Press Alt + R to read the document text or Alt + P to download or print.

No preview available

The URL can be used to link to this page

Home My WebLink AboutC21-274 Cloudbakers Holdings LLCDocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD AGREEMENT FOR SERVICES BETWEEN EAGLE COUNTY, COLORADO AND CLOUDBAKERS HOLDINGS LLC THIS AGREEMENT ("Agreement") is effective as of 8/13/2021 by and between Cloudbakers, LLC an Illinois limited liability company (hereinafter "Contractor") and Eagle County, Colorado, a body corporate and politic (hereinafter "County"). RECITALS WHEREAS, the County requires consultation and assistance regarding migration of data storage from external hard drives to a cloud -based storage service; and WHEREAS, Contractor will conduct workshops enabling County to examine the benefits of Google Cloud Platform ("GCP") and make decisions regarding migration of County data to a GCP Platform which would include any technology residing on the Google Cloud Platform including Google Workspace, Data Analytics, Application Development (the "Project") through virtual workshops; and WHEREAS, Contractor is authorized to do business in the State of Colorado and has the time, skill, expertise, and experience necessary to provide the Services as defined below in paragraph 1 hereof, and WHEREAS, this Agreement shall govern the relationship between Contractor and County in connection with the Services. AGREEMENT NOW, THEREFORE, in consideration of the foregoing and the following promises Contractor and County agree as follows: 1. Services or Work. Contractor agrees to diligently provide all services, labor, personnel and materials necessary to perform and complete the services or work described in Exhibit A ("Services" or "Work") which is attached hereto and incorporated herein by reference. The Services shall be performed in accordance with the provisions and conditions of this Agreement. a. Contractor agrees to conduct workshops with the County and in accordance with the schedule established in Exhibit A. If no completion date is specified in Exhibit A, then Contractor agrees to furnish the Services in a timely and expeditious manner consistent with the applicable standard of care. By signing below Contractor represents that it has the expertise and personnel necessary to properly and timely perform the Services. b. In the event of any conflict or inconsistency between the terms and conditions set forth in Exhibit A and the terms and conditions set forth in this Agreement, the terms and conditions set forth in this Agreement shall prevail. 2. County's Representative. The Information Technology Department's designee shall be C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD Contractor's contact with respect to this Agreement and performance of the Services. 3. Term of the Agreement. This Agreement shall commence upon the date first written above, and subject to the provisions of paragraph 11 hereof, shall continue in full force and effect through September 30, 2021, which will be after the two workshops scheduled in August and September 2021. 4. Extension or Modification. This Agreement may be extended for up to three additional one-year terms upon written agreement of the parties. Any amendments or modifications shall be in writing signed by both parties. No additional services or work performed by Contractor shall be the basis for additional compensation unless and until Contractor has obtained written authorization and acknowledgement by County for such additional services in accordance with County's internal policies. Accordingly, no course of conduct or dealings between the parties, nor verbal change orders, express or implied acceptance of alterations or additions to the Services, and no claim that County has been unjustly enriched by any additional services, whether or not there is in fact any such unjust enrichment, shall be the basis of any increase in the compensation payable hereunder. In the event that written authorization and acknowledgment by County for such additional services is not timely executed and issued in strict accordance with this Agreement, Contractor's rights with respect to such additional services shall be deemed waived and such failure shall result in non-payment for such additional services or work performed. 5. Compensation. County shall compensate Contractor for the performance of the Services in a sum computed and payable as set forth in Exhibit A. The performance of the Services under this Agreement shall not exceed $8,000.00. Contractor shall not be entitled to bill at overtime and/or double time rates for work done outside of normal business hours unless specifically authorized in writing by County. a. Payment will be made for Services satisfactorily performed within thirty (30) days of receipt of a proper and accurate invoice from Contractor. All invoices shall include detail regarding the hours spent, tasks performed, who performed each task and such other detail as County may request. b. If, at any time during the term or after termination or expiration of this Agreement, County reasonably determines that any payment made by County to Contractor was improper because the Services for which payment was made were not performed as set forth in this Agreement, then upon written notice of such determination and request for reimbursement from County, Contractor shall forthwith return such payment(s) to County. Upon termination or expiration of this Agreement, unexpended funds advanced by County, if any, shall forthwith be returned to County. C. County will not withhold any taxes from monies paid to the Contractor hereunder and Contractor agrees to be solely responsible for the accurate reporting and payment of any taxes related to payments made pursuant to the terms of this Agreement. d. Notwithstanding anything to the contrary contained in this Agreement, County shall have no obligations under this Agreement after, nor shall any payments be made to Contractor in respect of any period after December 31 of any year, without an appropriation therefor by County in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20). 