C15-346 Civicore LLC
AGREEMENT FOR LICENSE AND SERVICES
BETWEEN EAGLE COUNTY, COLORADO
AND
CIVICORE LLC
THIS AGREEMENT ("Agreement") is effective as of the day of 2015 by and between
CiviCore, LLC a Colorado company with its principal place of business at 1580 Lincoln Street, Suite 520, Denver,
Colorado 80203 (hereinafter "Contractor" or "Consultant") and Eagle County, Colorado, a body corporate and
politic (hereinafter "County").
RECITALS
WHEREAS, County wishes to contract with a software developer for a license to use certain victim's services case
management software and for hosting, maintenance and support services of the same; and
WHEREAS, Contractor is authorized to do business in the State of Colorado and has the time, skill, expertise, and
experience necessary to provide the Services as defined below in paragraph 1 hereof; and
WHEREAS, this Agreement shall govern the relationship between Contractor and County in connection with the
Services.
AGREEMENT
NOW, THEREFORE, in consideration of the foregoing and the following promises Contractor and County agree as
follows:
1. Grant of License and Services to be Performed. Contractor hereby grants County a perpetual license to use
the CiviCore software (the "Software") described in Exhibit A, attached hereto and incorporated herein by this
reference and agrees to make such modifications to such Software so that it is customized and conforms to the
descriptions contained in Exhibit A, including the field mapping feature shown in Appendix 1 (the "Software
Development Services"). Contractor agrees to diligently provide all services, labor, personnel and materials
necessary to provide hosting, maintenance and support for the Software as set forth in Exhibit A ("Hosting
Services"). The Software Development Services and Hosting Services may be collectively referred to herein as the
"Services". The Services shall be performed in accordance with the provisions and conditions of this Agreement.
a. Contractor agrees to furnish the Services in accordance with the schedules or timeframes
established in Exhibit A. If no completion date is specified in Exhibit A, then Contractor agrees to furnish the
Services in a timely and expeditious manner consistent with the applicable standard of care. By signing below
Contractor represents that it has the expertise and personnel necessary to properly and timely perform the Services.
b. In the event of any conflict or inconsistency between the terms and conditions set forth in Exhibit
A and the terms and conditions set forth in this Agreement, the terms and conditions set forth in this Agreement
shall prevail.
2. County's Representative. The Eagle County Innovation and Technology Department's designee shall be
Contractor's contact with respect to this Agreement and performance of the Services.
3. Term of the Agreement. This Agreement shall commence upon the date first written above, and subject to
the provisions of paragraph 15 hereof, Contractor's obligation to complete the Software Development Services
described in Exhibit A shall continue in full force and effect until the Services described in Exhibit A are completed.
For the ongoing Hosting Services, this Agreement shall extend for a period of one year from the date first above
written (the "Initial Term") and may be renewed for up to five additional one-year terms upon written approval of
the County, in its sole discretion (each one year term after the Initial Term shall hereinafter be referred to as a
"Renewal Term"). The Initial Term and all subsequent Renewal Terms shall collectively be referred to as the
"Term."
4. Extension or Modification. This Agreement may be extended by written agreement of the parties. Any
amendments or modifications shall be in writing signed by both parties. No additional services or work performed
by Contractor shall be the basis for additional compensation unless and until Contractor has obtained written
authorization and acknowledgement by County for such additional services in accordance with County's internal
policies. Accordingly, no course of conduct or dealings between the parties, nor verbal change orders, express or
implied acceptance of alterations or additions to the Services, and no claim that County has been unjustly enriched
by any additional services, whether or not there is in fact any such unjust enrichment, shall be the basis of any
increase in the compensation payable hereunder. In the event that written authorization and acknowledgment by
County for such additional services is not timely executed and issued in strict accordance with this Agreement,
Contractor's rights with respect to such additional services shall be deemed waived and such failure shall result in
non-payment for such additional services or work performed.
5. Compensation. County shall compensate Contractor for the right to use and the Software Development
Services in a sum computed and payable as set forth in Exhibit A. Compensation for the performance of the
Software development Services described in Exhibit A shall not exceed $9,750 without a signed amendment to this
Agreement. If County wishes to add a major new function to the Software developed under this Agreement,
Contractor shall prepare a written proposal including an estimate of the development time necessary to create the
new function; the rate for such development work will be $150 per hour, but such additional development time shall
not be billed without a signed amendment to this Agreement. For Hosting, Maintenance and Support Services
identified in Exhibit A, County shall pay Contractor $250/month during the Initial Term and, subject to annual
budgeting and appropriation by County, for all subsequent Renewal Terms. The first monthly Hosting Fee will be
assessed commencing with the first month after the month in which County approves the Software functionality.
For any Renewal Term, Contractor may increase the monthly Hosting, Maintenance and Support Service fee by not
more than 5% per year by providing written notice to County no later than June 1, which adjustment shall take effect
no sooner than January 1 of the succeeding year. Contractor shall not be entitled to bill at overtime and/or double
time rates for work done outside of normal business hours unless specifically authorized in writing by County.
a. Payment will be made for Services satisfactorily performed within thirty (30) days of receipt of a
proper and accurate invoice from Contractor. All invoices shall include detail regarding the hours spent, tasks
performed, who performed each task and such other detail as County may request.
b. If, at any time during the term or after termination or expiration of this Agreement, County
reasonably determines that any payment made by County to Contractor was improper because the Services for
which payment was made were not performed as set forth in this Agreement, then upon written notice of such
determination and request for reimbursement from County, Contractor shall forthwith return such payment(s) to
County. Upon termination or expiration of this Agreement, unexpended funds advanced by County, if any, shall
forthwith be returned to County.
c. County will not withhold any taxes from monies paid to the Contractor hereunder and Contractor
agrees to be solely responsible for the accurate reporting and payment of any taxes related to payments made
pursuant to the terms of this Agreement.
Eagle County Professional Services IT Final 5/14
d. Notwithstanding anything to the contrary contained in this Agreement, County shall have no
obligations under this Agreement after, nor shall any payments be made to Contractor in respect of any period after
December 31 of any year, without an appropriation therefor by County in accordance with a budget adopted by the
Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local
Government Budget Law (C.R.S. 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X,
Sec. 20).
6. Subcontractors. Contractor acknowledges that County has entered into this Agreement in reliance upon the
particular reputation and expertise of Contractor. Contractor shall not enter into any subcontractor agreements for
the performance of any of the Services or additional services without County's prior written consent, which may be
withheld in County's sole discretion. County shall have the right in its reasonable discretion to approve all
personnel assigned to the subject Project during the performance of this Agreement and no personnel to whom
County has an objection, in its reasonable discretion, shall be assigned to the Project. Contractor shall require each
subcontractor, as approved by County and to the extent of the Services to be performed by the subcontractor, to be
bound to Contractor by the terms of this Agreement, and to assume toward Contractor all the obligations and
responsibilities which Contractor, by this Agreement, assumes toward County. County shall have the right (but not
the obligation) to enforce the provisions of this Agreement against any subcontractor hired by Contractor and
Contractor shall cooperate in such process. The Contractor shall be responsible for the acts and omissions of its
agents, employees and subcontractors.
7. Insurance. Contractor agrees to provide and maintain at Contractor's sole cost and expense, the following
insurance coverage with limits of liability not less than those stated below:
a. Types of Insurance.
i. Workers' Compensation insurance as required by law.
ii. Auto coverage as necessary and in accordance with state law.
iii. At all times during the term of this Agreement, including any renewal terms, Contractor
shall carry Commercial General Liability coverage to include premises and operations, personal/advertising injury,
products/completed operations, broad form property damage with limits of liability not less than $1,000,000 per
occurrence and $1,000,000 aggregate limits.
iv. No later than three months after the date first above written, or the date the CiviCore
software goes "live" for use by County (whichever date comes first), Contractor shall have obtained and shall carry
during the term of the Agreement, including any renewal terms, Professional Liability (Errors and Omissions)
coverage including Cyber Liability with prior acts coverage for all deliverables, Services and additional services
required hereunder, in a form and with insurer or insurers satisfactory to County, with limits of liability of not less than
$3,000,000 per claim and $3,000,000 in the aggregate. The insurance shall provide coverage for (i) liability arising from
theft, dissemination and/or use of confidential information stored or transmitted in electronic form; (ii) liability arising
from the introduction of a computer virus into, or otherwise causing damage to, County or a third person's computer,
computer system, network or similar computer related property and the data, software and programs thereon.
Intentionally omitted.
b. Other Requirements.
i. The automobile and commercial general liability coverage shall be endorsed to include
Eagle County, its associated or affiliated entities, its successors and assigns, elected officials, employees, agents and
volunteers as additional insureds. A certificate of insurance consistent with the foregoing requirements is attached
hereto as Exhibit B.
ii. Contractor's certificates of insurance shall include subcontractors, if any as additional
insureds under its policies or Contractor shall furnish to County separate certificates and endorsements for each
subcontractor.
iii. The insurance provisions of this Agreement shall survive expiration or
termination hereof.
iv. The parties hereto understand and agree that the County is relying on, and does
not waive or intend to waive by any provision of this Agreement, the monetary limitations or rights, immunities and
protections provided by the Colorado Governmental Immunity Act, as from time to time amended, or otherwise
available to County, its affiliated entities, successors or assigns, its elected officials, employees, agents and
volunteers.
v. Contractor is not entitled to workers' compensation benefits except as
provided by the Contractor, nor to unemployment insurance benefits unless unemployment compensation coverage
is provided by Contractor or some other entity. The Contractor is obligated to pay all federal and state income tax
on any moneys paid pursuant to this Agreement.
