C20-398 Online Web Services US. Inc

AGREEMENT FOR PROFESSIONAL SERVICES BETWEEN EAGLE COUNTY AND OWSUS, Inc. (VSTracking.com) THIS AGREEMENT (“Agreement”) is effective as of the _________________ by and between Online Web Services US, Inc. a Colorado C Corporation (hereinafter “Consultant” or “Contractor”) and Eagle County, Colorado, a body corporate and politic (hereinafter “County”). RECITALS WHEREAS, the County wishes to contract with a software provider for a license to use a certain secure online web-based service which is a victim’s services case management software and for hosting, maintenance and support services of the same; and WHEREAS, Contractor is authorized to do business in the State of Colorado and has the time, skill, expertise, and experience necessary to provide the Services as defined by this agreement; and WHEREAS, this Agreement shall govern the relationship between Contractor and County in connection with the Services. NOW, THEREFORE, in consideration of the foregoing and the following promises Consultant and County agree as follows: AGREEMENT 1. DEFINITIONS Whenever used herein, any schedules, exhibits, order forms, or addenda to this Agreement, the following terms shall have the meanings assigned below unless otherwise defined therein. Other capitalized terms used in this Agreement are defined in the context in which they are used. 1.1. “Agreement” means this cloud computing Agreement between County and Contractor, inclusive of all schedules, exhibits, attachments, addenda and other documents incorporated by reference between the County and Contractor. 1.2. “Confidential Information” means any and all records or data not subject to disclosure under CORA. Confidential Information shall include, but is not limited to, PII, PHI, PCI, Tax Information, CJI, and personnel records not subject to disclosure under CORA.
DocuSign Envelope ID: B7A4C0F3-ADED-4E6A-8EFC-9586DB47F620 10/30/2020 C20-398

