effectively manage the litigation hold process. • Reduced storage and management costs. Helps to simplify mailbox and file system management by automatically moving storage-intensive attachments and files into cost-effective cloud storage. Platform Services Our platform services provide the key functionality to enable our various solutions, using our enabling technologies. Our platform services consist of: • Content inspection. Applies our Proofpoint MLX machine learning techniques to understand the meaning of email, documents and social networking communications and to identify and classify content as malicious, sensitive or relevant to a litigation matter for threat protection, data loss prevention and discovery. • Reputation. Leverages machine learning and big data analytics to analyze and correlate billions of requests per day to create a dynamic reputation profile of hundreds of millions of IP addresses, domains,web links and other Internet content. This database of reputation profiles is used to help identify and block malicious attacks. • Encryption and key management. Securely encrypts data and stores and indexes hundreds of 10 Email Filtering, Encryption, DLP: RFP SS-2012-40, cum Due 4/1/12, 10:00 am MST. thousands of individual encryption keys without requiring cumbersome key-exchange or other end-user set-up. Enables authorized users to quickly and easily decrypt and view content from a wide variety of devices. • Notification and workflow. Creates notifications and an enabling workflow to alert administrators and compliance officers of an incident and enable subsequent review, commentary, tracking, escalation and remediation of each event. • Analytics and search. Provides an easy-to-use, web-based interface for searching and analyzing information to enable enterprises to rapidly trace inbound and outbound messages, analyze how messages were processed by a Proofpoint Enterprise deployment, report on the disposition and status of any email message, and retrieve in real time archived communications for litigation support and eDiscovery. Enabling Technologies Our enabling technologies are a proprietary set of building blocks that work in conjunction with our application services to enable the efficient construction, scaling and maintenance of our customer-facing solutions. These technologies consist of: • Big data analytics. Indexes and analyzes petabytes of information in real time to discover threats, detect data leaks and enable end-users to quickly and efficiently access information distributed across their organizations. • Machine learning. Builds predictive data models using our proprietary Proofpoint MLX machine learning techniques to rapidly identify and classify threats and sensitive content in real time. • Identity and policy. Enables the definition and enforcement of sophisticated data protection policies based on a wide set of variables, including type of content, sender, recipient, pending legal matters, time and date, regulatory status and more. • Secure storage. Stores petabytes of data in the cloud cost-effectively using proprietary encryption methods, keeping sensitive data tamper-proof and private, yet fully searchable in real time. Infrastructure We deliver our security-as-a-service solutions through our cloud architecture and international data center infrastructure. We operate thousands of physical and virtual servers across seven data centers located in the United States, Canada, The Netherlands and Germany. Our cloud architecture is optimized to meet the unique demands of delivering real-time security-as-a- service to global enterprises. Key design elements include: • Security. Security is central to our cloud architecture and is designed into all levels of the system, including physical security, network security, application security, and security at our third-party data centers. Our security measures have met the rigorous standards of SAS 70 Type II certification. The industry is in the process of upgrading this certification program to a new standard known as Statement on Standards for Attestation Engagements No. 16 (SSAE 16). We expect to complete our transition to SSAE 16 by the end of 2011. In addition to this commercial certification program, we have also successfully completed the FISMA certification for our cloud- based archiving and governance solution, enabling us to serve the rigorous security requirements of U.S. federal agencies. • Scalability and performance. By leveraging a distributed, scalable architecture we process billions of requests against our reputation systems and hundreds of millions of messages per day, all in near real time. In addition, our grid-based storage architecture currently manages more than a petabyte of secure storage. Massively-parallel query processing technology is designed to ensure rapid search results over this vast data volume. In addition to this aggregate scalability across all customers, our architecture also scales to effectively meet the needs of our largest individual customers, each of which has millions of users and processes tens of millions of messages per day. • Flexibility. Our cloud architecture enables individual customers to deploy entirely in Proofpoint's global data centers or in hybrid configurations with optional points of presence located behind the customer's firewall. This deployment flexibility enables us to deliver security, compliance and performance tailored to the unique threat profile and operating environment of each customer. 11 • Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. • High availability. Our services employ a wide range of technologies including redundancy, geographic distribution, real-time data replication and end-to-end service monitoring to provide 24x7 system availability. • Network operations control. We employ a team of skilled professionals who monitor, manage and maintain our global data center infrastructure and its interoperability with the distributed points of presence located behind our customers'firewalls to ensure 24x7 operations. • Low cost. We deploy our services on shared, low-cost, commodity computing and storage infrastructure. In addition, we utilize multi-tenancy and hardware virtualization to further reduce hardware and management costs. Because we primarily rely on internally developed and open source technology instead of commercially licensed technology, we are able to offer a cost- effective solution to our customers. Customers As of September 30, 2011 we had approximately 2,400 customers of ail sizes across a wide variety of industries, including 24 of the Fortune 100. Our largest customers use our platform to protect millions of users and handle tens of millions of messages per day. We have a highly diversified customer base, with no single partner or customer accounting for more than 10% of total revenue in 2008, 2009 or 2010 or the nine months ended September 30, 2011. In each year since the launch of our first solution in 2003, we have retained over 90% of our customers. 12 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. Software Expectations Our primary concern is ensuring that only those messages that need to be encrypted are actually encrypted in order to reduce the false positive rate.We are seeking a Safe-N-Secure email environment. (Check those that apply to your solution) ✓ Solution will need to provide scalable solutions for approx 1700 county wide employees who either use internal email and/or access their email via the web. ✓ Solution needs to be cost effective and easy to implement and use ✓ Solution should be easy to set and enforce a wide variety of content policies. ✓ Solution will need to secure inbound and outbound email content using automatic deep content management for email and attachments ✓ Solution needs to protect emails from security threats in real time, regardless of whether users are onsite or in remote locations ✓ Solution needs to control intentional or accidental data loss with email monitoring and filtering ✓ Solution can provide a Centralized Management and administration solution ✓ Solution has the ability to proactively manage risk ■ ADD-ON: Provides context-sensitive email archiving, such as storing all emails on a related topic ✓ Provides basic filtering templates upon initial set-up ✓ Provides Lexical dictionaries that can manage distribution of sensitive content. ✓ Restricted content must be quarantined and an alert notification needs to be sent to the user and manager. ✓ Solution should protect against phishing,viruses, malware and blended threats ✓ Solution can minimize non-business email, traffic and storage. ✓ Solution should have redundant Hard disk configuration in the appliance with at least 1TB usable space ✓ The solution should have options for both software application and appliance, and should support VMware vsphere 4.x, 5.x if County chooses to virtualize the application on VM guest. ✓ The solution should have integrated fault-tolerance features. ✓ The solution should support clustering of appliances if County chooses to add more redundancy. ✓ The product should have support and integrate with third-party load balancing and/or network bandwidth management technologies. Automatic Alert Notification and Reporting Requirements: (Check those that apply to your solution) ✓ Solution provides a Secured notification Service (SnS)for alerting management ✓ Email alerts can be stored based on content, with ability to recall stored messages for auditing ✓ Provides reporting on quarantined items, available upon request, by dept, by staff ✓ Provides management with security reports that indicate attempted policy breaches and potential email abusers ✓ Solution should be able to provide bandwidth reports by sender, recipient, domain and file type Interface Requirements: (Check those that apply to your solution) ✓ The solution should integrate with LDAP directories or with Microsoft Active Directory ✓ Integrate with our existing MS Exchange 2007 email system ✓ Solution should support MS Exchange 2010, should the county upgrade to this in the near future 13 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1112, 10:00 am MST. ✓ Desktop plug-in should be supported on outlook 2003, 2007, and 2010 ✓ Solution can easily integrate with third-party products, like Net motion etc ✓ Can provide a single central interface ✓ Flexible Deployment Options for multiple departments, if applicable Security and Standards Requirements: (Check those that apply to your solutiopj ✓ Solution meets regulatory HIPAA, HITECH and GLBA Standards; data cannot be transmitted accidentally or intentionally without encryption ✓ Solution meets security and achieving standards ✓ Solution Identifies data-stealing malware, including keystroke loggers, phishing attacks, Trojans and root kits, provides behavior-based malware detection technologies ✓ Solution has the ability to filter all Web traffic on all TCP ports by URL and/or IP address, file type, HTTP, HTTPS, FTP, newsgroups (NNTP), social networking and TCP ✓ Solution "automatically" enforces content rules, including file attachments regardless of location or connection ✓ Solution extends full security and policy control to remote and mobile users ✓ Solutions has the ability to filter content running on Android tablets or iOS operating systems • N/A: Solution identifies applications based on what they do; then denies applications that perform functions that conflict with policy ✓ Solution will not affect the network or Internet connection if it slows or fails ✓ Solution minimizes latency and provides unmatched reliability 14 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. • �t'hre Arai? The Email Filtering, DLP and Encryption market is highly competitive, fragmented and subject to rapid changes in technology. Proofpoint competes primarily with a broad array of data protection and governance software providers. Key competitors include: • Data protection:Cisco (through its acquisition of IronPort), Google (through its acquisition of Postini), McAfee, an Intel subsidiary (through its acquisitions of Secure Computing and MX Logic), Microsoft (through its acquisition of Frontbridge), and Symantec (through its acquisitions of Brightmail and MessageLabs) • Governance: EMC (through its acquisitions of Legato and Kazeon), Hewlett-Packard (through its acquisition of Autonomy)and Symantec (through its acquisition of KVS) Proofpoint competes and excels in this market, based upon the following factors: • level of protection against advanced threats; • comprehensiveness and integration of the solution; • flexibility of delivery models; • total cost of ownership; • scalability and performance; • customer support; and • extensibility of platform. Proofpoint helps protect your most vulnerable risk vector and your most sensitive data Block threats and attacks that are coming in via email Deep content analysis to detect your sensitive data • Protecting data when its most vulnerable: when its in motion Full-life cycle approach to threat protection, Compliance and DLP Detect, Encrypt, Incident Dashboard, Robust Reporting Modern Security-as-Service architecture Built for the real world • World-class support& threat response organization • Enables secure communication Supports all mobile devices for the way people work For the market share, Please refer to the info from Proofpoint S1: http://www.nasdaq.com/markets/ipos/filing.ashx?filingid=7918679 Proofpoint solutions are used by approximately 2,400 customers worldwide, including 26 of the Fortune 100, protecting tens of millions of end-users. We have been particularly successful selling to the largest enterprises; 19 of the 50 largest companies in the United States as ranked by Fortune Magazine are our customers. We have also had success penetrating the market leaders(as measured by revenue) in a number of significant verticals including: •4 of the 5 largest U.S. retailers •4 of the 5 largest U.S. aerospace& defense contractors • 3 of the 5 largest U.S. banks • 3 of the 5 largest global pharmaceutical companies Among our customers are: Alticor Inc., AON Corporation, Bank of America Corporation, Bank of China Limited, Burlington Coat Factory Warehouse Corporation, First Data Corporation, Grant Thornton LLP, Hospital Corporation of America, Hitachi Data Systems Corporation, Huntsman Corporation, Kaiser Permanente, Mary Kay, Inc., Petco Animal Supplies, Inc., Pitney Bowes Inc., The Radio France Group, Raymond James Financial, Inc., Royal Mail Ltd., Scottsdale Healthcare Corporation, the State of 15 Email Filtering, Encryption, DLP: RFP SS-2012.40, t V Due 4/1112, 10:00 am MST. x r �urQ California, Sub-Zero Wolf, Inc., T-Mobile Wireless USA, Inc., Tyson Foods, Inc., UCLA Health System, University of North Carolina, United States Department of Agriculture, VF Corporation, Washington State University, Weatherford International Ltd., and Zions Bancorporation. Technical Comparison between Googie Message Security(Postini)and Proofpoint Enterprise Email Security(Anti-Spam and Anti-Virus) Postini Proofpoint Unique policies and quarantine for Phish,Bulk Mail,and Spam — 99%spam effectiveness and 1:350,000 false positive SLA - 100%Anti-virus SLA — — Reputation-based spam detection — — Machine learning technology for accurate content analysis — Outbound spam detection Partial — Zero-Hour Anti-virus detection for zero-day protection — — Email Compliance(DLP and Encryption) Postini Proofpoint Policy-based encryption Partial — Pre-configured compliance policies for SSNs and all CCs Partial — Pre-configured compliance policies for HIPAA,GLBA,PCI — Smart Identifiers—algorithmic checks of structured data — Managed Dictionaries—pre-defined and updated libraries — Advanced proximity and correlation analysis Document fingerprinting for protecting digital assets — Flexible encrypted message delivery — Per-message encryption keys — — End-user encryption controls — DLP incident dashboard for administrative remediation — Management and Reporting Postini Proofpoint Real-time reporting and message tracing — Email delivery of reports — Publishing and scheduling of reports — DLP Dashboard—consolidated view of compliance activity — End User Controls Postini Proofpoint Self remediation for outbound spam and DLP violations -,_ End-user encryption controls -_,_,_ Streamlined reporting and auditing of spam messages — Deployment Options Postini Proofpolnt Appliance — Software — Private Cloud — Public Cloud — — Hybrid deployment options — Dedicated instances for segregation of data and downtime — Technical Comparison between McAfee SaaS (Mxtogic)and Proofpolnt Enterprise Defenses Against Targeted Attacks(Phishing) McAfee Proofpoint Granular and configurable policies for phishing messages — Separate quarantine for phishing messages — Real-time notification and alerting of phishing messages — Automated delivery of reports for phishing messages _ — Defenses Against Traditional Threats(Spam,Virus and DoS) McAfee Proofpoint Reputation-based spam detection — — Separate policies for Spam,Virus,Bulk,and Adult Separate quarantine for Spam,Virus,Bulk,and Adult . — 99%spam effectiveness and 1:350.000 false positive SLA - 100%Anti-virus SLA — Email connection throttling and termination — 16 Email Filtering, Encryption, DLP: RFP SS-2012-40, cur()Due 4/1/12, 10:00 am MST. • -. :'' ' Machine learning technology for accurate content analysis — Zero-Hour Anti-virus detection for zero-day protection — — Defenses Against Other Threats McAfee Proofpoint Outbound spam detection — Policy-based encryption — — Content filtering of Office 2007,Office 2010,and PDF attachments — Pre-configured compliance policies for SSNs and all CCs — —_ Pre-configured compliance policies for HIPAA,GLBA,PCI — — Smart Identifiers—algorithmic checks of structured data — Managed Dictionaries—pre-defined and updated libraries - Advanced proximity and correlation analysis — Content rules based on regular expressions — Document fingerprinting for protecting digital assets — Streamlined encrypted message delivery for mobile devices — End-user triggered encryption for sensitive data — — Per-message encryption keys — Encryption branding customization — DLP incident dashboard for administrative remediation — Management and Reporting McAfee Proofpoint Zero-hour message tracing,with ability to find phishing messages — Zero-day reporting,with summary of phishing messages — Automated publishing.scheduling.and email delivery of reports — — DLP Dashboard—consolidated view of compliance activity — End User Controls McAfee Proofpoint Self-remediation for outbound spam and DLP violations — End-user revocation controls for encrypted messages — Streamlined reporting and auditing of spam messages — — Deployment Options McAfee Proofpoint Appliances,with enterprise scalability — Private cloud(Virtual appliances-unlimited instances without charge) r — Hybrid deployment options using same platform — Public cloud(SaaS) — — Dedicated instances for segregation of data and downtime — IPv6 — Technical Comparison between Symantec(MessageLabs)and Proofpoint Enterprise='.'M Defenses Against Targeted Attacks(Phishing) MessageLabs Proofpoint Granular and configurable policies for phishing messages - _ _ Separate quarantine for phishing messages - Real-time notification and alerting of phishing messages — Detection of spoofed email addresses via DKIM and SPF — Defenses Against Anti-Spam, Anti-Virus and DoS Attack MessageLabs Proofpoint Separate policies for Spam,Virus,Bulk,and Adult — Separate quarantine for Spam,Virus,Bulk,and Adult — Spam effectiveness and false positive SLAB _ - 100%Anti-virus SLA — — Non-public reputation-based spam detection — Email connection throttling and termination - . Machine learning technology for accurate content analysis — Zero-Hour Anti-virus detection for zero-day protection — — Defenses Against Other Threats And Data Loss MessageLabs Proofpoint Outbound spam detection — Policy-based encryption Partial — Pre-configured compliance policies for SSNs and all CCs Partial — Pre-configured compliance policies for HIPAA,GLBA,PCI — Smart Identifiers—algorithmic checks of structured data - __ Managed Dictionaries—pre-defined and updated libraries - 17 Email Filtering, Encryption, DLP: RFP SS-2012-40, curQ Due 4/1/12, 10:00 am MST. . .. Advanced proximity and correlation analysis Document fingerprinting for protecting digital assets Flexible encrypted message delivery(including mobile devices) — — Per-message encryption keys — DLP incident dashboard for administrative remediation — TLS encryption between partners without a separate fee — Management and Reporting MessageLabs Proofpoint Zero-hour message tracing,with tracing of phishing messages — Zero-day reporting,with summary of phishing messages — Email delivery of reports,with summary of phishing messages — — Publishing and scheduling of reports — — DLP Dashboard—consolidated view of compliance activity — End User Controls MessageLabs Proofpoint Self remediation for outbound spam and DLP violations — End-user encryption controls — Brand-able span quarantine and digest — Personalized and streamlined configuration of safe/block lists — Deployment Options MessageLabs Proofpoint Public Cloud — — Hybrid deployment options — Dedicated instances for segregation of data and downtime — _._ ' Techdleal Comparison between Clseo(frornPort)and Proofpoint Enterp t,-. :r Defenses Against Targeted Attacks(Phishing) Cisco Proofpoint Granular and configurable policies for phishing messages �._ - Separate quarantine for phishing messages — Real-time notification and alerting of phishing messages Partial — Automated delivery of reports for phishing messages — Defenses Against Traditional Threats(Spam,Virus and DoS) Cisco Proofpoint Separate policies for Spam,Virus,Bulk,and Adult — Separate quarantine for Spam,Virus,Bulk,and Adult — Spam effectiveness and false positive SLA - - 100%Anti-virus SLA,with selection of engines — Reputation-based spam detection — — Reputation self remediation — Global safelists and blocklists -- -. Email connection throttling and termination — — Machine learning technology for accurate content analysis — Zero-Hour Anti-virus detection for zero-day protection — — Defenses Against Other Threats(Inbound and Outbound) Cisco Proofpoint Outbound spam detection Partial — Policy-based encryption — — Content filtering of Office 2007,Office 2010,and PDF attachments — — Pre-configured compliance policies for SSNs and all CCs — — Pre-configured compliance policies for HIPAA,GLBA,PCI — — Smart Identifiers—algorithmic checks of structured data — Managed Dictionaries—pre-defined and updated libraries — Advanced proximity and correlation analysis Partial — Document fingerprinting for protecting digital assets Streamlined encrypted message delivery for mobile devices — _ Encrypted messages delivered as JavaScript(Java is easily exploitable) — . _ ,_ ..a Per-message encryption keys — — Encryption branding customization Partial — ICAP integration with Web proxies for Web 2.0 compliance — Management and Reporting Cisco Proofpoint Centralized reporting and quarantine Partial — . Consolidated and aggregated logging for multiple devices — . 18 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. Email firewalt policy customization Partial — Zero-hour message tracing,with ability to find phishing messages — Zero-day reporting,with summary of phishing messages — Automated publishing,scheduling,and email delivery of reports — — DLP Dashboard—consolidated view of compliance activity — End User Controls Cisco Proofpolnt Self-remediation for outbound spam and DLP violations — . End-user revocation controls for encrypted messages — — Streamlined reporting and auditing of spam messages — — Deployment Options Cisco Proofpolnt Public cloud jSaaS) Partial — . Private cloud(Virtual appliances-unlimited instances at no extra charge) — . Hybrid deployment options — — Dedicated instances for segregation of data and downtime — -- IPv6 — Technical Comparison between Barracuda and Proofpolnt Enterprise Defenses Against New Threats And Targeted Attacks(Phishing) Barracuda Proofpoint Granular policies for phishing and spear-phishing — Separate quarantine for phishing and spear-phishing —_ — Real-time notification and alerting of phishing attacks — Automated delivery of reports for phishing messages — Defenses Against Traditional Threats(Spam and Virus) Barracuda Proofpoint Reputation-based spam detection — Machine learning technology for outbound spam detection Granular spam classification and dispositions — Five minute spam updates for up-to-date protection — Zero-Hour Anti-virus detection for zero-day protection — — Rate controls for prevention of denial of service attacks — — Email Compliance(DLP and Encryption) Barracuda Proofpolnt Policy-based encryption Partial — Deployed in audit mode—deliver and quarantine violations — Pre-configured compliance policies for SSNs and all CCs Partial — Pre-configured compliance policies for HIPAA,GLBA,PCI Partial — Smart Identifiers-algorithmic checks of structured data — Managed Dictionaries-pre-defined and updated libraries — Advanced proximity and correlation analysis — Document fingerprinting for protecting digital assets — Flexible encrypted message delivery _ — Per-message encryption keys — Message annotations based on policy or detected language — — - DLP incident dashboard for administrative remediation • .-- - ICAP integration with Web proxies for Web 2.0 compliance — Management and Reporting Barracuda Proofpolnt Real-time reporting and message tracing — — Email delivery of reports — — Publishing and scheduling of reports — DLP Dashboard-consolidated view of compliance activity End User Controls Barracuda Proofpolnt Self remediation for outbound spam and DLP violations — End-user encryption controls — Streamlined reporting and auditing of spam messages — Deployment Options Barracuda Proofpoint Appliance — — Software — Private Cloud — — Public Cloud — - Hybrid deployment options — . . — 19 t IV Email Filtering, Encryption, DLP: RFP SS-2012-40, � cura Due 4/1/12, 10:00 am MST. Technical Comparison between Axway-Tumbleweed(MailGate product)and Proo/pOptEriterprlse Email Security(Antl-Spam and Anti-Virus) MaIlGate .:`Proofpoint 99%spam effectiveness and 1:350,000 false positive SLA — 100%Anti-virus SLA _ Reputation-based spam detection -- Machine learning technology for outbound spam detection — Granular spam classification and dispositions — Five minute spam updates for near real-time protection _ — � Zero-Hour Anti-virus detection for zero-day protection — — Email Compliance(DLP and Encryption) MailGate Proofpoint Poli�f-based encryption Partial Pre-configured compliance policies for SSNs and all CCs — — Pre-configured compliance policies for HIPAA,GLBA,PCI Partial — Smart Identifiers—algorithmic checks of structured data — Managed Dictionaries—pre-defined and updated libraries — Advanced proximity and correlation analysis _ . - . — . - Flexible encrypted message delivery — Per-message encryption keys — Document fingerprinting for protecting digital assets — DLP incident dashboard for administrative remediation — Management and Reporting MailGate Proofifpi tl, Real-time reporting and message tracing. — — Email delivery of reports -- — _Publishing and scheduling of reports — — DLP Dashboard—consolidated view of compliance activity — End User Controls MailGate Proofpoint Self remediation for outbound spam and DLP violations — End-user encryption controls Streamlined reporting and auditing of spam messages Deployment Options MallGate Proofpoint Appliance — — Software — Private Cloud — — Public Cloud — Hybrid deployment options — 20 TV Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. fir. • How many organizations have implemented your solution overall? 2400+ • How many organizations are still running your solution with an active maintenance and support contract (i.e., lifetime customer retention)? We have greater than 90% renewal rate. In each year since the launch of our first solution in 2003, we have retained over 90% of our customers. • Provide the name of the oldest, active customer of your solution. Kaiser was one of our first customers and continues as a customer today. • How many organizations have implemented your solution in the past fiscal year? Please refer to information on Proofpoint S1: http://www.nasdaq.com/markets/ipos/filing.ashx?filingid=7918679 • Please describe the customer industries you service. Proofpoint solutions are deployed through all industries; Financial, Healthcare, Education, Government, Retail, Energy, Technology, etc. • Please provide information in relation to three(3)customers who have implemented a solution similar to Weld County. Include company name, location, inception date, and solution specifics. State of Colorado 601 E 18th Ave Ste 250 Governor's Office Of Information Technology Denver, CO 80203-1492 Inception Date: 7/31/2009 Proofpoint Solution Specifics: Proofpoint Protection—included: (Spam Detection, Virus Protection, Zero Hour AV, Proofpoint Dynamic Reputation, Smart Search) Proofpoint Privacy— included: (Regulatory Compliance, Digital Asset Security, Proofpoint Encryption) Catholic Health Initiatives 1999 Broadway Ste 2605 Denver, CO 80202-3050 Inception Date: 6/16/2011 Proofpoint Solution Specifics: Proofpoint Protection - included: (Spam Detection,Virus Protection, Zero Hour AV, Proofpoint Dynamic Reputation, Smart Search) Proofpoint Privacy— included: (Regulatory Compliance, Digital Asset Security, Proofpoint Encryption) Country Financial 1711 Ge Rd Bloomington, IL 61704-2286 Inception Date: 9/21/2009 Proofpoint Solution Specifics: Proofpoint Protection—included: (Spam Detection, Virus Protection,Zero Hour AV, Proofpoint Dynamic Reputation, Smart Search) Proofpoint Privacy—included: (Regulatory Compliance, Digital Asset Security, Proofpoint Encryption) Simmons First National Corporation 501 Main St Pine Bluff, AR 71601-4327 Inception Date: 9/29/2011 Proofpoint Solution Specifics: Proofpoint Protection- included: (Spam Detection, Virus Protection, Zero Hour AV, Proofpoint Dynamic Reputation, Smart Search) Proofpoint Privacy- included: (Regulatory Compliance, Digital Asset Security, Proofpoint Encryption) Proofpoint Archive- (email archiving and ediscovery) 21 .