CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

SOFTWARE AS A SERVICE (SaaS) AGREEMENT

This SOFTWARE AS A SERVICE (SaaS) AGREEMENT (“Agreement”) is made this 1st day of November, 2015 (“Effective Date”) by and between Anthem, Inc., an Indiana corporation (“Anthem”), and Castlight Health, Inc., a Delaware corporation(“Castlight”), and describes the terms under which Castlight will provide certain software and services to Anthem.

In consideration of the covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the terms and conditions contained in this Software as a Service (SaaS) Agreement.

1.GENERAL

1.1Definitions. Capitalized terms used herein shall have the meanings ascribed to them in the body of this Agreement and/or in the Order Schedules, Exhibits and other documents attached hereto, or as defined below. Terms other than those defined herein shall be given their plain English meaning, and those terms known in the information technology industry shall be interpreted in accordance with their generally known meanings. Unless the context otherwise requires, words importing the singular include the plural and vice-versa.

1.1.1“Affiliate” means any entity controlling or controlled by or under common control with a Party, at the time of execution of the Agreement and any time thereafter, where “control” is defined as (a) the ownership of at least fifty percent (50%) of the equity or beneficial interest of such entity, or (b) any other entity with respect to which such Party has significant management or operational responsibility (even though such Party may own less than fifty percent (50%) of the equity of such entity).

1.1.2“Authorized User(s)” means with respect to the Services (other than the publicly available portal) any individual who is at least 18 years of age, and eligible as determined by Plan to receive Covered Services under a health benefit Plan, in each case solely to the extent that with respect to such person there is an effective Order Schedule for such person’s access to the Services.  Individuals accessing the publicly available portal shall be Authorized Users solely with respect to such access of the publicly available portal.  For all purposes related to this Agreement, including all schedules, attachments, exhibits, manual(s), notices and communications related to this Agreement, the term “Covered Individual” may be used interchangeably with the terms insured, Member or Enrollee, and the meaning of each is synonymous with any such other.

1.1.3BCBSA” means the Blue Cross and Blue Shield Association

1.1.4“BCBSA Requirements” means those requirements with which Anthem and its affiliates must comply pursuant to their license agreements with the Blue Cross and Blue Shield Association. These requirements include but are not limited to: (a) the requirements established by the Blue Cross Blue Shield Association (“BCBSA”), governing access to and use of the BCBS Axis Data and, as applicable, the Claims Data (the “BCBSA Axis Requirements”); and (b) co-branding requirements pertaining to the use of trade names and marks, to the extent applicable to the Services (the “BCBSA Co-branding Requirements”). The BCBSA Axis Requirements identified as of the effective date hereof are enumerated in Exhibit J to this Agreement. The BCBSA Co-branding Requirements identified as of the effective date hereof are summarized in Exhibit J to this Agreement. Castlight acknowledges the obligations of Anthem and its affiliates to comply with all applicable BCBSA requirements, which

Software as a Service (SaaS) Agreement REV. December 2014 Page 1

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

compliance is Anthem’s responsibility, and agrees to cooperate with Anthem in ensuring such compliance. Within thirty (30) days from notice unless the Parties mutually agree to a different timeframe, Castlight agrees to comply with BCBSA Requirements issued after the Effective Date and agrees to perform remediation if Anthem determines Castlight is noncompliant with applicable BCBSA Requirements, provided Anthem explains what specific rule necessitates a change and/or remediation upon each such notice.

1.1.1“Collaboration Agreement” shall mean that certain Reference Based Benefits Collaboration Agreement entered into by the Parties effective as of January 18, 2013, including all amendments thereto.

1.1.2“Confidential information” has the meaning ascribed in Section 9.2.

1.1.3“Covered Service” means a medical procedure, service, or treatment that is covered under a health plan insured or administered by an Anthem Company.

1.1.4“Documentation” shall mean all descriptions, instructions or other materials that are incorporated into this Agreement during the Term which describe the specifications, operation, functionality or other information regarding the Castlight System or Subscription Service.

1.1.5 “Exhibit” or “Exhibits” shall include, when applicable, the Business Associate Agreement (BAA), the Federal Government Services Addenda (Exhibits B and D), the Medicare Compliance Specialty Exhibit (Exhibit C), the Diversity Supplier Compliance Exhibit (Exhibit E), the Medicaid Requirements (Exhibit F) and/or any other exhibits attached hereto.

1.1.6“Force Majeure Event” has the meaning ascribed in Section 18.8 below.

1.1.7HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder at 45 C.F.R. §§ 160-164.

1.1.8 “Intellectual Property” means all concepts, inventions (whether or not protected under patent laws), works of authorship, information fixed in any tangible medium of expression (whether or not protected under copyright laws), moral rights, mask works, trademarks, trade names, trade dress, trade secrets, publicity rights, names, likenesses, know-how, ideas (whether or not protected under trade secret laws) and all other subject matter protected under patent (or which is not patented, but is subject matter that is protected under patent law), copyright, mask work, trademark, trade secret, or other laws, whether existing now or in the future, whether statutory or common law, in any jurisdiction in the world, for all media now known or later developed, including all new or useful art, combinations, discoveries, formulae, algorithms, specifications, manufacturing techniques, technical developments, systems, computer architecture, artwork, software, programming, applets, scripts, designs, processes and methods of doing business.

1.1.9“Jointly Developed Product(s)” shall mean any product that is jointly created by both Parties in the course of the collaboration pursuant to a mutually agreed separate Order Schedule.

Software as a Service (SaaS) Agreement REV. December 2014 Page 2

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

1.1.10Non-AnthemBlue Plan” means an independent Blue Cross and/or Blue Shield health plan which is a licensee of the Blue Cross and Blue Shield Association that is not an Anthem company.

1.1.11 “Nonpublic Personal Financial Information” or “NPFI” shall have the same meaning as “Nonpublic Personal Information” in 15 USC, Subchapter I, Sec. 6801-6809, of the Gramm-Leach-Bliley Act. NPFI may also be referred to herein as “Personally Identifiable Information.”

1.1.12“Notice” shall have the meaning ascribed in Section 18.5 below.

1.1.13“Order Schedule” shall mean any order document, Statement of Work, Service Order Form or purchase order executed by the Parties noting the Subscription Service and/or types of Services Castlight shall provide and corresponding pricing. Each Order Schedule will incorporate terms of the Agreement.

1.1.14“Party” means Anthem or Castlight; “Parties” means Anthem and Castlight.

1.1.15“Plan” means an Anthem Affiliate that contracts with individuals, employers, and other entities to administer, arrange, insure, provide, and underwrite health services for Covered Individuals, as that term is defined herein.

1.1.16“Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Castlight from or on behalf of Anthem.

1.1.17“Castlight System” means the software, hardware, middle ware, servers, or any other item operated by or behalf of Castlight, and communications connectivity used in conjunction with the foregoing.

1.1.18“Services” means the services to be provided by Castlight under this Agreement and any Order Schedule including, without limitation, access to, and use of, the Subscription Services, technical support and training.

1.1.19“Service Levels” means those requirements set forth on Exhibit G attached hereto.

1.1.20“Subscription Service” shall mean the online services, computer applications, associated user interfaces, help resources, and any related technology to be made available by Castlight via the Castlight System and the Internet that are specified on any Order Schedule to this Agreement, together with all security devices, and any proprietary third party software that is provided as part of or that accompanies the Subscription Service.

1.1.21“Anthem Data” means the data that Anthem agrees to release to Castlight as needed to provide the Services and which shall consist of the types of data outlined in the applicable Order Schedule.

Software as a Service (SaaS) Agreement REV. December 2014 Page 3

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

1.2The definitions contained in this Agreement shall apply to each Exhibit or Order Schedule.

1.3Each Order Schedule and each amendment thereto must be signed by both Parties and must state that it is made pursuant to this Agreement. Each Order Schedule shall constitute a separate agreement which incorporates the terms and provisions of this Agreement. The provisions of this Agreement shall control over any conflicting provisions in an Order Schedule or Exhibit, except to the extent the Order Schedule or Exhibit indicates the clear intent of the parties that such conflicting term prevail over a term or condition of this Agreement. Notwithstanding the foregoing or any other provision of this Agreement to the contrary, in the event of any inconsistency or conflict between the terms and conditions of this Agreement and the terms and conditions of any of the following exhibits, if such Exhibits are attached to this Agreement, then the terms and conditions of the following specified Exhibits shall prevail over the terms and conditions of the main body of this Agreement or Order Schedule: ( i) Business Associate Agreement; (ii) Federal Government Services Addenda; (iii) Medicare Compliance Specialty; and (iv) Medicaid Requirements. An Order Schedule may contain additional terms, provided that the terms do not conflict with the provisions of this Agreement.

1.4Interpretation. The use of the terms “including,” “include” or “includes” shall in all cases herein mean “including without limitation,” “include without limitation” or “includes without limitation,” respectively.

1.5Number and Gender. Words importing the singular include the plural and words importing the masculine include the feminine and vice versa where the context so requires.

1.6No Primary Drafter. The Parties acknowledge and agree that they have mutually negotiated the terms and conditions of this Agreement and that any provision contained herein with respect to which an issue of interpretation or construction arises shall not be construed to the detriment of the drafter on the basis that such Party or its professional advisor was the drafter, but shall be construed according to the intent of the Parties as evidenced by the entire Agreement.

1.7Benefits of this Agreement. All rights and benefits granted hereunder to Anthem may be exercised and enjoyed by any Affiliate of Anthem, and all such rights and benefits (including without limitation, all licenses granted by Castlight hereunder) shall be deemed to be granted to all Anthem Affiliates. Further, for purposes of calculating discounts available under this Agreement that are based on volume, quantity or other measurement factor, the total volume of all Anthem Affiliates shall be counted to determine whether the applicable volume, quantity or other measurement factor has been achieved.

1.8No Commitment. Unless otherwise agreed to in an executed Order Schedule, Castlight understands and agrees that Anthem offers no commitments or guarantee of any minimum volume of purchases or of revenues under this Agreement and that Castlight may not be Anthem’s sole provider of similar applications or services. This Agreement is nonexclusive and does not grant Castlight an exclusive right to provide Anthem with any kind of services, deliverables or licensed products and Anthem may use its own employees, other independent contractors and/or other suppliers to perform the same or similar services or provide the same or similar licensed products as are to be performed and/or provided by Castlight hereunder.

1.9Anthem Policies and Procedures. In addition to all other obligations contained herein, Castlight and its subcontractors shall adhere to the Anthem policies and procedures, as applicable, and further described in this Section 1.9 and this Agreement. The policies and procedures are expressly

Software as a Service (SaaS) Agreement REV. December 2014 Page 4

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

referenced and incorporated into this Agreement and are either attached as Exhibits to this Agreement and/or provided to Castlight via the web site address listed below (or any successor site or communicate designated by Anthem). Castlight shall adhere to policies and procedures as amended subsequent to the Effective Date of this Agreement necessary for statutory or regulatory compliance, provided: (a) Castlight is given reasonable written notice (email is acceptable) of such amendments prior to being required to adhere to such policies and procedures; and (b) if there are any additional costs for Castlight to comply with such amended Company policies and procedures, the parties will confer in good faith to reach a mutually agreeable resolution regarding Castlight’s additional cost of compliance. To the extent Anthem amends its policies or procedures other than as necessary for statutory or regulatory or BCBSA compliance, Anthem will provide Castlight written notice of such amendments (email is acceptable), and the parties shall discuss in good faith Castlight’s compliance with such amended policies and/or procedures.

Anthem Supplier Relations webpage:

http://www.antheminc.com/prodcontrib/groups/wellpoint/@wp_suppliers/documents/wlp_assets/pw_e226861.pdf

aProcurement Process Technology and Electronic Signatures

bSupplier Code of Conduct

cReimbursable Expense Guidelines

dExhibit A: The Business Associate Agreement entered into by the Parties on September 12, 2013 is incorporated herein by reference.

eExhibit B: Intentionally Omitted.

fExhibit C: Intentionally Omitted

gExhibit D: Intentionally Omitted.

hExhibit E: Minority and Women’s Business Enterprise Compliance

iExhibit F: Medicaid Requirements

•Exhibit F-1 California Medicaid Subcontract Exhibit

•Exhibit F-2 Medicaid Exhibit Indiana HHW HIP HCC

•Exhibit F-3 Massachusetts Medicaid Requirements for Vendors

•Exhibit F-4 New York Medicaid Requirements - Vendors

•Exhibit F-5 Medicaid Exhibit South Carolina

•Exhibit F-6 Medicaid Exhibit Texas (Anthem)

•Exhibit F-7 Virginia Medicaid Requirement

•Exhibit F-8 West Virginia Medicaid Requirements - Vendor

•Exhibit F-9 Medicaid Exhibit Wisconsin

•Exhibit F-10 Florida Medicaid Subcontract Exhibit

Software as a Service (SaaS) Agreement REV. December 2014 Page 5

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

•Exhibit F-11 Kansas Medicaid Subcontract Exhibit

•Exhibit F-12 Medicaid Exhibit Louisiana

•Exhibit F-13 Medicaid Exhibit Maryland

•Exhibit F-14 New Jersey Medicaid Subcontract Exhibit

•Exhibit F-15 Medicaid Exhibit Nevada

•Exhibit F-16 Medicaid Exhibit Tennessee

•Exhibit F-17 Medicaid Tennessee BAA – Utilize for all TN Vendors

•Exhibit F-18 Medicaid Exhibit Texas (Amerigroup)

•Exhibit F-19 Medicaid Exhibit Kentucky

•Exhibit F-20 Medicaid Exhibit Washington

•Exhibit F-21 Georgia Medicaid Exhibit

oExhibit G: Service Levels

oExhibit H: Required Information Security Controls

oExhibit I: Qualified Health Plans

oEXHIBIT J: BCBSA Requirements

§Exhibit J-1: BCBSA Axis Requirements

§Exhibit J-2: BCBSA Co-Branding Requirements

§Exhibit J-3: Patient User Review Requirements

oEXHIBIT K: NCQA Requirements – Division of Responsibilities

oEXHIBIT L: Pricing Exhibit

oEXHIBIT M: Jointly Developed Products

oEXHIBIT N: Approved Subcontractors and Service Locations

oExhibit O: Competitors

oExhibit P: Medicare Medicaid Dual Integration Regulatory Exhibits

§Exhibit P -1: New York Dual Integration Regulatory Exhibit

§Exhibit P-2: Texas Dual Integration Regulatory Exhibit

§Exhibit P-3: Virginia Dual Integration Regulatory Exhibit

2.SUBSCRIPTION RIGHTS

Software as a Service (SaaS) Agreement REV. December 2014 Page 6

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

2.1Castlight hereby grants Anthem and its Affiliates and their Authorized Users, solely to the extent described in an applicable Order Schedule, a subscription to access that portion of the Castlight System so described and access and use the Subscription Service and all related Documentation so described. Castlight acknowledges and agrees that (i) the Castlight System and Subscription Service may be accessed and used by the number of users, on the number of computers or equipment, and/or at the number of sites, for the term and limited to the functionality set forth in the applicable Order Schedule, as well any other computers owned, leased or otherwise used by Anthem or its Affiliates, and their respective employees or agents that are electronically linked to Anthem’s or its Affiliates’ servers; (ii) Anthem’s and Anthem Affiliates’ agents, contractors, consultants, suppliers, customers and third-party service providers are authorized to exercise the rights granted to Anthem and its Affiliates in this Section 2.1 in furtherance of services provided to Anthem and its Affiliates subject to requirements set forth in Section 4.3 (Cooperation With and Access by Third Parties); (iii) the Castlight System and Subscription Service may be used for Anthem’s and Anthem Affiliates’ normal business purposes solely to the extent described in an applicable Order Schedule.

2.2Service Levels. Castlight shall provide Subscription Services to Anthem in accordance with the terms set forth on Exhibit G attached hereto.

3.IMPLEMENTATION; ACCEPTANCE TESTING

3.1Implementation. A Preliminary Implementation Plan has been developed by the Parties prior to the Effective Date hereof.  A comprehensive Detailed Implementation Planfor implementation of the Castlight System (together with the Preliminary Implementation plan to be referred to collectively as the “Implementation Workplan”) shall be prepared by Castlight and approved by Anthem and incorporated into the applicable Order Schedule. The Implementation Workplan shall include where applicable, but not be limited to management and staffing resources as required by both Parties, configuration schedule and specifications, training schedule, testing schedules and implementation budget. Such project plan shall further detail any other Services to be provided by Castlight and Anthem. Failure of Castlight to perform its obligations substantially in accordance with the Implementation Workplan shall constitute a material breach of this Agreement, provided, however, that Castlight shall not be responsible for any failure to meet any obligation in the Implementation Workplan to the extent such failure is caused by the delays or other failure of Anthem to meet its obligations under the Implementation Workplan.

3.2Acceptance Testing for Castlight System and Subscription Service. Unless otherwise specifically indicated herein, Anthem shall have thirty (30) days (the “Acceptance Period”) after receipt of Castlight’s written notice (which notice shall be provided in accordance with Section 17.4 and Castight shall use best efforts to determine that Anthem received such notice) that Anthem has access to the Castlight System to test, review and evaluate the Castlight System and Subscription Service (“Acceptance”) for compatibility with Anthem’s relevant infrastructure and for conformance with the (a) published specifications for the Castlight System and Subscription Service; (b) representations made to Anthem regarding such Subscription Service; and (c) operational requirements set forth by Anthem in the Order Schedule, or if none stated, then the criteria shall be Anthem’s reasonable acceptance. During the Acceptance Period, Anthem shall provide Castlight with either written notice of acceptance or, if in Anthem’s reasonable discretion the Subscription Service does not comply in any material way with the applicable specifications, written notice of rejection, which shall specify, in reasonable detail, the reason(s) why the Subscription Service fails to meet the applicable specifications. Upon receipt of any such notice of rejection, Castlight shall exercise commercially reasonable efforts to correct the

Software as a Service (SaaS) Agreement REV. December 2014 Page 7

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

deficiencies at no cost to Anthem, and to provide Anthem with access to the modified Castlight System and Subscription Service as soon as practicable, but not to exceed forty five (45)) days from Anthem’s notice. Commencing upon Castlight’s provision of the modified Subscription Service, Anthem shall have twenty (20) days to test, review and evaluate such modifications. If Anthem does not furnish any written notice of acceptance or non-acceptance to Castlight as required above, prior to the end of the applicable Acceptance Period, then Castlight will give the Anthem and the SPCC (as defined in Section 17.1.1) written notice of Anthem’s failure to provide notice of acceptance or non-acceptance (and Castlight shall again use best efforts to determine that Anthem and the SPCC have received such notice). In the event that Castlight has not received written notice of acceptance or non-acceptance of the applicable Subscription Service within ten (10) business days after Anthem’s receipt of such notice, then and only then will Anthem will be deemed to have accepted the applicable Subscription Service. If after repeating the process set forth in the preceding sentences three times Castlight has not corrected all material deficiencies, as determined in Anthem’s reasonable good faith discretion, , Anthem may (1) terminate this Agreement immediately and/or (2) terminate any applicable Order Schedule and the Parties agree to meet and confer in good faith to determine applicable fees Castlight will pay to Anthem as a result of the failed Services.

4.TRAINING, SUPPORT AND COOPERATION

4.1Training. Castlight will provide Anthem and its Affiliates and its and their employees that primarily perform functions in the sales, account management and/or service operations functions for Anthem) with training on the Core Transparency Service. The training will consist of Castlight providing such Anthem employees with “train-the-trainer” type of training with respect to the functions, features, operation of the Core Transparency Service, which training may be provided via webinar or other remote means (and which training may be posted by Anthem and made available to other Anthem employees). Upon mutual agreement of the Parties, such training will include attendance by Anthem-identified individuals at Castlight’s internal training programs

4.2Support. Castlight shall provide Anthem and its Authorized Users technical support regarding the use of the Castlight System and the Subscription Service. Such support shall be as described in the applicable Order and as further described in the Service Levels. Castlight also will provide to Anthem any revisions to the existing Documentation necessary to reflect the foregoing.

