C-10028-1 - PSA for Penetration Test
PROFESSIONAL SERVICES AGREEMENT
WITH TEC-REFRESH, INC FOR
PENETRATION TEST
THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and
entered into as of this 26th day of November, 2025 ("Effective Date"), by and between the
CITY OF NEWPORT BEACH, a California municipal corporation and charter city ("City"),
and TEC-REFRESH, INC, a California corporation ("Consultant"), whose address is 100
Bayview Circle, Suite 230, Newport Beach, CA 92660, and is made with reference to the
following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. City desires to engage Consultant to provide Internal/External Pen Test, Web App
Test, Physical Security Assessment ("Project").
C. Consultant possesses the skill, experience, ability, background, certification and
knowledge to provide the professional services described in this Agreement.
D. City has solicited and received a proposal from Consultant, has reviewed the
previous experience and evaluated the expertise of Consultant, and desires to
retain Consultant to render professional services under the terms and conditions
set forth in this Agreement.
NOW, THEREFORE, it is mutually agreed by and between the undersigned parties
as follows:
1. TERM
The term of this Agreement shall commence on the Effective Date, and shall
terminate on June 30, 2026, unless terminated earlier as set forth herein.
2. SERVICES TO BE PERFORMED
Consultant shall diligently perform all the services described in the Scope of
Services attached hereto as Exhibit A and incorporated herein by reference ("Services"
or "Work"). City may elect to delete certain Services within the Scope of Services at its
sole discretion.
3. TIME OF PERFORMANCE
3.1 Time is of the essence in the performance of Services under this Agreement
and Consultant shall perform the Services in accordance with the schedule included in
Exhibit A. In the absence of a specific schedule, the Services shall be performed to
completion in a diligent and timely manner. The failure by Consultant to strictly adhere to
the schedule set forth in Exhibit A, if any, or perform the Services in a diligent and timely
manner may result in termination of this Agreement by City.
3.2 Notwithstanding the foregoing, Consultant shall not be responsible for
delays due to causes beyond Consultant's reasonable control. However, in the case of
any such delay in the Services to be provided for the Project, each party hereby agrees
to provide notice within two (2) calendar days of the occurrence causing the delay to the
other party so that all delays can be addressed.
3.3 Consultant shall submit all requests for extensions of time for performance
in writing to the Project Administrator as defined herein not later than ten (10) calendar
days after the start of the condition that purportedly causes a delay. The Project
Administrator shall review all such requests and may grant reasonable time extensions
for unforeseeable delays that are beyond Consultant's control.
3.4 For all time periods not specifically set forth herein, Consultant shall
respond in the most expedient and appropriate manner under the circumstances, by
hand-delivery or mail.
4. COMPENSATION TO CONSULTANT
4.1 City shall pay Consultant for the Services on a time and expense not-to-exceed
basis in accordance with the provisions of this Section and the Schedule of Billing
Rates attached hereto as Exhibit B and incorporated herein by reference. Consultant's
compensation for all Work performed in accordance with this Agreement, including all
reimbursable items and subconsultant fees, shall not exceed Forty Three Thousand
Two Hundred Dollars and 00/100 ($43,200.00), without prior written authorization from
City. No billing rate changes shall be made during the term of this Agreement without the
prior written approval of City.
4.2 Consultant shall submit monthly invoices to City describing the Work
performed the preceding month. Consultant's bills shall include the name of the person
who performed the Work, a brief description of the Services performed and/or the specific
task in the Scope of Services to which it relates, the date the Services were performed,
the number of hours spent on all Work billed on an hourly basis, and a description of any
reimbursable expenditures. City shall pay Consultant no later than thirty (30) calendar
days after approval of the monthly invoice by City staff.
4.3 City shall reimburse Consultant only for those costs or expenses specifically
identified in Exhibit B to this Agreement or specifically approved in writing in advance by
City.
4.4 Consultant shall not receive any compensation for Extra Work performed
without the prior written authorization of City. As used herein, "Extra Work" means any
Work that is determined by City to be necessary for the proper completion of the Project,
but which is not included within the Scope of Services and which the parties did not
reasonably anticipate would be necessary at the execution of this Agreement.
Tec-Refresh, Inc. Page 2
Compensation for any authorized Extra Work shall be paid in accordance with the
Schedule of Billing Rates as set forth in Exhibit B.
5. PROJECT MANAGER
5.1 Consultant shall designate a Project Manager, who shall coordinate all
phases of the Project. This Project Manager shall be available to City at all reasonable
times during the Agreement term. Consultant has designated Matt Tammaro to be its
Project Manager. Consultant shall not remove or reassign the Project Manager or any
personnel listed in Exhibit A or assign any new or replacement personnel to the Project
without the prior written consent of City. City's approval shall not be unreasonably
withheld with respect to the removal or assignment of non-key personnel.
5.2 Consultant, at the sole discretion of City, shall remove from the Project any
of its personnel assigned to the performance of Services upon written request of City.
Consultant warrants that it will continuously furnish the necessary personnel to complete
the Project on a timely basis as contemplated by this Agreement.
5.3 If Consultant is performing inspection services for City, the Project Manager
and any other assigned staff shall be equipped with a cellular phone to communicate with
City staff. The Project Manager's cellular phone number shall be provided to City.
6. ADMINISTRATION
This Agreement will be administered by the City Manager. City's IT Engineer-
Cybersecurity or designee shall be the Project Administrator and shall have the authority
to act for City under this Agreement. The Project Administrator shall represent City in all
matters pertaining to the Services to be rendered pursuant to this Agreement.
7. CITY'S RESPONSIBILITIES
To assist Consultant in the execution of its responsibilities under this Agreement,
City agrees to provide access to and upon request of Consultant, one copy of all existing
relevant information on file at City. City will provide all such materials in a timely manner
so as not to cause delays in Consultant's Work schedule.
8. STANDARD OF CARE
8.1 All of the Services shall be performed by Consultant or under Consultant's
supervision. Consultant represents that it possesses the professional and technical
personnel required to perform the Services required by this Agreement, and that it will
perform all Services in a manner commensurate with community professional standards
and with the ordinary degree of skill and care that would be used by other reasonably
competent practitioners of the same discipline under similar circumstances. All Services
shall be performed by qualified and experienced personnel who are not employed by City.
By delivery of completed Work, Consultant certifies that the Work conforms to the
requirements of this Agreement, all applicable federal, state and local laws, and legally
recognized professional standards.
8.2 Consultant represents and warrants to City that it has, shall obtain, and shall
keep in full force and effect during the term hereof, at its sole cost and expense, all
licenses, permits, qualifications, insurance and approvals of whatsoever nature that is
legally required of Consultant to practice its profession. Consultant shall maintain a City
of Newport Beach business license during the term of this Agreement.
8.3 Consultant shall not be responsible for delay, nor shall Consultant be
responsible for damages or be in default or deemed to be in default by reason of strikes,
lockouts, accidents, acts of God, or the failure of City to furnish timely information or to
approve or disapprove Consultant's Work promptly, or delay or faulty performance by
City, contractors, or governmental agencies.
