[*] = Certain confidential information contained in this document, marked by brackets, has been omitted because it is both not material and would likely cause competitive harm to the Company if publicly disclosed.
Amendment No. 3
TO
Master Supply Agreement
This Amendment No. 3 to Master Supply Agreement (the “Amendment”), having an effective date of October 1, 2019 (“Amendment Effective Date”) to the Master Supply Agreement dated June 12, 2018 (as amended, the “MSA”) is entered into by and between SunPower Corporation, a Delaware corporation with offices at 51 Rio Robles, San Jose, California 95134 (“SunPower”), and Enphase Energy, Inc., a Delaware corporation with offices at 47281 Bayside Parkway, Fremont, California 94538 (formerly at 1420 N. McDowell Blvd., Petaluma, CA 94954) (“Enphase”). Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the MSA.
WHEREAS, SunPower desires to purchase certain other Enphase microinverters for purposes of using such microinverters as field replacement units (“FRU”s) in place of existing inverters in SunPower’s Gen 1.x, Gen 2.x and Gen 3.x AC Module based solar systems (collectively, the “Legacy Systems”, and the inverter replacement program shall be referred to as, the “FRU Program”);
WHEREAS, Enphase wishes to sell such other products to SunPower for the FRU Program;
WHEREAS, the Parties have entered into the MSA for purposes of specifying the terms and conditions under which SunPower will purchase and Enphase will supply certain Enphase products to be used by SunPower;
WHEREAS, SunPower and Enphase now desire to further supplement and add additional Products (as defined below) to the scope of the MSA, including those to be used as part of the FRU Program;
AND WHEREAS; For purposes of this Amendment, “Covered Products” are defined as Enphase Products sold to SunPower hereunder as FRUs required to support Legacy Systems as further outlined in the table below:
|SunPower MI
|W-ac
|V-dc range
Enphase MI
(each a “FRU Microinverter”)
|Gateway
|Gen 3.x
|320
|20-64
|IQ7XS-96-2-US
|Sunpower PVS6
|Gen 2.x
|238
|25-50
|IQ7PD-84-2-US
|Enphase Envoy or AC Combiner
|Gen 1.x
|225
|25-50
|IQ7PD-84-2-US
|Enphase Envoy or AC Combiner
NOW, THEREFORE, for adequate consideration, the receipt of which is hereby acknowledged, the Parties agree to the following:
1. Covered Products. SunPower shall purchase and Enphase shall supply Covered Products, including those necessary for SunPower to mount the FRU Microinverter to a SunPower Legacy System as a replacement for an existing inverter that is part of the Legacy System. The applicable data sheet for the FRU Microinverters are attached hereto as Attachment A.
2. Pricing. Enphase shall supply and SunPower shall purchase Covered Products at the prices listed in Attachment B to this Amendment, attached hereto. As used in this Amendment, Covered Products does not include any other Products supplied under the terms of the MSA. All references to a quarter, or “Q”, in this Amendment means the three month calendar period, starting with Q1 being January 1st through March 31st of the respective year. For the avoidance of doubt, this Attachment B shall apply solely to the FRUs made available under this Amendment and, except as expressly set forth herein, shall in no way modify the Exhibit B agreed upon in Amendment No. 2 to the MSA.
3. Forecasts. Section 2.1 of the MSA (Forecasts) shall be applicable to the Covered Products.
4. Volume. Enphase shall sell and SunPower shall purchase the volume of FRU Microinverters set forth for each period specified in Attachment B. All Covered Products supplied to SunPower under this Amendment shall be included for purposes of calculating the Volume-Based Price Adjustment under the MSA.