4.3Cooperation with and Access by Third Parties. Anthem may from time to time hire outsourcers, subcontractors, consultants, or other third Parties (“Anthem Third-Party Contractors”) to perform services or provide products relating to Anthem’s business or the business of an Anthem Affiliate. Such services and products provided by Anthem Third-Party Contractors, may be integrated with the Services or Castlight Materials provided by Castlight hereunder (an “Integrated Project”) upon Castlight’s prior written consent, which may be via email and which shall not be unreasonably withheld. Castlight shall cooperate with and work in good faith with any Anthem Third-Party Contractor(s) as requested by Anthem. Such cooperation may include knowledge sharing of standards, policies, quality assurance and testing processes, as applicable, to ensure smooth deployment of Integrated Projects and/or the smooth and efficient transition of any Services (or component of Services) to, from, or among Anthem, Castlight and any Third Party Contractor. Castlight may require such Third Party Contractors to execute direct non-disclosure agreements with terms no more restrictive than the confidentiality terms contained herein prior to accessing the Services or Castlight System (such non-disclosure agreements “Castlight NDAs”).Access shall be limited to Third Party Contractors that: (a) that have executed a Castlight NDA; (b) need access in connection with the performance of services for Anthem for an applicable SOF; and (c) are not Competitors (as defined below) of Castlight. For the purposes of this

Software as a Service (SaaS) Agreement REV. December 2014 Page 8

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Section 4.3 , Competitors shall mean entities providing direct-to-client products that enable employers to optimize the delivery of healthcare benefits and improve employee decision-making. Castlight Materials, and/or Deliverables, as applicable, as reasonably required for such Third Party Contractors to perform functions for and on behalf of Anthem or any Anthem Affiliate; and provided that such Third Party Contractors shall use or access the Castlight Materials and/or Services solely for Anthem’s benefit and shall have agreed to confidentiality provisions no less restrictive than those contained in this Agreement, and Anthem shall remain responsible for such Third Party Contractor’s use or access to the Castlight Materials and/or Services in accordance with the terms of this Agreement.

5.BUSINESS CONTINUITY/DISASTER RECOVERY; FLIP-OVER RIGHTS.

5.1Castlight represents and warrants that its enterprise business continuity program complies with ISO 22301 standards. Castlight shall also comply with the business continuity requirements set forth in the Vendor Agreement between the Parties dated September 12, 2013, as amended, incorporated herein by reference.

5.2Anthem may exercise Flip-Over Rights (as defined below) at any time during the period that the Castlight fails to restore Services in accordance with the applicable and approved BCP and included RTO(s) and, upon written request cannot provide adequate assurances that restoration of services will occur reasonably soon (as reasonably determined by Anthem), and, in doing so, may take other action as is reasonably necessary to provide similar services during the period the Services are disrupted. Castlight shall cooperate with Anthem and its agents, as applicable, in the exercise of such Flip-Over Rights and provide reasonable assistance at no charge to Anthem to promptly restore such disrupted Services. Castlight shall not be entitled to receive any charges to the extent they relate to Services performed by Anthem and all costs associated with the exercise of such Flip-Over Rights shall be borne by Castlight. Such Flip-Over Rights shall continue until Castlight demonstrates to Anthem’s reasonable satisfaction that Castlight is able to resume performance of the Services with appropriate mitigation in place designed to prevent further BCP failures for the Services. Such exercise of Flip-Over Rights shall not constitute a waiver by Anthem of any termination rights or rights to pursue a claim for damages arising out of the failure that led to the Flip-Over Rights being exercised. Flip-Over Rights shall mean that Anthem may use its own proprietary tools and/or another website or websites to provide information to Authorized Users as Anthem may determine is reasonably under the circumstances.

6.INVOICING AND PAYMENT; AUDIT.

6.1Payment of Fees and Expenses. Castlight shall invoice Anthem for the fees set forth in each Order Schedule, as applicable (“Fees”). Except for the Fees and expenses agreed to in an applicable Order Schedule and not otherwise incurred in violation of this Agreement (“Expenses”), no other amounts shall be charged by Castlight or payable by Anthem. Neither party shall not have any right of offset against amounts owed to it by the other party.

6.2Invoices. Castlight shall invoice Anthem for all Fees and, if applicable, Expenses via the Anthem Invoice online tool in accordance with the then current requirements at http://www.Anthem.com/business/policies_procedures.aspand as stated in the Procurement Process Technology and Electronic Signatures provisions therein for all invoices less than five hundred thousand dollars ($500,000.00). For all invoices greater than five hundred thousand dollars ($500,000.00), Castlight will retain the right to invoice Anthem directly, not through Anthem’s Procurement Process

Software as a Service (SaaS) Agreement REV. December 2014 Page 9

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Technology, and Anthem will pay Castlight directly.   Castlight will be solely responsible for all expenses associated with transmitting and receiving documents via Anthem’s Procurement Process Technology. Castlight shall not charge Anthem for researching, reporting or correcting errors related to invoices. The invoice date shall not be earlier than the date on which Castlight is entitled to payment under the applicable Order Schedule, or if not specified in the Order Schedule, invoices will be issued monthly in advance. Castlight shall give Anthem at least ninety (90) days prior written notice of any increase in rate. Anthem shall not be responsible for any Fees or Expenses invoiced more than four (4) months after the close of the month to which such fees or expenses relate. Each such invoice shall contain sufficient detail to allow Anthem to identify all Licensed Products and their corresponding Fee.

6.3Payment by Anthem. Upon Acceptance of the Subscription Service and/or Services, in accordance with any acceptance criteria provided in this Agreement and in each applicable Order Schedule and receipt of a correct and undisputed invoice, Anthem shall

(i) pay Fees net fifty (50) days with no discount;

(ii) if applicable, pay Expenses net fifty (50) days with no discount; and

6.4(iii) and pay the amounts in accordance with Anthem’s then-current payment policies (e.g. payment via ACH electronic payment to Castlight’s financial institution per instructions in Anthem’s ACH electronic payment form).

6.5If Anthem in good faith disputes any invoiced amount, Anthem may withhold the disputed amount and Anthem shall pay per the terms of this Agreement any undisputed amounts and will notify Castlight in detail in writing as to the nature of the disputed charges and the reason for Anthem’s disagreement. Castlight shall respond by providing documentation in reasonable detail for the disputed charges. The Parties shall make all reasonable attempts to resolve the dispute as amicably as possible within thirty (30) days. Unless otherwise agreed to by both Parties, invoices which are not sent via the Anthem invoice online tool shall automatically be deemed to be in dispute until the invoice is resubmitted via such online tool.

6.6Record Retention; Audits.

6.6.1Billing Audits. Castlight shall maintain complete, accurate and detailed records regarding all amounts charged to Anthem under this Agreement. Castlight shall retain such records for no less than three (3) years from date of the invoice for such amount charged. Castlight shall allow Anthem and/or its authorized representatives to inspect and conduct audits on such records during normal business hours upon ten business days’ day’s written notice. If discrepancies or questions arise with respect to such records, Castlight shall preserve such records until an agreement is reached with Anthem regarding their disposition. Each Party shall bear its own expenses in conducting the audit and responding to information requests and Castlight shall not pass on such costs (including employee time, overhead, research, copying charges, professional fees, etc.) to Anthem. If an audit reveals that Castlight overcharged Anthem for any Fees, expenses or any other charges under this Agreement for any logically or readily identifiable component of a Service or chargeable material (as examples for illustrative purposes only: such as a greater than an agreed upon hourly rate for one or more personnel providing services, billing in excess of actual hours worked, miscalculation of actual amount of chargeable of supplies consumed, etc.), Castlight shall promptly reimburse Anthem in full for such overcharge(s). If such overcharges exceed five percent (5%) of the Fees, expenses or any other charges under this

Software as a Service (SaaS) Agreement REV. December 2014 Page 10

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Agreement, Castlight shall also promptly reimburse Anthem for all reasonable internal and external audit expenses incurred by Anthem, including the reimbursement for any contingency fees paid by Anthem.

6.6.2SSAE16 Audit Reports. Castlight shall, at Castlight’s expense, have conducted a general (i.e., not Anthem specific) SSAE 16 audit (SOC 2, Type II Statement on Standards for Attestation Engagements) of Castlight annually and provide Anthem with a summary of the results of such audit. In the event the nature of the Services includes transactions processing, then the audit report shall be a SOC 1, Type II , Statement on Standards for Attestation Engagements). The report of the third-party auditors will be solely for the use of Castlight and Anthem, its regulators and its independent accountants and will not be distributed to or used by any other parties unless approved by Castlight, such approval not to be unreasonably withheld. If such report includes any findings that Castlight fails to comply with the SSAE16 requirements, or audit tests results in exceptions, Castlight agrees to remedy such noncompliance. Bridge letters covering the period from the end of the SSAE16 audit period through the end of Anthem’s financial reporting period will also be provided by Castlight upon request by and without cost to Anthem.  Castlight will comply with future guidance relating to SSAE16 as issued by the AICPA, the Securities and Exchange Commission or the Public Company Accounting Oversight Board. Both Parties recognize that the report of the third-party auditor does not constitute a certification or an attestation by Castlight under the Sarbanes-Oxley Act of 2002 or otherwise, but Castlight acknowledges that such report may be relied upon by Anthem and Anthem’s auditors as they deem appropriate.

6.7Performance Audits. Once in each 12 month period, or more frequently if necessary to comply with regulatory or accrediting agencies’ requests or if Anthem has a good faith reasonable belief that Castlight is not in material compliance with this Agreement, Castlight agrees to make available (including providing copies of documents requested by Anthem auditors at no additional expense to Anthem), during normal business hours and upon at least 2 weeks prior notice (unless a shorter period is required for compliance with a request from a regulatory or accrediting agency) Castlight personnel and any and all books, records or other documents in its possession pertaining to the performance of its duties under this Agreement. The foregoing audit rights shall include when applicable, audits of (i) practices and procedures, (ii) security practices and procedures, (iii) disaster recovery and backup procedures, and (iv) other areas necessary to enable Anthem to meet laws applicable to the Services. Such audits and inspections may address Castlight’s performance of the Services and compliance with the provisions of this Agreement The auditors and other representatives of Anthem will be bound by confidentiality obligations related to Castlight Confidential Information no less restrictive than the confidentiality terms hereof; provided that if the auditor or other representative is a third party, Castlight may require a reasonable confidentiality agreement from such third party.

6.8Taxes. Anthem shall pay to Castlight all applicable sales or use taxes assessed by a government authority with respect to Anthem’s use of the Subscription Service and/or Services provided by Castlight under this Agreement, provided that Castlight shall separately itemize such taxes on its invoice(s) to Anthem and that, upon request of Anthem, Castlight shall provide substantiation to Anthem confirming Castlight’s reporting and remittance of such taxes to the appropriate government entity. To the extent Anthem has timely paid Castlight for any sales or use type tax, Castlight shall indemnify, defend, and hold Anthem harmless for any such tax, and any related penalties and interest arising from any failure of Castlight to timely report and remit such tax. Anthem shall not be liable for the payment of taxes imposed upon Castlight or upon Castlight’s personnel resources, including state and federal income taxes, franchise taxes, Social Security taxes, welfare taxes, unemployment contributions, disability insurance, training taxes and any prepayments, estimated payments, reports, or withholdings required for such taxes.

Software as a Service (SaaS) Agreement REV. December 2014 Page 11

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

6.9No Effect of Payment on Castlight’s Other Obligations. Any payment by Anthem shall in no way affect Castlight’s obligations under this Agreement and shall not be construed as acceptance by Anthem of any Subscription Service or as a waiver of any of Anthem’s rights.

7.TERM AND TERMINATION; TRANSITION ASSISTANCE.

7.1Agreement. The initial term of this Agreement (the “Initial Term”) shall begin on the Effective Date and shall end three (3) years thereafter unless earlier terminated in accordance with this Agreement; provided however, that the Term shall be extended to the last completion date of any Order Schedule(s) then in effect if such Order Schedule(s) have specified a term longer than the Term stated above. Following the Initial Term of this Agreement, this Agreement shall automatically renew for an additional one year term (each a “Renewal Term”) unless either Party provides the other Party with written notice of non-renewal at least one hundred eighty (180) days prior to the end of the Initial Term or any Renewal Term. Each Party agrees to commence good faith negotiations on changes to the terms (excluding pricing for the Core Transparency Functionality) at least 90 days prior to the expiration of the Initial Term and any Renewal Term unless otherwise agreed to by the Parties.

7.2Order Schedules. Each Order Schedule is an independent obligation of the Parties, and each Order Schedule if not entered into as of the Effective Date shall commence as of the commencement date set forth in (or if not specified, as of the date last set forth in the signature area of ) the relevant Order Schedule.

7.3Termination for Breach. Either party may terminate this Agreement and any Order Schedule (in whole or in part) by providing the other party with not less than sixty (60) days' prior written notice in the event the other party materially breaches any provision of this Agreement. The notice must specify the nature of said material breach. The breaching party shall have sixty (60) days from receipt of the notice to correct the material breach. If the breaching party fails to cure the material breach within the sixty (60) day period, the non-breaching party may terminate this Agreement, effective upon completion of the aforementioned sixty (60) day notice period.

7.4Additional Termination Rights for Breach. In the event any material breach by either Party that creates a material violation of law, non-compliance with any of the organizations in which such Party or its Affiliate holds an accreditation or a situation whereby either Party is in significant jeopardy as to its ability to perform under this Agreement, then the non-breaching Party may give ten (10) business days’ notice of the material breach to the other Party. If the breaching Party fails to cure the material breach within such ten (10) business day period, the non-breaching Party may terminate this Agreement effective at the end of the ten (10) business days, notwithstanding any other provision in this Agreement.

7.5Termination Due to Insolvency. Either Party may terminate this Agreement or any Order Schedule immediately upon the occurrence of any of the following events with respect to the other Party: (a) the other Party becomes insolvent, generally unable to pay its debts as they become due, or makes an assignment for the benefit of its creditors or seeks relief under any bankruptcy, insolvency or debtor’s relief law; (b) if proceedings are commenced against the other Party under any bankruptcy, insolvency or debtor’s relief law, and such proceedings have not been vacated or set aside within sixty (60) days from the date of commencement thereof; (c) a receiver is appointed for the other Party or its material assets; or (d) if the other Party is liquidated, dissolved or ceases operations.

Software as a Service (SaaS) Agreement REV. December 2014 Page 12

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

7.6Termination Upon Competitor Change of Control of Castlight. Upon a Competitor Change in Control of Castlight (as defined below), Anthem may at its option, terminate this Agreement, by giving Castlight at least thirty (30) days’ prior written notice and designating a date upon which such termination will be effective without the payment of any early termination fees, wind-down charges or similar costs, and Castlight will make a one-time payment to Anthem to cover actual switching costs up to ten million dollars ($10,000,000.00) of moving to another solutions supplier. Any such notice must be given with forty five (45) days following the later of Castlight’s provision of written notice to Anthem of, or, if Castlight fails to give such notice, the date on which Anthem learns of such Competitor Change in Control For this purpose, “Competitor Change in Control” and its derivatives means a transactions in which a Competitor (as defined on Exhibit O has obtained the legal, beneficial or equitable ownership, directly or indirectly, of at least (50.01%) of the aggregate of all voting equity interests in an entity or equity interests having the right to at least 50.01% of the profits of Castlight or, in the event of dissolution, to at least 50.01% of the assets of an entity and, if Castlight is a partnership, also includes the holding by an entity of the position of sole general partner in Castlight.

7.7Termination for Convenience. Subsequent to the expiration of the Initial Term, either Party may terminate this Agreement, including any and all Order Schedules, for its convenience on one hundred eighty (180) calendar days prior written notice to the other Party without payment of an early termination fee or similar charges.

7.8Effect of Termination or Expiration.

7.8.1In the event that Anthem terminates an Order Schedule pursuant to the terms contained herein Anthem may, in its sole discretion, simultaneously terminate other Order Schedules that are materially and adversely affected by such termination or expiration. Notwithstanding the foregoing, the termination of a particular Order Schedule shall not result in the termination of the Agreement unless such termination explicitly provides for termination of the entire Agreement between the Parties. However, termination of the Agreement shall serve to terminate all Order Schedules unless such notice of termination specifies otherwise. All Sections identified as surviving the termination of an Order Schedule, as well as Sections 6.5 (Record Retention), 8 (Security), 9 (Confidentiality) 12 (Intellectual Property Ownership), 13 (Indemnification), 14 (Limitation of Liability) and 17 (Dispute Resolution) inclusive, shall survive the expiration or termination of the Agreement.

7.9Transition Assistance. At Anthem's request, commencing upon the termination of this Agreement or any Order Schedule hereunder, or other discontinuation of a component of the Services, for any reason, Castlight shall provide up to one-hundred eighty (180) days of assistance to Anthem for transition of the Services to Anthem or a third-party designee of Anthem. Such termination assistance shall be rendered at $150 per hour. In the event Castlight terminates the Agreement or an Order Schedule for Anthem’s uncured material breach, Anthem shall pre-pay for applicable transition assistance. Within ten (10) calendar days of Anthem’s request for transition assistance, the Parties shall meet to develop a transition plan. Such transition plan and transition assistance may include, by way of example: detail of Castlight’s then-current responsibilities for Anthem; and cooperation sufficient to assure a smooth transition and to enable Anthem or its designee to provide services similar to the Services with minimal disruption to Anthem’s business and operations. The Parties may provide for different transition assistance responsibilities, timing and payment schedules in an Order Schedule.

8.SECURITY.

Software as a Service (SaaS) Agreement REV. December 2014 Page 13

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

8.1General. Castlight shall implement reasonable security measures to prevent unauthorized access to the Castlight System, Subscription Service, Anthem Data and other Anthem Confidential information and content under Castlight’s control. Such measures shall in no event be less stringent than those used to safeguard Castlight’s own property. Such measures shall include, where appropriate, use of updated firewalls, virus screening software, logon identification and passwords, encryption, intrusion detection systems, logging of incidents, periodic reporting, and prompt application of current security patches, virus definitions and other updates. In no event shall Castlight make less stringent its security procedures, other procedures, policies or controls currently in place without the prior written agreement to such modifications by Anthem. Anthem reserves the right to terminate the Agreement, in its sole discretion and without limitation or termination liability, if Anthem reasonably determines that Castlight fails to meet its obligations under this Section. Castlight shall notify Anthem within 24 hours (a) of any breach of the security of the Castlight System or Subscription Service, (b) if the security of the Anthem Data is compromised in any way, or (c) of any unauthorized disclosure of the Anthem Data. Castlight shall cooperate with Anthem in any investigation of the foregoing and shall provide Anthem with any copies of reports of Castlight’s investigation into, or remedial efforts with respect to, any of the foregoing.

8.2Limited Access. To the extent made accessible to Castlight, Castlight shall, at all times, limit access to Anthem Data and Anthem Confidential information to those employees or subcontractors that have an actual need to access such data for purposes of providing the Services. Prior to gaining access to Anthem Data or Anthem Confidential information, Castlight shall require all employees or subcontractors to comply with confidentiality, security and intellectual property provisions no less stringent than the provisions set forth in this Agreement and, at Anthem’s request, have an officer certify in writing it has done so.

8.3Notification of Security Breaches. Castlight shall within 24 hours notify Anthem should it discover any breach of the Anthem Data and will immediately coordinate with Anthem to investigate and remedy such breach(es) in a diligent and timely manner. Except as may be strictly required by applicable law, Castlight agrees that it will not inform any third party of any such security breach, without Anthem’s prior written consent; however, if such disclosure is required by applicable law, Castlight agrees to work with Anthem, at no additional cost to Anthem, regarding the content of such disclosure so as to minimize any potential adverse impact upon Anthem and its members.