9. HOLD HARMLESS
9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend
and hold harmless City, its City Council, boards and commissions, officers, agents,
volunteers, employees and any person or entity owning or otherwise in legal control of
the property upon which Consultant performs the Project and/or Services contemplated
by this Agreement (collectively, the "Indemnified Parties") from and against any and all
claims (including, without limitation, claims for bodily injury, death or damage to property),
demands, obligations, damages, actions, causes of action, suits, losses, judgments,
fines, penalties, liabilities, costs and expenses (including, without limitation, attorneys'
fees, disbursements and court costs) of every kind and nature whatsoever (individually,
a Claim; collectively, "Claims"), which may arise from or in any manner relate (directly or
indirectly) to any breach of the terms and conditions of this Agreement, any Work
performed or Services provided under this Agreement including, without limitation,
defects in workmanship or materials or Consultant's presence or activities conducted on
the Project (including the negligent, reckless, and/or willful acts, errors and/or omissions
of Consultant, its principals, officers, agents, employees, vendors, suppliers, consultants,
subcontractors, anyone employed directly or indirectly by any of them or for whose acts
they may be liable, or any or all of them), and/or if it is subsequently determined that an
employee of Consultant is not an independent contractor.
9.2 Notwithstanding the foregoing, nothing herein shall be construed to require
Consultant to indemnify the Indemnified Parties from any Claim arising from the sole
negligence or willful misconduct of the Indemnified Parties. Nothing in this indemnity shall
be construed as authorizing any award of attorneys' fees in any action on or to enforce
the terms of this Agreement. This indemnity shall apply to all claims and liability
regardless of whether any insurance policies are applicable. The policy limits do not act
as a limitation upon the amount of indemnification to be provided by Consultant.
10. INDEPENDENT CONTRACTOR
10.1 It is understood that City retains Consultant on an independent contractor
basis and Consultant is not an agent or employee of City. The manner and means of
conducting the Work are under the control of Consultant, except to the extent they are
limited by statute, rule or regulation and the expressed terms of this Agreement. No civil
service status or other right of employment shall accrue to Consultant or its employees.
Nothing in this Agreement shall be deemed to constitute approval for Consultant or any
of Consultant's employees or agents, to be the agents or employees of City. Consultant
shall have the responsibility for and control over the means of performing the Work,
provided that Consultant is in compliance with the terms of this Agreement. Anything in
this Agreement that may appear to give City the right to direct Consultant as to the details
of the performance of the Work or to exercise a measure of control over Consultant shall
mean only that Consultant shall follow the desires of City with respect to the results of the
Services.
10.2 Consultant agrees and acknowledges that no individual performing
Services or Work pursuant to this Agreement shall: work full-time for more than six (6)
months; work regular part-time service of at least an average of twenty (20) hours per
week for one year or longer; work nine hundred sixty (960) hours in any fiscal year; or
already be a CalPERS member.
11. COOPERATION
Consultant agrees to work closely and cooperate fully with City's designated
Project Administrator and any other agencies that may have jurisdiction or interest in the
Work to be performed. City agrees to cooperate with the Consultant on the Project.
12. CITY POLICY
Consultant shall discuss and review all matters relating to policy and Project
direction with City's Project Administrator in advance of all critical decision points in order
to ensure the Project proceeds in a manner consistent with City goals and policies.
13. PROGRESS
Consultant is responsible for keeping the Project Administrator informed on a
regular basis regarding the status and progress of the Project, activities performed and
planned, and any meetings that have been scheduled or are desired.
14. INSURANCE
Without limiting Consultant's indemnification of City, and prior to commencement
of Work, Consultant shall obtain, provide and maintain at its own expense during the term
of this Agreement or for other periods as specified in this Agreement, policies of insurance
of the type, amounts, terms and conditions described in the Insurance Requirements
attached hereto as Exhibit C, and incorporated herein by reference.
15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS
Except as specifically authorized under this Agreement, the Services to be
provided under this Agreement shall not be assigned, transferred, contracted or
subcontracted out without the prior written approval of City. Any of the following shall be
construed as an assignment: The sale, assignment, transfer or other disposition of any
of the issued and outstanding capital stock of Consultant, or of the interest of any general
partner or joint venturer or syndicate member or cotenant if Consultant is a partnership or
joint-venture or syndicate or co-tenancy, which shall result in changing the control of
Consultant. Control means fifty percent (50%) or more of the voting power or twenty-five
percent (25%) or more of the assets of the corporation, partnership or joint-venture.
16. SUBCONTRACTING
The subcontractors authorized by City, if any, to perform Work on this Project are
identified in Exhibit A. Consultant shall be fully responsible to City for all acts and
omissions of any subcontractor. Nothing in this Agreement shall create any contractual
relationship between City and any subcontractor nor shall it create any obligation on the
part of City to pay or to see to the payment of any monies due to any such subcontractor
other than as otherwise required by law. City is an intended beneficiary of any Work
performed by the subcontractor for purposes of establishing a duty of care between the
subcontractor and City. Except as specifically authorized herein, the Services to be
provided under this Agreement shall not be otherwise assigned, transferred, contracted
or subcontracted out without the prior written approval of City.
17. OWNERSHIP OF DOCUMENTS
17.1 Each and every report, draft, map, record, plan, document and other writing
produced, including but not limited to, websites, blogs, social media accounts and
applications (hereinafter "Documents"), prepared or caused to be prepared by Consultant,
its officers, employees, agents and subcontractors, in the course of implementing this
Agreement, shall become the exclusive property of City, and City shall have the sole right
to use such materials in its discretion without further compensation to Consultant or any
other party. Additionally, all material posted in cyberspace by Consultant, its officers,
employees, agents and subcontractors, in the course of implementing this Agreement,
shall become the exclusive property of City, and City shall have the sole right to use such
materials in its discretion without further compensation to Consultant or any other party.
Consultant shall, at Consultant's expense, provide such Documents, including all logins
and password information to City upon prior written request.
17.2 Documents, including drawings and specifications, prepared by Consultant
pursuant to this Agreement are not intended or represented to be suitable for reuse by
City or others on any other project. Any use of completed Documents for other projects
and any use of incomplete Documents without specific written authorization from
Consultant will be at City's sole risk and without liability to Consultant. Further, any and
all liability arising out of changes made to Consultant's deliverables under this Agreement
by City or persons other than Consultant is waived against Consultant, and City assumes
full responsibility for such changes unless City has given Consultant prior notice and has
received from Consultant written consent for such changes.
17.3 All written documents shall be transmitted to City in formats compatible with
Microsoft Office and/or viewable with Adobe Acrobat.
18. CONFIDENTIALITY
All Documents, including drafts, preliminary drawings or plans, notes and
communications that result from the Services in this Agreement, shall be kept confidential
unless City expressly authorizes in writing the release of information.