5. FRU Program Requirements. The Parties agree that microinverter reliability is an important aspect of the FRU Program and it is critical to ensure that each microinverter can be remotely monitored and updated in order to lead to that desired reliability. Accordingly, the Parties agree to the following:
a. Complete Legacy System Replacement. If SunPower replaces any one inverter on a Legacy System with a FRU Microinverter, SunPower shall replace each and every existing inverter on such Legacy System with an Enphase FRU Microinverter (such action referred to as a “Full Site Replacement”). Upon future review of technical feasibility and mutual agreement of both Parties, SunPower may elect to perform partial replacement at a site at a later date.
b. Required Software Updates. For systems connected to Enphase’s Envoy systems, Enphase will follow the Sunpower PCN process and notify SunPower of any updates prior to performing upgrades. For systems connected to PVS6, software updates shall be carried out in accordance with the MSA.
c. Gateway Product. For each replacement with IQ7XS-96-2-US, SunPower shall ensure that each IQ7XS-96-2-US unit is connected to a SunPower PVS6 or compatible gateway product, with the ability to remotely commission, monitor, control and provide the firmware upgrade capability on each FRU Microinverter. For each replacement with IQ7PD-84-2-US SunPower shall ensure that each IQ7PD-84-2-US unit is connected to an Enphase Envoy with the ability to remotely commission, monitor, control and provide the firmware upgrade capability on each FRU Microinverter. Enphase and Sunpower shall cooperate to develop relevant System APIs to provide performance data to SunPower.
d. Data Sharing. SunPower shall gather the performance data described in Attachment D-1 in relation to a SunPower PVS6 product (the “Data”) and make such Data available to Enphase for the previous [*] (at a minimum), on a rolling basis, refreshed no less frequently than weekly (provided that SunPower shall make available one month of Data promptly following the date this Amendment is signed and shall provide each subsequent month’s Data until the aforementioned three (3) months of Data is available), including, without limitation, the data points set forth in Attachment D-1, attached hereto and incorporated by reference. The Data is made available “as-is” and SunPower makes no representation or warranty whether express or implied, including accuracy, completeness, or any implied warranties of title, non-infringement, quiet enjoyment, integration, merchantability or fitness for a particular purpose with respect to such Data. Following the first month in which three (3) month’s Data has been made available, Enphase shall make a payment of [*] to SunPower for purposes of maintaining the database and equipment necessary to provide Data to Enphase under this Section. For the avoidance of doubt, Enphase will have no obligation to pay the [*] that SunPower fails to provide at least [*] worth of then-current data. Each party shall comply with the Data Protection Addendum (“DPA”) attached hereto as Attachment D-2. For the avoidance of doubt, the parties acknowledge that Enphase’s access to the Data is not part of the consideration exchanged by the parties in connection with the MSA. The Parties agree to discuss in good faith the feasibility of a data-porting integration enabling the provision of the Data to Enphase, after which SunPower will no longer be required to provide, and Enphase will no longer be required to pay for, the above-referenced database, and the terms of any such arrangement shall subject to mutual agreement by the parties in a separate definitive agreement.
e. Racking system. SunPower shall (i) use the Invisimount racking or other UL 2703 compliant racking system for Legacy Systems requiring this certification at the time of install and (ii) for systems installed prior to this requirement, SunPower will use an UL approved racking system. For racking
components that affix directly to the FRU Microinverter, SunPower will use UL2703 listed components. In case a suitable racking system is not available, SunPower may use approved frame mounting solutions for replacements. Notwithstanding the foregoing, SunPower will not use any racking system or frame mounting solution unless it has been approved in writing by Enphase (“Approved Racking”). All Approved Racking must ensure sufficient protection of the FRU Microinverter from the elements and ample clearance from the roof for proper thermal dissipation. The Approved Racking shall be specified in the Installation Manual and communicated to all SunPower FRU Program installation teams. A copy of the Manual is attached hereto as Attachment C.
f. Installation Manual (the “Manual”) Review. For IQ7XS-96-2-US, the Parties agree that they will jointly review the Manual from time to time, including for purposes of improving or clarifying instructions and to incorporate best-known methods. For IQ7PD-84-2-US, the standard Enphase Installation Manual (Feb 2020, 141-00043-04) will be used. The manuals described in this Section (f) are collectively referred to as the “Manual”. Enphase will follow PCN process to notify SunPower any changes on the Manual.
