Loading...
CONTRACT 7089 Vender AgreementAgreement No. 7089 teC,refresh Company Address 100 Bayview Circle, Suite 230 Expiration Date 11/6,2024 Newport Beach, CA 92660 Opportunity Owner Michael Tamrnaro US Quote # QUO - 1849 Prepared By Michael Tammaro Contact Name Jose Calderon Title Account Manager Title Director of IT Email michael tmmaro@tee-refresh.com Email jalderon@elsegundo,org Phone (617)829-9153 Phone +1 310-524-2300 Bill To Name City of El Segundo Ship To Name City of El Segundo Bill To 350 Main St Ship To 350 Main St El Segundo, CA 90245 El Segundo, CA 90245 US US Advanced Threat Prevention subscription for device in an HA pair renewal, PA-3430 PAN-PA-3430-ATP-HA2-R Start Date: 11/07/2024 2.00 $14,084.08 $28„168A6 End Date: 11/23/2025 Serial #: 024301003488; 024301002699 PA-3430, Advanced WildFire subscription, for one (1) device in an HA pair, 1 year (12 months) term, renewal. PAN-PA-3430-AWF-HA2-R Start Date: 11/07/2024 2.00 $14.084.08 $28,168.16 End Date: 11/23/2025 Serial #: 024301003488; 024301002699 PA-3430, DNS security subscription, for one (1) device in an HA pair, 1 year (12 months) term, renewal. PAN-PA-3430-DNS-HA2-R Start Date: 11/07/2024 2.00 $9,445.60 $18,891.20 End Date: 11/23/2025 Serial #: 024301003488; 024301002699 PA-3430, Advanced URL Filtering subscription, for one (1) device in an HA pair, 1 year (12 months) term, renewal. PAN-PA-3430-ADVURL-HA2-R-2 Start Date: 11/07/2024 2.00 $14,084.08` $28,168.16 End Date: 11/23/2025 Serial #: 024301003488; 024301002699 For US Government accounts only. Premium support renewal, PA-3430 PAN-SVC-PREMUSG-3430-R Start Date: 11/03/2024 2.00 $12,202.75 $24,405.50 End Date: 11/23/2025 Serial #: 024301003488; 024301002699 Terms and Conditions: Net 30 Please remit all purchase orders and invoices to: Tec-Refresh, Inc. 10 Stevens Street #190 Andover, MA, 0'1810 United States Agreement No. 7089 teC,ret'resh Contract # Contract Number: 7-17-70-40-05 NASPO Master Contract Number: AR2472 Contract Term: 09/15/17 — 09115/26 Memo 2024 Palo Alto 3430's Renewal CITY OF EL SEGUNDO, a general law city Darrell George, City Manager ATTEST: Y"V Tracy Weaver, City Clerk ATTACHMENTS: Subtotal Grand Total APPROVED AS TO FORM. Marc. Hensley, City Attorney Joaquin] Vazftaez, Assistant City Attorney .___.. 1 Risk Management 1. State of California Participating Addendum No. 7-17-70-40-05 2. First Amendment to Participating Addendum No. 7-17-70-40-05 3. Second Amendment to Participating Addendum No. 7-17-70-40-05 4. Third Amendment to Participating Addendum No. 7-17-70-40-05 5. State of Utah Cooperative Contract with Carahsoft Technologies Corp. (NASPO ValuePoint) (Contract # AR2472) - Cover Sheet, Attachment A, and Attachment B Only Terms and Conditions: Net 30 Please remit all purchase orders and invoices to: Tec-Refresh, Inc. 10 Stevens Street 4190 Andover, MA, 01810 United States $127,801,18 $127,801.18 Agreement No. 7089 STATE OF CALIFORNIA PARTICIPATING ADDENDUM NO. 7-17-70-40-05 Cloud Solutions Utah NASPO ValuePoint Master Agreement No. AR2472 Carahsoft Technology Corp. This Participating Addendum Number 7-17-70-40-05 is entered into between the State of California, Department of General Services (hereafter referred to as "State" or "DGS") and Carahsoft Technology Corp. (hereafter referred to as "Contractor") under the lead State of Utah NASPO ValuePoint Master Agreement Number AR2472, 1. SCOPE A. This Participating Addendum covers the purchase of Cloud Solutions under the Utah NASPO ValuePoint Master Agreement. The Utah NASPO ValuePoint Master Agreement Number AR2472 is hereby incorporated by reference. The cloud solution services are identified in Section 5 (Available Services). B. This Participating Addendum is available for use by all State Agencies including the Executive, Judicial and Legislative branches, and will include all California political subdivisions/local governments. A subdivision/local government is defined as any city, county, city and county, district, or other local governmental body or corporation, including the California State Universities (CSU) and University of California (UC) systems, K-12 schools and community colleges empowered to expend public funds. C. Each political subdivision/local government is to make its own determination whether this Participating Addendum and the Utah NASPO ValuePoint Master Agreement are consistent with its procurement policies and regulations. 2. TERM A. The term of this Participating Addendum shall begin upon signature approval by the State and will end September 15, 2026, or upon termination by the State, whichever occurs first. B. Lead State amendments to extend the Master Price Agreement term date are not automatically incorporated into this Participating Addendum. Extension(s) to the term of this Participating Addendum will be through a written amendment upon mutual agreement between the State and the Contractor. 3. TERMS AND CONDITIONS/INCORPORATION OF DOCUMENTS A. Terms and conditions listed below are hereby incorporated by reference and made a part of this Participating Addendum as if attached herein and shall apply to the purchase of services made under this Participating Addendum. Page 1 of 8 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Carahsoft Technology Corp. 1) General Provisions — Information Technology (GSPD-4011T), effective 9/5/2014. The twelve (12) page document can be viewed at: htt ://www.documents.d s.ca. ov/ d/ oli rolGSD4011T14 0905. df. Exception: Article 11 of the General Provisions — Information Technology, is superseded by Section 4 (Order of Precedence) below. 2) Cloud Computing Special Provisions for Software as a Service (SaaS), effective 9/3/14. The five (5) page document can be viewed at: htt :/Iw .documents.d s.ca. ovi` d/ olio roc/CLOUDCOMPUTINGS RVICESSI CIALPROVISIONS 14 0903.docx 4. ORDER OF PRECEDENCE In the event of any inconsistency between the articles, attachments, or provisions which constitute this agreement, the following descending order of precedence shall apply: A. California Participating Addendum Number 7-17-70-40-05 B. Utah NASPO ValuePoint Master Agreement Number AR2472 C. Utah Solicitation CH16012 including all Addendums D. Contractor's response to Utah's Solicitation 5. AVAILABLE SERVICES The following service offering from the Utah NASPO ValuePoint Master Agreement Number AR2472 are allowed under this Participating Addendum: Software as a Service (SaaS) 6. RESTRICTIONS/DISALLOWED SERVICES — These restrictions are not applicable to political subdivisions/local governments. A. The following service offerings are prohibited under this Participating Addendum: Infrastructure as a Service (laaS) Platform as a Service (PaaS) Value Added Services, including Additional Value Added Services such as Maintenance Services; Deployment Services; Consulting/Advisory Services; Architectural Design Services; Statement of Work Services; Partner Services, and Training Deployment Services B. Product and service categories that are available on mandatory California statewide contracts cannot be purchased from this Participating Addendum by State Departments without an exemption. Prior to issuing a purchase order, State Departments are responsible for obtaining an exemption from DGS, and/or California Department of Technology (CDT). Page 2 of 8 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Carahsoft Technology Corp. 7. PRICING A. Contractor shall submit a Price Schedule identifying all services offered under this Participating Addendum for the State's approval. B. The Price Schedule shall include the following: 1) Service Category (SaaS) Description 2) List Price 3) Discount off List Price 4) Contract Price C. Contractor shall obtain prior approval from Utah NASPO ValuePoint Contract Administrator, and submit a written notice of price increases/decreases and a revised Price List for the State's approval. D. State -approved Price List will be posted on the State's Cal eProcure website. 8. SERVICE ADDITIONS/DELETIONS A. Contractor may add or delete services introduced or removed from the market by the manufacturer under the following conditions: 1) Service is within existing awarded categories under the NASPO ValuePoint Master Price Agreement; 2) Contractor has obtained prior approval from the Utah NASPO ValuePoint Contract Administrator; and 3) Contractor receives written approval from the California State Contract Administrator. B. Contractor shall submit a written notice of service (s) additions/deletions and a revised Price Schedule for the State's approval. 9. FULFILLMENT PARTNERS/AUTHORIZED RESELLERS Authorized Resellers are available for this Participating Addendum: ISSUE PURCHASE ORDER TO Orders may be placed with Carahsoft Technology Corp. or with an Authorized Reseller as indicated below: Orders placed with Carahsoft Technology Corp. SUBMIT ORDERS TO: Carahsoft Technology Corp. 1860 Michael Faraday Drive, Suite 100 Contact: Karina Woods Phone: 7031871-8500 Fax No.: 7031871-8505 E-mail: OIw @carahsoft.c ni Page 3 of 8 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Carahsoft Technology Corp. Orders placed with an Authorized Reseller must be addressed as shown below, and payment must be made payable to the Authorized Reseller identified on the invoice as shown below: SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o DynTek Services, Inc. 4440 Von Karman, Suite 200, Newport Beach, CA 92660 Contact: Kelsea Pratt -Acosta Phone: 949/271-6780 Fax No.: 949/271-6794 E-mail: CAsales@dyntek.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o NWN Solutions Corporation 2969 Prospect Park Drive, Suite 225, Rancho Cordova, CA 95670 Contact: Team Meade Phone: 916/637-2160 Fax No.: 916/596-4800 E-mail: TMeade nwnit.corn SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Taborda Solutions, Inc. 9580 Oak Ave Pkwy, Suite 7-180, Folsom, CA 95630 Contact: Bear Williams Phone: 9161717-8711 Fax No.: 916/200-0353 E-mail: bear.williarns tabordasolutions.com, For invoicing purposes, each State Accounting office must have a copy of the reseller's Payee Data Record (Std. 204) in order to process payment of the invoice. Agencies should forward a copy of the Std. 204 to their respective accounting office. Without the Std. 204, payment may be unnecessarily delayed. AUTHORIZED RESELLERS ARE RESPONSIBLE FOR SENDING A COPY OF ALL PURCHASE ORDERS TO CARAHSOFT TECHNOLOGY CORP. FOR COOPERATIVE AGREEMENTS (NASPO VALUEPOINT) QUARTERLY REPORTING REQUIREMENTS. When issuing an order to an authorized reseller listed on Cooperative Agreements, it is the agency's responsibility to ensure that the reseller holds a valid California Seller's Permit. NOTE: Contractor shall be responsible for successful performance and compliance with all requirements in accordance with the terms and conditions under this Participating Addendum, even if work is performed by Servicing Subcontractors. All State policies, guidelines, and requirements shall apply to Authorized Resellers. Page 4 of 8 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Carahsoft Technology Corp. 10. ORDERING AGENCY RESPONSIBILITIES A. State department and political subdivision/local government use of this Participating Addendum is optional. B. State departments and political subdivision/local governments must follow the ordering procedures outlined within the User Instructions guide, administered by the State Contract Administrator, to execute orders against this Participating Addendum. 11. INVOICING AND PAYMENT A. Payment terms for this Participating Addendum are net forty-five (45) days. Payment will be made in accordance with IT General Provisions Paragraph 30 (Required Payment Date). B. Invoices shall be sent to the address identified in the Ordering Agency's purchase order. The State Participating Addendum Number and Ordering Agency Purchase Order Number shall appear on each invoice for all purchases placed under this Participating Addendum. C. Contractor will accept the State of California credit card (CAL -Card) for payment of invoices. 12. USAGE REPORTING A. Contractor shall submit usage reports on a quarterly basis to the State Contract Administrator for all California entity purchases using the report template attached hereto as Attachment A. The report is due even when there is no activity. B. The report shall be an Excel spreadsheet transmitted electronically to the DGS mailbox at PDCooperatives@dgs.ca.gov. qov. C. Any report that does not follow the required format or that excludes information will be deemed incomplete. Contractor will be responsible for submitting corrected reports within five business days of the date of written notification from the State. D. Tax must not be included in the report, even if it is on the purchase order. E. Reports are due for each quarter as follows: Reporting Period Due Date JUL 1 to SEP 30 OCT 31 OCT 1 to DEC 31 _ JAN 31 JAN 1 to MAR 31 APR 30 APR 1 to JUN 30 JUL 31 F. Failure to meet reporting requirements and submit the reports on a timely basis shall constitute grounds for suspension of this contract. Page 5 of 8 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Carahsoft Technology Corp. G. Amendments for term extensions may be approved only if all due reports have been submitted to the State. 13. ADMINISTRATIVE FEE A. Contractor shall submit a check, payable to the State of California, remitted to the Cooperative Agreement Unit for the calculated amount equal to one percent (0.01) of the sales for the quarterly period. B. Contractor must include the Participating Addendum Number on the check. Those checks submitted to the State without the Participating Addendum Number will be returned to Contractor for additional identifying information. C. Administrative fee checks shall be submitted to: State of California Department of General Services, Procurement Division Attention: Cooperative Agreement Program 707 3`d Street, 2"d Floor, MS 2-202 West Sacramento, CA 95605 D, The administrative fee shall not be included as an adjustment to Contractor's NASPO ValuePoint Master Agreement pricing. E. The administrative fee shall not be invoiced or charged to the ordering agency. F. Payment of the administrative fee is due irrespective of payment status on orders or service contracts from a purchasing entity. G. Administrative fee checks are due for each quarter as follows: H. Failure to meet administrative fee requirements and submit fees on a timely basis shall constitute grounds for suspension of this contract. Page 6 of 8 Agreement No. 7089 Participating Addendum No. 7-17-7040-05 Carahsoft Technology Corp. 14. CONTRACT MANAGEMENT A. The primary Contractor Contract Manager for this Participating Addendum shall be as follows: Contractor: Carahsoft Technology Corp. Name: Jack Dixon Phone: 703-230-7545 Fax: 703-871-8505 E-Mail: nas o carahsoft.com Address: 1860 Michael Faraday Drive, Ste 100 Reston, VA 20190 B. The State Contract Administrator for this Participating Addendum shall be as follows: Name: Yolanda Tuft Phone: 916.375.4408 Fax: 916.375.4663 E-Mail: Yolanda, tuft(o)ds.ca. q ov Address: State of California Department of General Services Procurement Division 707 Third Street, 2nd Floor, MS 2-202 West Sacramento, CA 95605 C. Should the contact information for either party change, the party will provide written notice with updated information no later than ten business days after the change. 15. Termination of Agreement The State may terminate this Participating Addendum at any time upon 30 days prior written notice to the Contractor. Upon termination or other expiration of this Participating Addendum, each party will assist the other party in orderly termination of the Participating Addendum and the transfer of all assets, tangible and intangible, as may facilitate the orderly, nondisrupted business continuation of each party. This provision shall not relieve the Contractor of the obligation to perform under any purchase order or other similar ordering document executed prior to the termination becoming effective. 