8.4Access to Anthem Systems. If Castlight is given access, whether on-site or through remote facilities, to any Anthem computer or electronic data storage system, in order for Castlight to perform any of its obligations hereunder, Castlight shall limit such access and use solely to perform such obligations and will not attempt to access any computer system, electronic file, software or other electronic services other than those specifically required to perform the obligations. Castlight shall limit such access to those of its personnel with an express requirement to have such access in connection with this Agreement or the applicable Order Schedule, shall advise Anthem in writing of the name of each such personnel who will be granted such access (and identifying whether each is an employee or subcontractor of Castlight), and shall strictly follow all requirements noted in the Castlight Code of Conduct and/or any other Anthem policy (including without limitation the Anthem Information Security Policy and the Required Information Security Controls, attached hereto as Exhibit H), as made available to Castlight, regarding the use of Anthem’s electronic resources and systems. All user identification numbers and passwords disclosed to Castlight and any information obtained by Castlight as a result of Castlight’s access to, and use of, Anthem computer and electronic storage systems shall be deemed to be, and shall be treated as Confidential information (under applicable provisions of this Agreement. Castlight shall cooperate with Anthem in the investigation of any apparent unauthorized access by Castlight to Anthem computer or electronic data storage systems or unauthorized release of Confidential information

Software as a Service (SaaS) Agreement REV. December 2014 Page 14

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

by Castlight. Castlight’s access shall be subject to such other business control and information protection policies, standards, and guidelines as may be provided to Castlight by Anthem from time to time. Any other use by Castlight of any other Anthem assets or property or systems is strictly prohibited. Castlight warrants and agrees that its personnel will not remotely access Anthem’s system from a networked computer unless the network is protected from all third party networks by a firewall that is maintained with all patches up to date by a 7x24 administrative staff. Said firewall must be certified by the International Computer Security Association (ICSA) (or an equivalent certification as determined by Anthem) if the connection to Anthem’s network is an ongoing connection such as frame relay or T1 line.

9.CONFIDENTIALITY AND DATA USE.

9.1HIPAA, Medicare, FEP, Medicaid. The provisions set forth in this Section 9 are in addition to and not in lieu of any confidentiality, privacy, security and other requirements imposed on Castlight if Exhibit A (Business Associate Addendum), Exhibit B (Federal Government Services Addendum for Non-Commercial Items), Exhibit C (Medicare Compliance Specialty), Exhibit D (Federal Government Services Addendum for Commercial Items), Exhibit F (Medicaid Requirements), Exhibit H (Required Information Security Controls) and/or Exhibit I (Qualified Health Plans) are included among the Exhibits that form part of this Agreement.

9.2Confidential information.

9.2.1During the Term, a Party (the “Receiving Party”) may be exposed to or acquire information regarding the business, projects, operations, finances, activities, affairs, research, development, products, technology, technology architecture, business models, business plans, business processes, marketing and sales plans, customers, finances, personnel data, health plan rating and reimbursement formulas, computer hardware and software, computer systems and programs, processing techniques and generated outputs, intellectual property, procurement processes or strategies or providers of the other Party or their respective directors, officers, employees, agents or clients (collectively, the “Disclosing Party”), including, without limitation, any idea, proposal, plan, procedure, technique, formula, technology, or method of operation (collectively, “Confidential information”). With respect to Anthem only, Confidential information shall include all Anthem Data and all Confidential information of Anthem Affiliates.

9.2.2In the case of Anthem, “Confidential Information” shall expressly include the following types of information:

9.2.2.1Anthem’s proprietary information consisting of non-public, trade secret, commercially valuable, or competitively sensitive information or other material and information relating to products, projects, operations, customers, finances, business, affairs, or activities, including but not limited to: (i) information about systems, technologies, procedures, methodologies, and practices used in performing its services; and (ii) financial information, market analyses and forecasts, sales and marketing research, proposed products or services, provider and beneficiary demographics, and customer lists and other customer-specific information; (iii) information about provider networks, provider negotiated fees, provider discounts, and provider contract terms (including combinations of data elements that could enable such information to be derived, calculated, or reverse-engineered); and (iv) information about activities such as underwriting, claims processing, claims payment, and health care management.

9.2.2.2Information that Anthem is obligated by law or contract to protect, including without limitation: (i) Social Security Numbers; (ii) provider tax identification numbers (TINs);

Software as a Service (SaaS) Agreement REV. December 2014 Page 15

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

(iii) National Provider Identification Numbers (NPIs); (iv) provider names, provider addresses, and other identifying information about providers; and (v) drug enforcement administration (DEA) numbers, pharmacy numbers, and other identifying information about pharmacies.

9.2.3 In the case of Castlight, “Confidential Information” shall expressly include the following types of information:

9.2.3.1Castlight’s proprietary information consisting of non-public, trade secret, commercially valuable, or competitively sensitive information or other material and information relating to products, projects, operations, customers, finances, business, affairs, or activities, including but not limited to: (i) information about systems, technologies, procedures, methodologies, and practices used in performing its services; and (ii) financial information, market analyses and forecasts, sales and marketing research, proposed products or services, provider and beneficiary demographics, and customer lists and other customer-specific information;.

9.2.4Confidential information shall not include any information that a Party can demonstrate: (i) was in the public domain at the time of disclosure to such Party; (ii) was published or otherwise became part of the public domain after disclosure to such Party through no fault of such Party; (iii) was previously disclosed to such Party without a breach of duty owed to the other Party by a third-party who had a lawful right to such information; or (iv) was independently developed by such Party without reference to Confidential information of the other Party.

9.2.5In addition, either Party may disclose Confidential information to the extent disclosure is based on the good faith opinion of such Party’s legal counsel that disclosure is required by law or by order of a court or governmental agency; provided that, the Party that is the recipient of such Confidential information shall give prompt notice to the Disclosing Party, use all commercially reasonable efforts to maintain the confidentiality of the Confidential information, and cooperate with the owner of such Confidential information, in efforts to protect the confidentiality of such Confidential information by an appropriate protective order. The owner of such Confidential information reserves the right to obtain a protective order or otherwise protect the confidentiality of such Confidential information. Each Party shall be responsible for its own costs with respect to the performance of its obligations under this Section. Either Party may disclose the existence of this Agreement and the terms of this Agreement to the extent required to enforce its terms or the rights of such Party hereunder or to comply with its legal obligations (but in the event either Party files this Agreement or portions thereof with any public agency it shall redact sensitive portions hereof, to the mutual written agreement of the other Party, which agreement shall not be unreasonably withheld or delayed).

9.2.6Anthem Non-Disclosable Information. With respect to Anthem only, Confidential information shall also include the following: (i) PHI and NPFI; (ii) other medical information and personal information regarding Anthem’s or its Affiliates’ health plan members, employees, or medical or hospital service providers; (iii) other information that Anthem or its Affiliates are required by law, regulation or company policy to maintain as confidential; (iv) other financial information concerning Anthem’s or its Affiliates’ health plan members, employer groups and other health plan groups or medical or hospital service providers that is disseminated by Anthem or its Affiliates internally for staff use; (v) personnel and payroll records, patient accounting and billing records, and information contained in those records; (vi) Anthem’s or its Affiliates’ trade secrets; and (vii) information that could aid others to commit fraud, sabotage or otherwise misuse Anthem’s or its Affiliates’ products or services or damage their business, including without limitation Exhibit H attached

Software as a Service (SaaS) Agreement REV. December 2014 Page 16

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

hereto and other Anthem security policies (collectively, the “Anthem Non-Disclosable Information”). Due to the sensitive nature of the Anthem Non-Disclosable Information and due to Anthem’s obligations to maintain the privacy of its customers and providers, Castlight acknowledges and agrees that Anthem Non-Disclosable Information shall at all times remain confidential and shall not be subject to exceptions, except as set forth in the BAA.

9.2.7General Obligations. Each Party agrees to hold the Confidential information of the other Party in strict confidence, to use such information in the course of performing its obligations hereunder, and to make no disclosure of such information except as authorized in accordance with the terms of this Agreement. To the extent a Party may be exposed to the Confidential information of a third party (for example, because Castlight may be maintaining Anthem systems on which third party software is loaded), the Parties agree to accord such third party Confidential information the same protections accorded a Party’s Confidential information hereunder. A Party may disclose Confidential information to its personnel and the personnel of its subcontractors who have an absolute need to know such Confidential information in order to fulfill its obligations hereunder and who have previously executed a written confidentiality agreement imposing confidentiality obligations no less restrictive than those applicable hereunder.In addition, either Party may disclose Confidential information of the other Party to third party professional advisors  (including accountants, auditors, attorneys, financial or other advisors) which are acting solely for the Party’s benefit and on such Party’s behalf, provided: (i) such professional advisors have previously executed a written confidentiality agreement imposing confidentiality obligations no less restrictive than those applicable hereunder; (ii) such professional advisors have a need to know such information in order to provide advice or services to the disclosing Party and agree to use the disclosing party’s Confidential information solely for the purpose of providing such advice or services; (iii) such professional advisors agree not to disclose the Confidential information to any other party without the disclosing Party’s prior written consent; and (iv) notwithstanding anything to the contrary, no Anthem Non-Disclosable Information is disclosed by the other Party to its professional advisors. Each Party shall be primarily responsible and liable for any confidentiality breaches by its personnel and the personnel of its subcontractors. Each Party shall immediately advise the other Party of any actual or potential violation of the terms of this Section 10, and shall reasonably cooperate with the Disclosing Party in relation thereto.

9.2.7.1Castlight shall not, without Anthem’s advance written consent: (i) use or display Anthem’s Confidential Information, or reports or summaries arising therefrom, for any other purpose; (ii) except as permitted by subsection 9.2.7.2 combine Anthem’s Confidential Information with other data to create or add to an aggregated database for use in producing information, analyses, reports, extracts, or summaries; (iii) combine Anthem’s Confidential Information provided under the terms of this Agreement with Confidential Information provided to Castlight by Anthem under other agreements entered into between Anthem and Castlight for other purposes, if any; (iv) sell or disclose Anthem’s Confidential Information to any other person or entity, including without limitation affiliates of Castlight, except as expressly permitted herein; or (v) except to provide the Services, use Anthem’s Confidential Information for its own internal use and analysis.

9.2.7.2Permitted Aggregation of Health Plan Confidential Information. Castlight may add Anthem’s Confidential Information to its aggregated database, and, in addition to the permitted uses of such De-identified Information (as defined herein) from such database as are set forth in other operative agreements between Anthem and Castlight, may use and disclose such De-identified Information to provide the Services. For purposes of this provision, “De-identified Information” means information that:

Software as a Service (SaaS) Agreement REV. December 2014 Page 17

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

i.Has been de-identified in accordance with the specifications and requirements set forth in HIPAA, specifically 45 C.F.R. Part 164.514(a)-(c); and

ii.Has been stripped of any identifier(s) that could directly or indirectly be used to identify: (i) an employer, trade group, union, healthcare purchasing coalition, or other healthcare purchaser; or (ii) an insurance company, health maintenance organization, health plan, third party administrator, or other healthcare payor.

9.2.7.3BCBSA Permitted Aggregation. If the BCBSA revises the BCBSA Requirements regarding data aggregation such that aggregation across Blues is permitted, the Parties will meet and discuss in good faith whether such aggregation may improve the experience of an Authorized User under any then existing SOF of using the applicable Castlight Services, and the timing and actual and substantiated implementation charges by Castlight to Anthem of achieving any such improved Authorized User experience of the applicable Castlight Services.

9.2.8Continuing Obligations. A Party’s obligation to maintain the confidentiality of Confidential information shall remain in force until information falls within one of the exceptions noted in Section 9.2.2. Castlight’s obligation to maintain the confidentiality of Anthem Non-Disclosable Information shall neither terminate nor expire.

9.2.9Destruction of Confidential information. Promptly following written notice upon expiration or termination of the entire Agreement or of an Order Schedule (with regard to the Confidential information disclosed under the Agreement or through such Agreement or Order Schedule, as the case may be) and the applicable transition assistance period, the Receiving Party shall destroy within 45 days (but 135 days for information stored on backup media) all (or, if the Disclosing Party so requests, any part) of the Confidential information, and all copies, summaries and redactions thereof and other materials containing such Confidential information, including deletion from such Party’s files and systems and the Receiving Party shall certify in writing its compliance with the foregoing. Notwithstanding the foregoing, except for PHI or NPFI (which shall be promptly destroyed), each Party may, subject to the obligations of confidentiality as described in this Section 9, retain (i) one (1) copy of the other Party’s Confidential information for archival purposes only, but such retained Confidential information shall only be accessed by the retaining Party on a limited need basis to, for example, defend a claim by the other Party or for auditing purposes and (ii) reasonable archival records of payments, invoices and similar information for tax compliance, regulatory compliance, accounting, audit or similar purposes but only for the period of time required by this Agreement or applicable law; in each instance, all such retained Confidential information shall remain the Confidential information of the Disclosing Party and shall be subject to all of the restrictions contained in this Agreement.

9.3Injunctive Relief. Each Party acknowledges that in the event of a breach of this Section 9 damages may not be an adequate remedy and the Disclosing Party may be entitled to seek, in addition to any other rights and remedies available under the Agreement or at law or in equity, injunctive relief to restrain any such breach, threatened or actual, without proof of irreparable injury and without the necessity of posting bond even if otherwise normally required.

10.INSURANCE.

10.1Minimum Requirements. Castlight shall, at all times during the term of this Agreement keep in force with insurers with an A.M. Best rating of A- or better:

Software as a Service (SaaS) Agreement REV. December 2014 Page 18

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

10.1.1Commercial General Liability insurance with a limit of $1,000,000 per occurrence and $2,000,000 in the aggregate for bodily injury and property damage to include personal injury and contractual liability coverage;

10.1.2Business Automobile Liability insurance with a $1,000,000 per occurrence combined single limit for non-owned and hired automobiles;

10.1.3Workers’ Compensation coverage with statutory limits and employers liability insurance with a $1,000,000 limit;

10.1.4Errors and Omissions insurance with a $1,000,000 limit for each wrongful act and aggregate of $3,000,000, including an extended reporting period endorsement (“tail policy”) for the term of three years in the amount of not less than $1,000,000 per claim if professional services are being rendered;

10.1.5Employee Fidelity Bond with a limit of $500,000; and

10.1.6Network Security and Privacy liability coverage with a $1,000,000 aggregate limit if Castlight has access to Anthem systems or PHI or Personally Identifiable Information; and

10.1.7Umbrella Liability Coverage with a $5,000,000 limit.

The forgoing coverage amounts, with the exception of the Umbrella Liability coverage, may be met in part by an appropriate umbrella or excess liability policy.

10.2Any materials or equipment brought on jobsite shall be insured under an all risk property insurance policy and shall be the sole responsibility of Castlight.

10.3Castlight agrees that any subcontractors coming on the jobsite shall maintain workers’ compensation insurance coverage. Castlight is solely responsible and liable for its subcontractors and any actions or inactions, damages or injuries by or to its subcontractors.

10.4Proof of Insurance; Notice of Cancellation. Castlight shall, prior to execution of this Agreement, provide to Anthem certificates of insurance indicating the coverage required, naming Anthem as an additional insured under the commercial general liability, and containing a waiver of subrogation with respect to Anthem for commercial general liability and workers’ compensation. Also, when applicable, under its commercial crime coverage program, Castlight will name Anthem, Inc. as Loss Payee to the extent their interests may appear. Anthem shall be the certificate holder. Promptly upon Anthem’s written request for same, Castlight shall cause its insurers or insurance brokers to issue certificates of insurance evidencing that the coverages required under this Agreement are maintained and in force. In addition, Castlight will use reasonable efforts to give thirty (30) days prior written notice to Anthem prior to cancellation or non-renewal of any of the policies providing such coverage; provided, however that Castlight shall not be obligated to provide such notice if, concurrently with such cancellation or non-renewal, Castlight provides self-insurance coverage as described below or obtains coverage from another insurer meeting the requirements described above.

10.5Castlight Right to Self-insure Coverage. Notwithstanding the foregoing, Castlight reserves the right to self-insure coverage, in whole or in part, in the amounts and categories designated

Software as a Service (SaaS) Agreement REV. December 2014 Page 19

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

above, in lieu of Castlight’s obligations to maintain insurance as set forth above, at any time. A qualified self-insurance program will include the following: Actuarially validated reserve adequacy for incurred claims, IBNR claims and future claims based on past experience; Designated Claim TPA or appropriately licensed and employed claims professional or attorney; Excess Insurance/Re-insurance above self insured layer; Self insured retention and insurance combined must meet minimum limit requirements; and Evidence of Surety Bond, Reserve or LOC as collateral for the self-insured limit. Promptly upon Anthem’s written request for same, Castlight shall deliver certificates of insurance to confirm what coverage is in place. This section does not replace or otherwise amend, in any respect, the limitations on Castlight’s liability as set forth elsewhere in this Agreement. Failure to maintain the required insurance coverage shall be deemed a material breach of the Agreement by Castlight. If Castlight fails to keep in effect the insurance coverage required, Anthem may, in addition to and cumulative with any other remedies available at law, equity, or hereunder, acquire such insurance and deduct the cost thereof from its payment of any amounts owed Castlight hereunder or terminate this Agreement for cause.

11.REPRESENTATIONS, WARRANTIES, AND COVENANTS.

11.1General Warranties of Both Parties

11.1.1Compliance with Laws. Each Party shall at all times comply with all applicable laws, rules and regulations in the performance of this Agreement.

11.1.2Existence. Each party is duly organized and existing and is in good standing and is qualified to do business under the laws of any jurisdiction where the ownership of assets or conduct of its business require it to be so qualified, and each party possesses any and all licenses and/or governmental approvals required to perform the Services and/or to provide the Subscription Service contemplated by this Agreement, and is qualified to perform such Services and/or provide such Subscription Service.

11.1.3Duly Authorized. Each party’s execution, delivery and performance of this Agreement has been duly authorized by all appropriate corporate action and this Agreement constitutes a valid, binding and enforceable obligation.

11.1.4No Conflict. Neither the execution, delivery, nor performance of this Agreement will conflict with or violate any other agreement, license, contract, instrument or other commitment or arrangement to which either party is a party or is bound.

11.1.5No litigation. There is no litigation, and neither Party knows of any material threat of litigation, in each case that will affect the performance of its obligations hereunder.

11.1.6Compliance with Laws and Regulations. Each Party shall perform its obligations hereunder in accordance with all applicable law and regulations, and shall be responsible for obtaining all licenses, authorizations, permits and the like required by applicable laws and regulations, and any fees, costs or expenses incurred by such Party shall be borne solely by such Party. Each Party shall be solely responsible for any fines and penalties imposed on it or the other Party resulting from such Party’s failure to comply with any such applicable laws and regulations.

11.1.7Data Quality Governance. Anthem and Castlight will establish a data quality governance and escalation process, to include senior technical leadership from each organization.

Software as a Service (SaaS) Agreement REV. December 2014 Page 20

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

11.2Castlight’s Representations, Warranties and Covenants.  Castlight hereby represents, warrants and covenants:

11.2.1No Material Defects; Conformity with and Completeness of Documentation. The Castlight System, Subscription Service and/or Services to be provided shall be free from material errors or other material defects; and shall substantially conform to the Documentation. The Documentation and other materials describing the Services and/or Subscription Service hereunder completely and accurately reflect their operation and functionality.

11.2.2All Rights; No infringement. Castlight has all rights and authorizations necessary to grant access and use rights to the Castlight System and the Subscription Service, and to perform any Services as contemplated herein. Further, if applicable, Castlight shall pass through to Anthem any software and third party end-user warranties and indemnities relating to the Subscription Services. To the extent Castlight is not permitted to so pass-through, Castlight agrees to enforce such warranties and indemnities on behalf of Anthem. The Castlight System, the Subscription Service, and all elements thereof to be provided by Castlight, and any Services performed by Castlight, will not violate, misappropriate or infringe upon any Intellectual Property right of any person or entity; and there are no claims of any third party against Castlight relating to any Intellectual Property that is the subject of, to be provided under, or to be used directly or indirectly pursuant to this Agreement.

11.2.3Performance. To the extent Castlight is performing Services, at all times during the performance of such Services, Castlight has and will maintain the experience and skill to perform the Services required to be performed by it hereunder and will perform such Services in a timely, workmanlike manner. At a minimum, Castlight will maintain staffing levels and continuity of personnel consistent with its obligations to perform the Services hereunder and in the event of a delay or other problem, Castlight will train and staff additional personnel as needed.

11.2.4Personnel Qualifications. Each of Castlight’s personnel assigned to perform Services or any other obligations under the Agreement shall have the proper skill, training and background so as to be able to perform in a competent and professional manner and all work will be so performed.

11.2.5Castlight’s Employees. Castlight shall perform all obligations of an employer with respect to all personnel hired by Castlight in connection with any Services to be provided, if any, including, but not limited to the withholding and reporting of contributions, insurance deductions and applicable taxes (including payroll and unemployment insurance taxes) required by applicable law.

11.2.6Subscription Service Functionality. The Subscription Service will accept input, perform processes, and provide output in a manner that is consistent with all applicable specifications.