8. Indemnification. The Contractor shall indemnify and hold harmless County, and any of its officers, agents
and employees against any losses, claims, damages or liabilities for which County may become subject to insofar as
any such losses, claims, damages or liabilities arise out of, directly or indirectly, this Agreement, or are based upon
any performance or nonperformance by Contractor or any of its subcontractors hereunder; and Contractor shall
reimburse County for reasonable attorney fees and costs, legal and other expenses incurred by County in connection
with investigating or defending any such loss, claim, damage, liability or action. This indemnification shall not
apply to claims by third parties against the County to the extent that County is liable to such third party for such
claims without regard to the involvement of the Contractor. This paragraph shall survive expiration or termination
hereof.
9. Ownership of Data and Intellectual Property. County retains the ownership of any data entered into the
new website and database created by Contractor. Contractor shall retain all right, title and interest in the intellectual
property utilized to create the Software, and rights not expressly granted herein are reserved to Contractor.
Contractor grants to County a worldwide, perpetual (except where terminated for material breach of license), fully-paid
(subject to payment of fees set forth herein), non-exclusive, non-transferable, limited license to use the
Software as necessary for its internal use only. Notwithstanding the foregoing sentence and except as prohibited by
applicable law, County may not: (a) make copies of the Software consisting of computer programming code,
whether in source code or object code form, other than for archival purposes; or (b) modify, decompile, or reverse-engineer
the Software except as necessary to maintain the Work for County's internal use as designed by Contractor.
All data provided by County shall remain the property of County and shall be governed by the confidentiality
obligations set forth herein. If Contractor dissolves as a corporate entity and ceases operations, the Contractor
agrees to immediately transfer ownership of computer programming code that drives the database and associated
website to an appropriate and capable entity that will continue operating the database and associated website.
10. Data Protection. Protection of County Data (which includes all data created or in any way originating with
the County, and all data that is the output of computer processing of or other electronic manipulation of any data that
was created by or in any way originated with the County or was shared with the County by another law enforcement
agency, whether such data or output is stored on the County's hardware, the vendor's hardware or exists in any
system owned, maintained or otherwise controlled by the County or by the Contractor) shall be an integral part of
the business activities of the Contractor to ensure there is no inappropriate or unauthorized use of County Data at
any time. To this end, the vendor shall safeguard the confidentiality, integrity and availability of County Data and
comply with the following conditions:
a. The Vendor shall implement and maintain commercially reasonable and appropriate administrative,
technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of
County Data.
b. Such security measures shall be in accordance with the standards set forth in the Civicore Application
Security and Physical Infrastructure Overview attached hereto as Exhibit C and incorporated herein by this
reference.
c. Vendor shall maintain the standards established by the Civicore Backup and Recovery plan, which is
attached hereto as Exhibit D and incorporated herein by this reference.
11. Security Incident or Data Breach Notification: Contractor shall inform the County of any security incident
or data breach.
a. Incident Response: Contractor may need to communicate with outside parties regarding a security
incident, which may include contacting law enforcement, fielding media inquiries and seeking external
expertise as mutually agreed upon, defined by law or contained in the contract. Discussing security
incidents with the County should be handled on an urgent as-needed basis, as part of service provider
communication and mitigation processes as mutually agreed upon, defined by law or contained in the
contract.
b. Security Incident Reporting Requirements: The Contractor shall report a security incident to the
County identified contact immediately or as soon as reasonably practicable.
c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed data breach
that affects the security of any County content that is subject to applicable data breach notification law, the
Contractor shall (1) promptly notify the County identified contact within 24 hours or sooner, unless shorter
time is required by applicable law, and (2) take commercially reasonable measures to address the data
breach in a timely manner.
12. Breach Responsibilities: This section only applies when a data breach occurs with respect to personal
data within the possession or control of the Contractor.
a. The Contractor, unless stipulated otherwise, shall immediately notify the County identified contact by
telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes
there has been a security incident.
b. The Contractor, unless stipulated otherwise, shall promptly notify the County identified contact within
24 hours or sooner by telephone and email, unless shorter time is required by applicable law, if it confirms
that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate
with the County as reasonably requested by the County to investigate and resolve the data breach, (2)
promptly implement necessary remedial measures, if necessary, and (3) document responsive actions
taken related to the data breach, including any post-incident review of events and actions taken to make
changes in business practices in providing the services, if necessary.
c. Unless otherwise stipulated, if a data breach is a direct result of the Contractor's breach of its contract
obligation to encrypt personal data or otherwise prevent its release, the Contractor shall bear the costs
associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals,
regulators or others required by state law; (3) a credit monitoring service required by state (or federal) law;
(4) a website or a toll-free number and call center for affected individuals required by state law — all not
to exceed the average per record per person cost calculated for data breaches in the United States
(currently $201 per record/person) in the most recent Cost of Data Breach Study: Global Analysis
published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions
as reasonably determined by service provider based on root cause; all [(1) through (5)] subject to this
contract's limitation of liability.
13. Notification of Legal Requests: The Contractor shall contact the County upon receipt of any electronic
discovery, litigation holds, discovery searches and expert testimonies related to the County's data under this
contract, or which in any way might reasonably require access to the data of the public jurisdiction. The
Contractor shall not respond to subpoenas, service of process and other legal requests related to the public
jurisdiction without first notifying the County, unless prohibited by law from providing such notice.
14. Notice. Any notice required by this Agreement shall be deemed properly delivered when (i) personally
delivered, or (ii) when mailed in the United States mail, first class postage prepaid, or (iii) when delivered by FedEx
or other comparable courier service, charges prepaid, to the parties at their respective addresses listed below, or (iv)
when sent via facsimile so long as the sending party can provide facsimile machine or other confirmation showing
the date, time and receiving facsimile number for the transmission, or (v) when transmitted via e-mail with
confirmation of receipt. Either party may change its address for purposes of this paragraph by giving five (5) days
prior written notice of such change to the other party.
COUNTY:
Eagle County, Colorado
Attention: Amanda Bay
500 Broadway
Post Office Box 850
Eagle, CO 81631
Telephone: 970-328-3585
Facsimile: 970-328-3599
E-Mail: Amanda.bay@eaglecounty.us
With a copy to:
Eagle County Attorney
500 Broadway
Post Office Box 850
Eagle, CO 81631
Telephone: 970-328-8685
Facsimile: 970-328-8699
E-Mail: atty@eaglecounty.us
CONTRACTOR:
15. Termination. County may terminate this Agreement, in whole or in part, at any time and for any reason,
with or without cause, and without penalty therefor with seven (7) calendar days' prior written notice to the
Contractor. Contractor may terminate this Agreement, in whole or in part, with one hundred eighty (180) days
written notice to County. Upon termination of this Agreement, County shall pay Contractor for Services
satisfactorily performed to the date of termination. Either party may terminate this Agreement upon written notice
for material breach, provided, however, that the terminating party shall give the other party at least fourteen (14)
days written notice and the opportunity to cure such breach.
16. Venue, Jurisdiction and Applicable Law. Any and all claims, disputes or controversies related to this
Agreement, or breach thereof, shall be litigated in the District Court for Eagle County, Colorado, which shall be the
sole and exclusive forum for such litigation. This Agreement shall be construed and interpreted under and shall be
governed by the laws of the State of Colorado.
17. Execution by Counterparts; Electronic Signatures. This Agreement may be executed in two or more
counterparts, each of which shall be deemed an original, but all of which shall constitute one and the same
instrument. The parties approve the use of electronic signatures for execution of this Agreement. Only the following
two forms of electronic signatures shall be permitted to bind the parties to this Agreement: (i) Electronic or
facsimile delivery of a fully executed copy of the signature page; (ii) the image of the signature of an authorized
signer inserted onto PDF format documents. All documents must be properly notarized, if applicable. All use of
electronic signatures shall be governed by the Uniform Electronic Transactions Act, C.R.S. 24-71.3-101 to 121.
18. Confidential Information
a. All information relating to County or entered into the Software by County is confidential, and will be
held in confidence by Contractor and will not be disclosed or used by Contractor except to the extent that such
disclosure or use is reasonably necessary to the performance of Contractor's duties and obligations under this
Agreement.
b. To the extent allowed under the Colorado Open Records Act, all information relating to Contractor
that is known to be confidential or proprietary, or which is clearly marked as such, will be held in confidence by
County and will not be disclosed or used by County except to the extent that such disclosure or use is reasonably
necessary to the performance of County's duties and obligations under this Agreement.
c. These obligations of confidentiality will extend indefinitely after the termination of this Agreement,
but will not apply with respect to information that is independently developed by the parties, lawfully becomes a
part of the public domain, or of which the parties gained knowledge or possession free of any confidentiality
obligation.
