CONTRACT 7089 Vender AgreementAgreement No. 7089
teC,refresh
Company Address 100 Bayview Circle, Suite 230 Expiration Date 11/6,2024
Newport Beach, CA 92660 Opportunity Owner Michael Tamrnaro
US
Quote # QUO - 1849
Prepared By
Michael Tammaro
Contact Name
Jose Calderon
Title
Account Manager
Title
Director of IT
Email
michael tmmaro@tee-refresh.com
Email
jalderon@elsegundo,org
Phone
(617)829-9153
Phone
+1 310-524-2300
Bill To Name
City of El Segundo
Ship To Name
City of El Segundo
Bill To
350 Main St
Ship To
350 Main St
El Segundo, CA 90245
El Segundo, CA 90245
US
US
Advanced Threat Prevention subscription for device in an HA pair
renewal, PA-3430
PAN-PA-3430-ATP-HA2-R
Start Date: 11/07/2024
2.00 $14,084.08 $28„168A6
End Date: 11/23/2025
Serial #: 024301003488; 024301002699
PA-3430, Advanced WildFire subscription, for one
(1) device in an HA pair, 1 year (12 months) term, renewal.
PAN-PA-3430-AWF-HA2-R
Start Date: 11/07/2024
2.00 $14.084.08 $28,168.16
End Date: 11/23/2025
Serial #: 024301003488; 024301002699
PA-3430, DNS security subscription, for one (1)
device in an HA pair, 1 year (12 months) term, renewal.
PAN-PA-3430-DNS-HA2-R
Start Date: 11/07/2024
2.00 $9,445.60 $18,891.20
End Date: 11/23/2025
Serial #: 024301003488; 024301002699
PA-3430, Advanced URL Filtering subscription, for
one (1) device in an HA pair, 1 year (12 months) term, renewal.
PAN-PA-3430-ADVURL-HA2-R-2
Start Date: 11/07/2024
2.00 $14,084.08` $28,168.16
End Date: 11/23/2025
Serial #: 024301003488; 024301002699
For US Government accounts only. Premium support renewal, PA-3430
PAN-SVC-PREMUSG-3430-R
Start Date: 11/03/2024
2.00 $12,202.75 $24,405.50
End Date: 11/23/2025
Serial #: 024301003488; 024301002699
Terms and Conditions: Net 30
Please remit all purchase orders and invoices to:
Tec-Refresh, Inc.
10 Stevens Street #190
Andover, MA, 0'1810
United States
Agreement No. 7089
teC,ret'resh
Contract # Contract Number: 7-17-70-40-05
NASPO Master Contract Number: AR2472
Contract Term: 09/15/17 — 09115/26
Memo 2024 Palo Alto 3430's Renewal
CITY OF EL SEGUNDO, a general law city
Darrell George, City Manager
ATTEST:
Y"V
Tracy Weaver, City Clerk
ATTACHMENTS:
Subtotal
Grand Total
APPROVED AS TO FORM.
Marc. Hensley, City Attorney
Joaquin] Vazftaez, Assistant City Attorney
.___.. 1
Risk Management
1. State of California Participating Addendum No. 7-17-70-40-05
2. First Amendment to Participating Addendum No. 7-17-70-40-05
3. Second Amendment to Participating Addendum No. 7-17-70-40-05
4. Third Amendment to Participating Addendum No. 7-17-70-40-05
5. State of Utah Cooperative Contract with Carahsoft Technologies Corp.
(NASPO ValuePoint) (Contract # AR2472) - Cover Sheet, Attachment A, and Attachment B Only
Terms and Conditions: Net 30
Please remit all purchase orders and invoices to:
Tec-Refresh, Inc.
10 Stevens Street 4190
Andover, MA, 01810
United States
$127,801,18
$127,801.18
Agreement No. 7089
STATE OF CALIFORNIA
PARTICIPATING ADDENDUM NO. 7-17-70-40-05
Cloud Solutions
Utah NASPO ValuePoint Master Agreement No. AR2472
Carahsoft Technology Corp.
This Participating Addendum Number 7-17-70-40-05 is entered into between the State of
California, Department of General Services (hereafter referred to as "State" or "DGS") and
Carahsoft Technology Corp. (hereafter referred to as "Contractor") under the lead State of Utah
NASPO ValuePoint Master Agreement Number AR2472,
1. SCOPE
A. This Participating Addendum covers the purchase of Cloud Solutions under the Utah
NASPO ValuePoint Master Agreement. The Utah NASPO ValuePoint Master Agreement
Number AR2472 is hereby incorporated by reference. The cloud solution services are
identified in Section 5 (Available Services).
B. This Participating Addendum is available for use by all State Agencies including the
Executive, Judicial and Legislative branches, and will include all California political
subdivisions/local governments. A subdivision/local government is defined as any city,
county, city and county, district, or other local governmental body or corporation, including
the California State Universities (CSU) and University of California (UC) systems, K-12
schools and community colleges empowered to expend public funds.
C. Each political subdivision/local government is to make its own determination whether this
Participating Addendum and the Utah NASPO ValuePoint Master Agreement are
consistent with its procurement policies and regulations.
2. TERM
A. The term of this Participating Addendum shall begin upon signature approval by the
State and will end September 15, 2026, or upon termination by the State, whichever
occurs first.
B. Lead State amendments to extend the Master Price Agreement term date are not
automatically incorporated into this Participating Addendum. Extension(s) to the term
of this Participating Addendum will be through a written amendment upon mutual
agreement between the State and the Contractor.
3. TERMS AND CONDITIONS/INCORPORATION OF DOCUMENTS
A. Terms and conditions listed below are hereby incorporated by reference and made a part
of this Participating Addendum as if attached herein and shall apply to the purchase of
services made under this Participating Addendum.
Page 1 of 8
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Carahsoft Technology Corp.
1) General Provisions — Information Technology (GSPD-4011T), effective 9/5/2014.
The twelve (12) page document can be viewed at:
htt ://www.documents.d s.ca. ov/ d/ oli rolGSD4011T14 0905. df.
Exception: Article 11 of the General Provisions — Information Technology, is
superseded by Section 4 (Order of Precedence) below.
2) Cloud Computing Special Provisions for Software as a Service (SaaS), effective
9/3/14. The five (5) page document can be viewed at:
htt :/Iw .documents.d s.ca. ovi` d/ olio roc/CLOUDCOMPUTINGS RVICESSI
CIALPROVISIONS 14 0903.docx
4. ORDER OF PRECEDENCE
In the event of any inconsistency between the articles, attachments, or provisions which
constitute this agreement, the following descending order of precedence shall apply:
A. California Participating Addendum Number 7-17-70-40-05
B. Utah NASPO ValuePoint Master Agreement Number AR2472
C. Utah Solicitation CH16012 including all Addendums
D. Contractor's response to Utah's Solicitation
5. AVAILABLE SERVICES
The following service offering from the Utah NASPO ValuePoint Master Agreement Number
AR2472 are allowed under this Participating Addendum:
Software as a Service (SaaS)
6. RESTRICTIONS/DISALLOWED SERVICES — These restrictions are not applicable to
political subdivisions/local governments.
A. The following service offerings are prohibited under this Participating Addendum:
Infrastructure as a Service (laaS)
Platform as a Service (PaaS)
Value Added Services, including Additional Value Added Services such as
Maintenance Services; Deployment Services; Consulting/Advisory Services;
Architectural Design Services; Statement of Work Services; Partner Services,
and Training Deployment Services
B. Product and service categories that are available on mandatory California statewide
contracts cannot be purchased from this Participating Addendum by State Departments
without an exemption. Prior to issuing a purchase order, State Departments are
responsible for obtaining an exemption from DGS, and/or California Department of
Technology (CDT).
Page 2 of 8
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Carahsoft Technology Corp.
7. PRICING
A. Contractor shall submit a Price Schedule identifying all services offered under this
Participating Addendum for the State's approval.
B. The Price Schedule shall include the following:
1) Service Category (SaaS) Description
2) List Price
3) Discount off List Price
4) Contract Price
C. Contractor shall obtain prior approval from Utah NASPO ValuePoint Contract
Administrator, and submit a written notice of price increases/decreases and a revised
Price List for the State's approval.
D. State -approved Price List will be posted on the State's Cal eProcure website.
8. SERVICE ADDITIONS/DELETIONS
A. Contractor may add or delete services introduced or removed from the market by the
manufacturer under the following conditions:
1) Service is within existing awarded categories under the NASPO ValuePoint
Master Price Agreement;
2) Contractor has obtained prior approval from the Utah NASPO ValuePoint
Contract Administrator; and
3) Contractor receives written approval from the California State Contract
Administrator.
B. Contractor shall submit a written notice of service (s) additions/deletions and a revised
Price Schedule for the State's approval.
9. FULFILLMENT PARTNERS/AUTHORIZED RESELLERS
Authorized Resellers are available for this Participating Addendum:
ISSUE PURCHASE ORDER TO
Orders may be placed with Carahsoft Technology Corp. or with an Authorized Reseller as
indicated below:
Orders placed with Carahsoft Technology Corp.
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
1860 Michael Faraday Drive, Suite 100
Contact:
Karina Woods
Phone:
7031871-8500
Fax No.:
7031871-8505
E-mail:
OIw @carahsoft.c ni
Page 3 of 8
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Carahsoft Technology Corp.
Orders placed with an Authorized Reseller must be addressed as shown below, and payment
must be made payable to the Authorized Reseller identified on the invoice as shown below:
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o DynTek Services, Inc.
4440 Von Karman, Suite 200, Newport Beach, CA 92660
Contact:
Kelsea Pratt -Acosta
Phone:
949/271-6780
Fax No.:
949/271-6794
E-mail:
CAsales@dyntek.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o NWN Solutions Corporation
2969 Prospect Park Drive, Suite 225, Rancho Cordova, CA 95670
Contact: Team Meade
Phone: 916/637-2160
Fax No.: 916/596-4800
E-mail: TMeade nwnit.corn
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Taborda Solutions, Inc.
9580 Oak Ave Pkwy, Suite 7-180, Folsom, CA 95630
Contact:
Bear Williams
Phone:
9161717-8711
Fax No.:
916/200-0353
E-mail:
bear.williarns tabordasolutions.com,
For invoicing purposes, each State Accounting office must have a copy of the reseller's Payee
Data Record (Std. 204) in order to process payment of the invoice. Agencies should forward a
copy of the Std. 204 to their respective accounting office. Without the Std. 204, payment may
be unnecessarily delayed.
AUTHORIZED RESELLERS ARE RESPONSIBLE FOR SENDING A COPY OF ALL
PURCHASE ORDERS TO CARAHSOFT TECHNOLOGY CORP. FOR COOPERATIVE
AGREEMENTS (NASPO VALUEPOINT) QUARTERLY REPORTING REQUIREMENTS.
When issuing an order to an authorized reseller listed on Cooperative Agreements, it is the
agency's responsibility to ensure that the reseller holds a valid California Seller's Permit.
NOTE: Contractor shall be responsible for successful performance and compliance with all
requirements in accordance with the terms and conditions under this Participating Addendum,
even if work is performed by Servicing Subcontractors. All State policies, guidelines, and
requirements shall apply to Authorized Resellers.
Page 4 of 8
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Carahsoft Technology Corp.
10. ORDERING AGENCY RESPONSIBILITIES
A. State department and political subdivision/local government use of this Participating
Addendum is optional.
B. State departments and political subdivision/local governments must follow the ordering
procedures outlined within the User Instructions guide, administered by the State
Contract Administrator, to execute orders against this Participating Addendum.
11. INVOICING AND PAYMENT
A. Payment terms for this Participating Addendum are net forty-five (45) days. Payment
will be made in accordance with IT General Provisions Paragraph 30 (Required Payment
Date).
B. Invoices shall be sent to the address identified in the Ordering Agency's purchase order.
The State Participating Addendum Number and Ordering Agency Purchase Order
Number shall appear on each invoice for all purchases placed under this Participating
Addendum.
C. Contractor will accept the State of California credit card (CAL -Card) for payment of
invoices.
12. USAGE REPORTING
A. Contractor shall submit usage reports on a quarterly basis to the State Contract
Administrator for all California entity purchases using the report template attached hereto
as Attachment A. The report is due even when there is no activity.
B. The report shall be an Excel spreadsheet transmitted electronically to the DGS mailbox
at PDCooperatives@dgs.ca.gov.
qov.
C. Any report that does not follow the required format or that excludes information will be
deemed incomplete. Contractor will be responsible for submitting corrected reports
within five business days of the date of written notification from the State.
D. Tax must not be included in the report, even if it is on the purchase order.
E. Reports are due for each quarter as follows:
Reporting Period
Due Date
JUL 1
to
SEP 30
OCT 31
OCT 1
to
DEC 31 _
JAN 31
JAN 1
to
MAR 31
APR 30
APR 1
to
JUN 30
JUL 31
F. Failure to meet reporting requirements and submit the reports on a timely basis shall
constitute grounds for suspension of this contract.
Page 5 of 8
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Carahsoft Technology Corp.
G. Amendments for term extensions may be approved only if all due reports have been
submitted to the State.
13. ADMINISTRATIVE FEE
A. Contractor shall submit a check, payable to the State of California, remitted to the
Cooperative Agreement Unit for the calculated amount equal to one percent (0.01) of the
sales for the quarterly period.
B. Contractor must include the Participating Addendum Number on the check. Those
checks submitted to the State without the Participating Addendum Number will be
returned to Contractor for additional identifying information.
C. Administrative fee checks shall be submitted to:
State of California
Department of General Services, Procurement Division
Attention: Cooperative Agreement Program
707 3`d Street, 2"d Floor, MS 2-202
West Sacramento, CA 95605
D, The administrative fee shall not be included as an adjustment to Contractor's NASPO
ValuePoint Master Agreement pricing.