Confidential Information also means any information or data that a disclosing party treats in a confidential manner and that is marked “Confidential Information” or is considered “proprietary” prior to disclosure to the other party. Confidential Information does not include information which: (a) is public or becomes public through no breach of the confidentiality obligations herein; (b) is disclosed by the party that has received Confidential Information (the "Receiving Party") with the prior written approval of the other party; (c) was known by the Receiving Party at the time of disclosure; (d) was developed independently by the Receiving Party without use of the Confidential Information; (e) becomes known to the Receiving Party from a source other than the disclosing party through lawful means; (f) is disclosed by the disclosing party to others without confidentiality obligations; or (g) is required by law to be disclosed. 1.3. “CORA” means the Colorado Open Records Act, §§ 24-72-200.1, et. seq., C.R.S. 1.4. “County Data” means all information, whether in oral or written (including electronic) form, created by or in any way originating with County and End Users, and all information that is the output of any computer processing, or other electronic manipulation, of any information that was created by or in any way originating with County and End Users, in the course of using and configuring the Services provided under this Agreement, and includes all records relating to County’s use of Contractor Services and Protected Information. 1.5. “Data Incident” means any accidental or deliberate event that results in or constitutes an imminent threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of any communications or information resources of the County.
Data Incidents include, without limitation (i) successful attempts to gain unauthorized access to a County system or County information regardless of where such information is located; (ii) unwanted disruption or denial of service; (iii) the unauthorized use of a County system for the processing or storage of data; or (iv) changes to County system hardware, firmware, or software characteristics without the County’s knowledge, instruction, or consent. It shall also include any actual or reasonably suspected unauthorized access to or acquisition of computerized County Data that compromises the security, confidentiality, or integrity of the County Data, or the ability of County to access the County Data. 1.6. “Deliverable” means the outcome to be achieved or output to be provided, in the form of a tangible object or software that is produced as a result of Contractor’s Work that is intended to be delivered to the County by Contractor. 1.7. "Documentation" means, collectively: (a) all materials published or otherwise made available to County by Contractor that relate to the functional, operational and/or performance capabilities of the Services; (b) all user, operator, system administration, technical, support and other manuals and all other materials published or otherwise made available by Contractor that describe the functional, operational and/or performance capabilities of the Services; (c) any Requests for Information and/or Requests for Proposals (or documents of similar effect) issued by County, and the responses thereto from Contractor, and any document which purports to update or revise any of the foregoing; and (d) the results of any Contractor “Use Cases Presentation”, “Proof of Concept” or similar type presentations or tests provided by Contractor to County. 1.8.
“Downtime” means any period of time of any duration that the Services are not made available by Contractor to County for any reason, including scheduled maintenance or Enhancements. 1.9. “Effective Date” means the date on which this Agreement is fully approved and signed by the County as shown on the Signature Page for this Agreement. The Effective Date for Services may be set out in an order form or similar exhibit. 1.10. “End User” means the individuals (including, but not limited to employees, authorized agents, students and volunteers of County; Third Party consultants, auditors and other independent contractors performing services for County; any governmental, accrediting or regulatory bodies lawfully requesting or requiring access to any Services; customers of County provided services; and any external users collaborating with County) authorized by County to access and use the Services provided by Contractor under this Agreement. 1.11. “End User Data” includes End User account credentials and information, and all records sent, received, or created by or for End Users, including email content, headers, and attachments, and any Protected Information of any End User or Third Party contained therein or in any logs or other records of Contractor reflecting End User’s use of Contractor Services. 1.12. "Enhancements" means any improvements, modifications, upgrades, updates, fixes, revisions and/or expansions to the Services that Contractor may develop or acquire and incorporate into its standard version of the Services or which the Contractor has elected to make generally available to its customers. 1.13. 
“Intellectual Property Rights” includes without limitation all right, title, and interest in and to all (a) Patent and all filed, pending, or potential applications for Patent, including any reissue, reexamination, division, continuation, or continuation-in-part applications throughout the world now or hereafter filed; (b) trade secret rights and equivalent rights arising under the common law, state law, and federal law; (c) copyrights, other literary property or authors rights, whether or not protected by copyright or as a mask work, under common law, state law, and federal law; and (d) proprietary indicia, trademarks, trade names, symbols, logos, and/or brand names under common law, state law, and federal law. 1.14. “PCI” means payment card information including any data related to credit card holders’ names, credit card numbers, or other credit card information as may be protected by state or federal law. 1.15. “PII” means personally identifiable information including, without limitation, any information maintained by the County about an individual that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. PII includes, but is not limited to, all information defined as personally identifiable information in §§ 24-72-501 and 24-73-101, C.R.S. 1.16. “PHI” means any protected health information, including, without limitation any information whether oral or recorded in any form or medium: (i) that relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
PHI includes, but is not limited to, any information defined as Individually Identifiable Health Information by the federal Health Insurance Portability and Accountability Act (“HIPAA”). (See Exhibit A). 1.17. “Protected Information” includes, but is not limited to, PII, student records, protected health information, criminal justice information or individual financial information and other data defined under § 24-72-101, C.R.S., et seq., and personal information that is subject to local, state or federal statute, regulatory oversight or industry standard restricting the use and disclosure of such information. The loss of such Protected Information would constitute a direct damage to the County. 1.18. “Service” means Contractor’s computing solutions, provided to County pursuant to this Agreement, that provide the functionality and/or produce the results described in the Documentation, including without limitation all Enhancements thereto and all interfaces. 1.19. “Subcontractor” means any third party engaged by Contractor to aid in performance of the work or the Service. 1.20. "Third Party" means persons, corporations and entities other than Contractor, County or any of their employees, contractors or agents. 1.21. “Third Party Host” means that the servers where the Contractor’s software resides is at physical location, which is not controlled by the Contractor, sometimes called “managed hosting”, for example, Amazon Web Service. 2. RIGHTS AND LICENSE IN AND TO DATA 2.1. The parties agree that as between them, all rights in and to County Data shall remain the exclusive property of County, and Contractor has a limited, nonexclusive license to access and use County Data as provided in this Agreement solely for the purpose of performing its obligations hereunder. 2.2. 
All End User Data and County Data created and/or processed by the Service is and shall remain the property of County and shall in no way become attached to the Service, nor shall Contractor have any rights in or to the County Data without the express written permission of the County and may not include Protected Information. 2.3. This Agreement does not give a party any rights, implied or otherwise, to the other’s data, content, or intellectual property, except as expressly stated in the Agreement. 2.4. County retains the right to use the Service to access and retrieve data stored on Contractor’s Service infrastructure at any time during the term of this Agreement at its sole discretion. 3. DATA PRIVACY 3.1. Contractor will use County Data and End User Data only for the purpose of fulfilling its duties under this Agreement and for County’s and its End User’s sole benefit and will not share County Data with or disclose it to any Third Party without the prior written consent of County or as otherwise required by law. By way of illustration and not of limitation, Contractor will not use County Data for Contractor’s own benefit and, in particular, will not engage in “data mining” of County Data or communications, whether through automated or human means, except as specifically and expressly required by law or authorized in writing by County. 3.2. Contractor will provide access to County Data only to those Contractor employees, contractors and subcontractors (“Contractor Staff”) who need to access the County Data to fulfill Contractor’s obligations under this Agreement.
Contractor will ensure that, prior to being granted access to the County Data, Contractor Staff who perform work under this Agreement have all undergone and passed criminal background screenings; have successfully completed annual instruction of a nature sufficient to enable them to effectively comply with all data protection provisions of this Agreement; and possess all qualifications appropriate to the nature of the employees’ duties and the sensitivity of the County Data they will be handling. 3.3. If Contractor receives PII of a Colorado resident under this Agreement, Contractor shall implement and maintain reasonable written security procedures and practices that are appropriate to the nature of the PII and the nature and size of Contractor’s business and its operations. Unless Contractor agrees to provide its own security protections for the information it discloses to a third-party service provider, Contractor shall require all its third-party service providers to implement and maintain reasonable written security procedures and practices that are appropriate to the nature of the PII disclosed and reasonably designed to help protect the PII subject to this Agreement from unauthorized access, use, modification, disclosure, or destruction. Contractor and its third-party service providers that maintain electronic or paper documents that contain PII under this Agreement shall develop a written policy for the destruction of such records by shredding, erasing, or otherwise modifying PII to make it unreadable or indecipherable when the records are no longer needed. 3.4. Contractor may provide County Data to its agents, employees, assigns, and Subcontractors as necessary to perform the work, but shall restrict access to Confidential Information to those agents, employees, assigns, and subcontractors who require access to perform their obligations under this Agreement.
Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Agreement, and that the nondisclosure provisions are in force at all times the agent, employee, assign, or Subcontractor has access to any Confidential Information. Contractor shall provide copies of those signed nondisclosure provisions to the County upon execution of the nondisclosure provisions if requested by the County. 4. DATA SECURITY AND INTEGRITY 4.1. All facilities, whether Contractor hosted or Third Party Hosted, used to store and process County Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service availability and to secure County Data from unauthorized access, destruction, use, modification, or disclosure. Such measures include, but not limited to all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Children’s Online Privacy Protection Act (COPPA), (vi) the Family Education Rights and Privacy Act (FERPA), (vii) § 24-72-101, C.R.S., et seq., (viii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (ix) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. 
The Contractor shall submit to the County, within fifteen (15) days of the County’s written request, copies of the Contractor’s policies and procedures to maintain the confidentiality of protected health information to which the Contractor has access, and if applicable, Contractor shall comply with all HIPAA requirements contained herein or attached as an Exhibit. See Exhibit A. 4.2. Contractor warrants that all County Data and End User Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard. 4.3. Contractor shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement. 4.4. Contractor shall, and shall cause its Subcontractors, to do all of the following: 4.4.1. Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement. 4.4.2. Maintain network, system, and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or enhancements consistent with evolving industry standards. 4.4.3. Comply with state and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing. 4.4.4. Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments. 4.4.5. Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity. 4.4.6.
Upon reasonable prior notice, Contractor shall provide the County with scheduled access for the purpose of inspecting and monitoring access and use of County Data, maintaining County systems, and evaluating physical and logical security control effectiveness. 4.4.7. Contractor shall perform current background checks in a form reasonably acceptable to the County on all of its respective employees and agents performing services or having access to County Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within 30 days prior to the date such employee or agent begins performance or obtains access to County Data shall be deemed to be current. 4.4.8. Upon request by the County, Contractor will provide notice to the County IT Department confirming that background checks have been performed. Such notice will inform the County of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check. 4.4.9. If Contractor will have access to Federal Tax Information under the Agreement, Contractor shall comply with the background check requirements defined in IRS Publication 1075 and § 24-50-1002, C.R.S. 4.5. Contractor shall use, hold, and maintain Confidential and Protected Information in compliance with any and all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information. See Exhibit D. 4.6.