2 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD 6. Subcontractors. Contractor acknowledges that County has entered into this Agreement in reliance upon the particular reputation and expertise of Contractor. Contractor shall not enter into any subcontractor agreements for the performance of any of the Services or additional services without County's prior written consent, which may be withheld in County's sole discretion. County shall have the right in its reasonable discretion to approve all personnel assigned to the subject Project during the performance of this Agreement and no personnel to whom County has an objection, in its reasonable discretion, shall be assigned to the Project. Contractor shall require each subcontractor, as approved by County and to the extent of the Services to be performed by the subcontractor, to be bound to Contractor by the terms of this Agreement, and to assume toward Contractor all the obligations and responsibilities which Contractor, by this Agreement, assumes toward County. County shall have the right (but not the obligation) to enforce the provisions of this Agreement against any subcontractor hired by Contractor and Contractor shall cooperate in such process. The Contractor shall be responsible for the acts and omissions of its agents, employees and subcontractors. 7. Insurance. Contractor agrees to provide and maintain at Contractor's sole cost and expense, the following insurance coverage with limits of liability not less than those stated below: a. Types of Insurance. Workers' Compensation insurance as required by law. ii. Auto coverage with limits of liability not less than $1,000,000 each accident combined bodily injury and property damage liability insurance, including coverage for owned, hired, and non -owned vehicles. iii. Commercial General Liability coverage to include premises and operations, personal/advertising injury, products/completed operations, broad form property damage with limits of liability not less than $1,000,000 per occurrence and $1,000,000 aggregate limits. b. Other Requirements. i. The automobile and commercial general liability coverage shall be endorsed to include Eagle County, its associated or affiliated entities, its successors and assigns, elected officials, employees, agents and volunteers as additional insureds. A certificate of insurance consistent with the foregoing requirements is attached hereto as Exhibit B. ii. Contractor's certificates of insurance shall include subcontractors, if any as additional insureds under its policies or Contractor shall furnish to County separate certificates and endorsements for each subcontractor. iii. The insurance provisions of this Agreement shall survive expiration or termination hereof. iv. The parties hereto understand and agree that the County is relying on, and does not waive or intend to waive by any provision of this Agreement, the monetary limitations or rights, immunities and protections provided by the Colorado Governmental Immunity Act, as from time to time amended, or otherwise available to County, its affiliated entities, successors or assigns, its elected officials, 3 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD employees, agents and volunteers. V. Contractor is not entitled to workers' compensation benefits except as provided by the Contractor, nor to unemployment insurance benefits unless unemployment compensation coverage is provided by Contractor or some other entity. The Contractor is obligated to pay all federal and state income tax on any moneys paid pursuant to this Agreement. 8. Indemnification. The Contractor shall indemnify and hold harmless County, and any of its officers, agents and employees against any losses, claims, damages or liabilities for which County may become subject to insofar as any such losses, claims, damages or liabilities arise out of, directly or indirectly, this Agreement, or are based upon any performance or nonperformance by Contractor or any of its subcontractors hereunder; and Contractor shall reimburse County for reasonable attorney fees and costs, legal and other expenses incurred by County in connection with investigating or defending any such loss, claim, damage, liability or action. This indemnification shall not apply to claims by third parties against the County to the extent that County is liable to such third party for such claims without regard to the involvement of the Contractor. This paragraph shall survive expiration or termination hereof. 9. Ownership of Documents. All documents (including electronic files) and materials obtained during, purchased or prepared in the performance of the Services shall remain the property of the County and are to be delivered to County before final payment is made to Contractor or upon earlier termination of this Agreement. 10. Notice. Any notice required by this Agreement shall be deemed properly delivered when (i) personally delivered, or (ii) when mailed in the United States mail, first class postage prepaid, or (iii) when delivered by FedEx or other comparable courier service, charges prepaid, to the parties at their respective addresses listed below, or (iv) when sent via facsimile so long as the sending party can provide facsimile machine or other confirmation showing the date, time and receiving facsimile number for the transmission, or (v) when transmitted via e-mail with confirmation of receipt. Either party may change its address for purposes of this paragraph by giving five (5) days prior written notice of such change to the other party. COUNTY: Eagle County, Colorado Attention: Scott Lingle, IT Director 500 Broadway Post Office Box 850 Eagle, CO 81631 Phone: 970-328-3581 E-Mail: scott.lingle@eaglecounty.us With a copy to: Eagle County Attorney 500 Broadway Post Office Box 850 Eagle, Co 81631 Telephone: 970-328-8685 Facsimile: 970-328-8699 E-Mail: atty@eaglecounty.us 4 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD CONTRACTOR: Cloudbakers Holdings LLC Finance & Accounting Attn: Ben Kessler 600 W Van Buren St Suite 603, Chicago, IL 60607 Phone: 414-305-6107 Email: ben.kessler@cloudbakers.com 11. Termination. County may terminate this Agreement, in whole or in part, at any time and for any reason, with or without cause, and without penalty therefor with seven (7) calendar days' prior written notice to the Contractor. Upon termination of this Agreement, Contractor shall immediately provide County with all documents as defined in paragraph 9 hereof, in such format as County shall direct and shall return all County owned materials and documents. County shall pay Contractor for Services satisfactorily performed to the date of termination. 