g. Exclusions under the Limited Warranty. In addition to the terms set forth in Section 4.1 of the MSA, “Limited Warranty”, the following terms are added: a non-conforming FRU Microinverter shall not be eligible for the Limited Warranty if any of the following occur:
(i) Connectors other than the MC4 DC connectors set forth in the Manual are used on IQ7XS FRU units;
(ii) Connectors other than MC4 DC connectors set forth in the Manual are used on the IQ7PD FRU units unless the other connectors are identified, reviewed by both parties, such other connectors successfully complete UL compatibility testing or UL approval, and are approved in writing by both parties, in advance;
(iii) Full Site Replacement is not completed; or partial site replacement is completed without both Parties’ agreement;
(iv) It has not been connected to a SunPower PVS6, Enphase Envoy, or compatible gateway product;
(v) Its firmware has not been updated by SunPower as requested by Enphase per MSA;
(vi) It has been installed on a racking system other than an Approved Racking system;
(vii) The failure is caused by a JBOX DC connector attached to SunPower PV module; and / or
(viii) It has not been installed in accordance to the Manual and failure is caused by improper installation.
6. Payment terms. Payment for Covered Products shall be made in accordance with the MSA, except as set forth in Attachment B attached hereto.
7. Shipping & Delivery. Shipping and delivery of Covered Products shall be made in accordance with the MSA, except as set forth in Attachment B attached hereto.
8. Full Force and Effect. Except as expressly set forth herein, the terms of the MSA remain in full force and effect with respect to the Covered Products.
9. Governing Law. This Amendment shall be governed by and construed in accordance with the laws of the State of California, without regard to any conflicts of laws principles.
[signature page follows]
IN WITNESS WHEREOF, the parties have duly authorized and caused this Amendment to be executed as of the Date written below. This Amendment may be signed in counterparts, with the same effect as if each were upon a single instrument.
ENPHASE ENERGY, INC.
By: /S/ Eric Branderiz
Name: Eric Branderiz
Title: Chief Financial Officer
Date: October 28, 2020
SUNPOWER CORPORATION
By: /S/ Manavendra Sial
Name: Manvendra Sial
Title: Executive Vice President and Chief Financial Officer
Date: October 27, 2020
By: /S/ Eric Branderiz
By: /S/ Manavendra Sial
Name: Eric Branderiz
Name: Manavendra Sial
Title: Chief Financial Officer
Title: Executive Vice President and Chief Financial Officer
Date: October 28, 2020
Date: October 27, 2020
Attachments:
Attachment A – Enphase IQ™ 7 XS Data Sheet
Attachment B – Pricing, Volumes, Shipping and Payment
Attachment C – SunPower Installation Manual
Attachment D-1 – Data Specifications
Attachment D-2 – Data Protection Addendum
Attachment A – Enphase IQ™ 7 XS Data Sheet
[*]
Attachment B
Pricing, Volumes, Shipping and Payment
|Enphase MPN
|SPWR Part #
|Enphase Description
|Enphase
UoM
|Packaging
|Inco terms
|Payment Terms
|2020 Price/Unit
|2021 Price/Unit
|IQ7XS-96-2-US
|533855
|96 cell discrete IQ7XS Microinverter for replacing legacy Sunpower/Solarbridge AC modules with Q-DCC-2 and metal mounting plate included (PVS6 support only)
|1ea
|1 Box of 18 Units
|FCA Long Beach
|[*]
[*]
[*]
[*]
|[*]
|ENV-IQ-AM1-240
|535944
|IQ Envoy, single phase, metered. Revenue grade accuracy (ANSI C12.20 +/- 0.5%) with calibrated solid-core CT
|1ea
|1 Box of 12 units
|FCA Long Beach
|[*]
|[*]
|[*]
|IQ7PD-84-2-US
|535945
|IQ7 Power Down Microinverter with 220 VA peak power supporting PV modules of 250W and lower with Q-DCC-2 and metal mouting plate include (Envoy support only)
|1ea
|1 Box of 18 Units
|FCA Long Beach
|[*]
|[*]
|[*]
1. Minimum Volume Commitment. SunPower agrees to purchase and Enphase agrees to sell to SunPower, during the period from [*], a minimum of (i) [*] Enphase IQ7XS-96-2-US microinverters and (ii) [*] Enphase IQ7PD-84-2-US microinverters.