19. Other Contract Requirements and Contractor Representations.
a. Contractor has familiarized itself with the nature and extent of the Services to be provided
hereunder and the Property, and with all local conditions, federal, state and local laws, ordinances, rules and
regulations that in any manner affect cost, progress, or performance of the Services.
b. Contractor will make, or cause to be made, examinations, investigations, and tests as he deems
necessary for the performance of the Services.
c. To the extent possible, Contractor has correlated the results of such observations, examinations,
investigations, tests, reports, and data with the terms and conditions of this Agreement.
d. To the extent possible, Contractor has given County written notice of all conflicts, errors, or
discrepancies.
e. Contractor shall be responsible for the completeness and accuracy of the Services and shall
correct, at its sole expense, all significant errors and omissions in performance of the Services. The fact that the
County has accepted or approved the Services shall not relieve Contractor of any of its responsibilities. Contractor
shall perform the Services in a skillful, professional and competent manner and in accordance with the standard of
care, skill and diligence applicable to contractors performing similar services. Contractor represents and warrants
that it has the expertise and personnel necessary to properly perform the Services and shall comply with the highest
standards of customer service to the public. Contractor shall provide appropriate supervision to its employees to
ensure the Services are performed in accordance with this Agreement. This paragraph shall survive termination of
this Agreement.
f. Contractor agrees to work in an expeditious manner, within the sound exercise of its judgment and
professional standards, in the performance of this Agreement. Time is of the essence with respect to this
Agreement.
g. This Agreement constitutes an agreement for performance of the Services by Contractor as an
independent contractor and not as an employee of County. Nothing contained in this Agreement shall be deemed to
create a relationship of employer-employee, master-servant, partnership, joint venture or any other relationship
between County and Contractor except that of independent contractor. Contractor shall have no authority to bind
County.
h. Contractor represents and warrants that at all times in the performance of the Services, Contractor
shall comply with any and all applicable laws, codes, rules and regulations.
i. This Agreement contains the entire agreement between the parties with respect to the subject
matter hereof and supersedes all other agreements or understanding between the parties with respect thereto.
j. Contractor shall not assign any portion of this Agreement without the prior written consent of the
County. Any attempt to assign this Agreement without such consent shall be void.
k. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their
respective permitted assigns and successors in interest. Enforcement of this Agreement and all rights and obligations
hereunder are reserved solely for the parties, and not to any third party.
l. No failure or delay by either party in the exercise of any right hereunder shall constitute a waiver
thereof. No waiver of any breach shall be deemed a waiver of any preceding or succeeding breach.
m. The invalidity, illegality or unenforceability of any provision of this Agreement shall not affect the
validity or enforceability of any other provision hereof.
n. The signatories to this Agreement aver to their knowledge no employee of the County has any
personal or beneficial interest whatsoever in the Services or Property described in this Agreement. The Contractor
has no beneficial interest, direct or indirect, that would conflict in any manner or degree with the performance of the
Services and Contractor shall not employ any person having such known interests.
o. The Contractor, if a natural person eighteen (18) years of age or older, hereby swears and affirms
under penalty of perjury that he or she (i) is a citizen or otherwise lawfully present in the United States pursuant to
federal law, (ii) to the extent applicable shall comply with C.R.S. 24-76.5-103 prior to the effective date of this
Agreement.
IN WITNESS WHEREOF, the parties have executed this Agreement the day and year first set forth above.
COUNTY OF EAGLE, STATE OF COLORADO,
By and Through Its COUNTY MANAGER
By:
Brent McFall, County Manager
CONTRACTOR: CIVICORE LLC
By:
Print Name:
Title:
EXHIBIT A
SCOPE OF SERVICES, SCHEDULE, FEES
INTRODUCTION
ABOUT CIVICORE
SEMI-CUSTOM APPROACH
VICTIM SERVICES CASE MANAGEMENT SYSTEM
CASE MANAGEMENT
Case Information
Victimizations
Victim Services
Search
PERSONS
Persons—Overview Tab
REPORTING
Custom reports
Templates
PROPOSED PROJECT TIMELINE FOR PLATFORM IMPLEMENTATION
TIMELINE
PROPOSED PROJECT BUDGET
APPENDIX 1: FIELD MAPPING
APPENDIX 2: IMPORT SPECIFICATIONS
IMPORT UTILITY
APPENDIX 3: CHECKLIST
APPENDIX 4: HOSTING SERVICES PROVIDED
CiviCore is a company dedicated to providing affordable, high-quality technology solutions to non-profits,
public agencies and foundations. CiviCore combines both expert software development
experience with a deep understanding of those working in non-profit and public sector agencies. More
importantly, CiviCore has successfully completed software development projects similar in scope and
design to the effort described in this proposal.
About CiviCore
CiviCore was founded in 2000 by Charles Naumer and Rich Rainaldi with the objective of utilizing the
web to provide organizations in the social sector with cost effective, capacity building information
technology solutions. Charles and Rich both had backgrounds deep in the social sector and have lifelong
passions to improve social conditions locally, nationally and internationally.
The combination of their skills and efforts to build CiviCore as an organization to serve the social sector
has been a natural fit. As a result CiviCore has built one of the most comprehensive suites of
information technology solutions in the market and has one of the highest implementation success rates
of any technology firm across all sectors. CiviCore serves over 350 clients throughout the United States,
Canada, Asia and Australia.
Semi-Custom approach
As discussed, the proposal is for a semi-custom development of the application management system.
CiviCore systems are not developed from scratch but are developed on top of a multi-tenant application
architecture. This architecture allows a single code base to be reused by multiple clients, saving
significant cost and effort in the development process. However, applications built on top of this
architecture may be tailored to the unique needs of the organization. The benefits of this approach are
highly tailored software that facilitates the work of your organization and provides opportunity for
continued upgrades and improvements over time.
The following functionality will be included as part of the proposed application
(The proposed system will include the functionality described as follows but will be implemented on
CiviCore's latest platform. Therefore, the interface may look different than the following screenshots.)
Case Management
The following is a list of tabs and fields associated with the Case management functionality.
Case Information
The following image represents the case information tab that is a part of the case management
functionality.
Victim Services
The following image represents the victim services tab that is a part of the case management
functionality.
Search
The following image represents the ad-hoc search capability that is a part of the case management
functionality.
Persons
The following is a list of tabs and fields associated with the Case management functionality.
Persons - Overview Tab
The following image represents the persons overview tab that is a part of the case management
functionality.
Reporting
Custom reports
The following image represents the custom reporting area of the application.
1. Statistical Report: Victimization count, Victim services count, member delivering the services count
2. Case Overview
3. Case Overview
Templates
The following image represents the custom letter templates.
Showing 16 record(s)
1 No Charges Filed Letter (English)
2 Cold Case Letter (English)
3 Satisfaction Survey (English)
4 Cold Case Letter (Spanish)
5 Court Follow Up Letter (Spanish)
6 Death Letter (Spanish)
7 Investigation Letter (Spanish)
8 Juvenile Court Follow Up Letter (Spanish)
9 No Charges Filed Letter (Spanish)
10 Summons-Release Letter (Spanish)
11 Court Follow Up Letter (English)
12 Investigation Letter (English)
13 Juvenile Court Follow Up Letter (English)
14 Summons-Release Letter (English)
15 Death Letter (English)
16 Satisfaction Survey (Spanish)
Proposed Project Timeline for Platform Implementation
Timeline
Development will start approximately 4 weeks after contract signing.
Step 1 — Project planning (one meeting)    TBD    TBD    2 weeks
Step 2 — Development                       TBD    TBD    12 weeks
Step 3 — Testing/Review/Training           TBD    TBD    2 weeks
Step 4 — Go Live                           TBD
Proposed Project Budget
Basic Customization and Training: $8,500
This fee includes the database design, programming, review and revisions as outlined in the plan.
It also includes testing of the database and training.
One-way synch from Intergraph (Field mapping Appendix): $1,000
Ongoing Maintenance and Hosting: $250
This is a monthly fee for hosting, maintenance and support. It includes daily data backup,
system monitoring and customer service support. The proposed system will be hosted on a
secure server located behind a firewall and all communication between client and server will use
SSL to ensure a secure connection. Please see Appendix 4 for further detail.
CiviCore field           Intergraph field
Code                     LWNAMES.NC SEQ
Inci ID                  LWMAIN.INCI ID
Report date              LWMAIN.DATE_REPT
Occ from date            LWMAIN.DATE_OCCU
found date               LWMAIN.DATE_FND
numerical                IARR_CHRG, Statute ID = STATUTEID
literal description      LWCHARG CHRDESC
Name code                LWNAMES.NAME_CODE, PICKLIST
Names                    LWNAMES.NAME_ID
Last name                NMMAIN.LAST
First name               NMMAIN.FIRST
Ethnicity                LWNAMES.ETHNICITY
Race                     NMMAIN.RACE, PICKLIST

CiviCore fields whose Intergraph pairing is not recoverable from the scan:
Home phone area
WE Phone
Mailing address PO box
Mailing address city
Case status

Intergraph fields whose CiviCore pairing is not recoverable from the scan:
LWMAIN.VPDVINE
NMMAIN.STREENBR
NMMAIN. `STAR EET, AiAi
CASS, Search Table = SYSTAB2

Notes:
This is the sequence for the name involvement such as Victim 1, 2.
This will pull the entire name versus breaking down by Last, First, middle as listed below.
Import utility
CiviCore will write a SQL query to export data from Intergraph. Eagle County will provide CiviCore with
remote access to a PC connected to Intergraph data. SQL exports will be written to a txt file for import
into the CiviCore database.
Imports of data as described in Appendix 1 will be scheduled to run two times per day. The timing of the
imports will be specified by Eagle County.
Appendix 3: Checklist
CiviCore will include all items marked as 5 = Base Package "off-the-shelf" in the following checklist.
Items that are marked as 4 = Minor Customization will be billed at $125 per hour as requested by Eagle
County.
Application Requirements Checklist Instructions
The application requirements checklist must be completed in full by all bidders. Please place a
0, 1, 2, 3, 4, or 5 in the "Vendor Response" column based on the capabilities of your software
package and project team. These response codes are described below.
5 - Base Package "off-the-shelf" - The requirements and tasks can be accomplished by
using the core "off-the-shelf" or "out of the box" software package. Virtually no configuration or
customization is needed. The standard user interface can be used, and there is no need to
make improvements through customization.
4 - Minor Customization - The requirements can be met with minor customization at the
client's site. May require customizing components of the user interface, creating customized
forms and reports, and changing the workflow procedures to match the customer's business
practices.