12. Venue, Jurisdiction and Applicable Law. Any and all claims, disputes or controversies related to this Agreement, or breach thereof, shall be litigated in the District Court for Eagle County, Colorado, which shall be the sole and exclusive forum for such litigation. This Agreement shall be construed and interpreted under and shall be governed by the laws of the State of Colorado. 13. Execution by Counterparts; Electronic Signatures. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which shall constitute one and the same instrument. The parties approve the use of electronic signatures for execution of this Agreement. Only the following two forms of electronic signatures shall be permitted to bind the parties to this Agreement: (i) Electronic or facsimile delivery of a fully executed copy of the signature page; (ii) the image of the signature of an authorized signer inserted onto PDF format documents. All documents must be properly notarized, if applicable. All use of electronic signatures shall be governed by the Uniform Electronic Transactions Act, C.R.S. 24-71.3-101 to 121. 14. Other Contract Requirements and Contractor Representations. a. Contractor has familiarized itself with the nature and extent of the Services to be provided hereunder and the Property, and with all local conditions, federal, state and local laws, ordinances, rules and regulations that in any manner affect cost, progress, or performance of the Services. b. Contractor will make, or cause to be made, examinations, investigations, and tests as he deems necessary for the performance of the Services. C. To the extent possible, Contractor has correlated the results of such observations, examinations, investigations, tests, reports, and data with the terms and conditions of this Agreement. d. To the extent possible, Contractor has given County written notice of all conflicts, errors, or discrepancies. e. Contractor shall be responsible for the completeness and accuracy of the Services and shall correct, at its sole expense, all significant errors and omissions in performance of the Services. The 5 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD fact that the County has accepted or approved the Services shall not relieve Contractor of any of its responsibilities. Contractor shall perform the Services in a skillful, professional and competent manner and in accordance with the standard of care, skill and diligence applicable to contractors performing similar services. Contractor represents and warrants that it has the expertise and personnel necessary to properly perform the Services and shall comply with the highest standards of customer service to the public. Contractor shall provide appropriate supervision to its employees to ensure the Services are performed in accordance with this Agreement. This paragraph shall survive termination of this Agreement. f. Contractor agrees to work in an expeditious manner, within the sound exercise of its judgment and professional standards, in the performance of this Agreement. Time is of the essence with respect to this Agreement. g. This Agreement constitutes an agreement for performance of the Services by Contractor as an independent contractor and not as an employee of County. Nothing contained in this Agreement shall be deemed to create a relationship of employer -employee, master -servant, partnership, joint venture or any other relationship between County and Contractor except that of independent contractor. Contractor shall have no authority to bind County. h. Contractor represents and warrants that at all times in the performance of the Services, Contractor shall comply with any and all applicable laws, codes, rules and regulations. i. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all other agreements or understanding between the parties with respect thereto. j. Contractor shall not assign any portion of this Agreement without the prior written consent of the County. Any attempt to assign this Agreement without such consent shall be void. k. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their respective permitted assigns and successors in interest. Enforcement of this Agreement and all rights and obligations hereunder are reserved solely for the parties, and not to any third party. 1. No failure or delay by either party in the exercise of any right hereunder shall constitute a waiver thereof. No waiver of any breach shall be deemed a waiver of any preceding or succeeding breach. M. The invalidity, illegality or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision hereof. n. The signatories to this Agreement aver to their knowledge no employee of the County has any personal or beneficial interest whatsoever in the Services or Property described in this Agreement. The Contractor has no beneficial interest, direct or indirect, that would conflict in any manner or degree with the performance of the Services and Contractor shall not employ any person having such known interests. o. The Contractor, if a natural person eighteen (18) years of age or older, hereby swears and affirms under penalty of perjury that he or she (i) is a citizen or otherwise lawfully present in the United States pursuant to federal law, (ii) to the extent applicable shall comply with C.R.S. 24-76.5-103 prior to 1.1 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD the effective date of this Agreement. 