E. The administrative fee shall not be invoiced or charged to the ordering agency.
F. Payment of the administrative fee is due irrespective of payment status on orders or
service contracts from a purchasing entity.
G. Administrative fee checks are due for each quarter as follows:
H. Failure to meet administrative fee requirements and submit fees on a timely basis shall
constitute grounds for suspension of this contract.
Page 6 of 8
Agreement No. 7089
Participating Addendum No. 7-17-7040-05
Carahsoft Technology Corp.
14. CONTRACT MANAGEMENT
A. The primary Contractor Contract Manager for this Participating Addendum shall be as
follows:
Contractor: Carahsoft Technology Corp.
Name: Jack Dixon
Phone: 703-230-7545
Fax: 703-871-8505
E-Mail: nas o carahsoft.com
Address: 1860 Michael Faraday Drive, Ste 100
Reston, VA 20190
B. The State Contract Administrator for this Participating Addendum shall be as follows:
Name:
Yolanda Tuft
Phone:
916.375.4408
Fax:
916.375.4663
E-Mail:
Yolanda, tuft(o)ds.ca. q ov
Address:
State of California
Department of General Services
Procurement Division
707 Third Street, 2nd Floor, MS 2-202
West Sacramento, CA 95605
C. Should the contact information for either party change, the party will provide written
notice with updated information no later than ten business days after the change.
15. Termination of Agreement
The State may terminate this Participating Addendum at any time upon 30 days prior written
notice to the Contractor. Upon termination or other expiration of this Participating
Addendum, each party will assist the other party in orderly termination of the Participating
Addendum and the transfer of all assets, tangible and intangible, as may facilitate the
orderly, nondisrupted business continuation of each party. This provision shall not relieve
the Contractor of the obligation to perform under any purchase order or other similar
ordering document executed prior to the termination becoming effective.
16. Amendment
No amendment or variation of the terms of this Participating Addendum shall be valid unless
made in writing, signed by the parties and approved as required. No oral understanding or
agreement not incorporated in the Participating Addendum is binding on any of the parties.
Page 7 of 8
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Carahsoft Technology Corp.
17. Agreement
A. This Participating Addendum and the Master Agreement together with its exhibits and/or
amendments, set forth the entire agreement between the parties with respect to the
subject matter of all previous communications, representations or agreements, whether
oral or written, with respect to the subject matter hereof. Terms and conditions
inconsistent with, contrary or in addition to the terms and conditions of this Participating
Addendum and the Master Agreement, together with its exhibits and/or amendments,
shall not be added to or incorporated into this Participating Addendum or the Master
Agreement and its exhibits and/or amendments, by any subsequent purchase order or
otherwise, and any such attempts to add or incorporate such terms and conditions are
hereby rejected. The terms and conditions of this Participating Addendum and the
Master Agreement and its exhibits and/or amendments shall prevail and govern in the
case of any such inconsistent or additional terms.
B. By signing below Contractor agrees to offer the same services as on the Utah NASPO
ValuePoint Master Agreement Number AR2472, at prices equal to or lower than the
prices on that contract.
C. IN WITNESS WHEREOF, the parties have executed this Participating Addendum as of
the date of execution by both parties below.
STATE OF CALIFORNIA
Department of General Services
nc Name
ignature ofAuthonzed Signer Date Signed
Ricardo Martinez, Acting Deputy Director
Printed Name and Title of Authorized Signer
707 Third Street
West Sacramento, CA 95605
Address
Page 8 of 8
CONTRACTOR
Carahsoft Technolo Cor .
Contractor Name
August 9, 2017
Signature of Authorized Signer Date Signed
Ellen Lord, Contracts Manage
Printed Name and Title ofAuthorized Signer
1860 Michael Faraday Drive, Suite 100
Reston, VA 20190
Address
Agreement No. 7089
0
e
S
a
0
d
s c»
«oo
�
CL
e E
a 0
t�c4�it,
46H
Agreement No. 7089
STATE OF CALIFORNIA
PARTICIPATING ADDENDUM NO. 7-17-70-40-05
AMENDMENT NO. 1
Cloud Solutions
Utah NASPO ValuePoint Master Agreement No. AR2472
Carahsoft Technology Corp.
The parties hereto mutually agree to amend Participating Addendum Number 7-17-70-40-05 as follows:,
1. Authorized Resellers outlined in Section 9 (Fulfillment Partners/Authorized Resellers)
is revised to reflect the following:
Authorized Resellers are available for this Participating Addendum:
ISSUE PURCHASE ORDER TO
Orders may be placed with Carahsoft Technology Corp. or with an Authorized Reseller as
indicated below:
Orders placed with Carahsoft Technology Corp.
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
1860 Michael Faraday Drive, Suite 100 Tempe, AZ 85283
Contact:
Karina Woods
Phone:
703/871-8500
Fax No.:
703/871-8505
E-mail:
OM@carahsoft.corn
Orders placed with an Authorized Reseller must be addressed as shown below, and payment
must be made payable to the Authorized Reseller identified on the invoice as shown below:
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Allied Network Solutions, Inc.
5718 Lonetree Blvd., Rocklin, CA 95765
Contact: Roger Schnorenberg
Phone: 916/774-2670 X101
E-mail: Rschnor nb rg a@arns-it.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Data Path Inc.
318 McHenry Ave., Modesto, CA 95354
Contact: Brian Jump
Phone: 209/312-9808
E-mail: BJump@mydatapaith.com
Page 1 of 4
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Amendment #1
Carahsoft Technology Corp.
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o DynTek Services, Inc.
4440 Von Karman, Suite 200, Newport Beach, CA 92660
Contact:
Kelsea Pratt -Acosta
Phone:
949/271-6780
Fax No.:
949/271-6794
E-mail:
CAsales@dyntek.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Eventus Solutions Group LLC
9777 Pyramiel Court, Suite 160, Englewood, CA 80112
Contact: Craig Tobin
Phone: 303/376-6161
E-mail: Crai tobin eventus , com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o HF Tech Services, Inc.
5777 Madison Avenue, Suite 1060, Sacramento, CA 95841
Contact: Allan P. Hart
Phone: 916/690-5056
E-mail: allan hftechservices.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o NWN Solutions Corporation
2969 Prospect Park Drive, Suite 225, Rancho Cordova, CA 95670
Contact:
Team Meade
Phone:
916/637-2160
Fax No.:
916/596-4800
E-mail:
TMeade@nwnit.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Savant Solutions, Inc. which will do business in California as [Savant Solutions Group]
1931 H Street, Sacramento, CA 95811
Contact: Caleb Kwong
Phone: 916/836-8182
E-mail: Caleb,@sav,antsolutions.net
Page 2 of 4
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Amendment #1
Carahsoft Technology Corp.
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o SHI International, Corp.
290 Davidson Avenue, Somerset, NJ 08873
Contact: Nick Grappone
Phone: 732/564-8189
E-mail: Nick. Gra one sshi.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Solutions Simplfied
8880 Cal Center Drive, Suite 400, Sacramento, CA 95826
Contact: Rachel DaValle
Phone: 530/521-0576
E-mail: Rachel, DavaIle ,solutionssim lified.net.
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o Taborda Solutions, Inc.
9580 Oak Ave Pkwy, Suite 7-180, Folsom, CA 95630
Contact:
Bear Williams
Phone:
916/717-8711
Fax No.:
916/200-0353
E-mail:
Bear,Wi�lliams@tabordasolLstions.com
SUBMIT ORDERS TO:
Carahsoft Technology Corp.
c/o vCloud Tech Inc.
609 Deep Valley Drive, Suite 200, Rollling Hills Estates, CA 90274
Contact: Nadia Khan
Phone: 424/703-4135
E-mail: nadiakhan vcioudtecl,.com
For invoicing purposes, each State Accounting office must have a copy of the reseller's Payee
Data Record (Std. 204) in order to process payment of the invoice. Agencies should forward a
copy of the Std. 204 to their respective accounting office. Without the Std. 204, payment may
be unnecessarily delayed.
AUTHORIZED RESELLERS ARE RESPONSIBLE FOR SENDING A COPY OF ALL
PURCHASE ORDERS TO QUEST MEDIA & SUPPLIES, INC. FOR COOPERATIVE
AGREEMENTS (NASPO VALUEPOINT) QUARTERLY REPORTING REQUIREMENTS.
When issuing an order to an authorized reseller listed on Cooperative Agreements, it is the
agency's responsibility to ensure that the reseller holds a valid California Seller's Permit.
Page 3 of 4
Agreement No. 7089
Participating Addendum No. 7-17-70-40-05
Amendment #1
Carahsoft Technology Corp.
NOTE: Contractor shall be responsible for successful performance and compliance with all
requirements in accordance with the terms and conditions under this Participating Addendum,
even if work is performed by Authorized Resellers. All State policies, guidelines, and
requirements shall apply to Authorized Resellers.
All other terms and conditions of the Participating Addendum shall remain the same.
IN WITNESS WHEREOF, the parties have executed this Participating Addendum Amendment
as of the date of execution by both parties below.
Participating State: Contractor:
State of California, Carahsoft Technology Corp.
Department of General Services
r14. r
"' wwwww r
Z✓' Name: Angela Shell
Title: Deputy Director
Date: &L
�.
Name: Robert R. Moore
Title: Vice President
Date: April 25, 2018
Page 4 of 4
Agreement No. 7089
STATE OF CALIFORNIA
PARTICIPATING ADDENDUM NUMBER 7-17-70-40-05
AMENDMENT 2
Cloud Solutions
Utah NASPO ValuePoint Master Agreement Number AR2472
Carahsoft Technology Corp. (Contractor)
The parties mutually agree to amend Participating Addendum 7-17-70-40-05 as follows:
1) Section 3. TERMS AND CONDITIONS/INCORPORATION OF DOCUMENTS is
updated to read as follows:
A. Terms and conditions listed below are hereby incorporated by reference and
made a part of this Participating Addendum as if attached herein and shall apply
to the purchase of goods or services made under this Participating Addendum.
Terms can be viewed on the DGS Procurement Division website
(https://www.dgs.ca.gov/PD/Resources/Page-Content/Procurement-Division-
Resources-List-Folder/Model-Contract-Language).
i. General Provisions — Information Technology (GSPD-401 IT) effective
9/5/2014.
ii. Cloud Computing Software as a Service (SaaS) General Provisions
effective 6/7/2019.
iii, Cloud Computing Special Provisions for Software as a Service (SaaS)
effective 03/15/18.
iv. Cloud Computing Special Provisions for Infrastructure as a Service (IaaS) &
Platform as a Service (PaaS), effective 05/11 /16.
2) Section 5. AVAILABLE PRODUCTS AND SERVICES is updated to read as follows:
A. The following service offerings from the Utah NASPO ValuePoint Master
Agreement Number AR2472 are allowed under this Participating Addendum:
1) Software as a Service (SaaS)
2) Infrastructure as a Service (IaaS)
3) Platform as a Service (PaaS)
3) Section 6. RESTRICTIONS/DISALLOWED PRODUCTS AND SERVICES (STATE
AGENCIES ONLY) is updated to read as follows:
A. The following product/service offerings are disallowed for state agencies under
this Participating Addendum:
1) Value Added Services, including Additional Value Added Services such as
Maintenance Services; Deployment Services; Consulting/Advisory Services;
Architectural Design Services; Statement of Work Services; Partner Services,
and Training Deployment Services
Page 1 of 3
Agreement No. 7089
Participating Addendum 7-17-70-40-05
Amendment 2
B. Product and service categories that are available on mandatory California
statewide contracts cannot be purchased from this Participating Addendum by
State agencies without an exemption. Prior to issuing a purchase order, State
agencies are responsible for obtaining an exemption from DGS, and/or California
Department of Technology (CDT).
C. State agencies must first obtain approval by the California Department of
Technology (CDT) to use this Participating Addendum for Infrastructure as a
Service (laaS) and/or Platform as a Service (PaaS) purchases in accordance
with Technology Letter 17 06 (www.cdt.ca.gov/wp-content/uploads/2017/08/TL-
17-06.pdf).
4) Section 14. CONTRACT MANAGEMENT subpart A is updated to read as follows:
A. The primary Contractor Contract Manager for this Participating Addendum shall
be as follows:
Contractor: Carahsoft Technology Corp.
Name: Alex Cord
Phone: 703-871-8500
E-Mail: Alex.Cord@Carahsoft.com
Address: 11493 Sunset Hills Road, Suite 100
Reston, VA 20190
5) Section 9 FULFILLMENT PARTNERS/AUTHORIZED RESELLERS is updated to
read as follows:
A. Contractor may use State -approved Authorized Resellers under this Participating
Addendum for sales and service functions as defined herein.
1) Orders may be placed with the Contractor or Authorized Resellers.
2) Authorized Resellers must accept purchase orders and accept payment
from ordering agencies for products and services offered under this
Participating Addendum.
3) Authorized Resellers are responsible for sending a copy of all purchase
orders and invoices to the Contractor for compliance with quarterly usage
reporting and administrative fee requirements.
4) All purchase documents to Authorized Resellers shall reference the
Participating Addendum Number and Contractor Name.
Page 2 of 3
Agreement No. 7089
Participating Addendum 7-17-70-40-05
Amendment 2
B. Contractor shall be responsible for successful performance and compliance with
all requirements in accordance with the terms and conditions under this
Participating Addendum, even if work is performed by Authorized Resellers. All
State policies, guidelines, and requirements shall apply to Authorized Resellers.
C. Contractor will be the sole point of contact with regard to Participating Addendum
contractual matters, reporting, and administrative fee requirements.
D. Subject to the approval of the State, Authorized Resellers may be added on a
quarterly basis during the term of the contract. Contractors shall notify the State
of any deleted Authorized Resellers or changes to current Authorized Resellers'
contact information in writing at any time during the contract term.
E. Contractor will be required to submit Authorized Reseller requests, in a format
specified by the State, to the State Contract Administrator for approval.