16. Amendment No amendment or variation of the terms of this Participating Addendum shall be valid unless made in writing, signed by the parties and approved as required. No oral understanding or agreement not incorporated in the Participating Addendum is binding on any of the parties. Page 7 of 8 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Carahsoft Technology Corp. 17. Agreement A. This Participating Addendum and the Master Agreement together with its exhibits and/or amendments, set forth the entire agreement between the parties with respect to the subject matter of all previous communications, representations or agreements, whether oral or written, with respect to the subject matter hereof. Terms and conditions inconsistent with, contrary or in addition to the terms and conditions of this Participating Addendum and the Master Agreement, together with its exhibits and/or amendments, shall not be added to or incorporated into this Participating Addendum or the Master Agreement and its exhibits and/or amendments, by any subsequent purchase order or otherwise, and any such attempts to add or incorporate such terms and conditions are hereby rejected. The terms and conditions of this Participating Addendum and the Master Agreement and its exhibits and/or amendments shall prevail and govern in the case of any such inconsistent or additional terms. B. By signing below Contractor agrees to offer the same services as on the Utah NASPO ValuePoint Master Agreement Number AR2472, at prices equal to or lower than the prices on that contract. C. IN WITNESS WHEREOF, the parties have executed this Participating Addendum as of the date of execution by both parties below. STATE OF CALIFORNIA Department of General Services nc Name ignature ofAuthonzed Signer Date Signed Ricardo Martinez, Acting Deputy Director Printed Name and Title of Authorized Signer 707 Third Street West Sacramento, CA 95605 Address Page 8 of 8 CONTRACTOR Carahsoft Technolo Cor . Contractor Name August 9, 2017 Signature of Authorized Signer Date Signed Ellen Lord, Contracts Manage Printed Name and Title ofAuthorized Signer 1860 Michael Faraday Drive, Suite 100 Reston, VA 20190 Address Agreement No. 7089 0 e S a 0 d s c» «oo � CL e E a 0 t�c4�it, 46H Agreement No. 7089 STATE OF CALIFORNIA PARTICIPATING ADDENDUM NO. 7-17-70-40-05 AMENDMENT NO. 1 Cloud Solutions Utah NASPO ValuePoint Master Agreement No. AR2472 Carahsoft Technology Corp. The parties hereto mutually agree to amend Participating Addendum Number 7-17-70-40-05 as follows:, 1. Authorized Resellers outlined in Section 9 (Fulfillment Partners/Authorized Resellers) is revised to reflect the following: Authorized Resellers are available for this Participating Addendum: ISSUE PURCHASE ORDER TO Orders may be placed with Carahsoft Technology Corp. or with an Authorized Reseller as indicated below: Orders placed with Carahsoft Technology Corp. SUBMIT ORDERS TO: Carahsoft Technology Corp. 1860 Michael Faraday Drive, Suite 100 Tempe, AZ 85283 Contact: Karina Woods Phone: 703/871-8500 Fax No.: 703/871-8505 E-mail: OM@carahsoft.corn Orders placed with an Authorized Reseller must be addressed as shown below, and payment must be made payable to the Authorized Reseller identified on the invoice as shown below: SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Allied Network Solutions, Inc. 5718 Lonetree Blvd., Rocklin, CA 95765 Contact: Roger Schnorenberg Phone: 916/774-2670 X101 E-mail: Rschnor nb rg a@arns-it.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Data Path Inc. 318 McHenry Ave., Modesto, CA 95354 Contact: Brian Jump Phone: 209/312-9808 E-mail: BJump@mydatapaith.com Page 1 of 4 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Amendment #1 Carahsoft Technology Corp. SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o DynTek Services, Inc. 4440 Von Karman, Suite 200, Newport Beach, CA 92660 Contact: Kelsea Pratt -Acosta Phone: 949/271-6780 Fax No.: 949/271-6794 E-mail: CAsales@dyntek.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Eventus Solutions Group LLC 9777 Pyramiel Court, Suite 160, Englewood, CA 80112 Contact: Craig Tobin Phone: 303/376-6161 E-mail: Crai tobin eventus , com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o HF Tech Services, Inc. 5777 Madison Avenue, Suite 1060, Sacramento, CA 95841 Contact: Allan P. Hart Phone: 916/690-5056 E-mail: allan hftechservices.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o NWN Solutions Corporation 2969 Prospect Park Drive, Suite 225, Rancho Cordova, CA 95670 Contact: Team Meade Phone: 916/637-2160 Fax No.: 916/596-4800 E-mail: TMeade@nwnit.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Savant Solutions, Inc. which will do business in California as [Savant Solutions Group] 1931 H Street, Sacramento, CA 95811 Contact: Caleb Kwong Phone: 916/836-8182 E-mail: Caleb,@sav,antsolutions.net Page 2 of 4 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Amendment #1 Carahsoft Technology Corp. SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o SHI International, Corp. 290 Davidson Avenue, Somerset, NJ 08873 Contact: Nick Grappone Phone: 732/564-8189 E-mail: Nick. Gra one sshi.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Solutions Simplfied 8880 Cal Center Drive, Suite 400, Sacramento, CA 95826 Contact: Rachel DaValle Phone: 530/521-0576 E-mail: Rachel, DavaIle ,solutionssim lified.net. SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o Taborda Solutions, Inc. 9580 Oak Ave Pkwy, Suite 7-180, Folsom, CA 95630 Contact: Bear Williams Phone: 916/717-8711 Fax No.: 916/200-0353 E-mail: Bear,Wi�lliams@tabordasolLstions.com SUBMIT ORDERS TO: Carahsoft Technology Corp. c/o vCloud Tech Inc. 609 Deep Valley Drive, Suite 200, Rollling Hills Estates, CA 90274 Contact: Nadia Khan Phone: 424/703-4135 E-mail: nadiakhan vcioudtecl,.com For invoicing purposes, each State Accounting office must have a copy of the reseller's Payee Data Record (Std. 204) in order to process payment of the invoice. Agencies should forward a copy of the Std. 204 to their respective accounting office. Without the Std. 204, payment may be unnecessarily delayed. AUTHORIZED RESELLERS ARE RESPONSIBLE FOR SENDING A COPY OF ALL PURCHASE ORDERS TO QUEST MEDIA & SUPPLIES, INC. FOR COOPERATIVE AGREEMENTS (NASPO VALUEPOINT) QUARTERLY REPORTING REQUIREMENTS. When issuing an order to an authorized reseller listed on Cooperative Agreements, it is the agency's responsibility to ensure that the reseller holds a valid California Seller's Permit. Page 3 of 4 Agreement No. 7089 Participating Addendum No. 7-17-70-40-05 Amendment #1 Carahsoft Technology Corp. NOTE: Contractor shall be responsible for successful performance and compliance with all requirements in accordance with the terms and conditions under this Participating Addendum, even if work is performed by Authorized Resellers. All State policies, guidelines, and requirements shall apply to Authorized Resellers. All other terms and conditions of the Participating Addendum shall remain the same. IN WITNESS WHEREOF, the parties have executed this Participating Addendum Amendment as of the date of execution by both parties below. Participating State: Contractor: State of California, Carahsoft Technology Corp. Department of General Services r14. r "' wwwww r Z✓' Name: Angela Shell Title: Deputy Director Date: &L �. Name: Robert R. Moore Title: Vice President Date: April 25, 2018 Page 4 of 4 Agreement No. 7089 STATE OF CALIFORNIA PARTICIPATING ADDENDUM NUMBER 7-17-70-40-05 AMENDMENT 2 Cloud Solutions Utah NASPO ValuePoint Master Agreement Number AR2472 Carahsoft Technology Corp. (Contractor) The parties mutually agree to amend Participating Addendum 7-17-70-40-05 as follows: 1) Section 3. TERMS AND CONDITIONS/INCORPORATION OF DOCUMENTS is updated to read as follows: A. Terms and conditions listed below are hereby incorporated by reference and made a part of this Participating Addendum as if attached herein and shall apply to the purchase of goods or services made under this Participating Addendum. Terms can be viewed on the DGS Procurement Division website (https://www.dgs.ca.gov/PD/Resources/Page-Content/Procurement-Division- Resources-List-Folder/Model-Contract-Language). i. General Provisions — Information Technology (GSPD-401 IT) effective 9/5/2014. ii. Cloud Computing Software as a Service (SaaS) General Provisions effective 6/7/2019. iii, Cloud Computing Special Provisions for Software as a Service (SaaS) effective 03/15/18. iv. Cloud Computing Special Provisions for Infrastructure as a Service (IaaS) & Platform as a Service (PaaS), effective 05/11 /16. 2) Section 5. AVAILABLE PRODUCTS AND SERVICES is updated to read as follows: A. The following service offerings from the Utah NASPO ValuePoint Master Agreement Number AR2472 are allowed under this Participating Addendum: 1) Software as a Service (SaaS) 2) Infrastructure as a Service (IaaS) 3) Platform as a Service (PaaS) 3) Section 6. RESTRICTIONS/DISALLOWED PRODUCTS AND SERVICES (STATE AGENCIES ONLY) is updated to read as follows: A. The following product/service offerings are disallowed for state agencies under this Participating Addendum: 1) Value Added Services, including Additional Value Added Services such as Maintenance Services; Deployment Services; Consulting/Advisory Services; Architectural Design Services; Statement of Work Services; Partner Services, and Training Deployment Services Page 1 of 3 Agreement No. 7089 Participating Addendum 7-17-70-40-05 Amendment 2 B. Product and service categories that are available on mandatory California statewide contracts cannot be purchased from this Participating Addendum by State agencies without an exemption. Prior to issuing a purchase order, State agencies are responsible for obtaining an exemption from DGS, and/or California Department of Technology (CDT). C. State agencies must first obtain approval by the California Department of Technology (CDT) to use this Participating Addendum for Infrastructure as a Service (laaS) and/or Platform as a Service (PaaS) purchases in accordance with Technology Letter 17 06 (www.cdt.ca.gov/wp-content/uploads/2017/08/TL- 17-06.pdf). 4) Section 14. CONTRACT MANAGEMENT subpart A is updated to read as follows: A. The primary Contractor Contract Manager for this Participating Addendum shall be as follows: Contractor: Carahsoft Technology Corp. Name: Alex Cord Phone: 703-871-8500 E-Mail: Alex.Cord@Carahsoft.com Address: 11493 Sunset Hills Road, Suite 100 Reston, VA 20190 5) Section 9 FULFILLMENT PARTNERS/AUTHORIZED RESELLERS is updated to read as follows: A. Contractor may use State -approved Authorized Resellers under this Participating Addendum for sales and service functions as defined herein. 1) Orders may be placed with the Contractor or Authorized Resellers. 2) Authorized Resellers must accept purchase orders and accept payment from ordering agencies for products and services offered under this Participating Addendum. 3) Authorized Resellers are responsible for sending a copy of all purchase orders and invoices to the Contractor for compliance with quarterly usage reporting and administrative fee requirements. 4) All purchase documents to Authorized Resellers shall reference the Participating Addendum Number and Contractor Name. Page 2 of 3 Agreement No. 7089 Participating Addendum 7-17-70-40-05 Amendment 2 B. Contractor shall be responsible for successful performance and compliance with all requirements in accordance with the terms and conditions under this Participating Addendum, even if work is performed by Authorized Resellers. All State policies, guidelines, and requirements shall apply to Authorized Resellers. C. Contractor will be the sole point of contact with regard to Participating Addendum contractual matters, reporting, and administrative fee requirements. D. Subject to the approval of the State, Authorized Resellers may be added on a quarterly basis during the term of the contract. Contractors shall notify the State of any deleted Authorized Resellers or changes to current Authorized Resellers' contact information in writing at any time during the contract term. E. Contractor will be required to submit Authorized Reseller requests, in a format specified by the State, to the State Contract Administrator for approval. F. State -approved Authorized Resellers will be posted on the State's Cal eProcure website. All other terms and conditions of the Participating Addendum shall remain in full force and effect. IN WITNESS WHEREOF, the parties have executed this Amendment as of the date of execution by both parties below. STATE OF CALIFORNIA CONTRACTOR Department of General Services _Carahsoft Technology Cori. Agency Name Contractor Name 9 ...._.............._..._._. August 11,ITIT2021 ����...��r�. 8/11 /2021 _._. Authorized Signature Date Signed Authorized Signature Date Signed Stephanne Lim, MAU2 Supervisor Printed Name/Title of Person Signing 707 Third Street West Sacramento, CA 95605 Address Kristina Smith - Director of Contracts Printed Name/Title of Person Signing 11493 Sunset Hills Road, Suite 100 Reston, VA 20190 Address Page 3 of 3 Agreement No. 7089 STATE OF CALIFORNIA PARTICIPATING ADDENDUM NUMBER 7-17-70-40-05 AMENDMENT 3 Cloud Solutions Utah NASPO ValuePoint Master Agreement Number AR2472 Carahsoft Technology Corporation (Contractor) The parties mutually agree to amend Participating Addendum 7-17-70-40-05 as follows: 1) Section 7. PRICING is revised to read as follows: A. Contractor's pricing is outlined in the Utah NASPO ValuePoint Master Agreement Number AR2472. 2) Section 16. CONTRACT MANAGEMENT, subparagraph A is revised to read as follows: A. The primary Contractor Contract Manager for this Participating Addendum shall be as follows: Contractor Contract Manager Name: Mariah Edwards Phone: (818) 449-3729 Email: _ Mariah.Edwards carahsoft.comi _...................... ......_ Address: _.......... .. ..... ........ Carahsoft Technology Corporation Mariah Edwards 11493 Sunset Hills Road, Suite 100 Resto, VA 20190 Page 1 of 2 Agreement No. 7089 Participating Addendum 7-17-70-40-05 Amendment 3 3) Section 18. EXECUTIVE ORDER N-6-22 — RUSSIA SANCTIONS is hereby added to read as follows: 18. EXECUTIVE ORDER N-6-22 — RUSSIA SANCTIONS On March 4, 2022, Governor Gavin Newsom issued Executive Order N-6- 22 (the EO) regarding Economic Sanctions against Russia and Russian entities and individuals. "Economic Sanctions" refers to sanctions imposed by the U.S. government in response to Russia's actions in Ukraine, as well as any sanctions imposed under state law. The EO directs state agencies to terminate contracts with, and to refrain from entering any new contracts with, individuals or entities that are determined to be a target of Economic Sanctions. Accordingly, should the State determine Contractor is a target of Economic Sanctions or is conducting prohibited transactions with sanctioned individuals or entities, that shall be grounds for termination of this Participating Addendum. The State shall provide Contractor advance written notice of such termination, allowing Contractor at least thirty (30) calendar days to provide a written response. Termination shall be at the sole discretion of the State. All other terms and conditions of the Participating Addendum shall remain in full force and effect. IN WITNESS WHEREOF, the parties have executed this Amendment as of the date of execution by both parties below. STATE OF CALIFORNIA CONTRACTOR Department of General Services Carahsoft Technology Corporation Agency Name Contractor Name Authorized Signature Date Signed Julie Matthews, MAU2 SuervisorITmmITITITITITITITITITITITITIT_._ Printed Name/Title of Person Signing 707 Third Street West Sacramento, CA 95605 Address K� 06/22/2023 ....................... Authorized Signature Date Signed Kristina Smith, Contracts Director_ Printed Name/Title of Person Signing 11493 Sunset Hills Rd, Suite 100, Reston, VA 20190 Address Page 2 of 2 Agreement No. 7089 Cunt' act 4 AR27472 P. .Vol STATE OF UTAH COOPERATIVE CONTRACT I. CONTRACTING PARTIES: This contract isbcvxcen the Division Of Purchasing and the 1'ollowim, Contractor: Caralisoft Teci)112joq.