19. INTELLECTUAL PROPERTY INDEMNITY
Consultant shall defend and indemnify City, its agents, officers, representatives
and employees against any and all liability, including costs, for infringement or alleged
infringement of any United States' letters patent, trademark, or copyright, including costs,
contained in Consultant's Documents provided under this Agreement.
20. RECORDS
Consultant shall keep records and invoices in connection with the Services to be
performed under this Agreement. Consultant shall maintain complete and accurate
records with respect to the costs incurred under this Agreement and any Services,
expenditures and disbursements charged to City, for a minimum period of three (3) years,
or for any longer period required by law, from the date of final payment to Consultant
under this Agreement. All such records and invoices shall be clearly identifiable.
Consultant shall allow a representative of City to examine, audit and make transcripts or
copies of such records and invoices during regular business hours. Consultant shall allow
inspection of all Work, data, Documents, proceedings and activities related to the
Agreement for a period of three (3) years from the date of final payment to Consultant
under this Agreement.
21. WITHHOLDINGS
City may withhold payment to Consultant of any disputed sums until satisfaction of
the dispute with respect to such payment. Such withholding shall not be deemed to
constitute a failure to pay according to the terms of this Agreement. Consultant shall not
discontinue Work as a result of such withholding. Consultant shall have an immediate
right to appeal to the City Manager or designee with respect to such disputed sums.
Consultant shall be entitled to receive interest on any withheld sums at the rate of return
that City earned on its investments during the time period, from the date of withholding of
any amounts found to have been improperly withheld.
22. ERRORS AND OMISSIONS
In the event of errors or omissions that are due to the gross negligence or
professional inexperience of Consultant which result in expense to City greater than what
would have resulted if there were not errors or omissions in the Work accomplished by
Consultant, the additional design, construction and/or restoration expense shall be borne
by Consultant. Nothing in this Section is intended to limit City's rights under the law or
any other sections of this Agreement.
23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS
City reserves the right to employ other Consultants in connection with the Project.
24. CONFLICTS OF INTEREST
24.1 Consultant or its employees may be subject to the provisions of the
California Political Reform Act of 1974 (the "Act") and/or Government Code §§ 1090 et
seq., which (1) require such persons to disclose any financial interest that may
foreseeably be materially affected by the Work performed under this Agreement, and (2)
prohibit such persons from making, or participating in making, decisions that will
foreseeably financially affect such interest.
24.2 If subject to the Act and/or Government Code §§ 1090 et seq., Consultant
shall conform to all requirements therein. Failure to do so constitutes a material breach
and is grounds for immediate termination of this Agreement by City. Consultant shall
indemnify and hold harmless City for any and all claims for damages resulting from
Consultant's violation of this Section.
25. NOTICES
25.1 All notices, demands, requests or approvals, including any change in
mailing address, to be given under the terms of this Agreement shall be given in writing,
and conclusively shall be deemed served when delivered personally, or on the third
business day after the deposit thereof in the United States mail, postage prepaid, first-
class mail, addressed as hereinafter provided.
25.2 All notices, demands, requests or approvals from Consultant to City shall
be addressed to City at:
Attn: IT Manager
City Manager
City of Newport Beach
100 Civic Center Drive
PO Box 1768
Newport Beach, CA 92658
25.3 All notices, demands, requests or approvals from City to Consultant shall
be addressed to Consultant at:
Attn: Efrem Gonzales
Tec-Refresh, Inc
100 Bayview Circle, Suite 230
Newport Beach, CA 92660
26. CLAIMS
Unless a shorter time is specified elsewhere in this Agreement, before making its
final request for payment under this Agreement, Consultant shall submit to City, in writing,
all claims for compensation under or arising out of this Agreement. Consultant's
acceptance of the final payment shall constitute a waiver of all claims for compensation
under or arising out of this Agreement except those previously made in writing and
identified by Consultant in writing as unsettled at the time of its final request for payment.
Consultant and City expressly agree that in addition to any claims filing requirements set
forth in the Agreement, Consultant shall be required to file any claim Consultant may have
against City in strict conformance with the Government Claims Act (Government Code
sections 900 et seq.).
27. TERMINATION
27.1 In the event that either party fails or refuses to perform any of the provisions
of this Agreement at the time and in the manner required, that party shall be deemed in
default in the performance of this Agreement. If such default is not cured within a period
of two (2) calendar days, or if more than two (2) calendar days are reasonably required
to cure the default and the defaulting party fails to give adequate assurance of due
performance within two (2) calendar days after receipt of written notice of default,
specifying the nature of such default and the steps necessary to cure such default, and
thereafter diligently take steps to cure the default, the non-defaulting party may terminate
the Agreement forthwith by giving to the defaulting party written notice thereof.
27.2 Notwithstanding the above provisions, City shall have the right, at its sole
and absolute discretion and without cause, of terminating this Agreement at any time by
giving no less than seven (7) calendar days' prior written notice to Consultant. In the
event of termination under this Section, City shall pay Consultant for Services
satisfactorily performed and costs incurred up to the effective date of termination for which
Consultant has not been previously paid. On the effective date of termination, Consultant
shall deliver to City all reports, Documents and other information developed or
accumulated in the performance of this Agreement, whether in draft or final form.
28. STANDARD PROVISIONS
28.1 Recitals. City and Consultant acknowledge that the above Recitals are true
and correct and are hereby incorporated by reference into this Agreement.
28.2 Compliance with all Laws. Consultant shall, at its own cost and expense,
comply with all statutes, ordinances, regulations and requirements of all governmental
entities, including federal, state, county or municipal, whether now in force or hereinafter
enacted. In addition, all Work prepared by Consultant shall conform to applicable City,
county, state and federal laws, rules, regulations and permit requirements and be subject
to approval of the Project Administrator and City.
28.3 Waiver. A waiver by either party of any breach, of any term, covenant or
condition contained herein shall not be deemed to be a waiver of any subsequent breach
of the same or any other term, covenant or condition contained herein, whether of the
same or a different character.
28.4 Integrated Contract. This Agreement represents the full and complete
understanding of every kind or nature whatsoever between the parties hereto, and all
preliminary negotiations and agreements of whatsoever kind or nature are merged herein.
No verbal agreement or implied covenant shall be held to vary the provisions herein.
28.5 Conflicts or Inconsistencies. In the event there are any conflicts or
inconsistencies between this Agreement and the Scope of Services or any other
attachments attached hereto, the terms of this Agreement shall govern.
28.6 Interpretation. The terms of this Agreement shall be construed in
accordance with the meaning of the language used and shall not be construed for or
against either party by reason of the authorship of the Agreement or any other rule of
construction which might otherwise apply.
28.7 Amendments. This Agreement may be modified or amended only by a
written document executed by both Consultant and City and approved as to form by the
City Attorney.
28.8 Severability. If any term or portion of this Agreement is held to be invalid,
illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining
provisions of this Agreement shall continue in full force and effect.