F. State -approved Authorized Resellers will be posted on the State's Cal eProcure
website.
All other terms and conditions of the Participating Addendum shall remain in full force
and effect.
IN WITNESS WHEREOF, the parties have executed this Amendment as of the date of
execution by both parties below.
STATE OF CALIFORNIA CONTRACTOR
Department of General Services _Carahsoft Technology Cori.
Agency Name Contractor Name
9
...._.............._..._._. August 11,ITIT2021 ����...��r�. 8/11 /2021
_._.
Authorized Signature Date Signed Authorized Signature Date Signed
Stephanne Lim, MAU2 Supervisor
Printed Name/Title of Person Signing
707 Third Street
West Sacramento, CA 95605
Address
Kristina Smith - Director of Contracts
Printed Name/Title of Person Signing
11493 Sunset Hills Road, Suite 100
Reston, VA 20190
Address
Page 3 of 3
Agreement No. 7089
STATE OF CALIFORNIA
PARTICIPATING ADDENDUM NUMBER 7-17-70-40-05
AMENDMENT 3
Cloud Solutions
Utah NASPO ValuePoint Master Agreement Number AR2472
Carahsoft Technology Corporation (Contractor)
The parties mutually agree to amend Participating Addendum 7-17-70-40-05 as follows:
1) Section 7. PRICING is revised to read as follows:
A. Contractor's pricing is outlined in the Utah NASPO ValuePoint Master
Agreement Number AR2472.
2) Section 16. CONTRACT MANAGEMENT, subparagraph A is revised to read as
follows:
A. The primary Contractor Contract Manager for this Participating Addendum
shall be as follows:
Contractor
Contract Manager
Name:
Mariah Edwards
Phone:
(818) 449-3729
Email: _
Mariah.Edwards carahsoft.comi
_...................... ......_
Address:
_.......... .. ..... ........
Carahsoft Technology Corporation
Mariah Edwards
11493 Sunset Hills Road, Suite 100
Resto, VA 20190
Page 1 of 2
Agreement No. 7089
Participating Addendum 7-17-70-40-05
Amendment 3
3) Section 18. EXECUTIVE ORDER N-6-22 — RUSSIA SANCTIONS is hereby added
to read as follows:
18. EXECUTIVE ORDER N-6-22 — RUSSIA SANCTIONS
On March 4, 2022, Governor Gavin Newsom issued Executive Order N-6-
22 (the EO) regarding Economic Sanctions against Russia and Russian
entities and individuals. "Economic Sanctions" refers to sanctions imposed
by the U.S. government in response to Russia's actions in Ukraine, as well
as any sanctions imposed under state law. The EO directs state agencies
to terminate contracts with, and to refrain from entering any new contracts
with, individuals or entities that are determined to be a target of Economic
Sanctions. Accordingly, should the State determine Contractor is a target of
Economic Sanctions or is conducting prohibited transactions with
sanctioned individuals or entities, that shall be grounds for termination of
this Participating Addendum. The State shall provide Contractor advance
written notice of such termination, allowing Contractor at least thirty (30)
calendar days to provide a written response. Termination shall be at the
sole discretion of the State.
All other terms and conditions of the Participating Addendum shall remain in full force
and effect.
IN WITNESS WHEREOF, the parties have executed this Amendment as of the date of
execution by both parties below.
STATE OF CALIFORNIA CONTRACTOR
Department of General Services Carahsoft Technology Corporation
Agency Name Contractor Name
Authorized Signature Date Signed
Julie Matthews, MAU2 SuervisorITmmITITITITITITITITITITITITIT_._
Printed Name/Title of Person Signing
707 Third Street
West Sacramento, CA 95605
Address
K� 06/22/2023
.......................
Authorized Signature Date Signed
Kristina Smith, Contracts Director_
Printed Name/Title of Person Signing
11493 Sunset Hills Rd, Suite 100, Reston, VA 20190
Address
Page 2 of 2
Agreement No. 7089
Cunt' act 4 AR27472
P.
.Vol STATE OF UTAH COOPERATIVE CONTRACT
I. CONTRACTING PARTIES: This contract isbcvxcen the Division Of Purchasing and the 1'ollowim, Contractor:
Caralisoft Teci)112joq.� Cotporation ..... ................... . LEGAL STATUS OF CONTRACTOR
Name ❑ Sole Tropriclor
1360 iklichael Faraday Drive, Suite 100 ❑ Non -Profit Corporation
Address Z Fur-Prc Fit Corporation
Reston VA—.. --- 20190 El Partnership
City state Zip ❑ Government Agency
Contact Person LjaLttt'gllv I'lloile .4703-230-7435 E-mail N qq—
Vendor /(VC0000 1 16540 Commodity Code 1020-05
2. GENERAL PURPOSE OF CONTRACT: Contractor is pcirmiltq] it) 11i:2.N Solutions klelllili 2Ld ill ("+UA EgrjKkjgttr� yitdmtes otaet� a l'tlrtici sating Addendmi.i It 1% beg", ned! L-
3. PROCUREMENT PROCESS: This Contract is entered into as a result Of the ])I-OCUrenieril process on F3i(IiICFI 16012.
4. CONTRACT PERIOD: Efl'ective Date: I0/14/20I U6 Termination Date: 09/15/2026 unless terminated early or extended in accordance
with the terms and conditions ofthiS Contract. Note: PLIMLIant to Solicitation flCI-I 160 12, Contract must re-certily its qualifications each
year.
5 Administrative Fee, as described in the Solicitation and Attachment A: The Contractor shall pay to NASPO ViluePoint, or its assignee,
a NASPO VaILIOPoint Administrative Fee o!'one-quarter ol'one percent (0.25% or 0.0025) no later than 60 (lays l'ollowin.,; the end of
each calendar quarter. The NASPO ValtiePoint Administrative Fee shall be submitted quarterly and is based on sales of the Services.
6. ATTACHMENT A: NASPO ValuePoint M aster Terms and Conditions, including the attached Exhibits
ATTACHMENT B: Scope ot"Services Awarded to Contractor
ATTACI IM ENT C: Pricing DiSCOLITItS and Pricing Schedule
ATTACHMENT D: Conlraclor's Response to Solicitation i.`Cl 116012
ATTACHMENT E: Service Offeriw, EU LAs
Any emillicts between Attachment A and the other Attachments will be resolved in favor of Attachment A.
S. DOCUMENTS INCORPORATED INTO THIS CONTRACT BY REFERENCE BUTNOF ATTACHED:
il. All other governmental laws. regulations, or actions applicable to the goods anct,or services authorized by this contracl.
b. Utah State Procurement Code and the Procurement RUICS.
9. Each sionatory below represents that he or she has the requisiteatithoritN lo enter into this contract.
IN WITNESS WI IEREOF, the parties sign and cause this contract to be executed.
CONTRACTOR STATE
10 1 16
k"Ooln"loor's slunatule Date — )iY6lt ri ol'Purchasing, Date
Robert Moore, Vice President
Tvpc or Print Name and Tit Ic
Christophnl er 111.1�1-111CS SO 1 -538-3254 chl
. ................. .
V".' 1,wn hin" I tsY
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
LIM
Attachment A: NASPO ValuePoint Master Agreement Terms and Conditions
1. Master Agreement Order of Precedence
a. Any Order placed under this Master Agreement shall consist of the following
documents:
(1) A Participating Entity's Participating Addendum' ("PA");
(2) NASPO ValuePoint Master Agreement Terms & Conditions, including the applicable
Exhibits2 to the Master Agreement;
(3) The Solicitation;
(4) Contractor's response to the Solicitation, as revised (if permitted) and accepted by
the Lead State; and
(5) A Service Level Agreement issued against the Participating Addendum.
b. These documents shall be read to be consistent and complementary. Any conflict
among these documents shall be resolved by giving priority to these documents in the
order listed above. Contractor terms and conditions that apply to this Master Agreement
are only those that are expressly accepted by the Lead State and must be in writing and
attached to this Master Agreement as an Exhibit or Attachment.
2. Definitions - Unless otherwise provided in this Master Agreement, capitalized terms
will have the meanings given to those terms in this Section.
Confidential Information means any and all information of any form that is marked as
confidential or would by its nature be deemed confidential obtained by Contractor or its
employees or agents in the performance of this Master Agreement, including, but not
necessarily limited to (1) any Purchasing Entity's records, (2) personnel records, and (3)
information concerning individuals, is confidential information of Purchasing Entity.
Contractor means the person or entity providing solutions under the terms and
conditions set forth in this Master Agreement. Contractor also includes its employees,
subcontractors, agents and affiliates who are providing the services agreed to under the
1 A Sample Participating Addendum will be published after the contracts have been awarded.
2 The Exhibits comprise the terms and conditions for the service models: PaaS, IaaS, and PaaS.
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016,.
Master Agreement.
Data means all information, whether in oral or written (including electronic) form,
created by or in any way originating with a Participating Entity or Purchasing Entity, and
all information that is the output of any computer processing, or other electronic
manipulation, of any information that was created by or in any way originating with a
Participating Entity or Purchasing Entity, in the course of using and configuring the
Services provided under this Agreement.
Data Breach means any actual or reasonably suspected non -authorized access to or
acquisition of computerized Non -Public Data or Personal Data that compromises the
security, confidentiality, or integrity of the Non -Public Data or Personal Data, or the
ability of Purchasing Entity to access the Non -Public Data or Personal Data.
Data Categorization means the process of risk assessment of Data. See also "High
Risk Data", "Moderate Risk Data" and "Low Risk Data".
Disabling Code means computer instructions or programs, subroutines, code,
instructions, data or functions, (including but not limited to viruses, worms, date bombs
or time bombs), including but not limited to other programs, data storage, computer
libraries and programs that self -replicate without manual intervention, instructions
programmed to activate at a predetermined time or upon a specified event, and/or
programs purporting to do a meaningful function but designed for a different function,
that alter, destroy, inhibit, damage, interrupt, interfere with or hinder the operation of the
Purchasing Entity's' software, applications and/or its end users processing environment,
the system in which it resides, or any other software or data on such system or any
other system with which it is capable of communicating.
Fulfillment Partner means a third -party contractor qualified and authorized by
Contractor, and approved by the Participating State under a Participating Addendum,
who may, to the extent authorized by Contractor, fulfill any of the requirements of this
Master Agreement including but not limited to providing Services under this Master
Agreement and billing Customers directly for such Services. Contractor may, upon
written notice to the Participating State, pdd or delete authorized Fulfillment Partners as
necessary at any time during the contract term. Fulfillment Partner has no authority to
amend this Master Agreement or to bind Contractor to any additional terms and
conditions.
High Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization
of Federal Information and Information Systems ("High Impact Data").
Infrastructure as a Service (laaS) as used in this Master Agreement is defined the
capability provided to the consumer to provision processing, storage, networks, and
other fundamental computing resources where the consumer is able to deploy and run
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 201&
arbitrary software, which can include operating systems and applications. The
consumer does not manage or control the underlying cloud infrastructure but has
control over operating systems, storage, deployed applications; and possibly limited
control of select networking components (e.g., host firewalls).
Intellectual Property means any and all patents, copyrights, service marks,
trademarks, trade secrets, trade names, patentable inventions, or other similar
proprietary rights, in tangible or intangible form, and all rights, title, and interest therein.
Lead State means the State centrally administering the solicitation and any resulting
Master Agreement(s).
Low Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of
Federal Information and Information Systems ("Low Impact Data").
Master Agreement means this agreement executed by and between the Lead State,
acting on behalf of NASPO ValuePoint, and the Contractor, as now or hereafter
amended.
Moderate Risk Data is as defined in FIPS PUB 199, Standards for Security
Categorization of Federal Information and Information Systems ("Moderate Impact Data").
NASPO ValuePoint is the NASPO ValuePoint Cooperative Purchasing Program,
facilitated by the NASPO Cooperative Purchasing Organization LLC, a 501(c)(3) limited
liability company (doing business as NASPO ValuePoint) is a subsidiary organization
the National Association of State Procurement Officials (NASPO), the sole member of
NASPO ValuePoint. The NASPO ValuePoint Cooperative Purchasing Organization
facilitates administration of the cooperative group contracting consortium of state chief
procurement officials for the benefit of state departments, institutions, agencies, and
political subdivisions and other eligible entities (i.e., colleges, school districts, counties,
cities, some nonprofit organizations, etc.) for all states and the District of Columbia. The
NASPO ValuePoint Cooperative Development Team is identified in the Master
Agreement as the recipient of reports and may be performing contract administration
functions as assigned by the Lead State.
Non -Public Data means High Risk Data and Moderate Risk Data that is not subject to
distribution to the public as public information. It is deemed to be sensitive and
confidential by the Purchasing Entity because it contains information that is exempt by
statute, ordinance or administrative rule from access by the general public as public
information.
Participating Addendum means a bilateral agreement executed by a Contractor and a
Participating Entity incorporating this Master Agreement and any other additional
Participating Entity specific language or other requirements, e.g. ordering procedures
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
specific to the Participating Entity, other terms and conditions.
Participating Entity means a state, or other legal entity, properly authorized to enter
into a Participating Addendum.
Participating State means a state, the District of Columbia, or one of the territories of
the United States that is listed in the Request for Proposal as intending to participate.
Upon execution of the Participating Addendum, a Participating State becomes a
Participating Entity.
Personal Data means data alone or in combination that includes information relating to
an individual that identifies the individual by name, identifying number, mark or
description can be readily associated with a particular individual and which is not a
public record. Personal Information may include the following personally identifiable
information (PII): government -issued identification numbers (e.g., Social Security,
driver's license, passport); financial account information, including account number,
credit or debit card numbers; or Protected Health Information (PHI) relating to a person.