3 - Optional Module - The requirement can be met by purchasing an optional module or add-on
piece of software produced by the vendor or a third-party vendor. For all #3 answers,
please list the name of the optional module in the "Comments" column.
2 - Future Release - The functionality will be included in a planned, future release of the
product. For all #2 answers, please list the anticipated release date of the future version in the
"Comments" column.
1 - Custom Programming - This requirement could be met, but new custom
code would need to be written by the vendor, in order to provide this functionality.
0 - Not Supported - This requirement is not supported by the vendor's software or services.
n/a - Due to the style of question, an above number cannot be assigned. Remark is required.
Please note that the "Comments" column does not need to be filled in for responses of 0, 1, 4,
or 5. However, vendors are welcome to add any comments which might elaborate upon or
further clarify their responses. If you need additional space for comments regarding a specific
question, feel free to attach additional pages.
This checklist has been made available as both an EXCEL spreadsheet and Adobe PDF
document. Vendors may either complete the checklist using the EXCEL spreadsheet, or they
may write their answers manually on hard copies of the PDF document.
Eagle County Innovation & Technology Checklist
5 = Base Package "off-the-shelf"
4 = Minor Customization
3 = Optional Module
2 = Future Release
1 = Custom Programming
0 = Not Supported
n/a = Can't be answered by above #, remark is required
Identification and Authentication
Does the application require user authentication?
    Vendor response: 5 = Base Package "off-the-shelf"
Is the application capable of automatic session timeouts? Please provide details of timeout options.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Yes, standard setting is 30 minutes
Are credentials in use with the application? If so, please describe how they are obtained. (i.e., through a trusted CA, self-signed, etc.)
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: no
Are generic, built-in, or shared accounts necessary for the application to function? If so, provide details.
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: no
Does the application support individually identifiable authentication for access to sensitive
    Vendor response: 4 = Minor Customization
    Comments: User profiles are setup during the initial
Data Protection
What encryption method is utilized by the application? If proprietary, please describe.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: We use AES built into mysql/mariadb for encryption
If proprietary, does the encryption method meet NIST FIPS 140-1 and 140-2 standards?
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: Not proprietary
How are encryption keys stored? Is there an encryption management policy? If so, please describe or provide.
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: N/A
Is the application capable of encryption at rest of sensitive data elements? Please describe.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Sensitive data is encrypted before storage.
Is the application capable of encrypting data in transit to internal and external devices? Please describe.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Data is encrypted before transit and secure channels are used.
Is the application capable of encrypting application and database passwords at rest? Please describe.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Sensitive data is encrypted before storage.
Is the application capable of encrypting application and database passwords in transit? Please describe.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Sensitive data is encrypted before storage.
Audit
Is the application capable of auditing events such as login, privileged use, account lockouts, access to sensitive information, access changes, and user creation? This auditing should include timestamps of the event and username. Please describe.
    Vendor response: 3 = Optional Module
Does the application log contain credentials or other sensitive information? If yes, please describe why this is necessary.
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: No
Is the application capable of time stamping of application logs?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Controlled in server environment
Is the application capable of configuring log retention policies? Please describe.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Controlled in server environment
Is the application capable of notifying administrators when the logs are full?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Controlled in server environment
Is the application capable of managing access to application logs? How are these logs protected within the application from unauthorized viewing or changes?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Controlled in server environment
Is the application capable of sending application logs to a remote log aggregation host service, such as syslog?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Controlled in server environment
Does the application support the capability of displaying customizable login banners? (i.e., warning messages to users about acceptable use, etc.)
    Vendor response: 4 = Minor Customization
How are user sessions managed by the application, i.e., are cookies used? What type of information is stored on the client computers? Are credentials ever stored on the client computer? If so, is this data removed after the session is over?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: A cookie is used to store the session id
What is the user logout procedure? (e.g., Close the browser window, click the logout button, etc.)
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Click log out link. Closing of browser will also log the user out.
If utilizing a browser, is information entered by the user cached?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Access restricted to SSL. No data cached.
How does the application validate user inputs? Please describe the process.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Data validation on fields where appropriate.
General
How often are patches released for this application, and what sort of testing is done regarding patches?
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Software as a Service. Patches released frequently.
Can aged data be purged through out of the system based on a user inputted date range?
    Vendor response: 0 = Not Supported
    Comments: Can be done manually
System allows simultaneous access to data by concurrent users?
    Vendor response: 5 = Base Package "off-the-shelf"
System is based on industry best practices and uses common business process flow?
    Vendor response: 5 = Base Package "off-the-shelf"
Applications are integrated and modules work cohesively?
    Vendor response: 5 = Base Package "off-the-shelf"
The software creates and stores an audit trail of all edits to data.
    Vendor response: 3 = Optional Module
The software uses a graphical user interface where major functions are accessible through icons and/or drop down menus.
    Vendor response: 5 = Base Package "off-the-shelf"
Data is accessible as soon as it is entered.
    Vendor response: 5 = Base Package "off-the-shelf"
The software supports Windows cut and paste capabilities.
    Vendor response: 5 = Base Package "off-the-shelf"
The software provides an online help function.
    Vendor response: 5 = Base Package "off-the-shelf"
Eagle County Innovation Technology Checklist -1 of 2
Reports, query results, drawings, and schematics can be printed to screen, clipboard, file, or network printers.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: via web browser
The software is customizable through the use of user-definable fields.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Customization of lookups. Fields configured as part of initial setup.
Lookup lists for all coded data are provided, or full text descriptions are displayed for coded data.
    Vendor response: 5 = Base Package "off-the-shelf"
The software can store and retrieve up to five years worth of data.
    Vendor response: 5 = Base Package "off-the-shelf"
The software provides facilities for importing and exporting of data in user-definable formats.
    Vendor response: 4 = Minor Customization
The software has an all user messaging feature that will alert all users logged in of a message defined by the software administrator.
    Vendor response: 5 = Base Package "off-the-shelf"
Data Retrieval and Flexibility
Ability to generate predefined reports and manipulate (add, remove, group by) fields.
    Vendor response: 5 = Base Package "off-the-shelf"
Ability for users to easily create new reports.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Ability to save ad-hoc queries; Users can use the BIRT reporting engine to create reports
Users can perform ad hoc queries of data using multiple complex search criteria, Boolean logic, and multiple criteria.
    Vendor response: 5 = Base Package "off-the-shelf"
Any field in the database can be searched by, inside the application's search area.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Excluding system fields
Commonly needed reports are provided.
    Vendor response: 5 = Base Package "off-the-shelf"
Reports can present data in graphical form using graphs and charts.
    Vendor response: 4 = Minor Customization
Ability to copy data from any screen report and paste into any other application
    Vendor response: 5 = Base Package "off-the-shelf"
Ability to export in standard file formats (pdf, .csv, txt)
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: csv, pdf, excel primarily supported
Web based application
What browsers are supported?
    Vendor response: 5 = Base Package "off-the-shelf"
Are there any specific ports in the firewall that will need to be opened?
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: No
Are there any workstation requirements (ex. Java, x version of Flash)
    Vendor response: n/a = Can't be answered by above #, remark is required
    Comments: No
Can users print to local / network printers without any special configuration?
    Vendor response: 5 = Base Package "off-the-shelf"
Entire database can be exported by user in a text delimited format, or some other file standard.
    Vendor response: 4 = Minor Customization
    Comments: We can provide database export on
need to be installed locally on workstations? fill out "Application" worksheet
    Vendor response: n/a = Can't be answered by above #, remark is
    Comments: No
Eagle County Innovation Technology Checklist - 2 of 2
Eagle County Sheriff Victim Services Checklist
5 = Base Package "off-the-shelf"
4 = Minor Customization
3 = Optional Module
2 = Future Release
1 = Custom Programming
0 = Not Supported
n/a = Can't be answered by above #, remark is required
Software can import data directly from Intergraph into customizable records/fields including but not limited to name, address, gender, race, ethnicity, primary or secondary victim, offender information etc.
    Vendor response: 3 = Optional Module
    Comments: Please see proposal - FIELD MAPPING APPENDIX
Software will auto-generate upload on periodic basis to be decided by ECSO
    Vendor response: 4 = Minor Customization
    Comments: Please see proposal - FIELD MAPPING APPENDIX
Software will identify blank/missing incident reports (IR) in numerical listing of IR numbers and sort by agency, date, etc.
    Vendor response: 4 = Minor Customization
    Comments: We are not completely sure what this request addresses. Most likely a report could be generated to support this functionality
VRA specific crimes will be flagged for priority response
    Vendor response: 4 = Minor Customization
    Comments: We can configure flags on initial setup.
Users have ability to edit imported data in any field
    Vendor response: 5 = Base Package "off-the-shelf"
Imported data can be viewed in customized windows
    Vendor response: 1 = Custom Programming (Source Code)
    Comments: Notes clear on this item.
Software has ability to upload customizable documents like case status letters, etc.
    Vendor response: 5 = Base Package "off-the-shelf"
Software will link victim info to service info with multiple entries available for each type of service performed
    Vendor response: 5 = Base Package "off-the-shelf"
Software will include fields for court information including but not limited to next court date, name of prosecutor, etc.
    Vendor response: 5 = Base Package "off-the-shelf"
Software will flag upcoming dates of importance such as court dates, follow-up dates, etc. and email reminder to user
    Vendor response: 5 = Base Package "off-the-shelf"
Software will include list of referral agencies with checkboxes and date for user to complete
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Typically don't include date - but we could add this field.
Software will upload information from Intergraph indicating whether or not a victim booklet was given by the officer.
