ISACA Security Template for Contracts

Reasonable Assurance – Guidance for A Technical Enabled World

Property of Business Technology Guidance Associates, LLC.

Reproduction is not allowed without written permission

2016-2017

Module 18

Vendor Management Forms

Shawna M Flanders CRISC, CISA, CISM, SSGB, SSBB

Business – Technology Guidance Associates, LLC

Contents

Introduction ... 2
Example RFP – (LMS – Learning Management System Based Example) ... 3
Statement of Work ... 63
Nondisclosure Agreement ... 67
Data and Information Ownership and Custodian Reciprocal Agreement ... 72
Service Level Agreement ... 100
Satisfaction Factors Template ... 106
Memorandum of Understanding ... 108
Third Party Due Care Checklist ... 112
Associated BUSTECHGA Course Offerings ... 116
    Building Security Into Contractual Agreements: Bid Specifications, SLAs and MOUs ... 116
    Building Security Into Contractual Agreements: SLAs and MOUs ... 116
About the Author ... 117

Introduction

This module is a supplement to Module 18 for those looking for examples of forms, including form templates.

Example RFP – (LMS – Learning Management System Based Example)

Module 18

Vendor Management Forms

2016-2017

Business – Technology Guidance Associates, LLC

General Information

PB&G ENTERPRISES (Customer) is soliciting proposals for a new Learning Management System (LMS) for its organization, which provides services to its member credit unions. The intent of this Request for Proposal (RFP) document is to secure under contract all materials, engineering, equipment, installation, supervision, and training services to implement this new system to meet the business requirements detailed in this RFP. A vendor, by submitting the bid, represents that they possess the capabilities, hardware, software and personnel necessary to provide an efficient and successful installation of properly operating systems.

http://www.capterra.com/school-administration-software/

RESPONSES TO THIS RFP WILL CONSTITUTE AN INTEGRAL PART OF THE FINAL CONTRACT TO BE NEGOTIATED WITH THE SUCCESSFUL VENDOR.

Vendors are requested to confirm/update their firm’s name, address, information, and primary contact below in the space provided.

Company Name:
Street Address:
City, State and Zip Code:
Primary Contact Name & Title:
Phone Numbers:
Email address:
Website:

Bid Instructions and Guidelines

All respondents to this RFP must agree to the terms and conditions of this section. Vendors must meet the requirements and specification details contained in this RFP and any addenda that may be issued by PB&G ENTERPRISES. Any exceptions must be noted in your response. Prior to submitting bids, each vendor is requested to carefully consider the amount and character of the work to be done as well as the difficulties involved in its proper execution. Vendors should include in their bids all costs deemed necessary to cover all contingencies essential to successfully installing the specified systems. Any cost not specifically itemized in the proposal shall not be incurred unless specifically agreed upon, in writing. No claims for compensation will be considered or allowed for extra work resulting from lack of knowledge of any existing conditions on the part of the vendor.

Ownership - All copies of this request, and all proposals and attachments, will remain the property of PB&G ENTERPRISES. Vendors may copy this document for the purpose of responding to this request. All copies of this document must be returned to PB&G ENTERPRISES upon request. Submitted proposals are to be considered the property of PB&G ENTERPRISES and will not be returned.

Implied Offer to do Business - This RFP is not an offer to enter into an agreement with any party, but rather a request to receive proposals from entities interested in providing the services outlined within. PB&G ENTERPRISES or any affiliate, subsidiary, etc. shall not be obligated for the payment of any sums whatsoever to any recipient of this RFP, nor shall PB&G ENTERPRISES be under any obligation to any such recipient in any manner whatsoever with regard to the subject matter of this RFP, until and unless a formal written agreement is executed by PB&G ENTERPRISES.

Presentation - Selected vendors, at PB&G ENTERPRISES’s discretion, may be asked to provide a formal proposal presentation and/or demonstration. A requested presentation or demonstration will not imply a commitment or award. Should a presentation be requested, PB&G ENTERPRISES may provide the vendor with a defined format or outline.

Incurred Costs - Vendor shall bear its own costs and expenses. PB&G ENTERPRISES will not be responsible for any costs incurred by a vendor in preparing, delivering or presenting responses to this RFP, unless otherwise agreed to in writing by the vendor and PB&G ENTERPRISES.

Confidentiality / Non-Disclosure – All information about PB&G ENTERPRISES and affiliates, subsidiaries, etc., and their marketing data/plans, peripherals, supplies and service purchases is proprietary. This RFP and its contents are confidential and may not be disclosed to any third party without prior written consent of PB&G ENTERPRISES. Likewise, the contents of vendor’s proposal and all documentation will be held in confidence by PB&G ENTERPRISES and their consultants and may not be disclosed to any third party without prior written consent of vendor. This section shall not act to supersede any non-disclosure agreement in place between PB&G ENTERPRISES and vendor. All mutual proprietary agreements are hereby incorporated by reference. During the period from now until a contract is awarded, all communications shall be with Pooka Bear of PB&G Enterprises, with a copy to Godiva of PB&G ENTERPRISES.

Modifications to RFP Specifications - PB&G ENTERPRISES reserves the right, at any time, to amend, supplement, withdraw or otherwise change this RFP. Addenda or amendments will be emailed or faxed to all vendors who have been provided copies of the RFP. If revisions are of such a magnitude, in the Customer’s opinion, to warrant the postponement of the date for receipt of proposals, an addendum will be issued announcing the new date. No modification or interpretation of the specifications other than through the issuance of addenda will be binding upon the Customer. Vendors must notify PB&G Enterprises as soon as possible of any omissions or errors in the specifications so that corrective addenda may be issued. PB&G Enterprises must receive such notification within seven (7) calendar days of the issuance of the RFP.