µ Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. Integration Category Requirement Response MS Office Does your solution work with MS Office Yes: The Proofpoint solution works with products? Exchange 2003, 2007, 2010, Office365, • What years of MS Office do you and Active Directory support MS Office Can Users easily navigate and perform Yes:a Send Securely button can be their primary job tasks with little-to-no and provided. easy access features that are based on the If the governance options are added the familiar look and feel of MS Office user can be prompted for document products. classification information. Web Client Does solution offer a SSL web-based Yes: SSL,Web-based client interface to Interface interface, Telnet, Secure Shell? Proofpoint Encryption message access. No: Telnet protocol is not supported due to inherent security problems. Web Client Solution offers the full feature set of a Yes:The Proofpoint solution offers Interface client-based solutions through a web browser independent secure access for deployable interface for Weld external web external users. This includes access for access mobile device users. Web Client Solution offers an easy open feature Yes: The Proofpoint solution offers Interface solution through a web deployable access to any individual or organization interface whether they are other receiving an encrypted email. This access organizations or individual customers who uses the HTTPS port 443 to secure the are receiving our email. entire transaction. Product Encryption solution provides the ability Check all that apply Integration screen content from these locations: • BlackBerry ✓ BlackBerry • iPad ✓ iPad ✓ iPhone • iPhone ✓ Windows Phone • Windows Phone ✓ Droid • Droid ✓ Standard Client • Standard Client ✓ Outlook • Outlook ✓ Web Client • Web Client V Java Web Client • Java Web Client ✓ Business Application • N/A SharePoint (Proofpoint does • Business Application not encrypt data at rest) • SharePoint • N/A URL string (Proofpoint does • URL string not encrypt HTTP traffic) Product Does the solution automatically detect Yes: Both cases are supported by the Integration recipients that are also using the same Proofpoint solution. vendor's products, and does it encrypt for 22 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. the product they are using? The Proofpoint solution can also support Desktop to Gateway encryption should this • Automatic gateway-to-gateway be needed. encryption • Automatic gateway-to-desktop encryption Product What delivery methods does the solution The only requirement for a recipient of an Integration offer to recipients who are not also using email message is that the recipient have the vendor's products for: access to a WEB browser. The browser selected is the choice of the message Browser Pull (secure portal) recipient. The browser may run on almost any Operating System, on an iPhone, • Is the portal hosted as part of a SaaS Android or any smart phone or mobile architecture? device. • Can the portal be branded to match The portal may be part of an SaaS your Web site? architecture. It may also be part of an on- • Is English and Spanish automatically premises appliance or VMware appliance supported? deployment. • How is registration accomplished? The Portal can be branded to match any web site. The product also supports multiple brands for different departments or groups of users. English and Spanish deployments can be supported. Recipient registration is a fairly standard WEB commerce type of action. The Recipient supplies a name, selects a password, and selects from a list of password recovery questions. Product Does the solution support custom Yes: These requirements are Integration password rules implemented using a Password Policy. Each Password Policy can define number • Password length of characters, use (or not) of special • Alphanumeric, special characters characters, use (or not)of mixed case Password expiration characters, use (or no) of digits as a • requirements for an acceptable password. • Password re-use limitation The system also supports use of more than one Password Policy that can be applied to various users and or groups of users. There is currently no re-use limitation feature. Product What delivery methods does the solution The only requirement for a recipient of an Integration offer to recipients who are not also using email message is that the recipient have the vendor's products for: access to a WEB browser. The browser selected is the choice of the message Browser Push (encrypted attachments) recipient. The browser may run on almost any Operating System,on an iPhone, • Can the message be customized with Android or any smart phone or mobile your company's brand? device. • Are English and Spanish automatically The portal may be part of an SaaS 23 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 411/12, 10:00 am MST. supported? architecture. It may also be part of an on- • How is registration accomplished? premises appliance or VMware appliance • How are password changes and deployment. message recovery accomplished? The Portal can be branded to match any web site. The product also supports multiple brands for different departments or groups of users. English and Spanish deployments can be supported. Recipient registration is a fairly standard WEB commerce type of action. The Recipient supplies a name, selects a password, and selects from a list of password recovery questions. Product Must the sender be involved to reset No. The recipient can cause a password Integration passwords? reset. System administrators may also cause a password reset. There is no case where the message sender is involved with this process. Product Must the sender resend the message after No. Integration the password is reset? Product What is the maximum encrypted message The system default is 20 Megabytes Integration size supported by the solution? maximum size. Product Does the solution provide a method for Yes: The system can be configured to Integration anyone to initiate an inbound secure permit individuals to connect to a URL and message to your organization (i.e. a create an Encrypted message addressed "secure contact us" function)? to your domain. Product Does the solution offer other remediation Yes: All of these items are offered. Integration actions in addition to encrypting? The system also offers the feature of • Blocking/Routing Smart Send. This feature will notify an • Forwarding originator if a message contains sensitive • Cc: content. The originator will be prompted to • Adding custom header and/or footer select a remedial action such as forcing text encryption or not sending the message. • Logging Product What is done to handle potential private Messages with sensitive content can be Integration content in bounces (to ensure the bounced encrypted prior to leaving the Proofpoint message does not travel in clear-text, system. Thus even if the message were without encryption)? to bounce, it is still encrypted and no • How about in the case of a Reply to sensitive data is exposed. all? Response Profiles define how (or even if) message replies and or message forwarding are controlled. In no case will a reply or forward be sent in clear text. Product How can the your solution ensure that The SPAM detection and Anti-Virus Integration 24 Email Filtering, Encryption, DLP: RFP SS-2012-40, f CuriaDue 411/12, 10:00 am MST. malicious HTML is not added to engines do deep content inspection of all messages? messages and attachments. This includes searching for HTML content, JAVA scripting, ActiveX scripting and imbedded PERL scripts. Software Service Solution Category Requirement Vendor Response Software Is your solution delivered as a Software Yes: SaaS or Proofpoint on Demand is Solution Service model, if yes answer question an available deployment option. below Software Does the infrastructure have any Yes: Proofpoint on Demand data centers Solution certifications and accreditations, such as are audited SAS70 Type II certified. SysTrust or SAS70 Type II They are also SSAE16 certified. An additional option is a FISMA compliant deployment. Software Will you sign a Business Associate Yes: This is normal business process Solution agreement to show that your solution is HIPAA, HITECH &GLBA Compliant? Software Can your solution cover our entire user- Yes: The solution can protect an entire Solution base or just a subset user base. There is the option to restrict the solution to a sub-set of users if this is needed. Software What hardware and/or Software Proofpoint on Demand: The SaaS Solution components have to be deployed on your solution deploys everything at the site to make this solution work Proofpoint Data Center VMware or Hardware: The solution is deployed on the customer site. The only remote component of this solution is the Hosted Key Service which manages encryption keys. Software Would there be any components that we No: The Proofpoint solution is deployed Solution would have to supply on our own as a complete package. The customer needs to supply one or more SSL certificates as part of the solution. Software How are hardware failures addressed? Proofpoint on Demand: Service level Solution • What are the uptime guarantees agreements (SLAs)define system available time as 99.999%. There is a financial component to this SLA VMware or Hardware: Hardware redundancy will be configured to insure High Availability needs are met. Software How are updates and patches managed Updates and patches are configured to Solution be applied automatically. The Customer can override this in the event that defined change control systems need to be considered. Software How does your architecture scale to meet VMware or Hardware: The Proofpoint 25 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. Solution changing environments solution will scale both horizontally or vertically. The system can deploy higher capacity equipment if needed. The system can also deploy additional equipment(agents)if needed for additional capacity. Proofpoint on Demand: Capacity upgrades are provided as needed by Proofpoint as part of the SaaS deployment contract. Software Do you have a dedicated team to handle Yes Solution lexicon-related issues Software Does the solution include automatically- Yes:There are over sixty defined reports Solution generated reports and alert notifications delivered with the Proofpoint system. Any or all of these reports can be configured for automatic distribution via email and/or via HTML posting. These are easily customized, if needed, to more accurately present data that is of interest to the report consumer. Auditing/Reporting Category Requirement Vendor Response Auditing Solution provides the ability to access a N/A These features are available as an document-level audit trail. optional Proofpoint product: Enterprise Governance Auditing Does your solution provide an out-of-the N/A These features are available as an box audit trail optional Proofpoint product: Enterprise Governance Auditing Describe what is natively tracked in your N/A These features are available as an out-of-the-box audit trail. optional Proofpoint product: Enterprise Governance 26 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. Deployment/Architecture Category Requirement Vendor Response Deployment Can the system cover our entire user-base Yes—entire user base. Plan or just a subset Deployment What work is required to deploy your Effort to deploy Proofpoint is minimal. For Plan solution into production PoD Deployment complete the pre deployment questionnaire (used to gather specific information for operations team to create your dedicated cluster). After this Proofpoint Professional services will schedule a series of calls to configure and test Proofpoint prior to rolling out in production. If you select an on-premise deployment(physical appliance or virtual appliance—VMware)the same series of professional services calls will take place. In the case of physical appliance you will need to rack and assign IP address. In the case of virtual appliance —you will receive a welcome letter with a download link to ISO image. Deployment How long will it take to deploy your solution Both the Proofpoint physical and virtual Plan on our production servers options are hardened appliances. You will simply need to change your MX record to point to Proofpoint for inbound mail and change your smart host to point to Proofpoint for outbound. This is accomplished very quickly once Proofpoint is configured. Deployment Do you have a formalized deployment Yes- please reference sample PSO for Plan Plan? both on-premise appliances and PoD Deployment Does your installation team provide a Yes -please reference sample PSO for Plan project plan and assign a project manager both on-premise appliances and PoD Deployment How many resources are required to move A single resource is all that is needed to Plan your solution into production? move Proofpoint into production. Deployment What is the deployment risk associated None Plan with your solution? Deployment What are the hardware and software Please reference attached pre-installation Plan requirements for us to host this solution requirements for Proofpoint appliance- ourselves based and virtual appliance based products. Each system is licensed for the Proofpoint modules selected (Proofpoint Protection/Proofpoint Privacy) Deployment What components are offered as part of Proofpoint Protection — included: (Spam Plan your solution. Detection, Virus Protection, Zero Hour AV, Proofpoint Dynamic Reputation, Smart Search)and Proofpoint Privacy— 27 Email Filtering, Encryption, DLP: RFP SS-2012-40,Due 4/1/12, 10:00 am MST. included: (Regulatory Compliance, Digital Asset Security, Proofpoint Encryption) Architecture Which of the following technology AES standards are included in your solution • X.509 • RSA • AES • 3DES Architecture How does the Architecture scale meet VMware or Hardware: The Proofpoint changing requirements? solution will scale both horizontally or vertically. The system can deploy higher capacity equipment if needed. The system can also deploy additional equipment (agents) if needed for additional capacity. Proofpoint on Demand: Capacity upgrades are provided as needed by Proofpoint as part of the SaaS deployment contract. Architecture How are high availability and disaster Proofpoint on Demand: Service Level recovery handled Agreements dictate a minimum of 99.999% uptime. VMware or Hardware: The Proofpoint system can be deployed to meet both HA and DR requirements. The systems in a cluster can be configured with sufficient capacity that even in the event of a failure, email processing will continue. The systems can also be deployed in a geographically dispersed configuration to further insulate against individual component failures. Architecture Product based: (On-site solution or Gateway—Yes hardware) Encryption —Yes • Gateway product Proofpoint Enterprise Privacy and • Encryption product Protection is available in the following deployment options: Cloud/SaaS, on Premise (physical and virtual appliances), and hydrid (combination) Architecture Hosted Service: (Cloud computing) Gateway—Yes • Gateway product Encryption -Yes • Encryption product Architecture System provides a single interface for the Yes: Configuration and administration are configuration and administration. done via a WEB based GUI Architecture Solution allows for ease of configuration, in Yes: The Proofpoint system is deployed that most administrative tasks can be done with the expectation that virtually all by an internal resource as opposed to a configuration work can be done by client third-party software expert. staff. 28 Email Filtering, Encryption, DLP: RFP SS-2012-40, CLJ("Q Due 4/1/12, 10:00 am MST. Architecture Quantify the number of configurable As an extensive, highly customizable options in your solution. solution, Proofpoint can be configured in basic to advanced functionality. The options and defined policy are essentially unlimited. Encryption I Content Management Category Requirement Response Encryption What email encryption standards does The following are supported: your solution support? TLS, SMTP, Other • TLS Other: 256 bit AES symmetrical • S/MIME encryption. • Open PGP • SMTP • PKI • IBE • IB-PKI • Other, please explain Encryption Is Transport Layer Security (TLS)the Yes/no: TLS encryption is available protocol used by your solution to provide where this is appropriate. secure (encrypted and authenticated) Proofpoint Encryption using FIPS certified connections. crypto libraries is available for all other cases. Encryption Which TLS mode is used in your solution: Both cases are available. These can be configured on a domain specific basis. 1. Server only authentication mode- (In the server only authentication mode,the server is required to have an SSL certificate that enables it to authenticate itself to the client.) 2. Server and Client authentication mode- (In the case of server and client authentication, both the server and the client have an SSL certificate to enable mutual authentication without the need for passwords) Encryption Is TLS used for remote users/partners to TLS is used as part of the delivery decrypt and recrieve emails via reverse process. Proofpoint Encryption uses a proxy SSL connection? symmetric key encryption/decryption process for protecting the actual message content. Encryption Does your TLS solution require No: Selected domains can be configured configuring the enterprise email server to to require TLS. In other cases, TLS will enforce the use for all connections be used if available. Encryption Does your solution require the use of TLS No: Proofpoint has no control of systems on subsequent hops from the enterprise with which it does not directly email server 29 Email Filtering, Encryption, DLP: RFP SS-2012-40, ,. �. CLIlIrO Due 4/1/12, 10:00 am MST. communicate. Encryption Is the solution designed for true seamless Internal (originators) use can be email encryption so that our internal and/ configured for a completely transparent or external users will have a completely experience. transparent user experience)? External (recipients)users will need to authenticate prior to accessing encrypted messages. Encryption Can the solution automatically determine Yes: There are several mechanisms what messages should be encrypted? which assist in making this determination. Encryption Does the solution automatically decrypt The system is usually configured to inbound messages, such as replies? provide auto decryption of these messages. Note: This configuration could be altered to meet the requirement implied on RFP Page 1, Solutions, Email Encryption paragraph. Encryption Are attachments scanned and encrypted Yes: The entire message, headers, when sensitive data is identified? Subject line, Body, and any attachments are all scanned for content. Encryption What methods does the solution support Yes: All of these methods are available in to trigger encryption? the Proofpoint solution. • Sender recipient address or domain • Keyword • Lexical content analysis • Can a custom button be installed to trigger encryption Encryption How does the solution detect protected Each of these examples are supported. health information, personal and financial Proofpoint's Smart Identifiers can very Information? accurately identify Credit Card numbers, • An "identifier"that can be used to Social Security numbers and other uniquely identify an individual. content. Examples: Proofpoint also supplies and maintains • patient ID, customer ID. SSN HIPAA required dictionaries • ii. A health or financial term or phrase Encryption If Lexicons are used,what Lexicons are Lexicons utilized in your solution: provided in your solution ✓ Identifiers • Identifiers ✓ SSN • SSN ✓ Health terms • Health terms ✓ Financial terms • Financial terms ✓ Credit cards • Credit cards ✓ CA, MA and NV privacy laws — • CA, MA and NV privacy laws components of these laws are • Health research included in other dictionaries and 30 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. • Profanity Smart Indentifiers ✓ Health research ✓ Profanity Encryption How are encryption/decryption keys The Proofpoint Hosted Key Service (HKS) managed? provides key management. The HKS is resident in and redundant across the Proofpoint SAS70 Type II data centers. There is a 99.999% uptime SLA associated with this service. Encryption Does the solution include a central public Encryption Keys are accessable (and key repository? usable) only to the system that encrypted • Is it accessible globally to all of the the message and produced that specific vendor's other customers? key. Encryption How does the solution handle key A system administrator can select specific revocation? keys for revocations. Key can be expired by age based on policy defined by the system. The system can be configured so that message originators can manage keys that were generated for their own messages. Encryption Will you have access to your private No: This is a symmetric key encryption decryption keys? system. As such, there is no separate decryption key. Mobile Device Does the solution support delivery of Yes Encryption encrypted messages to mobile devices? Mobile Device How is easy is it for the user to read a The user must authenticate prior to Encryption mobile message? Can the message be reading any encrypted message. rendered directly on the mobile? The message is decrypted and presented to the user. The encryption key is never distributed to any device for message decryption. Security Administration Category Requirement Response Other Content Describe your solution's ability to publish N/A Mgmt select content onto removable media (CD/DVD) in an encrypted format, allowing access to a self-contained/runtime version of your client. Other Content Describe your solution's ability to send The Proofpoint system will encrypt and Mgmt documents as an encrypted PDF. send any attachment type. Workflow Does the product include tools for N/A-We do have the ability to assign a managing policy based workflow for severity level ( low, medium, or high)to inbound and outbound email? an incident. We can also limit which If yes, which ones? administrators can access specific DLP 31 IM Email Filtering, Encryption, DLP: RFP SS-2012-40, ; cur()Due 4/1/12, 10:00 am MST. incident Folders. E-Mail Solution allows e-mails and attachments to Yes:Any message (with or without Attachment be automatically scanned for Content attachment)can be scanned as it transits without any user intervention or data entry. the system. E-Mail Solution allows e-mails and attachments to Yes: This is a core portion of the Attachment be automatically scanned and Encrypted if Proofpoint solution. content falls within a policy based standard without any user intervention or data entry. PC1 Compliance Describe how your system manages The Regulatory Compliance Module can highly-sensitive information (i.e., payment accurately detect Credit Card numbers, card information), adhering to the PCI ABA routing numbers, Social Security compliance standard. Numbers and many other types of sensitive information. When this type of information is detected system policies can be applied. For example, the message could be rejected, automatically encrypted, redirected to a compliance officer for further action, or even send a notification to the originator for direction of message disposition. Scalability Category Requirement Response Scalability After our initial investment, if we intend to Up to the processing capacity of the add additional departments, describe how deployed Cluster(s), additional your software could accommodate this departments can be added from the growth Administrative interface. Scalability Can you solution support multiple Yes application and web servers in a load balanced configuration environment for redundancy. Scalability Please provide examples of scalability Individual users do not generally access using real customer examples and the Proofpoint system directly as part of metrics: email processing. • Peak number of users in a single Proofpoint Clusters are deployed that instance at one time process as few as several hundred • Peak number of scanned content messages per hour. The Cluster concept scales up to customers who process more documents per hour than half a million messages per hour. • Peak number of documents ingested per day Licensing Category Requirement Response Licensing Describe how your software licensing Licensing is based upon an aggregate model promotes multi-departmental total of user in the environment. As adoption and/or enterprise growth. additional user licenses are required a prorated license cost is determined at the 32 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. overall volume level of the account.These licenses are then aggregated together annually for a co-terminus renewal. Licensing Does your solution offer both dedicated Yes— based upon user count we "true up" user and concurrent(pooled) Client access licensing on an annual basis. licenses. Licensing How does your solution handle Primary Licensing is tied to overall user count and client access licenses is therefore independent of access method • User that accesses the system either or user definition. over the web or via a desktop • Client access license which is not bound to either web-based access or desktop (thick client)access. Licensing Does your solution require the purchase of Domain specific SSL certificates will be special certificates or licensing required. 33 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. Implementation • Describe your implementation processes and procedures. Implementation processes and procedures depend upon the deployment method selected by Weld County. Please refer to "Proofpoint Protection Server — PSO and Proofpoint on Demand PoD - PSO" as attached in the appendices. • Provide the number of your proposed staff that will work on this project along with their job titles and qualifications Please see "Proofpoint Protection Server — PSO and Proofpoint on Demand PoD — PSO" as attached in the appendices. • Describe the roles and responsibilities the vendor will have during an implementation. Please see "Proofpoint Protection Server — PSO and Proofpoint on Demand PoD — PSO" as attached in the appendices. • Describe the roles and responsibilities the customer will have during an implementation. Please see "Proofpoint Protection Server — PSO and Proofpoint on Demand PoD — PSO" as attached in the appendices. • Provide a sample of the structured project implementation plan utilized. Please see "Proofpoint Protection Server — PSO and Proofpoint on Demand PoD — PSO" as attached in the appendices. • Describe the number of customer resources necessary for on-going maintenance of the system. A single administrator can maintain the on-going operations of the Proofpoint solution. • Describe the number of environments (test, production, web) supported in an implementation of your system and the cost of each. At the election of Weld County, test and development scenarios can be tested outside of production. There would be no cost to the County to setup these scenarios outside of production. Technical Support 1. Describe your technical support organization and structure. Proofpoint has Two levels of technical support: Level 1, Level 2. Our Level 1 support is highly skilled and can be compared to the industry Level 2. Over 85% of all cases are resolved at Level 1. Level 2 deals with longer timeframe, more complex issues and potential bugs. We believe that our customer service and support provide a competitive advantage and are critical to retaining and expanding our customer base. We conduct regular third-party surveys to measure customer loyalty and satisfaction with our solutions. Proofpoint Support Services We deliver 24x7x365 customer support. We offer a wide range of support offerings with varying levels of access to our support resources. Proofpoint Professional Services and Training With our security-as-a-service model, our solutions are designed to be implemented, configured, and operated without the need for any training or professional services. For those customers that would like to develop deeper expertise in the use of our solutions or would like some assistance with complex configurations or the importing of data, we offer various training and professional services. Many implementation services can be completed in one day and are primarily provided remotely using web-based conferencing tools. If requested, our professional services organization also provides additional assistance with data importing, design, implementation, customization, or advanced reporting. We also offer a learning center for both in-person and 34 Email Filtering, Encryption, DLP: RFP SS-2012-40, cur()Due 4/1/12, 10:00 am MST. online training and certification. 2. How many support centers do you operate? Proofpoint support centers are around the world: Rochester NY, Sunnyvale CA, Salt Lake UT, Monterey Mexico, London UK, Malaysia, Tokyo Japan. 3. How many support staff are available daily to provide assistance? 50 Technical Support Engineers are available. 4. What hours is your Technical Support department available? 24/7/365 5. Describe how support issues are logged. Each support issue is assigned a priority by the customer through Proofpoints support tracking system (CTS)which can be utilized on-line or via Proofpoints 800 support line. CTS offers four priority levels (P1-P4). Based on the priority level given to the issue will determine the guaranteed callback time. Realistic callback times are more immediate then stated in support SLA'S. Please see attached documents: (Technical Support Guide and Proofpoint Support Service Program) All service incidents and support requests are tracked and managed in Proofpoint's Call Tracking System (CTS). This is a web-based support portal available to customers. Customers, Proofpoint Support Personnel and Proofpoint Account Managers can make comments and add attachments to the support case. The complete history of support cases is maintained, and the customer has access to search through their cases. Additional resources on CTS include an extensive knowledge base, news channels, user forums, FAQ's, product updates, and access to Proofpoint documentation. 6. Describe the designated support representative that will be assigned. If you elect to upgrade your support contract to Premium Lite or full Premium, you will be assigned with a designated Technical Account Manager. More information about the Premium Lite and Premium programs can be found at http://www.proofpoint.com/support/premium- servicesphp. 7. Provide a means to check the status of an issue online. Proofpoint utilizes an online support tracking system (CTS)which allows customers and engineers to interact and respond to issues. The Proofpoint Call Tracking System (CTS) is designed to facilitate easy and open communication between our customers and the different departments within Proofpoint. Support involves as many team members as necessary to resolve your issues in a timely manner. 8. Detail your problem escalation procedure. In the event that a customer experiences difficulties contacting technical support, not receiving the level of support that is expected or feels the need to escalate an issue beyond its current level, please use the following escalation procedure: 1. Indicate that you would like your call to be escalated by making a comment in the CTS call tracking your issue or by telling the technical support engineer over the phone that you would like your issue to be escalated 2. The technical support engineer will acknowledge the request to escalate, make a corresponding comment in the CTS call, will notify the support manager of the escalation and copy the support manager on the CTS call 3. The support manager will work with the customer to formulate a course of action that are acceptable by both parties to bring the issue to resolution 4.The support manager will document the agreed upon course of action in the CTS call 35 TY Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 4/1/12, 10:00 am MST. 5. Once a call has been escalated, the issue will be reviewed with Proofpoint management 6. If during the resolution of the issue you are unsatisfied with the results you are seeing, you may indicate to the support manager that you would like your issue to be further escalated 7. The support manager will acknowledge the request to escalate, make a corresponding comment in the CTS call, will notify the support director of the escalation and copy the support director on the CTS call 8. The support director will work with the customer to formulate a course of action that are acceptable by both parties to bring the issue to resolution... repeat to VP of Client Services, SVP of Sales, CEO Software Support 1. When was the first version of your solution released? Proofpoint email security platform was introduced in 2003. Proofpoint encryption was released in 2009. 2. Describe how consistently new versions of the software are released. New versions are released three times per year—Spring, Summer, and Fall. 3. Describe how we're notified of upcoming Version/Level/Releases Announcements are sent via email from the Proofpoint support portal (CTS). Additional methods such as marketing email and webinars are also utilized. 4. Describe how software changes or enhancements are incorporated into a release. Input is gathered from many sources: market analysis, customer feature requests, and requests from internal teams (support, development, etc). These items are prioritized and planned into upcoming releases based on the size of effort and the primary theme of the given release. 5. Explain how long a release is maintained. Releases are supported for 2 years from time of initial release. 6. Detail the software license costs or upgrade costs typically incurred with an upgrade to a new release. Upgrades are included with the subscription cost. The only additional cost would be if you wish for Vcura or Proofpoint to perform the upgrade on your behalf. 1. Do you provide a train-the-trainer technique within your training offerings? Yes, train-the-trainer options are available. Please refer to "Proofpoint Education" in appendices for additional class level and delivery method information. Additionally, please refer to document "Informing your user community about email filtering" in appendices. 2. How many staff in each training session? Typical onsite classes are provided in units of eight participants with 24 being the maximum recommended. More participants can attend, however, access to the software labs could be limited with more than 24 attendees. 36 ry Email Filtering, Encryption, DLP: REP SS-2012-40, Due 4/1/12, 10:00 am MST. Y. Proofpoint Hosted— Proofpoint On Demand Item Qty Price Enterprise Privacy— 12 Months: 1700 $41,802.00 (Regulatory Compliance, Digital Asset Security, Encryption) Enterprise Protection — 12 Months: 1700 $30,716.00 (Spam Detection, F-Secure Virus Protection, Zero-hour Anti-Virus, Dynamic Reputation, Smart Search) Platinum Level Support— 12 Months: 1700 $0.00 Proofpoint Enterprise Security Associate Training (WBT) 1 $0.00 Proofpoint Enterprise Service SaaS Initiation 1 $2,400.00 Total $74,918.00 PLEASE NOTE: Training—proposed training is for(1)resource to obtain Enterprise Security Associate—Web Based Training. Based upon design/configuration of solution,we believe this single resource can then provide instruction to remainder of Weld County team and users. Should Weld County desire Professional/Certified Engineer training a separate proposal will be provided. 37 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. Weld County Hosted—Virtual Appliance Option Item Qty Price Enterprise Privacy— 12 Months: 1700 $26,598.00 (Regulatory Compliance, Digital Asset Security, Encryption) Enterprise Protection— 12 Months: 1700 $27,215.00 (Spam Detection, F-Secure Virus Protection, Zero-hour Anti-Virus, Dynamic Reputation, Smart Search,Virtual Edition Technology) Bronze Level Support— 12 Months: 1700 $0.00 Proofpoint Enterprise Security Associate Training (WBT) 1 $0.00 Remote Installation Services—Virtual Edition Appliances 1 $2,400.00 (up to 3 Virtual Appliances) Total $56,213.00 PLEASE NOTE: ESX Server required— Pricing does not include license for ESX Server.Weld County would be responsible for providing. Training - proposed training is for(1)resource to obtain Enterprise Security Associate—Web Based Training. Based upon design/configuration of solution, we believe this single resource can then provide instruction to remainder of Weld County team and users. Should Weld County desire Professional/Certified Engineer training a separate proposal will be provided. 38 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. Weld County Hosted-Appliance Option Item Qty Price Enterprise Privacy- 12 Months: 1700 $26,598.00 (Regulatory Compliance, Digital Asset Security, Encryption) Enterprise Protection— 12 Months: 1700 $23,664.00 (Spam Detection, F-Secure Virus Protection, Zero-hour Anti-Virus, Dynamic Reputation, Smart Search) Bronze Level Support— 12 Months: 1700 $0.00 P650 Messaging Security Gateway Appliance 1 $8,500.00 Proofpoint Enterprise Security Associate Training (WBT) 1 $0.00 Remote Installation Services— New Appliance 1 $1,200.00 (Per Appliance) Total $59,962.00 PLEASE NOTE: Training— proposed training is for(1)resource to obtain Enterprise Security Associate—Web Based Training. Based upon design/configuration of solution,we believe this single resource can then provide instruction to remainder of Weld County team and users. Should Weld County desire Professional/Certified Engineer training a separate proposal will be provided. 