15. Prohibitions on Government Contracts. As used in this Section 15, the term undocumented individual will refer to those individuals from foreign countries not legally within the United States as set forth in C.R.S. 8-17.5-101, et. seq. If Contractor has any employees or subcontractors, Contractor shall comply with C.R.S. 8-17.5-101, et. seq., and this Agreement. By execution of this Agreement, Contractor certifies that it does not knowingly employ or contract with an undocumented individual who will perform under this Agreement and that Contractor will participate in the E-verify Program or other Department of Labor and Employment program ("Department Program") in order to confirm the eligibility of all employees who are newly hired for employment to perform Services under this Agreement. a. Contractor shall not: i. Knowingly employ or contract with an undocumented individual to perform Services under this Agreement; or ii. Enter into a subcontract that fails to certify to Contractor that the subcontractor shall not knowingly employ or contract with an undocumented individual to perform work under the public contract for services. b. Contractor has confirmed the employment eligibility of all employees who are newly hired for employment to perform Services under this Agreement through participation in the E-Verify Program or Department Program, as administered by the United States Department of Homeland Security. Information on applying for the E-verify program can be found at: https://ww HYPERLINK "https://www.uscis.gov/e-verify"w.uscis.gov/e-verifv C. Contractor shall not use either the E-verify program or other Department Program procedures to undertake pre -employment screening of job applicants while the public contract for services is being performed. d. If Contractor obtains actual knowledge that a subcontractor performing work under the public contract for services knowingly employs or contracts with an undocumented individual, Contractor shall be required to: i. Notify the subcontractor and County within three (3) days that Contractor has actual knowledge that the subcontractor is employing or contracting with an undocumented individual; and ii. Terminate the subcontract with the subcontractor if within three days of receiving the notice required pursuant to subparagraph (i) of the paragraph (d) the subcontractor does not stop employing or contracting with the undocumented individual; except that Contractor shall not terminate the contract with the subcontractor if during such three (3) days the subcontractor provides information to establish that the subcontractor has not knowingly employed or contracted with an undocumented individual. e. Contractor shall comply with any reasonable request by the Department of Labor and Employment made in the course of an investigation that the department is undertaking pursuant to its 7 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD authority established in C.R.S. 8-17.5-102(5). f. If Contractor violates these prohibitions, County may terminate the Agreement for breach of contract. If the Agreement is so terminated specifically for breach of this provision of this Agreement, Contractor shall be liable for actual and consequential damages to County as required by law. g. County will notify the Colorado Secretary of State if Contractor violates this provision of this Agreement and County terminates the Agreement for such breach. [REST OF PAGE INTENTIONALL Y LEFT BLANK] IN WITNESS WHEREOF, the parties have executed this Agreement the day and year first set forth above. COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER Signed by: By: F;�%ra Jeff Shro Auger CONTRACTOR: FD'�o''cus9ned by: By: w� 4ss�t,V' 56582D41B64E4C3_. Print Name: Ben Kessler Title: CFO EXHIBIT A SCOPE OF SERVICES, SCHEDULE, FEES EXHIBIT B C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD EXHIBIT A - Statement of Work - Google Cloud Platform Cloudbakers will work with Eagle County to structure information sharing in a collaborative and hands-on workshop format focused on broadly understanding the general details of the GCP topics of interest outlined below. The objectives of this project are centered on how a suggested implementation would work for Eagle County's "Acclaim" environment. The workshops would involve a combination of oral conversation, whiteboarding, and hands-on "how-to" demonstration within Eagle County's existing GCP environment. Topics of interest are the following • Backup and recovery • Availability monitoring and alerting • Security monitoring and alerting Cloud Storage options - Need to run the variety of storage mechanisms and pricing tiers (at least the local and networked options, plus where GCS possibly would make sense). • Dedicated Circuit vs point to point VPN • Load balancing • Machine and storage redundancy considerations • Recommended approach to SQL Server levels and licensing • Directory Services • Firewall Services • Patch Manaaement • Support Process • Internet access from servers and security concerns • External IP addressing • Network design • DMZ setup • Security boundaries • Internal IP addressing options • Failover VPN • DNS considerations? • Subnets • Data location concerns • Windows server licensina 1 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD • Watchpoints • Upgrading Compute Engine instances • Identifying On -premise Services that won't port to GCP • Current costing assumptions • Data migration process • Reverse migration • Third -party VM access Professional services will be provided through "Cloud Start", tailored workshops that provide a detailed understanding for Eagle County of the GCP products, including benefits and differentiators, with a focus on planning for the implementation of the "Acclaim" environment. These consulting engagements are designed to help Eagle County plan and design the implementation of workload(s) and/or application(s) with GCP. The engagement includes a kickoff workshop that focuses on Eagle County's foundational architecture, technical design, reference pipelines, long-term operations, and project planning. Following the initial workshops, Cloudbakers will provide executive oversight and technical advice throughout the planning phases (Assess and Plan) should Eagle County wish to move forward with a larger migration. Cloudbakers will facilitate the technical kickoff workshop along with Eagle County's team to discuss relevant cloud topics and begin the groundwork for planning. The workshop results will be used as input to create the technical and architectural design documents. Contributors • Scott Lingle, IT Director • Jake Klearman, IT