� Cotporation ..... ................... . LEGAL STATUS OF CONTRACTOR Name ❑ Sole Tropriclor 1360 iklichael Faraday Drive, Suite 100 ❑ Non -Profit Corporation Address Z Fur-Prc Fit Corporation Reston VA—.. --- 20190 El Partnership City state Zip ❑ Government Agency Contact Person LjaLttt'gllv I'lloile .4703-230-7435 E-mail N qq— Vendor /(VC0000 1 16540 Commodity Code 1020-05 2. GENERAL PURPOSE OF CONTRACT: Contractor is pcirmiltq] it) 11i:2.N Solutions klelllili 2Ld ill ("+UA EgrjKkjgttr� yitdmtes otaet� a l'tlrtici sating Addendmi.i It 1% beg", ned! L- 3. PROCUREMENT PROCESS: This Contract is entered into as a result Of the ])I-OCUrenieril process on F3i(IiICFI 16012. 4. CONTRACT PERIOD: Efl'ective Date: I0/14/20I U6 Termination Date: 09/15/2026 unless terminated early or extended in accordance with the terms and conditions ofthiS Contract. Note: PLIMLIant to Solicitation flCI-I 160 12, Contract must re-certily its qualifications each year. 5 Administrative Fee, as described in the Solicitation and Attachment A: The Contractor shall pay to NASPO ViluePoint, or its assignee, a NASPO VaILIOPoint Administrative Fee o!'one-quarter ol'one percent (0.25% or 0.0025) no later than 60 (lays l'ollowin.,; the end of each calendar quarter. The NASPO ValtiePoint Administrative Fee shall be submitted quarterly and is based on sales of the Services. 6. ATTACHMENT A: NASPO ValuePoint M aster Terms and Conditions, including the attached Exhibits ATTACHMENT B: Scope ot"Services Awarded to Contractor ATTACI IM ENT C: Pricing DiSCOLITItS and Pricing Schedule ATTACHMENT D: Conlraclor's Response to Solicitation i.`Cl 116012 ATTACHMENT E: Service Offeriw, EU LAs Any emillicts between Attachment A and the other Attachments will be resolved in favor of Attachment A. S. DOCUMENTS INCORPORATED INTO THIS CONTRACT BY REFERENCE BUTNOF ATTACHED: il. All other governmental laws. regulations, or actions applicable to the goods anct,or services authorized by this contracl. b. Utah State Procurement Code and the Procurement RUICS. 9. Each sionatory below represents that he or she has the requisiteatithoritN lo enter into this contract. IN WITNESS WI IEREOF, the parties sign and cause this contract to be executed. CONTRACTOR STATE 10 1 16 k"Ooln"loor's slunatule Date — )iY6lt ri ol'Purchasing, Date Robert Moore, Vice President Tvpc or Print Name and Tit Ic Christophnl er 111.1�1-111CS SO 1 -538-3254 chl . ................. . V".' 1,wn hin" I tsY Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. LIM Attachment A: NASPO ValuePoint Master Agreement Terms and Conditions 1. Master Agreement Order of Precedence a. Any Order placed under this Master Agreement shall consist of the following documents: (1) A Participating Entity's Participating Addendum' ("PA"); (2) NASPO ValuePoint Master Agreement Terms & Conditions, including the applicable Exhibits2 to the Master Agreement; (3) The Solicitation; (4) Contractor's response to the Solicitation, as revised (if permitted) and accepted by the Lead State; and (5) A Service Level Agreement issued against the Participating Addendum. b. These documents shall be read to be consistent and complementary. Any conflict among these documents shall be resolved by giving priority to these documents in the order listed above. Contractor terms and conditions that apply to this Master Agreement are only those that are expressly accepted by the Lead State and must be in writing and attached to this Master Agreement as an Exhibit or Attachment. 2. Definitions - Unless otherwise provided in this Master Agreement, capitalized terms will have the meanings given to those terms in this Section. Confidential Information means any and all information of any form that is marked as confidential or would by its nature be deemed confidential obtained by Contractor or its employees or agents in the performance of this Master Agreement, including, but not necessarily limited to (1) any Purchasing Entity's records, (2) personnel records, and (3) information concerning individuals, is confidential information of Purchasing Entity. Contractor means the person or entity providing solutions under the terms and conditions set forth in this Master Agreement. Contractor also includes its employees, subcontractors, agents and affiliates who are providing the services agreed to under the 1 A Sample Participating Addendum will be published after the contracts have been awarded. 2 The Exhibits comprise the terms and conditions for the service models: PaaS, IaaS, and PaaS. Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016,. Master Agreement. Data means all information, whether in oral or written (including electronic) form, created by or in any way originating with a Participating Entity or Purchasing Entity, and all information that is the output of any computer processing, or other electronic manipulation, of any information that was created by or in any way originating with a Participating Entity or Purchasing Entity, in the course of using and configuring the Services provided under this Agreement. Data Breach means any actual or reasonably suspected non -authorized access to or acquisition of computerized Non -Public Data or Personal Data that compromises the security, confidentiality, or integrity of the Non -Public Data or Personal Data, or the ability of Purchasing Entity to access the Non -Public Data or Personal Data. Data Categorization means the process of risk assessment of Data. See also "High Risk Data", "Moderate Risk Data" and "Low Risk Data". Disabling Code means computer instructions or programs, subroutines, code, instructions, data or functions, (including but not limited to viruses, worms, date bombs or time bombs), including but not limited to other programs, data storage, computer libraries and programs that self -replicate without manual intervention, instructions programmed to activate at a predetermined time or upon a specified event, and/or programs purporting to do a meaningful function but designed for a different function, that alter, destroy, inhibit, damage, interrupt, interfere with or hinder the operation of the Purchasing Entity's' software, applications and/or its end users processing environment, the system in which it resides, or any other software or data on such system or any other system with which it is capable of communicating. Fulfillment Partner means a third -party contractor qualified and authorized by Contractor, and approved by the Participating State under a Participating Addendum, who may, to the extent authorized by Contractor, fulfill any of the requirements of this Master Agreement including but not limited to providing Services under this Master Agreement and billing Customers directly for such Services. Contractor may, upon written notice to the Participating State, pdd or delete authorized Fulfillment Partners as necessary at any time during the contract term. Fulfillment Partner has no authority to amend this Master Agreement or to bind Contractor to any additional terms and conditions. High Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems ("High Impact Data"). Infrastructure as a Service (laaS) as used in this Master Agreement is defined the capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 201& arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications; and possibly limited control of select networking components (e.g., host firewalls). Intellectual Property means any and all patents, copyrights, service marks, trademarks, trade secrets, trade names, patentable inventions, or other similar proprietary rights, in tangible or intangible form, and all rights, title, and interest therein. Lead State means the State centrally administering the solicitation and any resulting Master Agreement(s). Low Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems ("Low Impact Data"). Master Agreement means this agreement executed by and between the Lead State, acting on behalf of NASPO ValuePoint, and the Contractor, as now or hereafter amended. Moderate Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems ("Moderate Impact Data"). NASPO ValuePoint is the NASPO ValuePoint Cooperative Purchasing Program, facilitated by the NASPO Cooperative Purchasing Organization LLC, a 501(c)(3) limited liability company (doing business as NASPO ValuePoint) is a subsidiary organization the National Association of State Procurement Officials (NASPO), the sole member of NASPO ValuePoint. The NASPO ValuePoint Cooperative Purchasing Organization facilitates administration of the cooperative group contracting consortium of state chief procurement officials for the benefit of state departments, institutions, agencies, and political subdivisions and other eligible entities (i.e., colleges, school districts, counties, cities, some nonprofit organizations, etc.) for all states and the District of Columbia. The NASPO ValuePoint Cooperative Development Team is identified in the Master Agreement as the recipient of reports and may be performing contract administration functions as assigned by the Lead State. Non -Public Data means High Risk Data and Moderate Risk Data that is not subject to distribution to the public as public information. It is deemed to be sensitive and confidential by the Purchasing Entity because it contains information that is exempt by statute, ordinance or administrative rule from access by the general public as public information. Participating Addendum means a bilateral agreement executed by a Contractor and a Participating Entity incorporating this Master Agreement and any other additional Participating Entity specific language or other requirements, e.g. ordering procedures Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. specific to the Participating Entity, other terms and conditions. Participating Entity means a state, or other legal entity, properly authorized to enter into a Participating Addendum. Participating State means a state, the District of Columbia, or one of the territories of the United States that is listed in the Request for Proposal as intending to participate. Upon execution of the Participating Addendum, a Participating State becomes a Participating Entity. Personal Data means data alone or in combination that includes information relating to an individual that identifies the individual by name, identifying number, mark or description can be readily associated with a particular individual and which is not a public record. Personal Information may include the following personally identifiable information (PII): government -issued identification numbers (e.g., Social Security, driver's license, passport); financial account information, including account number, credit or debit card numbers; or Protected Health Information (PHI) relating to a person. Platform as a Service (PaaS) as used in this Master Agreement is defined as the capability provided to the consumer to deploy onto the cloud infrastructure consumer - created or -acquired applications created using programming languages and tools supported by the provider. This capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Product means any deliverable under this Master Agreement, including Services, software, and any incidental tangible goods. Protected Health Information (PHI) means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records held by a covered entity in its role as employer. PHI may also include information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. Purchasing Entity means a state, city, county, district, other political subdivision of a State, and a nonprofit organization under the laws of some states if authorized by a Participating Addendum, who issues a Purchase Order against the Master Agreement and becomes financially committed to the purchase. Services mean any of the specifications described in the Scope of Services that are supplied or created by the Contractor pursuant to this Master Agreement. Security Incident means the possible or actual unauthorized access to a Purchasing Entity's Non -Public Data and Personal Data the Contractor believes could reasonably result in the use, disclosure or theft of a Purchasing Entity's Non -Public Data within the possession or control of the Contractor. A Security Incident also includes a major security breach to the Contractor's system, regardless if Contractor is aware of unauthorized access to a Purchasing Entity's Non -Public Data. A Security Incident may or may not turn into a Data Breach. Service Level Agreement (SLA) means a written agreement between both the Purchasing Entity and the Contractor that is subject to the terms and conditions in this Master Agreement and relevant Participating Addendum unless otherwise expressly agreed in writing between the Purchasing Entity and the Contractor. SLAs should include: (1) the technical service level performance promises, (i.e. metrics for performance and intervals for measure), (2) description of service quality, (3) identification of roles and responsibilities, (4) remedies, such as credits, and (5) an explanation of how remedies or credits are calculated and issued. Software as a Service (SaaS) as used in this Master Agreement is defined as the capability provided to the consumer to use the Contractor's applications running on a Contractor's infrastructure (commonly referred to as `cloud infrastructure). The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web -based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user -specific application configuration settings. Solicitation means the documents used by the State of Utah, as the Lead State, to obtain Contractor's Proposal. Statement of Work means a written statement in a solicitation document or contract that describes the Purchasing Entity's service needs and expectations. 6. Discount Guarantee Period: All discounts must be guaranteed for the entire term of the Master Agreement. Participating Entities and Purchasing Entities shall receive the immediate benefit of price or rate reduction of the services provided under this Master Agreement. A price or rate reduction will apply automatically to the Master Agreement Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/Value Point Model Contract for Cloud Services. February 17, 2016. and an amendment is not necessary. 