28.9 Controlling Law and Venue. The laws of the State of California shall govern
this Agreement and all matters relating to it and any action brought relating to this
Agreement shall be adjudicated in a court of competent jurisdiction in the County of
Orange, State of California.
28.10 Equal Opportunity Employment. Consultant represents that it is an equal
opportunity employer and it shall not discriminate against any subcontractor, employee
or applicant for employment because of race, religious creed, color, national origin,
ancestry, physical handicap, medical condition, marital status, sex, sexual orientation,
age or any other impermissible basis under law.
28.11 No Attorneys' Fees. In the event of any dispute or legal action arising under
this Agreement, the prevailing party shall not be entitled to attorneys' fees.
28.12 Counterparts. This Agreement may be executed in two (2) or more
counterparts, each of which shall be deemed an original and all of which together shall
constitute one (1) and the same instrument.
[SIGNATURES ON NEXT PAGE]
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed
on the dates written below.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date:
By:
Aaron C. Harp
City Attorney
ATTEST:
Date:
By:
Lena Shumway
City Clerk
CITY OF NEWPORT BEACH,
a California municipal corporation
Date:
By:
Grace K. Leung
City Manager
CONSULTANT: TEC-REFRESH, INC, a
California corporation
Date:
By:
Efrem Gonzales
Chief Executive Officer
Date:
By:
Je ica Gonzales
Chief Financial Officer, Secretary
[END OF SIGNATURES]
Attachments: Exhibit A - Scope of Services
Exhibit B - Schedule of Billing Rates
Exhibit C - Insurance Requirements
EXHIBIT A
SCOPE OF SERVICES
Scope of Work
Penetration Test
City of Newport Beach
Prepared for:
City of Newport Beach
Joey Bensie
Prepared by:
Tec-Refresh, Inc.
Efrem Gonzales
SOW#: QUO-2283
2025 Tec-Refresh Corporation. All rights reserved. Tec-Refresh® is a trademark of the Tec-Refresh Corporation in the United States.
Term/Schedule
The following resources will perform work as outlined below:
Functional Role | Phone | Email
Efrem Gonzales - President & CEO | 909-693-4011 | efrem.gonzales@tec-refresh.com
Matt Tammaro - Project Manager | 617-829-9617 | matt.tammaro@tec-refresh.com
Miguel Martinez - Chief Technology Officer | 909-366-5616 | miguel.martinez@tec-refresh.com
Cory Holmes - VP of Infrastructure Services | 909-366-5615 | cory.holmes@tec-refresh.com
Jose Ayala - Information Technology Specialist | 949-662-2755 | jose.ayala@tec-refresh.com
Scope of Work
This document defines the scope of the Penetration Testing engagement for City of Newport
Beach, outlining the key areas to be assessed. Conducted by Tec-Refresh's team of seasoned
security professionals, this assessment aims to identify vulnerabilities, evaluate real-world attack
scenarios, and provide actionable recommendations to enhance the organization's overall security
posture.
Tec-Refresh follows a structured, industry-standard methodology to ensure a comprehensive
evaluation, including:
• Intelligence Gathering - Identifying publicly available information and potential attack
vectors.
• Threat Modeling - Assessing risks based on the client's infrastructure, systems, and threat
landscape.
• Vulnerability Analysis - Identifying security weaknesses through automated and manual
testing.
• Exploitation - Simulating real-world attacks to determine the impact of discovered
vulnerabilities.
• Post Exploitation - Evaluating the extent of system compromise and potential lateral
movement.
• Reporting - Providing a detailed assessment of findings, risks, and prioritized remediation
steps.
• Remediation Testing - Verifying the effectiveness of implemented security fixes.
This engagement is designed to provide City of Newport Beach with a clear understanding of its
security risks and a strategic approach to mitigating potential threats.
Objectives
The main objectives of the penetration test are to:
• Identify potential security weaknesses in the client's IT infrastructure, network architecture,
and physical security measures
• Evaluate the effectiveness of the client's current security controls and incident response plan
• Test the client's personnel awareness and response to security threats
• Provide recommendations to improve the overall security posture of the organization
• Perform controlled password cracking assessment on Active Directory environment
• Extract password hashes from authorized AD sources (e.g., NTDS.dit, SAM, or LSASS
memory dumps), only with prior written approval
• Assess password policy effectiveness (length, complexity, expiration, lockout policies)
External Network Testing
• Identify and assess vulnerabilities in publicly accessible systems (e.g., web applications, VPN
endpoints, email servers, cloud-exposed assets).
• Evaluate the effectiveness of perimeter defenses including firewall rules, intrusion
detection/prevention systems, and access control lists.
• Attempt to exploit identified vulnerabilities to determine potential unauthorized access or
data exposure risks.
• Assess patch management and hardening practices for externally facing infrastructure.
Web Application Testing
• Perform reconnaissance and enumerate exposed endpoints, routes, and APIs.
• Conduct manual testing aligned with the OWASP Top 10 (e.g., SQL injection, XSS, CSRF,
insecure deserialization, broken access control).
• Test both authenticated and unauthenticated paths, including MFA validation where
applicable.
• Manually assess for logic flaws (e.g., bypassing approval workflows, modifying transactions,
privilege escalation).
• Review application security controls: session management, security headers, error handling,
and authorization enforcement.
• Provide remediation guidance aligned to secure development lifecycle practices.
Target Environment: The Target Environment includes Web Applications and Websites. The page
amounts represent the total number of unique pages to be tested within the scope of that Web
Application or Website.
• Quest: 55 pages approx.
• Harbor: 40 pages approx.
• NBJG: 40 pages approx.
• Payforms (Donation): 2 pages
• BillPay: 4 pages
• CounterQue: 1 page
• API: 2 pages
• Library: 20 pages
• NotifyNB: 10 pages
• RSS CLASS Manager: 20 pages
Internal Penetration Test
• Enumerate internal assets, users, SMB shares, and trust relationships within the
environment.
• Identify vulnerabilities such as outdated systems, weak credentials, insecure protocols (e.g.,
LLMNR, NetBIOS), or poorly configured services.
• Assess patching practices and system hardening effectiveness on internal systems.
• Perform an Active Directory posture review: privilege escalation paths, credential harvesting
opportunities, Kerberoasting, and lateral movement simulations.
• Validate network segmentation effectiveness between different user groups or business
units.
• Provide a prioritized risk-based assessment of issues with highest potential impact on
institutional data.
Active Directory Password Cracking
• Evaluate the strength of user passwords within Active Directory by testing recovered
password hashes.
• Identify weak, reused, or non-compliant passwords that could allow unauthorized access to
municipal systems.
• Validate compliance with the municipality's password policy and applicable best practices
for password security.
• Highlight risks associated with privileged or service accounts that may be protected with
weak or outdated passwords.
• Provide clear, actionable recommendations to strengthen password security and reduce the
likelihood of compromise.