    Vendor response: 4 = Minor Customization
    Comments: A report can be generated to show this information.
Software will allow Coordinator to add/delete user access from any computer at any time
    Vendor response: 5 = Base Package "off-the-shelf"
Software will allow Coordinator to determine level of use, for example view only and which fields can be viewed for certain types of case, i.e. sexual assault victim information
    Vendor response: 4 = Minor Customization
    Comments: We can setup various levels of access. These levels of access can then be assigned to users.
Software will automatically calculate age from date of birth field and include a field for age at time of crime and age as of current date.
    Vendor response: 5 = Base Package "off-the-shelf"
Software will allow attachment or upload of specialized materials, i.e. grief packets, volunteer calendar, customized letters on agency letterhead
    Vendor response: 5 = Base Package "off-the-shelf"
Users have ability to create new/additional client files using formatting identical to imported data report formatting
Software has ability to sort data by any and all fields
    Vendor response: 5 = Base Package "off-the-shelf"
Client files have pre-determined formatting to identify data collection requirements as detailed by users
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: We are assuming this means "masks" and data validation.
The software program can sort data to compile reports in pre-defined formats - i.e. VOCA & VALE grant reporting formats
    Vendor response: 4 = Minor Customization
Tech support will assist administrator/user in setting up reports for individual funding sources, individual police agencies and other criteria.
    Vendor response: 4 = Minor Customization
As an example for number 25 & 26, VOCA requires a 13 year old sexual assault victim be counted as an adult. VALE requires anyone under 18 be counted as a child. Software will populate periodic reports (monthly, quarterly) with those different user-defined criteria
    Vendor response: 4 = Minor Customization
    Comments: Currently supports VOCA/VALE reports. Future changes to VOCA/VALE reports will be billed at standard $100 per hour.
When compiling statistical reports software will be able to count each victim only once per incident regardless of the number of services provided.
    Vendor response: 5 = Base Package "off-the-shelf"
Civicore will provide back-up discs upon request and within 5 days of any such request.
    Vendor response: 5 = Base Package "off-the-shelf"
    Comments: Backups may be downloaded at any time by client.
Users can perform ad hoc queries of data using multiple complex search criteria, Boolean logic, and multiple sorting criteria.
    Comments: We have complex search criteria. We are able to do all of the search criteria as either an "AND" or an "OR". The system currently allows sorting of a single column. Additional sorting can be done upon export to excel
Multiple advocates or agencies can be assigned on each case
    Vendor response: 5 = Base Package "off-the-shelf"
Data fields include a searchable variable length text description field large enough to hold at least 500 characters.
    Vendor response: 5 = Base Package "off-the-shelf"
Software will allow manual entry of victim contacts in addition to the uploaded data.
    Vendor response: 5 = Base Package "off-the-shelf"
Coordinator can record information about users including name, identification number
4 = Minor Customization
and varying levels of access to data.
per advocate or funding source.
5 = Base Package "off- the - shelf'
Auto calculation of lapsed time between each interval of updates, events or status changes
with email notification to supervisor if a preset amount of lapsed time is reached.
3 = Optional Module
Client data can be exported to and imported from specialized software such as Primavera
4 = Minor Customization
Software can interface with County's Document Management System "Laserfiche" to store
5 = Base Package "off- the - shelf'
records and attachments
3 = Optional Module
Client contacts can be routed for review and approval
4 = Minor Customization
Predefined services can be selected from a customizable pick list, resulting in fields such as
3= Optional Module
assigned advocate, type of service, with the incident number being subsequently
incorporated into future communications
3 = Optional Module
Client services may be charged to multiple funding sources in varying percentages
4 = Minor Customization
Client contacts can be electronically routed for review and approval to other agencies,
queues and individuals based on system configurable rules.
4 = Minor Customization
Ability to assign cases to contractors
5 = Base Package "off- the - shelf'
Ability to assign multiple workers to a case or victim
5 = Base Package "off- the - shelf'
Separate fields for user's urgency and Coordinator's issued priority level.
4 = Minor Customization
Video or audio files can be attached to a contact, victim or incident report.
5 = Base Package "off- the - shelf'
Client files can include user - definable fields indicating the presence and nature of risk
factors 4 = Minor Customization
Client records contain a history of previous contacts with client or close associate.
5 = Base Package "off- the - shelf'
Software alerts selected users to impending court dates with user - definable lead times.
4 = Minor Customization
Information on clients and services can be queried and grouped by the
advocate /employee and other user - definable fields
4 = Min_ or Customization _
Users can perform ad hoc queries of client or incident data using multiple complex search
criteria, Boolean logic, and multiple sorting criteria including type of crime, case number,
location of crime, victim demographics, etc.
5 = Base Package "off- the - shelf'
Search results can be displayed in tables that Include links to detailed records.
4 =Minor Customization _
Software permits concurrent data entry from multiple client PCs.
_ S = Base Package "off- the - shelf'
Email interface supports Microsoft Outlook, Exchange, MAN and SMTP /POP3 internet
mail. _ I n/a = Can't be answered by above #, remark is
The software can be configured such that completion of certain fields of victim or contact
information is mandatory. - - S =Base Package "off -t_he- shelf_'
The website uses windows authentication so users do not need to enter a password and i
only authorized users can submit client or case data
0 =Not Supported
Software generates email notifications of receipt, status of work request and closed cases
to Coordinator. These items can be turned on or off on a global level by Coordinator
- -_L4 = M•mor Customization
Data entered via the World Wide Web will update the software's database tables so that
such requests need not be re- entered.
15 = Base Package "off- the - shelf'
Software provides a means of restricting read and write access to various data to
authorized users and groups. Coordinator can change access levels at any time from any
computer.
15 =Base Package "off- the - shelf'
Software provides configurable email links to departmental functions and employees.
14 =Minor Customization
Software allows every web page to incorporate graphics
- -
15 = Base Package "off- the - shelf'
Would need to know more about
"Laserfiche"
We allow for upload of files. File uploads
can not exceed 8MB but could be
customized to handle larger files if
necessary.
Agency may store this information.
Ad -hoc search
If not handled by ad -hoc search
managed by custom report which can be
developed $100 per hour.
We are assuming this refers to service
delivery.
to Excel or CSV.
A funding source can be Id
ces are identified by users.
We have complex search criteria. We are
able to do all of the search criteria as
either an "AND" or an "OR ". The system
currently allows sorting of a single
Security levels can not be configured.
But you can change a users security le
4 = Minor Customization
Software can record work performed by users and such data can be accessed and grouped
per advocate or funding source.
5 = Base Package "off- the - shelf'
Software can provide utilization reports on employees, other agencies and contractors
3 = Optional Module
Client data can be exported to and imported from specialized software such as Primavera
and Microsoft Project.
5 = Base Package "off- the - shelf'
Software can reference a funding source to which costs will be charged, or contacts
tabulated using a field of no less than 20 alphanumeric characters.
3= Optional Module
Software can post services to victims daily or more frequently
3 = Optional Module
Client services may be charged to multiple funding sources in varying percentages
4 = Min_ or Customization _
Software allows special formatting capabilities for alerts and special messages appearing
on Web pages or forms.
4 = Minor Customization
Software can email various kinds of other alerts to designated users
_
4 = Minor Customization
Users can enter data on behalf of someone else in their unit.
4 = Minor Customization
I
Existing client information can be copied to create new client records
4 =Minor Customization
Client contacts can be assigned to specific employees or groups of employees
4 = Minor Customization
Software can generate reports of overdue client contacts
4 = Minor Customization
Depending on exact requirements the
Software can generate reports detailing adherence of actual client contact
4 = Minor Customization
One client can have several incident numbers assigned to them
5 = Base Package "off-the-shelf"
One incident report can have several victims assigned to it.
5 = Base Package "off-the-shelf"
Software provide a way to plan and schedule follow-up contacts and to alert workers to
daily scheduled tasks
4 = Minor Customization
Software places no limits on the number of services that can be provided to a client.
5 = Base Package "off-the-shelf"
Software can maintain a list of materials given (victim booklet, grief resources, etc.) and
generate re-order lists as needed
4 = Minor Customization
Field solutions are compatible with handheld/mobile devices, laptops
and Tablet PCs running on the Windows 7/Windows Mobile operating systems
5 = Base Package "off-the-shelf"
Works in any web enabled device. However, is not optimized for smaller devices
Real time data field/office data available when connected via cell or wireless connection
5 = Base Package "off-the-shelf"
Assuming device is connected to the Internet via data service.
Mobile solution uses store and forward type technology. This would allow user to
download their client info locally to their mobile device, update or add new data while
offline that would then sync with the database when connected via cell or network
connection.
0 = Not Supported
Provide maps and data of client contacts and/or crime scenes.
4 = Minor Customization
Provide spatial topology of user-definable fields.
4 = Minor Customization
Appendix 4: Hosting Services Provided
The following services are provided as part of the monthly hosting services proposed:
• Application hosting
• Data backup
• Security monitoring and tuning
• Security software upgrades
• Server operating system upgrades and maintenance
• Database software upgrades and maintenance
• Hardware upgrades (servers, memory, etc.)
• Performance monitoring and tuning
• Anti-virus software maintenance
• Database performance tuning, indexing, etc.
• Basic customer service calls on functionality, help desk, etc., not to exceed 2
  hours per month.
• Defect fixes, and minor functionality modifications to achieve design goals
EXHIBIT B
INSURANCE CERTIFICATE
Eagle County Professional Services IT Final 5/14
ACORD
CERTIFICATE OF LIABILITY INSURANCE
DATE (MM/DD/YYYY): 05/12/2015
THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS
CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES
BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED
REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.
IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must be endorsed. If SUBROGATION IS WAIVED, subject to
the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the
certificate holder in lieu of such endorsement(s).
PRODUCER: The Insurance Loft
1630 Welton St. Ste. 202
Denver CO 80202
CONTACT NAME: Scott Ligouri
PHONE (A/C, No, Ext): Off: 303-872-9017
FAX (A/C, No): 888-645-4229
E-MAIL ADDRESS: scott@theinsuranceloft.com
INSURED: Civicore, LLC
1580 Lincoln St
Ste 520
Denver CO 80203
INSURER(S) AFFORDING COVERAGE / NAIC #
INSURER A: TRAVELERS CAS INS CO OF AMER / 19046
INSURER B:
INSURER C:
INSURER D:
INSURER E:
INSURER F:
COVERAGES CERTIFICATE NUMBER: REVISION NUMBER:
THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD
INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS
CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS,
EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.
INSR LTR
TYPE OF INSURANCE
INSD
WVD
POLICY NUMBER
(MM/DD/YYYY)
(MM /DD/YYYY)
LIMITS
✓
COMMERCIAL GENERAL LIABILITY
CLAIMS -MADE I-V OCCUR
EACH OCCURRENCE
$ 1000000
PREMISES (Ea occurrence)
$ 300000
MED EXP (Any one person)
$ 5000
PERSONAL & ADV INJURY
$ 1000000
A
X
680OF327276
10/01/2014
10/01/2015
GEN'L AGGREGATE LIMIT APPLIES PER:
POLICY / PROJECT / LOC
GENERAL AGGREGATE
$ 2000000
PRODUCTS - COMP /OP AGG
$
VOTHER:
HRDBD
$ 1000000
AUTOMOBILE
LIABILITY
(Ea accident)
$
BODILY INJURY (Per person)
$
ANY AUTO
ALL OWNED SCHEDULED
AUTOS AUTOS
BODILY INJURY (Per accident)
$
HIRED AUTOS NON -OWNED
AUTOS
(Per accident)
$
UMBRELLA LIAB
OCCUR
EACH OCCURRENCE
$
AGGREGATE
$
EXCESS LIAB
CLAIMS -MADE
DED | RETENTION $
$
•
WORKERS COMPENSATION
AND EMPLOYERS' LIABILITY Y/N
PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? Y
(Mandatory in NH)
N/A
UBOF34046A
02/01/2015
02/01/2016
STATUTE V ER
E.L. EACH ACCIDENT
$ 500000
E.L. DISEASE - EA EMPLOYEE
$ 500000
If yes, describe under
DESCRIPTION OF OPERATIONS below
E.L. DISEASE - POLICY LIMIT
$ 500000
•
Errors & Omissions Liability
Coverage
X
680OF327276
10/01/2014
10/01/2015
Claims Made $3,000,000 each wrongful act
limit. $3,000,000 Aggregate
DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)
Please note the Errors & Omissions Coverage (Professional Liability) is limited to the policy language provided as an attachment to this certificate. Coverage
will not extend outside those specific terms of this current and in force policy language section as it pertains to Civicore's Professional Liability Coverage.
Please note coverage and/or policy language may change at the renewal of the policy. At the request of the certificate holder we will provide updated policy
language and certificates on an ongoing basis.
Please note: Eagle County, its associated or affiliated entities, its successors and assigns, elected officials, employees, agents and volunteers are Additional
Insureds under the commercial general liability coverage section, which also extends to hired and non-owned auto on the general liability section.
Eagle County, Colorado
500 Broadway
PO Box 850
Eagle CO 81631
SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE
THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN
ACCORDANCE WITH THE POLICY PROVISIONS.
AUTHORIZED REPRESENTATIVE
©1988 -2014 ACORD CORPORATION. All rights reserved.
ACORD 25 (2014/01) The ACORD name and logo are registered marks of ACORD
AGENCY CUSTOMER ID:
LOC #:
ADDITIONAL REMARKS SCHEDULE
Page 1 of 1
AGENCY: The Insurance Loft
NAMED INSURED: Civicore, LLC
POLICY NUMBER: 680OF327276
CARRIER: TRAVELERS CAS INS CO OF AMER
NAIC CODE: 19046
EFFECTIVE DATE: 10/01/2014
THIS ADDITIONAL REMARKS FORM IS A SCHEDULE TO ACORD FORM,
FORM NUMBER: 25 FORM TITLE: CERTIFICATE OF LIABILITY INSURANCE
Please see attached Travelers Insurance Policy Language Form for specific E&O coverages.
ACORD 101 (2008/01)
© 2008 ACORD CORPORATION. All rights reserved.
TRAVELERS
CYBERFIRST ESSENTIALS
COVERAGE PART DECLARATIONS
One Tower Square, Hartford, Connecticut 06183
POLICY NUMBER: 680-OF327276-14-42
ISSUE DATE: 10-02-14
THIS COVERAGE IS PROVIDED ON A CLAIMS-MADE BASIS. DEFENSE
EXPENSES ARE PAYABLE WITHIN, AND ARE NOT IN ADDITION TO, THE
LIMITS OF INSURANCE.
INSURING COMPANY: TRAVELERS CASUALTY INSURANCE COMPANY OF AMERICA
Policy Period: From 10-01-14 to 10-01-15 12:01 A.M. Standard Time at your mailing address shown in the
Common Policy Declarations.
Information Security Retroactive Date: 10-01-14
Errors And Omissions Retroactive Date: 10-01-14
The CyberFirst Essentials Coverage Part consists of these Declarations, the CyberFirst Essentials General Provisions
Form and the Coverage Forms shown below.
ITEM 1. COVERAGE
CYBERFIRST ESSENTIALS INFORMATION SECURITY LIABILITY COVERAGE FORM
CYBERFIRST ESSENTIALS TECHNOLOGY PRODUCTS AND SERVICES ERRORS AND
OMISSIONS LIABILITY COVERAGE FORM
ITEM 2. LIMITS OF INSURANCE:
Aggregate Limit $ 3,000,000
Each Wrongful Act Limit $ 3,000,000
ITEM 3. DEDUCTIBLE:
Each Wrongful Act Deductible $ 2,500
ITEM 4. NUMBERS OF FORMS, SCHEDULES AND ENDORSEMENTS FORMING THIS COVERAGE
PART ARE ATTACHED AS A SEPARATE LISTING.
PR TO 19 02 12 Page 1 of 1
POLICY NUMBER: 680-OF327276-14-42
CYBER LIABILITY
ISSUE DATE: 10-02-14
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.
BREACH ESSENTIALS ENDORSEMENT - TECHNOLOGY
This endorsement modifies insurance provided under the following:
CYBERFIRST ESSENTIALS GENERAL PROVISIONS FORM
CYBERFIRST ESSENTIALS INFORMATION SECURITY LIABILITY COVERAGE FORM
CYBERFIRST ESSENTIALS TECHNOLOGY PRODUCTS AND SERVICES ERRORS AND OMISSIONS
LIABILITY COVERAGE FORM
SCHEDULE OF CYBER FIRST-PARTY LIMIT AND DEDUCTIBLE
                                        Limit       Deductible
Cyber First-Party Limit and Deductible  $ 10,000    $ 0
PROVISIONS
A. INTRODUCTION
The following is added to the Introductory Note in
the CYBERFIRST ESSENTIALS GENERAL
PROVISIONS FORM:
THE LIMITS OF INSURANCE WILL BE RE-
DUCED BY THE PAYMENT OF:
1. YOUR SECURITY BREACH NOTIFICATION
AND REMEDIATION EXPENSES, YOUR
PAYMENT CARD EXPENSES AND YOUR
CRISIS MANAGEMENT SERVICE EX-
PENSES COVERED BY YOUR CYBER-
FIRST ESSENTIALS INFORMATION SE-
CURITY LIABILITY COVERAGE FORM;
AND
2. YOUR CRISIS MANAGEMENT SERVICE
EXPENSES COVERED BY YOUR CYBER-
FIRST ESSENTIALS TECHNOLOGY
PRODUCTS OR SERVICES ERRORS AND
OMISSIONS LIABILITY COVERAGE FORM,
IF THAT COVERAGE FORM IS PART OF
YOUR POLICY.
B. CYBER FIRST-PARTY COVERAGES
1. The following is added to Paragraph 1., In-
suring Agreement, of SECTION I — INFOR-
MATION SECURITY LIABILITY COVERAGE
in the CYBERFIRST ESSENTIALS INFOR-
MATION SECURITY LIABILITY COVERAGE
FORM:
Security Breach Notification And Remediation
Expenses And Payment Card Expenses Coverage
We will reimburse you for loss to which this
insurance applies that is "your security breach
notification and remediation expenses" or
"your payment card expenses" directly attrib-
uted to a "security breach" that:
(1) Is caused by an "information security
wrongful act" committed on or after the
Information Security Retroactive Date
shown in the Declarations of this Cover-
age Part and before the end of the policy
period;
(2) Occurs during the policy period; and
(3) Is first reported to us during the policy pe-
riod or within 90 days after the end of the
policy period.
But we will not reimburse you for "your pay-
ment card expenses" that are "payment card
contract penalties" or "chargebacks" unless
you have agreed to pay such "payment card
contract penalties" or "chargebacks" in a
"merchant service agreement" you entered
into before such "security breach" occurred.
Each "security breach" in a series of "related
security breaches" will be deemed to occur on
the date the first "security breach" in that se-
ries occurs.
A "security breach" will be deemed to have
been first reported to us on the date that we
first receive a written notice of such "security
breach" from any insured or any authorized
government entity.
PR TS 01 10 13 © 2013 The Travelers Indemnity Company. All rights reserved. Page 1 of 6
Crisis Management Service Expenses
Coverage
We will reimburse you for "your crisis man-
agement service expenses" that:
(1) Arise out of loss to which this insurance
applies that is caused by an "information
security wrongful act" committed on or af-
ter the Information Security Retroactive
Date shown in the Declarations of this
Coverage Part and before the end of the
policy period;
(2) Are first incurred by you during the policy
period; and
(3) Are reported to us during the policy pe-
riod or within 90 days after the end of the
policy period.
Each "information security wrongful act" in a
series of "related information security wrong-
ful acts" will be deemed to have been commit-
ted on the date the first "information security
wrongful act" in that series is committed.
Any of "your crisis management service ex-
penses" that:
(1) Are first incurred by you after the end of
the policy period; and
(2) Relate to any of "your crisis management
service expenses" that are first incurred
by you during the policy period;
will be deemed to have been incurred by you
during the policy period.
2. The following is added to Paragraph 1., In-
suring Agreement, of SECTION I — ER-
RORS AND OMISSIONS LIABILITY COV-
ERAGE in the CYBERFIRST ESSENTIALS
TECHNOLOGY PRODUCTS OR SERVICES
ERRORS AND OMISSIONS LIABILITY
COVERAGE FORM, if that coverage form is
part of your policy:
Crisis Management Service Expenses
Coverage
We will reimburse you for "your crisis man-
agement service expenses" that:
(1) Arise out of loss to which this insurance
applies that is caused by an "errors and
omissions wrongful act" committed on or
after the Errors And Omissions Retroac-
tive Date shown in the Declarations of
this Coverage Part and before the end of
the policy period;
(2) Are first incurred by you during the policy
period; and
(3) Are reported to us during the policy pe-
riod or within 90 days after the end of the
policy period.
Each "errors and omissions wrongful act" in a
series of "related errors and omissions wrong-
ful acts" will be deemed to have been commit-
ted on the date the first "error and omissions
wrongful act" in that series is committed.
Any of "your crisis management service ex-
penses" that:
(1) Are first incurred by you after the end of
the policy period; and
(2) Relate to any of "your crisis management
service expenses" that are first incurred
by you during the policy period;
will be deemed to have been incurred by you
during the policy period.
3. The following replaces the third paragraph of
Paragraph 1.a., Defense Of Claims Or
Suits, of SECTION I — COVERAGE in the
CYBERFIRST ESSENTIALS GENERAL
PROVISIONS FORM:
We may, at our discretion, investigate any
"wrongful act" or "claim" and settle any
"claim" or "suit". But our right and duty to de-
fend ends when we have used up the:
a. Aggregate Limit in the payment of:
(1) Judgments, settlements or "defense
expenses"; and
(2) Loss that is "your cyber first-party
loss"; or
b. Each Wrongful Act Limit in the payment
of judgments, settlements or "defense
expenses".
4. The following replaces the last paragraph of
Paragraph 2., Supplementary Payments, of
SECTION I — COVERAGE in the
CYBERFIRST ESSENTIALS GENERAL
PROVISIONS FORM:
Our duty to make such payments ends when
we have used up the:
a. Aggregate Limit in the payment of:
(1) Judgments, settlements or "defense
expenses"; and
(2) Loss that is "your cyber first-party
loss"; or
b. Each Wrongful Act Limit in the payment
of judgments, settlements or "defense
expenses".
5. The following exclusion is added to Para-
graph 2., Exclusions, of SECTION I — IN-
FORMATION SECURITY LIABILITY COV-
ERAGE in the CYBERFIRST ESSENTIALS
INFORMATION SECURITY LIABILITY
COVERAGE FORM:
PCI Attestation Of Compliance
"Your payment card expenses" if:
(1) You have not attested compliance with
the "payment card security standards" by
completing and signing a "PCI attestation
of compliance" within the twelve months
immediately preceding the "security
breach"; or
(2) You fraudulently or intentionally misrep-
resent that you are in compliance with the
"payment card security standards" in
completing the "PCI attestation of compli-
ance".
C. LIMITS OF INSURANCE
1. The following is added to SECTION III —
LIMITS OF INSURANCE in the CYBER-
FIRST ESSENTIALS GENERAL PROVI-
SIONS FORM:
Subject to the Aggregate Limit, the Cyber
First-Party Limit shown in the Schedule Of
Cyber First-Party Limit And Deductible is the
most we will pay for the sum of all loss that is
"your cyber first-party loss".
2. The following replaces the first paragraph of
Paragraph 2. of SECTION III — LIMITS OF
INSURANCE in the CYBERFIRST
ESSENTIALS GENERAL PROVISIONS
FORM:
The Aggregate Limit is the most we will pay
for the sum of all:
a. "Damages" and "defense expenses" for
the combined total of all "claims" or
"suits" for loss; and
b. Loss that is "your cyber first-party loss";
to which the insurance provided under one or
more of "your cyber liability coverage forms"
applies.
D. DEDUCTIBLE
1. The following is added to the last sentence of
Paragraph 1. of SECTION IV — DEDUCTI-
BLE in the CYBERFIRST ESSENTIALS
GENERAL PROVISIONS FORM:
The Each Wrongful Act Deductible does not
apply to payments we make for loss that is
"your cyber first-party loss."
2. The following is added to SECTION IV —
DEDUCTIBLE in the CYBERFIRST ESSEN-
TIALS GENERAL PROVISIONS FORM:
We will not reimburse you for any of "your cy-
ber first-party loss" to which this insurance
applies until the amount of such loss exceeds
the deductible shown in the Schedule Of Cy-
ber First-Party Limit And Deductible. We will
then reimburse you for the amount of such
loss in excess of the deductible, up to the limit
of insurance shown in the Schedule.
E. CYBER LIABILITY CONDITIONS
1. The following replaces the last sentence of
Paragraph 11., When We Are Prohibited
From Defending An Insured, of SECTION V
— CYBER LIABILITY CONDITIONS in the
CYBERFIRST ESSENTIALS GENERAL
PROVISIONS FORM:
Our duty to make such payments ends when
we have used up the:
a. Aggregate Limit in the payment of:
(1) Judgments, settlements or "defense
expenses"; and
(2) Loss that is "your cyber first-party
loss"; or
b. Each Wrongful Act Limit in the payment
of judgments, settlements or "defense
expenses".
2. The following is added to Paragraph 14., Cur-
rency, of SECTION V — CYBER LIABILITY
CONDITIONS in the CYBERFIRST ESSEN-
TIALS GENERAL PROVISIONS FORM:
Payments for loss that is "your cyber first-
party loss" will be in currency of the United
States of America. At our sole option, we may
make these payments in a different currency.
Any necessary currency conversion for such
payments will be calculated based on the rate
of exchange published in the Wall Street
Journal immediately preceding the date the
payment is processed.
3. The following is added to SECTION V —
CYBER LIABILITY CONDITIONS in the CY-
BERFIRST ESSENTIALS GENERAL PRO-
VISIONS FORM:
Duties In The Event Of A Security Breach
a. You must see to it that we are notified in
writing as soon as practicable of a "secu-
rity breach" which may result in "your se-
curity breach notification and remediation
expenses" or "your payment card ex-
penses". Such notice should include:
(1) How, when and where the "security
breach" occurred; and
(2) The nature and extent of fees, costs
or expenses incurred and paid by you
which can be directly attributed to a
"security breach".
b. You must:
(1) Authorize us to obtain records and
other information;
(2) Cooperate with us in the investigation
of the "security breach "; and
(3) Assist us, upon our request, in the
enforcement of any right against any
person or organization which may be
liable to you because of loss to which
this insurance may also apply.
F. DEFINITIONS
The following is added to the DEFINITIONS Sec-
tion in the CYBERFIRST ESSENTIALS
GENERAL PROVISIONS FORM:
"Chargebacks":
a. Means "payment card" charge reversals be-
cause of the fraudulent use of "payment
cards" or "identity information".
b. Includes transaction fees assessed to proc-
ess such "payment card" charge reversals.
"Merchant service agreement" means a contract
between you and an acquiring bank or other ac-
quiring institution that establishes the terms and
conditions for accepting and processing "payment
card" transactions.
"Payment card" means a credit card, debit card or
charge card issued by a financial institution.
"Payment card contract penalties":
a. Means fines or penalties incurred by you after
a "security breach" because of non-
compliance with the "payment card security
standards".
b. Does not include:
(1) Fines or penalties assessed because of
not promptly reporting a "security
breach";
(2) Fines or penalties assessed because of
failure to properly validate system secu-
rity according to the "payment card secu-
rity standards"; or
(3) Any interchange fees or changes in inter-
change fee schedules.
"Payment card security standards" means:
a. The most current edition of security standards
contained in:
(1) The Payment Card Industry Data Security
Standards program (PCI DSS);
(2) Visa's Cardholder Information Security
Program (CISP);
(3) MasterCard's Site Data Protection pro-
gram (SDP);
(4) American Express's Data Security Oper-
ating Policy; or
(5) Discover's Information Security and
Compliance program (DISC); or
b. Other security standards similar to those in
Paragraphs a.(1) through a.(5) above that you
have agreed to in a "merchant service
agreement" with a financial institution;
that apply to you.
"PCI attestation of compliance" means the decla-
ration of compliance status with the Payment
Card Industry Data Security Standards program
found in the "PCI self- assessment questionnaire"
that applies to you.
"PCI forensic investigation" means a professional
review of your computer systems by a "qualified
forensic investigator" to determine your compli-
ance with the "payment card security standards".