Platform as a Service (PaaS) as used in this Master Agreement is defined as the
capability provided to the consumer to deploy onto the cloud infrastructure consumer -
created or -acquired applications created using programming languages and tools
supported by the provider. This capability does not necessarily preclude the use of
compatible programming languages, libraries, services, and tools from other sources.
The consumer does not manage or control the underlying cloud infrastructure including
network, servers, operating systems, or storage, but has control over the deployed
applications and possibly application hosting environment configurations.
Product means any deliverable under this Master Agreement, including Services,
software, and any incidental tangible goods.
Protected Health Information (PHI) means individually identifiable health information
transmitted by electronic media, maintained in electronic media, or transmitted or
maintained in any other form or medium. PHI excludes education records covered by
the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C.
1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records held
by a covered entity in its role as employer. PHI may also include information that is a
subset of health information, including demographic information collected from an
individual, and (1) is created or received by a health care provider, health plan,
employer or health care clearinghouse; and (2) relates to the past, present or future
physical or mental health or condition of an individual; the provision of health care to an
individual; or the past, present or future payment for the provision of health care to an
individual; and (a) that identifies the individual; or (b) with respect to which there is a
reasonable basis to believe the information can be used to identify the individual.
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
Purchasing Entity means a state, city, county, district, other political subdivision of a
State, and a nonprofit organization under the laws of some states if authorized by a
Participating Addendum, who issues a Purchase Order against the Master Agreement
and becomes financially committed to the purchase.
Services mean any of the specifications described in the Scope of Services that are
supplied or created by the Contractor pursuant to this Master Agreement.
Security Incident means the possible or actual unauthorized access to a Purchasing
Entity's Non -Public Data and Personal Data the Contractor believes could reasonably
result in the use, disclosure or theft of a Purchasing Entity's Non -Public Data within the
possession or control of the Contractor. A Security Incident also includes a major
security breach to the Contractor's system, regardless if Contractor is aware of
unauthorized access to a Purchasing Entity's Non -Public Data. A Security Incident may
or may not turn into a Data Breach.
Service Level Agreement (SLA) means a written agreement between both the
Purchasing Entity and the Contractor that is subject to the terms and conditions in this
Master Agreement and relevant Participating Addendum unless otherwise expressly
agreed in writing between the Purchasing Entity and the Contractor. SLAs should
include: (1) the technical service level performance promises, (i.e. metrics for
performance and intervals for measure), (2) description of service quality, (3)
identification of roles and responsibilities, (4) remedies, such as credits, and (5) an
explanation of how remedies or credits are calculated and issued.
Software as a Service (SaaS) as used in this Master Agreement is defined as the
capability provided to the consumer to use the Contractor's applications running on a
Contractor's infrastructure (commonly referred to as `cloud infrastructure). The
applications are accessible from various client devices through a thin client interface
such as a Web browser (e.g., Web -based email), or a program interface. The consumer
does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities, with the
possible exception of limited user -specific application configuration settings.
Solicitation means the documents used by the State of Utah, as the Lead State, to
obtain Contractor's Proposal.
Statement of Work means a written statement in a solicitation document or contract
that describes the Purchasing Entity's service needs and expectations.
6. Discount Guarantee Period: All discounts must be guaranteed for the entire term of
the Master Agreement. Participating Entities and Purchasing Entities shall receive the
immediate benefit of price or rate reduction of the services provided under this Master
Agreement. A price or rate reduction will apply automatically to the Master Agreement
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/Value Point Model
Contract for Cloud Services.
February 17, 2016.
and an amendment is not necessary.
8. Confidentiality, Non -Disclosure, and Injunctive Relief
a. Confidentiality. Contractor acknowledges that it and its employees or agents may, in
the course of providing a Product under this Master Agreement, be exposed to or
acquire information that is confidential to Purchasing Entity's or Purchasing Entity's
clients. Any reports or other documents or items (including software) that result from
the use of the Confidential Information by Contractor shall be treated in the same
manner as the Confidential Information. Confidential Information does not include
information that (1) is or becomes (other than by disclosure by Contractor) publicly
known; (2) is furnished by Purchasing Entity to others without restrictions similar to
those imposed by this Master Agreement; (3) is rightfully in Contractor's possession
without the obligation of nondisclosure prior to the time of its disclosure under this
Master Agreement; (4) is obtained from a source other than Purchasing Entity without
the obligation of confidentiality, (5) is disclosed with the written consent of Purchasing
Entity or; (6) is independently developed by employees, agents or subcontractors of
Contractor who can be shown to have had no access to the Confidential Information.
b. Non -Disclosure. Contractor shall hold Confidential Information in confidence, using
at least the industry standard of confidentiality, and shall not copy, reproduce, sell,
assign, license, market, transfer or otherwise dispose of, give, or disclose Confidential
Information to third parties or use Confidential Information for any purposes whatsoever
other than what is necessary to the performance of Orders placed under this Master
Agreement. Contractor shall advise each of its employees and agents of their
obligations to keep Confidential Information confidential. Contractor shall use
commercially reasonable efforts to assist Purchasing Entity in identifying and preventing
any unauthorized use or disclosure of any Confidential Information. Without limiting the
generality of the foregoing, Contractor shall advise Purchasing Entity, applicable
Participating Entity, and the Lead State immediately if Contractor learns or has reason
to believe that any person who has had access to Confidential Information has violated
or intends to violate the terms of this Master Agreement, and Contractor shall at its
expense cooperate with Purchasing Entity in seeking injunctive or other equitable relief
in the name of Purchasing Entity or Contractor against any such person. Except as
directed by Purchasing Entity, Contractor will not at any time during or after the term of
this Master Agreement disclose, directly or indirectly, any Confidential Information to
any person, except in accordance with this Master Agreement, and that upon
termination of this Master Agreement or at Purchasing Entity's request, Contractor shall
turn over to Purchasing Entity all documents, papers, and other matter in Contractor's
possession that embody Confidential Information. Notwithstanding the foregoing,
Contractor may keep one copy of such Confidential Information necessary for quality
assurance, audits and evidence of the performance of this Master Agreement.
c. Injunctive Relief. Contractor acknowledges that breach of this section, including
disclosure of any Confidential Information, will cause irreparable injury to Purchasing
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
Entity that is inadequately compensable in damages. Accordingly, Purchasing Entity
may seek and obtain injunctive relief against the breach or threatened breach of the
foregoing undertakings, in addition to any other legal remedies that may be available.
Contractor acknowledges and agrees that the covenants contained herein are
necessary for the protection of the legitimate business interests of Purchasing Entity
and are reasonable in scope and content.
d. Purchasing Entity Law. These provisions shall be applicable only to extent they are
not in conflict with the applicable public disclosure laws of any Purchasing Entity.
9. Right to Publish: Throughout the duration of this Master Agreement, Contractor must
secure prior approval from the Lead State or Participating Entity for the release of any
information that pertains to the potential work or activities covered by the Master
Agreement, including but not limited to reference to or use of the Lead State or a
Participating Entity's name, Great Seal of the State, Coat of Arms, any Agency or other
subunits of the State government, or any State official or employee, for commercial
promotion which is strictly prohibited. News releases or release of broadcast a -mails
pertaining to this Master Agreement or Participating Addendum shall not be made without
prior written approval of the Lead State or a Participating Entity.
The Contractor shall not make any representations of NASPO ValuePoint's opinion or
position as to the quality or effectiveness of the services that are the subject of this
Master Agreement without prior written consent. Failure to adhere to this requirement
may result in termination of the Master Agreement for cause.
11. Changes in Contractor Representation: The Contractor must notify the Lead State
of changes in the Contractor's key administrative personnel, in writing within 10 calendar
days of the change. The Lead State reserves the right to approve changes in key
personnel, as identified in the Contractor's proposal. The Contractor agrees to propose
replacement key personnel having substantially equal or better education, training, and
experience as was possessed by the key person proposed and evaluated in the
Contractor's proposal.
13. Indemnification and Limitation of Liability
a. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO
ValuePoint, the Lead State, Participating Entities, and Purchasing Entities, along with
their officers, agents, and employees as well as any person or entity for which they may
be liable, from and against claims, damages or causes of action including reasonable
attorneys' fees and related costs for any death, bodily injury, or damage to real or
tangible property arising directly or indirectly from the negligent or wrongful act(s),
error(s), or omission(s) of the Contractor, its employees or subcontractors or volunteers,
at any tier, relating to the performance under the Master Agreement.
b. Indemnification — Intellectual Property. The Contractor shall defend, indemnify and
hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating entities,
Purchasing Entities, along with their officers, agents, and employees as well as any
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
person or entity for which they may be liable ("Indemnified Party"), from and against
claims, damages or causes of action including reasonable attorneys' fees and related
costs arising out of the claim that the Product or its use, infringes Intellectual Property
rights ("Intellectual Property Claim") of another person or entity.
(1) The Contractor's obligations under this section shall not extend to:
a. Any use of the Services provided hereunder not contemplated in the
product documentation.
b. Any use of the Services provided hereunder in combination with other
products not contemplated hereunder or in the documentation, any use
of modification of the Services provided hereunder except as permitted
by this Agreement.
(2) The Indemnified Party shall notify the Contractor within a reasonable time
after receiving notice of an Intellectual Property Claim. Even if the Indemnified Party
fails to provide reasonable notice, the Contractor shall not be relieved from its
obligations unless the Contractor can demonstrate that it was prejudiced in defending
the Intellectual Property Claim resulting in increased expenses or loss to the Contractor
and then only to the extent of the prejudice or expenses. If the Contractor promptly and
reasonably investigates and defends any Intellectual Property Claim, it shall have
control over the defense and settlement of it. However, the Indemnified Party must
consent in writing for any money damages or obligations for which it may be
responsible. The Indemnified Party shall furnish, at the Contractor's reasonable request
and expense, information and assistance necessary for such defense. If the Contractor
fails to vigorously pursue the defense or settlement of the Intellectual Property Claim,
the Indemnified Party may assume the defense or settlement of it and the Contractor
shall be liable for all costs and expenses, including reasonable attorneys' fees and
related costs, incurred by the Indemnified Party in the pursuit of the Intellectual Property
Claim. Unless otherwise agreed in writing, this section is not subject to any limitations of
liability in this Master Agreement or in any other document executed in conjunction with
this Master Agreement.
b. Except as otherwise set forth in the Indemnification Paragraphs above, the limit of
liability shall be as follows:
i. Contractor's liability for any claim, loss or liability arising out of, or connected
with'the Services provided, and whether based upon default, or other liability
such as breach of contract, warranty, negligence, misrepresentation or
otherwise, shall in no case exceed direct damages in: (i) an amount equal to two
(2) times the charges specified in the Purchase Order for the Services, or parts
thereof forming the basis of the Purchasing Entity's claim, (said amount not to
exceed a total of twelve (12) months charges payable under the applicable
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
Purchase Order) or (ii) two million dollars ($2,000,000), whichever is greater.
ii. The Purchasing Entity may retain such monies from any amount due
Contractor as may be necessary to satisfy any claim for damages, costs and the
like asserted against the Purchasing Entity unless Contractor at the time of the
presentation of claim shall demonstrate to the Purchasing Entity's satisfaction
that sufficient monies are set aside by the Contractor in the form of a bond or
through insurance coverage to cover associated damages and other costs.
iii. Notwithstanding the above, neither the Contractor nor the Purchasing Entity
shall be liable for any consequential, indirect or special damages of any kind
which may result directly or indirectly from such performance, including, without
limitation, damages resulting from loss of use or loss of profit by the Purchasing
Entity, the Contractor, or by others.
iv. The limitations of liability in Section 43 will not apply to claims for bodily injury or
death as set forth in Section 13, and Section 30 when made applicable under a specific
purchase order.
16. Insurance
a. Unless otherwise agreed in a Participating Addendum, Contractor shall, during the
term of this Master Agreement, maintain in full force and effect, the insurance described
in this section. Contractor shall acquire such insurance from an insurance carrier or
carriers licensed to conduct business in each Participating Entity's state and having a
rating of A-, Class VII or better, in the most recently published edition of Best's Reports.
Failure to buy and maintain the required insurance may result in this Master
Agreement's termination or, at a Participating Entity's option, result in termination of its
Participating Addendum.
b. Coverage shall be written on an occurrence basis. The minimum acceptable limits
shall be as indicated below, with no deductible for each of the following categories:
(1) Commercial General Liability covering premises operations, independent
contractors, products and completed operations, blanket contractual liability,
personal injury (including death), advertising liability, and property damage,
with a limit of not less than $1 million per occurrence/$3 million general
aggregate;
(2) CLOUD MINIMUM INSURANCE COVERAGE:
Data Breach and Privacy/Cyber
Liability including Technology Crime Insurance
Level of Errors and Omissions Minimum Insurance
Risk Minimum Insurance Coverage Coverage
Low $2,000,000 $2,000,000
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 201&
Moderate $5,000,000 $5,000,000
High _....m $10,000,000 $10,000,000
(3) Contractor must comply with any applicable State Workers Compensation or
Employers Liability Insurance requirements.
(4) Professional Liability. As applicable, Professional Liability Insurance Policy in
the minimum amount of $1,000,000 per occurrence and $1,000,000 in the
aggregate, written on an occurrence form that provides coverage for its work
undertaken pursuant to each Participating Addendum.
c. Contractor shall pay premiums on all insurance policies. Such policies shall also
reference this Master Agreement and shall have a condition that they not be revoked by
the insurer until thirty (30) calendar days after notice of intended revocation thereof shall
have been given to Purchasing Entity and Participating Entity by the Contractor.
d. Prior to commencement of performance, Contractor shall provide to the Lead State a
written endorsement to the Contractor's general liability insurance policy or other
documentary evidence acceptable to the Lead State that (1) names the Participating
States identified in the Request for Proposal as additional insureds, (2) provides that no
material alteration, cancellation, non -renewal, or expiration of the coverage contained in
such policy shall have effect unless the named Participating State has been given at
least thirty (30) days prior written notice, and (3) provides that the Contractor's liability
insurance policy shall be primary, with any liability insurance of any Participating State
as secondary and noncontributory. Unless otherwise agreed in any Participating
Addendum, the Participating Entity's rights and Contractor's obligations are the same as
those specified in the first sentence of this subsection. Before performance of any
Purchase Order issued after execution of a Participating Addendum authorizing it, the
Contractor shall provide to a Purchasing Entity or Participating Entity who requests it the
same information described in this subsection.
e. Contractor shall furnish to the Lead State, Participating Entity, and, on request, the
Purchasing Entity copies of certificates of all required insurance within thirty (30)
calendar days of the execution of this Master Agreement, the execution of a
Participating Addendum, or the Purchase Order's effective date and prior to performing
any work. The insurance certificate shall provide the following information: the name
and address of the insured; name, address, telephone number and signature of the
authorized agent; name of the insurance company (authorized to operate in all states);
a description of coverage in detailed standard terminology (including policy period,
policy number, limits of liability, exclusions and endorsements); and an acknowledgment
of the requirement for notice of cancellation. Copies of renewal certificates of all
required insurance shall be furnished within thirty (30) days after any renewal date.
These certificates of insurance must expressly indicate compliance with each and every
insurance requirement specified in this section. Failure to provide evidence of coverage
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
may, at sole option of the Lead State, or any Participating Entity, result in this Master
Agreement's termination or the termination of any Participating Addendum.
f. Coverage and limits shall not limit Contractor's liability and obligations under this
Master Agreement, any Participating Addendum, or any Purchase Order.
17. Laws and Regulations: Any and all Services offered and furnished shall comply
fully with all applicable Federal and State laws and regulations.
The federal and state laws, regulations, policies, standards, and guidelines that
Contractors doing business with the Participating Entities must be aware of, include, but
not limited to: Criminal Justice Information Services (CJIS) Security Policy; Federal
Educational Rights and Privacy Act (FERPA); Federal Information Security
Management Act (FISMA); National Institute of Technology Standards; Gramm -Leach -
Bliley Act (GLB) Act; Health Insurance Portability and Accountability Act (HIPAA);
Health Information Technology for Economic and Clinical Health Act (HITECH); IRS
Publication 1075; Payment Card Industry Data Security Standard (PCI DSS); Sarbanes-
Oxley Act (SOX); Electronic Communications Privacy Act, Stored Communications Act
and the PATRIOT Act. The list is intentionally United States -centric, and is not intended
to be all-inclusive. Further, since laws, regulations, requirements and industry guidelines
change, consulting definitive sources to assure a clear understanding of compliance
requirements is critical. Many State Entities have additional program compliance
requirements that must be considered in addressing compliance. (e.g., DMV Privacy
Act, Public Service Law, etc.).
20. Participants and Scope
a. Contractor may not deliver Services under this Master Agreement until a Participating
Addendum acceptable to the Participating Entity and Contractor is executed. The
NASPO ValuePoint Master Agreement Terms and Conditions are applicable to any
Order by a Participating Entity (and other Purchasing Entities covered by their
Participating Addendum), except to the extent altered, modified, supplemented or
amended by a Participating Addendum. By way of illustration and not limitation, this
authority may apply to unique delivery and invoicing requirements, confidentiality
requirements, defaults on Orders, governing law and venue relating to Orders by a
Participating Entity, indemnification, and insurance requirements. Statutory or
constitutional requirements relating to availability of funds may require specific language
in some Participating Addenda in order to comply with applicable law. The expectation
is that these alterations, modifications, supplements, or amendments will be addressed
in the Participating Addendum or, with the consent of the Purchasing Entity and
Contractor, may be included in the ordering document (e.g. purchase order or contract)
used by the Purchasing Entity to place the Order.
b. Subject to subsection 20c and a Participating Entity's Participating Addendum, the
use of specific NASPO ValuePoint cooperative Master Agreements by state agencies,
political subdivisions and other Participating Entities (including cooperatives) authorized
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016„
by individual state's statutes to use state contracts is subject to the approval of the
respective State Chief Procurement Official.
c. Unless otherwise stipulated in a Participating Entity's Participating Addendum,
specific services accessed through the NASPO ValuePoint cooperative Master
Agreements for Cloud Services by state executive branch agencies, as required by a
Participating Entity's statutes, are subject to the authority and approval of the
Participating Entity's Chief Information Officer's Office3.
Cl. Obligations under this Master Agreement are limited to those Participating Entities
who have signed a Participating Addendum and Purchasing Entities within the scope of
those Participating Addenda. Financial obligations of Participating States are limited to
the orders placed by the departments or other state agencies and institutions having
available funds. Participating States incur no financial obligations on behalf of political
subdivisions.
e. NASPO ValuePoint is not a party to the Master Agreement. It is a nonprofit
cooperative purchasing organization assisting states in administering the NASPO
ValuePoint cooperative purchasing program for state government departments,
institutions, agencies and political subdivisions (e.g., colleges, school districts, counties,
cities, etc.) for all 50 states, the District of Columbia and the territories of the United
States.
f. Participating Addenda shall not be construed to amend the terms of this Master
Agreement between the Lead State and Contractor.
g. Participating Entities who are not states may under some circumstances sign their
own Participating Addendum, subject to the approval of participation by the Chief
Procurement Official of the state where the Participating Entity is located. Coordinate
requests for such participation through NASPO ValuePoint. Any permission to
participate through execution of a Participating Addendum is not a determination that
procurement authority exists in the Participating Entity; they must ensure that they have
the requisite procurement authority to execute a Participating Addendum.
h. Resale. Subject to any explicit permission in a Participating Addendum, Purchasing
Entities may not resell goods, software, or Services obtained under this Master
Agreement. This limitation does not prohibit: payments by employees of a Purchasing
Entity as explicitly permitted under this agreement; sales of goods to the general public
as surplus property; and fees associated with inventory transactions with other
governmental or nonprofit entities under cooperative agreements and consistent with a
Purchasing Entity's laws and regulations. Any sale or transfer permitted by this
3 Chief Information Officer means the individual designated by the Governor with Executive Branch, enterprise -
wide responsibility for the leadership and management of information technology resources of a state.
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
subsection must be consistent with license rights granted for use of intellectual property.
22. Data Access Controls: Contractor will provide access to Purchasing Entity's Data
only to those Contractor employees, contractors and subcontractors ("Contractor Staff')
who need to access the Data to fulfill Contractor's obligations under this Agreement.
Contractor shall not access a Purchasing Entity's user accounts or Data, except on the
course of data center operations, response to service or technical issues, as required by
the express terms of this Master Agreement, or at a Purchasing Entity's written request.
Contractor may not share a Purchasing Entity's Data with its parent corporation, other
affiliates, or any other third party without the Purchasing Entity's express written
consent.
Contractor will ensure that, prior to being granted access to the Data, Contractor Staff
who perform work under this Agreement have successfully completed annual instruction
of a nature sufficient to enable them to effectively comply with all Data protection
provisions of this Agreement; and possess all qualifications appropriate to the nature of
the employees' duties and the sensitivity of the Data they will be handling.
23. Operations Management: Contractor shall maintain the administrative, physical,
technical, and procedural infrastructure associated with the provision of the Product in a
manner that is, at all times during the term of this Master Agreement, at a level equal to
or more stringent than those specified in the Solicitation. Contractor must maintain any
certifications required under the Solicitation.
24. Public Information: This Master Agreement and all related documents are subject
to disclosure pursuant to the Purchasing Entity's public information laws.
26. Records Administration and Audit.
a. The Contractor shall maintain books, records, documents, and other evidence
pertaining to this Master Agreement and orders placed by Purchasing Entities under it
to the extent and in such detail as shall adequately reflect performance and
administration of payments and fees. Contractor shall permit the Lead State, a
Participating Entity, a Purchasing Entity, the federal government (including its grant
awarding entities and the U.S. Comptroller General), and any other duly authorized
agent of a governmental agency, to audit, inspect, examine, copy and/or transcribe
Contractor's books, documents, papers and records directly pertinent to this Master
Agreement or orders placed by a Purchasing Entity under it for the purpose of making
audits, examinations, excerpts, and transcriptions. This right shall survive for a period
of six (6) years following termination of this Agreement or final payment for any order
placed by a Purchasing Entity against this Agreement, whichever is later, to assure
compliance with the terms hereof or to evaluate performance hereunder.
b. Without limiting any other remedy available to any governmental entity, the
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016,
Contractor shall reimburse the applicable Lead State, Participating Entity, or Purchasing
Entity for any overpayments inconsistent with the terms of the Master Agreement or
orders or underpayment of fees found as a result of the examination of the Contractor's
records.
c. The rights and obligations herein exist in addition to any quality assurance obligation
in the Master Agreement requiring the Contractor to self -audit contract obligations and
that permits the Lead State to review compliance with those obligations.
d. The Contractor shall allow the Purchasing Entity to audit conformance to the Master
Agreement and applicable Participating Addendum terms. The purchasing entity may
perform this audit or contract with a third party at its discretion and at the purchasing
entity's expense.
27. Administrative Fees: The Contractor shall pay to NASPO ValuePoint, or its
assignee, a NASPO ValuePoint Administrative Fee of one -quarter of one percent
(0.25% or 0.0025) no later than 60 days following the end of each calendar quarter. The
NASPO ValuePoint Administrative Fee shall be submitted quarterly and is based on
sales of the Services. The NASPO ValuePoint Administrative Fee is not negotiable. This
fee is to be included as part of the pricing submitted with proposal.
Additionally, some states may require an additional administrative fee be paid directly to
the state on purchases made by Purchasing Entities within that state. For all such
requests, the fee level, payment method and schedule for such reports and payments
will be incorporated into the Participating Addendum that is made a part of the Master
Agreement. The Contractor may adjust the Master Agreement pricing accordingly for
purchases made by Purchasing Entities within the jurisdiction of the state. All such
agreements shall not affect the NASPO ValuePoint Administrative Fee percentage or
the prices paid by the Purchasing Entities outside the jurisdiction of the state requesting
the additional fee. The NASPO ValuePoint Administrative Fee shall be based on the
gross amount of all sales at the adjusted prices (if any) in Participating Addenda.
28. System Failure or Damage: In the event of system failure or damage caused by
Contractor or its Services, the Contractor agrees to use its best efforts to restore or
assist in restoring the system to operational capacity.
29. Title to Product: If access to the Product requires an application program interface
(API), Contractor shall convey to Purchasing Entity an irrevocable and perpetual license
to use the API.
30. Data Privacy: When required by a specific purchase order issued under this
Agreement or a Participating Addendum and accepted by the Contractor, the Contractor
must comply with all applicable laws related to data privacy and security, including IRS
Pub 1075. Prior to entering into a SLA with a Purchasing Entity, the Contractor and
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
Purchasing Entity must cooperate and hold a meeting to determine the Data
Categorization to determine whether the Contractor will hold, store, or process High
Risk Data, Moderate Risk Data and Low Risk Data. The Contractor must document the
Data Categorization in the SLA or Statement of Work.
31. Warranty: At a minimum the Contractor must warrant the following:
a. Contractor has acquired any and all rights, grants, assignments, conveyances,
licenses, permissions, and authorization for the Contractor to provide the Services
described in this Master Agreement.
b. Contractor will perform materially as described in this Master Agreement, SLA,
Statement of Work, including any performance representations contained in the
Contractor's response to the Solicitation by the Lead State.
c. Contractor represents and warrants that the representations contained in its response
to the Solicitation by the Lead State.
d. The Contractor will not interfere with a Purchasing Entity's access to and use of the
Services it acquires from this Master Agreement.
e. The Services provided by the Contractor are compatible with and will operate
successfully with any environment (including web browser and operating system)
specified by the Contractor in its response to the Solicitation by the Lead State.
f. The Contractor warrants that the Products it provides under this Master Agreement
are free of malware. The Contractor must use industry -leading technology to detect and
remove worms, Trojans, rootkits, rogues, dialers, spyware, etc.
32. Transition Assistance:
a. The Contractor shall reasonably cooperate with other parties in connection with all
Services to be delivered under this Master Agreement, including without limitation any
successor service provider to whom a Purchasing Entity's Data is transferred in
connection with the termination or expiration of this Master Agreement. The Contractor
shall assist a Purchasing Entity in exporting and extracting a Purchasing Entity's Data,
in a format usable without the use of the Services and as agreed by a Purchasing
Entity, at no additional cost to the Purchasing Entity. Any transition services requested
by a Purchasing Entity involving additional knowledge transfer and support may be
subject to a separate transition Statement of Work.
b. A Purchasing Entity and the Contractor shall, when reasonable, create a Transition
Plan Document identifying the transition services to be provided and including a
Statement of Work if applicable.
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/Value Point Model
Contract for Cloud Services.
February 17, 2016.
c. The Contractor must maintain the confidentiality and security of a Purchasing Entity's
Data during the transition services and thereafter as required by the Purchasing Entity.
35. Debarment : The Contractor certifies, to the best of its knowledge, that neither it nor
its principals are presently debarred, suspended, proposed for debarment, declared
ineligible, or voluntarily excluded from participation in this transaction (contract) by any
governmental department or agency. This certification represents a recurring
certification made at the time any Order is placed under this Master Agreement. If the
Contractor cannot certify this statement, attach a written explanation for review by the
Lead State.
37. Governing Law and Venue
a. The procurement, evaluation, and award of the Master Agreement shall be governed
by and construed in accordance with the laws of the Lead State sponsoring and
administering the procurement. The construction and effect of the Master Agreement
after award shall be governed by the law of the state serving as Lead State (in most
cases also the Lead State). The construction and effect of any Participating Addendum
or Order against the Master Agreement shall be governed by and construed in
accordance with the laws of the Participating Entity's or Purchasing Entity's State.
b. Unless otherwise specified in the RFP, the venue for any protest, claim, dispute or
action relating to the procurement, evaluation, and award is in the Lead State. Venue
for any claim, dispute or action concerning the terms of the Master Agreement shall be
in the state serving as Lead State. Venue for any claim, dispute, or action concerning
any Order placed against the Master Agreement or the effect of a Participating
Addendum shall be in the Purchasing Entity's State.
c. If a claim is brought in a federal forum, then it must be brought and adjudicated solely
and exclusively within the United States District Court for (in decreasing order of
priority): the Lead State for claims relating to the procurement, evaluation, award, or
contract performance or administration if the Lead State is a party; the Participating
State if a named party; the Participating Entity state if a named party; or the Purchasing
Entity state if a named party.
d. This section is also not a waiver by the Participating State of any form of immunity,
including but not limited to sovereign immunity and immunity based on the Eleventh
Amendment to the Constitution of the United States.
40. Contract Provisions for Orders Utilizing Federal Funds: Pursuant to Appendix II
to 2 Code of Federal Regulations (CFR) Part 200, Contract Provisions for Non -Federal
Entity Contracts Under Federal Awards, Orders funded with federal funds may have
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016.
additional contractual requirements or certifications that must be satisfied at the time the
Order is placed or upon delivery. These federal requirements may be proposed by
Participating Entities in Participating Addenda and Purchasing Entities for incorporation
in Orders placed under this master agreement.
42. NASPO ValuePoint Summary and Detailed Usage Reports: In addition to other
reports that may be required by this solicitation, the Contractor shall provide the
following NASPO ValuePoint reports.
a. Summary Sales Data. The Contractor shall submit quarterly sales reports directly to
NASPO ValuePoint using the NASPO ValuePoint Quarterly Sales/Administrative Fee
Reporting Tool found at http://www.naspo.org/WNCPO/Calculator.aspx. Any/all sales
made under the contract shall be reported as cumulative totals by state. Even if
Contractor experiences zero sales during a calendar quarter, a report is still required.
Reports shall be due no later than 30 day following the end of the calendar quarter (as
specified in the reporting tool).
b. Detailed Sales Data. Contractor shall also report detailed sales data by: (1) state; (2)
entity/customer type, e.g. local government, higher education, K12, non-profit; (3)
Purchasing Entity name; (4) Purchasing Entity bill -to and ship -to locations; (4)
Purchasing Entity and Contractor Purchase Order identifier/number(s); (5) Purchase
Order Type (e.g. sales order, credit, return, upgrade, determined by industry practices);
(6) Purchase Order date; (7) Ship Date; (8) and line item description, including product
number if used. The report shall be submitted in any form required by the solicitation.
Reports are due on a quarterly basis and must be received by the Lead State and
NASPO ValuePoint Cooperative Development Team no later than thirty (30) days after
the end of the reporting period. Reports shall be delivered to the Lead State and to the
NASPO ValuePoint Cooperative Development Team electronically through a
designated portal, email, CD -Rom, flash drive or other method as determined by the
Lead State and NASPO ValuePoint. Detailed sales data reports shall include sales
information for all sales under Participating Addenda executed under this Master
Agreement. The format for the detailed sales data report is in shown in Attachment F.
c. Reportable sales for the summary sales data report and detailed sales data report
includes sales to employees for personal use where authorized by the solicitation and
the Participating Addendum. Report data for employees should be limited to ONLY the
state and entity they are participating under the authority of (state and agency, city,
county, school district, etc.) and the amount of sales. No personal identification
numbers, e.g. names, addresses, social security numbers or any other numerical
identifier, may be submitted with any report.
d. Contractor shall provide the NASPO ValuePoint Cooperative Development
Coordinator with an executive summary each quarter that includes, at a minimum, a list
Agreement No. 7089
This document includes salient or non-standard provisions extracted from NASPO/ValuePoint Model
Contract for Cloud Services.
February 17, 2016„
of states with an active Participating Addendum, states that Contractor is in negotiations
with and any PA roll out or implementation activities and issues. NASPO ValuePoint
Cooperative Development Coordinator and Contractor will determine the format and
content of the executive summary. The executive summary is due 30 days after the
conclusion of each calendar quarter.
e. Timely submission of these reports is a material requirement of the Master
Agreement. The recipient of the reports shall have exclusive ownership of the media
containing the reports. The Lead State and NASPO ValuePoint shall have a perpetual,
irrevocable, non-exclusive, royalty free, transferable right to display, modify, copy, and
otherwise use reports, data and information provided under this section.
f. If requested by a Participating Entity, the Contractor must provide detailed sales data
within the Participating State.
43. Entire Agreement: This Master Agreement, along with any attachment, contains
the entire understanding of the parties hereto with respect to the Master Agreement
unless a term is modified in a Participating Addendum with a Participating Entity. No
click -through, or other end user terms and conditions or agreements required by the
Contractor ("Additional Terms") provided with any Services hereunder shall be binding
on Participating Entities or Purchasing Entities, even if use of such Services requires an
affirmative "acceptance" of those Additional Terms before access is permitted.
Agreement No. 7089
Exhibit 1 to the Master Agreement: Software -as -a -Service
1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is
related to the Services provided by this Master Agreement. The Contractor shall not access
Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data
center operations, (2) in response to service or technical issues, (3) as required by the express
terms of this Master Agreement, Participating Addendum, SLA, and/or other contract
documents, or (4) at the Purchasing Entity's written request.
Contractor shall not collect, access, or use user -specific Purchasing Entity Data except as strictly
necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing
Entity's use of the Service may be disclosed, provided, rented or sold to any third party for any
reason unless required by law or regulation or by an order of a court of competent jurisdiction. This
obligation shall survive and extend beyond the term of this Master Agreement.
2. Data Protection: Protection of personal privacy and data shall be an integral part of the
business activities of the Contractor to ensure there is no inappropriate or unauthorized use of
Purchasing Entity information at any time. To this end, the Contractor shall safeguard the
confidentiality, integrity and availability of Purchasing Entity information and comply with the
following conditions:
a. The Contractor shall implement and maintain appropriate administrative, technical and
organizational security measures to safeguard against unauthorized access, disclosure or
theft of Personal Data and Non -Public Data. Such security measures shall be in accordance
with recognized industry practice and not less stringent than the measures the Contractor
applies to its own Personal Data and Non -Public Data of similar kind.
b. All data obtained by the Contractor in the performance of the Master Agreement shall
become and remain the property of the Purchasing Entity.
c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless
otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any
stipulation of responsibilities will identify specific roles and responsibilities and shall be
included in the service level agreement (SLA), or otherwise made a part of the Master
Agreement.
d. Unless otherwise stipulated, the Contractor shall encrypt all Non -Public Data at rest and
in transit. The Purchasing Entity shall identify data it deems as Non -Public Data to the
Contractor. The level of protection and encryption for all Non -Public Data shall be identified
in the SLA.
e. At no time shall any data or processes —that either belong to or are intended for the
use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or
retained by the Contractor or any party related to the Contractor for subsequent use in any
transaction that does not include the Purchasing Entity.
Agreement No. 7089
f. The Contractor shall not use any information collected in connection with the Services
issued from this Master Agreement for any purpose other than fulfilling the Services.
3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end
users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be
located solely in data centers in the U.S. The Contractor shall not allow its personnel or
contractors to store Purchasing Entity data on portable devices, including personal computers,
except for devices that are used and kept only at its U.S. data centers. The Contractor shall
permit its personnel and contractors to access Purchasing Entity data remotely only as required
to provide technical support. The Contractor may provide technical user support on a 24/7 basis
using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum.
4. Security Incident or Data Breach Notification:
a. Incident Response: Contractor may need to communicate with outside parties regarding
a security incident, which may include contacting law enforcement, fielding media inquiries
and seeking external expertise as mutually agreed upon, defined by law or contained in the
contract. Discussing security incidents with the Purchasing Entity should be handled on an
urgent as needed basis, as part of Contractor's communication and mitigation processes as
mutually agreed upon, defined by law or contained in the Master Agreement.
b. Security Incident Reporting Requirements: The Contractor shall report a security
incident to the Purchasing Entity identified contact immediately as soon as possible or
promptly without out reasonable delay, or as defined in the SLA.
c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed
data breach that affects the security of any purchasing entity's content that is subject to
applicable data breach notification law, the Contractor shall (1) as soon as possible or
promptly without out reasonable delay notify the Purchasing Entity, unless shorter time is
required by applicable law, and (2) take commercially reasonable measures to address the
data breach in a timely manner.
S. Personal Data Breach Responsibilities: This section only applies when a Data Breach occurs
with respect to Personal Data within the possession or control of the Contractor.
a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate
Purchasing Entity identified contact by telephone in accordance with the agreed upon
security plan or security procedures if it reasonably believes there has been a security
incident.
b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate
Purchasing Entity identified contact within 48 hours or sooner by telephone, unless shorter
time is required by applicable law, if it has confirmed that there is, or reasonably believes
that there has been a Data Breach. The Contractor shall (1) cooperate with the Purchasing
Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data
Breach, (2) promptly implement necessary remedial measures, if necessary, and (3)
Agreement No. 7089
document responsive actions taken related to the Data Breach, including any post -incident
review of events and actions taken to make changes in business practices in providing the
services, if necessary.
6. Notification of Legal Requests: If legally permissible, the Contractor shall contact the
Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches
and expert testimonies related to the Purchasing Entity's data under the Master Agreement, or
which in any way might reasonably require access to the data of the Purchasing Entity. The
Contractor shall not respond to subpoenas, service of process and other legal requests related
to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing
Entity, unless prohibited by law. .
7. Termination and Suspension of Service:
a. In the event of a termination of the Master Agreement or applicable Participating
Addendum, the Contractor shall implement an orderly return of purchasing entity's data in
a CSV or another mutually agreeable format at a time agreed to by the parties or allow the
Purchasing Entity to extract it's data and the subsequent secure disposal of purchasing
entity's data.
b. During any period of service suspension, the Contractor shall not take any action to
intentionally erase or otherwise dispose of any of the Purchasing Entity's data.
c. In the event of termination of any services or agreement in entirety, the Contractor shall
not take any action to intentionally erase purchasing entity's data for a period of:
w 10 days after the effective date of termination, if the termination is in
accordance with the contract period
o 30 days after the effective date of termination, if the termination is for
convenience
• 60 days after the effective date of termination, if the termination is for cause
After such period, the Contractor shall have no obligation to maintain or provide any
purchasing entity's data and shall thereafter, unless legally prohibited, delete all purchasing
entity's data in its systems or otherwise in its possession or under its control.
d. The purchasing entity shall be entitled to any post termination assistance generally
made available with respect to the services, unless a unique data retrieval arrangement has
been established as part of an SLA.
e. Upon termination of the Services or the Agreement in its entirety, Contractor shall
securely dispose of all Purchasing Entity's data in all of its forms, such as disk, CD/ DVD,
Agreement No. 7089
backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be
permanently deleted and shall not be recoverable, according to National Institute of
Standards and Technology (NIST)-approved methods. Certificates of destruction shall be
provided to the Purchasing Entity.
8. Background Checks: Upon the request of the Purchasing Entity, the Contractor shall conduct
criminal background checks and not utilize any staff, including subcontractors, to fulfill the
obligations of the Master Agreement who have been convicted of any crime of dishonesty,
including but not limited to criminal fraud, or otherwise convicted of any felony or
misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The
Contractor shall promote and maintain an awareness of the importance of securing the
Purchasing Entity's information among the Contractor's employees and agents. If any of the
stated personnel providing services under a Participating Addendum is not acceptable to the
Purchasing Entity in its sole opinion as a result of the background or criminal history
investigation, the Purchasing Entity, in its' sole option shall have the right to either (1) request
immediate replacement of the person, or (2) immediately terminate the Participating
Addendum and any related service agreement.
9. Access to Security Logs and Reports: The Contractor shall provide reports on a schedule
specified in the SLA to the Purchasing Entity in a format as specified in the SLA agreed to by
both the Contractor and the Purchasing Entity. Reports shall include latency statistics, user
access, user access IP address, user access history and security logs for all public jurisdiction files
related to this Master Agreement and applicable Participating Addendum.
10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the
Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third
party at its discretion and at the Purchasing Entity's expense.
11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at
least annually at its expense, and provide an unredacted version of the audit report upon
request to a Purchasing Entity. The Contractor may remove its proprietary information from the
unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent
sets the minimum level of a third -party audit.
12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour
advance notice (or as determined by a Purchasing Entity and included in the SLA) to the
Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that
may impact service availability and performance. A major upgrade is a replacement of
hardware, software or firmware with a newer or better version in order to bring the system up
to date or to improve its characteristics. It usually includes a new version number.
Contractor will make updates and upgrades available to Purchasing Entity at no additional costs
when Contractor makes such updates and upgrades generally available to its users.
Agreement No. 7089
No update, upgrade or other charge to the Service may decrease the Service's functionality,
adversely affect Purchasing Entity's use of or access to the Service, or increase the cost of the
Service to the Purchasing Entity.
Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major
update or upgrade.
13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary
system security plans (SSP) or security processes and technical limitations to the Purchasing
Entity such that adequate protection and flexibility can be attained between the Purchasing
Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity
and the Contractor shall understand each other's roles and responsibilities.
14. Non -disclosure and Separation of Duties: The Contractor shall enforce separation of job duties,
require commercially reasonable non -disclosure agreements, and limit staff knowledge of
Purchasing Entity data to that which is absolutely necessary to perform job duties.
15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data
in piecemeal or in entirety at its discretion without interference from the Contractor at any time
during the term of Contractor's contract with the Purchasing Entity. This includes the ability for
the Purchasing Entity to import or export data to/from other Contractors. Contractor shall
specify if Purchasing Entity is required to provide its' own tools for this purpose, including the
optional purchase of Contractors tools if Contractors applications are not able to provide this
functionality directly.