2. Shipping. Covered Products shall be delivered FCA (Incoterms 2010) Long Beach Enphase warehouse. Enphase may make partial shipments of the Covered Products, and each shipment will constitute a separate sale. SunPower also will pay shipping charges in accordance with FCA. Title to Covered Products shipped under any Purchase Order shall pass to SunPower upon delivery of such Covered Products to SunPower at Long Beach Enphase warehouse.
3. Payment. SunPower shall pay each Invoice for Covered Products in accordance with the MSA, except that terms of payment for Covered Products shall be net [*] days from the date of Invoice and payment shall be made regardless of whether shipment is in whole or partial fulfillment of a Purchase Order.
Attachment C
[*]
Attachment D-1
Data Specifications
|
|
|Remarks
|Item #
|Feature
At the current polling frequency (2.5 min) or a modified polling rate as agreed upon by both parties to exceed no more than a 15 min interval
|1
|Telemetry data Microinverter [Raw]
|Fields include (temp, acv, acw, aci, dcv, dcw, dci, freq, lte, timestamp, polling freq)
|2
|Telemetry data Microinverter [Aggregated]
|Fields include (temp, acv, acw, aci, dcv, dcw, dci, freq, lte, timestamp, polling freq)
|3
|Microinverter firmware upgrade information
|Prior upgrades, upgrade date etc to be provided as part of data table, separate from the Splunk database
|Microinverter PL
|PL to be provided as decimal value in splunk
|5
|PVS status
|To be provided as part of data table, separate from the Splunk database
|6
|PVS SW Information
|Prior upgrades, upgrade date etc to be provided as part of data table, separate from the Splunk database
|7
|Events [Raw]
Enphase condition messages, including Gate fix, Grid Outage, Temp Event, Skip Event, and other events
|8
|Events [Aggregated]
|Daily count of events for individual microinverters
|9
|Location details
|AddressID and site zip code to be provided as part of data table, separate from the Splunk database
|10
|Temperature data Microinverter
|Tmax, Tmin
|11
|Grid details
|Grid profile name, settings, upgrade
|12
|Micro PN, Assly Num
|
|13
|Created Date
|To be provided as part of data table, separate from the Splunk database
|14
|First Report Date
|To be provided as part of data table, separate from the Splunk database
|15
|Last report Date
|To be provided as part of data table, separate from the Splunk database
|16
|Days flags
|To be provided as part of data table, separate from the Splunk database
|17
|Bridge fault per day
|To be provided as part of data table, separate from the Splunk database
Data parameters being provided and refreshed as appropriate in the data table titled “Enphase Distribution List of Installed Units” as of September 25, 2020 will continue to be provided unless both parties agree to add, remove, or modify fields. Such data fields include the following:
- CSV file: Contain list of all installed microinverters in the field (Updated weekly)
- Energy Link: A tool for visual analysis of microinverter/sites long term performance. Data downloadable in CSV format (polling 5 minutes)
- Splunk: Data stored in both granular level and at aggregated level as well. Contains telemetry data, events data, configuration data, power drops, bridge faults, etc. Within Splunk it is structured in indexes as below:
o dev_enp_enphasemipolldaily_summary - daily aggregation of every MI in the Enphase fleet with key daily metrics like daily power, number of reports, and temperature delta (polling 1 day)
o dev_rap_enphasealerts_summary - daily aggregation of every MI in the Enphase fleet with focus on alerts - count of different types of alerts (polling 1 day)
o dev_rap_enphasemiflag_summary - daily aggregation of MI's with questionable behavior along with some key metrics to quantify the daily behavior (polling 1 day)
o dev_rap_enphasebridgefaultcndduration_summary - daily aggregation of skip event duration and event count to focus on skip event issues (polling 1 day)