8. Confidentiality, Non -Disclosure, and Injunctive Relief a. Confidentiality. Contractor acknowledges that it and its employees or agents may, in the course of providing a Product under this Master Agreement, be exposed to or acquire information that is confidential to Purchasing Entity's or Purchasing Entity's clients. Any reports or other documents or items (including software) that result from the use of the Confidential Information by Contractor shall be treated in the same manner as the Confidential Information. Confidential Information does not include information that (1) is or becomes (other than by disclosure by Contractor) publicly known; (2) is furnished by Purchasing Entity to others without restrictions similar to those imposed by this Master Agreement; (3) is rightfully in Contractor's possession without the obligation of nondisclosure prior to the time of its disclosure under this Master Agreement; (4) is obtained from a source other than Purchasing Entity without the obligation of confidentiality, (5) is disclosed with the written consent of Purchasing Entity or; (6) is independently developed by employees, agents or subcontractors of Contractor who can be shown to have had no access to the Confidential Information. b. Non -Disclosure. Contractor shall hold Confidential Information in confidence, using at least the industry standard of confidentiality, and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose Confidential Information to third parties or use Confidential Information for any purposes whatsoever other than what is necessary to the performance of Orders placed under this Master Agreement. Contractor shall advise each of its employees and agents of their obligations to keep Confidential Information confidential. Contractor shall use commercially reasonable efforts to assist Purchasing Entity in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limiting the generality of the foregoing, Contractor shall advise Purchasing Entity, applicable Participating Entity, and the Lead State immediately if Contractor learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms of this Master Agreement, and Contractor shall at its expense cooperate with Purchasing Entity in seeking injunctive or other equitable relief in the name of Purchasing Entity or Contractor against any such person. Except as directed by Purchasing Entity, Contractor will not at any time during or after the term of this Master Agreement disclose, directly or indirectly, any Confidential Information to any person, except in accordance with this Master Agreement, and that upon termination of this Master Agreement or at Purchasing Entity's request, Contractor shall turn over to Purchasing Entity all documents, papers, and other matter in Contractor's possession that embody Confidential Information. Notwithstanding the foregoing, Contractor may keep one copy of such Confidential Information necessary for quality assurance, audits and evidence of the performance of this Master Agreement. c. Injunctive Relief. Contractor acknowledges that breach of this section, including disclosure of any Confidential Information, will cause irreparable injury to Purchasing Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. Entity that is inadequately compensable in damages. Accordingly, Purchasing Entity may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies that may be available. Contractor acknowledges and agrees that the covenants contained herein are necessary for the protection of the legitimate business interests of Purchasing Entity and are reasonable in scope and content. d. Purchasing Entity Law. These provisions shall be applicable only to extent they are not in conflict with the applicable public disclosure laws of any Purchasing Entity. 9. Right to Publish: Throughout the duration of this Master Agreement, Contractor must secure prior approval from the Lead State or Participating Entity for the release of any information that pertains to the potential work or activities covered by the Master Agreement, including but not limited to reference to or use of the Lead State or a Participating Entity's name, Great Seal of the State, Coat of Arms, any Agency or other subunits of the State government, or any State official or employee, for commercial promotion which is strictly prohibited. News releases or release of broadcast a -mails pertaining to this Master Agreement or Participating Addendum shall not be made without prior written approval of the Lead State or a Participating Entity. The Contractor shall not make any representations of NASPO ValuePoint's opinion or position as to the quality or effectiveness of the services that are the subject of this Master Agreement without prior written consent. Failure to adhere to this requirement may result in termination of the Master Agreement for cause. 11. Changes in Contractor Representation: The Contractor must notify the Lead State of changes in the Contractor's key administrative personnel, in writing within 10 calendar days of the change. The Lead State reserves the right to approve changes in key personnel, as identified in the Contractor's proposal. The Contractor agrees to propose replacement key personnel having substantially equal or better education, training, and experience as was possessed by the key person proposed and evaluated in the Contractor's proposal. 13. Indemnification and Limitation of Liability a. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating Entities, and Purchasing Entities, along with their officers, agents, and employees as well as any person or entity for which they may be liable, from and against claims, damages or causes of action including reasonable attorneys' fees and related costs for any death, bodily injury, or damage to real or tangible property arising directly or indirectly from the negligent or wrongful act(s), error(s), or omission(s) of the Contractor, its employees or subcontractors or volunteers, at any tier, relating to the performance under the Master Agreement. b. Indemnification — Intellectual Property. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating entities, Purchasing Entities, along with their officers, agents, and employees as well as any Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. person or entity for which they may be liable ("Indemnified Party"), from and against claims, damages or causes of action including reasonable attorneys' fees and related costs arising out of the claim that the Product or its use, infringes Intellectual Property rights ("Intellectual Property Claim") of another person or entity. (1) The Contractor's obligations under this section shall not extend to: a. Any use of the Services provided hereunder not contemplated in the product documentation. b. Any use of the Services provided hereunder in combination with other products not contemplated hereunder or in the documentation, any use of modification of the Services provided hereunder except as permitted by this Agreement. (2) The Indemnified Party shall notify the Contractor within a reasonable time after receiving notice of an Intellectual Property Claim. Even if the Indemnified Party fails to provide reasonable notice, the Contractor shall not be relieved from its obligations unless the Contractor can demonstrate that it was prejudiced in defending the Intellectual Property Claim resulting in increased expenses or loss to the Contractor and then only to the extent of the prejudice or expenses. If the Contractor promptly and reasonably investigates and defends any Intellectual Property Claim, it shall have control over the defense and settlement of it. However, the Indemnified Party must consent in writing for any money damages or obligations for which it may be responsible. The Indemnified Party shall furnish, at the Contractor's reasonable request and expense, information and assistance necessary for such defense. If the Contractor fails to vigorously pursue the defense or settlement of the Intellectual Property Claim, the Indemnified Party may assume the defense or settlement of it and the Contractor shall be liable for all costs and expenses, including reasonable attorneys' fees and related costs, incurred by the Indemnified Party in the pursuit of the Intellectual Property Claim. Unless otherwise agreed in writing, this section is not subject to any limitations of liability in this Master Agreement or in any other document executed in conjunction with this Master Agreement. b. Except as otherwise set forth in the Indemnification Paragraphs above, the limit of liability shall be as follows: i. Contractor's liability for any claim, loss or liability arising out of, or connected with'the Services provided, and whether based upon default, or other liability such as breach of contract, warranty, negligence, misrepresentation or otherwise, shall in no case exceed direct damages in: (i) an amount equal to two (2) times the charges specified in the Purchase Order for the Services, or parts thereof forming the basis of the Purchasing Entity's claim, (said amount not to exceed a total of twelve (12) months charges payable under the applicable Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. Purchase Order) or (ii) two million dollars ($2,000,000), whichever is greater. ii. The Purchasing Entity may retain such monies from any amount due Contractor as may be necessary to satisfy any claim for damages, costs and the like asserted against the Purchasing Entity unless Contractor at the time of the presentation of claim shall demonstrate to the Purchasing Entity's satisfaction that sufficient monies are set aside by the Contractor in the form of a bond or through insurance coverage to cover associated damages and other costs. iii. Notwithstanding the above, neither the Contractor nor the Purchasing Entity shall be liable for any consequential, indirect or special damages of any kind which may result directly or indirectly from such performance, including, without limitation, damages resulting from loss of use or loss of profit by the Purchasing Entity, the Contractor, or by others. iv. The limitations of liability in Section 43 will not apply to claims for bodily injury or death as set forth in Section 13, and Section 30 when made applicable under a specific purchase order. 16. Insurance a. Unless otherwise agreed in a Participating Addendum, Contractor shall, during the term of this Master Agreement, maintain in full force and effect, the insurance described in this section. Contractor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business in each Participating Entity's state and having a rating of A-, Class VII or better, in the most recently published edition of Best's Reports. Failure to buy and maintain the required insurance may result in this Master Agreement's termination or, at a Participating Entity's option, result in termination of its Participating Addendum. b. Coverage shall be written on an occurrence basis. The minimum acceptable limits shall be as indicated below, with no deductible for each of the following categories: (1) Commercial General Liability covering premises operations, independent contractors, products and completed operations, blanket contractual liability, personal injury (including death), advertising liability, and property damage, with a limit of not less than $1 million per occurrence/$3 million general aggregate; (2) CLOUD MINIMUM INSURANCE COVERAGE: Data Breach and Privacy/Cyber Liability including Technology Crime Insurance Level of Errors and Omissions Minimum Insurance Risk Minimum Insurance Coverage Coverage Low $2,000,000 $2,000,000 Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 201& Moderate $5,000,000 $5,000,000 High _....m $10,000,000 $10,000,000 (3) Contractor must comply with any applicable State Workers Compensation or Employers Liability Insurance requirements. (4) Professional Liability. As applicable, Professional Liability Insurance Policy in the minimum amount of $1,000,000 per occurrence and $1,000,000 in the aggregate, written on an occurrence form that provides coverage for its work undertaken pursuant to each Participating Addendum. c. Contractor shall pay premiums on all insurance policies. Such policies shall also reference this Master Agreement and shall have a condition that they not be revoked by the insurer until thirty (30) calendar days after notice of intended revocation thereof shall have been given to Purchasing Entity and Participating Entity by the Contractor. d. Prior to commencement of performance, Contractor shall provide to the Lead State a written endorsement to the Contractor's general liability insurance policy or other documentary evidence acceptable to the Lead State that (1) names the Participating States identified in the Request for Proposal as additional insureds, (2) provides that no material alteration, cancellation, non -renewal, or expiration of the coverage contained in such policy shall have effect unless the named Participating State has been given at least thirty (30) days prior written notice, and (3) provides that the Contractor's liability insurance policy shall be primary, with any liability insurance of any Participating State as secondary and noncontributory. Unless otherwise agreed in any Participating Addendum, the Participating Entity's rights and Contractor's obligations are the same as those specified in the first sentence of this subsection. Before performance of any Purchase Order issued after execution of a Participating Addendum authorizing it, the Contractor shall provide to a Purchasing Entity or Participating Entity who requests it the same information described in this subsection. e. Contractor shall furnish to the Lead State, Participating Entity, and, on request, the Purchasing Entity copies of certificates of all required insurance within thirty (30) calendar days of the execution of this Master Agreement, the execution of a Participating Addendum, or the Purchase Order's effective date and prior to performing any work. The insurance certificate shall provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all states); a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements); and an acknowledgment of the requirement for notice of cancellation. Copies of renewal certificates of all required insurance shall be furnished within thirty (30) days after any renewal date. These certificates of insurance must expressly indicate compliance with each and every insurance requirement specified in this section. Failure to provide evidence of coverage Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. may, at sole option of the Lead State, or any Participating Entity, result in this Master Agreement's termination or the termination of any Participating Addendum. f. Coverage and limits shall not limit Contractor's liability and obligations under this Master Agreement, any Participating Addendum, or any Purchase Order. 17. Laws and Regulations: Any and all Services offered and furnished shall comply fully with all applicable Federal and State laws and regulations. The federal and state laws, regulations, policies, standards, and guidelines that Contractors doing business with the Participating Entities must be aware of, include, but not limited to: Criminal Justice Information Services (CJIS) Security Policy; Federal Educational Rights and Privacy Act (FERPA); Federal Information Security Management Act (FISMA); National Institute of Technology Standards; Gramm -Leach - Bliley Act (GLB) Act; Health Insurance Portability and Accountability Act (HIPAA); Health Information Technology for Economic and Clinical Health Act (HITECH); IRS Publication 1075; Payment Card Industry Data Security Standard (PCI DSS); Sarbanes- Oxley Act (SOX); Electronic Communications Privacy Act, Stored Communications Act and the PATRIOT Act. The list is intentionally United States -centric, and is not intended to be all-inclusive. Further, since laws, regulations, requirements and industry guidelines change, consulting definitive sources to assure a clear understanding of compliance requirements is critical. Many State Entities have additional program compliance requirements that must be considered in addressing compliance. (e.g., DMV Privacy Act, Public Service Law, etc.). 