11.2.7Government Programs; Ineligible Persons. Neither Castlight nor its employees, subcontractors or agents providing Services or Products under this Agreement has been, nor shall be during the term of this Agreement, (i) excluded from participation in the Medicare, Medicaid and/or any state health care program; (ii) listed on any General Services Administration List of parties Excluded from Federal Procurement and Non-procurement Programs; (iii) sanctioned by the United States Department of Health and Human Services, Centers for Medicare and Medicaid Services, Office of Inspector General, or any other federal agency; and (iv) under a corporate integrity agreement with the United States

Software as a Service (SaaS) Agreement REV. December 2014 Page 21

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Department of Health and Human Services, Office of Inspector General, or any other federal agency; in the event Castlight or any employees, subcontractors or agents thereof becomes an ineligible person after entering into this Agreement or otherwise fails to disclose its ineligible person status, Castlight has an obligation to (i) immediately notify Anthem of the person’s status as an ineligible person and (ii) within ten (10) days of Castlight receiving such notice, Castlight will remove such individual from responsibility for, or involvement with, Castlight’s business operations related to the federal government healthcare contracts. Anthem shall have the right to immediately terminate this Agreement or applicable Order Schedule in the event it receives notification of the person’s ineligible person status. Castlight also covenants and represents that it complies with the rules set forth by the Office of Foreign Assets Control of the United States Department of Treasury.

11.2.8Criminal Convictions. Neither Castlight nor its employees, subcontractors or agents has been, nor shall be during the Term, convicted of a criminal offense related to the delivery of an item or service under Medicare, Medicaid and/or under any state health care program.

11.2.9Location of Work. All such locations shall be in the United States and at no other location, unless otherwise agreed in writing by Anthem in advance in each instance. Anthem agrees to the locations set forth on Exhibit N.

11.2.10Warranty against Harmful Code. Castlight warrants that it will use commercially reasonable efforts to ensure that the Subscription Service will not relay computer viruses or other harmful code to the network or computing environment of Anthem of its Affiliates. If the foregoing warranty is breached, then in addition to any other remedies available to Anthem, Castlight shall at its expense: (a) reimburse Anthem for all costs (including personnel costs) incurred by Anthem in restoring all data lost as a result of the breach and/or removing such harmful code; and (b) if requested by Anthem, provide and install a new copy of the Subscription Service without the presence of the code that caused the breach.

11.2.11Electronic Self-Help. Except for termination by Castlight in accordance with Article 7 above or as provided in the last sentence of Section 17.4 (Continued Services; Enforcement) (and in either case this Section 11.2.11 shall not apply), Castlight agrees that in the event of any dispute with Anthem regarding an alleged breach of this Agreement or for any other reason, Castlight will not use any type of electronic means to prevent or interfere with Anthem’s use of the Castlight System or any Subscription Service under this Agreement or any Order Schedule without first obtaining a valid court order authorizing same. Anthem shall be given proper notice and an opportunity to be heard in connection with any request for such a court order. Castlight understands that a breach of this provision could foreseeably cause substantial harm to Anthem and to numerous third parties having business relationships with Anthem. No limitation of liability shall apply to a breach of this paragraph.

11.2.12Compliance with Foreign Corrupt Practices Act. Castlight and its subsidiaries, affiliates, directors, officers, shareholders, employees, representatives and agents have not and shall not, during the term of this Agreement, in connection with the transactions contemplated by this Agreement or in connection with any other business transactions involving Anthem, make, or offer to make, payments of money or anything of value, directly or indirectly, to a Foreign Official, as that term is defined in the Foreign Corrupt Practices Act (FCPA), for the purpose of obtaining or retaining business in violation of the FCPA.

Software as a Service (SaaS) Agreement REV. December 2014 Page 22

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

11.2.13Certain Employment Obligations. When Castlight provides services or goods to Anthem relating to one of its federal contracts, Castlight agrees to comply with the following federal regulations, as applicable: Castlight shall abide by the requirements of 41 CFR §§ 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, protected veteran status or disability.

11.2.14Website Accessibility Standards. To the extent that Castlight is providing development, design and/or maintenance of any electronic and information technology, including, without limitation, any consumer facing web and mobile experiences, Castlight shall ensure that all such electronic and information technology meets, to the extent possible, the accessibility requirements set forth in Section 508 of the Rehabilitation Act (29 USC 794(d)), the related Technical Standards issued by the Architectural and Transportation Barriers Compliance Board (aka the “Access Board”), success level AA or higher of the most current Web Content Accessibility Guidelines issued by the Worldwide Web Consortium, and any other federal or state law which requires specific design elements to accommodate disabled individuals.

11.2.15Certification of Compliance. Once in each 12 month period, upon request by Anthem, Castlight shall provide Anthem with reasonable assurances of Castlight’s compliance with the terms of this Agreement and any Exhibit(s). Reasonable assurances may include, but are not limited to, Castlight’s signed certification of such compliance, as it applies to certain requirements, and/or the Agreement or Exhibit(s) generally.

11.3Anthem’s Representations and Warranties. Anthem hereby represents and warrants that (i) it shall not modify, translate, reverse engineer, decompile or disassemble the Subscription Service, other than to the extent Castlight is required by law to permit Anthem to do so; and (iii) it shall use the Subscription Service in compliance with applicable laws, rules and regulations.

11.3.1All Rights; No infringement. Anthem has all rights and authorizations necessary to grant access and use rights to Anthem Data, as contemplated herein. The Anthem Data and all elements thereof to be provided by Anthem, will not violate, misappropriate or infringe upon any Intellectual Property right of any person or entity; and to the best of Anthem’s knowledge, there are no claims of any third party against Anthem relating to any Anthem Data that is the subject of, to be provided under, or to be used directly or indirectly pursuant to this Agreement.

11.3.2 Anthem Data Quality. Anthem represents that Anthem Data shall be at least the same quality as the data that Anthem uses for its own internal purposes.

11.4Disclaimer of Warranties. EXCEPT FOR THE EXPRESS WARRANTIES MADE OR REFERENCED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY OR OF FITNESS FOR A PARTICULAR PURPOSE.

11.5Certain Warranty Remedies. Should Anthem be prevented from using the Castlight System, Subscription Service or receiving any Service due to a breach of the aforementioned warranties by Castlight, and in addition to all other obligations and remedies herein, Castlight shall at its expense,

Software as a Service (SaaS) Agreement REV. December 2014 Page 23

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

and in addition to any other rights or remedies available to Anthem under the Agreement, at law or in equity, promptly remedy the non-compliance Should Castlight be prevented from providing the Castlight System, Subscription Service or providing any Service due to a breach of the aforementioned warranties by Anthem, and in addition to all other obligations and remedies herein, Anthem shall at its expense, and in addition to any other rights or remedies available to Castlight under the Agreement, at law or in equity, promptly remedy the non-compliance

12.INTELLECTUAL PROPERTY OWNERSHIP

12.1Overview of Materials and Ownership.The performance of Castlight Services may require use of and/or access to intellectual property owned or created (a) by Anthem, (b) by Castlight independent of its obligations to Anthem, or (c) by Castlight (either independently or in cooperation with Anthem) pursuant to its obligations under this Agreement. This Section 12 - Ownership -sets forth the Party’s respective intellectual property rights of such materials.

12.2Anthem Materials.In the course of Castlight’s provision of Castlight Services, Anthem may provide to Castlight Anthem’s proprietary information and/or Intellectual Property, including, but not limited to, technical data, creative designs and concepts, web designs, trade secrets and know-how, customer or vendor lists and information, business plans, software, algorithms, programming techniques, business rules, business methods, inventions, drawings, engineering, hardware configuration information, marketing and strategic plans, financial data, processes, technology and designs which it maintains (the “Anthem Materials”). As between the parties, Anthem shall own all rights, title, and interest in and to: (1) the Anthem Materials and (2) any and all Anthem Data. In addition, all Anthem Material shall be deemed Confidential Information subject to Section 8 (Security) Security and Section 9 (Confidentiality) - herein. Anthem hereby grants Castlight a perpetual (during the term of this Agreement), revocable (to the extent of termination rights in this Agreement), royalty-free (subject to any payment obligations herein), fully paid-up, non-transferable (except to permitted Castlight assignees hereunder), non-sublicensable, non-exclusive, worldwide license to use, the Anthem Data and Anthem Materials to the extent necessary in a manner consistent with its intended use as set forth in this Agreement and only during the term of this Agreement. Except in accordance with this Section 12.2 and Section 12.4 below, Anthem does not grant Castlight any interests in, or ownership of, any of the Anthem Data or Anthem Materials and all rights not expressly granted are reserved by Anthem in Anthem Data and Anthem Materials. The parties recognize that Castlight may provide services to other Castlight clients and may use or duplicate certain materials as templates or sources for other projects

12.3Castlight Materials.The Parties acknowledge that materials provided by Castlight may incorporate technology or content previously developed by Castlight, or which Castlight has developed (i) without the use of any Anthem intellectual property, and (ii) for services unrelated to the Castlight Services (collectively, the “Castlight Materials”). In addition to the foregoing, for purposes of this Agreement, “Castlight Materials” shall include: (1) Castlight’s proprietary technology platform and system (including without limitation software, algorithms and proprietary and technical information therein) for gathering, analyzing, modifying and making available to users certain health-related user and provider data and related information, guidance and services (the “Castlight Platform”); and (2) Castlight’s technical data, creative designs and concepts, web designs, trade secrets and know-how, business plans, software, algorithms, programming techniques, business rules, business methods, inventions, drawings, engineering, hardware configuration information, marketing and strategic plans, financial data, processes, technology and designs which it maintains for purposes of providing its consumer transparency services, any pre-developed communication and marketing templates (the “Castlight Service”); and (3) all intellectual property rights within the foregoing. As between the parties,

Software as a Service (SaaS) Agreement REV. December 2014 Page 24

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Castlight shall own all rights, title, and interest in and to the Castlight Materials, and all Castlight Materials shall be deemed Confidential Information subject to Section 8 (Security) and Section 9 (Confidentiality) - herein. Subject to the provisions of this Agreement , Castlight hereby grants to Anthem a perpetual (during the term of this Agreement), revocable (to the extent of termination rights in this Agreement), royalty-free (subject to any payment obligations herein), fully paid-up, non-transferable (except to Anthem Affiliates and assignees), sublicensable (only to Authorized Users, Anthem and its Affiliates’employees, agents, contractors, consultants, suppliers and third-party service providers subject to Section 4.3) ), non-exclusive, worldwide license to use, reproduce, distribute, display and perform (whether publicly or otherwise), offer to sell the Buy-Up Products (in conjunction with Castlight) and otherwise use the Castlight Materials to the extent necessary to allow Anthem the right to fully enjoy the Castlight Services solely in a manner consistent with their intended use as set forth in this Agreement and an applicable SOF provided they are fully paid for by Anthem in accordance with this Agreement and only during the term of this Agreement. Nothing contained herein shall restrict Castlight’s use of materials, techniques and skills which are generic in nature and not specifically related to an Anthem project or do not incorporate Anthem Confidential Information. Unless otherwise agreed to in writing by the Parties and subject to Section 12.4 below, it is understood that Castlight shall own all modifications, improvement, enhancements, derivative works, additional modules or features made by Castlight to the Castlight Materials (collectively “Modifications”), whether or not such Modifications were made by Castlight on the basis of any feedback, ideas, suggestions, or information provided by Anthem.

12.4Works. It is not anticipated by either Party that Castlight will ever create “Works” as defined below. Nonetheless, solely to the extent set forth in a subsequent writing executed by an authorized officer (or his designee) of each Party that the Parties intend for Castlight to create Works, the following provisions shall apply: excluding all Castlight Materials and any Modifications thereto (as those terms are defined in Section 12.3), “Works” shall mean all work product and related documentation, if any, in whatever stage of completion, created in connection with and during the performance of this Agreement. Works, in whatever stage of completion, shall be deemed a work-made-for-hire specially ordered and/or commissioned by Anthem. Anthem, its successors and assigns, shall exclusively own all now known or hereafter existing rights of every kind and nature throughout the universe (including, but not limited to, all copyrights, moral rights and mask-works; trademarks, service marks, trade names and similar rights; patents, design rights, algorithms and other industrial property rights; trade secret rights; all contract, assignment and licensing rights; and all rights in registrations, applications, renewals, extensions, continuations, divisions or reissues thereof now or hereafter in force in the foregoing), in perpetuity and in all languages, pertaining to the Works, tangible and intangible, for all now known or hereafter existing uses, and Castlight hereby irrevocably assigns and agrees to assign to Anthem, in perpetuity, without additional consideration, all such Works (to the extent and in the event they are not deemed work-made-for-hire). Castlight shall not have and shall not purport to have any rights in the Works. In the event Castlight has any rights in and to the Works (including, but not limited to, the “droit moral” or “moral rights of authors” or any similar rights in and/or to the Works) that cannot be assigned to Anthem as provided above, whether now known or hereafter to become known, Castlight hereby unconditionally waives such rights and the enforcement thereof, and all claims and causes of action of any kind with respect to any of the foregoing. In the event Castlight has any rights in and to the Works that cannot be assigned to Anthem and cannot be so waived, Castlight hereby grants to Anthem a perpetual, irrevocable, royalty-free, fully paid-up, transferable, sublicensable, exclusive, worldwide license to use, reproduce, distribute, display and perform (whether publicly or otherwise), prepare derivative works of and otherwise modify, make, sell, offer to sell, import and otherwise use and exploit such Works in a manner consistent with their intended use.

Software as a Service (SaaS) Agreement REV. December 2014 Page 25

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

12.5Anthem Intellectual Property. Notwithstanding anything to the contrary contained in Article 12 above, as between Anthem and Castlight, Anthem is deemed to own the Intellectual Property embodied in the Anthem Data and Anthem Materials.

12.6Castlight Intellectual Property. Notwithstanding anything to the contrary contained in Article 12 above, as between Anthem and Castlight, Castlight is deemed to own the Intellectual Property embodied in the Castlight Services, Castlight Materials and Castlight Platform.

13.INDEMNIFICATION

13.1Indemnification. Anthem and Castlight shall each indemnify, defend and hold harmless the other party, and its directors, officers, employees, agents, permitted subcontractors and assignees, subsidiaries, from and against any and all losses, claims, damages, liabilities, costs and expenses (including, without limitation, reasonable attorneys’ fees and costs up to one million dollars ($1,000,000.00) per claim) arising from third party claims resulting from (i) the indemnifying party’s failure to perform or negligent performance of its obligations under this Agreement, and/or (ii) the indemnifying party’s violation of any law, statute, ordinance, order, standard of care, rule or regulation, including Exhibits A (Business Associate Agreement), C (Medicare Compliance Specialty), F (Medicaid Requirements), Exhibit I (Qualified Health Plan), Exhibit J (BCBSA Requirements), Exhibit K (NCQA Requirements), and/or Exhibit P (Medicaid Medicare Dual Integration Regulatory Exhibits) hereunder, and/or (iii) the indemnifying party's breach of any promise, agreement or representation made in this Agreement, and/or (iv) in the case of Castlight, (a) any allegation that any portion of the Subscription Service, Castlight System, Documentation and/or Services, provided by Castlight to Anthem pursuant to this Agreement, infringes, misappropriates or violates any intellectual property right of any person or entity, (b) a breach of Castlight’s security obligations hereunder and/or (c) any act or conduct by a Castlight subcontractor based on a claim falling within the foregoing categories (i) through (iv)(b), inclusive; provided that in the event of a claim for infringement pursuant to this subclause (iv)(a), Castlight may, at its sole option and expense: (i) procure for Anthem the right to continue using the Service under the terms of the Agreement or (ii) replace or modify the Service to be non-infringing; and/or (v) in the case of Anthem, (a) any allegation that any portion of the Anthem Data provided by Anthem to Castlight pursuant to this Agreement, infringes, misappropriates or violates any intellectual property right of any person or entity, and (b) any act or conduct by an Anthem subcontractor based on a claim falling within the foregoing categories (i) through (iii) and (v)(a), inclusive.; provided that in the event of a claim for infringement pursuant to this subclause (v)(a), Anthem may, at its sole option and expense: (i) procure for Castlight the right to continue using Anthem Data under the terms of the Agreement or (ii) replace or modify Anthem Data to be non-infringing.  The obligation to provide indemnification under this Agreement shall be contingent upon the party seeking indemnification (i) providing the indemnifying party with prompt written notice of any claim for which indemnification is sought, (ii) allowing the indemnifying party to control the defense and settlement of such claim, provided however that the indemnifying party agrees not to enter into any settlement or compromise of any claim or action in a manner that admits fault or imposes any restrictions or  obligations on an indemnified party without that indemnified party’s prior written consent which will not be unreasonably withheld, and (iii) cooperating fully with the indemnifying party in connection with such defense and settlement.

13.2In addition to the indemnification obligations set forth in this Section as well as any remedies under applicable law or set forth in this Agreement, including, without limitation, performance guarantees and performance penalties, in the event of a security breach as described  in this Agreement and to the extent such breach was caused by Castlight and excluding any breach to the extent arising from the actions or inactions of Anthem, Castlight shall indemnify Anthem  for all costs related to the

Software as a Service (SaaS) Agreement REV. December 2014 Page 26

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

investigation as well as, at Anthem’s  election, furnishing notice to affected Covered Individuals  and/or the offer of ongoing identity theft monitoring services to such affected Covered  Individuals.

13.3Notice and Participation. The indemnified Party may, at its own expense, assist in the defense of any indemnifiable claim described in this Section 13 if it so chooses, provided that, as long as indemnifying Party can demonstrate sufficient financial and legal resources, indemnifying Party shall control such defense and all negotiations relative to the settlement of any such claim, and further provided that any settlement intended to bind the indemnified Party or which may adversely affect the indemnified Party shall not be final without such indemnified Party’s prior written consent, not to be unreasonably withheld or delayed. Notwithstanding the foregoing, if the claim relates to a violation of governmental law or regulation or to a breach of Castlight’s obligations relating to PHI and NPFI under Exhibit A (Business Associate Agreement), and Anthem determines in its own discretion it has a compelling interest in conducting its own defense, then Castlight shall indemnify Anthem for Anthem’s reasonable costs of defense (including attorneys’ fees) and for any final award of damages, assessment of fines, penalties or other regulatory assessment, and/or settlement or compromise (and provided Anthem gives Castlight an opportunity to comment on any proposed settlement or compromise). The indemnified Party shall provide the indemnifying Party with reasonable written notice of any claim that such indemnified Party believes falls within the scope of this Section 13.3. Each Party shall use reasonable efforts to mitigate any potential damages or other adverse consequences arising from or related to the Services and/or Subscription Services.

14.LIMITATIONOF LIABILITY

14.1No Consequential Damages. Except as set forth in Section 14.3 below, in no event shall either Party be liable to the other or to any third party, whether in contract, tort (including negligence), warranty or otherwise, for any indirect, incidental, special, consequential, exemplary or punitive damages (including, without limitation, loss of profits) arising out of or relating to this Agreement, even if such Party has been advised of the possibility of such damages.

14.214.2 Limit on Direct Damages. Except as set forth in Section 14.3 below, in no event shall either Party’s aggregate liability exceed three (3) times the total amounts paid or payable by Anthem to Castlight hereunder. For the avoidance of doubt, amounts paid or payable include, but are not limited to, implementation and customization fees paid or payable by Anthem to Castlight. Any amount owed by Castlight to Anthem in the way of service credits based upon a failure to meet the Service Levels set forth on Exhibit G attached hereto, shall not count toward any calculation of damages under this section.

14.3Exceptions to Limitation of Liability. The limitations of liability in Sections 14.1 and 14.2 shall not apply to (i) a Party’s indemnification obligations under this Agreement, (ii) a breach by a Party of its confidentiality obligations under this Agreement, (iii) claims relating to willful misconduct, gross negligence, personal injury or damage to property, (iv) abandonment by Castlight of the Agreement or a breach by Castlight of the paragraph entitled “Electronic Self-Help”, or (v) any fines or penalties arising from a Party’s acts or omissions in performing in accordance with this Agreement.