Enhanced SOW Clause NTDS.DIT Access and Password Cracking
If Tec-Refresh cannot obtain Active Directory (NTDS.DIT) access during the authorized penetration
test, the City of Newport Beach will, with prior written approval, provide secure access or an export
for offline password strength testing. Tec-Refresh will use industry-standard, non-destructive
methods, disclose results only to the City, and securely destroy all artifacts after reporting.
Physical Security Testing
• Test Access Controls: Assess the effectiveness of physical barriers such as doors, locks,
gates, and mantraps. This includes attempts at lock picking and bypassing electronic access
controls (e.g., RFID/badge readers).
• Evaluate Surveillance: Determine the effectiveness of camera systems and security
personnel in detecting and responding to unauthorized intrusion attempts.
• Assess Employee Awareness: Test the security awareness of staff through various social
engineering techniques, including impersonation, pretexting, and tailgating.
• Identify Information Exposure: Attempt to gain access to sensitive areas (e.g., offices, server
rooms, file rooms) and identify opportunities for data theft or system compromise via
methods like USB drops.
• Provide Remediation Guidance: Deliver a detailed report with prioritized, actionable
recommendations to mitigate identified risks and improve the overall security posture.
Testing Type | Scope Details
External Test | -30 IP Targets
Web Application | Quest, Harbor, NBJG, Payforms, BillPay, CounterQue, API, Library, NotifyNB, RSS CLASS Manager
Internal Test | -1800 IP Targets (Includes PC's, Servers, Printers, Phones, etc.)
AD Password Cracking | Perform controlled password cracking assessment on Active Directory environment.
Physical Security Testing | Security audit to identify weaknesses in the municipality's physical security posture of 1 facility.
Physical Security Testing (Controlled Engagement)
Tec-Refresh, Inc. ("Consultant") will perform a coordinated evaluation of the City of Newport
Beach's physical security posture. All testing will be pre-authorized, scheduled, and
supervised by designated City representatives to ensure safety, transparency, and minimal
operational impact. Physical security testing will only be conducted at City Hall as authorized
herein. A City representative shall be on call and reachable in real-time throughout the
execution of all physical security testing to ensure immediate communication and
necessary intervention if a situation warrants it, thereby protecting City assets and
personnel.
1. Access Control Validation
Consultant will assess the effectiveness of physical barriers such as doors, locks, gates, and
badge readers. Activities will consist of observational review and controlled entry
testing using City-approved credentials or mock scenarios under staff supervision. No forced
entry or damage will occur.
2. Surveillance and Response Review
Consultant will evaluate the ability of camera systems, alarm mechanisms, and security
personnel to detect and respond to authorized, simulated intrusion attempts. Testing will be
confined to predetermined locations and times.
3. Employee Awareness Assessment
Consultant may conduct limited, City-approved awareness exercises (e.g., polite tailgating,
pretexting, or visitor protocol testing) to evaluate adherence to access-control policies. Each
scenario will be coordinated in advance.
4. Information Exposure Review
Consultant will inspect authorized areas for potential information exposure, such as
unattended sensitive documents, visible password notes, or unsecured removable media,
without removing, copying, or tampering with any City property.
5. Remediation Guidance
Following completion, Consultant will deliver a written report detailing observed risks, strengths,
and prioritized, actionable recommendations to enhance the City's overall physical security
posture and staff awareness.
Testing Coordination & Safety Protocols
To safeguard all participants and City property, Tec-Refresh adheres to strict coordination and
safety procedures during physical security engagements.
1. Authorization & Notification
• Written authorization from the City will be obtained prior to testing.
• Testing windows, facilities, and points of contact will be mutually agreed upon in writing.
• A City Point of Contact (POC) will be notified immediately before and after each test
activity.
2. Identification & Credentials
• All Tec-Refresh personnel will carry photo identification and a City-issued letter of
authorization on City letterhead.
• If approached by City employees, security, or law enforcement, testers will immediately
identify themselves and present documentation.
3. Safety Measures
• No lock damage, forced entry, or system tampering will occur.
• No removal or duplication of City data or property will be performed.
• All testing is non-destructive and designed to simulate realistic conditions safely.
4. Incident Response Protocol
• If any misunderstanding or confrontation arises, testers will disengage, notify the City
POC, and await further instruction.
• A debrief will be conducted to document the event and ensure transparency.
5. Confidentiality & Reporting
• All findings are confidential and shared solely with authorized City personnel.
• A final report and review meeting will be conducted to discuss observations,
recommendations, and next steps.
Penetration Testing Methodology
The Tec-Refresh, Inc. Penetration Testing Team uses a methodology based on the
Penetration Testing Execution Standard (PTES) and further informed by the Open Web
Application Security Project (OWASP) testing guidelines and ongoing research. Testing is
also, if necessary, conducted in accordance with Payment Card Industry (PCI) guidelines or
Health Insurance Privacy and Portability Act (HIPAA) standards. All of our testing
engagements meet or exceed compliance requirements.
Testers spend on average 20% of efforts on automated techniques and 80% on manual
testing.
A more detailed description of the methodology is available upon request.
Overview
The Tec-Refresh Penetration Testing Methodology consists of five major phases of testing:
• Intelligence Gathering: Using various degrees of open source intelligence (OSINT)
and scanning to gather information about the target environment. Examples:
  o OSINT - LinkedIn, Twitter, Facebook
  o Leaked Documentation - Network drawings or information, organizational
  chart
  o DNS Records - Identifying potential targets
  o Generated Certificates - Identifying potential targets
  o Leaked Credentials - Credential stuffing
• Threat Modeling: Reviewing information about the target environment and similar
environments to determine major assets and possible threat agents and motivations.
  o Identify Primary and Secondary Targets
    • Assets: CRM, Databases, key infrastructure, etc.
    • Data: SSN, CC, PH
    • Personnel: Exec Assistants, HR, Sales
  o Entry points and Components
    • Web, API, E-mail, SMS
  o Permissions
    • Users
    • Privileges
  o Target Mitigations
    • WAF, MFA, Firewall Policy
  o Attack Planning
• Vulnerability Analysis: Probing guided by gathered intelligence to determine and
rank potential weaknesses in the environment.
  o Hosts, Services, and Application Identification
    • Tools: Nmap, Nessus, Burp Suite, BYOS
  o Identify Attack Vectors
    • Sources: ExploitDB, Github, Google*
  o Identify Ease of Exploitability
    • Time/Resources Required
  o Severity of Vulnerability
    • Escalation
  o Risk or Damage of Exploitation
    • DoS, Destruction of Data
• Exploitation: Leveraging vulnerabilities to access sensitive information and locate
potential pivot points for post-exploitation.
  o Exploit
    • Logic flaws, misconfigurations, unpatched systems
  o Validation of Vulnerability Analysis
    • Application/System Operational
    • Risk
  o Successful Exploitation
    • Reconnaissance, Discovery, Intelligence Gathering
  o Cleanup
    • Ensure no additional risk
• Post-Exploitation: Collecting information on potential additional targets, from which
the cycle may be repeated.
  o Information gathering
  o Credentials
  o Privilege Escalation
  o Sample (proof of exploitation)
  o Pivot
  o Internal (scope permitting)
  o Lateral Movement
• Reporting: Notifications of major findings, daily progress, and final reporting of all
findings along with recommended remediation steps.
  o Daily Reporting
    • Progress
    • Findings of the day
  o Reporting Platform
    • Securely Hosted
    • Bidirectional Communication with Customer and Penetration Tester.
  o Remediation and Recommendations
  o Finding Criticality
    • Critical
    • High
    • Medium
    • Low
• Remediation Testing: Validating remediation of the original findings
  o Normally within 1-2 months after original assessment
  o Validated Remediation of original findings
Included in all Tec-Refresh Penetration Test Assessment
Every test will be different, but all tests will follow the same basic workflow below:
[Figure: penetration testing workflow cycle. Legible stage labels: Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post Exploitation.]