20. Participants and Scope a. Contractor may not deliver Services under this Master Agreement until a Participating Addendum acceptable to the Participating Entity and Contractor is executed. The NASPO ValuePoint Master Agreement Terms and Conditions are applicable to any Order by a Participating Entity (and other Purchasing Entities covered by their Participating Addendum), except to the extent altered, modified, supplemented or amended by a Participating Addendum. By way of illustration and not limitation, this authority may apply to unique delivery and invoicing requirements, confidentiality requirements, defaults on Orders, governing law and venue relating to Orders by a Participating Entity, indemnification, and insurance requirements. Statutory or constitutional requirements relating to availability of funds may require specific language in some Participating Addenda in order to comply with applicable law. The expectation is that these alterations, modifications, supplements, or amendments will be addressed in the Participating Addendum or, with the consent of the Purchasing Entity and Contractor, may be included in the ordering document (e.g. purchase order or contract) used by the Purchasing Entity to place the Order. b. Subject to subsection 20c and a Participating Entity's Participating Addendum, the use of specific NASPO ValuePoint cooperative Master Agreements by state agencies, political subdivisions and other Participating Entities (including cooperatives) authorized Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016„ by individual state's statutes to use state contracts is subject to the approval of the respective State Chief Procurement Official. c. Unless otherwise stipulated in a Participating Entity's Participating Addendum, specific services accessed through the NASPO ValuePoint cooperative Master Agreements for Cloud Services by state executive branch agencies, as required by a Participating Entity's statutes, are subject to the authority and approval of the Participating Entity's Chief Information Officer's Office3. Cl. Obligations under this Master Agreement are limited to those Participating Entities who have signed a Participating Addendum and Purchasing Entities within the scope of those Participating Addenda. Financial obligations of Participating States are limited to the orders placed by the departments or other state agencies and institutions having available funds. Participating States incur no financial obligations on behalf of political subdivisions. e. NASPO ValuePoint is not a party to the Master Agreement. It is a nonprofit cooperative purchasing organization assisting states in administering the NASPO ValuePoint cooperative purchasing program for state government departments, institutions, agencies and political subdivisions (e.g., colleges, school districts, counties, cities, etc.) for all 50 states, the District of Columbia and the territories of the United States. f. Participating Addenda shall not be construed to amend the terms of this Master Agreement between the Lead State and Contractor. g. Participating Entities who are not states may under some circumstances sign their own Participating Addendum, subject to the approval of participation by the Chief Procurement Official of the state where the Participating Entity is located. Coordinate requests for such participation through NASPO ValuePoint. Any permission to participate through execution of a Participating Addendum is not a determination that procurement authority exists in the Participating Entity; they must ensure that they have the requisite procurement authority to execute a Participating Addendum. h. Resale. Subject to any explicit permission in a Participating Addendum, Purchasing Entities may not resell goods, software, or Services obtained under this Master Agreement. This limitation does not prohibit: payments by employees of a Purchasing Entity as explicitly permitted under this agreement; sales of goods to the general public as surplus property; and fees associated with inventory transactions with other governmental or nonprofit entities under cooperative agreements and consistent with a Purchasing Entity's laws and regulations. Any sale or transfer permitted by this 3 Chief Information Officer means the individual designated by the Governor with Executive Branch, enterprise - wide responsibility for the leadership and management of information technology resources of a state. Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. subsection must be consistent with license rights granted for use of intellectual property. 22. Data Access Controls: Contractor will provide access to Purchasing Entity's Data only to those Contractor employees, contractors and subcontractors ("Contractor Staff') who need to access the Data to fulfill Contractor's obligations under this Agreement. Contractor shall not access a Purchasing Entity's user accounts or Data, except on the course of data center operations, response to service or technical issues, as required by the express terms of this Master Agreement, or at a Purchasing Entity's written request. Contractor may not share a Purchasing Entity's Data with its parent corporation, other affiliates, or any other third party without the Purchasing Entity's express written consent. Contractor will ensure that, prior to being granted access to the Data, Contractor Staff who perform work under this Agreement have successfully completed annual instruction of a nature sufficient to enable them to effectively comply with all Data protection provisions of this Agreement; and possess all qualifications appropriate to the nature of the employees' duties and the sensitivity of the Data they will be handling. 23. Operations Management: Contractor shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the Product in a manner that is, at all times during the term of this Master Agreement, at a level equal to or more stringent than those specified in the Solicitation. Contractor must maintain any certifications required under the Solicitation. 24. Public Information: This Master Agreement and all related documents are subject to disclosure pursuant to the Purchasing Entity's public information laws. 26. Records Administration and Audit. a. The Contractor shall maintain books, records, documents, and other evidence pertaining to this Master Agreement and orders placed by Purchasing Entities under it to the extent and in such detail as shall adequately reflect performance and administration of payments and fees. Contractor shall permit the Lead State, a Participating Entity, a Purchasing Entity, the federal government (including its grant awarding entities and the U.S. Comptroller General), and any other duly authorized agent of a governmental agency, to audit, inspect, examine, copy and/or transcribe Contractor's books, documents, papers and records directly pertinent to this Master Agreement or orders placed by a Purchasing Entity under it for the purpose of making audits, examinations, excerpts, and transcriptions. This right shall survive for a period of six (6) years following termination of this Agreement or final payment for any order placed by a Purchasing Entity against this Agreement, whichever is later, to assure compliance with the terms hereof or to evaluate performance hereunder. b. Without limiting any other remedy available to any governmental entity, the Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016, Contractor shall reimburse the applicable Lead State, Participating Entity, or Purchasing Entity for any overpayments inconsistent with the terms of the Master Agreement or orders or underpayment of fees found as a result of the examination of the Contractor's records. c. The rights and obligations herein exist in addition to any quality assurance obligation in the Master Agreement requiring the Contractor to self -audit contract obligations and that permits the Lead State to review compliance with those obligations. d. The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement and applicable Participating Addendum terms. The purchasing entity may perform this audit or contract with a third party at its discretion and at the purchasing entity's expense. 27. Administrative Fees: The Contractor shall pay to NASPO ValuePoint, or its assignee, a NASPO ValuePoint Administrative Fee of one -quarter of one percent (0.25% or 0.0025) no later than 60 days following the end of each calendar quarter. The NASPO ValuePoint Administrative Fee shall be submitted quarterly and is based on sales of the Services. The NASPO ValuePoint Administrative Fee is not negotiable. This fee is to be included as part of the pricing submitted with proposal. Additionally, some states may require an additional administrative fee be paid directly to the state on purchases made by Purchasing Entities within that state. For all such requests, the fee level, payment method and schedule for such reports and payments will be incorporated into the Participating Addendum that is made a part of the Master Agreement. The Contractor may adjust the Master Agreement pricing accordingly for purchases made by Purchasing Entities within the jurisdiction of the state. All such agreements shall not affect the NASPO ValuePoint Administrative Fee percentage or the prices paid by the Purchasing Entities outside the jurisdiction of the state requesting the additional fee. The NASPO ValuePoint Administrative Fee shall be based on the gross amount of all sales at the adjusted prices (if any) in Participating Addenda. 28. System Failure or Damage: In the event of system failure or damage caused by Contractor or its Services, the Contractor agrees to use its best efforts to restore or assist in restoring the system to operational capacity. 29. Title to Product: If access to the Product requires an application program interface (API), Contractor shall convey to Purchasing Entity an irrevocable and perpetual license to use the API. 30. Data Privacy: When required by a specific purchase order issued under this Agreement or a Participating Addendum and accepted by the Contractor, the Contractor must comply with all applicable laws related to data privacy and security, including IRS Pub 1075. Prior to entering into a SLA with a Purchasing Entity, the Contractor and Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. Purchasing Entity must cooperate and hold a meeting to determine the Data Categorization to determine whether the Contractor will hold, store, or process High Risk Data, Moderate Risk Data and Low Risk Data. The Contractor must document the Data Categorization in the SLA or Statement of Work. 31. Warranty: At a minimum the Contractor must warrant the following: a. Contractor has acquired any and all rights, grants, assignments, conveyances, licenses, permissions, and authorization for the Contractor to provide the Services described in this Master Agreement. b. Contractor will perform materially as described in this Master Agreement, SLA, Statement of Work, including any performance representations contained in the Contractor's response to the Solicitation by the Lead State. c. Contractor represents and warrants that the representations contained in its response to the Solicitation by the Lead State. d. The Contractor will not interfere with a Purchasing Entity's access to and use of the Services it acquires from this Master Agreement. e. The Services provided by the Contractor are compatible with and will operate successfully with any environment (including web browser and operating system) specified by the Contractor in its response to the Solicitation by the Lead State. f. The Contractor warrants that the Products it provides under this Master Agreement are free of malware. The Contractor must use industry -leading technology to detect and remove worms, Trojans, rootkits, rogues, dialers, spyware, etc. 32. Transition Assistance: a. The Contractor shall reasonably cooperate with other parties in connection with all Services to be delivered under this Master Agreement, including without limitation any successor service provider to whom a Purchasing Entity's Data is transferred in connection with the termination or expiration of this Master Agreement. The Contractor shall assist a Purchasing Entity in exporting and extracting a Purchasing Entity's Data, in a format usable without the use of the Services and as agreed by a Purchasing Entity, at no additional cost to the Purchasing Entity. Any transition services requested by a Purchasing Entity involving additional knowledge transfer and support may be subject to a separate transition Statement of Work. b. A Purchasing Entity and the Contractor shall, when reasonable, create a Transition Plan Document identifying the transition services to be provided and including a Statement of Work if applicable. Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/Value Point Model Contract for Cloud Services. February 17, 2016. c. The Contractor must maintain the confidentiality and security of a Purchasing Entity's Data during the transition services and thereafter as required by the Purchasing Entity. 35. Debarment : The Contractor certifies, to the best of its knowledge, that neither it nor its principals are presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this transaction (contract) by any governmental department or agency. This certification represents a recurring certification made at the time any Order is placed under this Master Agreement. If the Contractor cannot certify this statement, attach a written explanation for review by the Lead State. 37. Governing Law and Venue a. The procurement, evaluation, and award of the Master Agreement shall be governed by and construed in accordance with the laws of the Lead State sponsoring and administering the procurement. The construction and effect of the Master Agreement after award shall be governed by the law of the state serving as Lead State (in most cases also the Lead State). The construction and effect of any Participating Addendum or Order against the Master Agreement shall be governed by and construed in accordance with the laws of the Participating Entity's or Purchasing Entity's State. b. Unless otherwise specified in the RFP, the venue for any protest, claim, dispute or action relating to the procurement, evaluation, and award is in the Lead State. Venue for any claim, dispute or action concerning the terms of the Master Agreement shall be in the state serving as Lead State. Venue for any claim, dispute, or action concerning any Order placed against the Master Agreement or the effect of a Participating Addendum shall be in the Purchasing Entity's State. c. If a claim is brought in a federal forum, then it must be brought and adjudicated solely and exclusively within the United States District Court for (in decreasing order of priority): the Lead State for claims relating to the procurement, evaluation, award, or contract performance or administration if the Lead State is a party; the Participating State if a named party; the Participating Entity state if a named party; or the Purchasing Entity state if a named party. d. This section is also not a waiver by the Participating State of any form of immunity, including but not limited to sovereign immunity and immunity based on the Eleventh Amendment to the Constitution of the United States. 40. Contract Provisions for Orders Utilizing Federal Funds: Pursuant to Appendix II to 2 Code of Federal Regulations (CFR) Part 200, Contract Provisions for Non -Federal Entity Contracts Under Federal Awards, Orders funded with federal funds may have Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016. additional contractual requirements or certifications that must be satisfied at the time the Order is placed or upon delivery. These federal requirements may be proposed by Participating Entities in Participating Addenda and Purchasing Entities for incorporation in Orders placed under this master agreement. 42. NASPO ValuePoint Summary and Detailed Usage Reports: In addition to other reports that may be required by this solicitation, the Contractor shall provide the following NASPO ValuePoint reports. a. Summary Sales Data. The Contractor shall submit quarterly sales reports directly to NASPO ValuePoint using the NASPO ValuePoint Quarterly Sales/Administrative Fee Reporting Tool found at http://www.naspo.org/WNCPO/Calculator.aspx. Any/all sales made under the contract shall be reported as cumulative totals by state. Even if Contractor experiences zero sales during a calendar quarter, a report is still required. Reports shall be due no later than 30 day following the end of the calendar quarter (as specified in the reporting tool). b. Detailed Sales Data. Contractor shall also report detailed sales data by: (1) state; (2) entity/customer type, e.g. local government, higher education, K12, non-profit; (3) Purchasing Entity name; (4) Purchasing Entity bill -to and ship -to locations; (4) Purchasing Entity and Contractor Purchase Order identifier/number(s); (5) Purchase Order Type (e.g. sales order, credit, return, upgrade, determined by industry practices); (6) Purchase Order date; (7) Ship Date; (8) and line item description, including product number if used. The report shall be submitted in any form required by the solicitation. Reports are due on a quarterly basis and must be received by the Lead State and NASPO ValuePoint Cooperative Development Team no later than thirty (30) days after the end of the reporting period. Reports shall be delivered to the Lead State and to the NASPO ValuePoint Cooperative Development Team electronically through a designated portal, email, CD -Rom, flash drive or other method as determined by the Lead State and NASPO ValuePoint. Detailed sales data reports shall include sales information for all sales under Participating Addenda executed under this Master Agreement. The format for the detailed sales data report is in shown in Attachment F. c. Reportable sales for the summary sales data report and detailed sales data report includes sales to employees for personal use where authorized by the solicitation and the Participating Addendum. Report data for employees should be limited to ONLY the state and entity they are participating under the authority of (state and agency, city, county, school district, etc.) and the amount of sales. No personal identification numbers, e.g. names, addresses, social security numbers or any other numerical identifier, may be submitted with any report. d. Contractor shall provide the NASPO ValuePoint Cooperative Development Coordinator with an executive summary each quarter that includes, at a minimum, a list Agreement No. 7089 This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model Contract for Cloud Services. February 17, 2016„ of states with an active Participating Addendum, states that Contractor is in negotiations with and any PA roll out or implementation activities and issues. NASPO ValuePoint Cooperative Development Coordinator and Contractor will determine the format and content of the executive summary. The executive summary is due 30 days after the conclusion of each calendar quarter. e. Timely submission of these reports is a material requirement of the Master Agreement. The recipient of the reports shall have exclusive ownership of the media containing the reports. The Lead State and NASPO ValuePoint shall have a perpetual, irrevocable, non-exclusive, royalty free, transferable right to display, modify, copy, and otherwise use reports, data and information provided under this section. f. If requested by a Participating Entity, the Contractor must provide detailed sales data within the Participating State. 43. Entire Agreement: This Master Agreement, along with any attachment, contains the entire understanding of the parties hereto with respect to the Master Agreement unless a term is modified in a Participating Addendum with a Participating Entity. No click -through, or other end user terms and conditions or agreements required by the Contractor ("Additional Terms") provided with any Services hereunder shall be binding on Participating Entities or Purchasing Entities, even if use of such Services requires an affirmative "acceptance" of those Additional Terms before access is permitted. Agreement No. 7089 Exhibit 1 to the Master Agreement: Software -as -a -Service 1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is related to the Services provided by this Master Agreement. The Contractor shall not access Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this Master Agreement, Participating Addendum, SLA, and/or other contract documents, or (4) at the Purchasing Entity's written request. Contractor shall not collect, access, or use user -specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing Entity's use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall survive and extend beyond the term of this Master Agreement. 2. Data Protection: Protection of personal privacy and data shall be an integral part of the business activities of the Contractor to ensure there is no inappropriate or unauthorized use of Purchasing Entity information at any time. To this end, the Contractor shall safeguard the confidentiality, integrity and availability of Purchasing Entity information and comply with the following conditions: a. The Contractor shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of Personal Data and Non -Public Data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Contractor applies to its own Personal Data and Non -Public Data of similar kind. b. All data obtained by the Contractor in the performance of the Master Agreement shall become and remain the property of the Purchasing Entity. c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any stipulation of responsibilities will identify specific roles and responsibilities and shall be included in the service level agreement (SLA), or otherwise made a part of the Master Agreement. d. Unless otherwise stipulated, the Contractor shall encrypt all Non -Public Data at rest and in transit. The Purchasing Entity shall identify data it deems as Non -Public Data to the Contractor. The level of protection and encryption for all Non -Public Data shall be identified in the SLA. e. At no time shall any data or processes —that either belong to or are intended for the use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or retained by the Contractor or any party related to the Contractor for subsequent use in any transaction that does not include the Purchasing Entity. Agreement No. 7089 f. The Contractor shall not use any information collected in connection with the Services issued from this Master Agreement for any purpose other than fulfilling the Services. 3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be located solely in data centers in the U.S. The Contractor shall not allow its personnel or contractors to store Purchasing Entity data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers. The Contractor shall permit its personnel and contractors to access Purchasing Entity data remotely only as required to provide technical support. The Contractor may provide technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum. 4. Security Incident or Data Breach Notification: a. Incident Response: Contractor may need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon, defined by law or contained in the contract. Discussing security incidents with the Purchasing Entity should be handled on an urgent as needed basis, as part of Contractor's communication and mitigation processes as mutually agreed upon, defined by law or contained in the Master Agreement. b. Security Incident Reporting Requirements: The Contractor shall report a security incident to the Purchasing Entity identified contact immediately as soon as possible or promptly without out reasonable delay, or as defined in the SLA. c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed data breach that affects the security of any purchasing entity's content that is subject to applicable data breach notification law, the Contractor shall (1) as soon as possible or promptly without out reasonable delay notify the Purchasing Entity, unless shorter time is required by applicable law, and (2) take commercially reasonable measures to address the data breach in a timely manner. S. Personal Data Breach Responsibilities: This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 48 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a Data Breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) Agreement No. 7089 document responsive actions taken related to the Data Breach, including any post -incident review of events and actions taken to make changes in business practices in providing the services, if necessary. 6. Notification of Legal Requests: If legally permissible, the Contractor shall contact the Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to the Purchasing Entity's data under the Master Agreement, or which in any way might reasonably require access to the data of the Purchasing Entity. The Contractor shall not respond to subpoenas, service of process and other legal requests related to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing Entity, unless prohibited by law. . 7. Termination and Suspension of Service: a. In the event of a termination of the Master Agreement or applicable Participating Addendum, the Contractor shall implement an orderly return of purchasing entity's data in a CSV or another mutually agreeable format at a time agreed to by the parties or allow the Purchasing Entity to extract it's data and the subsequent secure disposal of purchasing entity's data. b. During any period of service suspension, the Contractor shall not take any action to intentionally erase or otherwise dispose of any of the Purchasing Entity's data. c. In the event of termination of any services or agreement in entirety, the Contractor shall not take any action to intentionally erase purchasing entity's data for a period of: w 10 days after the effective date of termination, if the termination is in accordance with the contract period o 30 days after the effective date of termination, if the termination is for convenience • 60 days after the effective date of termination, if the termination is for cause After such period, the Contractor shall have no obligation to maintain or provide any purchasing entity's data and shall thereafter, unless legally prohibited, delete all purchasing entity's data in its systems or otherwise in its possession or under its control. d. The purchasing entity shall be entitled to any post termination assistance generally made available with respect to the services, unless a unique data retrieval arrangement has been established as part of an SLA. e. Upon termination of the Services or the Agreement in its entirety, Contractor shall securely dispose of all Purchasing Entity's data in all of its forms, such as disk, CD/ DVD, Agreement No. 7089 backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be permanently deleted and shall not be recoverable, according to National Institute of Standards and Technology (NIST)-approved methods. Certificates of destruction shall be provided to the Purchasing Entity. 8. Background Checks: Upon the request of the Purchasing Entity, the Contractor shall conduct criminal background checks and not utilize any staff, including subcontractors, to fulfill the obligations of the Master Agreement who have been convicted of any crime of dishonesty, including but not limited to criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The Contractor shall promote and maintain an awareness of the importance of securing the Purchasing Entity's information among the Contractor's employees and agents. If any of the stated personnel providing services under a Participating Addendum is not acceptable to the Purchasing Entity in its sole opinion as a result of the background or criminal history investigation, the Purchasing Entity, in its' sole option shall have the right to either (1) request immediate replacement of the person, or (2) immediately terminate the Participating Addendum and any related service agreement. 9. Access to Security Logs and Reports: The Contractor shall provide reports on a schedule specified in the SLA to the Purchasing Entity in a format as specified in the SLA agreed to by both the Contractor and the Purchasing Entity. Reports shall include latency statistics, user access, user access IP address, user access history and security logs for all public jurisdiction files related to this Master Agreement and applicable Participating Addendum. 10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third party at its discretion and at the Purchasing Entity's expense. 11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at least annually at its expense, and provide an unredacted version of the audit report upon request to a Purchasing Entity. The Contractor may remove its proprietary information from the unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent sets the minimum level of a third -party audit. 12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour advance notice (or as determined by a Purchasing Entity and included in the SLA) to the Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that may impact service availability and performance. A major upgrade is a replacement of hardware, software or firmware with a newer or better version in order to bring the system up to date or to improve its characteristics. It usually includes a new version number. Contractor will make updates and upgrades available to Purchasing Entity at no additional costs when Contractor makes such updates and upgrades generally available to its users. Agreement No. 7089 No update, upgrade or other charge to the Service may decrease the Service's functionality, adversely affect Purchasing Entity's use of or access to the Service, or increase the cost of the Service to the Purchasing Entity. Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major update or upgrade. 13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary system security plans (SSP) or security processes and technical limitations to the Purchasing Entity such that adequate protection and flexibility can be attained between the Purchasing Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity and the Contractor shall understand each other's roles and responsibilities. 14. Non -disclosure and Separation of Duties: The Contractor shall enforce separation of job duties, require commercially reasonable non -disclosure agreements, and limit staff knowledge of Purchasing Entity data to that which is absolutely necessary to perform job duties. 15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data in piecemeal or in entirety at its discretion without interference from the Contractor at any time during the term of Contractor's contract with the Purchasing Entity. This includes the ability for the Purchasing Entity to import or export data to/from other Contractors. Contractor shall specify if Purchasing Entity is required to provide its' own tools for this purpose, including the optional purchase of Contractors tools if Contractors applications are not able to provide this functionality directly. 16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition and operation of all hardware, software and network support related to the services being provided. The technical and professional activities required for establishing, managing and maintaining the environments are the responsibilities of the Contractor. The system shall be available 24/7/365 (with agreed -upon maintenance downtime), and provide service to customers as defined in the SLA. 17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related to services provided under this Master Agreement, including but not limited to all subcontractors or other entities or individuals who may be a party to a joint venture or similar agreement with the Contractor, and who shall be involved in any application development and/or operations. 18. Right to Remove Individuals: The Purchasing Entity shall have the right at any time to require that the Contractor remove from interaction with Purchasing Entity any Contractor representative who the Purchasing Entity believes is detrimental to its working relationship with the Contractor. The Purchasing Entity shall provide the Contractor with notice of its determination, and the reasons it requests the removal. If the Purchasing Entity signifies that a potential security violation exists with respect to the request, the Contractor shall immediately Agreement No. 7089 remove such individual. The Contractor shall not assign the person to any aspect of the Master Agreement or future work orders without the Purchasing Entity's consent. 19. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity and disaster recovery plan upon request and ensure that the Purchasing Entity's recovery time objective (RTC) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual Disaster Recovery test and take action to correct any issues detected during the test in a time frame mutually agreed between the Contractor and the Purchasing Entity. 20. Compliance with Accessibility Standards: The Contractor shall comply with and adhere to Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973, or any other state laws or'administrative regulations identified by the Participating Entity. 21. Web Services: The Contractor shall use Web services exclusively to interface with the Purchasing Entity's data in near real time. 22. Encryption of Data at Rest: The Contractor shall ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Security Requirements for Cryptographic Modules for all Personal Data, unless the Purchasing Entity approves in writing for the storage of Personal Data on a Contractor portable device in order to accomplish work as defined in the statement of work. 23. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the Service for its business purposes; (ii) for SaaS, use underlying software as embodied or used in the Service; and (iii) view, copy, upload and download (where applicable), and use Contractor's documentation. No Contractor terms, including standard click through license or website terms or use of privacy policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement. Agreement No. 7089 Exhibit 2 to the Master Agreement: Platform -as -a -Service 1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is related to the Services provided by this Master Agreement. The Contractor shall not access Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this Master Agreement, Participating Addendum, SLA, and/or other contract documents, or (4) at the Purchasing Entity's written request. Contractor shall not collect, access, or use user -specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing Entity's use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall survive and extend beyond the term of this Master Agreement. 2. Data Protection: Protection of personal privacy and data shall be an integral part of the business activities of the Contractor to ensure there is no inappropriate or unauthorized use of Purchasing Entity information at any time. To this end, the Contractor shall safeguard the confidentiality, integrity and availability of Purchasing Entity information and comply with the following conditions: a. The Contractor shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of Personal Data and Non -Public Data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Contractor applies to its own Personal Data and Non -Public Data of similar kind. b. All data obtained by the Contractor in the performance of the Master Agreement shall become and remain the property of the Purchasing Entity. c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any stipulation of responsibilities will identify specific roles and responsibilities and shall be included in the service level agreement (SLA), or otherwise made a part of the Master Agreement. d. Unless otherwise stipulated, the Contractor shall encrypt all Non -Public Data at rest and in transit. The Purchasing Entity shall identify data it deems as Non -Public Data to the Contractor. The level of protection and encryption for all Non -Public Data shall be identified in the SLA. e. At no time shall any data or processes — that either belong to or are intended for the use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or retained by the Contractor or any party related to the Contractor for subsequent use in any transaction that does not include the Purchasing Entity. Agreement No. 7089 f. The Contractor shall not use any information collected in connection with the Services issued from this Master Agreement for any purpose other than fulfilling the Services. 3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be located solely in data centers in the U.S. The Contractor shall not allow its personnel or contractors to store Purchasing Entity data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers. The Contractor shall permit its personnel and contractors to access Purchasing Entity data remotely only as required to provide technical support. The Contractor may provide technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum. 4. Security Incident or Data Breach Notification: The Contractor shall inform the Purchasing Entity of any security incident or data breach within the possession and control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLA. Such notice shall include, to the best of Contractor's knowledge at that time, the persons affected, their identities, and the Confidential Information and Data disclosed, or shall include if this information is unknown. a. Incident Response: The Contractor may need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon, defined by law or contained in the Master Agreement, Participating Addendum, or SLA. Discussing security incidents with the Purchasing Entity should be handled on an urgent as -needed basis, as part of Contractor's communication and mitigation processes as mutually agreed, defined by law or contained in the Master Agreement, Participating Addendum, or SLA. b. Security Incident Reporting Requirements: Unless otherwise stipulated, the Contractor shall immediately report a security incident related to its service under the Master Agreement, Participating Addendum, or SLA to the appropriate Purchasing Entity. c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed data breach that affects the security of any Purchasing Entity data that is subject to applicable data breach notification law, the Contractor shall (1) promptly notify the appropriate Purchasing Entity within 48 hours or sooner, unless shorter time is required by applicable law, and (2) take commercially reasonable measures to address the data breach in a timely manner S. Breach Responsibilities: This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. Agreement No. 7089 b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the data breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the data breach, including any post -incident review of events and actions taken to make changes in business practices in providing the services, if necessary. 6. Notification of Legal Requests: If legally permissible, the Contractor shall contact the Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to the Purchasing Entity's data under the Master Agreement, or which in any way might reasonably require access to the data of the Purchasing Entity. The Contractor shall not respond to subpoenas, service of process and other legal requests related to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing Entity, unless prohibited by law. 7. Termination and Suspension of Service: a. In the event of an early termination of the Master Agreement, Participating or SLA, Contractor shall allow for the Purchasing Entity to retrieve its digital content and provide for the subsequent secure disposal of the Purchasing Entity's digital content. b. During any period of service suspension, the Contractor shall not take any action to intentionally erase or otherwise dispose of any of the Purchasing Entity's data. c. In the event of early termination of any Services or agreement in entirety, the Contractor shall not take any action to intentionally erase any Purchasing Entity's data for a period of 1) 45 days after the effective date of termination, if the termination is for convenience; or 2) 60 days after the effective date of termination, if the termination is for cause. After such day period, the Contractor shall have no obligation to maintain or provide any Purchasing Entity data and shall thereafter, unless legally prohibited, delete all Purchasing Entity data in its systems or otherwise in its possession or under its control.. In the event of either termination for cause, the Contractor will impose no fees for access and retrieval of digital content to the Purchasing Entity. d. The Purchasing Entity shall be entitled to any post termination assistance generally made available with respect to the services, unless a unique data retrieval arrangement has been established as part of an SLA. e. Upon termination of the Services or the Agreement in its entirety, Contractor shall securely dispose of all Purchasing Entity's data in all of its forms, such as disk, CD/ DVD, backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be permanently deleted and shall not be recoverable, according to National Institute of Agreement No. 7089 Standards and Technology (NIST)-approved methods. Certificates of destruction shall be provided to the Purchasing Entity. 8. Background Checks: a. Upon the request of the Purchasing Entity, the Contractor shall conduct criminal background checks and not utilize any staff, including subcontractors, to fulfill the obligations of the Master Agreement who have been convicted of any crime of dishonesty, including but not limited to criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The Contractor shall promote and maintain an awareness of the importance of securing the Purchasing Entity's information among the Contractor's employees and agents. b. The Contractor and the Purchasing Entity recognize that security responsibilities are shared. The Contractor is responsible for providing a secure infrastructure. The Purchasing Entity is responsible for its secure guest operating system, firewalls and other logs captured within the guest operating system. Specific shared responsibilities are identified within the SLA. c. If any of the stated personnel providing services under a Participating Addendum is not acceptable to the Purchasing Entity in its sole opinion as a result of the background or criminal history investigation, the Purchasing Entity, in its' sole option shall have the right to either (1) request immediate replacement of the person, or (2) immediately terminate the Participating Addendum and any related service agreement. 9. Access to Security Logs and Reports: a. The Contractor shall provide reports on a schedule specified in the SLA to the Purchasing Entity in a format as specified in the SLA and agreed to by both the Contractor and the Purchasing Entity. Reports will include latency statistics, user access, user access IP address, user access history and security logs for all Purchasing Entity files related to the Master Agreement, Participating Addendum, or SLA. b. The Contractor and the Purchasing Entity recognize that security responsibilities are shared. The Contractor is responsible for providing a secure infrastructure. The Purchasing Entity is responsible for its secure guest operating system, firewalls and other logs captured within the guest operating system. Specific shared responsibilities are identified within the SLA. 10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third party at its discretion and at the Purchasing Entity's expense. 11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at least annually at its expense, and provide an unredacted version of the audit report upon Agreement No. 7089 request to a Purchasing Entity. The Contractor may remove its proprietary information from the unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent sets the minimum level of a third -party audit. 12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour advance notice (or as determined by a Purchasing Entity and included in the SLA) to the Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that may impact service availability and performance. A major upgrade is a replacement of hardware, software or firmware with a newer or better version in order to bring the system up to date or to improve its characteristics. It usually includes a new version number. Contractor will make updates and upgrades available to Purchasing Entity at no additional costs when Contractor makes such updates and upgrades generally available to its users. No update, upgrade or other charge to the Service may decrease the Service's functionality, adversely affect Purchasing Entity's use of or access to the Service, or increase the cost of the Service to the Purchasing Entity. Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major update or upgrade. 13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary system security plans (SSP) or security processes and technical limitations to the Purchasing Entity such that adequate protection and flexibility can be attained between the Purchasing Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity and the Contractor shall understand each other's roles and responsibilities. 14. Non -disclosure and Separation of Duties: The Contractor shall enforce separation of job duties, require commercially reasonable non -disclosure agreements, and limit staff knowledge of Purchasing Entity data to that which is absolutely necessary to perform job duties. 15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data in piecemeal or in entirety at its discretion without interference from the Contractor at any time during the term of Contractor's contract with the Purchasing Entity. This includes the ability for the Purchasing Entity to import or export data to/from other Contractors. Contractor shall specify if Purchasing Entity is required to provide its' own tools for this purpose, including the optional purchase of Contractors tools if Contractors applications are not able to provide this functionality directly. 16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition and operation of all hardware, software and network support related to the services being provided. The technical and professional activities required for establishing, managing and maintaining the environments are the responsibilities of the Contractor. The system shall be available 24/7/365 (with agreed -upon maintenance downtime), and provide service to customers as defined in the SLA. Agreement No. 7089 17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related to services provided under this Master Agreement, including but not limited to all subcontractors or other entities or individuals who may be a party to a joint venture or similar agreement with the Contractor, and who shall be involved in any application development and/or operations. 18. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity and disaster recovery plan upon request and ensure that the Purchasing Entity's recovery time objective (RTO) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual Disaster Recovery test and take action to correct any issues detected during the test in a time frame mutually agreed between the Contractor and the Purchasing Entity. 19. Compliance with Accessibility Standards: The Contractor shall comply with and adhere to Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973 or any other state laws or administrative regulations identified by the Participating Entity.. 