15.SUBCONTRACTORS

15.1Subcontractors. Except as to the subcontractors listed in Exhibit N (Approved Subcontractors), Castlight shall not subcontract any of its obligations under this Agreement without (i) providing Anthem in writing the scope of the proposed subcontract and the identity and qualifications of the proposed subcontractor (and allowing Anthem a reasonable period of time to evaluate the

Software as a Service (SaaS) Agreement REV. December 2014 Page 27

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

subcontracting proposal), (ii) obtaining Anthem’s prior written approval; and (iii) causing the approved subcontractor to agree in writing to perform and be subject to all of Castlight’s obligations under this Agreement; and (iv) prohibiting the subcontractor from further subcontracting without Anthem’s prior written approval. Notwithstanding Anthem’s approval of a subcontracting arrangement, Castlight shall remain primarily liable for the performance of all subcontracted obligations and shall remain Anthem’s sole point of contact under this Agreement. At Anthem’s reasonable request, Castlight shall promptly remove and/or replace any subcontractor.

16.ROUTINE MODIFICATIONS AND ENHANCEMENTS

16.1Castlight may implement routine enhancements to The Transparency Web Site and the Core Transparency Functionality when such enhancements are intended to improve user experience, provided that (i) such modifications and enhancements have no adverse material impact on the Services or on the security of the Anthem Data or of Anthem’s systems; and (ii) such modifications and enhancements cause no increase in fees or other costs chargeable to Anthem hereunder; and (iii) Anthem has received prior notification of the proposed implementation of such enhancements. Except for such routine enhancements and other modifications as may be necessary on an emergency basis as reasonably determined by Anthem, no changes, modifications or enhancements to the Transparency Web Site or the Core Transparency Functionality shall be made without Anthem’s prior written consent, which consent shall not be unreasonably withheld. Changes that are necessary for the security of the Services or for compliance with applicable laws, licenses, regulations, or government orders shall be deemed to be changes that are necessary on an emergency basis. As to any such changes made on an emergency basis, Castlight shall notify Anthem thereof as soon as practicable, and the parties shall work together in good faith to resolve any concerns, problems, or performance issues created by such changes.

If, after the execution of this SOF, Anthem determines that it desires Castlight to materially customize the Transparency Web Site Core Transparency Functionality, the parties shall negotiate in good faith and shall memorialize any further customization and associated cost in writing. Customizations undertaken by Castlight shall be billed to Anthem on a time and materials basis at a blended rate not to exceed $150 per hour.

17.DISPUTE RESOLUTION

17.1Informal Dispute Resolution

17.1.1Promptly after the Effective Date, the Parties will establish a Services Planning and Coordination Committee (“SPCC”). The SPCC will include qualified employees from each Party and will meet regularly as needed during the Term of the Agreement at a cadence to be mutually agreed upon by the Parties. The SPCC will consist of three representatives identified by Anthem and three representatives identified by Castlight, and will be responsible for establishing and periodically revising implementation timelines and roadmaps for the Services, that takes into account the requirements the Parties’ respective product development plans and customer needs. The SPCC will also be responsible for establishing and periodically revising a sales and marketing activity plan, for coordinating the Parties’ respective sales and marketing activities. The SPCC will attempt to reach all decisions on matters under the SPCC’s authority by unanimous agreement of the SPCC’s members, provided that if the SPCC cannot unanimously agree on a matter within the SPCC’s authority within ten (10) business days after a SPCC member has first raised such issue to the SPCC for a decision, then either Party may, by written or email notice to the other, have such issue be decided by in accordance with Section 17.1.2 (Good Faith Efforts) below. Each Party may designate

Software as a Service (SaaS) Agreement REV. December 2014 Page 28

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

and replace its representatives on the SPCC at any time, by written or email notice to the other Party. For the avoidance of doubt the SPCC has no authority to alter the terms and conditions of this Agreement and any such change must be in the form of an amendment to this Agreement signed by both Parties.

17.1.2Good Faith Efforts The Parties agree that they will make a good faith attempt to resolve any dispute arising under this Agreement before instituting legal action. Such good faith attempt shall include, but not be limited to, elevating the issue to management personnel of each Party who have the power to settle the dispute on behalf of that Party and, failing that, to a vice president level executive for each Party, as noted in 16.1.2, below.

17.1.3Escalation to Executives. To the extent any disagreements arising under this Agreement are not resolved by the management personnel of each party within a reasonable time after the occurrence of the disagreement, either Party may give to the other a Notice that a dispute has arisen. The Notice shall contain (i) a detailed description of the dispute and all relevant underlying facts, and (ii) a detailed description of the amount(s) in dispute and how they have been calculated. Within fourteen (14) days after the date of the Notice, such dispute shall be referred to a vice president level executive for each Party.

17.1.4Failure of Informal Efforts. If such executive officers of both Parties are unable to resolve the dispute within fourteen (14) days of the referral to them, either Party shall be free to pursue any claim in court.

17.1.5No Power to Alter Agreement. Either Party may seek interim measures of protection concerning any subject matter of the dispute subject to arbitration, including but not limited to interim injunctive relief, in a court of competent jurisdiction.

17.2Disputes Involving Confidential information or Intellectual Property. Notwithstanding the foregoing, in any dispute concerning Confidential information and Intellectual Property, a Party may elect to have the dispute resolved by a court of competent jurisdiction in Marion County, Indiana, and upon a Party’s commencement of any such action, any informal resolution then pending shall be stayed, insofar as it concerns Confidential information or intellectual property. Without limiting the generality of the foregoing, each Party acknowledges that irreparable injury may result to a Party in the event that the other Party fails to perform its obligations under this Agreement with respect to Confidential information or Intellectual Property and each Party agrees that, in such event, each Party shall be entitled, in addition to any other remedies and damages available to it, to seek interim injunctive relief to restrain the breach or compel the performance of this Agreement.

17.3Waiver of Jury Trial. Each of the parties hereby unconditionally waives any right to a jury trial with respect to and in any action, proceeding, claim, counterclaim, demand, dispute or other matter whatsoever arising out of this agreement.

17.4Continued Services; Enforcement. Notwithstanding any dispute, Castlight shall continue timely performance of the Services or its other obligations under this Agreement (including the continued provisions of all rights of access and use to Anthem, its Affiliates and their Authorized Users) and, if it discontinues or does not timely perform such obligations, Anthem may seek a temporary and/or permanent injunction or similar order in any state or federal court within the State of Indiana for the sole purpose of compelling continued and timely performance of Castlight’s obligations hereunder. The

Software as a Service (SaaS) Agreement REV. December 2014 Page 29

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

provisions of this Section may be enforced by any court of competent jurisdiction, and the prevailing Party in any such action shall be entitled to an award of all costs, fees and expenses, including attorneys’ fees. Notwithstanding the foregoing, nothing in this section 17.1 shall prohibit Castlight from suspending Services under an Order Schedule in the event Anthem has failed to pay any undisputed amounts that are outstanding more than ninety (90) days under such Order Schedule after Anthem’s receipt of an invoice and notice of failure to pay on a timely basis from Castlight.

18.MISCELLANEOUS

18.1Assignment. Neither Party may assign its rights or obligations under the Agreement to any third party without the prior written consent of the other Party; provided however, that (i) Anthem may assign this Agreement to any Affiliate (provided that Anthem shall remain fully liable for the performance of all obligations hereunder) and (ii) either Party may assign this Agreement without the consent of the other Party, in the case of a merger or acquisition of all or substantially all of the assigning Party’s assets. The Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.

18.2NCQA Certification.Castlight shall make reasonable efforts to obtain the NCQA certification applicable to the Castlight Services, shall commence such efforts within 30 days following the Effective Date of this Agreement, and shall periodically provide progress updates to Anthem upon request. Castlight shall also comply with Exhibit K - NCQA Division of Responsibilities, attached hereto.

18.3Trademarks and Branding/No Publicity.

18.3.1Except as may be explicitly set forth in this Agreement (or otherwise expressly approved in writing by Anthem in advance, neither Party shall use the name, logo, service marks, domain names, symbols or any other name or mark of the other Party or the other Party’s Affiliates, without the prior written consent of the other Party (which may be via email). Except: (a) as may be explicitly set forth in this Agreement; (b) otherwise expressly approved in writing by Anthem in advance; or (c) as may be required by applicable law or legal process, Castlight shall not at any time either during the Term or at any time after any expiration or termination of this Agreement: (i) disclose in advertising campaigns, public relation campaigns or otherwise publicize or disclose the existence of this Agreement, or any terms or conditions of this Agreement, or Anthem’s or its Affiliates’ status as a customer of Castlight or (ii) provide a hyperlink from any Internet site that it maintains to any Internet site maintained by Anthem or any Anthem Affiliate. The Parties shall periodically meet to discuss necessary and appropriate disclosures in connection with the Parties’ obligations under this Agreement, and agree on talking points and/or other communications acceptable by the Parties without the need for further approvals,provided content of and usage parameters for the approved talking points and communications are not altered prior to re-use. Castlight shall not extract any information or other data from any Internet site maintained by Anthem or any Anthem Affiliate, including framing and deep linking, without the express written consent of Anthem.

18.3.2In addition, Castlight has no license to use the Blue Cross and/or Blue Shield names, symbols, or derivative marks (the “Brands”) and nothing in the Agreement shall be deemed to grant a license to Castlight to use the Brands. Any references to the Brands made by Castlight in its own materials are subject to review and approval by Anthem.

Software as a Service (SaaS) Agreement REV. December 2014 Page 30

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

18.3.3Castlight shall have the sole right to label and brand its services and products (including all Buy-Up Products, except to the extent that such Buy-Up Products are co-branded at such time and in such a manner as to be mutually-acceptable by the Parties and compliant with all then-applicable BCBSA Requirements) and shall have the sole right to use its service and product names and brands. Anthem shall have the sole right to label and brand its services and products that are provided by Castlight or that use Castlight Intellectual Property as permitted under this Agreement.

18.4Governing Law and Consent to Jurisdiction. The Agreement shall be governed by and construed in accordance with the laws of the State of Indiana, without giving effect to its conflict of laws principles. The Parties consent and agree to the exclusive jurisdiction of the tribunals Marion County, Indiana and waive any and all objections to such forums, including but not limited to objections based on improper venue or inconvenient forum. Notwithstanding the foregoing, the Parties agree that the Uniform Computer Information Transactions Act (UCITA) as enacted in any Commonwealth or State of the United States shall not apply to this Agreement or any performance hereunder and the Parties expressly opt-out of the applicability of UCITA to this Agreement.

18.5Notices. All notices, requests, claims, demands, and other communications (each a “Notice”) under the Agreement shall be in writing and shall be given or made by delivery in person, by facsimile, by courier service, or by certified mail (postage prepaid, return receipt requested) to the respective Party at the following address set forth below or at such other address as such Party may hereafter notify the other Party in accordance with this Section. Each such Notice will be effective as follows: (a) as of the day transmitted by facsimile if receipt has been electronically confirmed; (b) as of the date emailed if receipt has been electronically confirmed or so long as a duplicate copy is contemporaneously provided by another Notice methodology set forth in this Section; (c) as of the date actually delivered if sent by a recognized commercial express delivery service that uses delivery tracking technology; (d) four (4) business days after the date actually deposited with the U.S. mail if sent postage-paid First Class; and (e) as of the date actually delivered if delivered by personal courier to the office location of the recipient during normal business hours.

For Anthem:

Anthem, Inc.

120 Monument Circle

Indianapolis, IN 46204

Attention: General Counsel

With a mandatory copy to:

Anthem, Inc.

120 Monument Circle

Indianapolis, IN 46204

Attention: Procurement - Contract Administration

For Castlight:

Castlight Health, Inc.

Two Rincon Center

Software as a Service (SaaS) Agreement REV. December 2014 Page 31

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

121 Spear Street, Suite 300

San Francisco, CA 94105

Attention: CEO

Fax number:

With a courtesy copy to:

Castlight Health, Inc.

Two Rincon Center

121 Spear Street, Suite 300

San Francisco, CA 94105

Attention: Legal

18.6Modification; Waiver.

18.6.1No modification to the Agreement shall be valid unless in writing and signed by each Party. No delay or omission by either Party to exercise any right or power it has under this Agreement shall impair or be construed as a waiver of such right or power. A waiver by any Party of any breach or covenant shall not be construed to be a waiver of any succeeding breach or any other covenant. All waivers must be in writing and signed by the Party waiving its rights.

18.6.2Nothing on any invoice, purchase order acknowledgment, click wrap, shrink wrap license or any other “boilerplate” or standard terms issued by Castlight at any time during the Term shall contradict, vary or amend the terms of this Agreement and any contrary or differing term shall have no force or effect.

18.7No Gratuities or Kickbacks. Anthem may, by written notice to Castlight, terminate the Agreement, any SOW, and some or all rights of Castlight hereunder, if Anthem has a reasonable cause to believe that gratuities (in the form of entertainment, gifts or otherwise that are of inappropriate value and/or not in accordance with Anthem’s policies in excess of that which is reasonable and customary in Anthem’s industry, or which would not be considered in good taste if publicly scrutinized) were offered or given by Castlight, or any employee, subcontractor, agent or representative of Castlight, to an officer or employee of Anthem or any Anthem Affiliate in a position to secure or influence the awarding of, or amendment to, the entire Agreement or any SOW, or any determination with respect to Castlight’s performance hereunder, or any decision or action favorable to Castlight.

18.8Force Majeure.

18.8.1General. A delay by a Party in the performance of its obligations under this Agreement shall not be deemed a default of this Agreement to the extent that such delay is attributable to a Force Majeure Event and could not have been prevented or minimized by the non-performing Party by means of the exercise of reasonable precautions, or cannot reasonably be circumvented by the non-performing Party in a commercially reasonable manner, including through the use of alternate sources or work-around plans. Notwithstanding the foregoing, Castlight acknowledges and agrees that this Section 18.8 shall not limit Castlight’s obligation to initiate and provide timely and effective disaster recovery or business continuity for the Services described in this Agreement, the applicable Statement of Work, or any Exhibits and schedules thereto.

18.8.2Right to Terminate. If a Force Majeure Event prevents, hinders or delays a Party's ability to perform for more than 45 days and materially and adversely affects the other Party,

Software as a Service (SaaS) Agreement REV. December 2014 Page 32

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

then in such event the other Party may, in its reasonable discretion, choose to terminate the applicable Statement of Work upon written notice.

18.8.3Force Majeure Event. The term “Force Majeure Event” shall mean a fire, flood, earthquake, terrorism, or similar act beyond the reasonable control of a Party. A strike, lockout or similar labor dispute by a Party’s personnel shall be deemed to be within such Party’s reasonable control. In addition, if Castlight reasonably believes that an act of war, riot, civil disorder, or rebellion is likely, either Party may request that certain changes to the Services be proposed in light of such Force Majeure Event. Unless otherwise mutually agreed by the Parties, if Anthem agrees to changes initiated by Castlight due to an act of war, riot, civil disorder, or rebellion, Castlight shall bear all costs and expenses to perform and implement the changes. If Anthem does not agree to so change the Services, or if the event of war, riot, civil disorder, or rebellion occurs, such event shall be deemed to be a Force Majeure Event.

18.8.4Allocation of Resources. If a Force Majeure Event causes Castlight to allocate limited resources between or among Castlight’s customers, and if the Services are disrupted by such Force Majeure event, Castlight shall not treat any other customer better than Anthem nor reduce process capacity or performance below the business continuity requirements stipulated above. If a Force Majeure Event causes Castlight to allocate limited resources between or among Castlight’s customers, and if the Services are not disrupted by such Force Majeure Event, Castlight shall not reduce process capacity or performance below the level of the process capacity and performance immediately prior to the Force Majeure Event. In addition, Castlight shall not redeploy or reassign any key personnel to another Castlight account in the event of a Force Majeure Event without Anthem’s prior written consent.

18.9Severability. If any provision of the Agreement is held to be invalid, illegal or unenforceable in any respect under applicable law, such provision shall be excluded from the Agreement and the balance of the Agreement shall be interpreted as if such provision were so excluded and shall be enforceable in accordance with its terms.

18.10Relationship of Parties. The Parties intend to be, are, and shall at all times be independent contractors with respect to this Agreement and all performance under this Agreement. Under no circumstances shall Castlight, any Castlight personnel, or any other of Castlight’s employees, subcontractors, agents, or representatives be considered to be employees or agents of Anthem or any of Anthem’s Affiliates, or be entitled to participate in any of Anthem’s or its Affiliates’ employee benefit programs including workers compensation and disability insurance, group health, dental and vision insurance, unemployment insurance, retirement plans, or stock-based benefits or plans. Neither Party is an agent, partner or employee of the other Party, or its Affiliates, and neither Party has any right or any other authority to enter into any agreements or undertaking in the name of or for the account of the other Party or to create or assume any obligations of any kind, express or implied, on behalf of the other Party nor will the act or omissions of either create any liability for the other Party. No form of joint employer, joint venture, partnership, or similar relationship between the Parties, or between either Party and any Affiliate of the other Party, is intended or hereby created. This Agreement shall in no way constitute or give rise to a partnership or joint venture between the Parties.

18.11Titles and Subtitles. The titles and subtitles used in the Agreement are used for convenience only and are not to be considered in construing or interpreting the Agreement.

Software as a Service (SaaS) Agreement REV. December 2014 Page 33

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

18.12Counterparts. The Agreement and any Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which, when taken together, shall constitute one and the same instrument.

18.13Electronic Signatures. The Parties agree electronic signatures may be utilized for execution of this Agreement and any attachments hereto, including but not limited to, Statements of Work.The Parties acknowledge and agree that (i) the issuance of an electronic signature shall be valid and enforceable as to the signing Party to the same extent as an inked original signature; and (ii) these documents shall constitute “original” documents when printed from electronic files and records established and maintained by either Party in the normal course of business. Unless otherwise agreed to by the Parties, the purchase order number (issued by Anthem) shall constitute Anthem’s electronic signature and consent to any purchase order and the Castlight’s invoice number shall constitute Castlight’s electronic signature and consent to provide the Subscription Service and/or other related services.  Each Party agrees that the Anthem purchase order number or the Castlight invoice number, as issued by the respective Party, shall be sufficient to verify that such Party originated the document.  Neither Party shall disclose to any unauthorized person the purchase order Number or the invoice number.

18.14Deficit Reduction Act Notification to Castlight. Section 6032 of the Deficit Reduction Act of 2005 (“DRA”) and state laws enacted pursuant to the DRA require certain entities such as Anthem to establish policies and procedures to help the entity, and its contractors and agents, detect and prevent fraud, waste and abuse relating to services provided for certain government funded programs, including Medicaid. The DRA and state laws also require certain entities to make their suppliers aware: (a) of the provisions of the False Claims Act and similar state statutes prohibiting anyone from knowingly submitting or causing another person or entity to submit false claims for payment of government funds; and (b) that any person in violation is potentially liable for three times the damages or loss to the government plus substantial civil penalties (currently $5,500 to $11,000). In addition, the False Statements Act prohibits anyone from making false statements or withholding material information in connection with the delivery of services to, or payments from, the government. Violations of these acts can also result in criminal convictions and imprisonment of up to five (5) years. As part of Anthem’s policies designed to prevent fraud, waste and abuse, Anthem does not retaliate against personnel who report violations (or suspected violations) of state of federal False Claims Acts. .

18.15Covenant Not to Trade on Insider Knowledge. Each Party acknowledges that the other Party is a publicly traded corporation. Each Party agrees that it will not purchase or sell any stock of the other Party based on the other Party’s Confidential information. Each Party further agrees that, if it discloses the other Party’s Confidential information to any other person or entity in accordance with this Agreement, it will advise that other person or entity of the duty not to trade based on such Confidential information.

18.16Cumulative Remedies. Except as otherwise expressly provided in this Agreement, all remedies provided for in this Agreement shall be cumulative and in addition to, and not in lieu of, any other remedies available to either Party at law, in equity or otherwise.

18.17No Third Party Beneficiaries. This Agreement shall not benefit, or create any right or cause of action in or on behalf of, any person or entity other than Anthem, its Affiliates and assignees, or Castlight; provided that if either Party’s Affiliates’ has a cause of action under this Agreement against the other Party, such action must be initiated by a Party to this Agreement against the other Party, and not against such Party’s Affiliates directly.