16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition
and operation of all hardware, software and network support related to the services being
provided. The technical and professional activities required for establishing, managing and
maintaining the environments are the responsibilities of the Contractor. The system shall be
available 24/7/365 (with agreed -upon maintenance downtime), and provide service to
customers as defined in the SLA.
17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related
to services provided under this Master Agreement, including but not limited to all
subcontractors or other entities or individuals who may be a party to a joint venture or similar
agreement with the Contractor, and who shall be involved in any application development
and/or operations.
18. Right to Remove Individuals: The Purchasing Entity shall have the right at any time to require
that the Contractor remove from interaction with Purchasing Entity any Contractor
representative who the Purchasing Entity believes is detrimental to its working relationship with
the Contractor. The Purchasing Entity shall provide the Contractor with notice of its
determination, and the reasons it requests the removal. If the Purchasing Entity signifies that a
potential security violation exists with respect to the request, the Contractor shall immediately
Agreement No. 7089
remove such individual. The Contractor shall not assign the person to any aspect of the Master
Agreement or future work orders without the Purchasing Entity's consent.
19. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity
and disaster recovery plan upon request and ensure that the Purchasing Entity's recovery time
objective (RTC) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the
Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual
Disaster Recovery test and take action to correct any issues detected during the test in a time
frame mutually agreed between the Contractor and the Purchasing Entity.
20. Compliance with Accessibility Standards: The Contractor shall comply with and adhere to
Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973, or any
other state laws or'administrative regulations identified by the Participating Entity.
21. Web Services: The Contractor shall use Web services exclusively to interface with the
Purchasing Entity's data in near real time.
22. Encryption of Data at Rest: The Contractor shall ensure hard drive encryption consistent with
validated cryptography standards as referenced in FIPS 140-2, Security Requirements for
Cryptographic Modules for all Personal Data, unless the Purchasing Entity approves in writing
for the storage of Personal Data on a Contractor portable device in order to accomplish work as
defined in the statement of work.
23. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the
Service for its business purposes; (ii) for SaaS, use underlying software as embodied or used in the
Service; and (iii) view, copy, upload and download (where applicable), and use Contractor's
documentation.
No Contractor terms, including standard click through license or website terms or use of privacy
policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement.
Agreement No. 7089
Exhibit 2 to the Master Agreement: Platform -as -a -Service
1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is
related to the Services provided by this Master Agreement. The Contractor shall not access
Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data
center operations, (2) in response to service or technical issues, (3) as required by the express
terms of this Master Agreement, Participating Addendum, SLA, and/or other contract
documents, or (4) at the Purchasing Entity's written request.
Contractor shall not collect, access, or use user -specific Purchasing Entity Data except as strictly
necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing
Entity's use of the Service may be disclosed, provided, rented or sold to any third party for any
reason unless required by law or regulation or by an order of a court of competent jurisdiction. This
obligation shall survive and extend beyond the term of this Master Agreement.
2. Data Protection: Protection of personal privacy and data shall be an integral part of the
business activities of the Contractor to ensure there is no inappropriate or unauthorized use of
Purchasing Entity information at any time. To this end, the Contractor shall safeguard the
confidentiality, integrity and availability of Purchasing Entity information and comply with the
following conditions:
a. The Contractor shall implement and maintain appropriate administrative, technical and
organizational security measures to safeguard against unauthorized access, disclosure or
theft of Personal Data and Non -Public Data. Such security measures shall be in
accordance with recognized industry practice and not less stringent than the measures
the Contractor applies to its own Personal Data and Non -Public Data of similar kind.
b. All data obtained by the Contractor in the performance of the Master Agreement shall
become and remain the property of the Purchasing Entity.
c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless
otherwise stipulated, the Contractor is responsible for encryption of the Personal Data.
Any stipulation of responsibilities will identify specific roles and responsibilities and shall
be included in the service level agreement (SLA), or otherwise made a part of the Master
Agreement.
d. Unless otherwise stipulated, the Contractor shall encrypt all Non -Public Data at rest and
in transit. The Purchasing Entity shall identify data it deems as Non -Public Data to the
Contractor. The level of protection and encryption for all Non -Public Data shall be
identified in the SLA.
e. At no time shall any data or processes — that either belong to or are intended for the use
of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or
retained by the Contractor or any party related to the Contractor for subsequent use in
any transaction that does not include the Purchasing Entity.
Agreement No. 7089
f. The Contractor shall not use any information collected in connection with the Services
issued from this Master Agreement for any purpose other than fulfilling the Services.
3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end
users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be
located solely in data centers in the U.S. The Contractor shall not allow its personnel or
contractors to store Purchasing Entity data on portable devices, including personal computers,
except for devices that are used and kept only at its U.S. data centers. The Contractor shall
permit its personnel and contractors to access Purchasing Entity data remotely only as required
to provide technical support. The Contractor may provide technical user support on a 24/7 basis
using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum.
4. Security Incident or Data Breach Notification: The Contractor shall inform the Purchasing Entity
of any security incident or data breach within the possession and control of the Contractor and
related to the service provided under the Master Agreement, Participating Addendum, or SLA.
Such notice shall include, to the best of Contractor's knowledge at that time, the persons
affected, their identities, and the Confidential Information and Data disclosed, or shall include if
this information is unknown.
a. Incident Response: The Contractor may need to communicate with outside parties
regarding a security incident, which may include contacting law enforcement, fielding
media inquiries and seeking external expertise as mutually agreed upon, defined by law
or contained in the Master Agreement, Participating Addendum, or SLA. Discussing
security incidents with the Purchasing Entity should be handled on an urgent as -needed
basis, as part of Contractor's communication and mitigation processes as mutually
agreed, defined by law or contained in the Master Agreement, Participating Addendum,
or SLA.
b. Security Incident Reporting Requirements: Unless otherwise stipulated, the Contractor
shall immediately report a security incident related to its service under the Master
Agreement, Participating Addendum, or SLA to the appropriate Purchasing Entity.
c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed
data breach that affects the security of any Purchasing Entity data that is subject to
applicable data breach notification law, the Contractor shall (1) promptly notify the
appropriate Purchasing Entity within 48 hours or sooner, unless shorter time is required
by applicable law, and (2) take commercially reasonable measures to address the data
breach in a timely manner
S. Breach Responsibilities: This section only applies when a Data Breach occurs with respect to
Personal Data within the possession or control of the Contractor.
a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate
Purchasing Entity identified contact by telephone in accordance with the agreed upon
security plan or security procedures if it reasonably believes there has been a security
incident.
Agreement No. 7089
b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate
Purchasing Entity identified contact within 24 hours or sooner by telephone, unless
shorter time is required by applicable law, if it has confirmed that there is, or reasonably
believes that there has been a data breach. The Contractor shall (1) cooperate with the
Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and
resolve the data breach, (2) promptly implement necessary remedial measures, if
necessary, and (3) document responsive actions taken related to the data breach,
including any post -incident review of events and actions taken to make changes in
business practices in providing the services, if necessary.
6. Notification of Legal Requests: If legally permissible, the Contractor shall contact the
Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches
and expert testimonies related to the Purchasing Entity's data under the Master Agreement, or
which in any way might reasonably require access to the data of the Purchasing Entity. The
Contractor shall not respond to subpoenas, service of process and other legal requests related
to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing
Entity, unless prohibited by law.
7. Termination and Suspension of Service:
a. In the event of an early termination of the Master Agreement, Participating or SLA,
Contractor shall allow for the Purchasing Entity to retrieve its digital content and provide
for the subsequent secure disposal of the Purchasing Entity's digital content.
b. During any period of service suspension, the Contractor shall not take any action to
intentionally erase or otherwise dispose of any of the Purchasing Entity's data.
c. In the event of early termination of any Services or agreement in entirety, the Contractor
shall not take any action to intentionally erase any Purchasing Entity's data for a period
of 1) 45 days after the effective date of termination, if the termination is for
convenience; or 2) 60 days after the effective date of termination, if the termination is
for cause. After such day period, the Contractor shall have no obligation to maintain or
provide any Purchasing Entity data and shall thereafter, unless legally prohibited, delete
all Purchasing Entity data in its systems or otherwise in its possession or under its control..
In the event of either termination for cause, the Contractor will impose no fees for access
and retrieval of digital content to the Purchasing Entity.
d. The Purchasing Entity shall be entitled to any post termination assistance generally made
available with respect to the services, unless a unique data retrieval arrangement has
been established as part of an SLA.
e. Upon termination of the Services or the Agreement in its entirety, Contractor shall
securely dispose of all Purchasing Entity's data in all of its forms, such as disk, CD/ DVD,
backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall
be permanently deleted and shall not be recoverable, according to National Institute of
Agreement No. 7089
Standards and Technology (NIST)-approved methods. Certificates of destruction shall be
provided to the Purchasing Entity.
8. Background Checks:
a. Upon the request of the Purchasing Entity, the Contractor shall conduct criminal
background checks and not utilize any staff, including subcontractors, to fulfill the
obligations of the Master Agreement who have been convicted of any crime of
dishonesty, including but not limited to criminal fraud, or otherwise convicted of any
felony or misdemeanor offense for which incarceration for up to 1 year is an authorized
penalty. The Contractor shall promote and maintain an awareness of the importance of
securing the Purchasing Entity's information among the Contractor's employees and
agents.
b. The Contractor and the Purchasing Entity recognize that security responsibilities are
shared. The Contractor is responsible for providing a secure infrastructure. The
Purchasing Entity is responsible for its secure guest operating system, firewalls and other
logs captured within the guest operating system. Specific shared responsibilities are
identified within the SLA.
c. If any of the stated personnel providing services under a Participating Addendum is not
acceptable to the Purchasing Entity in its sole opinion as a result of the background or
criminal history investigation, the Purchasing Entity, in its' sole option shall have the right
to either (1) request immediate replacement of the person, or (2) immediately terminate
the Participating Addendum and any related service agreement.
9. Access to Security Logs and Reports:
a. The Contractor shall provide reports on a schedule specified in the SLA to the Purchasing
Entity in a format as specified in the SLA and agreed to by both the Contractor and the
Purchasing Entity. Reports will include latency statistics, user access, user access IP address,
user access history and security logs for all Purchasing Entity files related to the Master
Agreement, Participating Addendum, or SLA.
b. The Contractor and the Purchasing Entity recognize that security responsibilities are
shared. The Contractor is responsible for providing a secure infrastructure. The
Purchasing Entity is responsible for its secure guest operating system, firewalls and other
logs captured within the guest operating system. Specific shared responsibilities are
identified within the SLA.
10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the
Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third
party at its discretion and at the Purchasing Entity's expense.
11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at
least annually at its expense, and provide an unredacted version of the audit report upon
Agreement No. 7089
request to a Purchasing Entity. The Contractor may remove its proprietary information from the
unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent
sets the minimum level of a third -party audit.
12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour
advance notice (or as determined by a Purchasing Entity and included in the SLA) to the
Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that
may impact service availability and performance. A major upgrade is a replacement of
hardware, software or firmware with a newer or better version in order to bring the system up
to date or to improve its characteristics. It usually includes a new version number.
Contractor will make updates and upgrades available to Purchasing Entity at no additional costs
when Contractor makes such updates and upgrades generally available to its users.
No update, upgrade or other charge to the Service may decrease the Service's functionality,
adversely affect Purchasing Entity's use of or access to the Service, or increase the cost of the
Service to the Purchasing Entity.
Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major
update or upgrade.
13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary
system security plans (SSP) or security processes and technical limitations to the Purchasing
Entity such that adequate protection and flexibility can be attained between the Purchasing
Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity
and the Contractor shall understand each other's roles and responsibilities.
14. Non -disclosure and Separation of Duties: The Contractor shall enforce separation of job duties,
require commercially reasonable non -disclosure agreements, and limit staff knowledge of
Purchasing Entity data to that which is absolutely necessary to perform job duties.
15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data
in piecemeal or in entirety at its discretion without interference from the Contractor at any time
during the term of Contractor's contract with the Purchasing Entity. This includes the ability for
the Purchasing Entity to import or export data to/from other Contractors. Contractor shall
specify if Purchasing Entity is required to provide its' own tools for this purpose, including the
optional purchase of Contractors tools if Contractors applications are not able to provide this
functionality directly.
16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition
and operation of all hardware, software and network support related to the services being
provided. The technical and professional activities required for establishing, managing and
maintaining the environments are the responsibilities of the Contractor. The system shall be
available 24/7/365 (with agreed -upon maintenance downtime), and provide service to
customers as defined in the SLA.
Agreement No. 7089
17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related
to services provided under this Master Agreement, including but not limited to all
subcontractors or other entities or individuals who may be a party to a joint venture or similar
agreement with the Contractor, and who shall be involved in any application development
and/or operations.
18. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity
and disaster recovery plan upon request and ensure that the Purchasing Entity's recovery time
objective (RTO) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the
Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual
Disaster Recovery test and take action to correct any issues detected during the test in a time
frame mutually agreed between the Contractor and the Purchasing Entity.
19. Compliance with Accessibility Standards: The Contractor shall comply with and adhere to
Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973 or any
other state laws or administrative regulations identified by the Participating Entity..
20. Web Services: The Contractor shall use Web services exclusively to interface with the
Purchasing Entity's data in near real time.
21. Encryption of Data at Rest: The Contractor shall ensure hard drive encryption consistent with
validated cryptography standards as referenced in FIPS 140-2, Security Requirements for
Cryptographic Modules for all Personal Data as identified in the SLA, unless the Contractor
presents a justifiable position that is approved by the Purchasing Entity that Personal Data, is
required to be stored on a Contractor portable device in order to accomplish work as defined in
the scope of work.
22. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the
Service for its business purposes; (ii) for PaaS, use underlying software as embodied or used in the
Service; and (iii) view, copy, upload and download (where applicable), and use Contractor's
documentation.
No Contractor terms, including standard click through license or website terms or use of privacy
policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement.
Agreement No. 7089
Exhibit 3 to the Master Agreement: Infrastructure -as -a -Service
1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is
related to the Services provided by this Master Agreement. The Contractor shall not access
Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data
center operations, (2) in response to service or technical issues, (3) as required by the express
terms of this Master Agreement, Participating Addendum, SLA, and/or other contract
documents, or (4) at the Purchasing Entity's written request.
Contractor shall not collect, access, or use user -specific Purchasing Entity Data except as strictly
necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing
Entity's use of the Service may be disclosed, provided, rented or sold to any third party for any
reason unless required by law or regulation or by an order of a court of competent jurisdiction. This
obligation shall survive and extend beyond the term of this Master Agreement.
2. Data Protection: Protection of personal privacy and data shall be an integral part of the
business activities of the Contractor to ensure there is no inappropriate or unauthorized use of
Purchasing Entity information at any time. To this end, the Contractor shall safeguard the
confidentiality, integrity and availability of Purchasing Entity information and comply with the
following conditions:
a. The Contractor shall implement and maintain appropriate administrative, technical and
organizational security measures to safeguard against unauthorized access, disclosure or
theft of Personal Data and Non -Public Data. Such security measures shall be in accordance
with recognized industry practice and not less stringent than the measures the Contractor
applies to its own Personal Data and Non -Public Data of similar kind.
b. All data obtained by the Contractor in the performance of the Master Agreement shall
become and remain the property of the Purchasing Entity.
c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless
otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any
stipulation of responsibilities will identify specific roles and responsibilities and shall be
included in the service level agreement (SLA), or otherwise made a part of the Master
Agreement.
d. Unless otherwise stipulated, the Contractor shall encrypt all Non -Public Data at rest and
in transit. The Purchasing Entity shall identify data it deems as Non -Public Data to the
Contractor. The level of protection and encryption for all Non -Public Data shall be identified
in the SLA.
e. At no time shall any data or processes —that either belong to or are intended for the
use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or
retained by the Contractor or any party related to the Contractor for subsequent use in any
transaction that does not include the Purchasing Entity.
Agreement No. 7089
f. The Contractor shall not use any information collected in connection with the Services
issued from this Master Agreement for any purpose other than fulfilling the Services.
3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end
users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be
located solely in data centers in the U.S. The Contractor shall not allow its personnel or
contractors to store Purchasing Entity data on portable devices, including personal computers,
except for devices that are used and kept only at its U.S. data centers. The Contractor shall
permit its personnel and contractors to access Purchasing Entity data remotely only as required
to provide technical support. The Contractor may provide technical user support on a 24/7 basis
using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum.
4. Security Incident or Data Breach Notification: The Contractor shall inform the Purchasing Entity
of any security incident or data breach related to Purchasing Entity's Data within the possession
or control of the Contractor and related to the service provided under the Master Agreement,
Participating Addendum, or SLA. Such notice shall include, to the best of Contractor's
knowledge at that time, the persons affected, their identities, and the Confidential Information
and Data disclosed, or shall include if this information is unknown.
a. Security Incident Reporting Requirements: The Contractor shall report a security
incident to the Purchasing Entity identified contact immediately as soon as possible or
promptly without out reasonable delay, or as defined in the SLA.
b. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed
data breach that affects the security of any purchasing entity's content that is subject to
applicable data breach notification law, the Contractor shall (1) as soon as possible or
promptly without out reasonable delay notify the Purchasing Entity, unless shorter time is
required by applicable law, and (2) take commercially reasonable measures to address the
data breach in a timely manner.
S. Breach Responsibilities: This section only applies when a Data Breach occurs with respect to
Personal Data within the possession or control of the Contractor and related to the service
provided under the Master Agreement, Participating Addendum, or SLA.
a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate
Purchasing Entity identified contact by telephone in accordance with the agreed upon
security plan or security procedures if it reasonably believes there has been a security
incident.
b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate
Purchasing Entity identified contact within 48 hours or sooner by telephone, unless shorter
time is required by applicable law, if it has confirmed that there is, or reasonably believes
that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing
Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data
Breach, (2) promptly implement necessary remedial measures, if necessary, and (3)
document responsive actions taken related to the Data Breach, including any post -incident
Agreement No. 7089
review of events and actions taken to make changes in business practices in providing the
services, if necessary.
Notification of Legal Requests: If legally permissible, the Contractor shall contact the
Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches
and expert testimonies related to the Purchasing Entity's data under the Master Agreement, or
which in any way might reasonably require access to the data of the Purchasing Entity. The
Contractor shall not respond to subpoenas, service of process and other legal requests related
to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing
Entity, unless prohibited by law.
7. Termination and Suspension of Service:
a. In the event of an early termination of the Master Agreement, Participating or SLA,
Contractor shall allow for the Purchasing Entity to retrieve its digital content and provide
for the subsequent secure disposal of the Purchasing Entity's digital content.
b. During any period of service suspension, the Contractor shall not take any action to
intentionally erase or otherwise dispose of any of the Purchasing Entity's data.
c. In the event of early termination of. any Services or agreement in entirety, the
Contractor shall not take any action to intentionally erase any Purchasing Entity's data for a
period of 1) 45 days after the effective date of termination, if the termination is for
convenience; or 2) 60 days after the effective date of termination, if the termination is for
cause. After such day period, the Contractor shall have no obligation to maintain or provide
any Purchasing Entity data and shall thereafter, unless legally prohibited, delete all
Purchasing Entity data in its systems or otherwise in its possession or under its control. In
the event of either termination for cause, the Contractor will impose no fees for access and
retrieval of digital content to the Purchasing Entity.
d. The Purchasing Entity shall be entitled to any post termination assistance generally
made available with respect to the services, unless a unique data retrieval arrangement has
been established as part of an SLA.
e. Upon termination of the Services or the Agreement in its entirety, Contractor shall
securely dispose of all Purchasing Entity's data in all of its forms, such as disk, CD/ DVD,
backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be
permanently deleted and shall not be recoverable, according to National Institute of
Standards and Technology (NIST)-approved methods. Certificates of destruction shall be
provided to the Purchasing Entity.
8. Background Checks:
a. Upon the request of the Purchasing Entity, the Contractor shall conduct criminal
background checks and not utilize any staff, including subcontractors, to fulfill the
obligations of the Master Agreement who have been convicted of any crime of dishonesty,
Agreement No. 7089
including but not limited to criminal fraud, or otherwise convicted of any felony or
misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The
Contractor shall promote and maintain an awareness of the importance of securing the
Purchasing Entity's information among the Contractor's employees and agents.
b. The Contractor and the Purchasing Entity recognize that security responsibilities are
shared. The Contractor is responsible for providing a secure infrastructure. The Purchasing
Entity is responsible for its secure guest operating system, firewalls and other logs captured
within the guest operating system. Specific shared responsibilities are identified within the
SLA.
c. If any of the stated personnel providing services under a Participating Addendum is not
acceptable to the Purchasing Entity in its sole opinion as a result of the background or
criminal history investigation, the Purchasing Entity, in its' sole option shall have the right
to either (1) request immediate replacement of the person, or (2) immediately terminate
the Participating Addendum and any related service agreement.
9. Access to Security Logs and Reports:
a. The Contractor shall provide reports on a schedule specified in the SLA to the Contractor
directly related to the infrastructure that the Contractor controls upon which the
Purchasing Entity's account resides. Unless otherwise agreed to in the SLA, the Contractor
shall provide the public jurisdiction a history or all API calls for the Purchasing Entity
account that includes the identity of the API caller, the time of the API call, the source IP
address of the API caller, the request parameters and the response elements returned by
the Contractor. The report will be sufficient to enable the Purchasing Entity to perform
security analysis, resource change tracking and compliance auditing
b. The Contractor and the Purchasing Entity recognize that security responsibilities are
shared. The Contractor is responsible for providing a secure infrastructure. The Purchasing
Entity is responsible for its secure guest operating system, firewalls and other logs captured
within the guest operating system. Specific shared responsibilities are identified within the
SLA.
10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the
Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third
party at its discretion and at the Purchasing Entity's expense.
11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at
least annually and at its own expense, and provide an unredacted version of the audit report
upon request. The Contractor may remove its proprietary information from the unredacted
version. For example, a Service Organization Control (SOC) 2 audit report would be sufficient.
12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour
advance notice (or as determined by a Purchasing Entity and included in the SLA) to the
Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that
Agreement No. 7089
may impact service availability and performance. A major upgrade is a replacement of
hardware, software or firmware with a newer or better version in order to bring the system up
to date or to improve its characteristics. It usually includes a new version number.
Contractor will make updates and upgrades available to Purchasing Entity at no additional costs
when Contractor makes such updates and upgrades generally available to its users.
No update, upgrade or other charge to the Service may decrease the Service's functionality,
adversely affect Purchasing Entity's use of or access to the Service, or increase the cost of the
Service to the Purchasing Entity.
Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major
update or upgrade.
13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary
system security plans (SSP) or security processes and technical limitations to the Purchasing
Entity such that adequate protection and flexibility can be attained between the Purchasing
Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity
and the Contractor shall understand each other's roles and responsibilities.
14. Non -disclosure and Separation of Duties: The Contractor shall enforce separation of job duties,
require commercially reasonable non -disclosure agreements, and limit staff knowledge of
Purchasing Entity data to that which is absolutely necessary to perform job duties.
15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data
in piecemeal or in entirety at its discretion without interference from the Contractor at any time
during the term of Contractor's contract with the Purchasing Entity. This includes the ability for
the Purchasing Entity to import or export data to/from other Contractors. Contractor shall
specify if Purchasing Entity is required to provide its' own tools for this purpose, including the
optional purchase of Contractors tools if Contractors applications are not able to provide this
functionality directly.
16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition
and operation of all hardware, software and network support related to the services being
provided. The technical and professional activities required for establishing, managing and
maintaining the environments are the responsibilities of the Contractor. The system shall be
available 24/7/365 (with agreed -upon maintenance downtime), and provide service to
customers as defined in the SLA.
17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related
to services provided under this Master Agreement, including but not limited to all
subcontractors or other entities or individuals who may be a party to a joint venture or similar
agreement with the Contractor, and who shall be involved in any application development
and/or operations.
Agreement No. 7089
18. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity
and disaster recovery plan upon request and ensure that the Purchasing Entity's recovery time
objective (RTO) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the
Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual
Disaster Recovery test and take action to correct any issues detected during the test in a time
frame mutually agreed between the Contractor and the Purchasing Entity.
19. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the
Service for its business purposes; (ii) for IaaS, use underlying software as embodied or used in the
Service; and (iii) view, copy, upload and download (where applicable), and use Contractor's
documentation.
No Contractor terms, including standard click through license or website terms or use of privacy policy,
shall apply to Purchasing Entities unless such terms are included in this Master Agreement via
amendment.
Agreement No. 7089
V
SN
L
aJ
C0
C
aJ
al
H
O
c
M
u
C
al
I
m
i+
C
E
s
u
M
Q
4
v
a,
O
41
EA
>p
Q
f6
E
}
a
LL
Vf
L
41cu
v
E
u
a
N
:Ea)
~
L1
c3i
'p
a1
'^
+�+
.O
n3 Q
a)
� E
a1
&A
G!
p
£
i
C.
ar
0
w
�' 0
LL Z
c u>
hp 'j
L
Ln
0 Q
vi u
,_�
O
O
t
�nQi
I— M
V
V Ci
u al >
10 O 41
0 o L
Q C7 >
3
i
Ln
�
ai
dD
O
0op
aJ
>
aJ
L
LL.
0
Z
u
'>
L
aJ
Ln
Lnj
ai
Ln
vi
a) +
L
O +J
o L
C7 >
3
r O
4-1+
(O
-0 a1
E
ipp
C
by
gyp— 4M
cu
ro -0
>
t Y
7,
N
U
do
•L a)pC
LA
O
L
j
(D }
(p
v)
c
fa
O
L
L
L
cu
E
O
>-
Ln
�
O
�
0
3
Ln>`
C
4M
L
L
L
O—
O
t
.-'
c
tip
O
E
4-13
-beo
Y
T u
ro
>`
u
to
>` u
M
c
:F3 4'
3V,
3
7
>
O
0
2
> Z>
>
>
O
0
.0
v
N
M
'L
4�
O
M
L
L
L
w En
O
p
E
p
O
aJ
aJ
al
3 Q
-O in
cu
Op
4;
N
O
O
0
u CC
>
d
v
v
v
L
L
Q u
tUl
�+
�.
L
Ca
u
i
4-
h
4-
4-
aJ
'C
.a' C
a)c
.L c
L
E ,n
4-
c
2
>
>
>
a)
u
,n
L
O
++ EA
a)
t
O
L
�
V1
3
L
L
L
a) M
L
M
E
4-
O
a)
a)
aJ
U
p
Z
op
O
0
0
O ai
v
4-
tw
O
>
—
(Q
*'
M,,,
L
L
L
; N
M a
c
M
p
0
3
3
3
Ln
M
L
cO
Y
>• u
u
A u '....
aJ
O
of
-0 M
0
M
m
a
a)
a,
OJ
o
3
.22 C:
c
L
0 o
L
aJ
C
C
J
f6 c
> C
>
CC
G
cc
> G
rd
h
...
3 ra
�
aJ
Ln
Q .
Q
d
L
U
E
O
L O
u
L
O al op
�
�
p
3 O
7
O
O 41 c
E
_
Lq v
Ln
v,
M
>
E a,
L
O
L
f O
Q
u
O a1 cyo
Vf pp L
4-
M
•L
Ln
M
N
M
M c -O
O
f6i
v
�O
.�
to
'^
a
o co 0
E E
U