20. Web Services: The Contractor shall use Web services exclusively to interface with the Purchasing Entity's data in near real time. 21. Encryption of Data at Rest: The Contractor shall ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Security Requirements for Cryptographic Modules for all Personal Data as identified in the SLA, unless the Contractor presents a justifiable position that is approved by the Purchasing Entity that Personal Data, is required to be stored on a Contractor portable device in order to accomplish work as defined in the scope of work. 22. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the Service for its business purposes; (ii) for PaaS, use underlying software as embodied or used in the Service; and (iii) view, copy, upload and download (where applicable), and use Contractor's documentation. No Contractor terms, including standard click through license or website terms or use of privacy policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement. Agreement No. 7089 Exhibit 3 to the Master Agreement: Infrastructure -as -a -Service 1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is related to the Services provided by this Master Agreement. The Contractor shall not access Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this Master Agreement, Participating Addendum, SLA, and/or other contract documents, or (4) at the Purchasing Entity's written request. Contractor shall not collect, access, or use user -specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing Entity's use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall survive and extend beyond the term of this Master Agreement. 2. Data Protection: Protection of personal privacy and data shall be an integral part of the business activities of the Contractor to ensure there is no inappropriate or unauthorized use of Purchasing Entity information at any time. To this end, the Contractor shall safeguard the confidentiality, integrity and availability of Purchasing Entity information and comply with the following conditions: a. The Contractor shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of Personal Data and Non -Public Data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Contractor applies to its own Personal Data and Non -Public Data of similar kind. b. All data obtained by the Contractor in the performance of the Master Agreement shall become and remain the property of the Purchasing Entity. c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any stipulation of responsibilities will identify specific roles and responsibilities and shall be included in the service level agreement (SLA), or otherwise made a part of the Master Agreement. d. Unless otherwise stipulated, the Contractor shall encrypt all Non -Public Data at rest and in transit. The Purchasing Entity shall identify data it deems as Non -Public Data to the Contractor. The level of protection and encryption for all Non -Public Data shall be identified in the SLA. e. At no time shall any data or processes —that either belong to or are intended for the use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or retained by the Contractor or any party related to the Contractor for subsequent use in any transaction that does not include the Purchasing Entity. Agreement No. 7089 f. The Contractor shall not use any information collected in connection with the Services issued from this Master Agreement for any purpose other than fulfilling the Services. 3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be located solely in data centers in the U.S. The Contractor shall not allow its personnel or contractors to store Purchasing Entity data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers. The Contractor shall permit its personnel and contractors to access Purchasing Entity data remotely only as required to provide technical support. The Contractor may provide technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum. 4. Security Incident or Data Breach Notification: The Contractor shall inform the Purchasing Entity of any security incident or data breach related to Purchasing Entity's Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLA. Such notice shall include, to the best of Contractor's knowledge at that time, the persons affected, their identities, and the Confidential Information and Data disclosed, or shall include if this information is unknown. a. Security Incident Reporting Requirements: The Contractor shall report a security incident to the Purchasing Entity identified contact immediately as soon as possible or promptly without out reasonable delay, or as defined in the SLA. b. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed data breach that affects the security of any purchasing entity's content that is subject to applicable data breach notification law, the Contractor shall (1) as soon as possible or promptly without out reasonable delay notify the Purchasing Entity, unless shorter time is required by applicable law, and (2) take commercially reasonable measures to address the data breach in a timely manner. S. Breach Responsibilities: This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLA. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 48 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post -incident Agreement No. 7089 review of events and actions taken to make changes in business practices in providing the services, if necessary. Notification of Legal Requests: If legally permissible, the Contractor shall contact the Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to the Purchasing Entity's data under the Master Agreement, or which in any way might reasonably require access to the data of the Purchasing Entity. The Contractor shall not respond to subpoenas, service of process and other legal requests related to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing Entity, unless prohibited by law. 7. Termination and Suspension of Service: a. In the event of an early termination of the Master Agreement, Participating or SLA, Contractor shall allow for the Purchasing Entity to retrieve its digital content and provide for the subsequent secure disposal of the Purchasing Entity's digital content. b. During any period of service suspension, the Contractor shall not take any action to intentionally erase or otherwise dispose of any of the Purchasing Entity's data. c. In the event of early termination of. any Services or agreement in entirety, the Contractor shall not take any action to intentionally erase any Purchasing Entity's data for a period of 1) 45 days after the effective date of termination, if the termination is for convenience; or 2) 60 days after the effective date of termination, if the termination is for cause. After such day period, the Contractor shall have no obligation to maintain or provide any Purchasing Entity data and shall thereafter, unless legally prohibited, delete all Purchasing Entity data in its systems or otherwise in its possession or under its control. In the event of either termination for cause, the Contractor will impose no fees for access and retrieval of digital content to the Purchasing Entity. d. The Purchasing Entity shall be entitled to any post termination assistance generally made available with respect to the services, unless a unique data retrieval arrangement has been established as part of an SLA. e. Upon termination of the Services or the Agreement in its entirety, Contractor shall securely dispose of all Purchasing Entity's data in all of its forms, such as disk, CD/ DVD, backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be permanently deleted and shall not be recoverable, according to National Institute of Standards and Technology (NIST)-approved methods. Certificates of destruction shall be provided to the Purchasing Entity. 8. Background Checks: a. Upon the request of the Purchasing Entity, the Contractor shall conduct criminal background checks and not utilize any staff, including subcontractors, to fulfill the obligations of the Master Agreement who have been convicted of any crime of dishonesty, Agreement No. 7089 including but not limited to criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The Contractor shall promote and maintain an awareness of the importance of securing the Purchasing Entity's information among the Contractor's employees and agents. b. The Contractor and the Purchasing Entity recognize that security responsibilities are shared. The Contractor is responsible for providing a secure infrastructure. The Purchasing Entity is responsible for its secure guest operating system, firewalls and other logs captured within the guest operating system. Specific shared responsibilities are identified within the SLA. c. If any of the stated personnel providing services under a Participating Addendum is not acceptable to the Purchasing Entity in its sole opinion as a result of the background or criminal history investigation, the Purchasing Entity, in its' sole option shall have the right to either (1) request immediate replacement of the person, or (2) immediately terminate the Participating Addendum and any related service agreement. 9. Access to Security Logs and Reports: a. The Contractor shall provide reports on a schedule specified in the SLA to the Contractor directly related to the infrastructure that the Contractor controls upon which the Purchasing Entity's account resides. Unless otherwise agreed to in the SLA, the Contractor shall provide the public jurisdiction a history or all API calls for the Purchasing Entity account that includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters and the response elements returned by the Contractor. The report will be sufficient to enable the Purchasing Entity to perform security analysis, resource change tracking and compliance auditing b. The Contractor and the Purchasing Entity recognize that security responsibilities are shared. The Contractor is responsible for providing a secure infrastructure. The Purchasing Entity is responsible for its secure guest operating system, firewalls and other logs captured within the guest operating system. Specific shared responsibilities are identified within the SLA. 10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third party at its discretion and at the Purchasing Entity's expense. 11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at least annually and at its own expense, and provide an unredacted version of the audit report upon request. The Contractor may remove its proprietary information from the unredacted version. For example, a Service Organization Control (SOC) 2 audit report would be sufficient. 12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour advance notice (or as determined by a Purchasing Entity and included in the SLA) to the Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that Agreement No. 7089 may impact service availability and performance. A major upgrade is a replacement of hardware, software or firmware with a newer or better version in order to bring the system up to date or to improve its characteristics. It usually includes a new version number. Contractor will make updates and upgrades available to Purchasing Entity at no additional costs when Contractor makes such updates and upgrades generally available to its users. No update, upgrade or other charge to the Service may decrease the Service's functionality, adversely affect Purchasing Entity's use of or access to the Service, or increase the cost of the Service to the Purchasing Entity. Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major update or upgrade. 13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary system security plans (SSP) or security processes and technical limitations to the Purchasing Entity such that adequate protection and flexibility can be attained between the Purchasing Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity and the Contractor shall understand each other's roles and responsibilities. 14. Non -disclosure and Separation of Duties: The Contractor shall enforce separation of job duties, require commercially reasonable non -disclosure agreements, and limit staff knowledge of Purchasing Entity data to that which is absolutely necessary to perform job duties. 15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data in piecemeal or in entirety at its discretion without interference from the Contractor at any time during the term of Contractor's contract with the Purchasing Entity. This includes the ability for the Purchasing Entity to import or export data to/from other Contractors. Contractor shall specify if Purchasing Entity is required to provide its' own tools for this purpose, including the optional purchase of Contractors tools if Contractors applications are not able to provide this functionality directly. 16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition and operation of all hardware, software and network support related to the services being provided. The technical and professional activities required for establishing, managing and maintaining the environments are the responsibilities of the Contractor. The system shall be available 24/7/365 (with agreed -upon maintenance downtime), and provide service to customers as defined in the SLA. 17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related to services provided under this Master Agreement, including but not limited to all subcontractors or other entities or individuals who may be a party to a joint venture or similar agreement with the Contractor, and who shall be involved in any application development and/or operations. Agreement No. 7089 18. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity and disaster recovery plan upon request and ensure that the Purchasing Entity's recovery time objective (RTO) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual Disaster Recovery test and take action to correct any issues detected during the test in a time frame mutually agreed between the Contractor and the Purchasing Entity. 19. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the Service for its business purposes; (ii) for IaaS, use underlying software as embodied or used in the Service; and (iii) view, copy, upload and download (where applicable), and use Contractor's documentation. No Contractor terms, including standard click through license or website terms or use of privacy policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement via amendment. Agreement No. 7089 V SN L aJ C0 C aJ al H O c M u C al I m i+ C E s u M Q 4 v a, O 41 EA >p Q f6 E } a LL Vf L 41cu v E u a N :Ea) ~ L1 c3i 'p a1 '^ +�+ .O n3 Q a) � E a1 &A G! p £ i C. ar 0 w �' 0 LL Z c u> hp 'j L Ln 0 Q vi u ,_� O O t �nQi I— M V V Ci u al > 10 O 41 0 o L Q C7 > 3 i Ln � ai dD O 0op aJ > aJ L LL. 0 Z u '> L aJ Ln Lnj ai Ln vi a) + L O +J o L C7 > 3 r O 4-1+ (O -0 a1 E ipp C by gyp— 4M cu ro -0 > t Y 7, N U do •L a)pC LA O L j (D } (p v) c fa O L L L cu E O >- Ln � O � 0 3 Ln>` C 4M L L L O— O t .-' c tip O E 4-13 -beo Y T u ro >` u to >` u M c :F3 4' 3V, 3 7 > O 0 2 > Z> > > O 0 .0 v N M 'L 4� O M L L L w En O p E p O aJ aJ al 3 Q -O in cu Op 4; N O O 0 u CC > d v v v L L Q u tUl �+ �. L Ca u i 4- h 4- 4- aJ 'C .a' C a)c .L c L E ,n 4- c 2 > > > a) u ,n L O ++ EA a) t O L � V1 3 L L L a) M L M E 4- O a) a) aJ U p Z op O 0 0 O ai v 4- tw O > — (Q *' M,,, L L L ; N M a c M p 0 3 3 3 Ln M L cO Y >• u u A u '.... aJ O of -0 M 0 M m a a) a, OJ o 3 .22 C: c L 0 o L aJ C C J f6 c > C > CC G cc > G rd h ... 3 ra � aJ Ln Q . Q d L U E O L O u L O al op � � p 3 O 7 O O 41 c E _ Lq v Ln v, M > E a, L O L f O Q u O a1 cyo Vf pp L 4- M •L Ln M N M M c -O O f6i v �O .� to '^ a o co 0 E E U