39 Email Filtering, Encryption, DLP: RFP SS-2012-40, Due 411112, 10:00 am MST. Enterprise Archiving Option Item Qty Price Enterprise Archive- 12 Months: 1700 $84,150.00 (eDiscovery & End User Access— Unlimited Storage) A360 Email Archiving Appliance 1 $3,995.00 (Platinum Level Support— 12 Months: 1700 $0.00 Remote Installation Services— New Appliance 1 $1,200.00 (Per Appliance) Total $89,345.00 Why should your organization be archiving email? The majority of a company's business-critical data is stored in email — data that impacts revenue, business decisions, corporate reputations and end-user productivity. With all of this at stake, it's not surprising that email is subject to a growing range of legal, regulatory compliance, and business requirements. It's also not surprising that email can cause serious storage issues for businesses. By providing a secure, searchable, and centralized repository for email, an archive can address the full range of legal, regulatory, business and storage challenges presented by email. In recent years, the archiving of email messages has become a business requirement driven by numerous federal and state regulations including Sarbanes-Oxley, SCE 17a 3-4, HIPAA, and NASD rules. With more than 10,000 regulations on data and record retention currently in force in North America, very few business are exempt from some form of regulatory scrutiny. With a policy-driven archiving system in place, email can be checked for compliance with regulations, and then retained for the appropriate amount of time based on email content. These solutions can also reduce the risk of inappropriate content being exchanged, as employees can be alerted when an email doesn't comply with company policy. Proofpoint Archive is an on-demand email archiving solution that addresses three key challenges — email storage management, legal discovery and regulatory compliance — without the headaches of managing an email archive in-house. As a software-as-a-service solution, it can be deployed in days, with minimal upfront costs and planning. And because Proofpoint takes care of everything from storage to security issues, the archive can be easily managed by your existing IT staff. Why Emait Archiving? Here are some common requirements that drive email archiving initiatives: 1. Storage Optimization 2. Regulatory Compliance 3. eDiscovery 4. Retention Policies 5. Litigation hold 6. Early case assessment 7. Supervision for Regulatory Compliance 8. Eliminate PST use with end-user access to archive Requirements for an email archiving solution: The volume of email communication is exploding. Advances in application technology and architecture make solving very large data problems easier than ever before. It's now possible to deploy an enterprise email archiving solution that enforces flexible data retention policies and supports rapid eDiscovery without impacting IT resources with disruptive tasks—and entail tangible legal risk. 40 Email Filtering, Encryption, DLP: RFP SS-2012-40, cura Due 4/1/12, 10:00 am MST. The solution must meet several stringent requirements: Flexibility: The ability to quickly automate and enforce retention policies as they evolve, as well as the ability to scale and provide linear performance as a business evolves and grows. Security: The solution should archive messages in a secure tamper=proof repository according to detailed retention policies, as required by FINRA and other regulations. If the solution takes advantage of cloud storage, it must adhere to the highest security standards and be audited by third parties as evidenced by SAS 70 II, ensuring that data is secure in transit and at rest. Precision and Agility: A solution must be able to quickly execute legal holds in anticipation of litigation, and then enforce the holds with complete transparency and documented audit trails to ensure maximum defensibility of process. Storage-savvy Architecture: To avoid runaway storage costs, the solution should take advantage of technologies that can reduce the size of stored data without jeopardizing the archive's integrity. Additional, solutions that leverage cloud-based storage should be considered in order to cost effectively partition and distribute the data load so that performance does not deteriorate as the archive grows. Ease of Use: • The solution needs to be easy to use so compliance officers, HR managers, legal counsel, and other authorized users can search archives without passing all requests through otherwise-occupied IT engineers. • End users can take advantage of the archive to perform daily searches of their own archives so they can find the business information they need to do their jobs. Ease of Integration: The system must integrate easily with enterprise email infrastructure, such as MS Exchange and Active Directory, and support evolving eDiscovery standard protocols such as EDRM XML, so that data can be seamlessly passed for downstream legal review. Up-front and Lifetime Cost: The system should be deployed in weeks or days, rather than months or years. Enterprises need to be able to address archiving and eDiscovery requirements today, not a year from now. • To meet this requirement, enterprises should consider the advantage of SaaS architectures that manage and store email communications at a secure, third-party data center in the "cloud". SaaS solutions can typically be brought online much faster than internal systems, which depend on already busy IT departments testing and provisioning new hardware and software. • Equally important, SaaS solutions typically cost far less that internal systems, both in terms of initial investment as well as lifetime total cost of ownership (TCO). SaaS archiving solutions eliminate the need for investments in dedicated hardware, expensive professional services, and additional IT staff, allowing enterprises a lower TCO than an on-premise solutions. With a SaaS solution, the increased need for data archiving can be accomplished on-demand, without any performance issues or downtime. • Enterprise email storage requirements are growing roughly 35% annually, so reducing expenses of on-premise hardware, storage, software upgrades, annual maintenance, and associated staffing and overhead costs through SaaS can have a significant impact on the total cost to address at enterprise's email archiving requirements. 41 Email Filtering, Encryption, DLP: RFP SS-2012-40, curd Due 4/1/12, 10:00 am MST. • Cost and time to complete Needs Analysis for each"Phase" noted in Section II-1 Included in this proposal is the primary remote setup and configuration of the system. Including needs analysis and strategy.As noted below, full deployment should take from two to five days (start to finish). Pricing provided is scheduled based upon full deployment of 1700 users. Should the County wish to break this schedule down into smaller phases we can provide pricing based upon the user volume of each phase. • Cost and time to complete configuration and application set-up for each phase Included in this proposal is the primary remote setup and configuration of the system. Configuration and application setup for each phase can be completed by the Weld County Administrator. Time to complete each phase depends upon policy and user count but should not exceed a couple hours per phase. • Cost and time to provide training to designated Security Staff, and users Included with each deployment option is Web Based training for the Weld County Administrator, this can be accomplished in a couple hours. The primary administrator can then educate Security Staff or arrangements can be made for additional Web Based sessions. Users are typically educated through notice from the administrator. Please reference "Informing your user community about email filtering" in the appendices as an example. • Projected time line, Start to Finish for each phase, if applicable Overall implementation of Proofpoint solution, independent of deployment method, is expected to take two to five days (start to finish). Phase deployment plan will be at the election of Weld County and simply entails defining policy and adding the Phase group to the system. Minimal time is required of the Weld County administrator to make these additions. • Provide a cost breakdown for basic software package Please refer to Pricing in selection of preferred deployment method. • Provide a descriptive list of what is included in basic software application package Please refer to Pricing for details of solution. • Provide a cost breakdown for suggested additional add-on product for your software solution that are not included in the basic package price. Please provide details about how this solution will benefit us based off of our requirements. Please refer to optional Archiving pricing and benefits. 42 Email Filtering, Encryption, DLP: RFP SS-2012-40, curb Due 4/1/12, 10:00 am MST. ,o, i® g4,1, so IC) Elii x - a i cn rx a w (I ik-- I R .4p C 9 na 2. o F s. 0 w i — - i \__. p I 13 9 , N 1 z Q mli II spout0 t1 i ll O 1I; ,a c W = O. lit 43 Email Filtering, Encryption, DLP: RFP SS-2012-40, curb' Due 4/1/12, 10:00 am MST. 111 T. Ill 1 i f v..,.., E C ? 1 f i i i . _______._.__,._z_._____ --- Do] i ----__AiE4---- __ P F I liCrY—I- I ' I { i _ ------♦- ----I.-. -*- -'�--+------- tai -71 II? I lafr.--1--L-T-I Ei .---1 0 8 I % CI 0 i il I to i h- in I {I I 1 I 3 .'. ii, ii f 1 . I i N I 1 ii c i [1 iliTi 1)1111 1 I I a .! • E , - -1 xtf fly ° St O 1, Y i>: 11 8O C A IL i if ,i 0 ....% et 44 proof point Proofpoint Product Family Pre-Installation Requirements This document summarizes the pre-installation requirements for Proofpoint appliance-based and virtual appliance- based products.To easily integrate an appliance into your network,ensure the ports listed in each table are open for the master and each agent(if you have a cluster of master and agents). IP addresses and other installation requirements are listed where applicable. Proofpoint Messaging Security GatewayTM and Proofpoint Messaging Security GatewayTM Virtual Edition — Release 7.0 This section describes the hardware specifications, IP address requirements, and port requirements for the appliance and virtual appliance. Requirements • A static IP address and hostname for each appliance. • The IP addresses of at least two DNS servers. DNS servers must be accessible by each system in the cluster:master and every agent. • The hostname, MX record or IP address of the internal system that will receive filtered mail from the appliance. • The list of domains for which you receive email. Hardware Specifications for the P-Series Appliance P-360 P-650 P-850 P-850M Form Factor:2 U Rack Form Factor: 1 U Rack Form Factor: 1 U Rack Form Factor: 1 U Rack ) Height: 1.68"(4.27 cm) Height:1.68"(4.26 cm) Height:1.68"(4.26 cm) Height: 7.44 ((4441 c 9 g Width:17.44"(44.31 cm) Chassis Width: 16.60"(44.70 cm) Width: 78.99"(48.24 cm) Width: 18.99"(48.24 cm) Depth:26.80"(68.07 cm) Depth:21.50"(54.61 cm) Depth:30.39"(77.20 cm) Depth:30.39"(77.20 cm) V,/ei9 ht:57.54 lbs(26.1 Weight:26 lbs(11.80 kg) Weight:39 lbs(17.69 kg) Weight:39 lbs(17.69 kg) kg) Single 250 Watt Power Dual 502 Watt Power Dual 502 Watt Power Dual 870 Watt Power Power Supply Auto switching Supplies(Energy Smart) Supplies(Energy Smart) Supplies Auto switching 110/220V Auto switching 110/220V Auto switching 110/220V 110/220V lx 64-bit Dual-Core/4T Single Quad-Core Intel Dual Quad-Core Intel Dual Quad-Core Intel Processors Intel 13-2100,3 MB Xeon E5530 Xeon X5560 Xeon X5560 Cache,3.1 GHz Memory 8 GB 6 GB 12 GB 24 GB RAID Battery Backed RAID Battery Backed RAID Battery Backed RAID Battery Backed RAID controller-RAID 1 Controller-RAID 1 Controller-RAID 1 Controller-RAID 0+ 1 Disks 2 x 250 GB SATA Disks 2 x 300 GB SAS Disks 2 x 300 GB SAS Disks 6 x 300O8 SAS Disks Network 2 x Gigabit BaseT 4 x Gigabit BaseT 4 x Gigabit BaseT 4 x Gigabit BaseT 1 of 3 Proofpoint Confidential and Proprietary©2012 Revision B—March 2012 Virtual Appliance Supported platforms for the virtual appliance: VMware ESX Server 4.0, ESXi 4.0, ESX 4.1, ESXi 4.1,and ESXi5 See the Proofpoint Messaging Security Gateway Virtual Edition Installation Guide for system requirements and download information. Ports Ensure the following ports are open for the master and each agent(if you have a cluster of master and agents). Note: Please see https://support.proofpoint.com/article.cgi?article id=132318 for information about the IP addresses that need to be accessible from your Proofpoint master and agents. Port Direction IP Addresses Explanation 25(SMTP) Inbound and Outbound All Required to send and receive email. 53 Outbound All Required for DNS in all cases.Required (UDP/TCP) for Proofpoint Dynamic Reputation if you are using this feature. 80(HTTP) Outbound All Required for the Zero-Hour Anti-Virus Module to communicate with the Proofpoint Attack Response Center. 443(HTTPS) Outbound from master All Required for product upgrades and Optional— for upgrades and updates.The IP addresses for Proofpoint 10020 updates. update servers will change as-needed in (HTTPS) Outbound from master order to provide the most reliable update and all agents for service possible. Proofpoint Encryption. Required for Proofpoint Encryption and Inbound for Secure Secure Reader,if you have licensed this Reader nodes. module. To take advantage of the End User Digest feature and Web Application,you will need to enable HTTP commands and allow port 443 access to the server. Optional-for backward compatibility,you can choose port 10020 for these purposes. 22(SSH) Inbound 208.86.202.10 Required for Proofpoint support. (Access 10000 208.84.66.21 may be disabled when not in use.) (HTTPS) 208.84.67.21 3306(DB) Inbound Proofpoint agents to the Proof point Required for database synchronization master,and if applicable,also the from agents to master. Quarantine master. 10010 Required for message transfer from (HTTPS) agents to master. 10000 Inbound All Internal IPs to the Proofpoint Required for web-based administrative (HTTPS) master. access. From master to agents,and if applicable,also from master to Required for log consolidation and Quarantine master. If you have a configuration synchronization. Quarantine master-for quarantine consolidation. 2 of 3 Proofpoint Confidential and Proprietary©2012 Revision B—March 2012 Port Direction IP Addresses Explanation 110 Outbound Internal POPS downstream mall To set up a dedicated email address and POP3 account (POP3) server(not on the appliance). on your existing mail system for the server to poll for end user Digest commands. If you choose to set up a POP3 mailbox,we recommend calling it spamdigest or something similar.The POP3 usemame,password and server information will be required during configuration. 1344 Inbound To the servers running the ICAP (Optional)Required to filter,block,and quarantine HTTP (HTTP)- service from the HTTP proxy traffic and general web traffic and HTTP posts. Optional servers. 161 Inbound SNMP management station to (Optional)Required to use Simple Network UDP/TCP Proofpoint servers. Management Protocol(SNMP)to monitor and manage (SNMPd) the appliance on your network.Inbound is required to have the Proofpoint appliance listen for polling requests 162 Outbound Proofpoint servers to SNMP from your SNMP installation. Outbound Is required to UDP/TCP management station. have the Proofpoint appliance send traps to the SNMP (SNMP) monitoring host. 389 Outbound Proof point master server to LDAP (Optional)Required for user import from LDAP or Active (LDAP) server. Directory server. 636 (LDAPS) 123(NTP) Outbound All Proofpoint servers to an internal Required for synchronization of system clocks. NTP server or to ntp.proofpoint com. 10946 Inbound From the Config Master to the Required for searches,search results,and Smart (TCP) Smart Search node. Search settings.Required only if Smart Search is licensed. 10947 Inbound From the Log node to the Smart Required to transfer sendmail logs and filterd logs to (TCP) Search node. If you do not have a Smart Search for indexing.Required only if Smart Log node,it is from the Config Search is licensed. Master to the Smart Search node. If you do not have a dedicated Smart Search node,but you do have a Log node,this port is for communication from the Config Master to the Log node. 3 of 3 Proofpoint Confidential and Proprietary©2012 Revision B—March 2012 SUPPORT SERVICES PROGRAM FOR PROOFPOINT CUSTOMERS Overview: The support services described herein are provided by Proofpoint to each Proofpoint customer ("Customer') pursuant to the terms and conditions of the applicable license agreement ("Agreement") between each customer and Proofpoint or between a customer and an authorized Proofpoint partner. Capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement. Subject to customer paying the applicable support related fees, Proofpoint will provide the support described herein. 1. Bronze Support services consist of the following: 1.1 Error Corrections. Proofpoint shall use commercially reasonable efforts to correct and/or provide a work-around for any error reported by Customer in the current unmodified release of the Software in accordance with the priority level reasonably assigned to such error by Customer. 1.2 Software and Documentation Updates. Proofpoint shall provide to Customer one (I) electronic copy of all updated revisions to the Documentation and one (1) electronic copy of generally released bug fixes, maintenance releases and updates of the Software (collectively, "Updates"). Updates do not include products or options that are designated by Proofpoint as new products or options for which Proofpoint charges a separate fee. Software releases are supported for the current and prior release that are designated by a change to the right of the decimal (e.g. 1.1 to 1.2). Prior to discontinuing support services for any Software product line, Proofpoint shall provide at least six (6) months advance notice on its support website. 1.3 Support Requests and Named Support Contacts. Technical support is available during the technical support hours for the primary support center specified on the Product Order Form. Technical support hours for the US are Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern Time (excluding Proofpoint holidays). Technical support hours for Europe are Monday through Friday, 7:30 a.m. to 5:30 p.m. CET (excluding Proofpoint holidays). Technical support hours for Asia Pacific are Monday through Friday, 7:30 a.m. to 5:30 p.m. JST (excluding Proofpoint holidays). Customer may initiate electronic Support requests through Proofpoint's web-based call submission and tracking system ("CTS") at any time. Support request submitted via CTS will be addressed by Proofpoint during the Support hours listed above. Customer will promptly identify two internal resources who are knowledgeable about Customer's operating environment and operation of the Proofpoint Products (collectively, "Named Support Contacts"). Named Support Contacts will serve as primary contacts between Customer and Proofpoint and are the only persons authorized to interact with Proofpoint Technical Support, including accessing CTS to submit and track cases. All Support requests will be tracked in CTS and Customer can view the status of Customer's cases on CTS at any time. 1.4 Platinum Support. In addition to the Bronze support services defined above, for an additional charge, Customer shall receive (i) two additional Named Support Contacts (for a total of four) and Proofpoint shall provide assistance for Priority I errors, as reasonably determined by Proofpoint, 24x7, 365 days per year; and (H) a dedicated phone line for submitting cases. Handling of non-Priority I errors will take place during the support hours specified in Section 1.3 above. 1.5 Premium Support. In addition to the Bronze and Platinum support services defined above, for an additional charge, Proofpoint will assign a designated Technical Account Manager to Customer's account. 2. Priority Levels of Errors and Responses In the performance of Support services, Proofpoint will apply the following priority ratings. 2.1 Priority I Errors. A "Priority I Error" means a Software program error which both (i) prevents some critical function or process from substantially meeting the Documentation and (ii) seriously degrades the overall performance of such function or process such that no useful work can be done and/or some primary major function of the Software or Appliance is disabled. Priority I Errors shall receive an initial response within one (1) hour (during standard Support hours referenced above), of the case being submitted to Proofpoint. In addressing a Priority I Error, Proofpoint shall use all reasonable efforts to develop suitable workaround, patch, or other temporary correction to restore operation as soon as possible. Proofpoint efforts to resolve a Priority 1 Error will include the following: (1) assigning one or more senior Proofpoint engineers on a dedicated basis to develop suitable workaround, patch, or other temporary correction; (2) Proofpoint Support Services Program rev 20110120 notifying senior Proofpoint management that such P1 Error has been reported; (3) providing Customer with periodic reports on the status of corrections; and (4) providing a final solution to Customer as soon as it is available. 2.2 Priority II Errors. A "Priority II Error" means a Software program error which both (i) degrades some critical function or process from substantially meeting the Documentation and (ii) degrades the overall performance of such function or process such that useful work is hindered and/or some major function of the Software or Appliance is not operating as expected but can be worked-around. Priority II Errors shall receive an initial response within four (4) hours (during standard Support hours referenced above). Proofpoint shall use all reasonable efforts to provide a workaround, patch, or other temporary correction as soon as possible. 2.3 Priority III Errors. Description: A "Priority III Error" means a Software program error which both (i) prevents some non-essential function or process from substantially meeting the Documentation and (ii) significantly degrades the overall performance of the Software or Appliance. Priority III Errors shall receive an initial response within eight (8) hours (during standard Support hours referenced above). Proofpoint shall use all reasonable efforts to provide a workaround, patch, or other temporary correction as soon as possible. 2.4 Priority IV Errors. A "Priority IV Error" means a Software program error which prevents some function or process from substantially meeting the Documentation but does not significantly degrade the overall performance of the Software or Appliance. Priority IV Errors shall receive an initial response within sixteen (16) hours (during standard Support hours referenced above). Proofpoint shall use all reasonable efforts to include a workaround, patch, or other temporary correction in the next Software update. 3 Customer Cooperation. Proofpoint's obligation to provide Support services is conditioned upon the following: (i) Customer's reasonable effort to resolve the problem after communication with Proofpoint; (H) Customer's provision to Proofpoint of sufficient information and resources to correct the problem, including, without limitation, remote access as further discussed in these policies, (Hi) Customer's prompt installation of all Software maintenance releases, bug fixes and/or work-around supplied by Proofpoint, and (iv) Customer's procurement and installation and maintenance of all hardware necessary to operate the Software. As related to Priority I Errors, Customer shall provide continuous access to appropriate Customer personnel and the Appliance (if applicable) during Proofpoint's response related to the Priority I Error or Proofpoint shall be permitted to change the Priority of the error. During the term of the Support services and for purposes relating to providing Support to Customer, Proofpoint may obtain information regarding Customer's e-mail communications and Customer agrees that Proofpoint may use any statistical data generated relating to Customer's e-mail. Notwithstanding the foregoing, Proofpoint shall not disclose the source and content of any such e-mail. 4. Reproducing Problems; Remote Access. Subject to the applicable Support services fees, Support services assistance is limited to Software on platforms that are fully supported, running unaltered on the proper hardware configuration. Where applicable for a reported error, Proofpoint will use commercially reasonable efforts to reproduce the problem so that the results can be analyzed. Proofpoint's obligation to provide the Support services described herein, including without limitation meeting the response times set forth in Section 2 above, is subject to Customer providing shell or Web-based remote access to Customer's computer system(s) and network. Any such remote access by Proofpoint shall be subject to Proofpoint's compliance with Customer's security and anti-virus procedures and the confidentiality requirements set forth in the license agreement between Proofpoint and Customer. Any delay occasioned by Customer's failure to provide the foregoing remote access shall extend the response time periods set forth in Section 2 accordingly and resolution of the problem may be subject to payment of additional fees. Prior to proceeding with work that will be subject to additional fees, Proofpoint will notify Customer and will not start such work until Proofpoint receives authorization from Customer. If Customer fails to provide remote access to its computer system(s) and network and Proofpoint and Proofpoint and Customer cannot agree on a mutually satisfactory alternative method of reproducing the problem, Proofpoint shall not be obligated to resolve the problem. Proofpoint Support Services Program rev 20110120 5.Support Services Conditions. 5.1 Support Issues Not Attributable to Proofpoint. Proofpoint is not obligated to provide Support services for problems related to: (i) unauthorized modifications and/or alterations of the Software, (ii) improper installation of the Software by non-Proofpoint personnel, use of the Software on a platform or hardware configuration other than those specified in the Documentation or in manner not specified in the Documentation, or (Hi) problems caused by the Customer's negligence, hardware malfunction, or third- party software. In the event Proofpoint provides Support services for problems caused by any of the above, Customer will reimburse Proofpoint for such services at the then-current time and materials rate. Proofpoint shall be entitled to discontinue Support services in the event of Customer's non-payment of Subscription Fees when due. 5.2 Exclusions from Support services. The following items are excluded from Support services: (a) In-depth training. If the Support request is deemed to be training in nature, and will require an extended amount of time, Customer will be referred to Proofpoint's training or consulting departments. (b). Assistance in the customization of the application. Support services do not include providing assistance in developing, debugging, testing or any other application customization (c). Information and assistance on third party products. Issues related to the installation, administration, and use of enabling technologies such as databases, computer networks, and communications (except an Appliance)are not provided under Proofpoint Support services. (d) Assistance in the identification of defects in user environment. If Proofpoint concludes that a problem being reported by a Customer is due to defects in Customer's environment, Proofpoint will notify the Customer. Additional support by Proofpoint personnel to remedy performance issues due to the user environment are categorized as consulting services, which are provided for an additional fee. (e). Installation. Support Services provided herein do not include the use of Proofpoint Support services resources to perform installation of updates or Customer-specific fixes. If Customer wishes to have Proofpoint perform services related to any of the above items, such services will be performed pursuant to a mutually executed SOW. 6. Description of Appliance Support Services. 6.1 Services. For as long as the Appliance purchased by Customer is under Proofpoint's Appliance warranty Customer shall contact Proofpoint for any and all maintenance and support related to the Appliance. If support for the Appliance purchased by Customer includes on-site support, Proofpoint shall provide or cause to be provided 8-hour response service during the support hours specified in Section 1.3. A technician will arrive on-site, depending on Customer's location and the availability of necessary parts, as soon as practicable (within the business hours specified in Section 1.3) after problem determination. Optional 24x7 service is available subject to Section 1.4. 6.2 Customer Obligations. Customer must also install remedial replacement parts, patches, software updates or subsequent releases as directed by Proofpoint in order to keep Customer's Appliance eligible for Support services. Customer agrees to give Proofpoint at least thirty (30) days written notice prior to relocating Appliance. It is Customer's responsibility to back up the data on Customer's system, and to provide adequate security for Customer's system. Proofpoint shall not be responsible for loss of or damage to data or loss of use of any of Customer's computer or network systems. Customer agrees to provide the personnel of Proofpoint or its designee with sufficient, free, and safe access to Customer's facilities necessary for Proofpoint to fulfill its obligations. 6.3 Exclusions. Appliance Support services do not cover parts such as batteries, frames, and covers or service of equipment damaged by misuse, accident, modification, unsuitable physical or operating environment, improper maintenance by Customer, removal or alteration of equipment or parts identification labels, or failure caused by a product for which Proofpoint is not responsible. Proofpoint Support Services Program rev 20110120 . j. Proofpoint Education — Classes and Certifications Advocate Level Course This course gives a very high level overview of Proofpoint products.The Associate level of certification is required for Proofpoint partners,but may also be obtained by any customer who is interested in our product lines. Associate Level Courses The associate level classes cover all day-to-day maintenance tasks for a given Proofpoint product. After obtaining this level of certification you should be comfortable with the interface and finding any information needed for daily tasks. Certified Engineer Courses This level of class should give a solid,working understanding of the Proofpoint product.After completing this certification you should have the ability to set up a product,do all common configuration tasks and perform basic troubleshooting. Perk: Completing this level of certification gives you the ability to have a full CTS account above the normal quota. Professional Engineer Course This level class is targeted at people who need a deeper understanding of the inner workings of a Proofpoint product.After obtaining this level of certification you should be able to create and maintain complicated r ule sets,perform in-depth troubleshooting and have a good understanding of the inner workings of the Proofpoint product. Perk:Completing this level of certification will make you eligible for the"Fast track"to support. Classroom(Proofpoint HQ or customer location) These courses are taught through a combination of presentations,demonstrations,and hands-on lab exercises.Live courses are delivered periodically at Proofpoint HQ or can be dedicated and customized for a specific customer. Web Based These courses are delivered as self-paced,web-based trainings.They allow students to interactively view both pre-recorded presentations and demonstrations,as well as interact with software simulators. _:� r .COd I I _i , e'I.' i, , ' ,• -„`t ! ,•. •16,1 , Ah,I �`... ,r ,.0 proofpolnt: Proofpoint Email Protection and Privacy Proofpoint Archive Advocate 1 hour web-based training(WBT) Gives a high level view of the entire Proofpoint product line. Recommended for Proofpoint product partners and anyone who would like to know more about Proofpoint's suite of email tools. Associate 2 hour web-based training(WBT) 2 hour web-based training(WBT) The Proofpoint Email Security Associate The Proofpoint Archive Associate course course covers the basics of Proofpoint Pro- covers the basics of Proofpoint Archive tection server administration from logging system from logging in through simple in through message tracing and working discovery,compliance and working with with support. legal holds. Recommended for all new Proofpoint Recommended for all new Proofpoint administrators,infrequent administrators Archive administrators,discovery users and and helpdesk personnel. compliance users. Certified Engineer 2 day live course or 8 hour(WBT) 1 day live course or 5 hour(WBT) The Proofpoint Email Certified Engineer The Proofpoint Archiving Certified Engineer course covers the ongoing maintenance of is a web-based training(WBT)course that the Proofpoint Protection server.It covers covers the configuration of Proofpoint log files,master-agent architecture,patches ARCHIVE.It also covers architecture,instal- and lation,setting policy,supervision and legal upgrades,software internals,system holds. troubleshooting,monitoring,typical main- tenance tasks and support issues. Recommended for system administra- tors and any other personnel who would Recommended for system administra- be responsible for actively configuring the tors,network managers,and information solution. security managers responsible for ongoing management of Proofpoint systems. Professional 2 day live course. Engineer The Proofpoint Enterprise Professional Engineer course covers the ongoing mainte- nance of the Proofpoint Protection server. It covers log files in depth,system internals and more advanced configuration and troubleshooting. Students are expected to have attended the Proofpoint Certified Engineer Training,or to already be very familiar with Proofpoint Protection Server administration. Recommended for advanced administra- tors. Proofpoint.Inc. 892 Ross Drive Sunnyvale.CA 94089 1.877.647.6488 '. proofpointcom _ u � r i ♦!.Oni I and<L r mt tN ,i rIIr I �7= 1fdv proofpoint. -I. To: Proofpoint Protection Server administrators From: Proofpoint Re: Informing your user community about email filtering Thank you for deploying the Proofpoint Protection Server. We suggest that you communicate to your user community the benefits that the Proofpoint Protection Server provides to your email infrastructure. In an effort to help you inform your user community about email filtering, we are providing you with this sample memo that you can modify and distribute. This memo explains how the Proofpoint Protection Server filters email messages at a high level and covers topics such as the Quarantine, End User Digest, the Safe Senders List, the Blocked Senders List, the Web Application, and self-services for end users. Customize the following memo, beginning with the "Introduction" to reflect your particular deployment. For example, if you do not allow the user community to add or delete Safe or Blocked senders, do not include the information that describes that feature. You can copy and paste the sections you wish to use, or modify the existing memo. Important: Remove the sections in this memo that are not relevant to your particular deployment and email community, and modify the sections to reflect your organization's setup. The information and instructions included in this memo use the product default names. If you rename links, buttons, or modules for the End User Digest, you should change them accordingly in your memo. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 1 Introduction The purpose of this memo is to explain how the email that originates from outside this organization is processed, and to describe the tools that you can use to manage your personal spam quarantine. This memo does not apply to internal email messages. To protect this organization from virus attacks and to protect you from receiving hundreds of spam messages, all incoming email is filtered by the Proofpoint Messaging Security Gateway— an anti-spam and anti-virus product. Proofpoint uses an advanced machine learning filtering technique called MLXTM' to ensure that no valid mail is improperly filtered. For more information about the Proofpoint Messaging Security Gateway and MLX, you can visit Proofpoint's web site at www.proofpoint.corn. We can also use the Proofpoint Protection Server to filter outgoing mail to deter the distribution of trade secrets or intellectual property or to filter for specific words that may indicate inappropriate content, including pornography or obscene and racist words. To further protect our organization's assets and confidentiality, we have implemented Proofpoint Encryption, technology which allows users to send and receive secure messages. How does email filtering work? All incoming (and outgoing) email is filtered by the Proofpoint Protection Server. Depending upon Proofpoint Protection Server rules and policies, messages that contain a virus, or spam, or inappropriate content can either be deleted or "scored." In the case of spam, the message score indicates the probability that the message is spam — so a message scoring 100 would have 100% chance of being spam (definite spam) and a message scoring 0 would have 0% chance of being spam (legitimate correspondence). Messages scoring high enough to probably be spam are quarantined, and messages scoring below 50 are sent directly to your inbox. What is the Quarantine? The Quarantine is a location on a server where email messages that are suspected to be spam are stored temporarily so that they can be reviewed and retrieved if necessary. System administrators have the ability to search for messages on a user's behalf. You may also review and take action on your own quarantined email through the use of the End User Digest. Messages that are not released from the Quarantine are automatically deleted after a designated period of time. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 2 What is an End User Digest? If email messages addressed to you were sent to the Quarantine, you will receive an email notification, called an End User Digest (or Digest), in your mailbox. The Digest provides you with a list of the messages addressed to you that are stored in the Quarantine. You can look at the message subject headers to determine their content and decide what actions you want to apply to the messages. You may also receive an empty Digest, which is simply an email message indicating that you have no messages in the Quarantine. You may want to receive a Digest even if it doesn't contain any messages, so you can continue to manage certain aspects of your email. How do I use the Digest? The Digest will provide you with a list of all of the spam that has been quarantined for your account since you received the last Digest update. You will see a list of these messages and columns that indicate the subject, sender, and time received for each email. You will have three separate links available to you to complete an action on each email message: • Release — releases the message from the Quarantine to your normal email inbox. • Safelist— releases the message from the Quarantine to your inbox and adds the sender to your personal Safe Senders list. All future email from this sender will not be checked for spam. • Report — reports that the message was a false positive (that is, it should not have been classified as spam). In this case, further training is done to ensure that similar messages are not caught as spam in the future. Other links in the Digest provide additional functionality. These links are not related to individual quarantined messages. The following links provide additional Digest management: • Request New End User Digest— immediately generates a new Digest with up-to-the-minute information about quarantined messages. Note: this Digest will contain a list of all messages currently in the Quarantine, not just those received since the last scheduled Digest update. • Request Safe/Blocked Senders list— sends you a list of all entries currently on your personal Safe and Blocked Senders List. • Manage My Account — allows you to change account preferences, as well as actively manage your Safe Senders and Blocked Senders lists using a web interface. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 3 What other features are available to manage my account? The Manage My Account link gives access to a separate web interface that will allow you to manage your Safe Senders and Blocked Senders lists, change the preferred language interface for your Digest, and adjust Digest preferences. To access these features, click the Manage My Account link in the Digest. A separate browser window pops up on your screen and your personalized account management page will load in this window. You do not need to authenticate to your account management page because a secure code is generated in your personalized Digest that ensures that only you have access to change your settings. You have the following options to choose from in your account management page. Click the name of the option in the left navigation pane: • Profile — controls Digest settings and language preferences. • Lists — provides tools to manage personal Safe Senders and Blocked Senders lists. Profile option to manage my account The Profile option displays a My Settings view and the Save, Request Digest, and Refresh links. Links: • Save — saves your settings each time you make any changes. • Request Digest— sends you an updated Digest. • Refresh — refreshes the view. My Settings: • Send digest with new messages — this is the default setting. You will only receive a Digest when you have new messages in the Quarantine. • Send digest even when I have no new messages —this choice will send you a Digest whether or not you have new messages in the Quarantine. If there are no new messages, you will receive an empty Digest. • Preferred Language —you can select a language from the drop-down list. This is the language that displays in your Digest and in your Manage My Account browser window. • What type of spam detection do you want? —you can select a spam policy from the listed choices. The policies determine how you want your email filtered for spam. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 4 Lists option to manage my account The Lists option displays the Safe Senders List and Blocked Senders List views where you can manage your personal lists of safe senders and blocked senders. The spam detection technology provided by Proofpoint's adaptive machine- learning engine is highly accurate and you are not required to add entries to your Safe Senders or Blocked Senders lists. This feature is available to you if want to create your own personal lists. Click Safe Senders List or Blocked Senders List in the left navigation pane to choose the list you want to manage. Links: • New— provides a text field so you can add an email address or domain to your list. • Edit— lets you make changes to an address already on your list. You need to first select (click the check box) for the address you want to change. • Delete — deletes the selected address from the list. • Select All — selects all of the addresses on the list. • Unselect All — un-selects all of the selected addresses on the list. • Request Digest— sends you an updated Digest. • Refresh — refreshes the view, Safe Senders List: Email sent from addresses or domains on the Safe Senders List will not be filtered for spam, but will be filtered for viruses. Blocked Senders List: Email sent from addresses or domains on the Blocked Senders List will automatically be discarded so that you will not receive future emails from them. Note: if a spam message does make it through to your inbox, you should not add that email address to your Blocked Senders List since spammers rarely use the same email address twice. Why do I get a warning message when I click on links in the Digest? It is normal to see an "Invalid Certificate" warning when clicking on the links in the Digest. You can safely accept the certificate warning and continue. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 5 How do I delete my messages in the Quarantine? There is no need to delete your messages in the Quarantine. If you do not release a message from the Quarantine, it will automatically be deleted after 14 days. If you look at the messages in your Digest and determine that all of them are spam, you do not need to do anything. The messages will automatically be deleted from the Quarantine. What is a Safe Senders and Blocked Senders list? There are two types of Safe Senders lists: the Global Safe Senders List and your personal Safe Senders List. Both are simply lists of legitimate senders of email. The email administrator controls the Global Safe Senders List, which applies to everyone in the organization. You control your personal Safe Senders List to which you can add the addresses of people, organizations, and mailing lists from which you do want to receive mail. If a sender's address is included in the Safe Senders List, the Proofpoint Protection Server does not filter the message for spam. (However, it still filters the message for a virus or inappropriate content.) There is also a Global Blocked Senders List and a personal Blocked Senders List. These lists contain addresses of people, organizations, and mailing lists from which you do not want to receive "junk email." What is a false positive? A false positive is an email incorrectly identified as spam. If an email message is scored as spam and sent to the Quarantine, but it really is a legitimate message from a legitimate sender, you can report it as a false positive. In the future, messages that have the same characteristics as the message you reported will not be placed in the Quarantine for containing spam. What is a false negative? A false negative is an email incorrectly identified as not spam. An email message that is incorrectly delivered to your mail box because it was not identified as spam can be reported as a false negative. Spammers are very clever and are always seeking ways to trick products like the Proofpoint Protection Server into delivering spam to your mailbox. Proofpoint sends frequent updates to our organization in an attempt to stay one step ahead of the spammers. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 6 What is a spam policy? Spam policies determine how the spam sent to you will be processed. For example, your spam could be deleted or quarantined. You can only select your own spam policy if you are allowed to Manage My Account. What is the Audit Messages section that appears in the Digest? The Audit Messages section that appears in your Digest indicates that you are a member of any group designated to audit messages. The messages listed under the Audit Messages section are all the messages that have been delivered to your mail box. If you determine that some of the messages that were delivered are actually spam (false negatives) you can report these messages to Proofpoint by clicking the "Report Spam" link next to the message. Members of the Spam Reporting Group help improve the spam identification process by reporting false negatives to Proofpoint for further analysis. What is the Web Application? The Web Application allows you to view your quarantined messages and manage your account using a web browser. Instead of waiting for a Digest in your inbox, you can log in any time to your account and release messages from the Quarantine, manage your profile settings, or manage your Safe Senders and Blocked Senders list. Your system administrator must provide the URL to the Proofpoint system so that you can use the Web Application. Bookmark the URL so you do not have to enter it each time you use the Web Application. Once you enter the URL into a browser you will be required to provide your login and password to access your profile and your quarantined messages. Use the same login and password that you use for your inbox. Login proofpoint> Username: Password: Login Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 7 If you see messages about certificates pop up, just click OK to continue. Your view to the Web Application The first view you see is My Profile, where you can change My Settings and manage your Account. On the My Settings page, you can make choices for your preferred language, whether or not you want to receive an empty Digest, and which spam policy you want applied to your email messages. proofpotnt ... � Profile My Setting* 6 D, sew T�Q tm,An,w2 m1-e,,I pee tmry f,tl l,xv Mx".. eNnOe (1 �d�t e`en wlmM1ne ronexxMeanmVfne Uu.pyeY HmW H na,m.m L+q.w Eyanwt J'iM Meof sDe dse[iv.Wfll WI?aieexe xelele,I&Ilt,mee fn to u_l Le,u b4Y iy.rn pcYr U H us 3enrye :2— _ae1Pb, The left side displays links for each of the asks you can complete in the browser: • Profile —You can change your preferences on the Settings page and view your email aliases on the Account page. • Lists — Safe Senders and Blocked Senders lists. • Quarantine — contains a list of your messages in the Quarantine. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 8 Account Click Account under Profile on the left side to view your email aliases. You cannot make any changes to this page. proof point Profile My Account my TAW r 0 Ernesoltoonntnanuom 6 Acme it Stieee Aires i'-. j Profile Y�eMM 3NoryWn I Release 7.0 Proof point, Inc. Proprietary and Confidential©2011 9 Lists Click Lists on the left side to view your Safe Senders and Blocked Senders lists. ,M„. j" x:L,. r proofpoin Lists Safe Senders List _._. MY Ride. Fnwlbfe» '9 Sae Semle»Lle,lli L' `v—•a = y Wood Senders ba y Lw. 3 eras a's— toursion To add a Safe Sender to your list: 1. Click Safe Senders List on the left side. 2. Click New on the top of the page. 3. Enter an email address into the field. 4. Click Save. Follow the same procedure to add entries to your Blocked Senders list. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 10 Quarantine Click Quarantine on the left side to view your messages in the Quarantine. This page displays messages addressed to you that were classified as spam and are sitting in the Quarantine. (Oro *Reece ,)tl Spa's a Went j a....• ,,,, proof point ,y..as..ew.Wa,MaNR.ml.ewn Ouarantlna Ouarandne NW FOSS --_. Sere --.Ikon _-_ SLLe[1 Date,' Slie _'3 Sodon a 30.. ❑ a 11O M,weep*ecaNMM O..4 Yusen You older approved 201.11.141t1k51 f lm 'J nuy Mexepex ❑ ®1n m,.4.M04-aaa .0 rowel 2001.11.141235:05 21W LI 6i 100 S.,waooloulwevWubhunean Ilia*you.ere III ready to lend aenw 54.0„et*dons or fi ,?N7.11.1412tt:lf 4 K n ®lfe &NpYnMBe1N.Ml 41Mw,aw.rem Munro leer ran! 1011-,1.Ia1MJ5:12 4 K • Li 120 X..avelooM,e.M, Raiey MI you meet a 6l who would say sMMes um*(11 .>1NA elf*WS 4RB • ®120 Muemw,wWa,enter 0 sae NI..Ca1Nmabn Md 2007.11.14 01:45:52 0KB ['I ril IN IVa4JlendallOs.lan .Add eana incise to the length en you Belo solve,Nlov.. 2N1-11.14 Ilan 4RB LI x,4101 momeetVtlpw...u.e lxyevl eNaadw,a wtlalwe }MI-If14fl:id.M 4RB [] IA 0* Mbe..lnSMya*Mksl,no,,..,Ygaade, 200141-1405:31* 01W n 21M N)NGSSv,Ne.,M 0W,PNUW attllotdtle prise }NI-11-14e26Mt 1RB :r unit 3 Prat LZ WaMMn You can apply several actions to the messages on this page. To select one or more messages, select the check box next to the message before you apply the action. 'arm .Rara,e 'w k.+ ds«a+ 44;":„., ._. _. :a,,, proofpoint� ut:wwl�.wM,. ouarv*ne Outsmart f::,new,u . .. ,.c.o 1Boo • A 4..d(yed WIN aze Iy1Mn.-_• mB.mwmB • Logout— logs you out of your Proofpoint profile and closes your session. • Select All — selects all of the messages so that you can apply the action to all of the displayed messages. (For example, you may have 100 messages in the Quarantine, but only 20 are displayed. The action applies to the displayed messages.) • Unselect All — unselects all of the selected messages. Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 11 • Request Digest— sends an updated Digest to your email inbox. • Find — displays the fields to search for a specific message using search criteria such as who sent the message, the subject line, or the age of the message. Quarantine I -lent 903 tirtsl �«I__ Look for Front ISubjed: All ,� [ Find Now [Clear ] • Refresh — refreshes the view on the page. For example, if any new messages have been added to the Quarantine while you had the browser open, they will be added to the list. • Delete — deletes the selected messages from the Quarantine. • Safelist— adds the sender of the selected message to your Safe Senders list. • Not Spam — releases the message to your inbox, and in the future, messages like this one will not be classified as spam. • Release — releases the message to your inbox. Audit Not everyone will have messages in the Audit view. Your system administrator decides who will be auditing messages. Auditing messages sends information back to your system administrators so that they can improve the email filtering process for your organization. Two additional actions are available in the Audit view: • Report Spam —this is a message that was not classified as spam, but it is indeed spam. It is a false negative. Future messages with these characteristics will be classified as spam. • Report Phish —this is a message that was sent by someone trying to (illegally) collect information about you. Typically, email messages like this one ask for credit card information or bank account information. How do I use Proofpoint Encryption? To send an encrypted email message, launch your favorite email tool and add the word [encrypt] to the Subject field. For example: To: mary@example.com CC: joe@example.com Subject: [encrypt] Meeting minutes from the quarterly review Proofpoint Encryption will automatically trigger a rule to encrypt the message because the word [encrypt] is in the Subject of the message. Release 7.0 Proofpoint, Inc.Proprietary and Confidential©2011 12 How do I decrypt and read an encrypted message? When you receive an encrypted message, you will see the following text: You have received a secure, encrypted message from the sender. Click the attachment in the message to launch a browser to authenticate so that you can decrypt and read the message. Click the attachment (SecureMessageAtt.htm) to authenticate so that you can decrypt and read the message. Note: If you see red X icons in the browser, your email client is blocking images. These images are typically the logo or images of the sender's organization. You can display the images or ignore them without affecting your ability to read the message. If you have not registered for Proofpoint Encryption, you will be prompted to create an account and choose a password on the Registration page. In the future, you will not be prompted to register. If you have already registered, or if your account already exits, you will be prompted to sign in and provide your password to decrypt the message. A More Info link is available if you need help. How do I reset my password? Your administrator can set up Proofpoint Encryption so that your password expires after a period of time. You will see a "Days until password expiration" message when you open a secure message. Click the link next to the expiration message to reset your password. If you forget your password and your administrator assigns a new temporary password for you, you will have to reset your password and select new security questions the next time you open a secure message. How do I use Smart Send? Many "violations" of email policy are not malicious violations at all — sometimes users send out an attachment by mistake, or need to send a message that includes information in it that is blocked by the Proofpoint Protection Server. Smart Send is a feature that allows users to send, send encrypted, or block the messages that were blocked by the Proofpoint Protection Server. Your administrator decides who can use Smart Send. You will receive a notification in your email inbox that indicates a message that you sent is blocked — it has not been delivered to the intended recipient. This Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 13 notification includes three links in it: Send, Send Encrypted, or Block. Click the link that is appropriate for the message that is blocked. • Send — delivers the message to the intended recipient. • Send Encrypted — encrypts the message before sending it to the intended recipient. • Block— the message is not sent. It remains in the Quarantine until it is deleted. Notification Blocked: New Message Wed 10.5'20101015 All proofpoint. Notification Blocked:New Message For - This message contains credit card numbers and may have violated company policy You can revue.v the policy here nci _S Please choose Send Send Encrypted or Block Note that this email has been logged Hely o Subject S end send Em:r,1r_I Hock - My Credit Card details-termxyzabc For more information contact your System Administrator po..•re1 0,v.arm.,•,p.mecro1 Seat' Release 7.0 Proofpoint, Inc. Proprietary and Confidential©2011 14 proofpoint' is 1 Proofpoint Threat Report January 2012 The following threat information details trends,changes,and specific threats that Proofpoint is seeing emerge across all Proofpoint customers and in the wider market place. Spam Volume Trends Spam volume in January was again essentially flat,down 1.7% Overall Message Volume-January 2012 from December.Even year over year volume was flat; it was down 62%,the same as December's Y/Y comparison.While spam volumes have dropped since the Rustock botnet went offline in March,2011,the critical nature of email attacks continue to escalate. 1/1 1/6 1/11 1/16 1/21 1/26 Overall Message Volume-February 2011 to January 2012 Mar-11 Apr-11 May-11 Jun-11 Jul-11 Aug-11 Sep-11 Oct-11 Nov-11 Dec-11 Jan-12 threat protection I compliance I archiving&governance I secure communication THREAT REPORT Source of Spam India continues its stranglehold as the world's top spam sending country. Poland and Spain appear on the list for the first time in the past 12 months. Korea,Brazil,and Pakistan continue their steady declines in spam volume. Top Spam Senders by Country 1 India 3 Indonesia 5 Korea 7 Vietnam 9 Brazil 11 Taiwan 2 EU 4 Russia 6 Pakistan 8 Poland 10 Romania 12 Spain c c c 5� ¢�'oe wee �'oe ��e a� -4-Korea "A ��ta t) ‘i^PJ% .A O&o +o e Oe�e 1# -a-Russia 1 - • ♦ A A A A A -*--India 2 }. .__. _ ' - -/e-Brazil - --EU 3 -- • A ■ ■ -0-Ukraine 4 Jo -t-Vietnam if .. 6 �♦ AUK 1 ----Taiwan 6 ---• ~<� -4k-Indonesia y ._.. . _. _.. . _. -,/-USA / �( \ -s--Romania 8 1 —.r-Belarus 9 L ___. _-__. `. — -- ..,f--- __.--Pakistan `"-. China r . \ - —4—Philippines I 4 \_ i .. ___ Poland 2/5 c'2012Rocfpimt Inc Roofpoint is a trademark of Proof point.:m_mtheUnitni Sten and oche coantde0.l other uadmarksecntmnd mein are property ofmar-eyenaeoaners @j12 THREAT REPORT Language Effectiveness Spam is of course sent in nearly every major language and the target is generally unrelated to the language of the email. For example, Indonesian spam began to appear in the United States in January. High effectiveness across languages is key regardless of the location of the organization being protected. English 99.92 I I r : 5 Japanese 9.77 Russian I II 99.87 Spanish 197.85, Chinese 97.$3 ' Portuguese 97.75 I German r 99.01 French I 98.76 Italian I C ' 98.41 Norwegian ) I 1 99.95 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 Threat News Verisign Hit by Hackers Although reported by Verisign in an SEC filing last October,news of the 2010 security breaches was just recently highlighted by the press.At this time,there are very few details regarding the attacks.While the description given by Verisign is vague, clearly it was serious enough to warrant the SEC filing. Verisign is responsible for key internet infrastructure such as DNS and,until August 2010,was a major provider of SSL certificates.A breach in either of these areas could cause major damage and much of it would be unseen by businesses and/ or individuals. http://www.reuters.com/article/2012/02/02/u s-hacl<i ng-verisign-idU STR E8110Z820120202 Phish Arrests in India As noted above, India has been the top spam-sending country since August,2011.The arrest of six foreign nationals in early January provides some hope that India is beginning to take cybercrime more seriously.The situation appears similar to that of Brazil in 2009/2010 as internet usage ramped up quickly but with little focus on security or law enforcement.The amount of spam sent from Brazil has dropped slowly but steadily over the past year as education and enforcement have taken place. http://www.bbc.co.uk/news/technology-16392960 Compromised Accounts Over the past several months,we've discussed the use of compromised accounts to send spam,phish,and other threats. While these accounts are just a small percentage of overall malicious email volume,their effectiveness is much higher than other methods because of the increased trust between sender and recipient(on many levels). This article in The Atlantic describes a personal view of a compromised email account and the potentially devastating impact it can have on an individual.However,it also details the various forces and reasons behind the hacks;a good reminder for all of us to review our own personal passwords and policies across the internet. http://www.theatlanti c.com/magazine/arch ive/2011/11/hacked/8673/1/ 3/5 22012 Proofpomt,inc Prooipalneb a trademark of Nafpa:e Inc m the United Sratraarduther coontres All other trademarks mntalretl teen am property of iheriesrettrveavrxs.0242 THREAT REPORT DMARC Lately,an organization just needs to throw the word phish in a press release and they will get many mentions by reporters and bloggers, most of which tout the information in the release without any investigation,or even interpretation,of the product or service.The latest is DMARC,a specification intended to help increase the effectiveness of SPF and DKIM to combat phishing and other deceptive email messages.The specification is intended to be submitted to the IETF for standardization later this year. DMARC may very well be a useful tool in some respects. However,with regards to phishing effectiveness, let's look at a few concerns. Phishing emails rarely use the actual domain of the organization being used in the phish message.For example,if the phish email is simulating Paypal,it's quite unlikely that paypal.com will be used in the sending address. Instead,variations of paypal. corn such as paypa199.com or paypal.emailsecurityhost.biz will be used to bypass SPF and DI<IM checks but still trick the user into thinking it's a Paypal message. One of the proposed benefits is to allow email clients to highlight signed messages from trusted brands.But what about compromised accounts?Are you really going to decrease the level of content scanning because the message has been signed? The same goes for safelisting,of course.Trusting email because it has a certain sender address,or even comes from a trusted host,will allow dangerous email into your environment at some point in time. DMARC will almost certainly become an important part of sender authentication,but it's important to note that due to the inherit pitfalls described above, neither it nor any other sender authentication method is going to have a major impact in stopping phish messages. Threat Models Hot Topics-Stratfor Following the hack of Stratfor and statfor.com in December,emails were sent to Stratfor subscribers (the email addresses were stolen during the hack) purporting to be from George Friedman,the Stratfor CEO.Like most campaigns,the content varied but the following sample shows the general approach. However,unlike most,the examples we've seen didn't actually lead to a further phishing exploit but were instead an example of rickrolling. http://en.wikipedia.org/wiki/Rickrolling from' ystratfm:om sent Zhu 16%20121 1o: Cr. Subject Pate St error f incident Pe:ponie For the video announcement,please see Mtp://www.youtube.comtwatch?v= Read full press release:http://bol.thexfil.esr Rate 5tratfor's incident response:http://img855.imageshack.us/img855/9055/ Hello loyal Stratfor clients. ip We are still working to get our websrte secure and back up and running again as soon as possible. to show our appreciation for your continued support,we will be making available all of our premium content•as a free service'from now on. We would like to hear from our loyal client base as to our handling of the recent intrusion by those deranged,sexually deviant criminal hacker terrorist I masterminds.Please fill out the following form and return it to me My mobile: My home phone:' 4/5 a2012Proofpont,Inc PrornoinaaludemadrnhRoofpoinUnc in the United Stain and othecamtnes.al other pulerarb:NU,net leek,arepopetyofthivreili2 treowned 0212 THREAT REPORT File Transfer Applications The use of file transfer products such as Dropbox and YouSendlt as vehicles to send spam began to rise in January.These products,and there are hundreds of them,require little to no investment to create an account and begin sending email.The content of the spam can be seen in either the original message or in the document available via URL in the message. Hot Topics—US Tax Season This campaign was sent in large volume near the end of January,preying on individual's con- cern about the upcoming US tax filing season and the popular Intuit TurboTax product.The content of the message and the spoofed sending address varied widely,but one important point was consistent the spammer was very sloppy and neglected to test the insertion of the actual URL into the message.Each message contained a placeholder URL which was part of the original spam template but wasn't replaced properly with the actual URL to be used to phish the user's credentials.Whoops! ring .MIT A:..onineorggrc betierubn^Mb'otvrs+ sent. tern 1,25!..1: sw.d rnwnr 0w,„orw.n,wnemron.,rnv_.o-a Helb, wilt intent to astute that enact data is being kept up on our systems,and to be able to give you batter queasy of service;INTUIT INC.has taken part in lite Internal Revenue Service DRS]Name and TIN Matching Program. For some mason your ame and/or Emp;oyer Identification Number,that we have on yow account n different from the Idtormarmn provided by the IRS. In order(overfly the information on your account.please enter the site vhttpif/fhR linef>. Regards, INTUIT INC. Corporate Headquarters 2633 Marine Way Mountain VHe w W.CA 94613 Amazon Web Services/Browser plug-ins Have you ever wondered how spammers use those fake videos on Facebook to generate cash?Our security partner F-Secure has written up a detailed explanation of an email attack using Facebook,Amazon's 53 file hosting service,and various browsers.While none of the techniques listed here is by itself unique,the description is a fascinating look into the exploits necessary to bypass many of the security measures in place to protect users,even down to using different options depending on the browser being used. http://www.f-secure.com/weblog/archives/00002304.html proof point> Proofpoint,Inc. 892 Ross Drive,Sunnyvale,CA 94089 Tel:+1 408 517 4710 www proofpoint.com 5/5 4;2012 Rmofpmnt.Ira Prot mimeatctdemaik of Proof pant.inc thy United Stars an tithe countdr.M other hatlemarhymnalrenherein ampioperty of tllsrreipnive mimes 01/12 THREAT REPORT y* % Proofpoint Dynamic Reputation High-Performance Connection Management and Email Reputation The Proofpoint Enterprise Protection'"Suite includes the industry's most powerful connection management features,powered by Proofpoint Dynamic Reputation'."Proofpoint Dynamic Reputation is the only email reputation service that uses a combination of local data and global reputation—analyzed by powerful machine learning algorithms—to block connections from malicious IP addresses.Proofpoint Dynamic Reputation provides enterprises with an accurate,first line of defense against spam,directory harvest,denial-of-service and other email-borne attacks,while delivering substantial bandwidth savings. Proofpoint Dynamic Reputation provides additional spam protection against botnets,and reduces the sheer volume of connections hitting any type of Proofpoint deployment. Proofpoint Enterprise 'r,• `: rx Protection Suite Proofpoint Dynamic Reputation can reduce inbound connection volumes by 80%or more.Proofpoint maintains Components the industry's most accurate and up-to-date database of reputation for IP addresses sending email across the The following comprehensive protection components Internet.It's the