Software as a Service (SaaS) Agreement REV. December 2014 Page 34

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

18.18Entire Agreement. This Agreement sets forth the entire agreement of the Parties with respect to the subject matter of such Agreement, and except as set forth in the following sentence, supersedes any and all prior proposals, agreements, understandings, and contemporaneous discussions, whether oral or written, between the Parties with respect to the subject matter of this Agreement. Notwithstanding the foregoing, that certain Confidentiality Agreement entered into by the Parties effective March 24, 2011 (the “Confidentiality Agreement”) shall remain in effect and shall continue to govern Castlight’s uses and disclosures of Anthem’s Proprietary and Confidential Information when released thereunder via Data Release Specifications Forms associated with and incorporated into such Confidentiality Agreement. In addition, the following other agreements entered into by the Parties (as amended) shall remain in effect: (1) the Reference-Based Benefits Collaboration Agreement effective as of January 18, 2013; (2) the Amended and Restated Transparency Data Agreement effective as of August 31, 2015; (3) the Data Mining and Analytics Services Agreement effective as of March 1, 2013; (4) the Vendor Agreement effective as of September 12, 2013; and (5) the Blue Cross and Blue Shield Association Data Access Agreement for Transparency Services effective as of July 18, 2014.

IN WITNESS WHEREOF, the undersigned have read, understood and executed this Agreement and agree to be bound by its provisions as of the Effective Date.

Castlight Health, Inc.	Anthem, Inc.	Anthem, Inc.
Castlight	Anthem, Inc.	Anthem, Inc. (Procurement)
By: /s/ Gio Collela	By: /s/ Brian Griffin	By: /s/ Shane O’Reilly
Signature	Signature	Signature
Gio Collela	Brian Griffin	Shane O’Reilly
Printed Name	Printed Name	Printed Name
Co-Founder and CEO	President NY and Pharmacy	Staff VP Strategic Sourcing
Title	Title	Title
10/28/2015	10/29/2015	10/28/2015
Date	Date	Date

Software as a Service (SaaS) Agreement REV. December 2014 Page 35

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT E

Diversity Supplier Compliance

The Castlight agrees to comply fully with Anthem’s Castlight Diversity Initiative, as further described in the Guidelines for Prospective Suppliers (found at http://www.Anthem.com/prodcontrib/groups/Anthem/@wp_suppliers/documents/wlp_assets/pw_d015001.pdf) and any participation plan that may have been submitted to Anthem. The following certified diverse suppliers will be participating in this Contract.

Diverse Suppliers Phone Email Anthem Name Scope of Goods and/or Services Utilization Date Amount or Percent

The Castlight must obtain the approval of Anthem’s Supplier Diversity Director before changing any Castlight Diversity participation plan submitted in connection with this Agreement.

Software as a Service (SaaS) Agreement REV. December 2014 Page 36

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT F

Medicaid Requirements

The following Attachments are applicable to all of the services performed by Castlight for any member enrolled in a Medicaid program in the particular state to which the Attachment pertains.  Notwithstanding the foregoing, all provisions contained in the Attachments may not be applicable to certain services provided by administrative services Castlight as certain provisions are applicable solely to providers of medical services.  Only those provisions applicable to the specific services provided by Castlight shall be deemed to be incorporated into the Agreement.  State-specific requirements may be added from time to time without need for additional amendment when an existing program is expanded to include a new Affiliate or a new program encompasses a new Affiliate. In the following documents, “subcontractor”, “Vendor” and “Supplier” refer to the “Castlight” under the Agreement.

Exhibit F-1 California Medicaid Subcontract Exhibit

Exhibit F-2 Medicaid Exhibit Indiana HHW HIP HCC

Exhibit F-3 Massachusetts Medicaid Requirements for Vendors

Exhibit F-4 New York Medicaid Requirements - Vendors

Exhibit F-5 Medicaid Exhibit South Carolina

Exhibit F-6 Medicaid Exhibit Texas (Anthem)

Exhibit F-7 Virginia Medicaid Requirement

Exhibit F-8 West Virginia Medicaid Requirements - Vendor

Exhibit F-9 Medicaid Exhibit Wisconsin

Exhibit F-10 Florida Medicaid Subcontract Exhibit

Exhibit F-11 Kansas Medicaid Subcontract Exhibit

Exhibit F-12 Medicaid Exhibit Louisiana

Exhibit F-13 Medicaid Exhibit Maryland

Exhibit F-14 New Jersey Medicaid Subcontract Exhibit

Exhibit F-15 Medicaid Exhibit Nevada

Exhibit F-16 Medicaid Exhibit Tennessee

Exhibit F-17 Medicaid Tennessee BAA – Utilize for all TN Vendors

Exhibit F-18 Medicaid Exhibit Texas (Amerigroup)

Exhibit F-19 Medicaid Exhibit Kentucky

Exhibit F-20 Medicaid Exhibit Washington

Exhibit F-21 Georgia Medicaid Exhibit

Software as a Service (SaaS) Agreement REV. December 2014 Page 37

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT G

SERVICE LEVELS

I. Castlight Service Levels. Castlight’s performance shall be measured against the Performance Standards set forth in this Exhibit G and Castlight shall be assessed penalties, if applicable, as stated below. Performance Standard measurements and Castlight’s obligation to achieve the Performance Standards set under this Exhibit G are in addition to any and all other rights and remedies provided under the Agreement and/or applicable law.

A.Definitions. The capitalized terms used herein shall have the meanings ascribed to them in this Section A or, if not defined below, in Section 1 of the Agreement.

1.“Uptime” shall mean all times when the Castlight System is running and is available to be accessed by Authorized Users.

2.“Available Time” shall mean the number of hours in any given calendar month less the amount of Downtime (excluding Standard Maintenance Window hours) related to events outside of Castlight’s control, such as force majeure events, internet-wide disruptions or denial of service attacks.

3.“Downtime” shall mean all times in which the Castlight System fails HTTP checks, content verification checks and a service check

4.“Standard Maintenance Window” shall mean a biweekly maintenance period between 1:00 a.m. and 5:00 a.m. Eastern Time, every second and fourth Friday of each month. Twice annually this maintenance period may be six hours between 12:00 a.m. and 6:00 a.m. Eastern Time, provided Anthem is notified at least ten days in advance of the period.

5.“End Users” shall mean Authorized Users for which there is an effective SOF in place and for which a Launch Date has occurred.

6.“Emergency Maintenance Window” means emergency updates as result of vendor recommended patches to deal with high risk security threats as well as hardware replacement, which maintenance Castlight will use commercially reasonable efforts to perform maintenance during periods of low usage (such as evenings) and to promptly notify customers of emergency maintenance. Anthem would be notified within 90 minutes of determination that the emergency maintenance will occur and before the actual emergency maintenance would begin.  Thereon, Anthem would be updated regularly throughout the time period through resolution.

B.Measurements and Reporting

Software as a Service (SaaS) Agreement REV. December 2014 Page 38

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

1.Throughout the Term of the Agreement, Castlight shall measure its performance of Services against the Performance Standards set forth below.

2.Castlight shall report such performance results, and any applicable penalties incurred, to Anthem via a “Performance Standards Report,” shall be provided in a template in a format mutually agreed to by the Parties Such Castlight Reporting shall, when applicable, contain in writing the cause of any performance failure(s) and the steps taken by Castlight to remediate. With respect to each Castlight failure to provide the Services in accordance with the applicable Service Levels, Castlight shall, as soon as reasonably practicable but not later than five (5) days after such failure unless otherwise agreed to:

a.perform a root-cause analysis to identify the cause of such failure;

b.provide Anthem with a written report detailing the cause of such failure, and procedure for correcting such failure

c.correct the problem and begin meeting the Service Level; and

d.to the extent within Castlight’s ability to control, take appropriate preventive measures so that the problem does not reoccur.

Castlight agrees it will inform Anthem of its corrective procedures, and Anthem can provide input into such procedures. For the avoidance of doubt, if the root-cause analysis cannot conclusively prove whether Castlight was not the cause of or responsible for a Service Level failure, then the Parties shall discuss an appropriate resolution to such failure. As part of such efforts, the Castlight Personnel shall work in a collaborative environment (including within reliability meetings and by coordinating with Anthem): (i) to identify offending system(s) contributing to such failures or outages, and (ii) to determine the singular point of failure and reason for that failure.

3.Performance Standards Reports shall be furnished to Anthem on a monthly basis within two (2) weeks after the end of the month (the “Monthly Report Date”), for results for the preceding month and a year-end review.

C.Calculation and Payment of Penalties

1.If at any time Castlight fails to meet any Performance Guarantee, Castlight shall calculate the applicable Performance Guarantee Penalty as identified below.

2.Castlight shall remit the total Performance Guarantee Penalty amount to Anthem on a quarterly basis following the quarter to which the Penalty applies.

3.If Castlight fails to meet an applicable Performance Standard two (2) times within a quarter or for two (2) consecutive months, Castlight shall provide Anthem with a corrective action plan, subject to Anthem’s review, collaboration and provision of input, which shall include, at a minimum, root cause analysis, scheduled meetings with Anthem to report on progress, weekly reporting to Anthem with associated backup information, and service level performance monitoring to remedy any failures.

Software as a Service (SaaS) Agreement REV. December 2014 Page 39

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

4.Notwithstanding anything herein or in the Agreement to the contrary, the Parties agree that the Performance Guarantee Penalties described in this Exhibit G payable by Castlight in any month, shall not exceed [***].

D.Adverse Performance Trends

1.If, during the course of any month (e.g., by reviewing performance data), Anthem becomes aware of adverse performance trends (e.g., trends indicating Castlight may not meet the Performance Standards for the month and provided the adverse trend is not the result of data being received in an incorrect format, incomplete or not timely), at Anthem’s request, Castlight shall promptly prepare corrective action plans to address such adverse performance trends, and with Anthem’s approval, promptly implement such plans, even though the applicable measurement period has not been completed and, accordingly, there has not yet been a Performance Standard default.

2.Nothing herein is meant to waive Anthem’s rights to demand corrective action plans or take any other action that is permitted by the terms of the Agreement.

E.Material Breaches

1.In the event of a material breach of the Agreement by Castlight, Anthem in its sole discretion may elect to impose a Performance Guaranty Penalty, which shall be in lieu of any other remedy for such material breach.

2.To make such election, Anthem shall provide written notice to Castlight that:

a.identifies the material breach,

b.provides Castlight with a reasonable cure period or not less than fifteen (15) calendar days, and

c.informs Castlight of the Performance Guaranty Penalty that will be imposed at the end of the cure period if the material breach has not been cured.

F.Performance Guarantee Data Requirements. Notwithstanding any provision herein, the failure by Anthem to provide data to Castlight as set forth in the Agreement, as applicable, and as required for the Performance Guarantees contained in this Exhibit G, shall \relieve Castlight of those guarantees under this Exhibit G that are dependent on Anthem’s provision of such data, for the period of such failure by Anthem, and only if the lack of or late delivery of data materially impacts Castlight’s ability to comply with such Performance Guarantees.

G.Reporting Timeliness Performance Guarantee. The following specifications shall apply to the timeliness of Castlight’s satisfaction of the reporting requirements set forth in the Agreement and in this Attachment, including its Addendum B:

1.Performance Guarantee Standards

a.Monthly Reports – All reports received by Anthem within two (2) weeks after the end of the month.

Software as a Service (SaaS) Agreement REV. December 2014 Page 40

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

b.Root Cause Analysis Reports – As specified in Section B.2., above.

c.Severity1 Impact Reports – Summarizing the event shall be distributed to the Anthem Business Lead and IT Lead within one (1) business day of the event.

2.Performance Guarantee Penalty –[***].

H.User Satisfaction Survey Results Performance Guarantee

1.Performance Guarantee Standards. Castlight shall satisfy the following elements:

a.Evaluate User satisfaction with the Services, using sound mechanisms for data collection and reliable methodologies for evaluating and analyzing satisfaction data, including documentation of areas of dissatisfaction. Anthem shall have reasonable input into the content of the satisfaction survey, if Anthem so requests.

b.Take actions that Anthem and Castlight mutually agree are likely to improve the identified areas of dissatisfaction.

2.Performance Guarantee Penalty –[***] .

I.Escalated Issue Response Performance Guarantee. The following specifications shall apply to the timeliness of Castlight’s response to issues raised by Anthem Customer Service and Account Management:

1.Performance Guarantee Standards. Except for Severity 1 issues, which must be reported upon discovery, Castlight must respond to 95% of issues within one (1) business day after receiving notification thereof, measured monthly. For ordinary questions, Castlight shall respond in no less than three (3) business days. In the event Escalation is required for a Severity 1, 2 or 3, Castlight will escalate the Incident to its management and Castlight’s Anthem account team for further action, resolution and/or escalation, as necessary to resolve the Incident. In addition, once the Time Allowed Prior to Escalation has passed, Anthem may escalate an Incident to the following Castlight personnel, contacting each escalation point in the order they appear below:

Castlight Account Representative: [***]

email: [***], Phone: m: [***]

Castlight Executive: [***]

email: [***], Phone: m: [***]

2.Performance Guarantee Penalty – [***].

J.System Availability Performance Guarantee. The following specifications shall apply to the availability of the Castlight Web Site other than during normally scheduled maintenance and downtime:

Software as a Service (SaaS) Agreement REV. December 2014 Page 41

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

1.Performance Guarantee Standard. In each month during the Term of the Agreement, Uptime shall constitute at least – 99.9% of Available Time; and

2.Castlight shall remedy Severity 1 defects in an average Mean Time to Recover (“MTTR”) of 1.68 hours per incident. This shall be measured by dividing the total number incidents by the total time to recover for all incidents during the measuring period, excluding any such incidents for which the root cause was determined as arising from Anthem Data or Anthem systems and services.

3.Performance Guarantee Penalty – [***].

K.Application Maintenance Performance Guarantees.

1.The following specifications shall apply:

Software as a Service (SaaS) Agreement REV. December 2014 Page 42

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Priority	Description	Castlight Response Times
Severity 1 Critical Anthem Support Incidents	Critical Business Impact. A critical problem with the Castlight Services in which any of the following occur: the Castlight Services are down, inoperable, inaccessible or unavailable, or otherwise materially cease operation; or the performance or nonperformance of the Castlight Services prevents useful work from being done. Complete loss of service or resources & work cannot reasonably continue, or PHI or sensitive data breaches.	•Within 45 minutes of discovery •Castlight to provide regular updates (minimum hourly) to Anthem on the issue identification and resolution status.  •Web Support tool updated as information is available •Castlight contact will notify the Anthem contact, who will then join Castlight’s open conference bridge line, and Castlight will provide Anthem regular updates to Anthem on the issue identification and resolution status.
Severity 2 High Urgent Anthem Support Incidents	Serious Business Impact. A problem with the Castlight Services in which any of the following occur: the Castlight Services are severely limited or degraded, major functions are not performing properly, the situation is causing a significant impact to certain portions of Customer and/or Castlight Services users’ operations or productivity; or the Castlight Services have been interrupted but recovered, and in Customer’s opinion there is high risk of reoccurrence.	•If via Phone Hotline: 8 Hours •If via Web Support: 1 Business Day •Web Support tool updated as information is available
Severity 3 Medium Service Impacting	Minor Business Impact. A minor or cosmetic problem with the Castlight Services in which any of the following occur: the problem is an irritant, affects non-essential functions, has minimal impact to business operations; the problem is localized or has isolated impact; the problem is an operational nuisance; the problem results in documentation errors; or the problem is any other problem that is not a Severity 1 or a Severity 2, but is otherwise a failure of the Castlight Services to conform to its Specifications	•If via Phone Hotline: 5 Business Days •If via Web Support: 5 Business Days •Web Support tool updated as information is available

a.Performance Guarantee Penalty – For Severity 1, [***].

b.Performance Guarantee Penalty – For Severity 2, [***].

c.Performance Guarantee Penalty – For Severity 3, [***].

2.Eligibility Loading Performance Guarantee

a.Performance Guarantee Standard – Castlight must load 100% of the incremental changes in Eligibility Data within 85% will be 24 hours (15% at 48 hours) hours after receipt of such changes from Anthem, measured monthly provided that this metric shall not apply to the extent that the data is not received in the agreed-upon format or is incomplete.

Software as a Service (SaaS) Agreement REV. December 2014 Page 43

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

b.Performance Guarantee Penalty – [***].

3.Claim Loading Performance Guarantee

a.Performance Guarantee Standard – Castlight must load 100% of the incremental changes in Claim Data within 72 hours after receipt of such changes from Anthem, measured monthly; provided that this metric shall not apply to the extent that the data is not received in the agreed-upon format or is incomplete. As part of the monthly reporting package, Castlight shall provide Anthem a file loading report, including such items as the timestamp of receipt of each file, timestamp of load of each file, count of records received, updated, and with errors in each file, and the file identification information. In addition, Castlight shall notify Anthem within 24 hours of receipt of files for any data formatting issues or with 24 hours if the file is not received by Castlight from the time agreed for exchange.

b.Performance Guarantee Penalty –[***] .

L.Client Support. Castlight shall provide the following services in support of their product:

1.Support Hours: Castlight shall provide Anthem support from 3:00 PM Sunday through 9:00 PM Friday EST for all Severity levels indicated in Section 1 above.

2.Access to Support; Response Times. Anthem may report Downtime at any time (“24x7x365”) by telephoning Castlight at [***]for live issue reporting which shall be staffed with a live individual at Castlight’s Network Operations Center (“NOC”), or submitting an incident through Castlight’s web-based customer support portal.

3.Account Support. Castlight will assign an individual to serve as the sole point of contact for the purposes of minimizing the impact of downtime and upgrades and maximizing support response times. In addition, Castlight shall not implement upgrades or migrations during the fourth quarter of any calendar year that would exceed the maximum duration of any scheduled downtime, unless the Parties mutually agree in advance prior to such event.

4.Maintenance and Technical Standards. Castlight agrees to maintain the accessibility and performance of the Hosting Services in a manner consistent with capacity and performance standards set forth herein and current telecommunications and Internet industry standards, as the same may change from time to time. For measurements required herein, Castlight may assume a stable, standard T1 connection to the Internet and measurements made at random times throughout the day. Upon request, Castlight will provide Anthem with a list of minimum recommended and technical PC standards for access to and use of the Castlight System, and Anthem acknowledges that optimal performance will not be available if recommended standards are not met by users of the Castlight System.

Software as a Service (SaaS) Agreement REV. December 2014 Page 44

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

5.Hosting Location. The Hosting Services will be rendered in a facility that is consistent with high industry standards for fireproofing, power and backup generation, structural integrity, seismic resistance and resistance to other natural and man-made disruptions (the “Facility”). In addition, the Facility shall be secured against physical and electronic intrusion in a manner consistent with high industry standards. Castlight shall provide Anthem with at least ninety (90) days written notice of a change in the location from which Castlight delivers the Hosting Services. Upon ten (10) days prior notice, Anthem may inspect the Hosting location to assess compliance with requirements set forth in this Agreement.

6.Multiple Telecommunications Providers. The Facility shall be served by no less than two separate high-speed telecommunications providers and Castlight shall have the ability to switch between telecommunications providers to reduce outages.

7.No Commingling. Castlight prevents the co-mingling of data through the use of logical and technical controls. Anthem Confidential Data from Castlight production systems shall not be exported for any reasons and shared with any customers/vendors for any purposes.

8.Performance Guarantee Penalty. Failure to comply with the requirements of this Section more than one time per calendar month shall result in a penalty of [***] .

M.Data Load, Back Up and Retention.

1.Back-Up of Anthem Data. Castlight will perform back-up and archiving of Anthem Data, which includes transactional data (tasks, activities) and documents (files) according to the schedule set forth in the table below:

Type of Back-Up	Description	When does back-up occur?
Daily Incremental Back-Up	All Anthem Data	Daily
Full Back-Up	Full server backup	Monthly

2.Back-Up Retention: Castlight will retain data files and full back-up copies of the Anthem Data at a secure storage location set forth below and in accordance with the retention periods set forth in the following table:

Software as a Service (SaaS) Agreement REV. December 2014 Page 45

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Type of Back-Up	Retention Period	Storage Location
Daily Incremental Files	60 days	(i)DData centers: production and DR/BCP
Full Back-Up	60 days	(ii)DData centers: production and DR/BCP

3.Recovery of Archived Data:Castlight will restore data files from archived copies as quickly as reasonably practicable, as necessary as a result of system failure or data corruption or losses. Anthem acknowledges that the amount of time required to restore archived data files is dependent upon numerous factors, including, but not limited, severity or the relevant data corruption or loss. Notwithstanding the foregoing, per Castlight’s disaster recovery plan, Castlight shall have systems and processes in place to resume business within forty eight (48) hours.