Software and Tools
Various commercial and publicly available tools as well as some tools developed by Tec-
Refresh are used during testing. All are subject to detailed review and evaluation. Example
List of tools:
Acunetix
Custom Python/Bash Scripts
BurpSuite
dirs3arch
Chrome Add-ons
Maltego
Empire
theHarvester
Responder
eSearchy
Crackmapexec
Nessus
SQLMap
Shodan
SQLNinja
Skipfish
Firefox Add-ons
Nikto
Metasploit
Exploitation Protocol
Testers follow a methodical approach to identify services and vulnerabilities associated with
findings to determine the risk and probability of success. Using this information testers make
a calculated decision on whether or not to proceed with exploitation. Testers are in constant
communication with the client. The client may choose to move forward or test potentially
disruptive exploits on QA or Test environments.
Testers ensure no new vulnerabilities or risk is introduced by exploiting any vulnerability
identified.
• Exploitation: Leveraging vulnerabilities to access sensitive information and locate
potential pivot points for post-exploitation.
  o Exploit
    • Logic flaws, misconfigurations, unpatched systems
  o Validation of Vulnerability Analysis
    • Application/System Operational
    • Risk
  o Successful Exploitation
    • Reconnaissance, Discovery, Intelligence Gathering
  o Cleanup
    • Ensure no additional risk
• Post-Exploitation: Collecting information on potential additional targets, from which
the cycle may be repeated.
  o Information gathering
  o Credentials
  o Privilege Escalation
  o Sample (proof of exploitation)
  o Pivot
  o Internal (scope permitting)
  o Lateral Movement
Backout Procedures for Invasive Techniques
During the Vulnerability Analysis phase of our methodology, testers determine the risk
associated with an exploit. Testers take into account the potential to cause service/business
impact and the potential to introduce additional risk with a successful exploration. Testers
use this to determine whether or not to proceed with exploitation of any particular finding.
Although the intent of testers is not to disrupt services, in rare occurrences services are
impacted by scans in the information gathering phase and sometimes. Testers identify
targets and verify they are operational prior to beginning any phase of the penetration test. In
the event of service interruption, testers will immediately contact City staff emergency
contacts (gathered and listed in scope document).
Deliverable Materials
Upon completion of the assessment, the penetration testing team will provide a report that
includes the following:
• An Executive Summary of the engagement and key findings.
• A narrative of the assessment activities performed.
• A list of all identified vulnerabilities, documented with photographic evidence.
• A risk rating (Critical, High, Medium, Low) for each finding based on impact and likelihood.
• Clear, concise, and actionable recommendations for remediation for each finding.
Timeline and Logistics
The timeline for the penetration test will depend on the size and complexity of the client's
organization and the types of tests they wish to have performed. Based on the pre-engagement
calls, the following timeline has been determined based on the provided testing criteria:
Test Type | Test Timeline
External Penetration Testing | 3 Days
Web Application Penetration Testing | 1 Week
Internal Penetration Testing | 1 Week
AD Password Assessment | 1 Day
Physical Security Testing | 1 Day
The wireless and physical social engineering components will be conducted onsite. The remaining
assessments will be conducted remotely. The penetration testing team will coordinate with the
client's IT and security teams to minimize disruption to business operations.
Assumptions and Limitations
The Penetration test is designed to identify potential security weaknesses and provide
recommendations for improvement. However, there are certain limitations to the assessment,
including:
• The assessment does not guarantee the complete security of the client's IT infrastructure
and network architecture
• The assessment may not identify all potential security weaknesses
• The assessment is limited to the scope outlined in this document and will be further clarified
in the Penetration Testing Scoping and Authorization document
• Physical Security Testing Client Responsibilities:
  o Provide authorization for the assessment in writing.
  o Provide a "Get Out of Jail Free" letter for each member of the on-site testing team.
  o Provide the name and 24/7 mobile phone number for at least two (2) emergency
  points of contact who are aware of the test.
  o Notify the Newport Beach Police Department and any third-party security monitoring
  companies of the testing window to avoid an unnecessary incident response.
Physical Security Testing Rules of Engagements
• Assessment Period:
  o The engagement will be performed over one (1) consecutive business day.
  o Testing Hours: All on-site activities will be restricted to City Hall's normal business
  hours, Monday - Friday, 8:00 AM to 5:00 PM Pacific Time.
• Prohibited Actions:
  o Intentional damage to property, assets, or infrastructure is strictly prohibited.
  o No use of force to open doors, windows, or containers.
  o Disabling or interfering with life-safety systems (e.g., fire alarms, suppression
  systems) is forbidden.
  o No accessing or exfiltration of sensitive Personally Identifiable Information (PII),
  financial data, or classified city records. If such information is discovered, the team will
  document its location and accessibility without viewing or copying the data itself.
  o Testers will avoid creating significant disruption to daily municipal operations.
• Permitted Actions:
  o Social engineering (in-person, phone pretexting), tailgating, and impersonation are
  permitted.
  o Non-destructive lock picking and bypassing of locks are permitted. Note: While every
  effort is made to be non-destructive, lock picking carries a minor, inherent risk of
  damage to lock mechanisms.
  o Attempts to clone or skim RFID badges are permitted.
  o Placing benign USB drives in public/common areas is permitted. The drives will
  contain a harmless file that "calls home" when opened to track engagement.
• De-confliction Protocol: The Municipality will provide the assessment team with a "Get Out
of Jail Free" letter on official letterhead. This letter will state the nature of the authorized
testing and provide the 24/7 contact information for a designated emergency point of
contact. Testers will present this letter only if directly challenged or detained by law
enforcement or security personnel.
Project Change Control Procedure
City shall have the right to request, in writing, changes in the Work. Any such changes mutually
agreed upon by the Parties, and any corresponding increase or decrease in compensation and/or
rates, shall be incorporated by written amendment to this Agreement.
Completion Criteria
Tec-Refresh shall have fulfilled its obligations when any one of the following first occurs:
• Tec-Refresh accomplishes the activities described within this SOW, including delivery to Client
of the materials listed in the section entitled "Deliverable Materials," and Client accepts such
activities and materials without unreasonable objections.