Prior to the Effective Date of this Agreement, Contractor, will at its expense conduct or have conducted the following, and thereafter, Contractor will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident: 4.6.1. An SSAE 16/SOC 2 or other mutually agreed upon audit of Contractor’s security policies, procedures and controls; 4.6.2. A quarterly external and internal vulnerability scan of Contractor’s systems and facilities, to include public facing websites, that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high; and 4.6.3. A formal penetration test performed by process and qualified personnel of Contractor’s systems and facilities that are used in any way to deliver Services under this Agreement. 4.7. Contractor will provide County the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of Contractor’s receipt of such results. 4.8. Based on the results and recommendations of the above audits, certifications, scans and tests, Contractor will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement and provide County with written evidence of remediation. 4.9. County may require, at its expense, that Contractor perform additional audits and tests, the results of which will be provided to County within seven (7) business days of Contractor’s receipt of such results. 5. RESPONSE TO LEGAL ORDERS, DEMANDS OR REQUESTS FOR DATA 5.1. Except as otherwise expressly prohibited by law, Contractor will: 5.1.1. 
If required by a court of competent jurisdiction or an administrative body to disclose County Data, Contractor will notify County in writing immediately upon receiving notice of such requirement and prior to any such disclosure; 5.1.2. Consult with County regarding its response; 5.1.3. Cooperate with County’s reasonable requests in connection with efforts by County to intervene and quash or modify the legal order, demand or request; and 5.1.4. Upon County’s request, provide County with a copy of its response. 5.2. If County receives a subpoena, warrant, or other legal order, demand or request seeking data maintained by Contractor, County will promptly provide a copy to Contractor. Contractor will supply County with copies of data required for County to respond within forty-eight (48) hours after receipt of copy from County and will cooperate with County’s reasonable requests in connection with its response. 6. DATA INCIDENT RESPONSE 6.1. The Contractor shall maintain documented policies and procedures for Data Incident and breach reporting, notification, and mitigation. If the Contractor becomes aware of any Data Incident, it shall notify the County immediately and cooperate with the County regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the County. The Contractor shall cooperate with the County to satisfy notification requirements as currently defined in federal, state, or local law. Unless Contractor can establish that none of Contractor or any of its agents, employees, assigns or subcontractors are the cause or source of the Data Incident, Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Data Incident.
After a Data Incident, Contractor shall take steps to reduce the risk of incurring a similar type of Data Incident in the future as directed by the County, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the County at no additional cost to the County. 6.2. Contractor shall report, either orally or in writing, to County any Data Incident involving County Data, or circumstances that could have resulted in unauthorized access to or disclosure or use of County Data, not authorized by this Agreement or in writing by County, including any reasonable belief that an unauthorized individual has accessed County Data. Contractor shall make the report to County immediately upon discovery of the unauthorized disclosure, but in no event more than forty-eight (48) hours after Contractor reasonably believes there has been such unauthorized use or disclosure. Oral reports by Contractor regarding Data Incidents will be reduced to writing and supplied to County as soon as reasonably practicable, but in no event more than forty-eight (48) hours after oral report. 6.3. Immediately upon becoming aware of any such Data Incident, Contractor shall fully investigate the circumstances, extent and causes of the Data Incident, and report the results to County and continue to keep County informed daily of the progress of its investigation until the issue has been effectively resolved. 6.4. Contractor’s report discussed herein shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure (if known), (iv) what Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. 6.5.
Within five (5) calendar days of the date Contractor becomes aware of any such Data Incident, Contractor shall have completed implementation of corrective actions to remedy the Data Incident, restore County access to the Services as directed by County, and prevent further similar unauthorized use or disclosure. 6.6. Contractor, at its expense, shall cooperate fully with County’s investigation of and response to any such Data Incident. 6.7. Except as otherwise required by law, Contractor will not disclose or otherwise provide notice of the incident directly to any person, regulatory agencies, or other entities, without prior written permission from County. 6.8. Notwithstanding any other provision of this Agreement, and in addition to any other remedies available to County under law or equity, Contractor will promptly reimburse County in full for all costs incurred by County in any investigation, remediation or litigation resulting from any such Data Incident, including but not limited to providing notification to Third Parties whose data were compromised and to regulatory bodies, law-enforcement agencies or other entities as required by law or contract; establishing and monitoring call center(s), and credit monitoring and/or identity restoration services to assist each person impacted by a Data Incident in such a fashion that, in County’s sole discretion, could lead to identity theft; and the payment of legal fees and expenses, audit costs, fines and penalties, and other fees imposed by regulatory agencies, courts of law, or contracting partners as a result of the Data Incident. 7. DATA RETENTION AND DISPOSAL 7.1. Contractor will retain Data in an End User’s account, including attachments, until the End User deletes them or for the time period mutually agreed to by the parties in this Agreement. 7.2. Using appropriate and reliable storage media, Contractor will regularly backup Data and retain such backup copies consistent with the County’s data retention policies.
7.3. At the County’s election, Contractor will either securely destroy or transmit to County repository any backup copies of County and/or End User Data. Contractor will supply County a certificate indicating the records disposed of, the date disposed of, and the method of disposition used. 7.4. Contractor will retain logs associated with End User activity consistent with the County’s data retention policies. 7.5. Contractor will immediately preserve the state of the data at the time of the request and place a “hold” on data destruction or disposal under its usual records retention policies of records that include data, in response to an oral or written request from County indicating that those records may be relevant to litigation that County reasonably anticipates. Oral requests by County for a hold on record destruction will be reduced to writing and supplied to Contractor for its records as soon as reasonably practicable under the circumstances. County will promptly coordinate with Contractor regarding the preservation and disposition of these records. Contractor shall continue to preserve the records until further notice by County. 8. DATA TRANSFER UPON TERMINATION OR EXPIRATION 8.1. Upon expiration or earlier termination of this Agreement or any Services provided in this Agreement, Contractor shall accomplish a complete transition of the Services from Contractor to the County or any replacement provider designated solely by the County without any interruption of or adverse impact on the Services or any other services provided by third parties in this Agreement. Contractor shall cooperate fully with the County or such replacement provider and promptly take all steps required to assist in effecting a complete transition of the Services designated by the County.
All services related to such transition shall be performed at no additional cost beyond what would be paid for the Services in this Agreement. 8.2. In the event of termination of any services or agreement in entirety, the Contractor shall not take any action to intentionally erase any County Data for a period of 60 days after the effective date of termination. After such period, the Contractor shall have no obligation to maintain or provide any County Data. After the 60-day period, unless otherwise agreed upon by Contractor and County in writing, Contractor will securely dispose all County Data in its systems or otherwise in its possession or under its control. 8.3. During any period of service suspension, the Contractor shall not take any action to intentionally erase any County Data. 9. SERVICE LEVELS Incorporated into Agreement and Statement of Work as detailed in Exhibit B. 10. COMPLIANCE WITH APPLICABLE LAWS AND COUNTY POLICIES Contractor will comply with all applicable laws, codes, rules and regulations in performing the Services under this Agreement. Any Contractor personnel visiting County’s facilities will comply with all applicable County policies regarding access to, use of, and conduct within such facilities. County will provide copies of such policies to Contractor upon request. 11. WARRANTIES, REPRESENTATIONS AND COVENANTS 11.1. Contractor represents and warrants that: 11.1.1. The Service will conform to applicable specifications, and operate and produce results substantially in accordance with the Documentation and the Exhibits attached hereto, and will be free from deficiencies and defects in materials, workmanship, design and/or performance during the Term of this Agreement; 11.1.2. All technology related services will be performed by qualified personnel in a professional and workmanlike manner, consistent with industry standards; 11.1.3.
Contractor has the requisite ownership, rights and licenses to perform its obligations under this Agreement fully as contemplated hereby and to grant to the County all rights with respect to the software and Services free and clear from all liens, adverse claims, encumbrances and interests of any Third Party; 11.1.4. There are no pending or threatened lawsuits, claims, disputes or actions: (i) alleging that any software or service infringes, violates or misappropriates any Third Party rights; or (ii) adversely affecting any software, service or supplier's ability to perform its obligations hereunder; 11.1.5. The Service will not violate, infringe, or misappropriate any patent, copyright, trademark, trade secret, or other intellectual property or proprietary right of any Third Party; and 11.1.6. The software and Service will contain no malicious or disabling code that is intended to damage, destroy or destructively alter software, hardware, systems or data. Contractor shall be responsible for the completeness and accuracy of the Services, including all supporting data or other documents prepared or compiled in performance of the Services, and shall correct, at its sole expense, all significant errors and omissions therein. The fact that the County has accepted or approved the Services shall not relieve Consultant of any of its responsibilities. If Contractor is unable to correct any breach in the Services warranty by the date which is sixty (60) calendar days after County provides notice of such breach, County may, in its sole discretion, either extend the time for Contractor to cure the breach or terminate this Agreement and receive a full refund of all amounts paid to Contractor under this Agreement. 11.2. Disabling Code Warranty.
Contractor represents, warrants and agrees that the Services do not contain and County will not receive from Contractor any virus, worm, trap door, back door, timer, clock, counter or other limiting routine, instruction or design, or other malicious, illicit or similar unrequested code, including surveillance software or routines which may, or is designed to, permit access by any person, or on its own, to erase, or otherwise harm or modify any County system or Data (a "Disabling Code"). In the event a Disabling Code is identified, Contractor shall take all steps necessary, at no additional cost to County, to: (a) restore and/or reconstruct any and all Data lost by County as a result of Disabling Code; (b) furnish to County a corrected version of the Services without the presence of Disabling Codes; and, (c) as needed, re-implement the Services at no additional cost to County. This warranty shall remain in full force and effect as long as this Agreement remains in effect. 11.3. Third Party Warranties and Indemnities. Contractor will assign to County all Third Party warranties and indemnities that Contractor receives in connection with any products provided to County. To the extent that Contractor is not permitted to assign any warranties or indemnities through to County, Contractor agrees to specifically identify and enforce those warranties and indemnities on behalf of County to the extent Contractor is permitted to do so under the terms of the applicable Third Party agreements. 11.4. THE WARRANTIES SET FORTH ABOVE ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THE SERVICES PURSUANT TO THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY. 12. CONFIDENTIALITY 12.1. Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all County Data, unless the County Data are publicly available. 