4.Data Load Timeliness. Castlight warrants it will load new Anthem Data (excluding the Data already specified in K(2) and K(3) above) into the Castlight System within a mutually agreed upon timeline of receipt of Anthem Data pursuant to a Services Order Form.

5.Performance Guarantee Penalty. Failure to comply with the requirements of this Section more than one time per calendar month shall result in a penalty of [***] .

N. Latency Performance Index.

1.Web Page Response Time. Castlight further agrees that Castlight also warrants to Customer that the monthly average Web Page Response Times for login and basic search will be under five (5) seconds.  “Web Page Response Times” shall mean the time measured once the Web transaction of simulated user requests and Web page refresh requests are within a test account deployed in the production environment of the Castlight online service and are within Castlight firewall delivery of corresponding Web pages to users.

2.Performance Guarantee Penalty. [***] .

O. Data Quality Assurance.

Software as a Service (SaaS) Agreement REV. December 2014 Page 46

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

1.Castlight agrees that except as needed to provide the Castlight Services or except as necessary to correct incomplete data or data provided in an incorrect format, it will not impair, degrade or otherwise change the data sent to it by Anthem or by BCBSA on behalf of Anthem for the performance of the Services. Anthem shall have the right to audit such data upon reasonable notice to Castlight. Should the data deviate from the source data sent to Castlight other than as needed to provide the Castlight Services, Castlight shall be in violation of this provision, unless such deviation is approved or requested by Anthem, or Anthem otherwise consents to such change.

2.Performance Guarantee Penalty. [***] .

Software as a Service (SaaS) Agreement REV. December 2014 Page 47

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT H

Required Information Security Controls

Anthem requires all third parties to comply with the goals and objectives of its Information Security Program, as set forth in this addendum. These are minimum requirements of Anthem’s Information Security Program. Depending upon the nature of the engagement or the services provided, other requirements may be added in a Statement of Work or Master Services Agreement. These requirements are in addition to any other security requirements specified within the Master Services Agreement or a Statement of Work. We recognize that sound practices require continual assessment of evolving risks, technology and relevant issues related to information security. In the event that our Chief Information Security Officer deems it necessary to modify these Required Controls in order to continue to reasonably protect Anthem Confidential Information, then Supplier will be notified and a remediation plan and timeframe will be mutually agreed upon. 

SECTION 2. COMPLIANCE

2.1Supplier will comply with all applicable state and federal data security regulations and shall abide by all required security controls as stated herein, based upon the nature of the Services provided, the data involved and/or the location where such Services are rendered.

SECTION 3.INFORMATION SECURITY PROGRAM

3.1Supplier shall maintain a written Information Security Program including documented policies, standards, and operational practices that meet or exceed the applicable requirements, and controls set forth in this Exhibit to the extent applicable to the Services, and identify an individual within the organization responsible for its enforcement. Supplier shall ensure that any of its subcontractors having greater than incidental access to Anthem Confidential Information shall also be contractually bound to meet or exceed these information security provisions. If at any time during the Agreement, Supplier becomes aware that it or any of its subcontractors will or do not meet the obligations described within this Exhibit, Supplier will immediately notify Anthem Information Security at AnthemVendorInfoSec@anthem.com.

SECTION 4.AUDIT PLAN

4.1Supplier will maintain an audit plan designed to validate compliance with the controls documented in its Information Security Program by an independent qualified third party at least annually.

SECTION 5.RIGHT TO ASSESS

5.1Upon reasonable request, Supplier may be asked to complete a security assessment questionnaire and/or attestation document designed to assist Anthem in understanding and documenting Supplier’s security procedures and compliance with the requirements contained herein. Supplier shall provide Anthem with information concerning the safeguards detailed in this Exhibit and/or other information security practices as they pertain to the protection of Anthem Confidential Information. If Supplier seeks Common Security Framework (CSF) Certified status performed by

Software as a Service (SaaS) Agreement REV. December 2014 Page 48

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

an approved CSF assessment third party and is awarded certification from the Health Information Trust Alliance (HITRUST) for the services and/or applications in scope for the engagement, then that HITRUST certification will be accepted in lieu of the Anthem assessment.

5.2From time to time Supplier may be requested to respond to, advise and provide updates on the specific security gaps or exposures that exist for new or emerging security vulnerabilities that are made known for systems, applications, hardware devices, etc. In all instances Supplier will provide a response to any inquiry within 5 business days, and will provide specific details as to the questions asked to ensure that Anthem can appropriately evaluate the risk or exposure to Anthem Confidential Information.

SECTION 6.ENCRYPTION

6.1Approved Encryption must be used for (i) the electronic transmission of Anthem Confidential Information to Anthem and/or to any other third party, as directed by Anthem or permitted in accordance with this Agreement and (ii) on all workstations, communications or convergence devices, portable media and backup tapes containing Anthem Confidential Information. The integrity and confidentiality of Anthem Confidential Information in transit over an open communication network will be protected through the use of Approved Encryption.

6.2The following may be used as Anthem Approved Encryption for cryptographic hash functions:

iSHA-2

iiSHA-3

6.3The following may be used as Anthem Approved Encryption for symmetric encryption:

aAdvanced Encryption Standard (AES) - AES 256 or higher.

6.4The following may be used as Anthem Approved Encryption for public-key asymmetric encryption:

a. Rivest-Shamir-Adelman (RSA) with a 2048-bit key or higher

bElliptic Curve Cryptosystem (ECC) with a 256-bit key or higher

cEl Gamal with a 2048-bit key or higher

dDiffie-Hellman with a 2048-bit key or higher

6.5The following may be used as Anthem Approved Encryption for in-transit encryption:

a128-bit Transport Layer Security (TLS) Version 1.0+

bSecure-HTTP(S)

cIPSec

Software as a Service (SaaS) Agreement REV. December 2014 Page 49

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

dSecure Shell (SSH) Version 2.0+.

SECTION 7.NETWORK AND SYSTEMS SECURITY

7.1Supplier shall utilize and maintain a commercially available, industry standard malware detection program which includes an automatic update function to ensure detection of new malware threats.

7.2An Intrusion Detection or Prevention System which detects and/or prevents unauthorized activity traversing the network will be maintained.

7.3Data Loss Prevention tools will be implemented to detect and prevent the unauthorized movement of data from Supplier’s control.

7.4At a minimum, Supplier shall engage a qualified third party to perform annual penetration testing of Supplier’s networks containing Anthem Confidential Information. The scope of the penetration testing will include all internal/external systems, devices and applications that are used to process, store, transmit Confidential Data, physical security controls for all applicable facilities, and social engineering tests. Upon request Supplier will provide Anthem with summary results and a remediation plan if security flaws are discovered.

7.5Networks or applications that contain Anthem Confidential Information must be separated from public networks by a firewall to prevent unauthorized access from the public network.

7.6Only authorized services and protocols will be permitted access to such computing devices. All unnecessary protocols and services must be denied.

SECTION 8.SYSTEM AND APPLICATION CONTROLS

8.1All Anthem Confidential Information must be securely stored at all times to prevent loss and unauthorized access or disclosure.

8.2Laptop and workstation systems that access Anthem Confidential Information will have encryption at rest and anti-malware protection.

8.3Operating systems and application software used must be currently supported by the manufacturer.

8.4Current versions of operating system and application software must be maintained, and patches applied in a timely manner for all systems and applications that receive, maintain, process or otherwise access Anthem Confidential Information.

8.5At least quarterly vulnerability scanning will be performed. Medium and high risk vulnerabilities identified during the scanning will be promptly remediated.

8.6Anthem Confidential Information must not be used in any non-production environment such as testing or quality assurance unless de-identification of the data has been performed. In the event that de-identification is not practical or feasible compensating controls must be in place protecting the data to the same level of protection as afforded to production environment.

Software as a Service (SaaS) Agreement REV. December 2014 Page 50

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

8.7Anthem Confidential Information must be logically or physically segregated from other data controlled by Supplier or other clients of Supplier in such a way that the data may be identified as Anthem data and access controls implemented so that only those users authorized to access the data will be permitted to do so.

SECTION 9.DATA DESTRUCTION

9.1All Anthem Confidential Information, whether such information is in paper, electronic or other form, requires secure disposal or destruction when no longer required, when requested by Anthem or upon the termination or expiration of the Agreement. These measures should, at a minimum, include: (i) burning, pulverizing or cross-cut shredding to a size equal or smaller to 5/8-inch by 2-inches papers or print media so that the information cannot practicably be read or reconstructed; (ii) ensuring the destruction or erasure of floppy disk, magnetic tape, tape cartridges, hard drives or other electronic or optical media so that the information recorded or contained cannot practicably be read, recovered or reconstructed; and, (iii) ensuring that any third party who performs the activities described in (i) and (ii) on Supplier’s behalf does so in a manner consistent with these requirements.

SECTION 10.PHYSICAL CONTROLS FOR THE PROTECTION OF ANTHEM CONFIDENTIAL INFORMATION

10.1All Anthem Confidential Information received or created in paper form must be stored in lockable containers.

10.2A clean desk policy will be enforced to ensure proper safeguarding of all hard copy Anthem Confidential Information.

10.3Supplier must retain visitor logs documenting all individuals who are not employed by Supplier who gain access to the facility where services are performed.

10.4Anthem Confidential Information will not leave control of the Supplier without the written approval of Anthem.

10.5Servers, enterprise data storage devices, backup tapes and media, and other computing devices that contain Anthem Confidential Information used to support network communications must be located in a secure and restricted access location within the facility.

10.6All workstations, portable devices and removable media containing Anthem Confidential Information or accessing Anthem networks must be encrypted.

SECTION 11.ACCESS CONTROL

11.1Prior to gaining access to Anthem Confidential Information, workforce members will have appropriate background checks completed in compliance with state and federal law with no breach of trust crimes reported.

11.2Physical and logical access to Anthem Confidential Information and the systems and workspaces used to support Anthem, will only be granted as a result of a demonstrated and legitimate need to know based upon job responsibilities.

Software as a Service (SaaS) Agreement REV. December 2014 Page 51

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

11.3Security awareness training will be completed prior to access being granted to Anthem Confidential Information, and then completed on an annual basis going forward so long as access to Anthem Confidential Information continues.

11.4Physical and logical access will be granted to the minimum Anthem Confidential Information necessary to meet the requirements of the user’s scope of responsibilities.

11.5Access reviews will be performed at least quarterly for privileged user and twice annually for non-privileged user accounts.

11.6Only those individuals providing services to Anthem, or those who are responsible for administering or managing systems that contain Anthem Confidential Information shall be authorized to access systems containing Anthem Confidential Information.

11.7All users that are no longer required or authorized to access Anthem Confidential Information or systems that contain Anthem Confidential Information must have access promptly disabled.

11.8Access to Anthem Confidential Information and systems that contain Anthem Confidential Information must be access controlled through the use of individual user IDs and passwords.

11.9All user passwords must be changed at least every ninety (90) days at a minimum, or sooner if there is reasonable cause to believe that an unauthorized person has learned the password.

11.10Processes must be in place to create the appropriate audit trails to determine who has accessed Anthem Confidential Information and/or systems that contain Anthem Confidential Information.

11.11Remote access to systems or networks that contain Anthem Confidential Information must use multi-factor authentication and a connection with Approved Encryption.

11.12A report listing all individuals who have access to Anthem Confidential Information and/or systems that contain Anthem Confidential Information and the level of access granted shall be provided to Anthem within 48 hours upon request.

11.13A report listing activity associated with any user ID who has access to Anthem Confidential Information shall be provided to Anthem within 48 hours upon request.

SECTION 12.OFFSHORE SECURITY REQUIREMENTS

12.1Anthem Confidential Information is not permitted to be hosted or stored offshore. Offshore locations may be utilized for the processing of data. However, all data must reside on servers located in the United States for the duration of the processing.

12.2Backup processes at offshore locations will not receive, maintain, process, or otherwise access Anthem Confidential Information.

12.3Offshore workstation computers must adhere to baseline system security requirements defined by the organization which enforce the most restrictive mode consistent with operational requirements. All unnecessary services, features and networks must be disabled on workstations used to support Anthem operations, including:

Software as a Service (SaaS) Agreement REV. December 2014 Page 52

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

aDisabling workstations from simultaneously connecting to the Anthem network and other networks (split tunneling)

bDisabling user access to local workstation storage or supplier network storage (such as that to which Anthem Confidential Information) by employing the following technical controls:

cPlatform - external and internal firewalls configured for least port access, traffic load balancing for server masking, network switching with VLAN segregation, network intrusion detection systems (NIDS), host intrusion detection systems (HDS), application firewalls (WAF), data leakage protection (DLP) installed on all servers where Customer data reside and bastion host configured in blocking mode, server function segregation (web/application, database), encryption in transit and rest. Privileged access is controlled by a bastion host gateway, multi-factor access for user identity and authentication with unique user id’s with a least access utilizing RSA 2F and centralized LDAP. Access for running privileged activities is authorized using privileged management tools (sudo) and logged centrally for verification and auditing including keystroke logging. Change control is strictly enforced for operational and application code changes with four-eyes principle in review, tracking and approval.

dCastlight has a formal monitoring policy and procedure for all systems that process or store Anthem data that employs centralized logging of systems, network and security devices and keystroke logging.

eWorkstation – Full disk encryption at rest, 10 minute screen lock, DLP, Anti-Virus, offshore workstations restrict administrators access and read-only capability for external devices (USB, I/O ports etc)

•For offshore locations, Supplier shall employ a bastion host which includes technical controls that act as a traditional Citrix environment where the end user is limited to screen refreshes and the endpoint can do nothing more than view the information.  All read write and elevated access by the user shall be initiated within the bastion host user environment.

•No one at any offshore location will access any Anthem systems.

12.4All work from offshore locations must be performed in facilities that have received prior written approval. As of the date of the Agreement, Anthem has approved the subcontractors and locations set forth on Exhibit N of the Agreement. Any offshore subcontractors that access Anthem Confidential Information outside of an approved location, would need to be approved by Anthem Information Security prior.

SECTION 13.CLOUD COMPUTING

Anthem bases the decision of whether a service is considered a cloud based technology on several factors including the five essential characteristics defined by the National Institute of Standards and Technology (NIST), Note that the absence of one or more of these characteristics is not viewed as a final deciding factor when determining if a service is Cloud based. Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Castlight warrants that it does not utilize or place Anthem Confidential Information into an environment that meets the definition of Cloud Computing described herein to provide services to Anthem. Castlight

Software as a Service (SaaS) Agreement REV. December 2014 Page 53

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

will not utilize or place Anthem Confidential Information into a Cloud Computing environment unless the solution complies with applicable Anthem Workforce Information Security Policy.

The use of a multi-tenant environment is prohibited for hosting Confidential Information, unless a risk assessment has been performed and the appropriate Anthem Information Security approved risk mitigating controls are in place.

Logical controls, virtual machine zoning, virtualization security and segregation must be in place to help prevent attacks and exposure in multi-tenancy environments.

Anthem Confidential Information must not be stored on removable or mobile media with other non- Anthem information (e.g. shared backup tapes).

Anthem Confidential Information included in a cloud computing-based environment must be protected with Anthem Approved Cryptographic Controls in transit, storage, and at rest. Appropriate Encryption key management must also be provided.

All Anthem data hosted in a cloud environment must remain on US-based systems and may not be stored outside of the United States.

The Cloud Service Provider (CSP) must provide a detailed mechanism for how litigation holds will be implemented. This will include how metadata will be created, accessed, and stored in the cloud environment.

Cloud Service Providers must undergo an annual independent audit by an accredited auditing firm covering the scope of Anthem data. Results of this audit must be provided to Anthem along with associated remediation decisions and activities, if applicable.

Key application components must have interoperability and portability requirements outlined that would allow Anthem to assume these items if needed.

Incident response roles and responsibilities must be clearly outlined between the cloud service provider and Anthem.

Security-related reports including vulnerability scans, intrusion detection, identity management must be performed and provided to Anthem on all systems and components that handle, process, or store Anthem data. This can be accomplished by the cloud service provider or Anthem performing the scans and generating the reports. For scans performed by the Cloud Service Provider, the results must be delivered quarterly to the Anthem Information Security team representatives.

When virtual machines or instances are no longer used, moved from one physical server to another, or have been decommissioned, all data must be zeroed or destroyed using Information Security approved techniques.

Identity management for cloud computing-based services and platforms will be in place establishing the identity of the user and providing for authentication and authorization.

The CSP must have a system able to enforce or allow Anthem appointed personnel to enforce the account management capabilities, such as account lockouts for unsuccessful logon attempts, defined inactivity

Software as a Service (SaaS) Agreement REV. December 2014 Page 54

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

times, remote access allowances, specific success and failure events, and management of elevated privilege accounts.

All identity credentialing, authentication, authorization, and access control events must be logged and those logs are subject to periodic audit. At a minimum, the CSP must produce logs of all specified success and failure events associated with identity and access management in the cloud environment it manages. These logs must then be archived for at least twelve months. These archived logs must be searchable and or discoverable.

The CSP must conduct access reviews quarterly for privileged user accounts and twice yearly for non-privileged user accounts.

Technology Steering Board If upon review by Anthem’s Technology Steering Board, items are identified for remediation, such remediation must be completed in agreed upon timeframes.

SECTION 14.CONTINGENCY PLANNING

14.1Supplier will have documented Business Continuity and Disaster Recovery plans in place. Such plans will be tested at least annually.

SECTION 15.INCIDENT RESPONSE

15.1Supplier will have documented Incident Response Plan. Such plan will be tested at least annually.

SECTION 16.PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

To the extent that Supplier stores, processes or transmits cardholder Nonpublic Personal Financial Information as part of the Services, Supplier shall at all times be compliant with the Payment Card Industry Data Security Standard.

Software as a Service (SaaS) Agreement REV. December 2014 Page 55

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT I

Qualified Health Plan

Regulatory Exhibit

The following Qualified Health Plan terms and conditions shall be incorporated into the Agreement. These provisions shall only apply to services provided by Vendor to or for Health Plan’s “Qualified Health Plans” as defined in and in accordance with 45 CFR Parts 155 and 156, and any subsequent amendments or relevant provision in the regulations.

Federal Requirements - Applicable to all Health Plans that are Qualified Health Plans

1.Qualified Health Plans. Vendor acknowledges that payments Vendor receives from Health Plan may be used to provide services to Qualified Health Plan Covered Individuals. Therefore, Vendor and any of its subcontractors may be subject to certain laws that are applicable to individuals and entities providing services to Qualified Health Plans, including but not limited to, 45 CFR §§155.1210 and 156.340. Vendor agrees to comply with the requirements of 45 CFR §§155.1210 and 156.340, including but not limited to those set forth in the following sections of this Exhibit.

2.Maintenance of Books and Records. In accordance with 45 CFR §§155.1210 and 156.340, Vendor agrees that it will maintain all books and records related to its provision of services to Qualified Health Plans for ten (10) years.

3.Inspection of Books and Records. In accordance with, 45 CFR §§155.1210 and 156.340, Vendor acknowledges that the State where Health Plan is located, the Department of Health and Human Services (HHS), the Office of Inspector General, State regulatory agencies, or their designees have the right to timely access to inspect, evaluate and audit any books, contracts, medical records, patient care documentation, and other records of Vendor, or its first tier, downstream and related entities, including but not limited to subcontractors or transferees involving transactions related to Health Plan’s Qualified Health Plans through ten (10) years from the final date of the contract period or from the date of the completion of any audit. For the purposes specified in this provision, Vendoragrees to make available Vendor’s premises, physical facilities and equipment, records relating to Health Plan’s Covered Individuals, including access to Vendor’s computer and electronic systems and any additional relevant information that the State, HHS, OIG or their designees may require.

Software as a Service (SaaS) Agreement REV. December 2014 Page 56

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

4.Subcontractors. In accordance with, 45 CFR §§155.1210 and 156.340, Vendor agrees that if Vendor enters into subcontracts to perform services under the terms of the Agreement, Vendor’s subcontracts shall include an agreement by the subcontractor to comply with all of the Vendor obligations in this Qualified Health Plan Regulatory Exhibit and applicable terms in the attached Agreement. Such subcontract shall specify the delegated activities and reporting requirements.