Operations Manager Success Factors • Mike Meier, Cloudbakers Practice Lead • Cloudbakers Engineer - TBA • Cloudbakers Supporting Resources • Michael Hodes • Emily Colby The success of this Statement of Work are mutually defined by: • Agreement on following Workshop schedule 2 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD • Review Eagle County's documentation, refer to Customer Documentation • Follow Cloudbakers Cloud technical cloud best practices • Creation of Technical Design Document for Acclaim Application Cloud Start - Plan Overview Kick off the new Google Cloud Platform planning project with a focus on cloud best practice architecture, technical design, reference pipelines, long-term operations, and planning for Eagle County's cloud project. Cloud Start is a two-day consultative workshop to help Eagle County understand the components of Google Cloud Platform (GCP) that relate to your needs (please refer to Addendum A). Cloudbakers will facilitate an interactive session in which Eagle County can explore GCP functionality, scenarios, and capabilities through what -if discussions, whiteboarding, and demos. Cloudbakers also includes one day of workshop preparation and one day for documentation of the workshop findings and architectural documentation and reporting. These discussions with whiteboarding and demos will focus on architecting for the Acclaim Application on GCP with a special emphasis on developing a practical understanding of how to automate provisioning of resources and comply with security and regulatory requirements. Cloud Plan activities and deliverables Cloudbakers will deliver a Cloud Assess Report to provide Eagle County with the following: • A whiteboard discussion with design and architectural recommendations specific to Eagle County's use cases. • Demonstrations of relevant Google Cloud technology configured in an Eagle County's Google Cloud project, time permitting. • A Cloud Start executive summary report outlining insights, recommendations, and next steps. Virtual Workshops During the two days, help guide Eagle County through the following concepts and activities: • Workshop overview, format, and objectives • The workshop is highly interactive and discussion based. 3 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD • The workshop explores what Eagle County wants to do with Google Cloud products, and why. • The goal of the workshop is to increase Eagle County's confidence. Helping Eagle County toward a better understanding of the options and decisions to be made of what a GCP solution will involve and what is the right path going forward. • Whiteboarding (virtual) as -is and to -be environments • Eagle County's existing environment and network and data infrastructure strategy, with a focus on components that will be relevant to the strategic use of GCP for data processing and analytics • Eagle County's (hybrid) network and data infrastructure • Key components and dependencies • Map to GCP products, components, and features • Evaluate analytics and data processing components • Discuss design decision points and pros and cons • Increasing Eagle County's understanding and confidence • Keep a running list of issues on the whiteboard • Run demos and show relevant functionality to illustrate and reinforce key concepts where appropriate • Recapping and next steps • Check off the running list of issues on the whiteboard • Remind Eagle County of all the key concepts and decisions discussed • Present a list of next steps that Eagle County should perform to continue with their Cloud project if interested. The workshop scheduled covers: • Day 1 - Workshop to provide guidance on key decision points for the setup in GCP for development and production environments • Team introduction • Managing users • Organizing resources and permissions • Managing connectivity • VPN • Failover VPN • Dedicated Circuit vs point to point VPN • Dedicated connection • Network design • DMZ setup 4 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD • VPC • Security boundaries • Internal IP addressing options • DNS considerations • Subnets • Internet access from servers and security concerns • External IP addressing • Compute Engine • Compute Engine on GCP options • Upgrading Compute Engine instances • Cloud Storage • Machine and storage redundancy consideration • Persistent Disk • Cloud Storage • Data Life Cycle Management • Data location concerns • Load balancing • Directory Services • Firewall Services • Backup and recovery • Availability monitoring and alerting • Security monitoring and alerting. • Day 2 - Continued workshop with virtual whiteboarding sessions • Deep Dives on targeted key GCP services used by Eagle County • Use input from day 1 to drive the deep dives and focus on decisions where possible • Deep dive sessions for Data & Analytics on automated resource provisioning, security and regulatory requirements. • Review data and application dependencies • Recommended approach to SQL Server levels and licensing • Patch Management • Support Process • Windows server licensing • Watchpoints • Identifying On -premise Services that won't port to GCP • Current costing assumptions 5 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD • Data migration process • Reverse migration • Third -party VM access Summary Report A summary report will document the span of activities and accomplishments during the workshop. The report leverage the notes taken during the workshop, highlighting: • Key discussion topics covered - sharing the slides presented • Meeting notes, photos or drawings from architectural diagrams from whiteboard sessions, if available embedded in meeting notes document • Key questions asked, and answers provided • List of functionality demo'ed • List of recommended next steps Customer Documentation Overview We would like to gain insight as to how a transition from on -premise servers to the GCP cloud will impact a number of our existing server management practices and related subject areas. Ultimately we'd like to better understand: 1) The combination of how each topic listed below is handled conceptually within GCP, as well as gaining a preliminary technical understanding. 