only email reputation service that uses a combination of local,predictive behavioral data and are offered through the globally observed reputation analyzed by powerful machine learning algorithms from Proofpoint MLX'"—to block Proofpoint Enterprise iin connections from malicious IP addresses, Protection Suuite. ncom g Proofpoint Dynamic The local reputation extends reputation-based protection against malicious attacks that are targeting that Reputation organization's systems,even if that organization is the only one being attacked,and there is no global reputation Connection management for data available yet for that IP.Once those IPs are identified,they are blocked or throttled locally,and are also powerful spam protection submitted back to the global database.This feedback loop ensures that all Proofpoint customers benefit Proofpoint Email from each other with the use of local knowledge.Each minute.hundreds of data points for all IP addresses are Firewall"' parsed with advanced machine learning algorithms to generate a score that represents the sender's reputation. Detects sensitive information in message content and Proofpoint Dynamic Reputation then uses these scores,combined with local behavioral data,to make intelligent subject line decisions about accepting,throttling or rejecting incoming email connections. Proof point Spam Detection" Proofpoint Dynamic Reputation Detects and eliminates spam Benefit and phishing attacks in any Feature language Multi-layed protection with Global reputation ensures defense against IP addresses known throughout the Proofpoint Zero-Hour global reputation network,while local reputation ensures defense against IP addresses that are only Anti-Virus" targeting that organization. Protects enterprises against Less than a one in one million Blocks up to 800/a of inbound SMTP connections with less than a one in one million new viruses and malicious false-positive rate false-positive rate code moments after then --- --- --- - -- - release One-minute refresh rate A one-minute refresh rate ensures the fastest response to new botnets or spam IPs and rapid"self-healing"behavior once IP addresses return to non-malicious behavior. Proofpoint Virus -- -- - Protection"' Maximum accuracy Hundreds of reputation related attributes are analyzed for each connection, A wide variety of enterprise- providing maximum accuracy. class virus solutions Customization of policies Rate control and traffic shaping policies can be easily customized based on an organization's unique needs. proofpolnt_ Proofpoint Dynamic Reputation Unlike reactive,static reputation services that are forced to make critical trade-offs between connection shed rates,detection accuracy and response time,Proofpoint Dynamic Reputation delivers the highest performance in all three areas at once. Rapid response times Proofpoint collects information on millions of IP addresses,using data collected from Proofpoint honeypots and customer sites.Proofpoint MLX continually parses hundreds of data points for all IP addresses in real time to generate extremely timely,accurate network reputation scores.Scores are updated every minute,and Proofpoint Dynamic Reputation reacts to new spam sources,such as botnets,up to an order of magnitude faster than competing email reputation solutions.Unlike publicly available RBLs/DNSBLs,Proofpoint ensures the quality and integrity of the data available in its service. Highest connection management and anti-spam accuracy By processing hundreds of reputation-related attributes at the global level,Proofpoint Dynamic Reputation always has access to the most comprehensive,accurate assessment of IP address reputation.False positive rates are less than one in one million.Proofpoint Dynamic Reputation delivers maximum load shedding and advanced connection management in front of the Proofpoint MLX spam detection engine,which delivers 99%or higher accuracy against spam.Proofpoint MLX automatically evolves with new spamming techniques to accurately stop never-before seen attacks,making Proofpoint Dynamic Reputation highly effective over time. Most accurate IP reputation Proofpoint Dynamic Reputation analyzes a wide array of reputation related attributes,including: • SPF(standard,best guess) • Percentage of spam,virus,phish and invalid recipients associated with IP • URL and domain block lists • DHCP addresses(zombies,botnets) • Image history(fuzzy matching) • Recipient list sizes About Proofpoint Proofpoint focuses Proofpoint Dynamic Reputation is a natural email security solution component,shedding large amounts of mail exclusively on the art and traffic at the connection level.Combining local,predictive behavioral data and global reputation deliver maximum science of cloud-based protection against malicious IP addresses.All Proofpoint Enterprise Protection deployments—whether SaaS or email security,eDiscovery and compliance solutions. on-premises—benefit from this unique combination of local and global reputation analysis offered in Proofpoint Organizations around Dynamic Reputation. the world depend on Proofpoint's expertise, patented technologies and on-demand delivery system to protect against spam and viruses, safeguard privacy,encrypt sensitive information, and archive messages for easier management and discovery.Proofpoint's enterprise email solutions mitigate the challenges and amplify the benefits of enterprise messaging. uProofpoint.the4 892 Ross Drive 'r Sunnyvale,CA 94089 1.877.647.6488, :,..:.. x'2010 rrourpt:nt,Inc.FroofpointProofpoint ntor pax Protaation.Prohloornt Spxo Dan choir Air forma Dynamo R..ptetcn_Prhcipoint?root Fr all.Proofpnlnt Vlus Prot r' Plocfpont Zoo-I lour Anti thrur and Prourpront NIL aro tradaararld,areharir ed[adorn:.k t Prot(pont,Inc int United St der the °untrin- www.proofpoint.com All other undernrks tontarmed herein e z p°perty espative oemeo 10;10 p { Ar 4109 Proofpoint Smart Search Enterprise-class Message Tracing, Log Search and Analysis Proofpoint Smart Search`"offers easy,real-time visibility into message flows across an organization's entire messaging infrastructure,using built-in logging and reporting capabilities with advanced message tracing, forensics and log analysis capabilities.Search,analyze and export message logs from the centralized graphical user interface,even across globally distributed Proofpoint deployments. Proofpoint Smart Search can be used by IT helpdesk staff to answer the most common email troubleshooting and investigation requests, without requiring any special training or access to an organization's Proofpoint deployments.Proofpoint Smart Search is intended to be used by both technical and non-technical personnel with an easy-to-use,intuitive interface for fielding common help desk questions. Proofpoint Smart Search Feature Benefit Real-time processing,indexing Real-time processing,indexing and correlation of all Proofpoint Enterprise Privacy and Proofpoint Enterprise and correlation Protection email logs. Powerful search features Powerful search features to trace sender,recipient,message subject and content across all agents in seconds. Easy-to-use search options Easy-to-use search options that support wildcards,and enable search by rules based on company policy. Easy-to-understand search Easy-to-understand search results display the delivery,timing,rule triggering,and disposition for any inbound or results outbound message. Easy access to quarantined Quarantined messages can be easily accessed from Proofpoint Smart Search results by simply clicking a link. messages Proofpoint Smart Search features a convenient web-based interface for browsing and searching message information.A search results pane translates data from raw message logs into easy-to-read,actionable information.Results show message time,sender,recipient,subject and all filter actions.Simple drill-down on individual messages exposes a detailed view that includes the rules that were triggered,message dispositions, MTA dispositions,destination IP address,and much more.Message data can also be viewed in its original,raw log format, With the easy-to-use search interface,messages can be located with pinpoint precision in seconds.Search for messages using awide variety of criteria including message sender,message recipient,subject,relative or absolute timeframe,sendmail QID,module ID,company policy based rules and Proofpoint session ID.Extended free-text searching allows users to build custom searches using regular expressions and Boolean operators. proofpoint. Proofpoint Smart Search With Proofpoint Smart Search,email administrators or IT helpdesk staff can instantly locate messages, understand how they were handled,and quickly respond to a wide variety of email troubleshooting or investigation requests.For example: • Message tracing:Proofpoint Smart Search can quickly locate a message and report on its delivery status. • Investigation:Proofpoint Smart Search has the ability to search for all messages using a variety of attributes (subject,sender,recipient,domain.etc.)to quickly and easily find information. • Forensics:Proofpoint Smart Search provides comprehensive details about message handling and delivery that enables administrators to easily determine the outcome and location of any particular message. • Compliance:Quickly find all messages related to a specific compliance incident or an entire class of violations. Proofpoint Smart Search helps users quickly understand which Proofpoint rules were triggered,and how messages were routed as a result. • Trend analysis:Proofpoint Smart Search makes it easy to mine information from consolidated archives of large,complex log files. Proofpoint Smart Search can locate any message across an organization's entire Proofpoint deployment in seconds,unlike other solutions that take more time due to unconsolidated logs and having to search each appliance individually. Proofpoint Smart Search consolidates logs from all Proofpoint agents—even across globally deployed clusters— and indexes them for rapid searching.Logs from multiple sources are automatically correlated for a 360-degree view of message handling and disposition.Log information is continuously updated so that within minutes of a message's receipt or transmission,details about that message can be found using Proofpoint Smart Search. ._.__,. smote..>eemcn ppay°t 011, Riga iO' P!ae.. 'w µf Peum Thaw vri5ux":m-5) __. . . _ ---- -- - --- -- en= About Proofpoint na Proofpoint focuses f exclusively on the art and science of cloud-based flfial Act. email security,eDiscovery and niztionsaousolutions. . "„ ,m �•,° ° °+sr" - F '^_-' "'"' Organizations around _• , X •�.��,,, a a «rs"� mar..",".°�""�, __",•r==tr •`"°°' the world depend on •�- °i"`°° Proofpoint's expertise, • .",...,..,,=U. W•r .r_ L w.�- �_ ( patented technologies a ti,w.. r', +r•>ea km _,>^ .^w+a'•ww�m^,,,",^'°^^'°-^"°`"""' and on-demand delivery WO 10.. , , 8 system to protect N ,,,_,,, M X•.a+•m".+mwa� against spam and viruses, CID •_�>'"r="• ^°'° °°""" safeguard privacy,encrypt ':m4,l „ x"-°°`"`:""m.'"°..m'""""_`"n„"'"."u°a° sensitive information, _ oton w m�w>:•r =•mr°�+-+"•��w•�^>� •°� �^�"^° • and archive messages for A t M1 "•°, ,o_ - =w. _ easier management and I discovery Proofpoint's enterprise email solutions mitigate the challenges and amplify the benefits of • Summary:Browse time,sender,recipient,subject and Proofpoint filter actions taken on messages within a enterprise messaging. given timeframe. • Detailed:Drill-down on individual messages with easy-to-understand detail tables. Roofvorntiffc:.. • Raw logs:View message data in its original log format.Click on any log element to easily narrow search criteria. 892 Ross orlve Sunnyvale.CA • Export results:Export search results in CSV or XML format. 94089 1877.647.6488 ,.. "2050 Iiiiithcont.Inc.Proof-print arid Furlpant SMAILSc"c6:vetr , aku a,.ter It itr in,of Lrcfro tIc.in din U td States cnd nth,r iiiiintrics All nth,trAdAinaild, undid Ike(_in nre pdipeny el rewei 10/10 y/ww.proofpoint.com t } �tt•i1 n. t * it a�N Proofpoint Spam Detection Enterprise-Class Detection and Elimination of All Types of Spam Proofpoint Spam Detection',"included in the Proofpoint Enterprise Protection'"Suite,delivers the most powerful and accurate approach to detecting and eliminating spam and phishing attacks in any language. Proofpoint has combined the most effective spam filtering methods with its breakthrough Proofpoint MLX`m machine learning technology to deliver the industry's highest spam effectiveness,greater than 99.8%,and lowest rate of false positives. Proofpoint Enterprise Protection Suite Powered by a machine learningg technology,Proofpoint Spam Detection(part of the Proofpoint Enterprise Components gy" P p P p Protection Suite)examines millions of possible attributes in every email—including message envelope headers The following comprehensive protection components and structure,images,sender reputation as well as unstructured content in the message body—to block spam, are offered through the image-based spam and phishing attacks,while automatically adapting to new attacks as they appear.In addition, Proofpoint nt Suite terpnse spamprotection is automatically kept up-to-date,ensuring maximum effectiveness at all times.Individually Protection itr. P P P controllable spam and adult content,phishing and bulk scores allow an organization to enforce zero-tolerance Proofpoint Dynamic policies againstpornographic s am.Anti-Anti-phishing features(including DKIM signing of outbound email and Reputation'" g P P g g g domain-based sender authentication techniques)stop the spread of phishing,and prevent the theft of personal Connection management for powerful spam protection information from employees. Proofpoint Email Firewall'" Proof point Spam Detection Detects sensitive information Feature Benefit in message content and subject line Proofpoint MLX Proofpoint MLX automatically evolves with new spamming techniques to • Proofpoint Spam accurately stop new attacks,staying highly effective over time.It is superior to simple statistical techniques and doesn't rely on signatures or fingerprinting Detection techniques,allowing Proofpoint to provide the most accurate spam detection. Detects and eliminates spam and phishing attacks in any Proofpoint Spam Detection Proofpoint Spam Detection provides bi-directional protection,ensuring that language the inbound email channels are adequately protected against spam,and that an Proofpoint Zero-Hour __ . __ _ organization's reputation is protected by filtering the outbound channel as well Anti-Virus- Bounce management Protects against the most advanced forms of spam,phishing,and zombie attacks, Protects enterprises against as well as addresses the newest forms of blended threats where malware is being new viruses and malicious delivered through an innocuous URL contained with a spam message.Bounce code moments after their management features block 100%of"backscatter"spam. release _.. No administrative intervention Blocks the most spam by examining millions of possible structural,content and Proofpoint Virus required reputational attributes in inbound or outbound email. Protection'" ---- --- Personalized quarantines and Individual end users manage their own questionable emails with personalized A wide variety of enterprise class virus solutions personal safe/blocked lists quarantines and personal safe/blocked lists. _. proofpofnt_ Proofpoint Spam Detection Proofpoint Spam Detection provides protection across multiple layers to eliminate traffic spikes caused by spam attacks and to ensure that end user mailboxes stay spam free. Connection-level analysis Proofpoint Spam Detection starts by testing numerous connection-level data points including DNS,MX record verification,SPF,recipient verification and reputation data.Based on this analysis,SMTP rate control is used to automatically block or throttle malicious connections.This provides outstanding protection against botnets, directory harvest and denial-of-service attacks,while shedding as much as 80%of all incoming SMTP connections when combined with Proofpoint Dynamic Reputation—a part of the Proofpoint Enterprise Protection Suite. Contextual,lexical and image-based analysis Proofpoint Spam Detection uses Proofpoint MLX to examine the content and context of messages using structural tests,English and foreign language inspection,pornography detection,malicious(spyware/phishing/ pharming)URL detection,image analysis,reputation analysis and any custom policies that are defined by an organization. With full support for double-byte languages,Proofpoint MLX provides outstanding protection against even hard-to-detect Asian language spam.Proprietary image analysis techniques included in Proofpoint MLX identify image-based spam that other solutions fail to catch.Additionally,an organization's spam protection is always kept up-to-date,ensuring maximum effectiveness at all times. Bi-directional spam filtering Proofpoint MLX powerful spam detection does not rely on reputation for its effectiveness.This makes it uniquely suited to protecting your organization's reputation when filtering the outbound mail stream for spam in the event an internal system is compromised by malware and becomes a source of spam. Bounce management Backscatter—the barrage of non-delivery report messages(NDRs)and auto-responses caused by spammers spoofing an organization's email addresses—has become an increasingly serious problem for most organizations. Proof point supports the latest BATV(Bounce Address Tag Validation)specification to tag outbound messages About Proofpoint and to validate incoming NDRs against those tags to block backscatte r Proofpoint focuses exclusively on the art and Advanced anti-phishing protection science of cloud-based Advanced anti-phishing techniques protect end users from scams,fraud,identity theft and malicious code. email security,eDiscovery and compliance solutions. Destination URLs within the emails are classified and analyzed,and a statistical correlation of various attributes Organizations around are analyzed so that no single attribute is authoritative.Targeted rules and classifiers for phishing messages allow the world depend on Proofpoint's expertise, administrators to take specific actions against these messages. patented technologies and on-demand delivery Powerful end-user controls system to protect against spam and viruses, Proofpoint Spam Detection checks personal safe and blocked lists for valid and invalid senders.Proofpoint safeguard privacy,encrypt provides various options for end user controls including web,email and plug-ins.End user control features include sensitive information, language selection,individualized spam threshold settings,and safelist/blocked list management.Proofpoint also and archive messages for easier management and provides a comprehensive view into a user's personal quarantine. discovery.Proofpoint's enterprise email solutions Administrative flexibility mitigate the challenges and amplify the benefits of Different policies can easily be configured for different groups of end users or domains. All policies can be enterprise messaging. customized at a global,group,or user level with full integration to LDAP or Active Directory to simplify on-going administration. Proofpoint,Inc ua Multilin l 892 Ross Drive Multilingual Sunnyvale.CA Proofpoint Spam Detection is multilingual and offers outstanding accuracy against spam in any language, 94089 including hard-to-analyze,multi-byte character languages,such as Japanese and Chinese. 1,877,647.6488 910 Prttufpoint.Inc Prccfport.Proolyort Enter priar Putvtlion Pro:lpont Spain t,lectc ,Raulllma Dy ar n rc Reputation Proolpoirit Email F acwcll Poofpo,nt iut Pmta[ PLoi`purt Zoo!lour Anti'.Tiv and Puofuoir MiX are tradttratrIAAr retutItted tatteark '.fROYpon,Inc t laded Silt,_analmho' nmb,es WWW,pm0fR0I0t.00m Ail other trademark.,containedl_n te property At INA caspefrne orraS 10710 '!. v wsx a°`..: t3fs .� arJl �"r�'rTycj fi 11 r Proofpoint Virus Protection World-Class Anti-Virus Protection for the Enterprise Email-borne viruses,worms,and Trojans continue to pose a substantial threat to enterprise operations. Proofpoint Virus Protection;"included in the Proofpoint Enterprise Protection'°Suite,effectively and efficiently combats this threat with an industry-leading solution. Proofpoint Virus Protection combines efficient message handling,comprehensive reporting,and robust policy management with the world's leading anti-virus engines. The result is an always up-to-date anti-virus solution with convenient,centralized administration, high- performance message analysis and flexible anti-virus policy management. Proofpoint Enterprise '=..N.J.' Protection Suite When combined with Proofpoint Zero-Hour Anti-Virus,Proofpoint Virus Protection components provide an Components organization with a multi-layered defense-in-depth protection against viruses.Email is scanned for viruses using The following comprehensive protection components various technologies to cover all virus protection bases. are offered through the Proofpoint Enterprise Proofpoint Virus Protection Protection Suite .Proofpoint Dynamic Feature Benefit Reputation'" Defense-in-depth Proofpoint Virus Protection provides in-depth defense when combined with with Connection management for Proofpoint Zero-Hour Anti-Virus outbreak filters. powerful spam protection -- ---- Strategic partnerships with Strategic partnerships with leading anti-virus vendors give customers a choice of Proofpoint Email leading anti-virus vendors enterprise class solutions Firewalr" Proofpoint Dynamic Update Proofpoint Dynamic Update Service,included with Proofpoint Virus Protection, Detects sensitive information Service provides continuous updates,ensuring maximum protection,while minimizing in message content and subject line administrative burdens. Flexible policies Flexible policies allow administrators to customize the handling of messages based Proofpoint Spam Detection on the results of virus analysis Detects and eliminates spam and phishing attacks in any language Proofpoint provides multiple layers of virus protection in the Proofpoint Enterprise Protection Suite,using both Proofpoint Zero-Hour Anti-Virus'" signature-based and non-signature based anti-virus technologies.Signature-based is provided through strategic Protects enterprises against partnerships with leading anti-virus vendors,giving customers a choice of enterprise-class anti-virus solutions new viruses and malicious to be installed and configured with a Proofpoint cloud-enabled appliance or available as Software-as-a-Service code moments after their (SaaS).These world-class anti-virus engines are the same as those used in their respective commercial products, release ensuring that an organization is strongly protected against dangerous viruses and other types of malicious code. ® Proofpoint Virus Protection cl wide variety enterprise- class virus solutions The anti-virus engines are designed to efficiently scan messages and attachments for potentially malicious code. Because Proofpoint Virus Protection is fully integrated into the Proofpoint Enterprise Protection Suite,each message is opened just once and virus scanning is performed in parallel with other forms of message analysis(such as spam and other message filtering actions).This in-memory processing minimizes latency and improves the proofpoint_ system's overall scalability,thereby delivering optimal and enterprise-grade performance. Proofpoint Virus Protection As new virus definitions are created,the Proofpoint Dynamic Update Service provides updates to the deployed software or cloud-enabled appliance through a secure channel.This guarantees that Proofpoint Virus Protection is always up to date,providing maximum defense against viruses and minimizing the burden on IT administrators. Proofpoint's anti-virus partners provide some of the fastest product-ready anti-virus updates in the industry,and the Proofpoint Dynamic Update Service makes them available to organizations immediately. Proofpoint's Virus Protection is fully integrated into the Proofpoint Enterprise Protection Suite,providing complete control over virus protection through a unified interface.It allows organizations to configure all aspects of virus protection,including virus filtering activity,detection and cleaning processes,disposition options, and reporting with the same interface used for spam,content compliance and email firewall administration. Administration duties can also be optionally delegated to other groups.For example,while IT may manage general email and anti-spam settings,a corporate security group could selectively manage anti-virus settings.Proofpoint Virus Protection also includes a number of anti-virus reports,providing IT administrators with a comprehensive view of any virus scenario,and enabling them to publish and report their findings to their organization. Proofpoint Virus Protection makes it easy to define and enforce virus-related security policies for an organization. Administrators have flexible configuration options to determine how messages should be handled based on the results of the virus analysis.For example,repairable messages can be repaired,annotated and forwarded to the original recipient,while irreparable messages may be stripped of their attachments and sent to quarantine for further investigation. In addition,administrators can quickly and easily write policies and rules for specific viruses,such as automatically deleting certain types of messages(such as VBMania or SoBig).The F-Secure powered version of Proofpoint Virus Protection also allows organizations to set policies around messages that are found to contain riskware or spyware applications that may pose data leakage or privacy risks. Proofpoint Virus Protection is a natural email security solution component that effectively and efficiently provides protection against viruses.Multi-layered defense and world-class anti-virus engines from Proofpoint's strategic partners provide all Proofpoint Enterprise Protection deployments—whether SaaS or on-premises—powerful anti- About Proofpoint virus capabilities from Proofpoint Virus Protection. Proofpoint focuses exclusively on the art and science of cloud-based email security,eDiscovery and compliance solutions. Organizations around the world depend on Proofpoint's expertise, patented technologies and on-demand delivery system to protect against spam and viruses, safeguard privacy,encrypt sensitive information, and archive messages for easier management and discovery.Proofpoint's enterprise email solutions mitigate the challenges and amplify the benefits of enterprise messaging. Proofpoint Inc 892 Ross Drive Sunnyvale,CA 94089 1677.4476488 ll0 Prou'poott. Proolpoint lcoipoint!nterprpc ProtectionSJItt.Prl.orpOirit Hui Anti to uss Frooloctot Dy, 'lit pout]; tr;ofpotot n rulnpmt Detttiton flridp ooli., tcrux F..teao ;re t.m. , k to rtoptertplr nh lo,rtf Pt toloototl , entre United Stn .,n.i otle. er rtes All rue p w,proofpoint.com tratient.ttlts contain,cl hereto art p they .f t ern rtt;ttoctivtt o•nms.10/10 . t Proofpoint Zero-Hour Anti-Virus Protection for Emerging Virus Threats As email-borne viruses become increasingly malicious and proliferate more rapidly across the network, enterprises need new forms of protection at the very earliest stages of a new virus attack. Proofpoint Zero- Hour Anti-Virus;"included in the Proofpoint Enterprise Protection'"Suite,protects enterprises against new viruses and other forms of malicious code during the critical first minutes and hours after new viruses are released and before anti-virus signatures have been updated.It also adds an additional layer of anti-virus protection to an organization's gateway defenses. Proofpoint Enterprise Protection Suite When combined with Proofpoint Virus Protection,Proofpoint's Zero-Hour Anti-Virus provides an organization Components The following comprehensive with a multi-layered defense-in-depth protection against viruses.Email is scanned for viruses using various protection components technologies(signature-based and non-signature-based)to cover all virus protection bases. are offered through the Proofpoint Enterprise Protection Suite Proofpoint Zero-Hour Anti-Vi rus Proofpoint Dynamic Feature Benefit Reputation- Defense-in-depth Proofpoint Zero-Hour Anti-Virus provides in-depth defense when combined with Connection management for signature-based Proofpoint Virus Protection. powerful spam protection ---- --- Precise detection Precise detection,as a result of global analysis of traffic patterns,provides local Proofpoint Email containment and protection of suspicious messages. Firewall'" Complete protection from Proofpoint Zero-Hour Anti-Virus provides complete protection from malicious Detects sensitive information malicious attacks attacks during the initial minutes and hours after viruses are released in message content and subject line Minimized administrative Proofpoint Zero-Hour Anti-Virus delays,rather than blocks,messages in the Proofpoint Spam overhead and reduced overall risk quarantine containing potential viruses.They are automatically rescanned using Detection the virus engine,minimizing administrative overhead and reducing overall risk from zero day attacks. _ _... Detects and eliminates spam _.. _.. _. . and phishing attacks in any Flexible policies flexible policies allow administrators to customize the handling of suspicious language messages. • Proofpoint Zero-Hour Anti-Virus Protects enterprises against new viruses and malicious Proofpoint Zero-Hour Anti-Virus constantly analyzes millions of internet messages for anomalies that indicate a code moments after their release potential virus attack.Advanced pattern recognition technology is used to identify new viruses within minutes of their mass distribution over the Internet with high accuracy. Proofpoint Virus Protection'" At each Proofpoint Enterprise Protection deployment,Proofpoint Zero-Hour Anti-Virus analyzes incoming A wide variety of enterprise- messages for similarities with suspected virus messages.Messages and attachments that exhibit recurrent class virus solutions pattern characteristics of the emerging virus are automatically quarantined at the enterprise email gateway where they can be held until the availability of a production-ready virus signature. proofpoint Proofpoint Zero-Hour Anti-Virus Proofpoint Zero-Hour Anti-Virus identifies new virus activity and takes preventive action at the earliest stages of a virus outbreak,keeping messaging systems safe until new anti-virus signatures are updated.The solution provides protection from viruses hours before competing"outbreak filters"react. Unlike other virus outbreak technologies,Proofpoint Zero-Hour Anti-Virus accurately detects and quarantines only those messages associated with an emerging virus,without stopping legitimate email.Instead of quarantining all email with attachment types deemed to be dangerous,Proofpoint Zero-Hour Anti-Virus temporarily delays only specific messages that are classified as being part of an emerging outbreak. Organizations can easily customize their Zero-Hour Anti-Virus policies using a convenient graphical user interface.Based on these customer-configurable policies,messages that have been identified as part of a virus outbreak can be automatically re-scanned and cleaned,deleted,released or otherwise disposed of based on the availability of updated virus signatures and other conditions. Like all Proofpoint email defense solutions,Proofpoint Zero-Hour Anti-Virus includes integrated reports that provide a complete view into the operation of your Zero-Hour defenses and virus activity in general.Built-in graphical reports provide visibility into the volume of messages being classified by Zero-Hour policies,Zero-Hour virus trends,top Zero-Hour virus types(including unverified messages).and verified virus volume trends. Proofpoint Zero-Hour Anti-Virus works in conjunction with Proofpoint Virus Protection to provide comprehensive,multi-layered defense against viruses.Together,these technologies provide a proactive virus protection layer(that does not depend on signatures),and a fast and effective signature/heuristics engine to efficiently verify malicious code. ,,.. About Proof point Rules for the handling of suspicious messages can be customized in a variety of ways.Proofpoint Zero-Hour Anti- Proofpoint focuses Virus lets organizations define any number of policies including: exclusively on the art and science of cloud-based • Suspect message policies:These policies define how to handle messages that contain suspected viruses. email security,eDiscovery and compliance solutions. Unique policies can be defined based on message route(inbound.outbound,etc.),threat classification level Organizations around (medium or high probability of virus contamination),document type and/or MIME type.All standard message the world depend on disposition options(e.g.continue,block,quarantine,etc.)are available.Typically,suspect messages are sent to a Proofpoint's expertise, quarantine where they are held for rescanning by future virus signature updates. patented technologies and on-demand delivery • Probable virus policies:These policies define how to handle messages that are still suspected of virus system to protect contamination even after being quarantined and rescanned.Policies can be based on all of the previously against spam and viruses, safeguard privacy,encrypt described conditions.Typically,these messages are sent to a"probable virus"quarantine where they can be sensitive information, held for some period of time before permanent deletion. and archive messages for easier management and discovery.Proofpoint's enterprise email solutions When Proofpoint Zero-Hour Anti-Virus is activated,quarantine folders can be customized with"Zero-Hour mitigate the challenges delay"behavior that holds messages until a certain condition is met and then resubmits the messages for scanning and amplify the benefits ofenterprise messaging. by Proofpoint Virus Protection.Folders can be customized in a variety of ways,including a number of anti-virus signature updates to wait for until resubmission and minimum/maximum quarantine time for suspect messages. tProofpoint,Inc. 892 Ross Drive Sunnyvale,CA `? 94089 .1877.647648$ .-:.:. 0f 0 Proufpont .Proof-point If t nIf Trim lir rtactronStMe Pr fofpcnnt---' lI Ant Vir ry.FOnfinnintP e Ifenntaton p -fpot'marl leil V'tofpont Span,Dritaorai lmfFot Mum Peolmtron me Ind. ate rentsferrdradv sls of r oofpornt Inc iff U.ntd State and other mrtres All otherWNN/,RmOf110intcom trtomparles'yotraarned herein are property of char mpectrva owner,10/10 ,� }� fYtY{. v rT\i , tit ��/4i. +i i(jjj[[ '04; -t `�. . • 6 . \: ♦.. x.11" rY } v 'a t P .#q.. • a A 41/4$\��\�N\\trK RM1li$i� :,7::.P''' _ 4. 'IV'', ♦.‘., ' ti- Proofpoint Digital Asset Security Advanced Data Loss Prevention for Confidential Information As a part of Proofpoint's Enterprise Privacy'"Suite,Proofpoint Digital Asset Security'"keeps valuable corporate assets and confidential information from leaking outside an organization through email.As email has become the most important communications channel in today's enterprise,email systems have become the main repository for sensitive and confidential information. Enterprises are becoming increasingly concerned about this information leaving the company through email. Proofpoint Enterprise -. Privacy Suite Proofpoint Digital Asset Security goes beyond simple monitoring for classified information.When combined with Components The following comprehensive Proofpoint Regulatory Compliance,both offered in the Proofpoint Enterprise Privacy Suite,there is defense-in- data loss prevention depth as messages can be scanned for structured,as well as unstructured information.Proofpoint Digital Asset components are offered Security makes it easy to protect an organization's confidential,proprietary,and sensitive information from through the Proofpoint accidental or malicious leaks. Enterprise Privacy Suite. Proofpoint Email Proofpoint Digital Asset Security Firewall'" -.. Detects sensitive information Feature Benefit in message content and subject line Proofpoint MLX'" Proofpoint's MLX machine learning technology analyzes and classifies confidential documents and then continuously monitors for that information in the outbound Proofpoint Regulatory message stream,ensuring accurate detection of confidential information. Compliance'" --- Flexible policy customization Flexible policies allow customization at a global,group,or user level with full Detects protected information,including integration to LDAP or Active Directory. financial,healthcare,and DLP Dashboard Proofpoint Digital Asset Security includes a DLP Dashboard that provides a single, other"smart identifiers" consolidated view of all compliance activity across an organization with real-time a Proofpoint Digital statistics,the ability to drill into any specific incident and take immediate action.. Asset Security'" Secures documents Proofpoint Digital Asset Security secures more than 300 unique document types. Detects presence of with the ability to extend support to new file types confidential information -- --- -- through advanced document fingerprinting Easy training and secure document repository Proofpoint Encryption Proofpoint Digital Asset Security employs patent-pending Proofpoint MLX to analyze documents that need to Automatically applies be kept confidential.Putting documents into the system"trains"Proofpoint Digital Asset Security to recognize encryption based on an that specific document and portions of its contents. organization's policies Documents can be loaded for analysis through a graphical user interface,through file systems or document repositories,or by emailing them to a specified service email address.Proofpoint MLX then analyzes the information and stores it in a secure form in the document repository.Negative cases can also be loaded to ignore common,non-confidential content such as company boilerplate information.Access controls let an organization grant specific business users the ability to add documents to the system for training. proofpoint_ Proofpoint Digital Asset Security Multiple category document protection Supported Document Types A graphical user interface lets organizations define categories for different types of documents to secure each with different access controls and properties.For example,create separate categories for internal memos,draft • sucPlaih text and email, P P P P g such as the contents of a press releases,organizational charts,price lists,and so on.Each category can have its own properties,such as confidential email memo document expiration and document similarity matching thresholds for document similarity. • Microsoft Word and other word processing formats Flexible policy definition and management • Microsoft Excel and other spreadsheet formats Organizations can quickly define policies for handling confidential information that is detected in outgoing • Microsoft PowerPoint and messages.Each policy can trigger based on specific document type and a customizable document similarity score. other presentation formats Route-based definitions allow for the creation of different policies for protecting digital assets depending on •Adobe PDF documents whether they are found in the inbound or outbound messaging stream. •CAD drawings including Messages that are deemed to contain protected information can be handled using any of the message DWG,DWFt DXF and B other formats dispositions to encrypt,block and/or notify.For example,an outbound message containing portions of a • Documents included in confidential memo can be held and flagged for review by the appropriate manager. archives,including ZIP, GZIP,TAR,and TNEF Streamlined DLP workflow (Windows email archive) formats A dual-pane incident manager view allows administrators with the proper permissions to view suspect messages side-by-side with the original training document.Portions of the message that caused it to be captured are highlighted along with the matching regions in the"original"document,making it clear which portions Proofpoint Digital Asset Security identified as a breach.Workflow features such as automatic incident status tracking enable administrators to comment on,track and search violations in the incident manager and export matching messages. Reports Proofpoint Digital Asset Security has built-in reporting capabilities,including the ability to display trend lines showing which policies have triggered over a certain period of time,making it easy to see which types of assets are most at risk. Support for custom and proprietary document types In addition to the hundreds of built-in document types that Proofpoint Digital Asset Security natively understands,administrators can use Proofpoint's File Type Profiler to easily extend support to new,custom or filet es(e.g.,proprietary CAD/CAM formats). About Proof point proprietary YP P P Y / Proofpoint focuses exclusively on the art and Outstanding extensibility science of cloud-based Proofpoint Digital Asset Security easily integrates with file systems,databases,content management,version email security,eDiscovery and compliance solutions. control systems and other external applications to enable automatic indexing of new or modified confidential Organizations around information.Access control and policy information can be automatically imported by the system,greatly reducing the world depend on initial setup time and ongoing maintenance. Proofpoint's expertise, patented technologies and on-demand delivery Protection beyond email system to protect against spam and viruses, Proofpoint Digital Asset Security utilizes the ICAP interface along with an ICAP compatible web proxy.It can also safeguard privacy,encrypt defend against intellectual property leakage via HTTP(S)protocols,ensuring that confidential materials are not sensitive information, posted to blogs and other message boards,social media sites,and web-based email systems. and archive messages for easier management and discovery.Proofpoint's DLP Dashboard enterprise email solutions mitigate the challenges Proofpoint's DLP Dashboard,included in the Proofpoint Enterprise Privacy Suite,provides a centralized and and amplify the benefits of consolidated view of compliance activity across an organization.An incident management console allows enterprise messaging. administrators or compliance managers to view real-time statistics and trends,as well as manage any current incidents and take appropriate actions on non-compliant messages.Managers may be immediately notified of policy violations and associated severity levels,so business users can easily and effectively review all non- Proofpoint,Inc 892 Ross Drive compliant messages. Sunnyvale,CA 94089 1877.647.6488 l oPraufpnint.l Proof p t Pi oc,fpointEt=p Pnnaca. Dotal A.AntS )inoof paintE ypr Prota point V It ci r .ni Email ewm ,d Prontpnini.Mix ma o-ndt,lI,f ieRn.telealeader i, of Pronapoint.i i•<<«n Staff'.al id,i. ,onv tii,taio t,aclen.arl<n.ortamid www.yroafpoint.eom hai ar ploporty or the,ref p t nerf, 1OPu / "rte .7 n v 11+ s7�s Proofpoint Encryption SaaS-Powered, Policy-Based Email Encryption Proofpoint Encryption`"offers powerful,policy-driven encryption features that mitigate the risks associated with regulatory violations,data loss and corporate policy violations,without adversely impacting business operations. Proofpoint Encryption is ideal for any organization that needs to protect sensitive data,while still making it readily available to appropriate affiliates,business partners and end users—on their desktops and mobile devices. Proofpoint Enterprise zT Privacy Suite As email has become the preferred medium for business communications,preventing confidential information Components The following comprehensive from being leaked in outbound email messages must be a top priority in order to lower the risk of a data breach. data loss prevention In addition,the number of government and industry regulations requiring compliance and security is on the rise, components are offered with federal laws such as HIPAA,SOX and GLBA;security standards such as PCI-DSS;and state laws such as through the Proofpoint Massachusetts 201 CMR 17.Most of these regulations,whether at the regional or national level,require enterprises Enterprise Privacy Suite: to protect private data through technologies such as encryption.As policy-based email encryption is now a"must Proofpoint Email have feature among enterprises,Proofpoint Encryption meets these requirements with the industry's most Firewall" powerful and flexible solution for policy-driven email encryption. Detects sensitive information in message content and subject line Proofpoint Encryption Proofpoint Regulatory Feature Benefit Compliance"' Detects protected Policy-based encryption Encryption is automatically applied,based on your organization's policies,right at information,including the gateway.Your compliance,data-loss prevention and content security policies financial,healthcare,and are consistently and accurately applied on an as-needed basis.Internal-to-internal other"smart identifiers' encryption is available with the desktop plug-in. Proofpoint Digital Streamlined storage Key management,backup and administration burdens are eliminated through the Asset Security Proofpoint Key Service,providing secure,cost-efficient,highly available and fully Detects presence of redundant key storage facilities. confidential information Granular control Provides granular message control by allowing expiration of encrypted messages through advanced document fingerprinting and the ability to revoke any individual message to any one specific mdmidual...... a Proofpoint Encryption Secure messaging made simple Makes ad hoc,secure communication just as easy as traditional,non-encrypted messaging.Recipients can easily view their encrypted email through the Secure Automatically applies Reader,an easy-to-use web based interface encryption based on an organization's policies Training end users in the proper use of encryption systems can be a significant barrier to successful deployment of traditional secure messaging solutions,but with Proofpoint Encryption,this process is much easier and simpler to manage.Proofpoint's email encryption solution automatically and dynamically applies encryption or decryption based on an organization's policies,right at the gateway.As a result,end users don't need to take any special actions to take advantage of encryption features,and compliance and content security policies are consistently and accurately applied on an as-needed basis. proofpoint. Proofpoint Encryption Simple to administer with no loss of control Technical Details Unlike alternative approaches to encryption,Proofpoint Encryption provides effective protection for sensitive Cryptographic information without the administrative burdens and infrastructure costs typically associated with secure messaging. Algorithms Message Encryption:AES • Easy policy management:All encryption policies—whether they are driven by regulatory compliance,data (256 bit) security or internal corporate concerns—are centrally managed and enforced at the gateway.A convenient Digital Signature ECDSA (256 bit) graphical interface is provided for defining encryption policies,which can be triggered based on message content identified by Proofpoint Regulatory Compliance or Proofpoint Digital Asset Security. Interfaces. Secure Reader Web Interface. • No key management:Proofpoint Encryption eliminates the administrative overhead of key management by Accessed Ha HTTPS including the Proofpoint Key Service"As unique keys are generated by Proofpoint Encryption,they are stored, backed up and made highly available via Proofpoint's cloud computing infrastructure.The Proofpoint Key Service eliminates the need for customers to manage their own encryption keys and certificates. • Message expiration and revocation:Administrators maintain total and complete control over encrypted messages.All messages can be set with specific expiration based on policy.In addition,an individual message to a specific recipient can be revoked without affecting other users or other messages to the same recipient. Easy to use Proofpoint Encryption operates transparently to end users without requiring software downloads or the installation and maintenance of desktop encryption clients.Proofpoint's encryption solution automatically encrypts and decrypts sensitive content as required,without end users having to use and manage complicated digital certificates or encryption keys. Low total cost of ownership Proofpoint Encryption seamlessly interfaces with other components of the Proofpoint Enterprise Privacy suite, including Proofpoint Regulatory Compliance and Proofpoint Digital Asset Security.Easy deployment and minimal ongoing management requirements greatly reduce the ongoing costs associated with managing the secure messaging solution.And Proofpoint's unparalleled ease of use for end users minimizes support,training and helpdesk costs. As with Proofpoint's anti-spam,anti-virus and content security features,secure messaging policies are managed About Proofpoint and enforced on an enterprise level from a single location.Once defined,enterprise encryption policies are applied Proofpoint focuses automatically at the gateway,eliminating the risk of user error. exclusively on the art and science of cloud-based Granular control of encryption policies email security,eDiscovery and compliance solutions. Proofpoint Encryption enables extremely granular,per-message control over encrypted messages and policies. Organizations around the world depend on Encryption can be triggered by any combination of the following parameters: Proofpoint's expertise, patented technologies • Structured data matches:Proofpoint Regulatory Compliance detects the presence of protected healthcare and on-demand delivery or financial information—such as HIPAA codes,ABA routing numbers,domestic and international credit card system to protect numbers,U.S.Social Security numbers,UK National Identity Card numbers and other"smart identifiers:' against spam and viruses, safeguard privacy,encrypt • Unstructured data matches:Proofpoint Digital Asset Security detects the presence of confidential sensitive information, information through advanced document fingerprinting—with both full and partial matching capabilities. and archive messages for easier management and • Keywords and regular expressions:Proofpoint Email Firewall detects sensitive information in the subject discovery Proofpoint's line and content of messages. enterprise email solutions mitigate the challenges • Message origin or destination:Messages can be encrypted based on destination,such as a specific business and amplify the benefits of partner or supplier,on sender or on message attributes,such as attachment type. enterprise messaging. Apply inbound policies to encrypted messages Email can also be decrypted at the gateway,allowing Proofpoint's anti-spam,anti-virus and content compliance .'fAQfpomt,l olicies to be a lied to encr ted email before it is delivered to end users,ensuring that encrypted Spam, 892 Ross Drive P PP YP Sunnyvale,CA malware and noncompliant messages are properly handled. 94089 1.877.6476488 k., ) )Proofpoint l Proof p t Proolpointf twtion Pty.'point key',mat Pot{lceralplt y C pl aid Pefftn dad1 set se curdy tic liadentakt e /fait If oat mitmk Piocifooi a Int in to United fit-des Ind tante founddie AS salty tr font fired ear a potty of tler dialect utn* eme 10/16 WWW,pr00fil0Int.00nl 'MN' .',/,',.7,;,,/,- v,' �h;`"� 7' r • d t .,.fi. tit. 1 l ff� r r t� art , : ' t if �! {$$ ; � b,t ..,.k 5''gy t"...1 ,3/4,:... • 4 v > R,rL Proof point Regulatory Compliance Protect Privacy and Comply with Data Protection Regulations Proofpoint Regulatory Compliance-makes it easy to ensure that electronic communications, including email and web traffic,webmail,social network comments and blog posts do not improperly disclose sensitive data about employees,customers or patients.As a part of the Proofpoint Enterprise Privacy"Suite, Proofpoint Regulatory Compliance ensures that outbound messages comply with many different types of regulations, including HIPAA,GLBA,the UK Data Protection Act, PIPEDA(Canada), Data Protection Directive(for the EU), PCI compliance guidelines and SEC regulations. Proofpoint Enterprise _..a.:. Privacy Suite Proofpoint Regulatory Compliance makes it easy to ensure that outbound messages comply with many different Components types of email-related regulations.Enterprise organizations of all sizes and industries are now subject to a growing The following comprehensive data loss prevention number of privacy-related regulations that govern the handling of certain types of private data.These regulations components are offered extend to the content of email messages and attachments leaving an organization. through the Proofpoint Enterprise Privacy Suite Proofpoint Regulatory Compliance has predefined dictionaries and"smart identifiers"that automatically scan Proofpoint Email for a wide variety of non-public information,including PHI(protected health information as defined by HIPAA) Firewalr and PFI(personal financial information as defined by GLBA)to allow for appropriate actions on noncompliant Detects sensitive information communications. in message content and subject line Rules can be easily created or modified via a point-and-click interface to support compliance with many other ® Proofpoint Regulatory types of information privacy and data security regulations,such as state regulations(for example,California SB Compliance 1386 and Massachusetts 201 CMR 17),Canada's PIPEDA,as well as various European privacy directives. Detects protected information,including financial,healthcare,and Proofpoint Regulatory Compliance other"smart identifiers" Feature Benefit Proofpoint Digital Asset Security" Smart identifiers Detects social security numbers,credit card numbers,and more;conducts detailed _ algorithmic checks to ensure the highest degree of detection accuracy Detects presence of confidential information Advanced proximity and Delivers a high degree of confidence in personally identifiable information through advanced document correlation analysis fingerprinting Extensible policies Allow custom dictionaries to be uploaded and smart identifiers to be created to Proofpoint Encryption- address any unique requirements Automatically applies DLP dashboard Provides a centralized and consolidated view of all compliance activity across encryption based on an organization's policies an organization with real-time statistics and the ability to drill into any specific incident for review Managed dictionaries Provide pre-defined libraries for quick analysis of sensitive content(examples include healthcare code sets,ABA routing numbers,National Insurance Number (UK),Japanese Credit Card Numbers and Canadian Social Security Numbers).............. proofpoint_ Proofpoint Regulatory Compliance ,i; t.. ,.� . r -,-t• Dictionaries and Smart Identifiers Proofpoint Regulatory Compliance includes a wide variety of features to help organizations comply with today's Included are the essential information privacy rules.Proofpoint Regulatory Compliance monitors all outgoing email,including over 300 building blocks to meet attachment types to detect private information based on predefined dictionaries and other types of smart awide variety of privacy regulations(examples). )Healthcare Code Sets • Predefined dictionaries:A variety of predefined dictionaries and sample policies are included within • ICD-9-CM diagnosis and Proofpoint Regulatory Compliance.These dictionaries define common protected health information code sets, procedure codes such as standard disease,drug,treatment,and diagnosis codes used by the healthcare industry to simplify HIPAA • HCPCS common procedure compliance.Proofpoint also includes a variety of financial privacy dictionaries,such as SEC,insider trading and codes trade confirmation terms used in the financial services industry to aid with GLBA,PCI and SEC compliance. • NDC drug codes • Numerous other medical • Unlimited,custom dictionaries:New dictionaries can also be defined,which can support both exact code sets matches,as well as regular expressions.The included HIPAA dictionaries can be expanded to include terms and S codes specific to a medical environment,and new dictionaries can be added to support g ort additional regulations martIdl and Privacy Smart Identifiers such as NASD,PIPEDA.and others.Dictionary terms can be weighted to increase or decrease the matching • US Social Security, strength of any term or to allow exceptions. Canadian Social Insurance, UK National Insurance, • Automatically updated dictionaries:Through the Dynamic Update Service in Proofpoint Enterprise Privacy, Japanese residence the pre-installed managed dictionaries are always up to date with the latest codes. registration and driver's license IDs and other unique identifiers Smart identifier technology for maximum accuracy •ABA routing numbers Proofpoint Regulatory Compliance can also scan for common non-public information(NPI)including Social .Credit card numbers(US Security numbers,ABA routing numbers and credit card numbers. and international) •CUSIP securities identifiers, These"smart identifiers"are more sophisticated than simple regular expressions.They look for the correct SEC filings,trade number of digits,but also compute checksums to confirm that numerical strings that appear as NPI are actually confirmations protected information.This technique greatly reduces false positives.Custom smart identifiers can easily be Custom Smart added to support customer-specific data types,such as account numbers,patient numbers,medical record Identifiers numbers,billing codes and local forms of ID.Built-in smart identifiers and custom-created identifiers can • Medical record numbers perform complex,algorithmic processing to ensure high detection accuracy while minimizing false positives. • Financial services account numbers Flexible privacy rules and policy definitions • Local forms of ID A point-and-click interface makes defining and modifying even complex privacy rules quick and easy.Rules About Proofpoint can be configured to apply to individual occurrences of NPI or when a certain count of dictionary and smart Proofpoint focuses identifiers are reached.Proximity detection allows for advanced analysis of multiple elements.Any number of exclusively on the art and ed privacy rules can be defined to support specific compliance requirements.Multiple rules can be mapped into science mil cuof ri y,eDiscovery email security,eDiscovery policies(for example,HIPAA,CLBA,and AB 1950 policies).Policies can be set at the global level,or unique and compliance solutions. policies can be set for individual groups/departments. Organizations around the world depend on Proofpoint's expertise, Encryption support patented technologies and on-demand delivery Many regulations specify that non-public data must be secured when transmitted over public networks. system to protect Proofpoint Regulatory Compliance supports several types of encryption,including TLS(Transport Layer Security) against spam and viruses, and Proofpoint Encryption. safeguard privacy,encrypt sensitive information, and archive messages for easier management and r discovery.Proofpoint's Graphical reports show the number of regulatory breaches over a given timeframe,as well as the top offenders of enterprise email solutions these policies.Reports can be emailed on a scheduled basis or published to an intranet site. mitigate the challenges and amplify the benefits of In most enterprises,content security policies are managed by a variety of business users who own responsibility enterprise messaging. for compliance or data protection.The DLP Dashboard provides a centralized and consolidated view of compliance activity across an organization.An incident management console allows administrators or compliance ..,,, managers to view real-time statistics and trends,as well as manage any current incidents and take appropriate Proofpoint Inc. 892 Ross Driveactions on non-compliant messages.Managers may be immediately notified of policy violations and associated 'Sunnyvale,CA severity levels so business users can easily and effectively review non-compliant messages and release,re-route, 94089: approve or otherwise dispose of such messages. .1.877.6416488 12010 Pmrfpoti.inc Prrrfpont foofport nterpriecf vacy Piet nairmull,Picalpuint Ewl.t w(pont f4zulrry cnaciiarc.end Proof aunt opul Asscuc. iiy ale tam.rnarka itigutartal Pioalpoint Inc in the United Siateead other countries All attar t 1 rlis conteirieie herein .misty www,yroofpoint.eom of ve,rrespective + r.z]0/10 iff Proofpoint Enterprise Archive SaaS Email Archiving Solution Proofpoint Enterprise Archive'"is an on-demand email archiving solution that addresses three key challenges— legal discovery,regulatory compliance,and email storage management—without the headaches of managing archiving in-house.An innovative hybrid architecture allows Proofpoint Enterprise Archive to be up and running in days with minimal upfront capital investment,and provide low,predictable lifetime cost,while at the same time ensuring data security standards.Proofpoint Enterprise Archive can be utilized for search anytime- anywhere with sustainably fast, reliable performance uniquely backed by a Search Performance Guarantee. "Our staff of lawyers xj An email archive also provides a centralized, are well equipped with searchable repository that provides end users with search and discovery Email archiving addresses a variety of business access to historical email.This access should be simple capabilities for email requirements,including legal discovery readiness, and intuitive,with a familiar user experience that fits and are prepared regulatory compliance and email storage optimization. existing work habits and enables greater productivity. to meet any legal In an era defined by increasingly stringent data discovery instance on And,finally,an email archive should address all of behalf of clients. privacy requirements,complex regulatory compliance these requirements while also supporting the IT demands,and severe penalties for e-discovery objective of reducing the cost and management Since using Archive, 1 g we have saved mishaps,securely managing email is more critical complexities of exploding data volumes under approximately to your business than ever.To be prepared for legal p! Y management within Exchange. $100,000 by reducing discovery and regulatory events,organizations must our mail store." know where all their email data is stored and be Steven Heller able to search through and retrieve that data in a .. Director of Technology short period of time.Organizations must also have Graubard Miller the ability to establish and enforce email retention Proofpoint Enterprise Archive offers the most policies that reflect specific regulatory and geographic advanced features and highest performance in an market requirements,aligning with strategies for easy-to-use solution.The solution is built upon internal record management. Proofpoint CloudControl,a secure,extensible cloud platform that ensures security and compliance for Technologies used to set policy should be flexible to enterprise content. enable response to a constantly evolving set of legal and regulatory requirements,and should automate Easy-to-enforce retention policies critical tasks,such as the creation of litigation holds that Proofpoint Enterprise Archive's policy engine allows prevent data from being deleted.If not managed properly,exposure to legal risks can be significant an organization to create,maintain and—most importantly—consistently enforce a clear corporate and challenge an organization's ability to defend its retention policy for email.Enforcement of policies is Discovery processes.This can lead to costly fines, automatic—a single click from the user interface is guilty verdicts,and damaged reputations. all that's needed to make a policy active.Every policy change is tracked in an unalterable audit trail,ensuring an accurate record of an organization's policy changes. proofpolnt. Y y 3 a b o E a E _ E� E E y R OY 8 3E E . 'ii): 3 fr�� in - ooE .^ E 9E #: !. 9a igii s '��, ofr .. m DoE 6 �'Es tia ¢ kEa3� 'a1 a8 rein! “crt3aaa< $wto E � �A 9S ° n� r..a- - . `- � �g� 3 1143 P 43_utA S'_ _ o ; E; E & p c M E q E E ..; F 7,1 3E z; :urge glUll E v E ; - 1:4- EEO a °o f ...44 I sty N I i III !!Hfl Y voE� ` m t iii 5 , ..4 • J ii -, 3 3 a S ' .:417: w` ¢ E c 1 22. 22 Y • ,'',15:4 7,3 .O2 '6 lit' E 3 L ` 3 w. i e G A n Mq� ` E L L E ; E ^ E ; E m 1 E o N E 1.1 as€s€ 4144 3 63. h a -. - 0 ..ans.:d vi, -2 ,1C :, 8 § E 3 es - u in .E. EIJOI 1H1 v u E o B= c V Eo W Eli: _ - a o : Iv ` 11 o _ n v £ E w fin 't2 ,-!2, = 6 ii v w a - L¢ ` i _ c c c i u 3 r w o t E c [ e a L `o r "a F a.- 8 Dt w " Vi a .. ° goo a` " w w a o 50s 1E: ` d r d ' " ₹ Y at E ,EP ID � .` e, vsoy as , r g „`. _ " 3 t g 3dd, '22 E o,Y m E 'S li E e a a 5 v 3' E E 2 O E - Ae ° c c .c .. rfE y6. 1 Z.,,,20 w 3 c 3 o u E 3 N q o 2 3 S t a d 5 c 3 - 0 O 3 � E E - .6.4-; g606.46 - ' E rt. - 0 E,,, -E = e E 1EatsE .E § C ;2,;,,,, 23.4 . .P E 9 q n o` ¢ v_ o - E EL E c E " g 5 E .P 3 -54 A E g " $ r g SQ'.. O _ 972 _ E E c a m E E.� V H v S ti E E E C " K Q1 .z .. 2 ic ry rig c v E, O4“ 1, 6666N E _ E n s -§ E i C c e $ o 0 o v E t E E W a L C n " g E . I or E m o " N a 8 E$ ; g f E3 ViE 111O31 c dwa € I3 'a " € c E . . N C •L a " q it°,. a Cl E 'E E c 11 .06t 'i .P : 31, i-31A-F6 a e u 3 wA a c V E . ` o -Fi .e c .E.p - E a _ Y 1 a n" a N 3 E r] 3 s .. E a s m .. _ n a r o .. a E o 6 a v C W Y _ _a ne E e a s a9L C • s - Eq rat. -w r 0- i $q a e qE eana a ' d'€ E:= Gg& gxza oS ,,d, o o; ALa W E� _ p xN,. -a7E a v7. E. of pe& eoo'taC.1 a'E3 Y.`' E v q��, po EEl 2 I:11 fi bs agora Y4 Fatal! "n-, �-41 o.".. _emoo Qt0S:711 n' d o-= n �� a,.. L :11 'eS g1111i 1 .Y" _ _ b`_ OOI :E'k if, =SEE x d c. nWm" W7d . E . e . LLw=ci)310oa§2cm 3£ . • US Worldwide US Federal Office Asia Pacific EMEA Japan Canada Mexico Headquarters Proofpoint.Inc. Proofpoint APAC Proofpoint.Ltd. Proofpoint Japan lKi(. Proofpoint Canada Proofpoint Mexico Proofpoint,Inc. 13800 Coppermine Road Suntec Tower 2, 200 Brook Drive BUREX I(ojimachi 210 King Street East, Salaverry 1199 892 Ross Drive Suite 203 9 Temaselt Boulevard. Green Park I(ojimachi 3-5-2, Suite 300 Col.Zacatenco Sunnyvale,CA 94089 Herndon,VA 20171 31F Reading,Ul( Chiyoda-ku Toronto,Ontario, CP 07360 United States United States Singapore 038989 RG2 6UB Tokyo.102-0083 M5A 117 M€xico DF Tel+1 408 517 4710 Tel+1 703 885 6809 Tel+65 6559 6128 Tel+44(0)870 803 0704 Japan Canada Tel.+52 55 5905 5306 Tel+81 3 5210 3611 Tel+1 647 436 1036 Proofpoint focuses exclusively on the art and science of cloud-based email security, }eDiscovery and compliance solutions.Organizations around the world depend on p roof po I n Proofpoint's expertise,patented technologies and on-demand delivery system to protect against spam and viruses,safeguard privacy,encrypt sensitive information,and archive messages for easier management and discovery Proofpoint's enterprise email solutions mitigate the challenges and amplify the benefits of enterprise messaging. www.proofpoint.com . u71‘17:71117.7..,..:-,..4.1::, ,,,...;'.....4:..;:: + l IS* ... i 3'v ` r ilk e 4 j ! !x Business Data 0 Y . Q . r ¢ r . I• prise. I5 %gym,,, x Proofpoint Enterprise Governance "In-Place" Information Governance and Records Compliance Solution The Proofpoint Enterprise GovernanceTM Suite is an information governance solution that provides organizations the ability to monitor and apply policy to unstructured information—wherever it exists across the enterprise. By proactively governing unstructured information "in-place," organizations can effectively protect brand and manage regulatory compliance, security, and confidentiality. Organizations also increase visibility and control over information; mitigate the risks of court sanctions and regulatory or government investigations; minimize eDiscovery costs; and leverage existing technical infrastructure. In addition, Proofpoint Enterprise Governance is designed to work in tandem with today's most popular collaboration platforms, including Microsoft SharePoint. proofpoint' Proofpoint Enterprise Information Governance Governance Benefits Today information is everywhere.It does not just reside in central repositories,but also in email,on laptops and • Track and have complete desktops,cloud-based file sharing services,SharePoint,and other collaboration systems.According to analyst visibility to high risk and/or firm Gartner,"Traditional content types,including unstructured data,are growing by up to 80%per year" outs de of information outside of managed (see"Information Governance:12 Things to Do in 2012"by Gartner).The vast majority of this data is transitory and repositories contains limited on-going value to the business. However,5-10%contains information that should be considered • Effectively manage the a business record,or that could create legal risk or harm to an organization's brand. Identifying these high-value disposition of unneeded files and/or high-risk files that exist outside of managed repositories is a challenge for virtually all enterprises today. and the retention of records without changing user The Proofpoint Enterprise Governance solution enables enterprises to regain control over their unstructured behavior information,empowering both administrators and end users with easy-to-use tools to manage their data. • Mitigate the risks of sanctions, minimize Full Lifecycle Approach and motions;minimize eDiscovery costs Proofpoint Enterprise Governance provides a proactive and full lifecycle solution for governing unstructured information,enabling enterprises to detect,manage,respond to,and control ever-growing file counts—simply Proofpoint Enterprise and proactively. Governance Features • Digital Thread technology to automate document tracking Detect • "In-place"compliance and Organization-wide file detection and tracking is no easy problem,but with patented Proofpoint Digital Thread'" control of unstructured technology,Proofpoint Enterprise Governance tracks information"in-place"without disrupting end users'normal information workflow.Proofpoint Enterprise Governance gives organizations visibility and control over all files and records • Hybrid architecture:tracks across disparate storage locations. and manages millions of documents Proofpoint Digital Thread Technology Customer Results Proofpoint's Digital Thread technology detects and tracks all files from the point of creation or reception,and it • Increased brand protection, monitors these files and records through their entire lifecycles—no matter where they travel across the enterprise: security,and confidentiality • Improved information risk • local drives management • shared drives • Increased compliance with legal/regulatory directions • removable drives • Reduced information • email(including Microsoft Outlook and IBM Lotus Notes) management cost • collaboration systems(including Microsoft SharePoint and IBM Lotus Domino) When users create or save files to their hard drives or removable drives,or when a record is attached and sent in an email to users in the enterprise,or even when users save files to SharePoint,every file is monitored by Proofpoint's Digital Thread. Manage Detecting files is the first step to enabling organizations to manage their unstructured information in a variety of ways including disposing of unneeded duplicate copies or unnecessary information from across platforms and users,and retaining confidential records or project files from across disparate systems. File Classification Once files are detected and tracked by Proofpoint's Digital Thread technology,Proofpoint Enterprise Governance can now manage them with the use of classifications.Classifications act as tags to help in organizing files for ease in compliance enforcement.Both end users and administrators are provided with views into classifications,with end users having a dashboard view to see the classifications they are assigned to and which of their files are tagged with the listed classifications,and administrators having global reporting to see classifications for all users and files across an organization.It should be noted that unclassified files are also visible and actionable to users and administrators. Compliance Enforcement Powerful governance policies in Proofpoint Enterprise Governance allow organizations to enforce the disposition or retention of files across all systems(hard drives,removable drives,shared drives,email,SharePoint,and Lotus Domino).Policy rules enable other various actions to be taken including moving or auto-classifying files by location.Administrators can manually execute policies or define an automated execution schedule. www.proofpoint.com Proofpoint Enterprise Governance Feature Benefit Patented Digital Thread— Tracking of files on hard drives,removable drives,emails,shared drives,Domino,and SharePoint Technology Detect all versions of files as they proliferate and identify unneeded duplicate copies,unnecessary information,and confidential records and files Policy-Based Retention and Enforces organization-wide compliance as policies execute to dispose of,or retain specified files or records Disposition Management Handle legal holds by managing the hold"in-place"or uploading to a repository for collection,including uploading to Proofpoint Enterprise Archive Dedupe Ability Ability to detect and delete unneeded duplicate files Global Reporting on Monitor organization-wide file counts on users'machines and on shared locations:monitor trends,file locations, Retention Status and and file sizes Clean-Up Efforts User Interface Ability to see and manage all files from disparate systems in one convenient interface Easy to Implement and Use Deploy in days,not weeks Storage Management Control As files proliferate and get passed through the enterprise,several unneeded The Proofpoint Enterprise Governance service creates reports that duplicates get created and saved to numerous locations including user's monitor the status of the organization's information in real-time. machines,inboxes and outboxes,removable drives,shared drives,etc. Consequently,managers or administrators can(a)understand the scale This redundant information unnecessarily consumes storage and creates of their information problem,and(b) monitor file or record counts, downstream costs to sort through if it's not addressed early.Proofpoint trends,individual file type counts,counts on each user's machines,file Enterprise Governance detects duplicates and all versions of files and names,file locations,SharePoint files,email attachments,and files per enables automatic or manual policies to either dispose of or retain classification.Reports can be emailed to administrators or managers on a the information. scheduled basis,or they can be accessed anytime online. For existing legacy information,Proofpoint Enterprise Governance detects SaaS or On-Premises Deployment legacy files and allows organizations to manage them by assigning classifications Proofpoint Enterprise Governance runs as a cloud service in Proofpoint's so that the proper policies can be applied to dispose of, cloud infrastructure.It maintains just enough system state to allow it retain,upload,or move files. to ensure global consistency of metadata across the entire Proofpoint Enterprise Governance system. The solution can also be deployed Respond on-premises or in a hybrid configuration. Proofpoint Enterprise Governance has flexible policy capabilities that allow organizations to respond to legal,regulatory,or security needs. Policies are applied to classifications and are based on business rules to Client Agents Working in tandem with the server-based service are local agents take actions on files.These actions may be to delete,retain,copy,move, installed at strategic locations within the enterprise:shared drive reclassify,or hold files. servers,SharePoint servers,Lotus Notes servers,or end user computers. For legal holds.Proofpoint Enterprise Governance captures information The advantage of being an"in-place"governance solution means that that is responsive,regardless of its storage location,and can either upload Proofpoint Enterprise Governance has the flexibility to complement many responsive files to a repository or hold the information"in-place." existing records management infrastructures and environments. Combined with Proofpoint Enterprise Archive,organizations have a complete solution for legal hold management for any responsive files. On end user computers,the Proofpoint Enterprise Governance agent performs the following functions with minimal user intervention: Retention and disposition polices administered through Proofpoint •Enterprise Governance can either take automated actions or provide Initiate tracking of files users a dashboard in which they can view all tracked files on their • Detect files in email attachments and on users'hard drives machine.Depending on the users rights and the organization's . Confirm decisions with the Proofpoint Enterprise Governance configurations,users can also see tracked files on specified shared drive service when they require global consistency locations,Domino or SharePoint.Users can then take actions such as delete,copy,move,or reclassify files. Legal hold,retention,and other policies are managed through a web- based admin console.In the console,administrators can assign users to classifications,manage policies,configure the system,and get reports. a Y ';t .k1,127,;;',,•;,'•-.1 'xG :. I N " 1 i d ill 61111ii� It ‘4-7,44:41o.;I 17, c'• 74.'11,, k!? •';'•'4,1. F ''= ;:ii ii. ,..14. .. ^ ;, I ' 3 ! ! ! 1 t !I I ,'2 -1{f f �+. 17Jr 1 1 Y Till i :p., r .414:,..,:::, 'A' �7,p, FrrA Yvj t y 4",::1111I ,lf 1 'I P^9s 17 t y ali y:. N. U.., 4 M • C• ti i v '(F1 I I y%syy fS •rtx� '•'Wll. . tit I n f N dt i x ai'•;4. 1..-• A S ,.I .I I ,,. 1n. ,'1,,,,*,11,1 I'[ ch � ` .r 1 II11i�11 y11 h. r t tlll6 At r «, t,, ..ie,r ::..'M.yr 'VIIII I I F ' .. '.i• " ,....,. .4 „• xt L Vy rit rsu 1 35 ; I«J i ° � 4X1�l N.tl H � H : y:. • Y ii i c. .'x' I+• .' r IIIII , °• If 'E.; wr i41 .� iS' j ro- �5 fi.,;;;4,,,.,• t' • }�' {, 4 f1 ..a.. . I1, �Tc, 7r ad ii . 1 a II�p I$1k ,;:�+ o• L, a „ � ;1 lelf, i ih,N1Y '.I_; ?1 ti,. y .r yl NI4 ••ys 1.t • „j}f r l P 4F � 'Iit42t Y MM1 .'.`Y:.F t 1 i• II Er 1q1 ' 1 I' 1 p '2'4 pp lY.i { ..Y' >;. t, • •• 11 ...*',:'3,,[,,!'. IN, '4,1*.;..... A s.I ". I: F # ' I Ian hh, k ! r !i. , ••,..::...,4,"4...;.. ...''. ',,I!,"'„"!. ......'#),„.•b)1 i d✓!IMieII lo 4' h Proofpoint,Inc.(US tMadquartf;ysj :^ , ., m .b r I u ` 6 �I:: &',? M1, ''r. 892 Ross 9rive.Sunnyvale CA 94p89, k 11 t I „t t N°„1'a x I ... Tel:+2,408'Si74710 Fae.eA9408`n i ,,: ..• 1ii, ' V: -@ '+ D`t •„ Yg' I' fjf „I '., www.proofpoint.com r 1 a 1 1 ,- a,A# t i 'f fib' ' f l i�'i. °' • i p' I - , "'yyyiii 66 � 'S: } j + v42 1,: x I I" . . 'I'r. st I 1 r. '*,....1;;,,,i,, ,, » I °^ i. +'S i ' � „11d �. • • N fl •i):„:ddlll4fl'1�1;', x xi. 2 i t! 1 1, 1 ! a `i F: r A �fl Cis.". C `F 1M.gr N. MJ .li 7'*-Hy� t• i'I Ill r; N'. 4'��lA - • ,#. y, 1 71VIJ L I • °" j t...., A' 121raIi a ' I. . gi • eft `">,, a r r.• r " ;r slca a I' a 3 r i ,...`11:4 1,.....; 2 $ I i 'Y.-Itv:I ) Nt ... r • riiiii . .d.°1�1 4 . ',...,,i2::.. .!.:i!t t mr e ; f'.!'1 'IN 1.Iµ . , , „c,: ,,,„! ...: !,,,..... .4r4:..ftr fl�l il!1I f t ;¢ y! •II �,k ft'' ,44,z;!...!.: .-i: ! iiir,v,,, ,4,. i 4. :4!..41.4 , . iz .,,,,,,,,, 4 , •`a, x ,w 4.-,4,...,._ as;,,I4,,,,,,.. f'"# ' # 1 ' . . 4}��, , w^ li 41 S av• a,. y k 4. � �Fr ticr {• I It ', LI 1.Y1 �f .:._ µmd5J W mhatnlnbla.M i~ � I rr;a."rI .' lslf • �`,. 92012Ra0fDpn1.6KPVo(ppmnaVddPfWitaffl00fp9jOt.�m •. " Imo. .. . ..y • to ,. +F' calIv '� ! i;••:. ja Cs. ,r xt j t • tt r1 e' I ' ,' "t • if ' ! iiii E?t fm 3 fl rt.:. Y ill xw R t .mot proof point! Proofpoint on Demand (PoD) Professional Services Overview 1. Introduction Proofpoint Professional Services works closely with customers to define a framework for project success. The measure of success is a system that is fine-tuned to the customer's specific needs, and meets the highest effectiveness on detection of spam, viruses, and inappropriate content. Proofpoint Professional Services takes a phased approach to the building and deployment of a secure messaging platform. Many of the activities in each phase overlap and occur in parallel. 1) Pilot—Proofpoint will provision the PoD environment so that administrators can become familiar with features and functionality, make informed decisions about the production configuration, and run system tests 2) Planning—define the plan, strategy, and deliverables for the project 3) Implementation—execute on the technical activities of the solution; includes the "cutover"to live production email. 4) Training —focus on ensuring that administrators are fully training on the features and functionality of the Proofpoint solution, and that the facilities needed to train the end-user population are created and delivered. (Formal training sometimes occurs during Implementation.) 5) Transition—conclude the active project, and transition into maintenance mode for the solution. 2. Sample Project Plan (PoD) Task/Milestone Responsible Party Date(s) Comments Provision PoD environment Proofpoint Familiarization with Administrative GUI Customer with Proofpoint assistance Develop and Document the Technical Design Customer with (optional) Proofpoint assistance Establish Topology Diagram Customer Technical Design and Topology Review Customer with(optional) Proofpoint assistance Develop and document the user provisioning strategy Customer with (optional) (LDAP or HFT) Proofpoint assistance Proofpoint Proprietary and Confidential Page 1 of 7 proof point! Task/Milestone Responsible Party Date(s) Comments Develop and document the default service Customer with (optional) configuration strategy, including: Proofpoint assistance • Spam policies • Virus policy • Content filtering policy • Report publishing • Spam Reporting Group • End User Digest configuration • Regulatory Compliance policy, rules, and actions • DAS policy, rules, and actions • Encryption policy and actions • Branding for encryption end-user interface • (optional)LDAP or HFT integration Develop and document the implementation steps to Customer with (optional) cut over to production email Proofpoint assistance Develop and document the backout procedure should Customer with(optional) there be a problem with the cutover Proofpoint Assistance Develop and document the test plan and test cases Customer with(optional) Proofpoint assistance Develop and document the end-user communications Customer with (optional) plan Proofpoint assistance Develop custom integration scripts/procedures if Customer needed and defined during the Planning phase Develop customizations or add-ons if needed and Proofpoint Professional Services defined during the Planning phase Perform initial configuration of PoD cluster Customer with Proofpoint assistance Install custom integration scripts/procedures(if Customer applicable) Install customizations or add-ons(if applicable) Proofpoint Professional Services Purchase and install SSL certificate for end-user Customer commands and/or encryption Execute pre-implementation test cases and log results Customer with(optional) Proofpoint assistance Review and modify system configuration as required Customer with (optional) Proofpoint assistance Execute implementation steps to cutover to production Customer with Proofpoint email(see Sample Implementation Steps below) assistance Execute end-user communications plan Customer Attend Proofpoint administrative training Customer Develop and provide end-user documentation and/or Customer with(optional) training Proofpoint assistance Develop and provide helpdesk documentation and/or Customer with(optional) training Proofpoint assistance Proofpoint Proprietary and Confidential Page 2 of 7 proof point Task/Milestone Responsible Party Date(s) Comments Review and document Proofpoint Technical Support Customer with Proofpoint procedures assistance Publish project documentation Customer Complete any project close procedures Customer 3. Sample Implementation Steps (PoD) Note: This is only a sample and should be customized to your specific environment Task/Milestone Responsible Date(s) Comments Party PoD Provisioning Proofpoint PoD cluster configuration: • Implement default service configuration • Ensure all domains we accept mail for are listed and routing mail to the correct email server Email server configuration: • Ensure email server will accept mail from Proofpoint servers Firewall changes(dependent on customer environment) Execute pre-implementation test cases(send test messages to and from PoD and observe correct actions) Review configuration with Proofpoint Professional Services Submit DNS change to have MX records point to Proofpoint servers Reconfigure email servers to route outbound mail through PoD Execute test cases(send test messages to and from PoD and observe correct actions) Provision users accounts in a phased (Group 1, Group 2,all)approach Create and execute scripts to import previous spam solution's whitelist and blacklist Observe operation of the PoD cluster for defined period of time; implement back-out procedure in case of problem Move Group 1 into non-audit mode Observe operation of the PoD cluster for defined period of time; implement back-out procedure in case of problem Move Group 2 into non-audit mode Observe operation of the PoD cluster for defined period of time; implement back-out procedure in case of problem Move all users into non-audit mode Observe operation of the PoD cluster for defined period of time; implement back-out procedure in case of problem Proofpoint Proprietary and Confidential Page 3 of 7 proofpoint.) 4. Personnel Proofpoint will supply the Customer with an Engagement Team to fulfill the following roles: • Implementation Project Manager • Professional Services Solutions Architect • Professional Services Consultant/Systems Engineer • Software Engineer • Implementation Support Engineer(s) The Engagement Team is supervised by the Director of Professional Services, who reports into the VP of Worldwide Technical Sales and Services. All members of Proofpoint's current Professional Services staff have deep experience working with the Proofpoint product and implementing the Proofpoint solution in large, Fortune 500 enterprises. Each member of the team that will be assigned to the project will have had experience with at least 10 implementation projects at Proofpoint(most members have much more experience). These roles are described below: Role Implementation Project Manager Description The Implementation Project Manager will oversee the implementation to successful completion and be the primary point of contact providing project management and coordination efforts. Responsibilities • Coordinate with multiple parties-- internal departments as well as the customer--to ensure timely and satisfactory resolution to technical issues, and completion of projects • Manage Proofpoint staffing needs for the project • Proactively identify potential customer technical issues before they become critical, and lead resolution of such issues • Responsible for account status reporting both to customer and Proofpoint management • Be a strong voice for customers into the Marketing and Engineering teams to improve the product and ensure that Proofpoint deployments successful. Skillset • 5+years industry experience in technical account management,technical support, or professional services • Experience managing large, demanding enterprise customers • Responsive to customer issues and concerns; ability to create a positive working relationship with your customer • Strong troubleshooting and problem solving skills. • Strong written and verbal communication skills. Type Onsite as needed; primarily remote Role Professional Services Solutions Architect Description The Professional Services Solutions Architect develops and recommends the technical architecture of a Proofpoint solution. This role provides hands-on technical expertise for the project Proofpoint Proprietary and Confidential Page 4 of 7 proof point! Responsibilities • Engage with newly signed enterprise customers as a Proofpoint product expert to recommend and design the solution architecture. • Actively participate in project meetings • Drive high levels of customer satisfaction • Provide technical expertise and real-life experience in creating solutions, designs, proof of concept and implementation Skillset • 5+years industry experience in technical project management, program management, professional services, or sales engineering • Leadership experience in large systems design and implementation of technical architectures for enterprise email environments • Excellent analytical, problem-solving, and decision-making skills • UNIX system administration experience • TCP/IP networking experience • Broad technical knowledge of Internet products and technologies • Demonstrated experience in working with broad cross-functional teams Type Onsite as needed Role Professional Services Consultant/Systems Engineer Description The Professional Services Consultant leads implementations of Proofpoint solutions and maintains the technical relationships with our enterprise customers. This role will provide the hands-on technical expertise for the project. Responsibilities • Engage with newly signed enterprise customers as a Proofpoint product expert to implement Proofpoint solutions at their sites. • Implementation of the Proofpoint solution at the customer site. Implementation activities may include architecture and design, installation, configuration, troubleshooting, customization,testing, and documentation. • Be the primary technical contact for the deployment • Actively participate in project meetings • If requested, participate in end-user training and consulting • If requested, provide training to in-house development and support staff • If requested,write project documentation,which may include service manual documentation (detailed documentation of the infrastructure). • Providing recommendations on best practices to keep the Proofpoint product at optimal effectiveness with minimum cost • Be the primary Proofpoint technical contact for the engagement Skillset • 5+ years industry experience in technical implementations, project management, program management, professional services, and/or sales engineering • Excellent analytical, problem-solving, and decision-making skills • Experience in large systems design and project implementation for enterprise email environments • UNIX system administration experience • TCP/IP networking experience • Broad technical knowledge of Internet products and technologies • Demonstrated experience in working with broad cross-functional teams • Background in Consulting • Expertise in administering the Proofpoint product Proofpoint Proprietary and Confidential Page 5 of 7 proof point! Type I Onsite as needed Role Software Engineer Description The Software Engineer develops, tests, and documents custom software or scripts that integrate with the Proofpoint Protection Server software. Responsibilities • Implementation of extended functionality required for the Proofpoint implementation project that involves development of custom software or scripts. Skillset • 4+years industry experience in software engineering • Excellent analytical, problem-solving, and decision-making skills • TCP/IP networking experience • Broad technical knowledge of Internet products and technologies • Excellent command of Perl, MySQL, and Linux • Technical expertise in the Proofpoint product Type Remote Role Implementation Technical Support Engineer Description The Implementation Technical Support Engineer(TSE)provides assistance and support to the onsite customer as well as implementation team in troubleshooting and resolving technical issues that arise during the active project period (including pre- deployment and post-deployment phases). Proofpoint has a team of Technical Support Engineers available to support customers during their active Implementation project timeline. Responsibilities • Assist customers with technical issues that arise during the implementation process. • Provide proactive customer communication and rapid response in accordance to service level agreements • Perform problem troubleshooting and isolation,while working in potentially complex product and infrastructure configurations • Provide performance tuning and optimization measures • Train customers on product features • Track and document progress on all technical issues using Proofpoint's Call Tracking System (CTS) • Escalate product defects and issues internally to Proofpoint Engineering, and drive towards resolution while managing the customer • Drive high levels of customer satisfaction Skillset • 5+years industry experience in a technical role with customer support responsibilities • Expert level Sendmail system administrator experience • Strong messaging infrastructure system administrator experience • Strong UNIX system administrator experience (Linux, Solaris) • System administrator level TCP/IP networking experience. • Strong Perl experience. • Strong troubleshooting and problem solving skills • Strong written and verbal communication skills Proofpoint Proprietary and Confidential Page 6 of 7 proof point Type I Remote only 5. Consulting Services Proofpoint can provide additional consulting services upon request from customers to fulfill the roles listed above under Personnel. Proofpoint Proprietary and Confidential Page 7 of 7 proofpoint! Proofpoint Protection Server Professional Services Overview 1. Introduction Proofpoint Professional Services works closely with customers to define a framework for project success. The measure of success is a system that is fine tuned to the customer's specific needs, and meets the highest effectiveness on detection of spam, viruses, and inappropriate content. Proofpoint Professional Services takes a phased approach to the building and deployment of a secure messaging platform. Many of the activities in each phase overlap and occur in parallel. 1) Pilot—install the Proofpoint solution in an evaluation, test, or pilot environment so that administrators can become familiar with features and functionality, make informed decisions about the production configuration, and run system tests 2) Planning —define the plan, strategy, and deliverables for the project 3) Implementation—execute on the technical activities of the solution; includes the "cutover"to live production email. 4) Training—focus on ensuring that administrators are fully training on the features and functionality of the Proofpoint solution, and that the facilities needed to train the end-user population are created and delivered. (Formal training sometimes occurs during Implementation.) 5) Transition —conclude the active project, and transition into maintenance mode for the solution. 2. Sample Project Plan (Appliance) TasklMilestone Responsible Party Date(s) Comments Install PPA in lab or pilot environment Customer with Proofpoint assistance rP,cY n Develop and Document the Technical Design Customer with (optional) Proofpoint assistance Establish Topology Diagram Customer Technical Design and Topology Review Customer with (optional) Proofpoint assistance Specify and purchase network hardware Customer Specify and purchase Proofpoint appliances Customer Develop and document the user provisioning strategy Customer with(optional) Proofpoint assistance Proofpoint Proprietary and Confidential Page 1 of 7 inwo222c8 proofpoinr Task/Milestone Responsible Party Date(s) Comments Develop and document the backup and recovery Customer with (optional) strategy Proofpoint assistance Develop and document the default service Customer with(optional) configuration strategy, including: Proofpoint assistance • Spam policies • Virus policy • Content filtering policy • Report publishing • Spam Reporting Group • End User Digest configuration • Regulatory Compliance policy,rules, and actions • DAS policy, rules,and actions • Encryption policy and actions • Branding for encryption end-user interface • LDAP integration Develop and document the implementation steps to Customer with(optional) cut over to production email Proofpoint assistance Develop and document the backout procedure should Customer with (optional) there be a problem with the cutover Proofpoint Assistance Develop and document the test plan and test cases Customer with (optional) Proofpoint assistance Develop and document the end-user communications Customer with(optional) plan Proofpoint assistance . 5i41 Develop custom integration scripts/procedures if Customer needed and defined during the Planning phase Develop customizations or add-ons if needed and Proofpoint Professional Services defined during the Planning phase Prepare Data Center for system installations Customer Install Network Equipment Customer Preliminary configuration of network hardware Customer Install Proofpoint appliances in data center(s) Customer Perform network setup of Proofpoint appliances Customer Perform initial configuration of Proofpoint appliances Customer with Proofpoint assistance Install and/or configure Monitoring Tools Customer Install custom integration scripts/procedures(if Customer applicable) Install customizations or add-ons(if applicable) Proofpoint Professional Services Purchase and install SSL certificate for end-user Customer commands Execute pre-implementation test cases and log results Customer with(optional) Proofpoint assistance Review and modify system and network configuration Customer with (optional) as required Proofpoint assistance Implement backup strategy(hardware, software, Customer procedures) Proofpoint Proprietary and Confidential Page 2 of 7 jpvi022208 proofpoint> Task/Milestone Responsible Party Date(s) Comments Execute implementation steps to cutover to production Customer with Proofpoint email(see Sample Implementation Steps below) assistance Execute end-user communications plan Customer Attend Proofpoint administrative training Customer Develop and provide end-user documentation and/or Customer with (optional) training Proofpoint assistance Develop and provide helpdesk documentation and/or Customer with(optional) training Proofpoint assistance Review and document Proofpoint Technical Support Customer with Proofpoint procedures assistance Publish project documentation Customer Complete any project close procedures Customer 3. Sample Implementation Steps (Appliance) Note: This is only a sample and should be customized to your specific environment Task/Milestone Responsible Date(s) Comments Party Proofpoint server configuration: • Implement default service configuration • Ensure all domains we accept mail for are listed and routing mail to the correct email server • Place all users into Full System Audit mode Email server configuration: • Ensure email server will accept mail from Proofpoint servers Firewall changes(dependent on customer environment) Execute pre-implementation test cases(send test messages to and from Proofpoint devices and observe correct actions) Review configuration with Proofpoint Professional Services Submit DNS change to have MX records point to Proofpoint servers Reconfigure email servers to route outbound mail through Proofpoint servers Execute test cases(send test messages to and from Proofpoint devices and observe correct actions) Provision users accounts in a phased(Group 1, Group 2, all)approach Create and execute scripts to import previous spam solution's whitelist and blacklist Observe load/operation on PPS cluster for defined period of time; implement back-out procedure in case of problem Move Group 1 into non-audit mode Observe load/operation on PPS cluster for defined period of time; implement back-out procedure in case of problem Proofpoint Proprietary and Confidential Page 3 of 7 IpwO22208 proofposnt,) Task/Milestone Responsible Date(s) Comments Party Move Group 2 into non-audit mode Observe load/operation on PPS cluster for defined period of time; implement back-out procedure in case of problem Move all users into non-audit mode Observe load/operation on PPS cluster for defined period of time; implement back-out procedure in case of problem 4. Personnel Proofpoint will supply the Customer with an Engagement Team to fulfill the following roles: • Implementation Project Manager • Professional Services Solutions Architect • Professional Services Consultant/Systems Engineer • Software Engineer • Implementation Support Engineer(s) The Engagement Team is supervised by the Director of Professional Services, who reports into the VP of Worldwide Technical Sales and Services. All members of Proofpoint's current Professional Services staff have deep experience working with the Proofpoint product and implementing the Proofpoint solution in large, Fortune 500 enterprises. Each member of the team that will be assigned to the project will have had experience with at least 10 implementation projects at Proofpoint(most members have much more experience). These roles are described below: Role Implementation Project Manager Description The Implementation Project Manager will oversee the implementation to successful completion and be the primary point of contact providing project management and coordination efforts. Responsibilities • Coordinate with multiple parties-- internal departments as well as the customer--to ensure timely and satisfactory resolution to technical issues, and completion of projects • Manage Proofpoint staffing needs for the project • Proactively identify potential customer technical issues before they become critical, and lead resolution of such issues • Responsible for account status reporting both to customer and Proofpoint management • Be a strong voice for customers into the Marketing and Engineering teams to improve the product and ensure that Proofpoint deployments successful. Skillset • 5+years industry experience in technical account management, technical support, or professional services • Experience managing large, demanding enterprise customers • Responsive to customer issues and concerns; ability to create a positive working relationship with your customer Proofpoint Proprietary and Confidential Page 4 of 7 1pw022208 proof point! • Strong troubleshooting and problem solving skills. • Strong written and verbal communication skills. Type Onsite as needed; primarily remote Role Professional Services Solutions Architect Description The Professional Services Solutions Architect develops and recommends the technical architecture of a Proofpoint solution, This role provides hands-on technical expertise for the project Responsibilities • Engage with newly signed enterprise customers as a Proofpoint product expert to recommend and design the solution architecture. • Actively participate in project meetings • Drive high levels of customer satisfaction • Provide technical expertise and real-life experience in creating solutions, designs, proof of concept and implementation Skillset • 5+years industry experience in technical project management, program management, professional services, or sales engineering • Leadership experience in large systems design and implementation of technical architectures for enterprise email environments • Excellent analytical, problem-solving, and decision-making skills • UNIX system administration experience • TCP/IP networking experience • Broad technical knowledge of Internet products and technologies • Demonstrated experience in working with broad cross-functional teams Type Onsite as needed Role Professional Services Consultant/Systems Engineer Description The Professional Services Consultant leads implementations of Proofpoint solutions and maintains the technical relationships with our enterprise customers. This role will provide the hands-on technical expertise for the project. Responsibilities • Engage with newly signed enterprise customers as a Proofpoint product expert to implement Proofpoint solutions at their sites. • Implementation of the Proofpoint solution at the customer site. Implementation activities may include architecture and design, installation, configuration, troubleshooting, customization, testing, and documentation. • Be the primary technical contact for the deployment • Actively participate in project meetings • If requested, participate in end-user training and consulting • If requested, provide training to in-house development and support staff • If requested, write project documentation, which may include service manual documentation (detailed documentation of the infrastructure). • Providing recommendations on best practices to keep the Proofpoint product at optimal effectiveness with minimum cost • Be the primary Proofpoint technical contact for the engagement Skillset • 5+years industry experience in technical implementations, project management, program management, professional services, and/or sales engineering Proofpoint Proprietary and Confidential Page 5 of 7 jpw022208 proof point • Excellent analytical, problem-solving, and decision-making skills • Experience in large systems design and project implementation for enterprise email environments • UNIX system administration experience • TCP/IP networking experience • Broad technical knowledge of Internet products and technologies • Demonstrated experience in working with broad cross-functional teams • Background in Consulting • Expertise in administering the Proofpoint product Type Onsite as needed Role Software Engineer Description The Software Engineer develops, tests, and documents custom software or scripts that integrate with the Proofpoint Protection Server software. Responsibilities • Implementation of extended functionality required for the Proofpoint implementation project that involves development of custom software or scripts. Skillset • 4+years industry experience in software engineering • Excellent analytical, problem-solving, and decision-making skills • TCP/IP networking experience • Broad technical knowledge of Internet products and technologies • Excellent command of Perl, MySQL, and Linux • Technical expertise in the Proofpoint product Type Remote Role Implementation Technical Support Engineer Description The Implementation Technical Support Engineer(TSE) provides assistance and support to the onsite customer as well as implementation team in troubleshooting and resolving technical issues that arise during the active project period (including pre- deployment and post-deployment phases). Proofpoint has a team of Technical Support Engineers available to support customers during their active Implementation project timeline. Responsibilities • Assist customers with technical issues that arise during the implementation process. • Provide proactive customer communication and rapid response in accordance to service level agreements • Perform problem troubleshooting and isolation, while working in potentially complex product and infrastructure configurations • Provide performance tuning and optimization measures • Train customers on product features • Track and document progress on all technical issues using Proofpoint's Call Tracking System (CTS) • Escalate product defects and issues internally to Proofpoint Engineering, and drive towards resolution while managing the customer Proofpoint Proprietary and Confidential Page 6 of 7 jI.'w022206 proofpoint • Drive high levels of customer satisfaction Skillset • 5+years industry experience in a technical role with customer support responsibilities • Expert level Sendmail system administrator experience • Strong messaging infrastructure system administrator experience • Strong UNIX system administrator experience (Linux, Solaris) • System administrator level TCP/IP networking experience. • Strong Perl experience. • Strong troubleshooting and problem solving skills • Strong written and verbal communication skills Type Remote only 5. Consulting Services Proofpoint can provide additional consulting services upon request from customers to fulfill the roles listed above under Personnel. Proofpoint Proprietary and Confidential Page 7 of 7 jpw022208 EXHIBIT C Email Filtering, Encryption, DLP: RFP SS-2012-40, F.- CUf M Due 411/12, 10:00 am MST. • Stateturra of Work (S00W1 art',kit, • Cost and time to complete Needs Analysis for each"Phase" noted in Section II-1 Included in this proposal is the primary remote setup and configuration of the system. Including needs analysis and strategy.As noted below,full deployment should take from two to five days (start to finish). Pricing provided is scheduled based upon full deployment of 1700 users. Should the County wish to break this schedule down into smaller phases we can provide pricing based upon the user volume of each phase. • Cost and time to complete configuration and application set-up for each phase included in this proposal is the primary remote setup and configuration of the system. Configuration and application setup for each phase can be completed by the Weld County Administrator. Time to complete each phase depends upon policy and user count but should not exceed a couple hours per phase. • Cost and time to provide training to designated Security Staff, and users Included with each deployment option is Web Based training for the Weld County Administrator, this can be accomplished in a couple hours. The primary administrator can then educate Security Staff or arrangements can be made for additional Web Based sessions. Users are typically educated through notice from the administrator. Please reference "Informing your user community about email filtering"in the appendices as an example. • Projected time line, Start to Finish for each phase, if applicable Overall implementation of Proofpoint solution, independent of deployment method, is expected to take two to five days (start to finish). Phase deployment plan will be at the election of Weld County and simply entails defining policy and adding the Phase group to the system. Minimal time is required of the Weld County administrator to make these additions. • Provide a cost breakdown for basic software package Please refer to Pricing in selection of preferred deployment method. • Provide a descriptive list of what is included in basic software application package Please refer to Pricing for details of solution. • Provide a cost breakdown for suggested additional add-on product for your software solution that are not included in the basic package price. Please provide details about how this solution will benefit us based off of our requirements. Please refer to optional Archiving pricing and benefits. • 42 SUPPORT SERVICES PROGRAM FOR PROOFPOINT CUSTOMERS Overview: The support services described herein are provided by Proofpoint to each Proofpoint customer ("Customer") pursuant to the terms and conditions of the applicable license agreement ("Agreement") between each customer and Proofpoint or between a customer and an authorized Proofpoint partner. Capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement. Subject to customer paying the applicable support related fees, Proofpoint will provide the support described herein. 1.Bronze Support services consist of the following: 1.1 Error Corrections. Proofpoint shall use commercially reasonable efforts to correct and/or provide a work-around for any error reported by Customer in the current unmodified release of the Software in accordance with the priority level reasonably assigned to such error by Customer. 1.2 Software and Documentation Updates. Proofpoint shall provide to Customer one (I)electronic copy of all updated revisions to the Documentation and one (1)electronic copy of generally released bug fixes, maintenance releases and updates of the Software (collectively, "Updates"). Updates do not include products or options that are designated by Proofpoint as new products or options for which Proofpoint charges a separate fee. Software releases are supported for the current and prior release that are designated by a change to the right of the decimal (e.g. 1.1 to 1.2). Prior to discontinuing support services for any Software product line, Proofpoint shall provide at least six (6) months advance notice on its support website. 1.3 Support Requests and Named Support Contacts. Technical support is available during the technical support hours for the primary support center specified on the Product Order Form. Technical support hours for the US are Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern Time (excluding Proofpoint holidays). Technical support hours for Europe are Monday through Friday, 7:30 a.m. to 5:30 p.m. CET (excluding Proofpoint holidays). Technical support hours for Asia Pacific are Monday through Friday, 7:30 a.m. to 5:30 p.m. JST (excluding Proofpoint holidays). Customer may initiate electronic Support requests through Proofpoint's web-based call submission and tracking system ("CTS") at any time. Support request submitted via CTS will be addressed by Proofpoint during the Support hours listed above. Customer will promptly identify two internal resources who are knowledgeable about Customer's operating environment and operation of the Proofpoint Products (collectively, "Named Support Contacts"). Named Support Contacts will serve as primary contacts between Customer and Proofpoint and are the only persons authorized to interact with Proofpoint Technical Support, including accessing CTS to submit and track cases. All Support requests will be tracked in CTS and Customer can view the status of Customer's cases on CTS at any time. 1.4 Platinum Support. In addition to the Bronze support services defined above, for an additional charge, Customer shall receive (i) two additional Named Support Contacts (for a total of four) and Proofpoint shall provide assistance for Priority I errors, as reasonably determined by Proofpoint, 24x7, 365 days per year: and (ii) a dedicated phone line for submitting cases. Handling of non-Priority I errors will take place during the support hours specified in Section 1.3 above. 1.5 Premium Support. In addition to the Bronze and Platinum support services defined above, for an additional charge, Proofpoint will assign a designated Technical Account Manager to Customer's account. 2. Priority Levels of Errors and Responses In the performance of Support services, Proofpoint will apply the following priority ratings. 2.1 Priority I Errors. A "Priority I Error" means a Software program error which both (i) prevents some critical function or process from substantially meeting the Documentation and (ii) seriously degrades the overall performance of such function or process such that no useful work can be done and/or some primary major function of the Software or Appliance is disabled. Priority I Errors shall receive an initial response within one (1) hour (during standard Support hours referenced above), of the case being submitted to Proofpoint. In addressing a Priority I Error, Proofpoint shall use all reasonable efforts to develop suitable workaround, patch, or other temporary correction to restore operation as soon as possible. Proofpoint efforts to resolve a Priority 1 Error will include the following: (1) assigning one or more senior Proofpoint engineers on a dedicated basis to develop suitable workaround, patch, or other temporary correction; (2) Proofpoint Support Services Program rev 20110120 notifying senior Proofpoint management that such P1 Error has been reported; (3) providing Customer with periodic reports on the status of corrections; and (4) providing a final solution to Customer as soon as it is available. 2.2 Priority II Errors. A "Priority H Error" means a Software program error which both (i) degrades some critical function or process from substantially meeting the Documentation and (ii) degrades the overall performance of such • function or process such that useful work is hindered and/or some major function of the Software or Appliance is not operating as expected but can be worked-around. Priority II Errors shall receive an initial response within four(4) hours (during standard Support hours referenced above). Proofpoint shall use all reasonable efforts to provide a workaround, patch,or other temporary correction as soon as possible. 2.3 Priority Ill Errors. Description: A "Priority HI Error" means a Software program error which both (i) prevents some non-essential function or process from substantially meeting the Documentation and (ii) significantly degrades the overall performance of the Software or Appliance. Priority 111 Errors shall receive an initial response within eight (6) hours (during standard Support hours referenced above). Proofpoint shall use all reasonable efforts to provide a workaround, patch, or other temporary correction as soon as possible. 2.4 Priority IV Errors. A "Priority IV Error" means a Software program error which prevents some function or process from substantially meeting the Documentation but does not significantly degrade the overall performance of the Software or Appliance. Priority IV Errors shall receive an initial response within sixteen (16)hours (during standard Support hours referenced above). Proofpoint shall use all reasonable efforts to include a workaround, patch, or other temporary correction in the next Software update. 3 Customer Cooperation. Proofpoint's obligation to provide Support services is conditioned upon the following: (i) Customer's • reasonable effort to resolve the problem after communication with Proofpoint; (ii) Customer's provision to Proofpoint of sufficient information and resources to correct the problem, including, without limitation, remote access as further discussed in these policies, (iii) Customer's prompt installation of all Software maintenance releases, bug fixes and/or work-around supplied by Proofpoint, and (iv) Customer's procurement and installation and maintenance of all hardware necessary to operate the Software. As related to Priority I Errors, Customer shall provide continuous access to appropriate Customer personnel and the Appliance (if applicable) during Proofpoint's response related to the Priority I Error or Proofpoint shall be permitted to change the Priority of the error. During the term of the Support services and for purposes relating to providing Support to Customer, Proofpoint may obtain information regarding Customer's e-mail communications and Customer agrees that Proofpoint may use any statistical data generated relating to Customer's e-mail. Notwithstanding the foregoing, Proofpoint shall not disclose the source and content of any such e-mail. 4. Reproducing Problems; Remote Access. Subject to the applicable Support services fees, Support services assistance is limited to Software on platforms that are fully supported, running unaltered on the proper hardware configuration. Where applicable for a reported error, Proofpoint will use commercially reasonable efforts to reproduce the problem so that the results can be analyzed. Proofpoint's obligation to provide the Support services described herein, including without limitation meeting the response times set forth in Section 2 above, is subject to Customer providing shell or Web-based remote access to Customer's computer system(s) and network, Any such remote access by Proofpoint shall be subject to Proofpoint's compliance with Customer's security and anti-virus procedures and the confidentiality requirements set forth in the license agreement between Proofpoint and Customer. Any delay occasioned by Customer's failure to provide the foregoing remote access shall extend the response time periods set forth in Section 2 accordingly and resolution of the problem may be subject to payment of additional fees. Prior to proceeding with work that will be subject to additional fees, Proofpoint will notify Customer and will not start such work until Proofpoint receives authorization from Customer, If Customer fails to provide remote access to its computer system(s) and network and Proofpoint and Proofpoint and Customer cannot agree on a mutually satisfactory alternative method of reproducing the problem, Proofpoint shall not be obligated to resolve the problem. Proofpoint Support Services Program rev 20110120 5. Support Services Conditions. 5.1 Support Issues Not Attributable to Proofpoint. Proofpoint is not obligated to provide Support services for problems related to: (i) unauthorized modifications and/or alterations of the Software, (H) improper installation of the Software by non-Proofpoint personnel, use of the Software on a platform or hardware configuration other than those specified in the Documentation or in manner not specified in the Documentation, or (iii) problems caused by the Customer's negligence, hardware malfunction, or third- party software. In the event Proofpoint provides Support services for problems caused by any of the above, Customer will reimburse Proofpoint for such services at the then-current time and materials rate. Proofpoint shall be entitled to discontinue Support services in the event of Customer's non-payment of • Subscription Fees when due. 5.2 Exclusions from Support services. The following items are excluded from Support services: (a) In-depth training. If the Support request is deemed to be training in nature, and will require an extended amount of time,Customer will be referred to Proofpoint's training or consulting departments. (b). Assistance in the customization of the application. Support services do not include providing assistance in developing, debugging,testing or any other application customization (c). Information and assistance on third party products. Issues related to the installation, administration, and use of enabling technologies such as databases, computer networks, and communications (except an Appliance)are not provided under Proofpoint Support services. (d) Assistance in the identification of defects in user environment. If Proofpoint concludes that a problem being reported by a Customer is due to defects in Customer's environment, Proofpoint will notify the Customer. Additional support by Proofpoint personnel to remedy performance issues due to the user environment are categorized as consulting services,which are provided for an additional fee. (e). Installation. Support Services provided herein do not include the use of Proofpoint Support services resources to perform installation of updates or Customer-specific fixes. If Customer wishes to have Proofpoint perform services related to any of the above items, such services will be performed pursuant to a mutually executed SOW. 6.Description of Appliance Support Services. 6.1 Services. For as long as the Appliance purchased by Customer is under Proofpoint's Appliance warranty Customer shall contact Proofpoint for any and all maintenance and support related to the Appliance. If support for the Appliance purchased by Customer includes on-site support, Proofpoint shall provide or cause to be provided 8-hour response service during the support hours specified in Section 1.3. A technician will arrive on-site, depending on Customer's location and the availability of necessary parts, as soon as practicable (within the business hours specified in Section 1.3) after problem determination. Optional 24x7 service is available subject to Section 1.4. 6.2 Customer Obligations. Customer must also install remedial replacement parts, patches, software updates or subsequent • releases as directed by Proofpoint in order to keep Customer's Appliance eligible for Support services. Customer agrees to give Proofpoint at least thirty (30) days written notice prior to relocating Appliance. It is Customer's responsibility to back up the data on Customer's system, and to provide adequate security for Customer's system. Proofpoint shall not be responsible for loss of or damage to data or loss of use of any of Customer's computer or network systems. Customer agrees to provide the personnel of Proofpoint or its designee with sufficient, free, and safe access to Customer's facilities necessary for Proofpoint to fulfill its obligations. 6.3 Exclusions. Appliance Support services do not cover parts such as batteries,frames,and covers or service of equipment damaged by misuse, accident, modification, unsuitable physical or operating environment, improper maintenance by Customer, removal or alteration of equipment or parts identification labels, or failure caused by a product for which Proofpoint is not responsible. Proofpoint Support Services Program rev 20110120 EXHIBIT D rm t jI curd SS-2012-40: Encryption Project Prepared For Weld County Created By Cyle Coffman Vcura Incorporated 877-539-6502 Cylecoffman@vcura.com http://www.vcura.com Vcura Overview Vcura Delivers industry leading 1T security, operations, technology,consulting, and support with a responsibility focus.We align technology based on applicability, resulting in and maintaining your focus. Vcura understands that delivering IT enabling solutions is as much about people and processes as it is technology. The Vcura team consists of industry recognized security and access professionals committed to preserving the brand and value of our clients.With over a decade of security and access focused interest,Vcura has established itself as the premier IT enabling and security solutions provider in the industry. Vcura focuses exclusively on delivering IT solutions throughout five stages of organizational development.We support our clients'needs as a continual evolution of interest from core operations to mobilization, and therefore we offer expertise and solutions within each functional stage.The Vcura model builds on the areas of organizational compliance,risk mitigation and operations, relevant to our environment and regardless of changes in access methods or technology.We focus on these concepts,and understand the balance and demands of quality of service and assurance for your internal and external users, customers,and partners. Your industry and organization is ever changing and so does your interest in evolving security and access solutions. As your partner,we center on your business and the ideas that drive your security or access requirements.We emphasize the application of technology based on your organizational drivers,providing you our knowledge gained through discovery and observation of the industry.Vcura offers the insight,expertise,and knowledge required to guide you through the constantly changing security and access industry—maintaining your focus. Organizations today are generally aware of their posture related to compliance,quality of service, and assurance. However, many organizations are not so advanced in their strategy to support core services and progressing needs of an anywhere and anytime access model.Vcura provides the strategy,technology, and services necessary to progress your organization through not only developing but also mobilization of core services. Vcura principles focus on enhancing the market and not just reaction to industry trends.We believe that there is no substitute for experience and that success requires vision and diligent execution.As your partner,we will not act without consideration,guide without evidence of success, promote without evaluation of alternatives,or implement without understanding. Period. Vcura value • End-to-end expertise from access solutions and security to operations enablement • Proven methodology providing current state and business case analysis • Solution applicability focus • Managed services • Principles of responsibility—social,economic,and environmental Vcura partners are a critical component to the overall value of our offerings.We maintain the highest level of designation with our partner organizations and support their leading ideas and technologies.Vcura is a supplier of technology but we also tailor our services to support our partner specific offerings. For additional information on Vcura solutions and partners, please visit us online: www.vcura.com T.2012 Vcura Incorporated All rights reserved.Vcura and the Vcura logo are trademarks of Vcura Incorporated. Cost Summary Pricing is generally valid for 30 days from receipt of proposal. Please validate with your Vcura team prior to order placement. Services ManufacturerlDescription Price Qty Subtotal PP-PST $2,400.001 Fixed $2,400.00 ?roo rJirc-rvia � n �.i,ii �, ,cr :, iorS i ( e� eotot o1 . iPi . r�.�)_O. . ror cy_ in re;j• t Work to b f .ai ed .., part 3:J Hun,_.. PP-PSP-110 $0.00/ Fixed $0.00 Subtotal: $2,400.00 Subscriptions Manufacturer/Description Price Qty Subtotal PP-B-EPV-V-B $26.21/Year 500 $13,105.00 Puu!p«nrl 1-nrE.:•rprise F"Fvac}(Pivr,c:v;-iti.;lul;itvey Compliance, D.~r1 d rt;,:8i:;ttturny, Ericryp:,.,:, Year �L•.JO Licen.;e LEA!!) PP-B-EPV-V-B $21.56/Year 24 $517.44/Year i-rootpo:nt Errre:prise P<vacy(Privacy) _Ftror•:irury c.:rirnp!!t;e:•.-'. Du;nctl As:::a Secr.icty,Fn ryptioti (-31; 750 I Tense I eve') PP-SUPPORT-PS $5.231 Year 500 $2,615.001 Year Proof pt;tot Erttr.:or;tc Pr rides/(Privnr:)'! Platinum Support tijtit)Lrcr'n'.,•!-evt:11 PP-SUPPORT-PS $4.73/Year 24 $113.52 1 Year ,'roofpoil!i Er;ti prig?Pi'v cyr li)r'ivaCy1 I'latini:m Support S'.•r.i1 750 Licef'srr $16,350.961 Subtotal: Year Total cost: $2,400.00 +$16,350.96 1 Year Terms: Net 30 (Due upon receipt unless otherwise noted) On behalf of the entire team at Vcura, Thank You for your consideration of this proposal. In addition to your local client interest team, if there is anything I can do to ensure 100%satisfaction as a Vcura client, please contact me.We look forward to working with you. Sincerely, 6.7_7(4, 1.� Cyle Coffman Vcura- President . 303-882-4347 . cylecoffman@vcura.com :r::2012 Vcura Incorporated All rights reserved.Vcura and the Vcura logo are trademarks of Vcura Incorporated. Purchase Agreement Product:Vcura Incorporated or Vcura Canada Incorporated(Vcura)will provide to the other party hereunder("Client"),the product(s)or service(s) specified in the sales proposal(the"Document")to which these Terms and Conditions are attached and made a part of(individually and collectively. the"Product"),by sale,license or sublicense,as provided under and upon the terms and conditions of this Agreement. These Terms and Conditions. along with the Document and all appendices thereto,are collectively the"Agreement". Invoicing and Payment:The purchase price for the Product will be due and payable as indicated in the attached Document. If Client's account is past due and Vcura has notified Client verbally or in writing of the past due balance,it may,without advance notice,immediately cease any and all Product sales hereunder,or revoke any and all Product licenses hereunder,without any liability for breach of this Agreement. If Client's account,after default,is referred to an attorney or collection agency for collection,Client will pay all of Vcura's expenses incurred in such collection efforts including,without limitation,court costs and reasonable attorney's fees. Expenses:Client will reimburse Vcura for any direct out-of-pocket expenses incurred in connection with the performance of services,including but not limited to:Out-of-town expenses billed at cost in addition to hourly rates.Parts and incidental hardware items necessary to perform the request services. Taxes:The customer agrees that they are responsible for payment of any sales,use tax,and duties arising from its purchase of Product under this agreement. Limitations on Warranty:Vcura makes no warranties,express or implied,with respect to the product.Vcura expressly disclaims any implied warranty of merchantability or fitness for a particular purpose or use.Client should refer to the Product license,documentation and other information provided by the manufacturer of the Product for warranty and any other information regarding any Product. Limitation of Liability: Client's exclusive remedy,and Vcura's sole liability to Client,for any cause whatsoever will be limited to any purchase price or license fees.as applicable,paid to Vcura by Client under this agreement.The forgoing limitation will apply regardless of the form of action. whether contract or tort,including without limitation,negligence.In no event will Vcura be liable for any loss of profit,revenue,data,use,or other commercial injury,or any special,incidental,indirect or consequential damages.suffered by client or any third party,whether or not Vcura has been advised of the possibility of such loss,injury,damages or third party claim,under any cause of action arising out of or relating to this agreement. Independent Contractor:Vcura and Client acknowledge that the relationship between the parties to this Agreement,as relating to services, is exclusively that of an independent contractor and that Vcura's obligations to Client are exclusively contractual in nature. This Agreement does not create any agency,employment,partnership joint venture,trust or other fiduciary relationship between the parties. Neither party shall have the right to bind the other to any third person or otherwise to act in any way as a representative or agent of the other. Enforceability: If any provision,or any part of any provision,of this Agreement will be held void,voidable,invalid,or inoperative,no other provision of this Agreement will be affected as a result thereof and accordingly,the remaining provisions of this Agreement will remain in full force and effect as though such void,voidable,Invalid or inoperative provision or part thereof had not been contained herein. Relationship: This Agreement does not create an agency,employment,partnership joint venture,trust or other fiduciary relationship between the parties. Neither party shall have the right to bind the other to any third person or otherwise to act in a way as a representative or agent of the other. Entire Agreement:This Agreement sets forth the entire agreement between the parties with respect to the subject matter herein,superseding all prior agreements,negotiations or understandings,whether oral or written,with respect to such subject matter. To the extent that any of the terms and conditions of the Document or any appendices thereof conflict with these Terms and Conditions,these Terms and Conditions will control. This Agreement may not be changed,modified or waived in whole or part except by an instrument in writing signed by both parties. Unless otherwise defined in the Document,all defined terms will have the definitions set forth in these Terms and Conditions. ©2012 Vcura Incorporated All rights reserved.Vcura and the Vcura logo are trademarks of Vcura Incorporated. Order Authorization Purchase Order Authorization: Issuance of a purchase order is the preferred method of order authorization. Based upon location, please issue orders to the following address: United States: Canada(All): Canada(BC Option): Vcura Incorporated Vcura Canada Incorporated Vcura Canada Incorporated 9800 Mount Pyramid Court 10th Floor Bankers Hall,West Tower 888 West Georgia Street Suite 400 888-3rd Street South West Suite 1500 Englewood,CO 80112 Calgary,AB T2P 5C5 Vancouver, BC V6C 3E8 sales@vcura.com sales@vcura.com sales@vcura.com Electronic Authorization: Execution of this proposal via electronic acceptance provides authorization to proceed with order processing. By authorizing this proposal via electronic acceptance or email,you agree to the terms of this proposal and acknowledge that you are duly authorized to execute such agreement and commit funding for your organization. In the event that you provide electronic authorization, but are not duly authorized by your organization to execute this order,you acknowledge personal acceptance of the terms of this proposal and associated liability. Signature Authorization: Execution of this proposal via signature provides authorization to proceed with order processing. By authorizing this proposal via signature, you agree to the terms of this proposal and acknowledge that you are duly authorized to execute such agreement and commit funding for your organization. In the event that you provide signature authorization, but are not duly authorized by your organization to execute this order,you acknowledge personal acceptance of the terms of this proposal and associated liability. Authorization to proceed with proposal/order: Authorized Name/Title: (Printed) Authorized Signature/Dated: Purchase Order Number: (please provide original copy of purchase order) Electronic/Signature Authorization: —(check if applicable, please email acknowledgement including proposal to your account representative) :�;2012 Vcura Incorporated All rights reserved.Vcura and the Vcura logo are trademarks of Vcura Incorporated. Hello