Contractor shall not, without prior written approval of the County, use, publish, copy, disclose to any third party, or permit the use by any third party of any County Data, except as otherwise stated in this Agreement, permitted by law, or approved in writing by the County. Contractor shall provide for the security of all Confidential Information in accordance with all applicable laws, rules, policies, publications, and guidelines. If Contractor or any of its Subcontractors will or may receive the following types of data, Contractor or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax Information and in accordance with the Safeguarding Requirements for Federal Tax Information, attached to this Contract as an Exhibit if applicable; (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI; (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI; and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and in accordance with the HIPAA Business Associate Agreement attached to this Agreement as an Exhibit if applicable. 12.2. The Contractor agrees to exercise the same degree of care and protection with respect to the Confidential Information that it exercises with respect to its own similar Confidential Information and not to directly or indirectly provide, disclose, copy, distribute, republish or otherwise allow any Third Party to have access to any Confidential Information without prior written permission from the disclosing party. 
However: (a) either party may disclose Confidential Information to its employees and authorized agents who have a need to know; (b) either party may disclose Confidential Information if so required to perform any obligations under this Agreement; and (c) either party may disclose Confidential Information if so required by law (including court order or subpoena). Nothing in this Agreement shall in any way limit the ability of County to comply with any laws or legal process concerning disclosures by public entities. Contractor acknowledges that any responses, materials, correspondence, documents or other information provided to County are subject to applicable state and federal law, including CORA, and that the release of Confidential Information in compliance with those acts or any other law will not constitute a breach or threatened breach of this Agreement. 12.3. Contractor will inform its employees and officers of the obligations under this Agreement, and all requirements and obligations of the Receiving Party under this Agreement shall survive the expiration or earlier termination of this Agreement. Contractor shall not disclose County Data or Confidential Information to subcontractors unless such subcontractors are bound by non-disclosure and confidentiality provisions at least as strict as those contained in this Agreement. 13. COLORADO OPEN RECORDS ACT The parties understand that all the material provided or produced under this Agreement, including items marked Proprietary or Confidential, may be subject to the Colorado Open Records Act, § 24-72-201, et seq., C.R.S. In the event of a request to the County for disclosure of such information, the County shall advise Contractor of such request in order to give Contractor the opportunity to object to the disclosure of any of its documents which it marked as proprietary or confidential material. 
In the event of the filing of a lawsuit to compel such disclosure, the County will tender all such material to the court for judicial determination of the issue of disclosure and Contractor agrees to intervene in such lawsuit to protect and assert its claims of privilege against disclosure of such material or waive the same. Contractor further agrees to defend, indemnify and save and hold harmless the County, its officers, agents and employees, from any claim, damages, expense, loss or costs arising out of Contractor’s intervention to protect and assert its claim of privilege against disclosure under this Article including but not limited to, prompt reimbursement to the County of all reasonable attorney fees, costs and damages that the County may incur directly or may be ordered to pay by such court. 14. SOFTWARE AS A SERVICE, SUPPORT AND SERVICES TO BE PERFORMED 14.1. Contractor, under the general direction of, and in coordination with, the County’s IT Department or other designated supervisory personnel (the “Manager”) agrees to provide the Services listed on Exhibit B and perform the technology related services described on attached Exhibit B (the “Statement of Work” or “SOW”). 14.2. As the Manager directs, the Contractor shall diligently undertake, perform, and complete all of the technology related services and produce all the deliverables set forth on Exhibit B to the County’s satisfaction. 14.3. By signing below, Contractor represents that it has the expertise and personnel necessary to properly and timely perform the technology related services and the Services required by this Agreement. 14.4. 
The Contractor shall faithfully perform the technology related services in accordance with the standards of care, skill, training, diligence, and judgment provided by highly competent individuals performing services of a similar nature to those described in the Agreement and in accordance with the terms of the Agreement. 14.5. User ID Credentials. Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: 14.5.1. Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation) 14.5.2. Account credential lifecycle management from instantiation through revocation 14.5.3. Account credential and/or identity store minimization or re-use when feasible 14.5.4. Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expirable, non-shared authentication secrets) 14.6. Vendor Supported Releases. The Contractor shall maintain the currency of all third-party software used in the development and execution or use of the software including, but not limited to: all code libraries, frameworks, components, and other products (e.g., Java JRE, code signing certificates, .NET, jQuery plugins, etc.), whether commercial, free, open-source, or closed-source; with third-party vendor approved and supported releases. 14.7. Azure AD. The County’s Identity and Access Provider system is an integrated infrastructure solution that enables many of the County’s services and online resources to operate more efficiently, effectively, economically and securely. All new and proposed applications must utilize federated single sign-on via Azure AD. 
Strong authentication is required for privileged accounts or accounts with access to sensitive information. This technical requirement applies to all solutions, regardless of where the application is hosted. 15. GRANT OF LICENSE; RESTRICTIONS 15.1. Contractor hereby grants to County a right and license to: (a) display, perform, and use the Service; and (b) use all intellectual property rights necessary to use the Service as authorized in subparagraph (a). 15.2. Title to and ownership of the Service will remain with Contractor. County will not reverse engineer or reverse compile any part of the Service. County will not remove, obscure or deface any proprietary notice or legend contained in the Service or Documentation without Contractor's prior written consent. 16. DELIVERY AND ACCEPTANCE 16.1. During the implementation of the Service, the County may test and evaluate the Service to ensure that the Service conforms, in the County’s reasonable judgment, to the specifications outlined in the SOW or the Documentation. If at any time the Service does not conform to said specifications, the County will notify Contractor in writing within sixty (60) days. Contractor will, at its expense, repair or replace the nonconforming Service within fifteen (15) days after receipt of the County’s notice of deficiency. The foregoing procedure will be repeated until the County accepts or finally rejects the Service, in whole or part, in its sole discretion. In the event that the Service does not perform to the County’s satisfaction, the County reserves the right to repudiate acceptance and terminate this Agreement in its sole discretion. In the event that the County finally rejects the Service, or repudiates acceptance of it and terminates this Agreement, Contractor will refund to the County all fees paid, if any, by the County with respect to the Service. 16.2. 
If the County is not satisfied with the Contractor’s performance of the technology related services described in the SOW, the County will so notify Contractor within thirty (30) days after Contractor’s performance thereof. Contractor will, at its own expense, re-perform the service within fifteen (15) days after receipt of County's notice of deficiency. The foregoing procedure will be repeated until County accepts or finally rejects the technology related service in its sole discretion. In the event that County finally rejects any technology related service, Contractor will refund to County all fees paid by County with respect to such technology related service. 17. TERM This Agreement shall commence upon the date first written above, and subject to the provisions of paragraph 19 hereof, shall continue for one year. Thereafter, this agreement shall be automatically renewed for successive periods of 12 months (each a “Renewal Term”), unless either party notifies the other party of termination, in writing, at least sixty (60) days before the end of the initial Term or any Renewal Term. 18. COMPENSATION AND PAYMENT: 18.1. Fee: The fee for the Service and technology related services described in Exhibit B is $1,700 (the “Fee”). The one-time fee for Data Conversion shall not exceed $4,000 (the “Data Conversion Fee”). The Fee and Data Conversion Fee shall be paid in accordance with the Payment Milestones in Exhibit B. County will not withhold any taxes from monies paid to the Consultant hereunder and Consultant agrees to be solely responsible for the accurate reporting and payment of any taxes related to payments made pursuant to the terms of this Agreement. 18.2. Reimbursement Expenses: Any out-of-pocket expenses to be incurred by Contractor and reimbursed by County shall be identified on Exhibit B. 
Out-of-pocket expenses will be reimbursed without any additional mark-up thereon and are included in the Maximum Payment Obligation set forth below. Out-of-pocket expenses shall not include any payment of salaries, bonuses or other compensation to personnel of Contractor. Contractor shall not be reimbursed for expenses that are not set forth on Exhibit B unless specifically approved in writing by County. 18.3. Invoicing: Contractor must submit an invoice which shall include clear identification of the deliverable that has been completed, and other information reasonably requested by the County. Payment will be made for Services satisfactorily performed within thirty (30) days of receipt of a proper and accurate invoice from Contractor. 18.4. Maximum Payment Obligation: 18.4.1. Notwithstanding any other provision of the Agreement, the County’s maximum payment obligation for the initial Term of this Agreement shall not exceed $5,700.00. No additional services or work performed by Consultant shall be the basis for additional compensation unless and until Consultant has obtained written authorization and acknowledgement by County for such additional services in accordance with County’s internal policies. Accordingly, no course of conduct or dealings between the parties, nor verbal change orders, express or implied acceptance of alterations or additions to the Services, and no claim that County has been unjustly enriched by any additional services, whether or not there is in fact any such unjust enrichment, shall be the basis of any increase in the compensation payable hereunder. 
In the event that written authorization and acknowledgment by County for such additional services is not timely executed and issued in strict accordance with this Agreement, Consultant’s rights with respect to such additional services shall be deemed waived and such failure shall result in non-payment for such additional services or work performed. 18.4.2. For any Renewal Term, the maximum payment obligation for the Fee shall not exceed the sum that is equal to a three percent (3%) increase over the prior year’s Fee. 18.4.3. Notwithstanding anything to the contrary contained in this Agreement, County shall have no obligations under this Agreement after, nor shall any payments be made to Consultant in respect of any period after December 31 of any year, without an appropriation therefor by County in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. § 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20). 18.5. If, at any time during the term or after termination or expiration of this Agreement, County reasonably determines that any payment made by County to Consultant was improper because the Services for which payment was made were not performed as set forth in this Agreement, then upon written notice of such determination and request for reimbursement from County, Consultant shall forthwith return such payment(s) to County. Upon termination or expiration of this Agreement, unexpended funds advanced by County, if any, shall forthwith be returned to County. 19. STATUS OF CONTRACTOR This Agreement constitutes an agreement for performance of the Services by Contractor as an independent contractor and not as an employee of County. 
Nothing contained in this Agreement shall be deemed to create a relationship of employer-employee, master-servant, partnership, joint venture or any other relationship between County and Contractor except that of independent contractor. Contractor shall have no authority to bind County. 20. TERMINATION 20.1. County may terminate this Agreement, in whole or in part, at any time and for any reason, with or without cause, and without penalty therefor with thirty (30) calendar days’ prior written notice to the Contractor. 20.2. Notwithstanding the preceding paragraph, the County may terminate the Agreement if the Contractor or any of its officers or employees are convicted, plead nolo contendere, enter into a formal agreement in which they admit guilt, enter a plea of guilty or otherwise admit culpability to criminal offenses of bribery, kickbacks, collusive bidding, bid-rigging, antitrust, fraud, undue influence, theft, racketeering, extortion or any offense of a similar nature in connection with Contractor’s business. Termination for the reasons stated in this paragraph is effective upon receipt of notice. 20.3. Upon termination of the Agreement, with or without cause, the Contractor shall have no claim against the County by reason of, or arising out of, incidental or relating to termination, except for compensation for work duly requested and satisfactorily performed as described in the Agreement and shall refund to the County any prepaid cost or expenses. 21. 