2) Validate assumptions regarding how (or if) each subject area is included within base GCP pricing models, and discuss key assumptions used in the development of preliminary costing estimates. 3) Flag any potential impacts of subject areas that may need to be addressed with additional tool sets. It is our suggested approach to use one of our more complex non-HTTP(s) on -premise business software applications as the central point of discussion related to answering how specific topics of interest might likely be handled within GCP. We'd like to center the GCP conversation around our Clerk and Recorder's "Acclaim" software application from Harris Recording Solutions. Acclaim is a client/server-based application with a large file repository of scanned images, a SQL Server database, a local Windows 64-bit installation on client workstations, and an HTTP(s) based web server located in our DMZ that is exposed for public access. The production Acclaim servers include The App/File server, SQL server, Web server, and Web "Zip download" server (used by local Real Estate organizations for downloading C&R transaction information). 0 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD ECG F I\Su�� -- SP n6 d�enb/SPxifi�{Ps= �{m � rusemames [[GwH]e �ISSxlema tlk wehsae M arviage Kpfh dale eReaarel vale Alin Flrewall ECGioa9- Rppll-0- i5 ncclalm nppll I.. �8oe5-6aeGp 1 ECG9401 [a89 xalalm applluuen an rvervroMmmpuiar Our present hope would be to structure information sharing in a collaborative and hands- on workshop format focused on broadly understanding the general details of the GCP topics of interest outlined below. The focal point of conversation would be centered on how a suggested implementation would work for our Acclaim environment. We'd envision the workshop would involve a combination of oral conversation, whiteboarding, and hands-on "how-to" demonstration within Eagle County's existing GCP environment. In our minds, this feels like a 1-2 day process. GCP Topics of Interest • Backup and recovery process and design (Veeam or built-in back to on-prem or stay in cloud etc). Would involve all forms of backup including data as well as baseline machine configuration. We currently have both backups and SAN datastore snapshots for DR. Want to know how this will change under the GCP model. • Availability monitoring and alerting - At present we monitor uptime and service/process availability with Solarwinds Orion. How will this work in GCP? We are also working towards "air -gapped" backups to protect against a 7 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD ransomware event, how would this be addressed? • Security monitoring and alerting - At present we use Crowdstrike for endpoint detection and response, and Qualys to scan for vulnerability issues. We also use MS-ISAC services to monitor our ingress/egress traffic for potential threats. Our web servers are located in the DMZ, have Palo Alto threat protection enabled, and we automatically block malicious IPs per an MS-ISAC TAXII feed. Interested in how this picture likely changes under the GCP model? • Cloud Storage options - Need to run the variety of storage mechanisms and pricing tiers (at least the local and networked options, plus where GCS possibly would make sense). • Dedicated Circuit vs point to point VPN - Discuss pros, cons, and triggers associated with going one route vs the other. Cost implications of each. Recommendations given our environment. • Load balancing - Will this be required if so why/where? • Machine and storage redundancy considerations - Understand our options and implications related to potential machine, disk, or data center events that would lead to loss of machine, data, or system availability issues. • Recommended aDDroach to SQL Server levels and Iicensina - • Directory Services - AD - Required to run on cloud? • Firewall Services - Firewall/No firewall? Is the firewall on the edge or more at the core. Would we continue with the virtual Palo or is there a better option that meets our security goals? What is the process for external Web servers to be allowed access to the back -end servers (just IP & port rules?). Also interested in how our clients will access the DMZ servers on GCP from our internal network). • Patch Management - Review how the Windows patching process works in GCP? • Vulnerability management - Currently use Qualys to monitor vulnerabilities on all servers with both external web application, IP-based scanning, and with a Qualys "VM agent' application installed on the servers. Will/how would this process change? • Support Process - Review how GCP support process will work? • Internet access from servers - Concerned that web traffic from the servers hosted in GCP will not be protected/monitored through our firewall threat protection module or via the Albert sensors. That is, how are we maintaining visibility and control of east/west traffic to the web servers. • External IP addressing - How do we obtain fixed IP addresses for our compute engine resources. • Network design • DMZ setup • Security boundaries • Internal IP addressing options (extend possible?) 0 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD • Failover VPN • DNS considerations? • Subnets • Data location concerns - USA only? • Windows server licensing - How does Windows Server licensing change from our existing on-prem - Per host server model? Is the cost built into the server charges or is it extra? • Gotchas - Understand potential gotchas such as external RDP being enabled by default. • Upgrading Compute Engine instances - Post machine instance configuration, interested in limitations/process for upgrading existing machine instances to more "powerful" resources when necessary (Add RAM, Processors, Storage)? Where might we be stuck with our original configuration (e.g. thin -provisioned storage)? • Identifying On -premise Services that won't port to GCP - Path of least resistance to get a handle on what we won't be able to port over? Extremely important to know for duplicitous costing analysis purposes. • Current costing assumptions - What are our present machine instance base configuration assumptions used to develop existing preliminary all -in cost model at $175K? • Data migration process - Review