"PCI self-assessment questionnaire" means the
questionnaire, developed by the Payment Card
Industry Security Standards Council, that assists
you in self-evaluation of your compliance with the
"payment card security standards".
"Qualified forensic investigator" means an organi-
zation approved by the applicable "payment card"
issuing bank to conduct forensic investigations af-
ter a "security breach".
"Qualified security assessor" means a person or
organization certified by the Payment Card Indus-
try Security Standards Council to assess compli-
ance with "payment card security standards".
"Related security breaches" means two or more
"security breaches" that have as a common con-
nection, tie, or link any fact, circumstance, situa-
tion, event, transaction, cause, or series of related
facts, circumstances, situation, events, transac-
tions, or causes.
"Security breach" means unauthorized access to,
or acquisition of, "identity information" owned, li-
censed, maintained or stored by you.
"Security breach notification law" means any law
or regulation that requires an organization to no-
tify persons that their nonpublic personal informa-
tion was or may have been accessed or acquired
without their authorization.
"Software and hardware upgrade and scanning
services expenses" means:
a. Fees, costs or expenses for a "PCI forensic
investigation" arising out of a written notifica-
tion by a "payment card" issuing bank, mer-
chant bank, acquiring bank or other acquiring
institution that you are a likely common point
of purchase source of a "security breach" or
otherwise involved in a "security breach" to
determine if you are in compliance with the
"payment card security standards";
b. Costs or expenses to purchase and install
anti-virus software, point-of-sale systems
software, firewall protection software, or fire-
wall protection hardware that satisfies the re-
quirements of the "payment card security
standards", if, after a "security breach", it is
determined through a "PCI forensic investiga-
tion" that you are out of compliance with the
"payment card security standards"; or
c. Costs for the scanning services of a "qualified
security assessor" to certify that your up-
graded software and hardware systems meet
the requirements of the "payment card secu-
rity standards", but only for the first such
scanning services after your software or
hardware systems, or both, are upgraded.
"Your crisis management service expenses":
a. Means the reasonable fees, costs or ex-
penses incurred and paid by you in:
(1) Retaining a public relations consultant or
firm, or a crisis management consultant
or firm; or
(2) Planning or executing your public rela-
tions campaign;
to mitigate any actual or potential negative
publicity generated from loss to which this in-
surance applies.
b. Does not include fees, costs or expenses you
incur to comply with any law or regulation.
"Your cyber first-party loss" means loss that is:
a. "Your security breach notification and reme-
diation expenses";
b. "Your payment card expenses"; or
c. "Your crisis management service expenses".
"Your payment card expenses":
a. Means any of the following reasonable fees,
costs or expenses incurred and paid by you
which are directly attributed to a "security
breach":
(1) "Software and hardware upgrade and
scanning services expenses";
(2) "Payment card contract penalties"; or
(3) "Chargebacks".
b. Does not include:
(1) Remuneration paid to your regular "em-
ployees" for work beyond their normal
scheduled hours;
(2) Fees, costs, or expenses of outside con-
sultants retained by you, unless we agree
to reimburse you for such fees, costs, or
expenses;
(3) Amounts that you voluntarily agree to pay
to any person whose "identity informa-
tion" was accessed or acquired without
his or her authorization;
(4) Fees, costs, or expenses in:
(a) Retaining a public relations consult-
ant or firm, or a crisis management
consultant or firm; or
(b) Planning or executing your public re-
lations campaign;
to mitigate any actual or potential nega-
tive publicity generated from the "security
breach"; or
(5) "Your security breach notification and
remediation expenses".
"Your security breach notification and remediation
expenses":
a. Means any of the following reasonable fees,
costs or expenses incurred and paid by you
which can be directly attributed to a "security
breach":
(1) Forensic fees, costs or expenses to de-
termine the cause of the "security breach"
and the persons whose "identity informa-
tion" was accessed or acquired without
their authorization.
(2) Fees, costs or expenses to develop
documents or materials to notify the per-
sons whose "identity information" was ac-
cessed or acquired without their authori-
zation.
(3) Costs of mailings or other communica-
tions required to notify the persons whose
"identity information" was accessed or
acquired without their authorization.
(4) Costs of providing 365 days of credit
monitoring services to persons whose
"identity information" was accessed or
acquired without their authorization, start-
ing with the date that you first notify such
persons of the "security breach".
(5) Costs of establishing and maintaining a
call center to be used by persons whose
"identity information" was accessed or ac-
quired without their authorization.
(6) Any other fees, costs, or expenses nec-
essary to comply with any "security
breach notification law" that applies to
you.
b. Does not include:
(1) Remuneration paid to your regular "em-
ployees" for work beyond their normal
scheduled hours.
(2) Fees, costs, or expenses of outside con-
sultants retained by you, unless we agree
to reimburse you for such fees, costs, or
expenses.
(3) Fines or penalties imposed by law or that
any insured has agreed to pay for any
reason.
(4) Amounts that you voluntarily agree to pay
to any person whose "identity informa-
tion" was accessed or acquired without
his or her authorization.
(5) "Your crisis management service ex-
penses".
EXHIBIT C
SECURITY PROTOCOLS
Overview
System reliability and security is of paramount importance to CiviCore.
Maintaining reliable and secure systems is a multidimensional effort requiring
careful planning and consideration at the following levels.
Physical Environment
CiviCore utilizes Amazon Web Services (AWS) for server hosting. AWS is the
market leader offering world-class, highly secure data centers that utilize state-of-
the-art electronic surveillance and multi-factor access control systems. Data
centers are staffed 24/7 by trained security guards, and access is authorized
strictly on a least privileged basis. For more information please see -
http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf.
Application Architecture
CiviCore applications are built on a multi-tenant architecture enabling each client
application to share infrastructure across the platform of CiviCore applications.
This type of architecture is considered "best practice" for software as a service
applications. Multi-tenant architecture enables economies of scale to be achieved
when testing and monitoring applications for security vulnerabilities. CiviCore
software engineers test applications for vulnerability and continually apply
released patches as needed.
Data security and integrity
Application data is stored in commercial grade MariaDB databases. Client data is
stored in client specific databases. All backups are encrypted before being
transferred.
Network and Data Transmission
Depending on the sensitivity of the data being transmitted, Secure Sockets Layer
(SSL) Protocol and Server Digital Certificates are used to encrypt all data traffic
between our servers and client machines.
Key security attributes:
■ Hosted at top-tier hosting facilities staffed 24x7
■ Redundant systems including RAID-10 disk storage
■ Multi-tenant architecture
■ Data encryption and transmission using secure sockets layer protocol
■ Continual intrusion detection and monitoring
Intrusion Detection and Access Controls
CiviCore servers are protected by network firewalls. These firewalls protect CiviCore servers from unauthorized network
access and traffic. Network access to CiviCore applications may be restricted to specific IP addresses. CiviCore servers
are continually monitored for unauthorized access. For the past several years, CiviCore has undergone an annual
security audit by a third-party security and compliance firm. These audits include penetration testing and a review of
internal policies and procedures.
Vulnerability Testing and Monitoring
CiviCore servers are tested for security vulnerabilities on a monthly basis by a third-party security firm. The contracted
firm provides risk management and threat intelligence to CiviCore in order to protect CiviCore systems. Additionally,
CiviCore employs several performance monitoring systems that monitor CiviCore firewalls and system uptimes 24/7.
CiviCore engineering staff is alerted 24/7 of any system failures or threats in order to immediately address system issues
as they may occur.
Compliance
The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best
practices including HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001,
FedRAMP, DIACAP and FISMA, ITAR, FIPS 140-2, CSA, MPAA. Compliance responsibilities are most often shared,
requiring controls be in place at multiple layers of the information management process. The Amazon and CiviCore
infrastructures provide a solid foundation for all of your compliance objectives. For more information on compliance
please see - https://aws.amazon.com/compliance/.
Additionally, CiviCore maintains PCI (Payment Card Industry Data Security Standard) compliance. These requirements
are designed to ensure that credit card processes, storage and transmittal are conducted in a secure environment.
Authorization Policies
CiviCore applications include a robust set of security policies that may be implemented to provide clients with a security
configuration that provides them with highly configurable and granular access control. Groups of users may be
established and granted specific field or tab level security rights. Additionally, custom security requirements may be set
that define password strength requirements.
Service Level Commitment
CiviCore guarantees to deliver at least 99.9 percent system availability. This includes all network, hardware and
application configurations of the Developer domain. On a monthly basis, 99.9 percent availability equates to a maximum
of 43.2 minutes of unscheduled downtime.
Updated: 08/15/14
EXHIBIT D
DATA BACKUP PROTOCOLS
Overview
CiviCore understands the importance of our client's data. CiviCore has carefully
developed a backup plan to ensure data integrity and maintenance. CiviCore client
databases are backed up in multiple locations to guard against data loss.
Key backup and recovery attributes:
• All backups encrypted
• Redundant backup systems
• Three physical backup locations
• Multiple data backups
Daily backups
Client databases are backed up daily on the CiviCore network infrastructure. Data
is encrypted using 256 bit advanced encryption standards before being
transmitted out of the production environment to an off-site secure facility.
Redundant storage
Multiple backup locations are used to store 30 days of encrypted daily data
backups to guard against a single point of failure. Frequent tests of backup
procedures are used to ensure data integrity of backups.
Data Retention Policies
CiviCore retains client data according to the following schedule.
• Daily Backups — 6 months
• Weekly Backups — 1 year
• Monthly Backups — 2 years
Therefore, clients may request data be restored for any single day in the past 6
months, any single week during the past year, or any month for the past two
years.
Updated: 08/27/2013