• The Tec-Refresh and/or the Client has the right to cancel services or deliverables not yet
provided with 10 business days advance written notice to the other party.
EXHIBIT B
SCHEDULE OF BILLING RATES
Tec-Refresh, Inc. Page B-1
Invoice Schedule
The Client will be invoiced for the consulting services and T&L expenses.
The Client will be invoiced all costs associated with out-of-pocket expenses (including, without
limitation, costs, and expenses related to meals, lodging, local transportation, and any other
applicable business expenses) listed on the invoice as a separate line item. Reimbursement for
out-of-pocket expenses in connection with the performance of this SOW, when authorized and up to
the limits set forth in this SOW, shall be in accordance with Client's then-current published policies
governing travel and associated business expenses, which information shall be provided by the
Client Project Manager. The limit of reimbursable costs pursuant to this SOW is estimated to be
15% of the fees unless otherwise authorized in writing and agreed to by both parties via the project
change control procedure outlined within.
Invoices shall be submitted, referencing this Client's SOW Number to the address indicated above.
Each invoice will reflect charges for the time period being billed and cumulative figures for previous
periods. Terms of payment for each invoice are NET30. The Contractor shall provide Client with
sufficient details to support its invoices, including timesheets for services performed and expense
receipts and justifications for authorized expenses unless otherwise agreed to by the parties.
Exhibit B
Billing Rates
This engagement will be conducted as a fixed-rate project. The total value for the
Services pursuant to this SOW shall not exceed $43,200.00 as outlined in Sales Proposal QUO-2283
unless otherwise agreed to by both parties via the project change control procedure, as outlined within.
A PCR will be issued specifying the amended value if any changes are needed.
Tec-Refresh, Inc. will require a 25% deposit of $10,800 before the start.
The figures are based upon approved professional services to complete deliverables pursuant to the
SOW. The Tec-Refresh will provide sufficient resources based on the following functional/rate structure.
Name | Description | Rate | # of Days | Cost
TR-EXT-PT-S | External Penetration Testing 1-Days | $2,800.00 | 3 | $8,400.00
TR-INT-PT-M | Internal Penetration Testing: - Timeline 1-Week | $2,800.00 | 5 | $14,000.00
TR-WEB-PS | Web Application Penetration Test + Reporting Web Targets 1-Week | $2,800.00 | 5 | $14,000.00
TR-INT-AD-PSWD | AD Password Cracking Assessments - 1-Day | $2,800.00 | 1 | $2,800.00
TR-PHYS-PS | Physical Security Testing - 1 Day | $4,000.00 | 1 | $4,000.00
Contract not to exceed total | | | | $43,200.00
EXHIBIT C
INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES
1. Provision of Insurance. Without limiting Consultant's indemnification of City,
and prior to commencement of Work, Consultant shall obtain, provide and
maintain at its own expense during the term of this Agreement, policies of
insurance of the type and amounts described below and in a form satisfactory
to City. Consultant agrees to provide insurance in accordance with
requirements set forth here. If Consultant uses existing coverage to comply
and that coverage does not meet these requirements, Consultant agrees to
amend, supplement or endorse the existing coverage.
2. Acceptable Insurers. All insurance policies shall be issued by an insurance
company currently authorized by the Insurance Commissioner to transact
business of insurance in the State of California, with an assigned policyholders'
Rating of A- (or higher) and Financial Size Category Class VII (or larger) in
accordance with the latest edition of Best's Key Rating Guide, unless otherwise
approved by the City's Risk Manager.
3. Coverage Requirements.
A. Workers' Compensation Insurance. Consultant shall maintain Workers'
Compensation Insurance, statutory limits, and Employer's Liability
Insurance with limits of at least one million dollars ($1,000,000) each
accident for bodily injury by accident and each employee for bodily injury
by disease in accordance with the laws of the State of California.
Consultant shall submit to City, along with the certificate of insurance, a
Waiver of Subrogation endorsement in favor of City of Newport Beach,
its City Council, boards and commissions, officers, agents, volunteers
and employees.
B. General Liability Insurance. Consultant shall maintain commercial
general liability insurance, and if necessary excess/umbrella liability
insurance, with coverage at least as broad as provided by Insurance
Services Office form CG 00 01, in an amount not less than two million
dollars ($2,000,000) per occurrence, four million dollars ($4,000,000)
general aggregate. The policy shall cover liability arising from bodily
injury, property damage, personal and advertising injury, and liability
assumed under an insured contract (including the tort liability of another
assumed in a business contract).
Consultant shall submit to City, along with a certificate of insurance,
additional coverage as stated in Section 4. Other Insurance
Requirements.
C. Automobile Liability Insurance. Consultant shall maintain automobile
insurance at least as broad as Insurance Services Office form CA 00 01
covering bodily injury and property damage for all activities of
Consultant arising out of or in connection with Work to be performed
under this Agreement, including coverage for any owned, hired,
non-owned or rented vehicles, in an amount not less than one million dollars
($1,000,000) combined single limit each accident.
Consultant shall submit to City, along with a certificate of insurance,
additional coverage as stated in Section 4. Other Insurance
Requirements.
D. Cyber/Technology Errors and Omissions (E&O) Insurance. Consultant
shall maintain a liability policy combining cyber and technology
professional E&O insurance in an amount not less than two million
dollars ($2,000,000) per occurrence and four million dollars
($4,000,000) in the aggregate. Coverage shall be sufficiently broad to
respond to the duties and obligations as is undertaken by the
Consultant in this agreement and shall include, but not be limited to,
claims involving security breach, system failure, data recovery,
business interruption, cyber extortion, social engineering, infringement
of intellectual property, including but not limited to infringement of
copyright, trademark, trade dress, invasion of privacy violations,
information theft, damage to or destruction of electronic information,
release of private information, and alteration of electronic information.
The policy shall provide coverage for breach response costs, regulatory
fines and penalties as well as credit monitoring expenses or
remediation services.
Consultant shall submit to City, along with a certificate of insurance,
additional coverage as stated in Section 4. Other Insurance
Requirements.
E. Excess/Umbrella Liability Insurance. If any Excess or Umbrella Liability
policies are used to meet the limits of liability required by this contract,
then said policies shall be "following form" of the underlying policy
coverage, terms, conditions, and provisions and shall meet all of the
insurance requirements stated in this contract, including, but not limited
to, the additional insured and primary & non-contributory insurance
requirements stated herein. No insurance policies maintained by the
City, whether primary or excess, and which also apply to a loss covered
hereunder, shall be called upon to contribute to a loss until the
Contractor's primary and excess/umbrella liability policies are
exhausted.
Consultant shall submit to City, along with a certificate of insurance,
additional coverage as stated in Section 4. Other Insurance
Requirements.