both how the detail process works and discuss the broad overall vision. • Reverse migration - What does transitioning out of GCP look like? Both in terms of migrating services back on -premise or out to an alternative Cloud provider? • Third -party VM access - Providing and revoking access to third -party support personnel? Addendum B - Statement of Work - Google SSO 9 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD Workshop Eagle County is interested in exploring the possibility of transitioning to Google Cloud as our authentication source for our cloud based software applications (typically SAAS offerings). In this workshop, Eagle County will work with a Cloudbakers Workspace Certified Engineer to explore options around using the best available options for Single Sign On for the County. Contributors • Scott Lingle, IT Director • Brian Alanis, Cloudbakers Practice Lead • Jake Klearman, IT Operations • Cloudbakers Engineer - TBA Manager Cloud SSO activities and deliverables Cloudbakers will deliver a virtual 1 day Google Cloud SSO workshop to provide Eagle County with the following: • A whiteboard discussion regarding the current state and desired state and specific to Eagle County's use cases regarding using Google as their SSO solution. (see Addendum 8) • Demonstrations of relevant Google Cloud technology configured in an Eagle County's Google Workspace environment, time permitting. • A Cloud SSO executive summary report outlining insights, recommendations, and next steps. Success Factors The success of this Statement of Work are mutually defined by: • Agreement on following Workshop schedule date • Review Eagle County's documentation, refer to Customer Documentation • Follow Cloudbakers Cloud SSO technical cloud best practices Summary Keport A summary report will document the span of activities and accomplishments during the workshop. The report leverage the notes taken during the workshop, highlighting: • Key discussion topics covered - sharing the slides presented 10 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD • Meeting notes, photos or drawings from architectural diagrams from whiteboard sessions, if available embedded in meeting notes document • Key questions asked, and answers provided • List of functionality demo'ed • List of recommended next steps Customer Documentation Overview - Cloud SSO approach with Google Cloud Eagle County is interested in exploring the possibility of transitioning to Google Cloud as our authentication source for our cloud based software applications (typically SAAS offerings). Current Eagle County Directory Environment • On -premise Microsoft Active Directory (MAD) - MAD is basically Eagle County's current single source of the truth. Most pertinent directory information is set up and maintained within this environment. • Azure Active Directory (AAD) - Bi-directional synchronization in place between On -premise Active Directory and Azure Active Directory. We use this environment for: • Selected on -premise https based business software applications can be accessed remotely via Azure proxy. • A limited number of users access AAD in order to make password updates. • A third party (Arapahoe County) has an internally developed software application that is hosted on Microsoft Azure. Eagle County uses the Arapahoe County software application and Eagle County users authenticate to this application using AAD. • Eagle County also uses AAD in combination with our MFA solution (legacy Microsoft phonefactor) for our external VPN authentication. In totality we have about 55 (50 basic level and 5 P2 level) Azure AD licenses (vs. 550 user base) that we presently license. Sync Google Cloud Directory - Combination of batch driven Google Cloud Directory Sync (formerly Google Apps Directory Sync) and event driven G Suite Password Sync (formery Google Apps Password Sync). Combination of two tools synchronize pertinent user and group information from on -premise AD to Google Workspace. We do have a small number of users in the synchronization exclusion list that are set up solely within Google. 11 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD Current or perceived challenges / issues using Google Cloud as central authentication smurce • Cached Google login credentials continue to live beyond 3rd party application logout While Google Session Control is presently enabled globally within our Google Workspace environment for all machines for 7 days. The positive on this is that users are prompted for credentials every 7 days, the negative is that 7 days can be a long time in the wrong situation. Also, current setup up can erratically log users out during the work day when the user might be in the middle of something important. We presently harbor concerns regarding end user's Google session authentication information continuing to live beyond 3rd party application logout for various types of shared devices (...and the end user being oblivious to this fact): Public Kiosks - The hotel business center. • Internal Shared Personal Computers - Examples include the Sheriffs office and our Transit department. • Home Windows Machines - Unprotected home machines easily accessible by other family members. Chromebook Password Reset (current issue) - Those users that exclusively use Chromebooks are never prompted to reset their password consistent with Windows Group Policy aging policy. Presently this group of users is relatively small, but is expected to grow in the future. Current Google Workspace Environment • Presently license at Enterprise Plus level (recently upgraded from pre -"Workspace" Business level) with 600 user licenses Endpoint management - Essentially all devices are auto -approved to work in our Google environment. This initially was focused on ease of enrollment for both personal and work issued user mobile (phone) devices, and likely pre -dated current features now available. There are selected mobile device management policies in place, but are generally fairly lightweight. It appears that we presently have over 4300 approved devices registered. • Context aware access - Feature set not presently in use. 12 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD Envisioned Way Forward to