o enphase - most granular polling data for Enphase inverters, includes MIPoll, EnCnd (MI Alerts), HighSkipRate, and other enphase-specific MI messages (polling 2.5 minutes)
o dev_enp_allalerts_summary - a dump of all Enphase alerts produced by the flexet, sent into a summary index for storage (polling 1 day)
o prod_rap_mimecfg_summary - all PVS configuration files for all PVS (use type="Enphase") (polling 1 day)
o dev_enp_enphasemipolldaily_- daily aggregation of every MI in the Enphase fleet with key daily metrics like daily power, number of reports, and temperature delta (polling 1 day)
o dev_rap_enphasemiweekly_summary - weekly aggregation of MI performance metrics - used to identify underperforming units. Currently not returning records. (polling weekly)
o dev_rap_enphasemiflag_summary - daily aggregation of MI's with questionable behavior along with some key metrics to quantify the daily behavior (polling 1 day)
o dev_rap_enphasebridgefaultcndduration_summary - daily aggregation of skip event duration and event count to focus on skip event issues (polling 1 day)
o dev_enp_allalerts_summary - a dump of all Enphase alerts produced by the flexet, sent into a summary index for storage (polling 1 day)
o prod_rap_mimecfg_summary - all PVS configuration files for all PVS (use type="Enphase") (polling 1 day)
o dev_enp_enphasemipolldaily_summary - daily aggregation of every MI in the Enphase fleet with key daily metrics like daily power, number of reports, and temperature delta (polling 1 day)
o dev_rap_enphasemiweekly_summary
Notwithstanding the foregoing, ninety (90) days following the Amendmnet Effective Date the Parties will meet in good faith to determine whether the data fields in the following “Conditions” data set are reasonably required for Enphase to conduct failure analysis in connection with its limited warranty obligations to SunPower’s end user customers. If mutually agreed upon by the Parties in good faith, some or all of the data fields below may be removed from the list of data which SunPower is obligated to provide to Enphase pursuant to Section 5(d) of the Amendment:
dev_rap_enphasemiflag_summary - daily aggregation of MI's with questionable behavior along with some key metrics to quantify the daily behavior (polling 1 day)
dev_rap_enphasebridgefaultcndduration_summary - daily aggregation of skip event duration and event count to focus on skip event issues (polling 1 day)
dev_enp_allalerts_summary - a dump of all Enphase alerts produced by the flexet, sent into a summary index for storage (polling 1 day)
prod_rap_mimecfg_summary - all PVS configuration files for all PVS (use type="Enphase") (polling 1 day)
dev_enp_enphasemipolldaily_summary - daily aggregation of every MI in the Enphase fleet with key daily metrics like daily power, number of reports, and temperature delta (polling 1 day)
dev_rap_enphasemiweekly_summary
Attachment D-2
Data Protection Addendum (“DPA”)
1. DEFINITIONS
To the extent not otherwise defined in the parties’ MSA or purchase order, terms defined in this DPA shall bear the below meanings and cognate terms shall be construed accordingly.
1.1. “Applicable Regulation” means, to the extent applicable, all regulations and applicable industry standards in force on data protection and data privacy relating to that Personal Information for each relevant jurisdiction where Supplier provides services to SunPower, e.g., federal laws, state laws (including, if applicable, the California Consumer Privacy Act (“CCPA”)), Gramm-Leach-Bliley Act (“GLBA”), California's Social Security Number Confidentiality Law, Cal. Civ. §1798.85, Nevada SB 220, New York’s Stop Hacks and Improve Electronic Data Security Act (“Shield Act”), and Payment Card Industry Data Security Standard (“PCI-DSS”)).
1.2. “Affiliate” for the purpose of data processing means an entity that owns or controls, is owned or controlled by, or is or under common control or ownership with another entity (control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise).
1.3. “Consumer” means a natural person.