WHEN RIGHTS AND REMEDIES NOT WAIVED In no event shall any action by either Party hereunder constitute or be construed to be a waiver by the other Party of any breach of covenant or default which may then exist on the part of the Party alleged to be in breach, and the non-breaching Party’s action or inaction when any such breach or default shall exist shall not impair or prejudice any right or remedy available to that Party with respect to such breach or default; and no assent, expressed or implied, to any breach of any one or more covenants, provisions or conditions of the Agreement shall be deemed or taken to be a waiver of any other breach. 22. INSURANCE 22.1. General Conditions: Contractor agrees to secure, at or before the time of execution of this Agreement, the following insurance covering all operations, goods or services provided pursuant to this Agreement. Contractor shall keep the required insurance coverage in force at all times during the term of the Agreement, or any extension thereof, during any warranty period, and for three (3) years after termination of the Agreement. The required insurance shall be underwritten by an insurer licensed or authorized to do business in Colorado and rated by A.M. Best Company as “A-” VIII or better. Each policy shall contain a valid provision or endorsement requiring notification to the County in the event any of the required policies is canceled or non-renewed before the expiration date thereof. Such written notice shall be sent to the parties identified in the Notices section of this Agreement. Such notice shall reference the County contract number listed on the signature page of this Agreement. Said notice shall be sent thirty (30) days prior to such cancellation or non-renewal unless due to non-payment of premiums for which notice shall be sent ten (10) days prior. 
If such written notice is unavailable from the insurer, Contractor shall provide written notice of cancellation, non-renewal and any reduction in coverage to the parties identified in the Notices section by certified mail, return receipt requested within three (3) business days of such notice by its insurer(s) and referencing the County’s contract number. If any policy is in excess of a deductible or self-insured retention, the County must be notified by the Contractor. Contractor shall be responsible for the payment of any deductible or self-insured retention. The insurance coverages specified in this Agreement are the minimum requirements, and these requirements do not lessen or limit the liability of the Contractor. The Contractor shall maintain, at its own expense, any additional kinds or amounts of insurance that it may deem necessary to cover its obligations and liabilities under this Agreement. 22.2. Proof of Insurance: Contractor shall provide a copy of this Agreement to its insurance agent or broker. Contractor may not commence services or work relating to the Agreement prior to placement of coverages required under this Agreement. Contractor certifies that the certificate of insurance attached as Exhibit C, preferably an ACORD certificate, complies with all insurance requirements of this Agreement. The County’s acceptance of a certificate of insurance or other proof of insurance that does not comply with all insurance requirements set forth in this Agreement shall not act as a waiver of Contractor’s breach of this Agreement or of any of the County’s rights or remedies under this Agreement. 22.3. Additional Insureds: For Commercial General Liability, Auto Liability and Excess Liability/Umbrella (if required), Contractor and subcontractor’s insurer(s) shall include the County, its elected and appointed officials, employees and volunteers as additional insured. 22.4. 
Waiver of Subrogation: Consultant’s insurance coverage shall be primary and non-contributory with respect to all other available sources. Consultant’s policy shall contain a waiver of subrogation against Eagle County. 22.5. Subcontractors and Subconsultants: All subcontractors and subconsultants (including independent contractors, suppliers or other entities providing goods or services required by this Agreement) shall be subject to all of the requirements herein and shall procure and maintain the same coverages required of the Contractor. Contractor shall include all such subcontractors as additional insured under its policies (with the exception of Workers’ Compensation) or shall ensure that all such subcontractors and subconsultants maintain the required coverages. Contractor agrees to provide proof of insurance for all such subcontractors and subconsultants upon request by the County. 22.6. Workers’ Compensation/Employer’s Liability Insurance: Contractor shall maintain the coverage as required by statute for each work location and shall maintain Employer’s Liability insurance with limits of $100,000 per occurrence for each bodily injury claim, $100,000 per occurrence for each bodily injury caused by disease claim, and $500,000 aggregate for all bodily injuries caused by disease claims. Contractor expressly represents to the County, as a material representation upon which the County is relying in entering into this Agreement, that none of the Contractor’s officers or employees who may be eligible under any statute or law to reject Workers’ Compensation Insurance shall effect such rejection during any part of the term of this Agreement, and that any such rejections previously effected, have been revoked as of the date Contractor executes this Agreement. 22.7. 
Commercial General Liability: Contractor shall maintain a Commercial General Liability insurance policy with limits of $1,000,000 for each occurrence, $1,000,000 for each personal and advertising injury claim, $2,000,000 products and completed operations aggregate, and $2,000,000 policy aggregate. 22.8. Business Automobile Liability: Contractor shall maintain Business Automobile Liability with limits as required by law. 22.9. Technology Errors & Omissions: Contractor shall maintain Technology Errors and Omissions insurance including cyber liability, network security, privacy liability and product failure coverage with limits of $1,000,000 per occurrence and $1,000,000 policy aggregate. 22.10. Additional Provisions: 22.10.1. For Commercial General Liability, the policy must provide the following: 22.10.1.1. That this Agreement is an Insured contract under the policy; 22.10.1.2. Defense costs are outside the limits of liability; 22.10.1.3. A severability of interests or separation of insureds provision (no insured vs. insured exclusion); and 22.10.1.4. A provision that coverage is primary and non-contributory with other coverage or self-insurance maintained by the County. 22.10.2. For claims-made coverage: 22.10.2.1. The retroactive date must be on or before the Agreement date or the first date when any goods or services were provided to the County, whichever is earlier. 22.10.2.2. Contractor shall advise the County in the event any general aggregate or other aggregate limits are reduced below the required per occurrence limits. At their own expense, and where such general aggregate or other aggregate limits have been reduced below the required per occurrence limit, the Contractor will procure such per occurrence limits and furnish a new certificate of insurance showing such coverage is in force. 22.10.3. 
Consultant is not entitled to workers’ compensation benefits except as provided by the Consultant, nor to unemployment insurance benefits unless unemployment compensation coverage is provided by Consultant or some other entity. The Consultant is obligated to pay all federal and state income tax on any moneys paid pursuant to this Agreement. 22.10.4. If Consultant fails to secure and maintain the insurance required by this Agreement and provide satisfactory evidence thereof to County, County shall be entitled to immediately terminate this Agreement. 22.10.5. The insurance provisions of this Agreement shall survive expiration or termination hereof. 23. DEFENSE AND INDEMNIFICATION 23.1. Contractor hereby agrees to defend, indemnify, reimburse and hold harmless County, and any of its appointed and elected officials, agents and employees (“Indemnified Parties”) for, from and against all liabilities, claims, judgments, suits or demands for damages to persons or property arising out of, resulting from, or relating to the Services or work performed under this Agreement or are based on any performance or nonperformance by Contractor or any of its subcontractors hereunder (“Claims”). This indemnity shall be interpreted in the broadest possible manner to indemnify County for any acts or omissions of Contractor or its subcontractors either passive or active, irrespective of fault, including County’s concurrent negligence whether active or passive, except for the sole negligence or willful misconduct of County. This indemnification shall not apply to claims by third parties against the County to the extent that County is liable to such third party for such claims without regard to the involvement of the Consultant. 23.2. Contractor’s duty to defend and indemnify County shall arise at the time written notice of the Claim is first provided to County regardless of whether claimant has filed suit on the Claim. 
Contractor’s duty to defend and indemnify County shall arise even if County is the only party sued by claimant and/or claimant alleges that County’s negligence or willful misconduct was the sole cause of claimant’s damages. 23.3. Contractor will defend any and all Claims which may be brought or threatened against County and will pay on behalf of County any expenses incurred by reason of such Claims including, but not limited to, court costs and attorney fees incurred in defending and investigating such Claims or seeking to enforce this indemnity obligation. Such payments on behalf of County shall be in addition to any other legal remedies available to County and shall not be considered County’s exclusive remedy. 23.4. Insurance coverage requirements specified in this Agreement shall in no way lessen or limit the liability of the Contractor under the terms of this indemnification obligation. The Contractor shall obtain, at its own expense, any additional insurance that it deems necessary for the County’s protection. 23.5. Contractor shall indemnify, save, and hold harmless the Indemnified Parties, against any and all costs, expenses, claims, damages, liabilities, and other amounts (including attorneys’ fees and costs) incurred by the Indemnified Parties in relation to any claim that any Deliverable, Service, software, or work product provided by Contractor under this Agreement (collectively, “IP Deliverables”), or the use thereof, infringes a patent, copyright, trademark, trade secret, or any other intellectual property right. 23.6. This defense and indemnification obligation shall survive the expiration or termination of this Agreement. 24. 
COLORADO GOVERNMENTAL IMMUNITY ACT The parties hereto understand and agree that the County is relying upon, and has not waived, the monetary limitations and all other rights, immunities and protection provided by the Colorado Governmental Act, § 24-10-101, et seq., C.R.S. (2003). 25. TAXES, CHARGES AND PENALTIES The County shall not be liable for the payment of taxes, late charges or penalties of any nature other than the compensation stated herein. 26. ASSIGNMENT; SUBCONTRACTING The Contractor shall not voluntarily or involuntarily assign any of its rights or obligations, or subcontract performance obligations, under this Agreement without obtaining the County’s prior written consent. Any assignment or subcontracting without such consent will be ineffective and void and shall be cause for termination of this Agreement by the County. The County has sole and absolute discretion whether to consent to any assignment or subcontracting, or to terminate the Agreement because of unauthorized assignment or subcontracting. In the event of any subcontracting or unauthorized assignment: (i) the Contractor shall remain responsible to the County; and (ii) no contractual relationship shall be created between the County and any sub-consultant, subcontractor or assign. 27. NO THIRD-PARTY BENEFICIARY Enforcement of the terms of the Agreement and all rights of action relating to enforcement are strictly reserved to the parties. Nothing contained in the Agreement gives or allows any claim or right of action to any third person or entity. Any person or entity other than the County or the Contractor receiving services or benefits pursuant to the Agreement is an incidental beneficiary only. 28. NO AUTHORITY TO BIND COUNTY TO CONTRACTS The Contractor lacks any authority to bind the County on any contractual matters. 29. 
AGREEMENT AS COMPLETE INTEGRATION-AMENDMENTS The Agreement is the complete integration of all understandings between the parties as to the subject matter of the Agreement. No prior, contemporaneous or subsequent addition, deletion, or other modification has any force or effect, unless embodied in the Agreement in writing. No oral representation by any officer or employee of the County at variance with the terms of the Agreement or any written amendment to the Agreement will have any force or effect or bind the County. 30. SEVERABILITY Except for the provisions of the Agreement requiring appropriation of funds and limiting the total amount payable by the County, if a court of competent jurisdiction finds any provision of the Agreement or any portion of it to be invalid, illegal, or unenforceable, the validity of the remaining portions or provisions will not be affected, if the intent of the parties can be fulfilled. 31. CONFLICT OF INTEREST 31.1. The signatories to this Agreement aver to their knowledge, no employee of the County has any personal or beneficial interest whatsoever in the Services or Property described in this Agreement. The Consultant has no beneficial interest, direct or indirect, that would conflict in any manner or degree with the performance of the Services and Consultant shall not employ any person having such known interests. 31.2. The Contractor shall not engage in any transaction, activity or conduct that would result in a conflict of interest under the Agreement. The Contractor represents that it has disclosed any and all current or potential conflicts of interest. A conflict of interest shall include transactions, activities or conduct that would affect the judgment, actions or work of the Contractor by placing the Contractor’s own interests, or the interests of any party with whom the Contractor has a contractual arrangement, in conflict with those of the County. 