5. Termination-Regulatory Issues. In accordance with 45 CFR §§155.1210 and 156.340, if during the term of the Agreement, the Health Plan concludes that it is necessary to cancel any of the activities to be performed under this Agreement in order to comply with Federal or State laws, regulations, or policies applicable to Qualified Health Plans, Health Plan may, at its discretion, cancel the activity and be relieved of any related obligations under the terms of the Agreement. If Health Plan or Vendor concludes that it is necessary to reorganize or restructure any of the activities to be performed under this Agreement in order to comply with Federal or State laws, regulations, or policies applicable to Qualified Health Plans, Health Plan or Vendor may request to renegotiate such terms.

6.  Revocation. Vendor agrees that Health Plan has the right to revoke this Agreement for its  Qualified Health Plans if HHS, the applicable State regulatory agency or Health Plan determines that Vendor or any of its independent contractors or subcontractors has not performed the services satisfactorily and/or if requisite reporting and disclosure requirements are not otherwise fully met in a timely manner. Such revocation shall be consistent with the termination provisions of the Agreement.

State-Specific Requirements

The following additional provisions apply if and only to the extent that Vendor provides services to or for Qualified Health Plans in the specified state.

Connecticut - If Vendor is a “Material subcontractor”, Vendor will comply with all of the applicable provisions of the contract between Health Plan and the State Exchange Board. “Material subcontractor” means “any entity from which Health Plan procures or re-procures, or proposes to subcontract with for the provision of, all or part of its administrative services for any major program area or function that relates to the delivery of care including but not limited to behavioral health, claims processing, or pharmacy benefit and/or actuarial support.”

Nevada - Vendor agrees that if it receives from or creates for Health Plan, as a Qualified Health Plan in the State of Nevada, any PHI (protected health information) or PII (personally-identifiable information), Vendor will implement reasonable and appropriate safeguards to protect such PHI or PII.  Prior to any Vendor employee or agent receiving or having access to any PHI or PII, Vendor must first have entered into a business associate agreement with Health Plan. 

New York - Vendor agrees that all work performed by it for Health Plan must be in accordance with the terms of this contract between Health Plan, as a Qualified Health Plan, and the State of New York (the “QHP Contract”), including, without limitation, the confidentiality provisions set

Software as a Service (SaaS) Agreement REV. December 2014 Page 57

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

forth therein. Under no circumstances shall Vendor subcontract any of its duties or obligations under the Agreement without the prior written approval and knowledge of the Health Plan and New York Department of Health.

Vendor shall promptly notify Health Plan in writing of any inquiry, audit, investigation, litigation, claim, examination or other proceeding involving Vendor, or any of its personnel, that is threatened or commenced by any regulatory agency or other party that a reasonable person might believe could materially affect the ability of Vendor to perform in accordance with the terms set forth in the Agreement or in the QHP Contract. Vendor shall provide such notice within ten (10) days of the date when Vendor learns of such action/event. Vendor acknowledges that Health Plan is obligated to notify the State of New York of such actions/events under the terms of the QHP Contract. Vendor shall comply with the State of New York's reasonable requests for information relating to the reported action/event; provided, however than any such exchange of information shall be subject to compliance with law and shall not occur to the extent prohibited by order of the court, administrative agency, or other tribunal or regulatory authority having jurisdiction over the matter or by the laws and regulations governing the action.

Software as a Service (SaaS) Agreement REV. December 2014 Page 58

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT J: BCBSA REQUIREMENTS

BCBS AXIS REQUIREMENTS and BCBSA CO-BRANDING REQUIREMENTS

EXHIBIT J-1

BCBS AXIS REQUIREMENTS

The use of data by Castlight is restricted as set forth below. The alteration of Network Data or BCBS AXIS Data in any manner is prohibited, except as outlined below.

Network Data

Network Data must only be used for the following:

•Account-specific geographic analyses

•Account-specific disruption analyses

•Provider finder applications

•Call center applications

•UM/UR

Network Data may only be supplemented and used in an integrated display as follows:

•When Anthem has executed an agreement to supplement the Network Data with each Non-Anthem Blue Plan; or

•By providing a link to the third party data source. (The source of the data must be clearly identified in the presentation of the data.)

BCBS AXIS Data

BCBS AXIS Data may only be used for the following:

•Blue Distinction analysis reporting

•Savings opportunity reports provided to national accounts

•Establishing benefit differentials based on the setting of service

•Integrate multiple physician office visit costs for member display

•Member out-of-pocket estimates

BCBS AXIS Data must follow the data use and display standards as outlined by BCBSA and communicated by Anthem. General categories include:

Software as a Service (SaaS) Agreement REV. December 2014 Page 59

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

•Access and Security

•Overlapping Service Areas

•Procedure Volume

•Treatment Category

•Provider Specific Display

•Office Visit Display

•Out-of-Pocket

•Messages

•Hover Text

In addition, a disclaimer/disclosure statement must be displayed to Anthem Blue Members or Non-Anthem Blue Members when accessing the BCBS AXIS Data. The disclosure/disclaimer statement must be present to clarify what the BCBS AXIS Data is what it is not. Key points must include:

•Explanation of how estimates were developed

•Estimates are a guide

•Estimates vary and actual cost may change

•Coverage, benefits and authorization for services must be checked.

•A statement that the information does not indicate medical advice, actual costs, guarantee of payment, prior approval for the service or represent an adjudicated claim.

BCBS Data Access

BCBS data assets must be accessed only via the following methods:

•Transactional web services

•Staged structured data built in a secure BCBSA environment

•Data extracts

Data Aggregation

Until and unless a change in BCBSA Policy permits such aggregation and Anthem has communicated such change to Castlight in writing, Castlight is prohibited from aggregating account-specific claims data with data from other BCBS and non-BCBS accounts for the purpose of consumer transparency solutions.

Software as a Service (SaaS) Agreement REV. December 2014 Page 60

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT J-2

BCBSA SUMMARY CO-BRANDING REQUIREMENTS

A.Definitions

1.Support Company: a company that the Licensee (Anthem) hires to help deliver products and services that a Licensee offers under the Blue Cross and Blue Shield names and symbols (each a “Blue Product”), or services in support of the Licensee’s Blue Products. For purposes of the Core Transparency Services, Castlight is a Support Company.

2.Account Vendor: a company that provides its own product or services to the account or individual without involvement by the Licensee; may have a joint marketing arrangement with the Licensee. In providing the Castlight Buy-Up Products under direct contracts with customers, Castlight acts as an Account Vendor.

2. Requirements

Software as a Service (SaaS) Agreement REV. December 2014 Page 61

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Co-Branding Requirement Categories	Support Company Requirement	Account Vendor Requirement
Logo Prominence	Licensee symbol/logo must appear to the left of Support Company logo; Support Company logo may not exceed the height of the Licensee symbol/ logo (i.e. the Licensee and Support Company logos are permitted to be the same size)	Licensee symbol/logo must appear to the left of Account Vendor logo; Account Vendor logo may not exceed the height of the Licensee symbol/ logo (i.e. the Licensee and Account Vendor logos are permitted to be the same size)
Content/ Format	Support Company co-branded content may not promote or include information about “other products” of Support Company. Support company co-branded content cannot display brands of National Competitors or entities in litigation with BCBSA regarding use of Blue marks. In the course of providing its services, Support Company may make a factual reference in its materials that it is providing services in connection with Licensee’s Blue Product(s).	Account Vendor co-branded content must include Account Vendor’s name (i.e. “blind references” are not permitted except as specifically permitted on ID cards.); Account Vendor co-branded content cannot display brands of National Competitors or entities in litigation with BCBSA regarding use of Blue marks. Co-branded communications and information about Account Vendor’s products must be presented in a segregated format such that a potential or existing Customer can discern that the Castlight Buy-Up Product is not a Blue Product.
Disclosures	Co-branded communications must state that Support Company is an independent or separate company; co-branded communications must elaborate on nature of services provided by Support Company in supporting Blue product; e.g., X, is a separate company that provides xxx services on behalf of Anthem	Co-branded communications must state that Account Vendor is an independent or separate company; co-branded communications must explicitly state that product is NOT a BlueCross and/or BlueShield product. Co-branded communications must state that Account Vendor is solely responsible for product.

3. Castlight’s Role.

Anthem and Castlight acknowledge that Castlight’s activities related to the overall arrangement contemplated by the Agreement encompass activities of both a Support Company and Account Vendor. Anthem and Castlight will develop a framework to determine whether Castlight activity should be governed by BCBSA Support Company or Account Vendor co-branding communication requirements. For example:

Software as a Service (SaaS) Agreement REV. December 2014 Page 62

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Castlight activity:	Definition of Castlight in relation to Anthem for activity:	Rationale
Sales collateral about the directly-contracted Castlight Buy-Up Products	Account vendor	Castlight is selling. No blue branding
Transparency Web Site	Support Company	Castlight is acting as Anthem’s enterprise transparency vendor in this instance.
Castlight Web Site (when/if accessed by Users of groups that have purchased one or more directly-contracted Castlight Buy-Up Products	Account vendor	Castlight is entering into a direct agreement with the group for the Castlight Buy-Up Product(s). No blue branding
Member communications about the directly-contracted Buy-Up Products	Account vendor	Castlight is the entity responsible for Member engagement activities with respect to the Buy-Up Products No blue branding

EXHIBIT J-3

Patient User Review Requirements

A.PRP Requirements.  The following requirements apply to the Patient Review of Physicians (“PRP”) program:

1.Members must be offered a patient review tool s providing them the ability to read and write reviews about their experiences with providers.

2.Adherence to the Patient Review standards in accordance with the BCBSA Inter-Plan Programs Manual is required.

3.Participating providers must be educated about the potential for members of other Blue Plans to read and write reviews about their patient experience.

4.Patient review data must be supplied to the BCBSA in accordance with the BCBSA Inter-Plan Programs Manual.

5.Patient Review data must be displayed in accordance with the Inter-Plan Programs Manual.

Software as a Service (SaaS) Agreement REV. December 2014 Page 63

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

B.PRP Standards.  Compliance with the PRP standards for consistent collection of patient review data is required.  The four PRP standards are common questions, authentication, validation, and moderation. 

1.Common Questions.  All User Review (PRP) tools must include a minimum set of common questions in their display to Members that cover the following aspects of the patient encounter with the provider. Other questions in addition to this set may be included, but only response data on the common question set or supplemental question categories are aggregated in the BCBSA’s National Patient Review Database. The text does not have to be worded exactly the same as the common question set but must be consistent in meaning with the required topic categories in order to allow for aggregation of response data from all Plans.

#	Topic	Question	Response Type	Plan	Member
1	Overall Experience	"How would you rate your overall experience and satisfaction with this doctor?"	Point Scale (e.g., five-point scale)	Display  all six Questions to  Member in tool is required.	Member required to respond to Questions 1 and 2 in order to submit their review
2	Recommend	"Would you recommend this doctor to your friends/ family?"	Yes/No
3	Communication	"How well did the doctor communicate with you about your health concerns?"	Point Scale		Optional for Member to respond
4	Availability	"How would you rate the doctor's availability for your appointment?"	Point Scale		Optional for Member to respond
5	Environment	"How would you rate the doctor's overall practice environment?"	Point Scale		Optional for Member to respond
6	Text Comments	"Have additional comments to make about this doctor?"	Open Text Field		Optional for Member to respond

2.Authentication. To ensure validity and integrity, members must be authenticated through the Anthem portal in order to write a review on a provider.

3.Validation. Validation that the member writing a review has seen the provider and determine the encounter validation method for their members is required (member attestation or claim verification are acceptable methods).

Software as a Service (SaaS) Agreement REV. December 2014 Page 64

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

4.Moderation. Reviews that contains text (non-numeric content such as comments or screen name) must be moderated (i.e., reviewed by a person) to ensure appropriateness for display. Additionally, the Restricted Terms list identifies terms that cannot be submitted to the National PRP Database.  Attempting to submit reviews containing Restricted Terms will cause a data submission error.

Software as a Service (SaaS) Agreement REV. December 2014 Page 65

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT K

NCQA REQUIREMENTS – DIVISION OF RESPONSIBILITIES

Castlight Health, Inc.

Division of Responsibilities for Online directory services, cost estimation, and provider quality / review

In scope for: NCQA RR4 and MEM 5A

Please note: The Health Plan retains responsibility for all functions unless designated below.

Basic Compliance Activity Standard	Compliance Activity Performance Measurement	Party Responsible For Compliance Activity
		Health Plan	Vendor
Physician directory Data NCQA RR4A]	The organization has a Web-based physician directory that includes the following physician information: 1.Name 2.Gender 3.Specialty 4.Hospital affiliations 5.Medical group affiliations, if applicable 6.Board certification 7.Accepting new patients 8.Languages spoken by the physician or clinical staff 9.Office locations

Software as a Service (SaaS) Agreement REV. December 2014 Page 66

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

Physician and Hospital Directories Physician Directory Updates [NCQA RR4B]	The organization updates the physician directory within 30 calendar days of receiving new information from the physician. Call out timeframe of both parties to meet the 30 days turnaround timeliness	Anthem is responsible for the intake	X Vendor is responsible for display and timeliness
Physician Information Validation [NCQA RR4C]	In each physician listing in its Web-based directory, the organization provides an explanation of the item, its source, the frequency of validation and limitations with each of the following: 10.Name 11.Gender 12.Specialty 13.Hospital affiliations 14.Medical group affiliations 15.Board certification 16.Accepting new patients 17.Languages spoken by the physician or clinical staff 18.Office locations Physician information is accessible from each listing and may be layered (e.g. pop-up or pull-down windows)	Anthem owns the content	X They need to provide a location and accept updates as needed.

Software as a Service (SaaS) Agreement REV. December 2014 Page 67

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

searchable Physician Web-Based Directory NCQA RR4D]	The organization's web-based physician directory includes search functions with instructions on how to find the following physician information: 19.Name 20.Gender 21.Specialty 22.Hospital affiliations 23.Medical group affiliations 24.Accepting new patients 25.Languages spoken by the physician or clinical staff 26.Office locations
Hospital Directory Data NCQA RR4E]	The organization has a web-based hospital directory that includes the following information to help members and prospective members choose a hospital: 27.Hospital name 28.Hospital location 29.Hospital accreditation status 30.Hospital quality data from recognized sources	Factor 4: Anthem owns the content- Hospital Quality Data	Factor 4: They need to provide a location and accept updates as needed.
Hospital Directory Updates [NCQA RR4F]	The organization updates its hospital directory information within 30 calendar days of receiving new information from the hospital. Call out timeframe of both parties to meet the 30 days turnaround timeliness	Anthem is responsible for the intake	X Vendor is responsible for display and timeliness

Software as a Service (SaaS) Agreement REV. December 2014 Page 68

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT L

[***]

Software as a Service (SaaS) Agreement REV. December 2014 Page 69

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT M

JOINTLY DEVELOPED PRODUCTS

i.Rights and Responsibilities of the Parties. The Parties may elect during the term of the Agreement to collaboratively develop new products (each a “Jointly-Developed Product” and collectively the “Jointly-Developed Products”). Except as set forth in this Agreement, the development responsibilities, pricing and contracting arrangements, data requirements, ownership and intellectual property rights, and other terms associated with each Jointly-Developed Product shall be as mutually agreed by the Parties and memorialized in a writing signed by both Parties and incorporated herein by reference upon execution by the Parties.

ii.Exclusivity. During the Exclusivity Period associated with each Jointly-Developed Product created during the term of the Agreement, the Jointly-Developed Product shall be made available only to: (a) Plan Sponsors whose group health plans are administered or insured by Anthem; (b) Anthem, for any of its customer segments; and (c) customers of Non-Anthem Blue Plans. For purposes of this provision, “Exclusivity Period” shall mean, with respect to a Jointly-Develop Product, a period of two (2) years beginning on the date on which the Parties mutually agree that the Jointly-Developed Product has passed all quality and testing regimens and is generally ready for production use.

iii.Revenue Share on Jointly-Developed Products. Anthem shall be entitled to an incentive in the form of a revenue share in the amount of 10-25% of revenue for Jointly-Developed Products purchased by Anthem clients, including the purchase of any Jointly-Developed Product(s) by Anthem for any of its customer segments. The Parties will mutually agree on the revenue share percentage on an Order basis.

Software as a Service (SaaS) Agreement REV. December 2014 Page 70

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT N

APPROVED SUBCONTRACTORS AND SERVICE LOCATIONS

The subcontractors utilized by Castlight in the performance of Castlight’s services and approved by Anthem are listed in this Exhibit Nand such list may only be modified in accordance with the terms and conditions of the Agreement:

•Persistent Systems - Pune India

•Telerex - Horsham Pennsylvania

•Indmax - Hyderabad India

•Imaginea - Hyderabad India

•AASON - Consulting Chicago, Illinois

•SunGard - Aurora Colorado and Phoenix Arizona

•DatAvail - Broomfield Colorado

•Imperva - Redwood Shores, California

•Mimecast - Watertown, Massachusetts

•Birst - San Francisco, California

Software as a Service (SaaS) Agreement REV. December 2014 Page 71

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

.

EXHIBIT O

COMPETITORS

▪.UnitedHealth Group, Inc. and its subsidiaries and affiliates

▪.Aetna Life Insurance Company and its subsidiaries and affiliates

▪.Cigna and its subsidiaries and affiliates

Software as a Service (SaaS) Agreement REV. December 2014 Page 72

CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS NOT MATERIAL AND WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.

EXHIBIT P

Medicare Medicaid Dual Integration Regulatory Exhibits

§Exhibit P -1: New York Dual Integration Regulatory Exhibit

§Exhibit P-2: Texas Dual Integration Regulatory Exhibit

§Exhibit P-3: Virginia Dual Integration Regulatory Exhibit

Software as a Service (SaaS) Agreement REV. December 2014 Page 73

AMENDMENT 7 TO THE SAAS AGREEMENT

This Amendment 7 to the SaaS Agreement (this “Amendment”) is made as of October 19, 2019 (“Amendment Effective Date”) and amends that certain SaaS Agreement executed on November 1, 2015,as amended (the “Agreement”), by and between Castlight Health, Inc. (“Castlight”) and Anthem, Inc. on behalf of itself and its Affiliates (collectively, “Anthem”).

The Parties agree as follows:

1.Conflict of Terms, Definitions. In the event of a conflict between the terms of this Amendment and the terms of the Agreement, the terms of this Amendment shall control. Unless otherwise specified in this Amendment, all capitalized terms shall have the meaning given to them in the Agreement.

2.Amendment to Section 14.2 Limit on Direct Damages. Section 14.2 of the Agreement is hereby replaced in its entirety with the following:

“14.2. Limit on Direct Damages. Except as set forth in Section 14.3 below, in no event shall either Party’s aggregate liability exceed $20,000,000 (Twenty Million Dollars). Any amount owed by Castlight to Anthem in the way of service credits based upon a failure to meet the Service Levels set forth on Exhibit G attached hereto, shall not count toward any calculation of damages under this section.”

3.Amendment to Exhibit G: Service Levels. Exhibit G: Service Levels of the Agreement is hereby amended as follows:

a.Each reference to “Authorized User” in Exhibit G is hereby replaced by a reference to “User” as defined in the Services Order Form 5 to the Agreement.

b.The definition of “End Users” in Exhibit G is hereby replaced in its entirety by the following definition of “Impacted Users”. Each reference to “End Users” in Exhibit G shall be read as a reference to “Impacted Users”.

“Impacted Users” shall mean the Users whose Service was actually affected by the failure to meet the performance standard in question.”

c.For the avoidance of doubt, where a payment that is due under Exhibit G is expressed as a percentage of fees, such payment shall be a percentage of the monthly fee amount unless expressly stated otherwise in Exhibit G.

74

4.Deletion of Exhibit L: Pricing: Exhibit L of the Agreement is hereby deleted in its entirety.

5.No Other Modifications. Except as provided herein, the terms and conditions of the Agreement shall remain the same, and in full force and effect.

IN WITNESS WHEREOF, the parties have caused this Amendment to be duly executed as of the Amendment Effective Date indicated above.

Castlight Health, Inc.		Anthem, Inc.
By:	/s/ Siobhan Nolan Mangini	By:	/s/ Jim Ardell
Name:	Siobhan Nolan Mangini	Name:	Jim Ardell
Title:	President & CFO	Title:	VP, Corporate Real Estate and CPO
Date:	10/19/2019	Date:	10/19/2019
Address:	150 Spear St. Floor 4 San Francisco, CA 94105	Address:	220 Virginia Ave Indianapolis, IN 46204

75