1.4. “Business” means a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects Consumers’ Personal Information, or on behalf of whom such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of Consumers’ Personal Information.
1.5. “Business Purpose” means the use of Personal Information for the Business’s or service provider’s operational purposes, or other notified purposes, provided that the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which Personal Information was collected or processed or for another operational purpose that is compatible with the context in which Personal Information was collected.
1.6. “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means.
1.7. “Commercial Purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
1.8. “Environment” means all equipment, work stations, servers, cloud environments, mobile devices, networks, storage devices, applications and other systems where SunPower’s Personal Information may be transmitted, Processed, or stored.
1.9. “Personal Information” shall have the meaning ascribed to it by the Applicable Regulations. For purposes of this DPA, Personal Information is limited to the Personal Information provided to Supplier by SunPower.
1.10. “Process,” “Processing,” and “Processes” refer to any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
1.11. “Sell” means selling, renting, licensing to others, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the Business to another Business or a third party for monetary or other valuable consideration.
1.12. “Service Provider” means a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that Processes information on behalf of a Business and to which the Business discloses a Consumer’s Personal Information for a Business Purpose.
1.13. “Services” means the services or other activities to be supplied to or carried out by or on behalf of Supplier for SunPower pursuant to the parties’ MSA or purchase order, including providing technical support, root cause or performance analysis, improving Supplier’s Products, maintaining records, complying with legal obligations,
exercising rights and obligations with respect to the MSA, and other related services in connection with Supplier’s warranty obligations.
1.14. “Subcontractor” means a person (but excluding any employee of Supplier) engaged or appointed by Supplier to receive or Process Personal Information on behalf of SunPower in connection with the MSA or purchase order.
1.15. “Supplier” means Enphase.
1.16. “Security Breach” means a breach of security leading to the accidental or unlawful unauthorised disclosure of, or access to, Personal Information.
2. AUTHORITY
2.1. Supplier warrants and represents that it has the requisite authority to enter into this DPA on behalf of any of its Affiliates that will Process Personal Information as an agent of Supplier and on behalf of SunPower.
2.2. SunPower warrants and represents that (i) it has the requisite authority to enter into this DPA on beahf of any of its Affiliates and that it will provide the Data to Supplier for the purposes set forth herein; and (ii) it shall at all times comply with Applicable Regulations in the provision of Personal Information to Supplier.
3. DATA PROCESSING
3.1. The parties acknowledge and agree that Supplier is a Service Provider providing Services to and Processing Personal Information on behalf of SunPower, a Business.
3.2. Supplier shall at all times comply with Applicable Regulations in the Processing of the Personal Information.
3.3. When Supplier Processes Personal Information on behalf of SunPower, Supplier shall not:
3.3.1. retain, use, or disclose Personal Information it receives, collects or Processes in connection with the Services for any purpose other than for performing the Services in the MSA and in accordance with the terms of this DPA, the parties’ MSA and SunPower’s instruction;
3.3.2. use or Process Personal Information for Commercial Purposes or direct marketing;
3.3.3. Sell or promote the sale of Personal Information; and
3.3.4. disclose or transfer Personal Information to unauthorized personnel or parties.
3.4. Supplier shall without undue delay notify SunPower in writing if it determines or reasonably suspects its inability to comply with its obligations set forth in Section 3.3 above. Upon any such notice to SunPower, Supplier shall promptly cease all use of Personal Information hereunder, but its obligations regarding safeguarding information shall remain in effect.
3.5. Supplier shall be entitled to (i) create and derive from Processing the Personal Information anonymized and/or aggregated data that does not identify SunPower or any natural person, and (ii) use, publicize or share with third parties such data to improve Supplier’s products and services and for other lawful business purposes.
4. PERSONNEL AND SUBCONTRACTORS
4.1. Supplier will take reasonable steps to ensure that each of its employees and agents who Process Personal Information are made aware of Supplier’s obligations under this DPA, and where required by Applicable Regulation, shall require that they enter into binding obligations with Supplier as appropriate to maintain the levels of security and protection required under this DPA.
4.2. Supplier shall strictly limit access to Personal Information to those individuals who need to know, as necessary for the purpose of providing Services.
4.3. Supplier will only engage a Subcontractor provided that a written contract is executed by Supplier with the Subcontractor that includes obligations to use same degree of care in safeguarding the Personal Information as it uses to safeguard its own confidential information, but in no event less than reasonable care . Supplier acknowledges and agrees that it remains obligated and fully liable to SunPower for the acts and omissions of any Subcontractor in connection with this Section 4.3.
5. SECURITY
5.1. Supplier represents and warrants that, in connection with the Services provided to SunPower, Supplier shall at all times have in place, maintain, and use all necessary and reasonable technical, physical and organizational measures
commensurate with the industry standards for information security, applicable law, and the sensitivity of Personal Information collected, handled, stored, and otherwise Processed, in order to help ensure:
5.1.1. the security of Personal Information against any Security Breach;
5.1.2. the confidentiality of Personal Information, by ensuring that persons authorized to access, view, and/or otherwise Process Personal Information are given such rights based only on a need for such access in connection with the Services; and
5.1.3. to the extent relevant, that its access to SunPower’s systems and/or networks, including any credentials thereto, shall be properly created, secured, maintained and architected such that it shall not pose a material security risk or threat to or otherwise expose SunPower’s Environment, data, website, systems, landing pages, Consumers or customers.
5.2. Supplier shall notify SunPower, or its preferred contact, immediately and not to exceed twenty-four (24) hours, after becoming aware of the Security Breach by phone (not including a voice or text message) and in writing (but not by unsecured email) at help@sunpowercorp.com specifying the extent to which SunPower’s Personal Information was compromised or disclosed, and will take all reasonable measures required to rectify the Security Breach as soon as possible. In this regard, Supplier at a minimum will:
5.2.1. investigate the Security Breach, perform a root cause analysis thereon, and report its findings to SunPower; and
5.2.2. provide SunPower with a remediation plan to address the Security Breach and regularly keep SunPower informed as and when remedial or containment actions are implemented.
5.3. Supplier agrees that it will not inform any third party of any Security Breach without first obtaining SunPower’s prior written consent, other than to inform a complainant that the matter has been forwarded to SunPower’s legal counsel. Further, Supplier agrees that SunPower shall have the sole right to determine the contents of any such notice of a Security Breach, whether any type of remediation may be offered to affected Consumers, and the nature and extent of any such remediation.
5.4. To the extent agreements between the parties do not designate a notice contact, notices under this Section should be sent via email to LegalNoticeSunPower@sunpowercorp.com ATTN: General Counsel.
5.5. Supplier shall, at all times they are providing services to SunPower or remain in possession of Personal Information belonging to SunPower, maintain in force, at its own expense, insurance coverage appropriate to ensure proper performance of its obligations hereunder.
6. AUDITS AND INFORMATION REQUESTS
6.1. Supplier shall, for no additional compensation, (1) provide to SunPower, at its request, an Officer’s Certificate from a member of Supplier’s C-Suite confirming Supplier’s compliance with the obligations stipulated in this DPA; and (2) reasonably assist Supplier, at Supplier’s expense, in ensuring compliance with Applicable Regulation, including audits or inquiries from law enforcement or government authorities, taking into account the nature of the Processing and the information available to Supplier.
7. TERMINATION
7.1. Upon termination of the MSA Supplier shall promptly anonymize all Personal Information, as well as any existing copies. Within ten (10) days of returning or destroying such information, Supplier shall provide a certification to SunPower confirming same.
7.2. In the event Applicable Regulation does not permit Supplier to comply with the return or deletion of Personal Information, Supplier warrants that it will ensure the confidentiality and protection of Personal Information and that it will not Process Personal Information transferred after termination of the relationship.
8. INDEMNIFICATION & LIABILITY
8.1. Supplier will defend, at its own expense, any claim, suit or proceeding brought by an unaffiliated third party (a “Claim”) against SunPower to the extent it is based upon an allegation that Supplier materially breached the terms of this DPA, and, provided SunPower complies with the provisions hereof and is not otherwise in material breach of any
provision of this DPA, Supplier will pay all settlement amounts and damages, costs and expenses finally awarded to third parties against SunPower in such action.
8.2. SunPower will defend, at its own expense, any Claim against Supplier to the extent it is based upon an allegation that SunPower materially breached the terms of this DPA, and provided Supplier complies with the provisions hereof and is not otherwise in material breach of any provision of this DPA, SunPower will pay all settlement amounts and damages, costs and expenses finally awarded to third parties against SunPower in such action.
8.3. The obligation of the indemnifying party (the “Indemnifying Party”) to defend the other party (the “Indemnified Party”) is conditioned upon the Indemnified Party promptly notify Indemnifying Party in writing of any such claim or action and giving the Indemnifying Party full information and assistance in connection therewith. The Indemnifying Party shall have the sole right to control the defense and settlement of any such claim or action. The Indemnifying Party will not settle any Claim without the written consent of the Indemnified Party; provided, however, that, after reasonable notice, the Indemnifying Party may settle a claim without the Indemnified Party’s consent if such settlement (A) makes no admission or acknowledgment of liability or culpability with respect to the Indemnified Party, (B) includes a complete release of the Indemnified Party and (C) does not seek any relief against the Indemnified Party other than the payment of money damages to be borne by the Indemnifying Party. The Indemnified Party will cooperate in all reasonable respects with the Indemnifying Party and its attorneys in the investigation, trial and defense of any Claim and any appeal arising therefrom (including the filing in the Indemnified Party’s name of appropriate cross-claims and counterclaims). The Indemnified Party may, at its own cost, participate in any investigation, trial and defense of any Claim controlled by the Indemnifying Party and any appeal arising therefrom, including participating in the process with respect to the potential settlement or compromise thereof. Notwithstanding any other language in the MSA or DPA, the Indemnifying Party will have no liability under this Section 8 for any Claim to the extent arising as a result of the Indemnified Party’s material breach of its obligations under the MSA or the DPA.
9. LIMITATION OF LIABILITY
EXCEPT FOR AMOUNTS PAYABLE UNDER SECTION 8 (INDEMNIFICATION AND LIABILITY) OF THIS DPA, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES ARISING FROM ANY CLAIM OR ACTION BASED ON OR RELATED TO THIS DPA, REGARDLESS OF WHETHER SUCH CLAIM OR ACTION IS BASED ON CONTRACT, TORT, OR OTHER LEGAL THEORY, AND REGARDLESS OF WHETHER OR NOT SUCH DAMAGES WERE FORESEEABLE OR WHETHER OR NOT THE PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE LIMITATIONS OF LIABILITY DO NOT APPLY WITH RESPECT TO (i) LOSSES SUFFERED, INCURRED, OR SUSTAINED BY A PARTY OCCASIONED BY (A) THE FRAUD, WILLFUL MISCONDUCT OR GROSS NEGLIGENCE OF THE OTHER PARTY OR ITS AGENTS. EXCEPT FOR AMOUNTS PAYABLE UNDER SECTION 8 (INDEMNIFICATION AND LIABILITY) OF THIS DPA, SUPPLIER’S TOTAL CUMULATIVE LIABILITY ARISING FROM OR RELATING TO THIS DPA, WHETHER IN CONTRACT OR TORT OR OTHERWISE, WILL NOT EXCEED $100,000.
10. MISCELLANEOUS
10.1. The parties acknowledge and agree that the terms and conditions of this DPA shall survive the termination of the MSA or any other agreement between the parties and shall remain in full force and effect for the entire time Supplier remains in possession or control of Personal Information.
10.2. In the event of modifications, amendments or changes to Applicable Regulations, the parties agree to cooperate in good faith with respect to any necessary modifications or amendments to this DPA, to the extent required. Each party shall further take reasonable measures to remain compliant with any such changes in the Applicable Regulation.