The County, in its sole discretion, will determine the existence of a conflict of interest and may terminate the Agreement in the event it determines a conflict exists, after it has given the Contractor written notice describing the conflict. 32. NOTICES All notices required by the terms of the Agreement must be hand delivered, sent by overnight courier service, mailed by certified mail, return receipt requested, or mailed via United States mail, postage prepaid, if to Contractor at the address first above written, and if to the County at: Eagle County, Colorado Attention: Jessie Porter 500 Broadway Post Office Box 850 Eagle, CO 81631 Telephone: 970-328-8540 Facsimile: 970-328-1488 E-Mail: Jessie.porter@eaglecounty.us With copy to: Director of Innovation & Technology or Designee PO Box 850 500 Broadway Eagle, Colorado 81631 Eagle County Attorney’s Office PO Box 850 500 Broadway Eagle, Colorado 81631 CONTRACTOR CONTACT INFORMATION Notices hand delivered or sent by overnight courier are effective upon delivery. Notices sent by certified mail are effective upon receipt. Notices sent by mail are effective upon deposit with the U.S. Postal Service. The parties may designate substitute addresses where or persons to whom notices are to be mailed or delivered. However, these substitutions will not become effective until actual receipt of written notification. 34. GOVERNING LAW; VENUE Any and all claims, disputes or controversies related to this Agreement, or breach thereof, shall be litigated in the District Court for Eagle County, Colorado, which shall be the sole and exclusive forum for such litigation. This Agreement shall be construed and interpreted under and shall be governed by the laws of the State of Colorado. 35. 
NO DISCRIMINATION IN EMPLOYMENT In connection with the performance of work under this contract, the Contractor may not refuse to hire, discharge, promote or demote, or discriminate in matters of compensation against any person otherwise qualified, solely because of race, color, religion, national origin, gender, age, military status, sexual orientation, gender identity or gender expression, marital status, or physical or mental disability. The Contractor shall insert the foregoing provision in all subcontracts. 36. LEGAL AUTHORITY Contractor represents and warrants that it possesses the legal authority, pursuant to any proper, appropriate and official motion, resolution or action passed or taken, to enter into the Agreement. Each person signing and executing the Agreement on behalf of Contractor represents and warrants that he has been fully authorized by Contractor to execute the Agreement on behalf of Contractor and to validly and legally bind Contractor to all the terms, performances and provisions of the Agreement. The County shall have the right, in its sole discretion, to either temporarily suspend or permanently terminate the Agreement if there is a dispute as to the legal authority of either Contractor or the person signing the Agreement to enter into the Agreement. 37. NO CONSTRUCTION AGAINST DRAFTING PARTY The parties and their respective counsel have had the opportunity to review the Agreement, and the Agreement will not be construed against any party merely because any provisions of the Agreement were prepared by a particular party. 38. ORDER OF PRECEDENCE In the event of any conflicts between the language of the Agreement and the exhibits, the language of the Agreement controls. 39. 
SURVIVAL OF CERTAIN PROVISIONS The terms of the Agreement and any exhibits and attachments that by reasonable implication contemplate continued performance, rights, or compliance beyond expiration or termination of the Agreement survive the Agreement and will continue to be enforceable. Without limiting the generality of this provision, the Contractor’s obligations to provide insurance and to indemnify the County will survive for a period equal to any and all relevant statutes of limitation, plus the time necessary to fully resolve any claims, matters, or actions begun within that period. 40. INUREMENT The rights and obligations of the parties herein set forth shall inure to the benefit of and be binding upon the parties hereto and their respective successors and assigns permitted under this Agreement. 41. TIME IS OF THE ESSENCE The parties agree that in the performance of the terms, conditions, and requirements of this Agreement, time is of the essence. 42. FORCE MAJEURE Neither party shall be responsible for failure to fulfill its obligations hereunder or liable for damages resulting from delay in performance as a result of war, fire, strike, riot or insurrection, natural disaster, unreasonable delay of carriers, governmental order or regulation, complete or partial shutdown of plant, unreasonable unavailability of equipment or software from suppliers, default of a subcontractor or vendor (if such default arises out of causes beyond their reasonable control), the actions or omissions of the other party or its officers, directors, employees, agents, Contractors or elected officials and/or other substantially similar occurrences beyond the party’s reasonable control (“Excusable Delay”) herein. In the event of any such Excusable Delay, time for performance shall be extended for a period of time as may be reasonably necessary to compensate for such delay. 43. 
PARAGRAPH HEADINGS The captions and headings set forth herein are for convenience of reference only and shall not be construed so as to define or limit the terms and provisions hereof. 44. COUNTY EXECUTION OF AGREEMENT: This Agreement is expressly subject to and shall not be or become effective or binding on the County until it has been fully executed by all signatories of the County. 45. COUNTERPARTS OF THIS AGREEMENT This Agreement may be executed in counterparts, each of which shall be deemed to be an original of this Agreement. 46. ELECTRONIC SIGNATURES AND ELECTRONIC RECORDS Contractor consents to the use of electronic signatures by the County. The Agreement, and any other documents requiring a signature hereunder, may be signed electronically by the County in the manner specified by the County. The Parties agree not to deny the legal effect or enforceability of the Agreement solely because it is in electronic form or because an electronic record was used in its formation. The Parties agree not to object to the admissibility of the Agreement in the form of an electronic record, or a paper copy of an electronic document, or a paper copy of a document bearing an electronic signature, on the ground that it is an electronic record or electronic signature or that it is not in its original form or is not an original. 47. ADVERTISING AND PUBLIC DISCLOSURE The Contractor shall not include any reference to the Agreement or to services performed pursuant to the Agreement in any of the Contractor’s advertising or public relations materials without first obtaining the written approval of the Manager. Any oral presentation or written materials related to services performed under the Agreement will be limited to services that have been accepted by the County. The Contractor shall notify the Manager in advance of the date and time of any presentation. 
Nothing in this provision precludes the transmittal of any information to County officials. 48. COMPLIANCE FOR IN-SCOPE SERVICES The Contractor covenants and agrees to comply with all information security and privacy obligations imposed by any federal, state, or local statute or regulation, or by any industry standards or guidelines, as applicable based on the classification of the data relevant to Contractor’s performance under the Contract. Such obligations may arise from: 48.1 HIPAA 48.2 IRS Publication 1075 48.3 Payment Card Industry Data Security Standard (PCI-DSS) 48.4 FBI Criminal Justice Information Service Security Addendum 48.5 CMS Minimum Acceptable Risk Standards for Exchanges and further covenants and agrees to maintain compliance with the same when appropriate for the Data and Services provided under the Agreement. Contractor further agrees to exercise reasonable due diligence to ensure that all of its service providers, agents, business partners, contractors, subcontractors and any person or entity that may have access to Data under this Agreement maintain compliance with and comply in full with the terms and conditions set out in this Section. Notwithstanding Force Majeure, the respective processing, handling, and security standards and guidelines referenced by this section may be revised or changed from time to time or Data may be utilized within the Services that change the compliance requirements. In the event that compliance requirements change, the Contractor and County shall collaborate in good faith and use all reasonable efforts to become or remain compliant as necessary under this section. In the event that compliance is required or statutory and no reasonable efforts are available, the County at its discretion may terminate the agreement for cause. 49. 
ON-LINE AGREEMENT DISCLAIMER Notwithstanding anything to the contrary herein, the County shall not be subject to any provision included in any terms, conditions, or agreements appearing on Contractor’s or a Subcontractor’s website or any provision incorporated into any click-through or online agreements related to the work unless that provision is specifically referenced in this Agreement. 50. PROHIBITED TERMS Any term included in this Agreement that requires the County to indemnify or hold Contractor harmless; requires the County to agree to binding arbitration; limits Contractor’s liability for damages resulting from death, bodily injury, or damage to tangible property; or that conflicts with this provision in any way shall be void ab initio. Nothing in this Agreement shall be construed as a waiver of any provision of §24-106-109 C.R.S. 51. ON-CALL SERVICES In the event that the Agreement or the SOW contains hourly or daily rates the Contractor and the Manager may enter into Work Orders for ongoing services. The County shall authorize specific assignments for the Contractor by placing a written service order signed by the Manager and the Contractor (the “Order”) describing in sufficient details the services and/or deliverables at the rates provided. The Contractor agrees that during the term of this Agreement it shall fully coordinate its provision of the services with any person or firm under contract with the County doing work or providing services which affect the Contractor’s services. The Contractor shall faithfully perform the work in accordance with the standards of care, skill, training, diligence and judgment provided by highly competent individuals and entities that perform services of a similar nature to those described in this Agreement. 52. RECORDS Consultant shall maintain for a minimum of three years, adequate financial and other records for reporting to County. 
Consultant shall be subject to financial audit by federal, state or county auditors or their designees. Consultant authorizes such audits and inspections of records during normal business hours, upon 48 hours’ notice to Consultant. Consultant shall fully cooperate during such audit or inspections. IN WITNESS WHEREOF, the parties have executed this Agreement the day and year first set forth above. COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER By: ______________________________ Jeff Shroll, County Manager CONTRACTOR: By:________________________________ Print Name: _________________________ Title: ______________________________ Randy Feuilly President ATTACHED EXHIBITS EXHIBIT A -SERVICE/BUSINESS ASSOCIATE AGREEMENT EXHIBIT B-STATEMENT OF WORK EXHIBIT C-CERTIFICATE OF INSURANCE EXHIBIT D-SECURITY DOCUMENT EXHIBIT A BAA Business Associate Agreement This Agreement is made effective the __________________(the “Effective Date”), by and between Eagle County, Colorado, a body corporate and politic (hereinafter referred to as “Covered Entity”), and Online Web Services US, Inc., (hereinafter referred to as “Business Associate”), (individually, a “Party” and collectively, the “Parties”). WHEREAS, Business Associate and Covered Entity have entered into one or more agreements (collectively the “Underlying Agreement”), whereby Business Associate provides services or performs certain functions or activities for or on behalf of, or provides certain services to, the Covered Entity, that involve the use or disclosure of Protected Health Information; and WHEREAS, Covered Entity qualifies as a Covered Entity under federal privacy regulations and subject to 45 CFR. 
§§ 164.314(a) 164.504(e) relating to business associates; and WHEREAS, the Underlying Agreement between Business Associate and Covered Entity involves access, acquisition, creation, use, disclosure or transmission of protected health information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and its regulations, as amended by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, Title XIII (2009) (the “HITECH Act”; any reference herein to HIPAA shall include the HITECH Act amendments and any other amendments) and is therefore applicable to Covered Entity and Business Associate (45 CFR. Parts 160 and 164). NOW THEREFORE, Covered Entity and Business Associate agree to enter into this Business Associate Agreement, hereinafter referred to as “Agreement” in order to comply with the federal privacy regulations referred to above as follows: 1. Definitions a. General. Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings set forth in under the HIPAA Rules, including but not limited to 45 C.F.R. §§ 160.103, 164.103, 164.304, 164.401 and 164.501, as currently drafted and as subsequently updated, or revised. b. HIPAA Rules. HIPAA Rules shall mean the EDI, Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160, 162 and 164. c. “Business Associate” shall have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the Party to this agreement, shall mean Online Web Services US, Inc. d. “CFR” means Code of Federal Regulations. e. “Covered Entity” shall have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the Party to this agreement, shall mean Eagle County, Colorado, a body corporate and politic. f. 
"Electronic Health Record" means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. g. "HITECH Act" means the changes to HIPAA made by the Health Information Technology for Economic and Clinical Health Act enacted as part of the American Recovery and Reinvestment Act of 2009. 2. Obligations and Activities of Business Associate a. Business Associate understands that it is subject to the Privacy Rule and Security Rule. As a result, Business Associate agrees to take all actions necessary to comply with the Privacy Rule and Security Rule including, but not limited to, identification of a security official, risk analysis, risk management, workforce training in privacy and security requirements, implementation of safeguards as required by the Security Rule, and establishment of privacy/security agreements with its subcontractors that perform functions relating to Covered Entity and involving PHI. b. Business Associate agrees to not use or further disclose PHI received from, or created for or on behalf of, Covered Entity, other than to perform the Services in the Underlying Agreement, and as expressly permitted or required by this Agreement, or as required by law. Business Associate shall not use, disclose, release, reveal, show, sell, rent, lease, loan, publish or otherwise grant access to PHI in any manner that is prohibited by law or regulation, or in any manner that would be a violation of any law or regulation if it were to have been done by Covered Entity. c. Business Associate agrees to use reasonable and appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. 
Business Associate shall comply with the applicable requirements of the Security Rule with respect to electronic PHI, including, but not limited to, implementing administrative, physical and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, accesses, acquires, receives, maintains or transmits for or on behalf of Covered Entity. d. Business Associate (or its agents and contractors), shall only request, use and disclose the minimum necessary amount of PHI required to accomplish the purpose of the request, use or disclosure in accordance with the HIPAA Rules and HITECH Act. e. Business Associate shall not use or disclose PHI for marketing purposes except as directed by Covered Entity and in accordance with HIPAA and the HITECH Act. f. Business Associate agrees to and shall promptly mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or a Security incident regarding PHI, in violation of the requirements of this Agreement, applicable law, or Business Associate’s own policies and procedures. g. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware, including any Security Incident or Breach of Unsecured PHI, of which it becomes aware. To the extent a reportable event involves a Breach of Unsecured PHI as those terms are defined in 45 CFR § 164.402, Business Associate agrees to the following in connection with the breach notification requirements of 45 CFR, Part 164, Subpart D: 1. Business Associate shall notify Covered Entity without unreasonable delay and within two (2) calendar days after discovery. For this purpose, a Breach shall be treated as “discovered” in accordance with 45 CFR § 164.402(a) (2). 
The notification must include, to the extent known, identification of each individual whose unsecured PHI has been, or is reasonably believed to have been breached, the date of the incident or the date the incident was discovered if the incident date is not known, the scope of the incident, the Business Associate’s response to the incident and the identification of the party responsible for causing the incident, if known, and any other available information which the Covered Entity is required to include in the individual notice contemplated by 45 CFR § 164.404. 2. In addition to any indemnification obligations set forth in this Agreement or the Underlying Agreement, Business Associate agrees to reimburse Covered Entity for the reasonable costs and expenses incurred by Covered Entity to provide any notices required under 45 CFR part 164, Subpart D arising from a Breach of unsecured PHI caused by Business Associate. h. Business Associate shall maintain a log of breaches as defined in HIPAA of unsecured PHI with respect to Covered Entity and shall submit the log to Covered Entity within thirty (30) calendar days following the end of each calendar year so that Covered Entity may report breaches to the Secretary in accordance with 45 CFR § 164.408. i. Business Associate agrees to ensure that any agent or subcontractor to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Moreover, Business Associate shall ensure that any such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s electronic PHI. j. 
The following obligations will apply if Business Associate will have custody of or maintain a Designated Record Set for or on behalf of Covered Entity: (1) Business Associate agrees to provide reasonable access at the written request of Covered Entity to PHI in a Designated Record Set, to Covered Entity or, as directed in writing by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524, relating to an Individual’s right to inspect or obtain copies of his or her PHI. (2) Business Associate agrees to make any amendment(s) or correction(s) to PHI in a Designated Record Set that Covered Entity directs in writing or agrees to pursuant to 45 CFR § 164.526 at the written request of Covered Entity. k. Business Associate agrees to document all disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528, or effective as of the Effective Date or such later effective date prescribed by regulations issued by the U.S. Department of Health and Human Services, an accounting of disclosures of PHI from an Electronic Health Record in accordance with the HITECH Act. The documentation required by this paragraph shall be maintained for six years, or as otherwise required by the Privacy Rule and Security Rule. l. Following receipt of a written request by Covered Entity, Business Associate agrees to provide to Covered Entity or an Individual, information collected in accordance with the preceding paragraph, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528, or effective as of the Effective Date or such later effective date prescribed by regulations issued by the U.S. 
Department of Health and Human Services, an accounting of disclosures of PHI from an Electronic Health Record in accordance with the HITECH Act. m. Following receipt of a written request by Covered Entity, Business Associate agrees to make internal practices, books, and records including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity reasonably available to the Secretary for purposes of the Secretary in determining Covered Entity’s compliance with the Privacy Rule and Security Rule. n. Business Associate agrees that Covered Entity has the right to audit, investigate, monitor, access, review and report on Business Associate’s use of any Covered Entity’s PHI, with or without advance notice from Covered Entity. o. Related to this Agreement, Business Associate shall retain the following documentation for at least six years from the date of its creation or the date when it last was in effect, whichever is later: (1.) A written or electronic record of a designation of an organization as a Business Associate. (2.) Information security and privacy policies and procedures implemented to comply with HIPAA. (3.) All documented settings, activities and assessments required by HIPAA. (4.) All data use agreements and other forms supporting HIPAA compliance. (5.) All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments. (6.) Designated record sets that are subject to access by individuals. (7.) Documentation of the titles of the persons or offices responsible for HIPAA compliance, including not only those with over-all responsibility for compliance, but also those responsible for receiving and processing requests for amendments by individuals, and those responsible for receiving and processing requests for an accounting by individuals. (8.) 
Accounting of disclosures of PHI. p. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s). q. Data Ownership. Business Associate acknowledges that it has no ownership rights with respect to PHI. r. Business Associate Insurance. Business Associate shall maintain insurance to cover loss of PHI data and claims based upon alleged violation of privacy rights through the improper use or disclosure of PHI. 3. Permitted Uses and Disclosures By Business Associate a. Business Associate may only use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity as specified herein, provided that such use or disclosure would not violate the Privacy Rule or Security Rule or applicable Colorado law if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity. Except as otherwise limited in this Agreement, Business Associate may use PHI to carry out the legal responsibilities of the Business Associate. b. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that the disclosures are required by law. c. Except as otherwise limited in this Agreement or Underlying Agreement, Business Associate may use PHI to provide Data Aggregation services related to the health care operations of the Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). d. Business Associate may use PHI to report violations of the Privacy Rule and Security Rule to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1). 4. 
Obligations of Covered Entity a. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. b. Covered Entity shall be responsible for communications with Individuals and third parties regarding restrictions on uses and disclosures of PHI, amendments or corrections to PHI, and accountings of disclosures requested by Individuals. 5. Term and Termination a. The term of this Agreement shall terminate when all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is infeasible to return or destroy PHI, the protections of this Agreement are extended to such information, in accordance with the termination provisions in Section 6, Effect of Termination. b. Upon either party's knowledge of a material breach of this Agreement by the other party (the "breaching party"), the first party shall either: (1) Provide an opportunity for the breaching party to cure the breach or end the violation and terminate this Agreement and any Underlying Agreement if the breaching party does not cure the breach or end the violation within thirty (30) days or (2) Immediately terminate this Agreement and any Underlying Agreement(s) if the breaching party has breached a material term of this Agreement and cure is not possible. 6. Effect of Termination a. Except as provided in paragraph (b) of this section, upon termination of this Agreement or the Underlying Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. b. 
In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible. Upon receipt of written notification that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. 7. Miscellaneous a. Any notice or other written communications required or permitted to be given to the other party under this Agreement must be addressed to the attention of the other party in care of the contact person identified below. Written notice may be delivered by certified mail or overnight mail. If to Business Associate: Online Web Services US, Inc., 515 West Grand Ave #D, Mancos, CO 81328. If to Covered Entity: Attn: Eagle County, CO, P.O. Box 850, 500 Broadway, Eagle, CO 81631. b. A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended. c. This Agreement may only be amended in a written document signed by an authorized representative of each party. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the privacy and security requirements of HIPAA. If the Business Associate refuses to sign such an amendment, this Agreement and any Underlying Agreement that involves the use or disclosure of PHI shall automatically terminate. d. The respective rights and obligations of Business Associate under Section 6, Effect of Termination, shall survive the termination of this Agreement. e. 
Construction of this Agreement shall be resolved in favor of a meaning that permits both parties to comply with applicable law protecting the privacy, security and confidentiality of PHI, including but not limited to HIPAA and the HIPAA Rules. To the extent that any provisions of this Agreement conflict with the provisions of any other agreement or understanding between the parties, this Agreement shall control. f. Business Associate will indemnify and hold harmless Covered Entity and its directors, officers, agents, employees and other representatives, individually and collectively, from and against any and all liability to third parties, including any claims, demands, lawsuits, settlements, judgments, costs, penalties, expenses, liabilities and losses including attorneys' fees, court costs and punitive damages resulting from or arising out of or in connection with a use or disclosure of PHI by Business Associate or its sub-contractors or agents in violation of this Agreement. g. In the event that Colorado law is more stringent than a HIPAA standard, requirement or implementation specification, Business Associate's activities and obligations shall be governed by Colorado law. For purposes of this paragraph, "more stringent" has the same meaning as the term "more stringent" in 45 CFR § 160.202. h. Covered Entity and Business Associate acknowledge and agree that this Agreement amends, supplements, and is made part of the Underlying Agreement. If a provision of this Agreement is in conflict with a provision of the Underlying Agreement, this Agreement shall govern when the provision relates to either Covered Entity’s or the Business Associate's obligations under HIPAA and the HITECH Act. i. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything confer upon any person other than Covered Entity, Business Associate, and their respective successors or assigns, any rights, remedies, obligations or liabilities. j. No Waiver of Immunity. 
No term or condition of this Agreement shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection or other provisions of the Colorado Governmental Immunity Act, C.R.S. § 24-10-101 et seq., or the Federal Tort Claims Act 28 U.S.C. 2671 et seq. as now in effect or hereafter amended. k. Subpoena. In the event that Business Associate receives a subpoena for any PHI in its possession, it shall immediately notify Covered Entity and deliver a copy of the subpoena to Covered Entity. Business Associate shall respond to the subpoena only in accordance with the Privacy Rule. l. Waiver. No failure to exercise and no delay in exercising any right, remedy or power hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, remedy or power hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy or power provided herein or by law or in equity. m. Entire Agreement. This Agreement constitutes the entire agreement of the parties with respect to the subject matter hereof, and all prior and contemporaneous understandings, agreements and representations, whether oral or written, with respect to such matters are superseded. n. Assignment. No assignment of this Agreement or the rights and obligations hereunder shall be valid without the specific written consent of both parties hereto, provided, however, that this Agreement may be assigned by Business Associate to any successor entity operating Business Associate and such assignment shall forever release Business Associate hereunder. o. Binding Effect. This Agreement shall be binding upon the parties hereto and their respective heirs, executors, administrators, successors and permitted assigns. p. Non-Exclusivity. 
Nothing in this Agreement shall be construed as limiting the right of either party to affiliate or contract with any other person or entity on either a limited or general basis while this Agreement is in effect. q. Signatures. This Agreement may be executed in counterparts, each of which when so executed and delivered shall be deemed an original and all of which taken together shall constitute one instrument. This Agreement and any counterpart original may be executed and transmitted by facsimile. The facsimile signature shall be valid and acceptable for all purposes as if it were an original.

Agreed to:

By Business Associate:
Signature: ___________________________________
Printed Name: Randy Feuilly
Title: President
Date: 02/12/2020

By Covered Entity:
Signature: ___________________________________
Printed Name: ___________________________________
Title: ___________________________________
Date: ___________________________________

EXHIBIT B SOW

Exhibit B Statement of Work

SOFTWARE-AS-A-SERVICE (SAAS)

This agreement provides Customer with access to the proprietary software named “VSTracking™”, and a terminable, non-transferable and non-exclusive limited license for usage of its functions as a service, hereinafter called “SaaS”. Provider will provide this functionality through the Internet within a hosted server environment, mobile software applications, or other Provider approved interface. Customer’s license confers no title or ownership in the SAAS software.
Online Web Services US, Inc will provide:
• Robust victim services case management database and grant reporting software (VS Tracking)
• Stores documents, generates letters, keeps tasks, appointments and timesheets
• Grant reporting that satisfies the current VALE and VOCA grant reporting requirements
• Letter writing
• Document storage
• Time sheets
• Custom reports
• HIPAA, FIPS, CJIS and NIST compliance
• Complies with CJIS recommended security standards
• Unlimited users
• Free, unlimited training
• Free upgrades
• Migrate all data from Civicore to VSTracking
• Configuration assistance on getting VSTracking set up for Eagle County’s specific needs

Customer Responsibilities. Customer
• must keep his/her passwords secure and confidential;
• is solely responsible for Customer Data and all activity in its account in the Service;
• must use commercially reasonable efforts to prevent unauthorized access to its account, and notify Provider promptly of any such unauthorized access;
• and may use the Service only in accordance with applicable law.

Customer Owned Data. All data uploaded by Customer and collected by the Licensed Software remains the sole property of Customer (Customer Data). Customer grants Provider the right to use, store and modify the Customer Data solely for purposes of Provider performing the Services under this agreement. Customer hereby warrants to Provider that it either owns, or is a licensee, of the Customer Data and has the full requisite power and authority to grant Provider such usage rights in the Customer Data and that there are no additional consents or approvals required for granting such usage rights. During the term of this agreement, Customer may download the Customer Data from within the Service or schedule the Customer Data to be automatically downloaded, which in each case will only be provided in the available formats.
Service Commitment

Provider will use all commercially reasonable efforts to make the Included Services available with a Monthly Uptime Percentage of at least 99.99%, during any monthly cycle.

Annual Fee for Software License and Support: $1700.00
One-Time Data Conversion Fee (not to exceed): $4000.00
Various fees to be paid within 30 days of receiving invoice.

EXHIBIT C CERTIFICATE OF INSURANCE

The exhibit contains three certificates, each on the form CERTIFICATE OF LIABILITY INSURANCE, ACORD 25 (2016/03), © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD. Each certificate carries the following form wording:

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

CANCELLATION: SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.

Certificate 1
Date: 10/15/2020
Producer: Hiscox Inc., 520 Madison Avenue, 32nd Floor, New York, NY 10022, (888) 202-3007, contact@hiscox.com
Insurer A: Hiscox Insurance Company Inc, NAIC # 10200
Insured: Online Web Services US, Inc., 515 W Grand Ave Unit D, Mancos, CO 81328
Type of insurance: Cyber and Data Risk
Policy number: P100.000.976.1
Policy period: 10/15/2020 to 10/15/2021
Limits: Each Claim: $ 1,000,000; Aggregate: $ 1,000,000
Description of operations: Eagle County Government is an additional insured.
Certificate holder: Eagle County Government, 500 Broadway, Eagle, CO 81631

Certificate 2
Date: 10/15/2020
Producer: Hiscox Inc., 520 Madison Avenue, 32nd Floor, New York, NY 10022, (888) 202-3007, contact@hiscox.com
Insurer A: Hiscox Insurance Company Inc, NAIC # 10200
Insured: Online Web Services US, Inc., 515 W Grand Ave Unit D, Mancos, CO 81328
Policy number: UDC-4569688-CGL-20
Policy period: 08/11/2020 to 08/11/2021
Limits, in the order listed on the certificate: 1,000,000; 100,000; 5,000; 1,000,000; 2,000,000; S/T Gen. Agg
Description of operations: Eagle County Government are included as additional insured.
Certificate holder: Eagle County Government, 500 Broadway, Eagle, CO 81631

Certificate 3
Date: 10/15/2020
Producer: Hiscox Inc., 520 Madison Avenue, 32nd Floor, New York, NY 10022, (888) 202-3007, contact@hiscox.com
Insurer A: Hiscox Insurance Company Inc, NAIC # 10200
Insured: Online Web Services US, Inc., 515 W Grand Ave Unit D, Mancos, CO 81328
Type of insurance: Professional Liability
Policy number: UDC-4569688-EO-20
Policy period: 08/11/2020 to 08/11/2021
Limits: Each Claim: $ 1,000,000; Aggregate: $ 1,000,000
Description of operations: Eagle County Government are included as additional insured.
Certificate holder: Eagle County Government, 500 Broadway, Eagle, CO 81631

EXHIBIT D SECURITY

VST Security

All client data is encrypted at rest and in transit using 2048-bit RSA keys. The generation, storage and handling of these keys follow the requirements described in the Links article. All VST cloud services and servers are 100% located in the United States and access is limited to accredited users only.
Definitions

Keyword: Definition
VST: Victim Services Tracking
VST-services: Cloud based software applications
Login-credentials: A unique username and password assigned to a VST-user
VST-user: An individual that has login-credentials and is authorized to use VST-services
VST-client: The individual and/or organization responsible for the VST membership and administration
VST-client-data: All information/data submitted by the VST-client to VST-services

Links

Org: Document
NIST: https://www.nist.gov/
CJIS: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
HIPAA: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
FIPS 140-2: https://csrc.nist.gov/publications/detail/fips/140/2/final
FIPS 200: https://csrc.nist.gov/publications/detail/fips/200/final

What are VST-services and the cloud?

VST-services are cloud based applications that assist the VST-client in obtaining government grants. The only system requirement is a modern browser, such as Google Chrome, Mozilla Firefox, or Safari. In this context, the cloud is a secure off premises server/computer located in the United States that is designated to process and store client-data.

How does the login/authentication work?

Access to VST-services is through a standard user login and password over the https protocol. Simply go to agencyservicestracking.com and provide your login-credentials, normally an email and password. VST-services uses the RBAC (role-based access control) model to give VST-clients the ability to control who has access to what. VST-client Administrators can set the permission levels for each advocate, granting or revoking access to the various VST-services. After a successful login, a time sensitive access key is granted to the browser and used to make authenticated requests to a VST-service.

Your data is your data!

All VST-client-data belongs to the VST-client. VST does not share or analyze VST-client-data without explicit consent from the VST-client.
Only specific VST employees are authorized to access and maintain VST-client-servers. The VST-client has full authority over the VST-client-data and can decide what happens to it in terms of removal, storage and transmission at any time for any reason.

Who has access?

VST never accesses client-data unless a VST-client explicitly requests it. Only specific VST developers are authorized to access client-data for the purposes of maintenance and upgrades only. VST-client administrators are authorized to access the data at any time and the VST-client advocates can access the data according to their respective roles assigned by the administrator.

Where are your data and data backups?

All VST-client-data is stored in the United States on FIPS compliant servers. The data is encrypted at rest and backups are made daily and are also stored on FIPS compliant servers in the United States. Each VST-client’s data is isolated from other VST-clients. The granularity of the isolation depends on the membership of the VST-client. Standard memberships house all data on the same server but in different databases. Dedicated servers can be created to offer more isolation.

Personally Identifiable Information (PII)

The information stored in VST databases consists of, and is not limited to, victim contact information and the nature of their victimization. Identification numbers can be associated to victims as opposed to names and/or addresses to meet compliance requirements. When grant reports are generated, the statistics are completely anonymized and do not associate PII or location data in the reports. Further obfuscation can be worked out on a case-by-case basis as needed.

What happens if a breach occurs, a vulnerability is found, or if a natural disaster occurs?

These are the steps VST will take once a breach or vulnerability has been discovered.
The execution of these steps depends on the severity of the issue and will be performed in a timely manner from the date of discovery.
1. Disable and reset all login-credentials of affected accounts
2. Develop a plan-of-action based on the severity of the issue; this includes fixing the vulnerability and enabling data recovery if necessary
3. Notifying the affected VST-clients
4. Notifying law enforcement if necessary
5. Implementing the plan-of-action

VST Training and Service Schedule

VST performs scheduled maintenance and employee training. The table below outlines a current view of what processes are performed and when they are scheduled. All upgrades and maintenance routines are performed after the close of business (in the Mountain Time zone) in order to prevent or minimize downtime for VST-clients.

Procedure Daily Weekly Monthly Annually Data Backups  Server Updates  Compliance Checks  Virus/Malware Scans  Employee Training 