4. Other Insurance Requirements. The policies are to contain, or be endorsed to
contain, the following provisions:
A. Waiver of Subrogation. All insurance coverage maintained or procured
pursuant to this Agreement shall be endorsed to waive subrogation
against City of Newport Beach, its City Council, boards and
commissions, officers, agents, volunteers, employees or shall
specifically allow Consultant or others providing insurance evidence in
compliance with these requirements to waive their right of recovery prior
to a loss. Consultant hereby waives its own right of recovery against
City, and shall require similar written express waivers from each of its
subconsultants.
B. Additional Insured Status. All liability policies including general liability,
excess/umbrella liability, and automobile liability, if required, but not
including errors and omissions liability, shall provide or be endorsed to
provide that City of Newport Beach, its City Council, boards and
commissions, officers, agents, volunteers, employees shall be included
as insureds under such policies.
C. Primary and Non Contributory. All liability coverage shall apply on a
primary basis and shall not require contribution from any insurance or
self-insurance maintained by City.
D. Notice of Cancellation. All policies shall provide City with thirty (30)
calendar days' notice of cancellation (except for nonpayment for which
ten (10) calendar days' notice is required) or nonrenewal of coverage
for each required coverage.
E. Subcontractors. Contractor shall require and verify that all
subcontractors maintain insurance meeting all the requirements stated
herein, and Contractor shall ensure that City is an additional insured on
insurance required from subcontractors. For CGL coverage
subcontractors shall provide coverage with a format at least as broad
as CG 20 38 04 13. Limits of liability for General Liability and
Cyber/Technology (Errors & Omissions) in an amount not less than one
million dollars ($1,000,000) per occurrence, two million dollars
($2,000,000)
5. Additional Agreements Between the Parties. The parties hereby agree to
the following:
A. Evidence of Insurance. Consultant shall provide certificates of insurance
to City as evidence of the insurance coverage required herein, along
with a waiver of subrogation endorsement for workers' compensation
and other endorsements as specified herein for each coverage.
Insurance certificates and endorsement must be approved by City's
Risk Manager prior to commencement of performance. Current
certification of insurance shall be kept on file with City at all times during
the term of this Agreement. The certificates and endorsements for each
insurance policy shall be signed by a person authorized by that insurer
to bind coverage on its behalf. At least fifteen (15) days prior to the
expiration of any such policy, evidence of insurance showing that such
insurance coverage has been renewed or extended shall be filed with
the City. If such coverage is cancelled or reduced, Consultant shall,
within ten (10) days after receipt of written notice of such cancellation or
reduction of coverage, file with the City evidence of insurance showing
that the required insurance has been reinstated or has been provided
through another insurance company or companies. City reserves the
right to require complete, certified copies of all required insurance
policies, at any time.
B. City's Right to Revise Requirements. City reserves the right at any time
during the term of the Agreement to change the amounts and types of
insurance required by giving Consultant sixty (60) calendar days'
advance written notice of such change. If such change results in
substantial additional cost to Consultant, City and Consultant may
renegotiate Consultant's compensation.
C. Right to Review Subcontracts. Consultant agrees that upon request, all
agreements with subcontractors or others with whom Consultant enters
into contracts with on behalf of City will be submitted to City for review.
Failure of City to request copies of such agreements will not impose any
liability on City, or its employees. Consultant shall require and verify
that all subcontractors maintain insurance meeting all the requirements
stated herein, and Consultant shall ensure that City is an additional
insured on insurance required from subcontractors. For CGL coverage,
subcontractors shall provide coverage with a format at least as broad
as CG 20 38 04 13.
D. Enforcement of Agreement Provisions. Consultant acknowledges and
agrees that any actual or alleged failure on the part of City to inform
Consultant of non-compliance with any requirement imposes no
additional obligations on City nor does it waive any rights hereunder.
E. Requirements not Limiting. Requirements of specific coverage features
or limits contained in this Section are not intended as a limitation on
coverage, limits or other requirements, or a waiver of any coverage
normally provided by any insurance. Specific reference to a given
coverage feature is for purposes of clarification only as it pertains to a
given issue and is not intended by any party or insured to be all
inclusive, or to the exclusion of other coverage, or a waiver of any type.
If the Consultant maintains higher limits than the minimums shown
above, the City requires and shall be entitled to coverage for higher
limits maintained by the Consultant. Any available insurance proceeds
in excess of the specified minimum limits of insurance and coverage
shall be available to the City.
F. Self-insured Retentions. Any self-insured retentions must be declared
to and approved by City. City reserves the right to require that self-insured
retentions be eliminated, lowered, or replaced by a deductible.
Self-insurance will not be considered to comply with these requirements
unless approved by City.
G. City Remedies for Non-Compliance. If Consultant or any subconsultant
fails to provide and maintain insurance as required herein, then City
shall have the right but not the obligation, to purchase such insurance, to
terminate this Agreement, or to suspend Consultant's right to proceed
until proper evidence of insurance is provided. Any amounts paid by City
shall, at City's sole option, be deducted from amounts payable to
Consultant or reimbursed by Consultant upon demand.
H. Timely Notice of Claims. Consultant shall give City prompt and timely
notice of claims made or suits instituted that arise out of or result from
Consultant's performance under this Agreement, and that involve or
may involve coverage under any of the required liability policies. City
assumes no obligation or liability by such notice, but has the right (but
not the duty) to monitor the handling of any such claim or claims if they
are likely to involve City.
Consultant's Insurance. Consultant shall also procure and maintain, at
its own cost and expense, any additional kinds of insurance, which in its
own judgment may be necessary for its proper protection and
prosecution of the Work.
Mulvey, Jennifer
Subject: FW: Tec-Refresh
From: Yaghsezian, Lorig <LYaghsezian@newportbeachca.gov>
Sent: January 13, 2026 1:04 PM
To: Mulvey, Jennifer <JMulvey@newportbeachca.gov>
Subject: RE: Tec-Refresh
Name: Tec-Refresh
Account Number: FV000014U
Address: 100 Bayview Circle, Suite 230, Newport Beach, CA, 92660
Status: Compliant with Waived Deficiencies.
The following deficiencies are according to last validation on: 01/13/2026
Deficiencies Information
Date | Policy Coverage | Deficiency | Waived | Waiver Reason | Created By
[illegible in source] | Auto Liability | Auto Liability - Additional Insured Endorsement is non compliant for following reason(s): "We have not received a required Additional Insured Endorsement." | Yes | Business Decision | tgreggs
[illegible in source] | Auto Liability | Auto Liability - ANY Auto or Owned, Hired Non-Owned Autos are not properly identified. Scheduled Auto NOT allowed. | Yes | Business Decision | tgreggs
[illegible in source] | Auto Liability | Auto Liability - Waiver of Subrogation Endorsement is non compliant for following reason(s): "We have not received the required waiver of subrogation endorsement" | Yes | Business Decision | tgreggs
[illegible in source] | Auto Liability | Auto Liability - Primary/Non Contributory Endorsement is non compliant for following reason(s): "We have not received a required Primary & Non-Contributory Endorsement." | Yes | Business Decision | tgreggs