leveraging Google Authentication capabilities • Directory Architecture • On -premise - In order to minimize complexity of changing how our on - premise applications integrate with our directory environment, it seems prudent to continue to stay with our current on -premise MAD model for the foreseeable future. • Google Cloud - Assuming we stay with on -premise Microsoft Active Directory as suggested above, the primary question becomes how to integrate on -premise MAD information with our Google Cloud Directory. On -premise MAD two way sync with AAD; with Google SAML authenticating against AAD. The main downside of this approach is cost. Eagle County has made a significant financial investment in upgrading our Google Workspace environment to the Enterprise Plus level. Will be challenging to justify also having to pay up to $57,600 (600 users on P2 @ $8 per month) annually for this service. • On -premise MAD to GCD. Need to validate our understanding of suggested architecture on this one, but basically feels like: On - premise MAD one way sync to GCD; with Google SAML authenticating against GCD. No updates in GCD and pushback to MAD possible under this setup. • Establishing Policies to Differentiate Device Access Rules In order to alleviate our current concerns regarding end user Google authentication credentials living beyond 3rd party application logout, it feels like that we need to strongly consider implementing more restrictive endpoint management rules and / or context aware access policies. Could possibly involve: • Pragmatic way to establish challenge login for less trusted or unknown machines. • Forcing MFA on selected apps (e.g. payroll). • Low trust machines may be required to use MFA for every login. • Applying a shorter duration timeout on less trusted devices. Additionally, we would also like to explore instituting a mechanism towards improving our existing approach to session management in a way that might me less intrusive to the end user (e.g. scheduling periodic session logouts to occur 13 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD during non -business hours). • Chromebook Password Reset Dependent on the Cloud Directory Architecture path ultimately selected, we need to land on a sensible approach to improving the existing Chromebook Password Reset problem discussed above. Options to consider need to give thought towards: • How will the end user be notified of password reset needs? • Need to force the MAD password reset? • The actual mechanism the end user will use to actually make the password change? Actual need for password reset vs an alternative like making the Chromebook password rules more challenging (e.g. 16 characters+num+special characters, etc...) so as to negate the perceived need for periodic resets. 14 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-400D-AD6F-95946434AOAD Addendum C - Pricing Cloudbakers Technical Services Cloudbakers team of Certified Google Cloud Architects, Data Engineers, and Associate Engineers are available to provide Technical services for Eagle County. In the event Eagle County needs Technical services to be provided, Cloudbakers CARE team will review the matter and facilitate communications between Eagle County and a Cloudbakers' Architect/Engineer best suited to resolve the matter. Depending on the matter, work may be performed on a time & materials basis or may require a project Statement of Work. Cloudbakers Technical Services for GCP time & materials services are billed at the end of the month at the hourly rate of $200. Pricinq Table Service Unit Cost Qty Total Cloudbakers GCP Cloud Start Workshop $200 30 $6,000 Cloudbakers Google Workspace SSO Workshop $200 10 $2,000 Total $8,000 15 C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD INSURANCE CERTIFICATE C21-274 DocuSign Envelope ID: FCOAA54A-EA89-40OD-AD6F-95946434AOAD CLOULLC-01 KPOPP ,4coR0 CERTIFICATE OF LIABILITY INSURANCE FDATE(MMIDDIYYYY) 7/27/2021 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER CONTACT NAME: PHONE FAX (A/C, No, Ext): (630) 468-5400 (A/C, No):(630) 468-5432 Robertson Ryan - Oak Brook Riordan & Scully Insurance Services 815 Commerce Drive Oak Brook, IL 60523 ADDRESS: INSURERS AFFORDING COVERAGE NAIC # INSURERANalley Forge Insurance Company 20508 INSURED INSURER B : Continental Casualty Co. 20443 Cloudbakers Holdings LLC d/b/a Cloudbakers LLC and Qwinix Technologies, Inc. INSURER C : Continental Insurance Company 35289 600 West Van Buren, Suite 603 INSURER D : INSURER E : Chicago, IL 60607 INSURER F : COVERAGES CERTIFICATE NUMBER: REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR LTR TYPE OF INSURANCE ADDL INSD SUBR WVD POLICY NUMBER POLICY EFF MM DD YYYY POLICY EXP MM DD YYYY LIMITS A X COMMERCIAL GENERAL LIABILITY CLAIMS -MADE ^ OCCUR 4018262333 6/1/2021 6/1/2022 EACH OCCURRENCE $ 2,000,000 DAMAGE TO RENTED PREMISES Ea occurrence 300,000 $ MED EXP (Any oneperson) $ 10,000 PERSONAL & ADV INJURY $ 2,000,000 GEN'L X AGGREGATE LIMIT APPLIES PER: POLICY PRO - El LOC OTHER: GENERAL AGGREGATE $ 4,000,000 PRODUCTS - COMP/OP AGG $ 4,000,000 $ A AUTOMOBILE LIABILITY ANY AUTO OWNED SCHEDULED AUTOS ONLY AUTOS HIRED X NON -OWNED AUTOS ONLY AUTOS ONLY 4018262333 6/1/2021 6/1/2022 COMBINED SINGLE LIMIT Ea accident 1,000,000 $ BODILY INJURY Perperson) $ BODILY INJURY Per accident $ X PROPERTY DAMAGE Per accident $ B X UMBRELLA LIAB EXCESS LIAB X OCCUR CLAIMS -MADE 6057464273 6/1/2021 6/1/2022 EACH OCCURRENCE $ 5,000,000 AGGREGATE $ 5,000,000 DED X RETENTION $ 10,000 $ C WORKERS COMPENSATION ANDEMPLOYERS' LIABILITY Y/N ANY PROPRIETOR/PARTNER/EXECUTIVE ❑ OFFICER/MEMBER EXCLUDED? (Mandatory in NH) If yes, describe under DESCRIPTION OF OPERATIONS below N / A 4018262378 6/1/2021 6/1/2022 X PER OTH- STATUTE ER E.L. EACH ACCIDENT 1,000,000 $ E.L. DISEASE - EA EMPLOYEE $ 1,000,000 E.L. DISEASE - POLICY LIMIT 1,000,000 $ DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) CERTIFICATE HOLDER CANCELLATION SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE Eagle County, Colorado 9 Y THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. P.O. Box 850 Eagle, CO 81631 AUTHORIZED REPRESENTATIVE ACORD 25 (2016/03) C21-274 ©1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD