City of Portland Shared Electric Scooter Permit Application Bird Rides Inc. 406 Broadway Ave # 369 Santa Monica, CA 90401 www.bird.co hello@bird.co 1-866-205-2442 Imagine a world with fewer cars. 065% @040 M) 640% $10 040% About Bird Bird is a last-mile electric vehicle sharing company dedicated to bringing affordable, environmentally friendly transportation solutions to communities across the world. It is the first company in the world to provide a fleet of shared electric scooters that can be accessed via smartphone. Birds give people looking to take a short journey across town or down that “lastmile” from the subway or bus to their destination a way to do so that does not pollute the air or add to traffic. Bird is a reliable and affordable transportation option for people who live and work across the country. Current Bird Operations Bird currently operates in Los Angeles, San Diego, San Jose, Washington DC, Austin, Atlanta, Scottsdale, Tempe, Charlotte, Memphis, San Antonio, Oakland, Arlington, Milwaukee, Baltimore, Dallas, Minneapolis, St. Paul, Columbus, Kansas City MO, Raleigh and Santa Monica. Bird began operations in our first City, Santa Monica in September 2017. The number of scooters operating in each city varies depending on a variety of reasons, especially ridership levels. With about 1,500 scooters currently in Santa Monica, the city has proposed to regulate fleet size based on the number of average rides per day per vehicle rather than a static, arbitrary limit on the number of scooters in their city. This allows fleets to slowly grow in size as more people adopt sustainable modes of transportation. There are pitfalls that come with both oversupplying and undersupplying fleets. If there are too few scooters available and riders are not able to easily find one, it encourages them to seek out other, less sustainable transportation modes such as Transportation Network Companies (TNCs) or simply driving themselves. San Francisco, for example, is imposing a highly restrictive static cap of 250 scooters per permit. This will ultimately undermine their goal to have equitable distribution of sustainable transportation options throughout the city and force service into a limited, highly trafficked area. Legal Actions • • • • • People of the State of California v. Bird Rides, Inc. (Los Angeles Superior Court, Case No. 7AR24425) (dismissed February 13, 2018) Nader Modgeddi v. Bird Rides, Inc. (Los Angeles Superior Court, Case No. 18STSC01892) (Small claims) Carolyn Matteo et. al. v. Bird Rides, Inc. (Los Angeles Superior Court, Case No. BC709628) Certain Underwriters at Lloyd’s, London v. Bird Rides, Inc. (Third Judicial District Court - Salt Lake County, UT, Case No. 180904322) City of Milwaukee v. Bird Rides, Inc. et al (Milwaukee County Circuit Court: Case No. 18CV005630) Regulatory Enforcement Actions • None Bird Scooter Our vehicle is completely electric and provides a comfortable yet efficient ride. With a top speed of 15 miles per hour, the Bird scooter will get the rider to their destination on time. The four-digit identification is located in between the handle bars. 690% @640 J10 040% M) 660% (55% ago 11? 640% M) 643% (52,9? @040 J29 (90% 3:10) 590% 690% @6430 1:19 660% M) 660% ?ma, J19 660% 319 cm Customer Service Operations Our customer service operations are run out of southern California. Bird’s 24-hour customer service number is 1.866.205.2442, and riders can also report any safety issues or maintenance concerns through our app. Translation services are available through our customer service number in several languages, with more being added each week. @040 J29 640% 3:10) 560% Safety History Report Complaint History Report @040 J19 040% M) 660% (52,9? @040 J29 (90% 3:10) 590% (52,9? @040 J29 (90% 3:10) 590% Venzo" TAKE PHOTO TO END RIDE Taxe a photo of the 81rd to help the next rider find It. 3:10) 590 M) 660% (55% ago 11? 640% Private Policy The Bird App requires use of the riders smartphone camera and location services. Bird takes pride in their protection of user data. We do not use this data for any commercial purposes. Privacy Policy Last Changes to Privacy Policy: August 1, 2017 We are strongly committed to letting you know how we will collect and use your personal information. The policies below are applicable to data and information collected when you use the Bird Rides, Inc. network of websites, including www.Bird.co (including any versions optimized for viewing on a wireless or tablet device); all email newsletters published or distributed by Bird Rides, Inc.; all apps published by Bird Rides, Inc., including the “Bird” app; activate a Bird vehicle (“Vehicle”) or use any other services made available by Bird Rides, Inc. (“Service”) and all other interactive features and communications provided by Bird Rides, Inc. (“App”), however accessed and/or used, that are operated by us, made available by us, or produced and maintained by us and our related companies (collectively “Bird” or “we”, “us”, or “our”). We have established this privacy policy (“Privacy Policy”) to let you know the kinds of personal information we may gather during your use of this App, why we gather your information, what we use your personal information for, when we might disclose your personal information, and how you can manage your personal information. Please be advised that the practices described in this Privacy Policy apply to information gathered online through our App, through our websites and otherwise by our customer service personnel. It does not apply to information that you may submit to organizations to which we may link or who may link to us or information that we may receive about you from other organizations. By using our App, you are accepting the practices described in our Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use the App. We reserve the right to modify or amend the terms of our Privacy Policy from time to time without notice. Your continued use of our App following the posting of changes to these terms will mean you accept those changes. If we intend to apply the modifications or amendments to this Privacy Policy retroactively or to personal information already in our possession, we will provide you with notice of the modifications or amendments. If you have any questions about this Privacy Policy or don’t see your concerns addressed here, you should contact us by email at hello@bird.co. WHAT INFORMATION ABOUT ME IS COLLECTED AND STORED? We collect two basic types of information from you in conjunction with your use of the App, personal information and non-personal information. Personal information is information that you supply to us, as described more fully below, i.e., when you use our Services, obtain a subscription, complete a survey, register on the App, upload content, participate in a community, or provide your e-mail address. Personal information is any information that can individually identify you and includes, among other things, your name, e-mail address, telephone number, postal address, credit card, billing and contact information. Non-personal information includes information that does not personally identify you, but it may include tracking and usage information about your location, demographics, use of the App and the Internet. Personal Information As a general matter, you can browse the App without submitting your personal information to us. However, there are a number of circumstances in which you may supply us or our agents with your personal information. The following lists the most common ways in which we may collect your personal information. • • • • Registration for an account on the App Use of the account through the App, including rental of a Vehicle Payment information submitted to Bird when renting a Vehicle Registration for an event sponsored by Bird • • • • • • • • • • • • Profile information that You provide for Your user profile Social media information that you authorize Certain location data, as described below Uploading Content to the App Submitting an application to work at Bird Participation in surveys, contests, or sweepstakes Sign up to receive alerts or other information via email, text or instant message from Bird Request for customer service, support requests or other assistance App related communications, e.g. account verification; technical notification Participation in communities, commenting to blog entries and participation in other forums Submission of content or other data and information on any part of the App that permits it Any other place on the App where you knowingly volunteer personal information Non-Personal Information In addition, when you interact with the App, we may collect certain information that does not identify you individually and our servers may automatically keep an activity log of your use of our App (“Non-Personal Information”). Generally, we collect and store the following categories of Non-Personal Information: • • • • Non-identifiable demographic data such as age, gender, and five digit zip code as part of collecting personal information Device information about your computer, browser, mobile device, or other device that you use to access the App. This information may include IP address, geolocation information, unique device identifiers, browser type, browser language, and other transactional information. Analytics and usage information about your use of the App, including GPS routes, and status of GPS chips. Device information about the Bird Vehicle, including time stamps, battery status. • • Additional “traffic data” and log files such as time of access, date of access, software crash reports, session identification number, access times, and referring App addresses. Other information regarding your use of the App. Collection of Your Source IP Address/Location Information We collect and store location information about you on the App and associated with your account that you volunteer on the App or enable through the App or your device. We will collect location information regarding the location of the Bird Vehicles, the routes taken by these Vehicles, and the rental status of these Vehicles. We will not collect any location information that you do not volunteer or enable, but you must agree to provide certain location information in order to use the Service. We also collect and store your device’s source IP address which may disclose the location of your device at the time you access the App. Collection of Personal Information From or Through Social Media Sites or Using Your Social Media Logon When you interact with any Service Provider page or account on a social media platform, such as Facebook, Twitter, Google+, Tumblr, LinkedIn, YouTube, or Pinterest, we may collect the personal information that you make available to us on that page or account including your account ID or “handle.” However, we will comply with the privacy policies of the corresponding social media platform and we will only collect and store such personal information that we are permitted to collect by these social media platforms. If you publish your social media profile on our Service, we may collect personal information that you make available as part of that profile. Collection of Information From Other Sources We also may collect information about you that we may receive from other sources or from our offline interactions with you to, among other things, enable us to verify, update information contained in our records and to better customize the App for you. We may also collect Personal Information from credit reporting agencies to, for example, determine your creditworthiness, credit score, and credit usage, in accordance with applicable laws. Collection of Personal and Non-Personal Information Through Surveys and Promotions From time to time We may provide You with the opportunity to participate in sweepstakes or other promotions on our Service, which might be sponsored or conducted by a third party. If you participate, We will request certain personally information from You. Participation in these sweepstakes and promotions are completely voluntary and You therefore have a choice whether or not to disclose this personal information. The requested personal information typically includes contact information. If there is a third party sponsor involved please make sure to review that party's privacy policy. Collection of Third Party Personal Information Through Tell-A-Friend Feature We may from time to time conduct a referral service to introduce people you know to our Apps and Service. If you choose to use our referral service to tell someone about our Apps and Service or a discount on the Apps and Service, we will ask you for your contact’s name and email address. We will automatically send your contact a one-time email inviting him or her to visit our App. We store this information for the purpose of sending this one-time email and tracking the success of our referral program. Your contact may contact us at hello@bird.co to request that we remove this information from our database. Use of Cookies and Other Tracking Technologies Like many websites and mobile applications, we use “cookies”, which are small text files that are stored on your computer or equipment when you visit certain online pages that record your preferences and actions. We may also use cookies to monitor traffic, improve the App and make it easier and/or relevant for your use. Like many Apps, we use cookies, web beacons and similar technologies to record your preferences, track the use of our Apps and your exposure to our advertisements. We may also use these technologies to monitor traffic, improve the Apps and make it easier and/or relevant for your use. If you delete your cookies or if you set your browser or device to decline these technologies, some features of the App may not work or may not work as designed. We use both “session” cookies and “persistent” cookies. We do not use flash cookies, web storage, web beacons or other technology that tracks your browsing history across multiple Apps. We use cookies for the other purposes set out below: • • • • • • We use cookies to remind us who you are and to find your account information in our database when you access a Service so you do not need to log in at every visit. This helps us to provide you with service tailored to your specific needs and interests. A cookie is created when you register for a Service We use cookies to determine the browser the visitor uses so the Apps can be designed to work properly with the most common versions of different browsers We use cookies in conjunction with sending you e-mail newsletters Advertisers that place ads on the App may use cookies We use cookies in conjunction with analysis of your use of our App and generate analytics regarding our App We use cookies to estimate our audience size. Your browser is given a unique cookie that helps us determine whether yours is a repeat visit or a first visit We also use Google Analytics, a web analytics service provided by Google, Inc. (“Google”), on our Apps. Google Analytics uses cookies or other tracking technologies to help us analyze how users interact with and use the Apps, compile reports on the Apps’ activity, and provide other services related to Apps activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a return visitor, and any referring App. The Apps do not use Google Analytics to gather information that personally identifies you. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies. To learn more about Google’s partner services and to learn how to opt out of tracking of analytics by Google click here. We may partner with third party advertising companies to better provide advertisements about our goods and services that may be of interest to you. These third party advertisers may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use the Apps. They may collect information about your online activities over time and across different Apps and other online services. They may use this information to provide you with interest-based advertising or other targeted content. These online advertising partners do not have access to or use your name, address, e-mail address, telephone number or other personally identifiable information from us, without your consent. They may, however, use persistent identifiers to anonymously track your Internet usage across other Apps in their networks beyond these Apps. While we restrict their further use of such information, such third parties may, with sufficient data from other sources, be able to personally identify you, unknown to us. Third-party ad serving companies and other unaffiliated advertisers also display advertisements on our Apps. As part of their service, they may place a separate cookie on your computer or utilize other data collection and tracking technologies, to collect information such as your IP address, browser type, the server your computer is logged onto, the area code and zip code associated with your server, and whether you responded to a particular advertisement. For a listing of the third party companies we may allow to place cookies to serve ads on the Apps, click here. We do not control these third parties’ tracking technologies, how they may be used, or the information they may collect and we are not responsible for the privacy policies or the content of those third parties. Please visit the sites of those businesses at the links above to review their privacy policies. We may add or change the list of third party ad servers from time to time and we encourage you to check this section for changes. You can learn more about online advertising at www.aboutads.info/consumers. Many of the third party advertisers that place tracking tools on our Apps are members of programs that offer you additional choices regarding the collection and use of your information. You can learn more about the options available to limit these third parties’ collection and use of your information by visiting the Apps for the Network Advertising Initiative and the Digital Advertising Alliance, as well as the webpages for Facebook’s ad preferences tool and privacy policy. Similarly, you can learn about your options to opt-out of mobile app tracking by certain advertising networks through your device settings. For more information about how to change these settings for Apple, Android or Windows devices, see: Apple: http://support.apple.com/kb/HT4228 do Android: http://www.google.com/policies/technologies/ads/ Windows: http://choice.microsoft.com/en-US/opt-out Please note that opting-out of advertising networks services does not mean that you will not receive advertising while using our Apps or on other Apps, nor will it prevent the receipt of interest-based advertising from third parties that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. Your browser or device may include “Do Not Track” functionality. Because a “Do Not Track” compliance protocol has not yet been finalized, Bird’s information collection and disclosure practices, and the choices that we provide to customers, will continue to operate as described in this privacy policy, whether or not a Do Not Track signal is received. How Do We Use Your Information? We use the information we learn from you to help us personalize and continually improve your experience on the App. We may use your Personal and Non-Personal Information in the following ways: General Uses • • • • • • • • • • • • • To provide the Bird Service to you as you request To track the Vehicles To upload your content to our App as you request To permit you to update, edit, and manage your content on our App To communicate with you about your account or transactions with us (including service related announcements) and send you information about features and enhancements on our App To communicate with you about changes to our policies To communicate with you about your comment to a blog post To personalize content and experiences on our App, including providing you reports, recommendations and feedback based on your preferences To disclose anonymized Personal Information to disclose statistics and analytics and other details regarding the use of our App. To optimize or improve our products, services and operations To automatically update the App on your device To detect, investigate, and prevent activities that may violate our policies or be illegal To perform statistical, demographic, and marketing analyses of users of the App Use of Your Location Information Specifically, we use your location information to: • • • • • Track the use of the Bird Vehicles Personalize content on our App, including providing you reports, recommendations and feedback based on your preferences Optimize or improve our products, services and operations Detect, investigate, and prevent activities that may violate our policies or be illegal Perform statistical, demographic, and marketing analyses of users of the App and their purchasing patterns Combination of Your Personal Information We use the information from one portion of the App on other portions of the App or elsewhere in our network of Apps, apps, and other interactive features, or in reports and analysis, all of which are owned and operated by Bird, and we may combine information gathered from multiple portions of the App into a single customer record or analysis or report. We also use and/or combine information that we collect off-line or we collect or receive from third party sources to enhance, expand, and check the accuracy of your customer records. Who Do We Provide Your Information To? Except as disclosed in this Privacy Policy, we do not disclose information about your Personal Information collected online to any companies not part of Bird or its parent, subsidiaries or related entities. In no event will we sell or rent your Personal Information as part of a customer list or similar transaction. Business Partners, Sponsors and Third Parties We may share your Personal Information with our sponsors and other business partners from time to time. You may withdraw your consent to our sharing of your Personal Information with business partners and third parties at any time by following the opt-out process described below. Third-Party Agents We have third party agents, subsidiaries, affiliates and partners that perform functions on our behalf, such as hosting, billing, push notifications, storage, bandwidth, content management tools, analytics, customer service, fraud protection, etc. These entities have access to the Personal Information needed to perform their functions and are contractually obligated to maintain the confidentiality and security of that Personal Information. They are restricted from using, selling, distributing or altering this data in any way other than to provide the requested services to the App. Emergency Situations We may also use or disclose Personal Information if required to do so by law or in the good-faith belief that such action is necessary to (a) conform to applicable law or comply with legal process served on us or the App; (b) protect and defend our rights or property, the App or our users, and (c) act under emergency circumstances to protect the personal safety of us, our affiliates, agents, or the users of the App or the public. This includes exchanging information with other companies and organizations for fraud protection. What Steps Are Taken To Keep Personal Information Secure? We are concerned about ensuring the security of your Personal Information. We exercise great care in providing secure transmission of your information from your device to our servers. Personal Information collected by our App are stored in secure operating environments that are not available to the public. Our security procedures mean that we may occasionally request proof of identity before we disclose your Personal Information to you. Please understand, however, that while we try our best to safeguard your Personal Information once we receive it, no transmission of data over the Internet or any other public network can be guaranteed to be 100% secure. How Can We Transfer Your Personal Information? Your information collected through the App may be stored and processed in the United States or any other country in which Bird, its Clients, Affiliates or service providers maintain facilities. Bird, its Clients, Affiliates, or service providers may transfer information that we collect about you, including personal information across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the United States or other regions with laws governing data collection and use that may differ from US law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction. Wherever your personal information is transferred, stored, or processed by Bird, Bird will take reasonable steps to safeguard the privacy of your personal information. By registering for and using the App you consent to the transfer of information to the US or to any other country in which Bird, its Clients, Affiliates or service providers maintain facilities and the use and disclosure of information about you as described in this Privacy Policy. How Long Do We Keep Your Information? Following termination or deactivation of your account, Bird, its Clients, Affiliates, or its service providers may retain information (including your profile information) and user Content for a commercially reasonable time for backup, archival, and/or audit purposes. If you have any questions about termination or deactivation of your account, please contact us directly at hello@bird.co. What Happens When I Link To or From Another App? This App may contain links to other Apps operated by third parties. Please be advised that the practices described in this Privacy Policy for Bird do not apply to information gathered through these other Apps. We are not responsible for the actions and privacy policies of third parties and other Apps. Governing Law This App is published in the United States. We attempt to protect the Personal Information of all users of our App and we attempt to comply with local data protection and consumer rights laws to the extent they may apply to the Services, but our App is located and targeted to United States citizens and our policies are directed at compliance with those laws. If you are uncertain whether this privacy policy conflicts with the applicable local privacy laws where you are located, you should not submit your Personal Information to Bird. Assignment We may change our ownership or the corporate structure of Bird while providing the App. We may also sell certain assets associated with the App. As a result, please be aware that in such event we may transfer some or all of your information to a Bird acquiring all or part of our assets or to another Bird with which we have merged. Under such circumstances we would, to the extent possible, require the acquiring party to follow the practices described in this Privacy Policy, as it may be amended from time to time. Nevertheless, we cannot promise that an acquiring Bird or the merged Bird will have the same privacy practices or treat your information the same as described in this Privacy Policy. Changes to This Policy As our App continues to develop, we may add new services and features to our App. In the event that these additions affect our Privacy Policy, this document will be updated appropriately. We will post those changes prominently so that you will always know what information we gather, how we might use that information and whether we will disclose it to anyone. We do, however, recommend that you read this Privacy Policy each time you use our App in case you missed our notice of changes to the Privacy Policy. We will not, however, materially change our policies and practices to make them less protective of Personal Information we have previously collected from you without your express consent. WHAT ARE YOUR CHOICES AND HOW DO YOU OPT-OUT? We believe you should have choices about the collection, use and sharing of your information. Although you cannot opt-out of all data collection when you visit our Apps, you can limit the collection, use and sharing of your personally identifiable information. Collection of Personal Information. All personally identifiable information is provided on a voluntary basis. If you do not want Bird to collect such information, you should not submit it to the App. However, doing so will restrict your ability to access some content and use some of the functionality of the App. Emails and Other Communications. If you would like to alter the type of communications you receive from us, including opting out of promotional communications from us, you may do so at any time by updating the communication preferences specified in your account profile through the App. Please note that this may affect your ability to access certain products and services, and we may continue to send non-promotional communications such as staffing confirmations, surveys, and other information about your use of the Service. If you refer others to us using our email functionality, please note that they may choose not to receive any promotional emails from us in the future by following the opt-out instructions in the email invitation. Tracking. You also have choices to limit some tracking mechanisms that collect information when you use the App. Many web browsers automatically accept cookies, but you can usually modify your browser's setting to decline cookies if you prefer. If you choose to decline cookies, certain features of our App, including the App themselves, may not function properly or remain accessible to you. In addition, you may also render some web beacons unusable by rejecting or removing their associated cookies. Note that if you choose to remove cookies, you may remove opt- out cookies that affect your advertising preferences. For more detail on your ability to opt out, see Use of Cookies and Other Tracking Technologies above. Please note that while you may opt out of online behavioral advertising and other targeted advertising served by participating companies through App you may still see other types of advertising on the App, it just may not be as relevant or targeted to your interests. Accessing and Correcting Your Information. If you have an account with Bird, you may review and change your information by logging into your account and editing your profile. Be advised that we may not be able to delete your Personal Information without also deleting your user account. You will not be permitted to examine the Personal Information of any other person or entity and may be required to provide us with Personal Information to verify your identity prior to accessing any records containing information about you. We may not accommodate a request to change or delete Personal Information if we believe doing so would violate any law or legal requirement, or cause the information to be incorrect. If you have any questions about this Privacy Policy, you should contact us by email at hello@bird.co. Your California Privacy Rights California Civil Code Section 1798.83 permits customers of Bird who are California residents to request certain information regarding its disclosure of their personal information to third parties for their direct marketing purposes. To make such a request, please send an e-mail to hello@bird.co. Data Breach History Report Bird has no knowledge of any data breach and, thus, cannot provide a history report. Data Sharing Agreement At the time a permit is issued, Bird agrees to provide the City of Portland, either directly or through a City-approved third party provider, access to the data requested including availability data, trip data, collision data, archival complaint data and the City-developed user survey. Tyler Wallace, Manager Tax Division Revenue Division CITY OF PORTLAND OFFICE OF MANAGEMENT AND FINANCE BUREAU OF REVENUE AND FINANCIAL SERVICES Ted Wheeler, Mayor Jennifer Cooperman, Chief Financial Officer Thomas W. Lannom, Revenue Division Director 111 SW Columbia Street, Suite 600 Portland, Oregon 97201-5840 (503) 823-5157 FAX (503) 823-5192 TDD (503) 823-6868 July 11, 2018 BIRD RIDES INC DBA BIRD BRITTLYN ROSS 406 BROADWAY # 369 SANTA MONICA CA 90401-2314 Account Number 859537 RE: Certificate of Compliance Questions? Call (503) 865-2858 CERTIFICATE OF COMPLIANCE MULTNOMAH COUNTY REVENUE DIVISION – TAX DIVISION, 111 SW COLUMBIA ST., SUITE 600, PORTLAND, OR 97201-5840 PHONE: (503) 823-5157, FAX: (503) 823-5192, TDD: (503) 823-6868 DATE ISSUED: July 11, 2018 ACCOUNT: 859537 TAXFILER: BIRD RIDES INC DBA BIRD BRITTLYN ROSS 406 BROADWAY # 369 SANTA MONICA CA 90401-2314 Verify compliance at www.portlandoregon.gov/biztax LOCATION: 406 BROADWAY # 369 SANTA MONICA CA Is in compliance with90401 the City of Portland Business License Tax Law and Multnomah County Business Income Tax Law as of July 11, 2018. A Certificate of Compliance indicates that on the date of issuance the business was in compliance with applicable tax laws. It does not exempt the holder from annual filing requirements, nor does it entitle the holder to engage in any business activity not otherwise allowed by federal, state, and/or local laws. An Equal Opportunity Employer To help ensure equal access to programs, services and activities, the Office of Management & Finance will reasonably modify policies/procedures and provide auxiliary aids/services to persons with disabilities upon request. www.portlandoregon.gov/revenue APPLICATION FOR AUTHORITY Corporation Division www.filinginoregon.com E-FILED Jul 03, 2018 OREGON SECRETARY OF STATE REGISTRY NUMBER 145560199 TYPE FOREIGN BUSINESS CORPORATION 1. ENTITY NAME BIRD RIDES, INC. 2. MAILING ADDRESS 406 BROADWAY #369 SANTA MONICA CA 90401 USA 3. NAME & ADDRESS OF REGISTERED AGENT 46258083 - NATIONAL REGISTERED AGENTS, INC. 780 COMMERCIAL ST SE STE 100 SALEM OR 97301 USA 4. PRESIDENT TRAVIS VANDERZANDEN #369 406 BROADWAY SANTA MONICA CA 90401 USA 5. SECRETARY DAVID ESTRADA #369 406 BROADWAY SANTA MONICA CA 90401 USA 6. DATE OF INCORPORATION 04-27-2017 7. DURATION PERPETUAL 8. JURISDICTION DELAWARE 9. PRIMARY PHYSICAL LOCATION 1625 ELECTRIC AVE VENICE CA 90291 USA Page 1 Corporation Division www.filinginoregon.com OREGON SECRETARY OF STATE I declare, under penalty of perjury, that this document does not fraudulently conceal, fraudulently obscure, fraudulently alter or otherwise misrepresent the identity of the person or any officers, directors, employees or agents of the corporation on behalf of which the person signs. This filing has been examined by me and is, to the best of my knowledge and belief, true, correct, and complete. Making false statements in this document is against the law and may be penalized by fines, imprisonment, or both. By typing my name in the electronic signature field, I am agreeing to conduct business electronically with the State of Oregon. I understand that transactions and/or signatures in records may not be denied legal effect solely because they are conducted, executed, or prepared in electronic form and that if a law requires a record or signature to be in writing, an electronic record or signature satisfies that requirement. ELECTRONIC SIGNATURE NAME WENDY MANTELL TITLE DEPUTY GENERAL COUNSEL DATE SIGNED 07-02-2018 Page 2 DATE (MM/DD/YYYY) CERTIFICATE OF LIABILITY INSURANCE 7/10/2018 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). CONTACT NAME: PHONE (A/C, No, Ext): E-MAIL ADDRESS: PRODUCER Woodruff-Sawyer & Co. 50 California Street, Floor 12 San Francisco CA 94111 FAX (A/C, No): 415-391-2141 415-989-9923 INSURER(S) AFFORDING COVERAGE BIRDRID-01 INSURED Bird Rides, Inc. 520 Broadway Santa Monica CA 90401 NAIC # INSURER B : Burlington Insurance Company Atlantic Specialty Insurance Company 23620 27154 INSURER C : Great American E & S Insurance Company 37532 INSURER D : ACE American Insurance Company 22667 INSURER A : INSURER E : INSURER F : CERTIFICATE NUMBER: 1059969977 COVERAGES REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR LTR A ADDL SUBR INSD WVD TYPE OF INSURANCE X CLAIMS-MADE X POLICY NUMBER 820BW42687 COMMERCIAL GENERAL LIABILITY POLICY EFF POLICY EXP (MM/DD/YYYY) (MM/DD/YYYY) 3/1/2018 3/1/2019 OCCUR GEN'L AGGREGATE LIMIT APPLIES PER: PROPOLICY LOC JECT LIMITS EACH OCCURRENCE DAMAGE TO RENTED PREMISES (Ea occurrence) $ 1,000,000 MED EXP (Any one person) $ PERSONAL & ADV INJURY $ 1,000,000 GENERAL AGGREGATE $ 2,000,000 PRODUCTS - COMP/OP AGG $ 2,000,000 $ OTHER: B 7110162380000 AUTOMOBILE LIABILITY 5/10/2018 5/10/2019 ANY AUTO X X OWNED AUTOS ONLY HIRED AUTOS ONLY $ 100,000 X SCHEDULED AUTOS NON-OWNED AUTOS ONLY COMBINED SINGLE LIMIT (Ea accident) BODILY INJURY (Per person) $ 1,000,000 $ BODILY INJURY (Per accident) $ PROPERTY DAMAGE (Per accident) $ $ C UMBRELLA LIAB EXCESS LIAB X OCCUR 3/8/2018 3/1/2019 CLAIMS-MADE DED RETENTION $ WORKERS COMPENSATION AND EMPLOYERS' LIABILITY ANYPROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Mandatory in NH) If yes, describe under DESCRIPTION OF OPERATIONS below D XS2258521 Cyber EACH OCCURRENCE $ 5,000,000 AGGREGATE $ $ PER STATUTE Y/N OTHER E.L. EACH ACCIDENT N/A $ E.L. DISEASE - EA EMPLOYEE $ E.L. DISEASE - POLICY LIMIT EONCYBMFGD52758130 6/18/2018 3/1/2019 Limit: $ $5,000,000 DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) The City of Portland, OR is included as an Additional Insured with respects to General and Auto Liability per attached forms. CERTIFICATE HOLDER City of Portland 1221 SW 4th Avenue, Portland, OR 97204 ACORD 25 (2016/03) CANCELLATION SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. AUTHORIZED REPRESENTATIVE © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD POLICY NUMBER: 8205W42687 COMMERCIAL GENERAL LIABILITY CG 2012 0413 THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. ADDITIONAL INSURED STATE OR GOVERNMENTAL AGENCY OR SUBDIVISION OR POLITICAL SUBDIVISION PERMITS OR AUTHORIZATIONS This endorsement modifies insurance provided under the following: COMMERCIAL GENERAL LIABILITY COVERAGE PART SCHEDULE State Or Governmental Agency Or Subdivision Or Political Subdivision: Any state or political subdivision that requires you in accordance with their statutes or regulations to add such state or political subdivision as an additional insured on your policy provided such written permit is fully executed prior to an "occurrence" in which coverage is sought under this policy. Information required to complete this Schedule, if not shown above, will be shown in the Declarations. A. Section II Who Is An Insured is amended to include as an additional insured any state or governmental agency or subdivision or political subdivision shown in the Schedule, subject to the following provisions: 1. This insurance applies only with respect to operations performed by you or on your behalf for which the state or governmental agency or subdivision or political subdivision has issued a permit or authorization. However: a. The insurance afforded to such additional 2. This insurance does not apply to: a. ?Bodily injury", "property damage" or "personal and advertising injury" arising out of operations performed for the federal government, state or municipality; or . "Bodily injury" or "property damage" included within the "products-completed operations hazard". B. With respect to the insurance afforded to these additional insureds, the following is added to Section Limits Of Insurance: If coverage provided to the additional insured is CG 20120413 insured only applies to the extent permitted by law; and b. If coverage provided to the additional insured is required by a contract or agreement, the insurance afforded to such additional insured will not be broader than that which you are required by the contract or agreement to provide for such additional insured. Insurance Services Office, Inc., 2012 required by a contract or agreement, the most we will pay on behalf of the additional insured is the amount of insurance: 1. Required by the contract or agreement; or 2. Available under the applicable Limits of Insurance shown in the Declarations; whichever is less. This endorsement shall not increase the applicable Limits of Insurance shown in the Declarations. Page 1 of 1 THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. FOR AUTOMOBILE This endorsement modifies insurance provided under the following: BUSINESS AUTO COVERAGE FORM The following schedule lists the coverage extensions provided by this endorsement. Refer to the individual provi- sions to determine the extent of your coverage. SCHEDULE OF COVERAGE EXTENSIONS 1. Additional Insured By Contract 12. Employee Hired Autos 2. Airbag Discharge 13. Fellow Employee Exclusion 3. Auto Theft Reward 14. Glass Repair Waiver of Deductible 4. Blanket Waiver of Subrogation 15. Hired Auto Physical Damage Coverage 5. Bodily Injury Redefined Mental Anguish 16. Lease Gap Coverage 6. Broad Form Named Insured 17. Liability Coverage Supplementary Payments 7. Communications Equipment 18. Newly Formed or Acquired Organizations 8. Diminution in Value 19. Physical Damage - Transportation Expenses 9. Drive Other Car Executive Officers 20. Rental Reimbursement Private Passenger 10. Duties In The Event of Accident, Claim, Suit or Loss Vehicles 11. Employees As Insureds 21. Towing Any Covered Auto 1. ADDITIONAL INSURED BY CONTRACT The Who Is An Insured provision under SECTION II - LIABILITY COVERAGE is amended to include as an additional "insured" any person or organization with whom you agreed in a written contract, written agreement or permit, to provide insurance such as is afforded under this Coverage Form. Such person or organization is an "insured" only with respect to liability for "bodily injury" or "property damage" caused, in whole or in part by your maintenance, operation or use of your covered "autos". With respect to the insurance afforded to these additional "insureds", this insurance does not apply: a. Unless the written contract or agreement has been executed or the permit has been issued prior to the "bodily injury" or "property damage"; b. To any person or organization included as an "insured" by endorsement or in the Declarations; or c. To any lessor of "autos" when their contract or agreement with you for such leased "auto" ends. 2. AIRBAG DISCHARGE If you purchased physical damage coverage for a covered "auto" under this policy, we will pay to reset or re- place an airbag that accidentally discharges without the vehicle being involved in an accident. No deductible applies to this additional coverage. However, this coverage only applies if the airbag is not covered under a manufacturer's warranty and you did not intentionally cause the airbag to discharge. 3. AUTO THEFT REWARD We will pay up to a $2,000 reward in the event of a covered loss, for information leading to the arrest and conviction of anyone stealing a covered "auto". A reward will not be paid to you, a family member, employee or any public of?cial while performing their duty. 4. BLANKET WAIVER OF SUBROGATION The Transfer Of Rights of Recovery Against Others To Us condition under SECTION IV BUSINESS AUTO CONDITIONS, paragraph A. LOSS CONDITIONS is replaced by the following: We will waive any right of recovery we may have against any person or organization because of payments we make for injury or damage arising out of the operation of a covered "auto" when you have assumed liability for such "bodily injury" or "property damage" under an "insured contract", provided the contract is in writing and executed prior to the "bodily injury" or "property damage". 5. BODILY INJURY REDEFINED MENTAL ANGUISH The definition of "bodily injury" under SECTION DEFINITIONS is replaced by the following: "Bodily injury" means bodily injury, sickness, or disease sustained by a person, including mental anguish or death resulting from any of these at any time. VCA 201 01 09 Includes copyrighted material of Insurance Services Of?ce. Inc. Page 1 of 5 Copyright 2004, OneBeacon Insurance Group LLC E-INSURED 6. BROAD FORM NAMED INSURED The Who Is An Insured provision under SECTION II LIABILITY COVERAGE is amended to include the following: Any organization which is a legally incorporated entity in which you own a ?nancial interest of more than 50% of the voting stock on the effective date of this Coverage Form will be a Named Insured until the 180lh day or the end of the policy period whichever comes ?rst, provided there is no other similar insurance avail- able to that organization. Paragraph a. of this provision 6. does not apply to "bodily injury" or "property damage" for which an "in- sured" is also an "insured" under any other automobile policy or would be an "insured" under such a poli- cy, but for its termination or the exhaustion of its Limit of Insurance. 7. COMMUNICATIONS EQUIPMENT The exclusion for electronic equipment under Exclusions of SECTION PHYSICAL DAMAGE COVERAGE does not apply to loss of any permanently installed, non-removable communications equip- ment designed for use as a: 1. Citizen's band radio; 2. Two-way mobile radio or telephone; 3. Scanning monitor receiver; or 4. GPS Navigation System, including its antenna and other accessories. b. No Deductible applies to this additional coverage. 0. The most we will pay for this coverage is $5,000 per occurrence. 8. DIMINUTION IN VALUE The ?diminution in value" exclusion under SECTION PHYSICAL DAMAGE COVERAGE, B. Exclusions does not apply if the covered "auto" is a private passenger "auto" and is leased, rented, hired or borrowed without a driver for a period of 30 days or less and is used in the conduct of the insured's business. The most we will pay for "loss" arising out of an "accident" is the lesser of $7,500 or 20% of the actual cash value of the "auto" as determined by Kelley Blue Book or other independent valuation sources. 9. DRIVE OTHER CAR EXECUTIVE OFFICERS a. The Who Is An Insured provision under SECTION II - LIABILITY COVERAGE is amended to include: If you are designated in the Declarations as: 1. An individual; you and your spouse. 2. A partnership; your partners and their spouses. 3. An organization other than an individual or a partnership; your "executive of?cers" and their spouses. b. SECTION II - LIABILITY COVERAGE and SECTION PHYSICAL DAMAGE COVERAGE are ex- tended to include "autos" you don't own, hire, lease or borrow while in the care, custody or control of an "insured" listed in 9.a. This does not include any "auto": 1. Owned by any "insured" listed in or any member of their household, including any such "auto" that is owned but not insured; 2. Used by an "insured" listed in 9.a. while working in the business of selling, servicing, repairing or parking autos; or 3. Insured under another policy of insurance. If Medical Payments, Uninsured/Underinsured Motorist, Personal Injury Protection or other compulsory coverages required by the governing jurisdiction are covered on this policy, then insureds listed in 9.a. above and family members residing in the same households are "insureds" while: 1. Occupying as a passenger; or 2. A pedestrian when struck by, any "auto" you do not own, hire, lease or borrow, except any "auto" owned by that "insured" listed in 9.a, their family members or an "auto" insured under any other policy. c. The limits and deductibles applicable to this provision will be the largest applicable to any owned "auto" for the speci?c insurance. Page 2 of 5 Includes copyrighted material of Insurance Services Of?ce, Inc. VCA 201 01 09 Copyright 2004, OneBeacon Insurance Group LLC 10. d. The following de?nition is added to the DEFINITIONS section of the policy: "Executive of?cer" means a person holding any of the of?cer positions created by your charter, consti- tution, by-laws or any similar governing document. e. The Other Insurance Condition, under Section IV BUSINESS AUTO CONDITIONS, does not apply to the provisions of this Drive Other Car endorsement. There is no "other insurance" applicable to this en- dorsement. DUTIES IN THE EVENT OF ACCIDENT, CLAIM, SUIT OR LOSS Under SECTION IV - BUSINESS AUTO CONDITIONS the Duties In The Event Of Accident, Claim, Suit Or Loss Condition is amended as follows: The requirements that you must: a. Notify us of an "accident", claim, "suit" or "loss"; and b. Send us documents concerning a claim or "suit", apply only when such "accident", claim, "suit" or "loss" is known to: a. You, if you are an individual; b. A partner, if you are a partnership; c. An executive of?cer of the corporation or insurance manager, if you are a corporation; or d. A manager, if you are a limited liability company. 11. EMPLOYEES AS INSUREDS The Who Is An Insured provision under SECTION II LIABILITY COVERAGE is changed by adding the fol- lowing: Any "employee" of yours while using a covered "auto" you don't own, hire or borrow in your business or your personal affairs. This coverage is excess over any other collectible insurance. 12. EMPLOYEE HIRED AUTOS The following is added to the Who Is An Insured Provision: An "employee" of yours is an "insured" while operating an "auto" hired or rented under a contact or agreement in that "employee's" name, with your permission, while performing duties related to the conduct of your busi- ness. For purposes of this coverage grant, paragraph 5.b. of the Other Insurance Condition in the Business Auto Coverage Form is replaced by the following: b. For Hired Auto Physical Damage Coverage, the following are deemed to be covered "autos" you own: 1. Any covered "auto" you lease, hire, rent or borrow; and 2. Any covered "auto" hired or rented by your "employee" under a contract in that individual "employ- ee's" name, with your permission, while performing duties related to the conduct of your business. However, any "auto" that is leased, hired, rented or borrowed with a driver is not a covered "auto". This coverage is excess over any other collectible insurance. 13. FELLOW EMPLOYEE EXCLUSION The Fellow Employee exclusion under SECTION II LIABILITY COVERAGE does not apply if the "bodily in- jury" results from the use of a covered "auto" you own or hire. This coverage is excess over any other insur- ance. 14. GLASS REPAIR WAIVER OF DEDUCTIBLE Under paragraph D. Deductible of SECTION PHYSICAL DAMAGE COVERAGE, the following is added: No deductible applies to glass damage if the glass is repaired rather than replaced. 15. HIRED AUTO PHYSICAL DAMAGE COVERAGE If hired "autos" are covered "autos" under SECTION II LIABILITY COVERAGE and if Comprehensive, Speci- ?ed Causes of Loss, or Collision coverages are provided under this policy for any "auto" you own, then SECTION PHYSICAL DAMAGE COVERAGE is extended to "autos" you hire, subject to the following limit: The most we will pay for "loss" to any hired "auto" is the lesser of: a. $75,000 for "autos" of the private passenger type and $50,000 for all other "autos"; VCA 201 01 09 Includes copyrighted material of Insurance Services Of?ce, Inc. Page 3 of 5 Copyright 2004, OneBeacon Insurance Group LLC b. The actual cash value; or c. The cost of repairing or replacing it with other property of like kind or quality. The deductible will be equal to the largest deductible applicable to any owned "auto" for that coverage. No deductible applies to "loss" caused by fire or lightning. Subject to the above limit, deductible and excess provisions, we will provide coverage equal to the broadest coverage applicable to any covered "auto" you own. We will also cover loss of use of the hired "auto" if the following conditions are met: a. It results from an accident; b. You are legally liable; and c. The lessor incurs an actual financial loss. The most we will pay for this loss of use coverage is $1,000 per "accident". 16. LEASE GAP COVERAGE 17. 18. 19. 20. Under paragraph C. Limit of Insurance of SECTION PHYSICAL DAMAGE COVERAGE, the following is added: If a covered "auto" is leased, we will also pay the difference between the actual cash value of a covered ?au- to" at the time of "loss" and the remaining balance on your lease if the following conditions are met: a. The "auto" has a long term lease and is covered on this policy. b. The lessor is added as an Additional Insured in a written lease agreement. c. You are legally obligated for the remaining balance. We will not pay for any amounts representing excess wear and tear charges; additional mileage charges; taxes; overdue payments; penalties, interest or charges resulting from overdue payments; or lease termination fees. LIABILITY COVERAGE EXTENSIONS SUPPLEMENTARY PAYMENTS Under SECTION II LIABILITY COVERAGE, the Coverage Extension for Supplementary Payments is re- vised as follows: a. The limit for the cost of bail bonds is amended to $3,500. b. The limit for reasonable expenses incurred by the "insured" is amended to $500 a day. NEWLY FORMED OR ACQUIRED ORGANIZATIONS a. The Who Is An Insured provision under SECTION II LIABILITY COVERAGE is amended to include as an "insured" any organization that is formed or acquired by you and over which you maintain majority ownership. b. Paragraph a. of this provision 18. does not apply to any organization: 1. That is a joint venture or partnership; 2 That is an "insured" under any other policy; 3. That has exhausted its Limit of Insurance under any other policy; or 4 180 days or more after its acquisition or formation by you, unless you have given us notice of the ac- quisition or formation. c. Paragraph a. of this provision 18. does not apply to "bodily injury" or "property damage" that results from an "accident" that occurred before you formed or acquired the organization. PHYSICAL DAMAGE TRANSPORTATION EXPENSES COVERAGE Under SECTION - PHYSICAL DAMAGE Coverage Extensions, the limit for Transportation Expenses is amended to $75 per day and the maximum is amended to $2,250. RENTAL REIMBURSEMENT We will pay for rental reimbursement expenses incurred by you for the rental of an "auto" of the private passenger type because of "loss" to a "covered auto" of the private passenger type. Payment applies in addition to the other- wise applicable amount of each coverage you have on a "covered auto". No deductibles apply to this coverage. We will pay those expenses incurred during the policy period beginning 24 hours after the "loss" and ending, regardless of the policy?s expiration, six (6) days afterthe "loss". Page 4 of 5 Includes copyrighted material of Insurance Services Of?ce, Inc. VCA 201 01 09 Copyright 2004, OneBeacon Insurance Group LLC Payment is limited to the lesser of the following amounts: 1. Necessary and actual expenses incurred. 2. The maximum daily payment of $25 for any one day. This coverage does not apply while there are spare or reserve "autos" available to you. If "loss" results from the total theft of the private passenger "auto", we will pay under this coverage only that amount of your rental reimbursement expenses which is not already provided for under the PHYSICAL DAMAGE COVERAGE Extension. 21. TOWING - COVERED AUTOS Under SECTION PHYSICAL DAMAGE COVERAGE, Coverage for Towing is amended as follows: a. This coverage applies to any covered "auto" for which a premium charge for towing and labor is shown in the Schedule or in the Declarations. b. The limit is $100. VCA 201 01 09 Includes copyrighted material of Insurance Services Of?ce, Inc. Page 5 of 5 Copyright 2004, OneBeacon Insurance Group LLC Security Standards Council ?13 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments - Service Providers Version 3.2 April 2016 Security Standards Council Section 1: Assessment Information Instructions for Submission This Attestation of Compliance must be completed as a declaration of the results of the service provider?s assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI 088). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures. Part 1. Service Provider and Qualified Security Assessor Information Part 1a. Service Provider Organization Information Company Name: Stripe, Inc. DBA (doing Stripe France SARL business as): Stripe Stripe Netherlands B.V. Stripe Payments Mexico 8 de RL de CV Stripe Payments HK Limited Stripe Brazil Participacoes Ltda. Stripe Payments Canada Ltd. Stripe Canada Payment Services Ltd. Stripe Payments Europe Limited Stripe Payments UK, Ltd. Stripe Japan KK/Stripe Japan, Inc. Stripe Payments Australia, Ltd. Stripe New Zealand Limited Stripe Payments Singapore Pte, Ltd. Stripe India Private Limited Stripe Payments Malaysia Sdn. Bhd. Stripe Payments Company Contact Name: - Mike Dahn 7 Title: Security Policy Relations Telephone: 415-420-4331 E-mail: md@stripe.com Business Address: 185 Berry St Suite 550 City: San Francisco State/Province: CA Country: USA Zip: 94107 PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 Security Standards Council, LLC. All Rights Reserved. Page 1 want. "Tr I Sir 1h. )ll'l . URL: 7 Part 1b. Qualified Security Assessor Company Information (if applicable) Company Name: Securisea, Inc. rLead QSA Contact Name: Josh Daymont Title: Principal 6 Telephone: .. - 415-494-8215 7 E-mail: joshd@securisea.com Business Address: 7 201 Spear St Ste 1100 City: San Francisco State/Province: CA Country: USA Zip: 94105 URL: 7 PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 Security Standards Council, LLC. All Rights Reserved. Page 2 Part 2. Executive Summary Part 2a. Scope Verification Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply): Name of service(s) assessed: Type of service(s) assessed: Hosting Provider: Applications software Hardware Infrastructure Network Physical space (co-location) El Storage Web Security services 3-D Secure Hosting Provider Shared Hosting Provider El Other Hosting (specify): Account Management Back-Office Services Billing Management Clearing and Settlement CI Network Provider El Others (specify): Stripe - including Stripe Elements, Stripejs, Stripe Checkout, Stripe mobile libraries, and the Stripe Managed Services (specify): Payment Processing: El Systems security services POS card present [3 IT support Internet e-commerce Physical security MOTO Call Center Terminal Management System [3 ATM [3 Other services (specify): Other processing (specify): El Fraud and?Chargeback Payment Gateway/Switch IE Issuer Processing Prepaid Services Loyalty Programs Records Management Merchant Services Tax/Government Payments Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity?s service description. If you feel these categories don?t apply to your service, complete ?Others. If you?re unsure whether a category could apply to your service, consult with the applicable payment brand. PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Resen/ed. Page 3 I Part 2a. Scope Verification (continued) Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply): Name of service(s) not assessed: Type of service(s) not assessed: Hosting Provider: Applications software Hardware Infrastructure Network Physical space (co-location) [3 Storage Web Security services 3-D Secure Hosting Provider Shared Hosting Provider Other Hosting (specify): IT support Account Management Back-Office Services Billing Management El Clearing and Settlement CI Network Provider Others (specify): Provide a brief explanation why any checked services were not included in the assessment: Part 2b. Description. of Payment Card Business Describe how and in what capacity your business stores, processes, and/or transmits cardholder data. Describe how and in what capacity your business is othenivise involved in or has the ability to impact the security of cardholder data. Managed Services (specify): El Systems security services Physical security [3 Terminal Management System C) Other services (specify): Fraud and Chargeback [j Issuer Processing Loyalty Programs [3 Merchant Services Payment Processing: POS card present Internet e-commerce MOTO Call Center ATM Other processing (specify): [3 Payment Gateway/Switch Prepaid Services .. Records Management Tax/Government Payments Stripe provides e-commerce and card-present payment processing services to merchants. Stripe received cardholder data from its merchants via the following Stripe integration methods: Javascript libraries, mobile libraries, hosted payment fields, direct posts to the API, or Relay service. Card numbers are stored, in Stripe's Card Data Vault, and merchants are issued tokens that represent those cards for later use. Stripe handles cardholder data for the transactions and cardholders it processes data for, and can impact the security of this data. Stripe also provisions various Stripe integration code for merchants to accept cardholder data (6.9., hosted payment fields, Javascript and mobile libraries). Stripe does not perform other services that might impact the security of cardholder data. PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016 Page 4 I 'l ,1 -: 5.. fly Part 2c. Locations List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review. Type of facility: Number of facilities Location(s) of facility (city, country): . of this type Example: Retail outlets 3 Boston, MA, USA Corporate of?ces 2 I .. - San Francisco, CA ., Seattle, WA laaS 1 Covered by Stripes TPSP for Amazon Web Services Datacenters 5 Tokyo, Japan Osaka, Japan San Jose, CA, USA Asburn, VA, USA Seattle, WA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses: Payment Application Version Application ls application PA-DSS Listing Expiry Name Number Vendor PA-DSS Listed? date (if applicablePart 2e. Description of Environment Provide a high-level description of the environment Stripe's PCI environment, consisting of certain covered by this assessment. dataenter transmission locations and its Stripe Card Data Vault (CDV), is segmented from the For example: rest of the Stripe infrastructure. The CDV - Connections into and out of the cardholder data receives requests containing cardholder data, environment (005- tokenizes the CHD, and forwards the requests to - Critical system components within the CDE, such as POS Stripe's payment processing environment. devices, databases, web servers, etc, and any other Outbound traf?c to payment processors passes necessary payment components, as applicable, through the CDV environment in which tokens are substituted for the orignial cardholder data. PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 Security Standards Council, LLC. All Rights Reserved. Page 5 The CDV environment contains only the services required to receive data from third parties. transmit data to third parties. and perform the tokenization and vaulting processes, with some supporting management infrastructure. Management of the CDE is performed remotely using Stripe laptops, accessing the CDE via SSH with two-factor authentication. Some networking equipment is co-located in datacenters where physical routers provided by payment brands is required. These environments are managed in the same fashion, and do not contain cardholder data. Does your business use network segmentation to affect the scope of your PCI 088 Yes No environment? (Refer to ?Network Segmentation section of PCI 088 for guidance on network segmentation) PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Sen/ice Providers, Rev. 1.0 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 6 I lizti ml: -l Part 2f. Third-Party Service Providers Does your company have a relationship with a Qualified Integrator Reseller for the purpose of the services being validated? If Yes: Name of QIR Company: QIR Individual Name: Description of services provided by QIR: Does your company have a relationship with one or more third-party service providers (for example, Qualified Integrator Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies. airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated? If Yes: Name of service provider: Description of services provided: AWSH la-aS' I I I Equinix Datacenter services Note: Reqdirement 12.8 applies to all entities in this list. ENO Yes No PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 2006-2016 Security Standards Council, LL C. All Rights Reserved. April 2016 Page 7 . 3? till. vlz? Part 29. Summary of Requirements Tested For each PCI DSS Requirement, select one of the following: . Full The requirement and all sub-requirements of that requirement were assessed, and no sub? requirements were marked as ?Not Tested" or ?Not Applicable? in the ROC. . Partial One or more sub-requirements of that requirement were marked as "Not Tested? or ?Not Applicable" in the ROC. 0 None All sub-requirements of that requirement were marked as ?Not Tested? and/or ?Not Applicable? in the ROC. For all requirements identified as either ?Partial" or ?None,? provide details in the ?Justi?cation for Approach" column, including: . Details of speci?c sub-requirements that were marked as either ?Not Tested? and/or ?Not Applicable? in the ROC 0 Reason why sub-requirement(s) were not tested or not applicable Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the SSC website. Name of Service Assessed: Stripe - including Stripe Elements, Stripejs, Stripe Checkout, Stripe mobile libraries, and the Stripe Details of Requirements Assessed Justification for Approach PCI DSS (Required for all ?Partial? and ?None? responses. Identify which Requirement Partlal None sub-requirements were not tested and the reason.) Requirement 1: [j 1.2.3 is not applicable as there are no wireless in scope Requirement 2: 2.1.1 is not applicable as there are no wireless in scope Requirement 3: 3.4.1 is not applicable as disk is not used to achieve PCI compliance Requirement 4: 4.1.1 is not applicable as there are no wireless networks in scope Requirement 5: [j Except for documentation requirements, Requirement 5 is not applicable as Stripe does not have any in- scope systems that are commonly affected by malware. All in scope systems are Linux or vendor proprietary Requirement 6: Requirement 7: IE Requirement 8: 8.1.5 is not applicable as Stripe does not permit any 3rd party access to its CDE 8.5.1 is not applicable as Stripe does not access customer environments PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 8 I n: in :u'w Requirement 9: Requirement 9.9 is not applicable as Stripe does not use any POS systems Requirement 10: Requirement 11: Requirement 12: Appendix A1: Stripe is not a shared service provider Appendix A2: A2.1 is not applicable as Stripe does not use any POS systems PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 9 . Irri-nw. mz? Section 2: Report on Compliance This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC). The assessment documented in this attestation and in the ROC was completed 3/1/2018 on: Have compensating controls been used to meet any requirement in the Yes No Were any requirements in the ROC identified as being not applicable Yes No Were any requirements not tested? Yes No Were any requirements in the ROC unable to be met due to a legal constraint? Yes IE No PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 10 ll}, innit! tn!" .iv Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This ADC is based on results noted in the ROC dated 3/1/2018. Based on the results documented in the ROC noted above, the signatories identi?ed in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identi?ed in Part 2 of this document (check one): Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby Stripe, Inc. has demonstrated full compliance with the PCI DSS. Non-Compliant: Not all sections of the PCI DSS R00 are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI DSS. Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4. Compliant but with Legal exception: One or more requirements are marked ?Not in Place" due to a . legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand. If checked, complete the following: Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) con?rms: (Check all that apply) Kl The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version 3.2, and was completed according to the instructions therein. All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects. have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times. If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply. PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 PCI Security Standards Council, LL C. All Rights Reserved. Page 1 1 Part 3a. Acknowledgement of Status (continued) No evidence of full track data?, CAV2, CVC2, CID, or CW2 data2, or PIN data3 storage after transaction authorization was found on ANY system reviewed during this assessment. ASV scans are being completed by the PCI SSC ApprovedScanning Vendor Trustwave Part 3b. Service Provider Attestation Signature of Service Provider Executive Of?cer 7? Date: 1 March 2018 Service Provider Executive Of?cer Name.? Title: Security Policy Relations Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this Securisea performed a full PCI Assessment and issued a assessment, describe the role performed: complete PCI DSS 3-2 Report on Compliance. 7 Signature of Duly Authorized Officer of QSA Company Date: 3/7/2078 Duly Authorized Of?cer Name: Josh Daymont QSA Company: Securisea, Inc. Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an was involved or assisted with this assessment, identify the ISA personnel and describe the role performed: Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary account number (PAN), expiration date, and cardholder name. 2 The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present transactions. 3 Personal identi?cation number entered by cardholder during a card-present transaction, and/or PIN block present within the transaction message. PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. . :l?tJJl-l?a Part 4. Action Plan for Non-Compliant Requirements Select the appropriate response for ?Compliant to PCI DSS Requirements? for each requirement. If you answer ?No? to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement. Check with the applicable payment brand(s) before completing Part 4. Compliant to Remediation Date and PCI DSS 088 Requirements Actions . Descri tion of Re uirement Requurement (Select One) (If selected for any YES NO Requirement) 1 Install and maintain a ?rewall con?guration to protect cardholder data Do not use vendor-supplied defaults for 2 system passwords and other security El parameters 3 Protect stored cardholder data I: 4 transmission of cardholder data across open, public networks Protect all systems against malware 5 and regularly update anti-virus software [2 or programs Develop and maintain secure systems 6 and applications Restrict access to cardholder data by 7 business need to know XI Identify and authenticate access to 8 system components '3 Restrict sical access to cardholder 9 IE data 10 Track and monitor all access to network El resources and cardholder data Regularly test security systems and 11 processes Maintain a policy that addresses 12 information security for all personnel . Additional PCI DSS Requirements for App endix A1 Shared Hosting Providers Appendix A2 Additional PCI DSS Requurements for '3 Entities using SSL/early TLS was? ex ven 53 (W VISA II A PCI DSS v3.2 Attestation of Compliance for Onsite Assessments Service Providers, Rev. 1.0 April 2016 2006-2016 Security Standards Council, LLC. All Rights Reserved. Page 13 Shared Electric Scooters Permit Application APPENDIX A SHARED ELECTRIC SCOOTER PERMIT APPLICATION THE PORTLAND BUREAU OF TRANSPORTATION (PBOT) WILL ADMINISTER A 12O--DAY PILOT FOR THE REGULATION OF SHARED ELECTRIC SCOOTERS BEGINNING IN THE SUMMER OF 2018 PILOT THE PILOT PERIOD WILL HELP THE CITY DETERMINE WHETHER SHARED SCOOTERS CAN SUPPORT THE POLICY GOALS. WHILF TRN 15.01 MAY REMAIN IN EFFECT BEYOND THE END OF THE PILOT PERIOD, THE CITY ONLY INTENDS TO PROVIDE PERMITS TO COMPANIES FOR THE PILOT PERIOD. COMPANIES MUST SECURE A PERMIT FROM PBOT TO OFFER SHARED SCOOTERS FOR COMMERCIAL PURPOSES IN PORTLAND. THE OPERATION OF A SHARED SCOOTER IS A PRIVILEGE, NOT A RIGHT. 2 COMPANY 7) 7 . I I 1 LICUS BUSINESS ADDRESS I MAILING ADDRESS (IF DIFFERENT THAN BUSINESS ADDRESS) LI C(c Cad UQCI Lid La 3 CITY, STATE, ZIPCODE Cm, STATE, ZIP CODE SCMTA CH ?lad/DI PORTLAND BUSINESS LICENSE NUMBER 4 ODOT ACCOUNT NUMBER 8 8 6?1 ?3 :3 9' PRIMARY CONTACT NAME TITLE . MCIYII) Sam C?c ?em Mud? I?m-mom 2 PHONE NUMBER .. . EMAIL ADDRESS Zcu JILL .79 rd (0 ALTERNATE CONTACT NAME . . . . FIAC ECU IQ: Lemmas . DWQLICYL 5 PHONE NUMBER EMAIL ADDRESS . . I em wag 19/ch (0 5 GENERAL CONIACIPHONE NUMBER . GENERAL FAIL NUMBER New 2C6 9'42. AHA GENERAL CONTACT EMAIL ADDRESS (a [Ha @Iozvd (0 CITY OF PORTLAND DATE SECRETARY OF STATE EXPIRATION DATE 5 CERTIFICATE OF PCI BUSINESS LICENSE 7 I I I 9, REGISTRATION 7] 3, 16] 0? 0 URANCE f) I ?1 COMPLIANCE I DATA PAID APPLICATION FEE min? MAINTENANCE COMMUNICATIONS AGREEMENT OPERATIONS PLAN OUTREACH PLAN INITIAL - INITIR INITIAL. PRIVACY POLICY {1 USER EQUITY PLAN {\50 SAFETY HISTORY REPORT ?49 DATA BREACH HISTORY . COMPLAINT HISTORY LOCAL AGENT CONTACT ?In? K.) BRANDING DESCRIPTION REPORT REPORT {1 INFORMATION RENDERING 7 CUSTOMER SERVICE AGREE To PARTICIPATE mm? LAUNCH SCHEDULE mm? NUMBER OF SHARED INFORMATION IN EVALUATION SERVICE RATES SCOOTERS REQUESTED I) I CERTIFY, BY SIGNING BELOW, EACH CRITERION OUTLINED IN TRN 15.01 HAS BEEN MET AND WILL BE CORRECT AND ACCURATE UPON AN AUDIT CONDUCTED BY THE PORTLAND BUREAU OF TRANSPORTATION. THE APPLICANT AGREES TO PARTICIPATE IN THE EVALUATION OF THE PILOT PERIOD BY DISTRIBUTING A CITY SURVEY TO ITS USERS. FAILURE TO COMPLY WITH CITY CODE, TRN 15.01, AND PERMIT CONDITIONS MAY RESULT IN ONE OR MORE OF THE FOLLOWING: CIVIL PENALTY, VEHICLE IMPOUND, SUSPENSION OR REVOCATION OF THE SHARED ELECTRIC SCOOTER COMPANY PERMIT. FURTHER AGREE TO INDEMNIFY, DEFEND, AND HOLD THE CITY OF PORTLAND AND ITS ELECTED OFFICIALS, OFFICERS, EMPLOYEES, AND AGENTS HARMLESS FROM AND AGAINST ALL CLAIMS ARISING FROM, IN WHOLE OR IN PART, THE OPERATIONS UNDER THIS PERMIT. PLEASE PRINT NAME . . w, SIGNATURES TITLE OF SIGNOR COCCINUDLI DATE STAMP DOCUMENTS RECEIVED DOCUMENTS RECEIVED BY APPLICATION Fu REMENTS (INITIAL, DATE) Lu U) PERMIT APPROVED BY PERMIT DENIED ISSUED PERMIT DATE 0 PERMIT APPROVED In 0. NUMBER OF APPROVED SHARED SCOOTERS FULL DEPLOYMENT DATE 8 Upa'area? Div 3, 29 I8