Questions Regarding this RFP - All questions regarding this RFP must be submitted in writing at any time on or before HH:MM mmddyyyy. Questions are to be submitted via email to PB&G Enterprises at proposal@pb&genterprises.com. If requested, an email reply confirming the receipt of your email will be generated. We will make every attempt to respond to questions as quickly as possible. If the questions affect the RFP Specifications, any new information or changes to this RFP will be sent to all vendors as time permits.

Due Date for Bid Submittal - The vendor must provide signed hard copies and electronic soft copies of their complete bid to the individuals specified in this section. Bids are to be submitted for review, not formally presented, unless so requested by either Customer or Consultant.

Submissions must be received or have a postmark no later than hh:mm on mmddyyyy. The Bid Submittal Deadline is Firm and Will Not Be Extended. Failure to provide a response by the date and time specified at the location as stated may result in the disqualification of that vendor from further consideration. It is vendor’s responsibility to ensure their responses are delivered to the exact location specified below by the date and time specified. Please deliver your proposal to the following:

Pooka Bear
President
PB&G Enterprises
100 Wheaton Drive
Anytown, FL 99999

Withdrawal of Bid Response - Withdrawal of bid response will not be allowed for a period of 60 days following the bid deadline. Should you withdraw your bid, you will not be allowed to submit another bid for this project.

Right to Reject Bid - PB&G ENTERPRISES has the right to reject any and all bids, such as a bid not accompanied by the data required by this RFP, a bid that is non-compliant, or for reasons only known to PB&G ENTERPRISES and their telecommunications consultants.

Bid Format - Bids must be submitted on these forms (the RFP document will be provided electronically). All entries made by the vendor to the RFP document must be in a color other than black so as to be conspicuous. Attachments do not need to be in color as long as they are appropriately labeled as an attachment. All bids must be formatted for 8 1/2 x 11 inch paper. All bid responses must be precise, to the point, and follow the form of this RFP. The complete proposal must include this document with point-by-point responses to the RFP and all other materials requested in the RFP. All questions asked in the RFP must be answered fully and concisely. If a question is redundant, please answer it again. Avoid ambiguous phrases like “all reasonable effort”. Alternatives to the specification will be considered and evaluated, but only if they are in addition to, and not in place of, the stated requirements. Any exception must be clearly specified as such, and the Customer reserves the right to reject any bids that do not comply with this instruction. Each question must be responded to completely. References to other documents that are not included as part of the appendix will not be accepted. Please do not include promotional materials unless they add substance to vendor’s proposal. Vendors are cautioned that proposals that do not conform to the guidelines required by this RFP will be subject to rejection without a complete review.

Clarification and Interpretation of RFP - The words "must" or "will" in this Request for Proposal (RFP) indicate mandatory requirements. Taking exception to any mandatory requirement may be grounds for rejection of the proposal. There are other requirements that PB&G ENTERPRISES considers critical but not mandatory. Therefore, it is important to respond in a brief but concise manner to each section of this document. Indicate the level of compliance as follows:

Acknowledge – The vendor has read and understood the information provided; no action is required of the vendor.
Compliant – Vendor meets the specifications.
Compliant with Clarification – Vendor meets the specification; however, the manner in which it is accomplished may be different than was specified. Provide clarifying information.
Do Not Comply – Vendor does not meet the specification or only meets part of the specification. Explain the deviation.
Option – Item is not available as standard, but is available at an additional cost. Indicate what additional hardware, software, services and the associated costs would be required to add the item.
Exception – Vendor does not meet the specification. Provide an alternative when possible.

Brand Name Specifications - Generally, brand name specifications may be used to help describe in a practical or economical manner the items being purchased. These specifications are a design guide when used by the Customer to convey to the vendor information as to the type and kind of product being requested. Bids on any such item similar and substantially equivalent will be considered, but must be clearly identified.

Quantities - Quantities mentioned in the RFP are approximate and may be subject to change.

Costs - Vendor responses must include a completed itemized bill of material, detailing all proposed costs for the bid. It must detail unit pricing and correspond to the summary information requested in this RFP. Verify your calculations. If there is a discrepancy between the unit cost and the total price, the lower of the two will stand as the bid price.

Discounts - Vendors are encouraged to identify any and all discounts for items and services that are bid. Provide an attachment describing the discounts and qualifying conditions.

Deliveries - Deliveries required in this bid must be freight prepaid; F.O.B. destination and bid prices must include all freight and delivery charges. All deliveries must be made between the hours of 8:00 a.m. and 4:00 p.m. Monday through Friday. No deliveries will be accepted on Saturday, Sunday or Holidays, unless so requested by Customer and agreed to by vendor.

Bid Pricing Firm Until 90 Days After Cutover - The pricing for all items presented in the bid response shall remain firm for a period of 90 days following the cutover of the system.

Optional / Additional Items - Optional / additional items or services that are included in the prices quoted must be uniquely identified and detailed in an attachment signed by a person who is authorized to commit your firm to such a bid. The description must be in sufficient detail as to allow the Customer to assess what is being offered and to determine what value that offering might have to them.

Evaluation of Bids and Awarding of Contract - PB&G ENTERPRISES reserves the right to accept any bid or, at its discretion, reject any or all bids for whatever reasons it deems appropriate. All bid responses will be thoroughly and carefully considered. The vendor’s financial stability, service and delivery performance, support and price will be key factors for future consideration of awarding a contract. Vendor references may be contacted and financial information may be requested by PB&G ENTERPRISES. PB&G ENTERPRISES reserves the right to use any or all design concepts presented in any bid response submitted in response to this RFP, whether amended or not, even if the vendor's response is not accepted.

Minimum Qualifications - After the bid opening, PB&G ENTERPRISES will check bid responses for the presence or absence of required information and minimum qualifications in conformance with the submittal requirements of this RFP. Submittal requirements are obligatory, and failure to fully comply will deem the bid unresponsive. Each responsive bid will be checked against the mandatory requirements of the RFP to assure compliance. Bids that do not include all of the mandatory requirements may not be considered. Each bid response will be evaluated to assure consistency between the various sections within the bid. Any items that are inconsistent or appear contradictory will be evaluated to determine if they will be classified as material deviations. Vendor agrees to provide reasonable access to their technical resources and relevant information for purposes of evaluating the bid response. If you are not the manufacturer’s direct representative, a letter must accompany your bid from an authorized representative of the equipment manufacturer you are representing. Said letter must clearly define your association with the manufacturer and your function with regard to design, installation, and maintenance of the systems you wish to sell.

Contract Award - The award will be made by PB&G ENTERPRISES based upon what they consider to be the bid that provides the "best overall value”. Criteria will include, but not be limited to, Cost, Conformity to Specifications, Product Performance, Manufacturer Maintenance & Support, References, Technical capabilities and adherence to Best Practices. The determination of the successful bid will be based on information submitted by the vendor and information obtained, where necessary, through manufacturer, distributor, and user contacts. All vendors will be notified that a supplier has been selected once a decision is made.

Summary of Key Dates

Activity / Date
RFP Published to Vendors:
Deadline for Vendor’s Questions:
Deadline for Bid Submission:

RESPONSE

Contract Expectations

The vendor that is awarded this project will be required to execute a Master Services Agreement with PB&G ENTERPRISES for this project, which will delineate the formal terms and conditions. This section provides general information and expectations.

Winning Vendor Responsibilities - The selected vendor will be considered the primary contractor and will assume total responsibility for providing the Customer with all material needed to make the systems fully operational by the agreed-upon date. The primary contractor must agree to be responsible for the actions and quality of workmanship of any subcontractor(s). PB&G ENTERPRISES requires all business partners, equipment vendors, support or maintenance vendors, and subcontractors whom the vendor will use to perform services under this proposal to be identified for approval prior to contract award. Substitutions of subcontractors must be submitted in writing for the Customer’s approval during the term of the agreement. Subcontractors’ references must accompany the vendor’s proposal. If unions are involved in the project, the primary contractor will comply with all union rules and regulations in force at the project site. Any unions involved in any collective bargaining agreements covering any employees working on Customer’s premises must be specified. Contractor/vendor and/or subcontractor(s) shall get clearance from owner's representative before entering any and all areas of the building to perform work assignments. PB&G ENTERPRISES may require the successful vendor to sign an agreement drafted by them that includes all of the requirements, deliverables, and remedies agreed to and negotiated by both parties. The agreement shall be governed by and construed according to the laws of the State of Florida. Vendor must be responsible for full restoration to original condition of all Customer surfaces, buildings, and grounds.

Risk of Loss - All risk of loss or damage to the equipment during and until delivery to Customer as a result of fire, theft, water, malicious mischief, or other causes shall be borne by the successful vendor. This responsibility shall continue until equipment is delivered to, received, and inventoried by PB&G ENTERPRISES.

Laws, Ordinances, Codes, Etc. - The successful vendor will comply with all applicable Federal, State, and local government laws, building & fire statutes, codes, ordinances, rules, regulations, and industry standards as applicable to the work to be performed. The successful vendor will also comply with all jobsite construction and/or PB&G ENTERPRISES regulations & requirements and agree to cooperate with the Customer’s team.

Patent Infringements / Sub-Contractor Actions - The successful vendor shall agree to indemnify PB&G ENTERPRISES with respect to any legal suit, claim, or proceeding which may be brought against it claiming that the use of the proposed systems constitutes an infringement of any patent or trade secret, as well as claims from vendor's subcontractors. The successful vendor will further agree to defend PB&G ENTERPRISES against any such claims by paying all litigation costs, attorneys' fees, settlement payments, and any damages awarded or resulting from any such claims.

Insurance - Vendor shall maintain, at its expense, the following insurances issued by an insurer with an A.M. Best Rating of A or better, such as will protect both vendor and Customer from, and pay on their behalf, any claims (including claims by Customer against vendor) which may arise for any reason under the Agreement, whether by vendor, any subcontractor, Customer, or their agents or employees. Vendor must include an attachment providing proof of insurance to include:

Commercial automobile liability insurance with a $1,000,000 combined single limit on vehicles owned, leased, or rented by vendor while performing under the Agreement;
Employer's liability insurance with a limit of not less than $1,000,000 per accident;
Commercial general liability insurance (including completed operations and contractual liability), including personal injury, blanket contractual liability and broad form property damage, with a $5,000,000 combined single limit per occurrence and in the aggregate; and
Professional liability insurance (errors and omissions) or comparable coverage for technology related acts, with limits not less than two million dollars ($2,000,000) annual aggregate for all claims each policy year.

Said policies shall name Customer as an additional insured and shall provide that they may not be canceled or materially altered without at least thirty (30) days prior written notice to Customer. Vendor shall also maintain Workers' compensation statutory coverage as required by the laws of the jurisdiction in which the services are performed. Said policy must include a waiver of subrogation to Customer (or its subsidiaries).

Payment Terms - The PB&G ENTERPRISES standard payment terms are Net 60 days.

Changes to the Contract - During the course of the installation process, the Customer will issue clarifications on the specifications as needed. Should the successful vendor believe that any clarification in fact constitutes a change to the contract, they shall so notify PB&G ENTERPRISES in the form of a Change Order, identifying all associated changes to the cost of the contract. During the course of the installation process, either party may issue requests for changes in the contract. This shall take the form of a Change Order, which, if accepted by both parties, shall be executed as a change. When, in the judgment of the Customer, a need for immediate action exists, the successful vendor may be directed to proceed on a time and materials basis with the proposed change. In no event shall changes involving extra cost to the Customer be allowed to proceed without prior written approval.

Cancellation - Any contract, agreement, or Purchase Order resulting from this RFP may be canceled, with or without cause, in part or in whole, without penalty, by PB&G ENTERPRISES providing a forty-five (45) day written notice of intent to cancel prior to cutover. Upon cancellation, the Customer will only be responsible for payment for those items and services received and/or installed up to the time the notice of cancellation was communicated. If the equipment received can be restocked, vendor will restock the equipment and assess a reasonable re-stocking charge, if required, not to exceed 20% of the quoted cost. Reasonable engineering and/or installation charges incurred prior to cancellation notice can also be charged.

RESPONSE

Vendor / Manufacturer Profile

Vendor Corporate Information – Please complete the fields below.

Question / Response
Vendor name:
Street address:
City:
State:
Zip Code:
Phone number:
Fax number:
Web address:
Name of CEO:
CEO email address:
Name of CIO:
CIO email address:
PCI compliant date:
Current number of employees:
# of employees 12 months ago:
Employee turnover rate:
Year the company was established:
Information current as of:

Manufacturer/Developer Corporate Information – Please complete if the solution you are proposing is manufactured or developed by another company.

Question / Response
Manufacturer name:
Street address:
City:
State:
Zip Code:
Phone number:
Fax number:
Web address:
Name of CEO:
CEO email address:
Name of CIO:
CIO email address:
PCI compliant date:
Current number of employees:
Year the company was established:
Information current as of:

Financial Information - Vendors should respond to the following questions based on the most current information available.

Question / Response
Stock Exchange Trading Symbol:
What are your firm’s annualized revenues for the past two years and the current year’s estimated revenues?
What are your firm’s annualized net profits for the past two years and the current year’s estimated net profit?
Tax ID#:
Please provide your company’s proof of PCI certification.
Please provide an SSAE 16 SOC 2 Type 2 report that contains the assessors’ review results and position on the soundness of the controls, specifically around the LMS application and associated client considerations.
Please provide your most recent 2 years of audited financials.

Provide a description of the manufacturer's corporate history, present status, and projected corporate direction. This description must be separate from any brochure and other information that you may include.

RESPONSE

Look for company history and growth and acquisition/merger details here, and compare the results with the results of your own Google search on the company.

If not a direct manufacturer bid, please provide a description of your company’s corporate history, present status, primary business focus and core services and products offered to your customers and biographies for key executives. This description must be separate from any brochure and other information that you may include.

RESPONSE

Here we are looking for details about where the product is manufactured or purchased from. Pay attention to location, as that could have a bearing on how quickly parts can be delivered or how quickly maintenance work (including software coding and report writing) can be conducted.

What specific strength does your company provide that distinguishes you from the competition?

RESPONSE

What Do You Offer? / How it Benefits PB&G Enterprises

Proven scalability for dynamically responding to changing business needs
Flexible architecture to speed deployments, ensure responsive change and offer options
Experienced, trusted partner with vertical expertise and dedicated client teams
Engineer to engineer communication
Continual investment in technology
24x7 Customer Support

Has your company been involved in any reorganization, acquisition or merger within the last four years? Please indicate any name changes your company has gone through and the reason.

SOLUTION

This is important because a merger or acquisition can signal the end of a product line, or the merging of two products that were formerly competitors.

Is your company currently for sale or involved in any expansion or acquisition plans?

SOLUTION

Has your company ever filed for bankruptcy? If so, please provide full details.

SOLUTION

How many clients have contracted related services with you in the last 2 years (new business)?

SOLUTION

How many clients have not renewed related services with you in the last 2 years?

SOLUTION

Describe your national and local Service Operations structure.

SOLUTION

Look for a response that explains how the company will support you throughout the business relationship, such as:

Professional services team aiding in deployment

Account team consisting of:
Account Manager — Operational day-to-day relationship manager
Client Development Manager — Strategic relationship manager
Client Services Manager — Account and team manager
Client Support Business Manager — Daily program analytics and monitoring contact

Communications Commitments:
Project Status Meetings — Leadership and PB&G ENTERPRISES advocacy during development
Program Status Updates — Program success, tuning and optimization
Quarterly Business Reviews — Updates on program statistics, combined business strategies, product and technology and service levels

Quality Assurance group commitment both in delivery and ongoing.
Quality Assurance Testing Coverage:
Functional, integration, regression, voice quality
Load, performance, stress
Failure, failover, monitoring, alerting
User and client acceptance testing
Quality Assurance Improvement Services:
Testing lab administration
Process improvement initiatives
Training

Product Management is focused on developing a portfolio of products that are innovative and meet the changing needs of our clients so they can improve business operations, increase revenue and exceed customer expectations. This is accomplished using a variety of tools and techniques including:
Market analysis — uncovers industry trends and client needs
Technology research — identifies cutting edge innovations
Product Advisory Communities — facilitate open dialogue among key stakeholders
Client newsletters — enable relevant communication between Our Company and our clients
Product roadmaps — ensure timely delivery of high priority, relevant products and services

Describe the experience your company has in the financial industry vertical.

SOLUTION

Provide three recent references of financial institutions within the USA that are most similar to PB&G ENTERPRISES where your company has sold, installed, and are currently maintaining systems that are currently using your products. Please provide contact names, titles, addresses, telephone numbers and email addresses for each reference. You must also include a system profile for each reference that describes what systems and releases they have installed, when it was installed and the number of users.

SOLUTION

Provide three additional references within the USA of other companies where your company has sold, installed, and are currently maintaining systems of a similar configuration using your products. Please provide contact names, titles, addresses, telephone numbers and email addresses for each reference. You must also include a system profile for each reference that describes what systems and releases they have installed, when it was installed and the number of users.

RESPONSE

Customer & Current Systems Overview

The following sections will provide information about PB&G ENTERPRISES as well as an overview of their current configuration.

About PB&G ENTERPRISES - Since 2004, PB&G ENTERPRISES has been a leading provider of training services to small and large organizations. To date, they have supported more than 400 clients worldwide. PB&G ENTERPRISES offers training and consulting services. They also develop course curriculum and training guides and develop items for multiple organizations. These courses are delivered both in person and through the internet.

Existing Collaboration Environment - PB&G ENTERPRISES utilizes a standard CISCO Webex Platform for most virtual course delivery, along with occasionally using Skype. PB&G ENTERPRISES develops course content in PowerPoint 2016 and Word 2016.

Existing LMS Platform - PB&G ENTERPRISES has been operating without a formal LMS platform, but with the current volume of requests and the general adoption of online course delivery the organization believes it can increase revenue by making the transition. Currently the organization delivers approximately 70 courses per year and about 40% are virtual.

Existing LMS Environment - Due to class size and reporting needs the organization moved from Join.me to Webex in January 2016. Webex can continue to be an avenue to deliver live courses if the content does not warrant the LMS.

Existing Applications - PB&G ENTERPRISES offers a wide variety of classes that can be customized to meet the individual needs of the client. Today’s courseware is written in MS Word and PowerPoint and delivered as secure PDFs. The organization does not have the expertise in house to build courseware in HTML, so the solution must be able to translate source documents from common Microsoft tools.

RESPONSE

Requirements Overview

PB&G ENTERPRISES will be implementing a new LMS system and is seeking the partner and solution that best fits their situation and requirements, whether it be premise-based, Hosted or a Managed services solution. The initial objective is to be able to reproduce all of the services / applications that are being provided by the current system using current, open standards. The high level requirements include but are not limited to the following. The system must:
* be capable of transforming existing course content
* be capable of building quizzes and tests
* have student collaboration capabilities
* have chat and whiteboard capabilities
* have role based security at the individual course level
* have the ability to build a content library based on course
* have the ability to register students, take tuition and report student progress
* have the ability to support attendees worldwide
* have the ability to expand attendees quickly
* have the ability to allow attendees to login as guests without registration
* have privacy opt out capabilities built in
* be able to secure content within stated geographical location
* follow good change, release, project practices
* have a suite of controls over CIA that are regularly tested
* allow the right to audit and perform annual remote risk assessments
* provide log and usage details on demand
* provide data owner and data custodian responsibilities within the contract
* allow local user provisioning and access administration
* conduct regular DR Restore exercises of our data
* conduct regular client BCP and Incident Response drills
* communicate change control board meeting minutes
* be reliable and designed with adequate levels of redundancy

Before making the final vendor selection PB&G ENTERPRISES will require the review of the following items:
* Results from the vendor completed PB&G Enterprise New Vendor Risk Assessment
* Vendor’s Business Continuity and Disaster Recovery Plan
* Vendor’s Information Security Policies
* Vendor’s Employee Background Check Policy
* Vendor’s Network and Data Maps
* Vendor’s Vendor Management Process “for bringing on business partners”
* Vendor’s certification regarding Compliance with regulations including NASBA and FERPA
* Vendor’s latest pertinent SSAE16

RESPONSE

Solution Architecture

Your proposed solution must provide for the seamless integration to the existing training material. How this is accomplished should be described below for both premise-based and Hosted solutions. In both cases, the proposed system must provide redundancy and be able to support Business Continuity and Disaster Recovery processes.

Describe the physical architecture/configuration of the proposed Premise-based system, if applicable.

RESPONSE

What connectivity is required to communicate between the systems in a premise-based solution?

RESPONSE

PB&G ENTERPRISES will be using the MS Office 2016 - 365 for their course development. Please confirm your solution is compatible.

RESPONSE

Describe how the design of the proposed premise-based solution accounts for Business Continuity and Disaster Recovery requirements.

RESPONSE

Describe the physical architecture/configuration of the proposed Hosted system, if applicable, as it relates to the PB&G ENTERPRISES learning delivery environment.

RESPONSE

What connectivity is required to communicate between the systems in a Hosted solution?

RESPONSE

Are any facilities or support services staff located outside the US?

RESPONSE

Are your hosting data centers geographically distributed? Where? Do we have a choice of locations for our data storage?

RESPONSE

Describe how load balancing is accomplished across all hosting data centers, if applicable. (or between devices if all servers are in the same physical location)

RESPONSE

What real-time and historical measurements are available to monitor storage, attendee’s dates, time of active attendance and percent of complete for our courses?

RESPONSE

In a Hosted solution, can the system be set to dynamically make additional ports available if attendees exceed current thresholds?

RESPONSE

In a Hosted solution, can the system be set to dynamically make additional ports available if storage needs exceed current thresholds?

RESPONSE

What SLA options are available for your Hosted solutions? Please detail.

RESPONSE

Describe the application architecture/configuration of the proposed system. Include network, dataflow and process diagrams?

RESPONSE

Describe how the design of the proposed Hosted solution accounts for Business Continuity and Disaster Recovery.

RESPONSE

Describe how training delivery would be affected in the event of a catastrophic failure in the data center?

RESPONSE

Describe how training development would be affected in the event of a catastrophic failure in the data center?

RESPONSE

Please describe the customer management tools available with your system.

RESPONSE

Please address the following questions in the event you are proposing a Hosted solution.

RESPONSE

Will the solution have a fixed number of available logins (“ports”)? If so, what is the process to add ports, and in what increments?

RESPONSE

If ports are dynamic, can PB&G ENTERPRISES control the maximum number of ports?

RESPONSE

Does the monthly billing take into account the number of attendee ports available and assigned, amount of storage allocated and in use and number of other resources used/modified such as professional services?

RESPONSE

What tools are available so that PB&G ENTERPRISES will be able to track login and storage utilization?

RESPONSE

Can PB&G ENTERPRISES perform their own access administration to the Hosted system?

RESPONSE

Describe how course content is promoted from PB&G ENTERPRISES computers to the Hosted system and any associated requirements.

RESPONSE

Describe how courses from the Hosted system are delivered to attendees live.

RESPONSE

Describe how courses from the Hosted system are delivered to attendees On Demand?

RESPONSE

What information is collected about attendees and how can it be obtained by PB&G ENTERPRISES?

RESPONSE

Please describe any escrow or other options for continuation of service in the event your company ceases operations.

RESPONSE

Communications Standards - The system being proposed must support current technology open standards. Indicate how your proposed solution supports and is certified with which communications standards.

RESPONSE

Programming Standards - The system being proposed must support current technology open standards. Indicate how your proposed solution supports and is certified with which programming standards.

RESPONSE

Security Aspects - Security is a major concern with any system and encompasses many facets. For the parents using the system, it is user authentication to gain access and the protection of all data and information that is accessible, as well as its compliance with PCI and other regulations. For the administrators, it is controlling access to the system and role-based permissions. For educators it is not only authentication but also ease of use in developing, modifying and delivering course content. Describe the security framework for the solution being proposed.

RESPONSE – Parental Portal

RESPONSE – Student Portal

RESPONSE – Course Delivery Portal

RESPONSE – Course Design / Maintenance Portal

RESPONSE – School Administration Functions Portal

RESPONSE – Access and Role Administration Portal

Is the solution certified? If so, by what entity?

RESPONSE

Is your solution compliant with the following? Complete one column for each regulation.

                                                      FERPA    COPPA    PCI    HIPAA / HITECH / HITRUST
RESPONSE
YES/NO
Date Last Assessed
Assessor’s Company Name
Please provide ROC or other document of compliance
from independent assessor

RESPONSE

Is this a public company? If so, are you SOX certified? Public Companies: Please provide annual reports filed with the SEC on form 10-K

RESPONSE

If you are proposing a Hosted solution, are your data centers as well as the LMS solution annually reviewed by an independent assessor? If yes, please provide SSAE16 SOC2 Type 2

RESPONSE

Is your organization willing to annually participate in a third-party security assessment by PB&G ENTERPRISES or their preferred assessor at PB&G ENTERPRISES’s expense?

RESPONSE

Is your organization willing to annually participate in a third-party risk assessment by PB&G ENTERPRISES or their preferred assessor at PB&G ENTERPRISES’s expense?

RESPONSE

Is your organization willing to participate in a third-party vulnerability assessment by PB&G ENTERPRISES or their preferred assessor at PB&G ENTERPRISES’s expense?

RESPONSE

Is your organization willing to participate in a third-party Penetration Test of our Instance including connection points between our facilities and our instance at your facility by PB&G ENTERPRISES or their preferred assessor at PB&G ENTERPRISES’s expense?

RESPONSE

Describe the process and timing of addressing an issue if a security vulnerability is identified in your product?

RESPONSE

Describe the process and timing of addressing an issue if a security vulnerability is identified in your hardware, firmware or software?

RESPONSE

Please describe your company’s vulnerability management process. Please explain:
* How often does your organization run vulnerability scans?
* How is the scanning tool master file updated and how often?
* What assets are included in the scan?
* How often are social engineering activities conducted?
* How often are the business processes reviewed for vulnerabilities?
* If a patch is identified to fix a vulnerability, how quickly is it applied?

RESPONSE

Please describe your company’s Penetration Testing process. Please explain:
* How often does your organization run penetration tests?
* What types of tests? (White Box, Black Box, Gray Box, Red Team/Blue Team)
* What is the scope?
* What social engineering activities are conducted?
* Who performs the tests?
* If a deficiency is identified, what is the process to assess and remediate?

RESPONSE

How does the system provide for role-based access? Please describe.

RESPONSE

How does the system provide real-time status for all users logged into the system, including the date and time of login and the IP address logged in from?

RESPONSE

How does the system log administrative login attempts and activities, and are any activities omitted from the log files?

RESPONSE

How does the system log the activities of those logged into the system, and are any activities omitted from the log files?

RESPONSE

How does the system log and store sensitive data like credit card numbers, social security numbers, grades, health records, etc.?

RESPONSE

What other multi-factor authentication methods are supported by your application? Please describe and indicate what is required to support them.

RESPONSE

Please detail your product roadmap for the next three years

RESPONSE

Data Sources, Interfaces and channels - As with any complex environment, there are various systems and databases within the PB&G ENTERPRISES environment that applications will need to interface to via web services. Further, there are also external systems at other companies that must interface and exchange information as appropriate via web services. There is also consideration for other channels of communication between teachers, students and parents such as text, email, web chat, and outbound calls to school.

What communications protocols are supported?

RESPONSE

For the communications protocols supported, what provisions are there for error handling, such as timeouts, bad data, etc.?

RESPONSE

Explain how data, information and communication is securely transferred between the institution and students and parents as well as between systems inside and outside the institution?

RESPONSE

Do you have any pre-built connectors available? If so, are they based on web services? Describe how they work and what web services are used?

RESPONSE

Application Development - PB&G ENTERPRISES has an ongoing need to support its users through modifications and development of new curriculum that it can market to its users. Please describe the application development process and tools that are available to the institution.

SOLUTION

Can non-technical PB&G ENTERPRISES instructors develop and modify class curriculum?

RESPONSE

What application development tools are available?

RESPONSE

How can PB&G ENTERPRISES leverage and incorporate existing training resources in order to manage training programs long term?

RESPONSE

Do you provide a separate development environment for course development?

RESPONSE

Have you employed a standardized data dictionary and a high level library of available functions for course descriptions? Provide a description or sample of data dictionary and function library.

RESPONSE

Does the proposed solution require an internal database that must be maintained or can it access the existing PB&G ENTERPRISES multi-database environment? Explain database design options.

RESPONSE

What database environments, if any, do you not support?

RESPONSE

Describe the application debugging and troubleshooting environment for each module within the LMS solution.

RESPONSE

How are application enhancements and bug fixes tested before deployment to production?

RESPONSE

What is the change control process for moving enhancements to production? Describe the process of deploying an application to production.

RESPONSE

Does your solution provide real-time configuration management, i.e. the ability to make real-time configuration and course content changes?

RESPONSE

Will you accept a code escrow clause in the final contract for extenuating circumstances?

RESPONSE

What templates are available to start the course, exercise and test development?

RESPONSE

Reporting Capabilities - PB&G ENTERPRISES requires secure robust reporting and logging capabilities. Please provide a list of standard reports and associated descriptions for the system you are proposing.

RESPONSE

How is access to reporting accomplished in a secure fashion?

RESPONSE

How can access to the reports be controlled via user profiles? For example, could a parent have access to see reports specific to their child or children?

RESPONSE

Can administration reports be scheduled to run and distributed automatically?

RESPONSE

What formats are available for reports to be exported/distributed in?

RESPONSE

Do you have any billing reports based on per student and per login by the minute charges that could be used to charge back usage to attendees?

RESPONSE

Do you offer the capability to create custom administration and teacher/student, teacher/parent reports?

RESPONSE

What real time monitoring capabilities are available with your system?

RESPONSE

What types of analytics are available using your solution?

RESPONSE

What tools are available so that PB&G ENTERPRISES will be able to view and analyze system activities?

RESPONSE

How does your solution provide fall-out analytics documenting where attendees cannot log in or do not take or complete course… or are not active when logged in?

RESPONSE

Does your system provide any alerting to errors with hardware, software, etc.?

RESPONSE

What log sharing capabilities are available with your proposed system for advanced internal analytics?

RESPONSE

How are rules developed for IDS, IPS, DLP, DLAP, SIEM, etc.? How are exception reports developed, assessed and responded to?

RESPONSE

Solution Capabilities - The evaluation process will take into account features that may be able to be incorporated over time into the new PB&G ENTERPRISES system. Ensuring the capability is available today in your proposed system is important.

PB&G ENTERPRISES requires the ability to have customized reporting requirements based on each course. Does your proposed system provide that capability? Please detail.

RESPONSE

Are customized courses easily modifiable rather than requiring code changes? How would your proposed solution address this?

RESPONSE

Can you leverage URL to DNIS mapping to allow access to the proposed solution via a click on the web?

RESPONSE

Does the proposed system provide the capability for surveys and future course marketing? Please describe the capabilities and requirements for implementation.

RESPONSE

Does the proposed system provide the capability for Web Chat with live and on-demand attendees? Please describe the capabilities and requirements.

RESPONSE

Does the proposed system provide the capability for Social Media marketing, course development and delivery? Please describe the capabilities and requirements.

RESPONSE

Does the proposed system provide the capability for Mobile development and delivery? Please describe the capabilities and requirements.

RESPONSE

Professional Services - Please describe the professional services offerings that would be utilized to convert PB&G ENTERPRISES to your proposed system.

RESPONSE

What is your hourly charge for application development services?

RESPONSE

What is your hourly charge or cost for custom course and report development?

RESPONSE

Implementation - Describe how your company manages the development, implementation and testing process, including the roles of key project personnel. Please complete Columns B, C and D.

Column A: Area
Column B: CSP Role / Responsibility Description
Column C: PB&G ENTERPRISES Role / Responsibility Description
Column D: Further Commentary

Areas (Column A):
* Relationship Management
* SLA Management
* Management Reporting
* Continuous Improvement
* Forecasting: Estimating transaction arrival patterns by interval based on historical data.
* Quality – Root Cause Analysis
* Quality – Process Level Changes
* Staffing: Determining the number of staff required for each interval to service the forecasted transaction volumes.
* Scheduling: Developing schedules for each CCR (start, stop, break, and lunch times)
* Staffing – Planning
* Staffing – Training
* Staffing – Management
* Technology – Planning
* Technology – Maintenance & Monitoring
* Technology – Development
* Workforce Management
* Facilities Management
* Program Implementation
* MSA and SOW creation and maintenance

Project Manager - The successful vendor will be required to name a Project Manager who will assume overall responsibility for the project and serve as single point of contact for this project. Vendors must submit the name and resume of their Project Manager in their bid response. The primary contractor’s Project Manager cannot be changed without the prior approval of the Customer and/or its Consultant, or unless he/she ceases employment with the vendor’s firm. No more than one substitution will be accepted without a 10% of contract amount penalty being assessed against the primary contractor by Customer. Such penalty is to be reflected in the very next payment due to the primary contractor by the Customer.

The successful vendor is also required to provide complete specifics with regard to the composition and experience of the installation team. This will include specifics indicating whether each resource is an employee of the vendor, a contractor used by the vendor, or an employee of the manufacturer.

RESPONSE

Implementation Plan - Each vendor is required to submit with the bid response a sample implementation plan outlining the major milestones, associated time frames, and methods of project control. All appropriate details should be specified in the sample implementation plan including the expected responsibilities of the Customer during all phases of the project. Upon bid award, a detailed implementation plan will be developed based on this plan.

RESPONSE

Coordination with Customer Representatives - PB&G ENTERPRISES's representatives will coordinate with the winning vendor in terms of developing the final system design to be used for the system implementation.

RESPONSE

Development Engineers - Please provide the number of development engineers that are available and properly skilled for this solution.

RESPONSE

Change Orders - Please describe your process for change orders that may arise during implementation.

RESPONSE

Change Orders - Please describe your process for change orders that may arise post implementation.

RESPONSE

System Load Testing - Please describe what aspects of the proposed system can be load tested and how that would be accomplished. How does platform load testing vary from application load testing?

RESPONSE

Test Plans for Systems Acceptance - Vendor shall describe and list a detailed acceptance test plan. Describe the criteria for assuring full system performance and outline how tests will be conducted to demonstrate proper installation and performance as specified in this RFP. PB&G ENTERPRISES and/or their IT Team will review the vendor’s results and conduct additional testing as needed.

RESPONSE

Systems Acceptance - Acceptance of the Learning Management System / LMS systems will occur after the final cutover, and final payment will not be withheld without merit. (The final cutover will be when the first course is successfully converted and delivered to a student.) The Customer will provide vendor with a list of any deficiencies found within 10 working days after the installation phase. An acceptance letter will be sent to the vendor when the deficiencies are corrected.

RESPONSE

Customer Access To Installed Systems - The Customer must be provided with any and all security access codes for the systems installed (except those that may activate features that were not purchased). This also applies to any new codes that may be added after the cutover. The Customer will take full responsibility for any actions resulting from these access arrangements.

RESPONSE

System Documentation - All publications that are required to effectively troubleshoot, maintain, and understand the operation of all systems must be provided or be available via the Internet. Please provide a list of the relevant documents and where they can be accessed.

RESPONSE

Application Documentation - Documentation must be provided for all system and application configurations, interfaces, menus, scripts. All development efforts must be documented. Please describe how this is addressed by your organization.

RESPONSE

Post Implementation Warranty & Maintenance Services - For Premise-based or Managed Service solutions, the vendor should guarantee all equipment (without regard to manufacturer or origin), software, cable, and installation against design, mechanical, electrical and workmanship defects for a minimum of one year. If defects appear within that period, the vendor must furnish all replacement parts, materials, and labor at no cost to the Customer. The warranty must begin at Customer’s formal acceptance of the system. Vendor and/or the manufacturer/developer must guarantee parts and services availability for a period of five years from the acceptance date. Exceptions will be accepted and be evaluated.

Provide a statement from the manufacturer that they will provide hardware/software alternate service providers if and when the bidding vendor is unable to provide the support necessary to maintain the systems to industry standards, for a minimum period of 5 years after acceptance.

For Hosted solutions, you must provide operational maintenance and support 24x7x365.

RESPONSE

Warranty & Maintenance Agreement - A complete maintenance and warranty agreement must be included with the bid response. All details and costs for this agreement must be separately identified and summarized to clearly delineate the cost for the purchase of the system components vs. the cost for this agreement. Please provide complete warranty information for all hardware, software, materials, and services included in your bid. Identify any components of the system that would not be covered under warranty for at least one year.

RESPONSE

Warranty & Agreement Options - We understand that each vendor has a variety of options that are available to Customers. Accordingly, use these guidelines to structure the options that PB&G ENTERPRISES will consider. With the options listed below, please detail the itemized annual cost for maintenance for each component for year one, i.e. for twelve months following Customer System Acceptance.

RESPONSE

Detail the subsequent itemized annual cost for each component for year two. Does the year two cost also apply to year three? If not, describe the cost differences.

RESPONSE

What are the available terms for your maintenance contracts? Please indicate if this agreement is with you as the vendor, with the manufacturer direct or with a 3rd party.

RESPONSE

The requirement is 24x7x365 Hardware/Software availability and Remote Technical support with a 4-Hour or less response, is that acceptable?

RESPONSE

If available as an option, what is the additional amount required to include software upgrades?

RESPONSE

Does your warranty program for a premise-based system cover damage to a fully maintained system affected by lightning and/or electrical surges, that are not the fault of the Customer?

RESPONSE

Reporting & Response Time for Premise-based System Issues – Provide SLA

RESPONSE

What is your definition of a Major System failure? Detail your response times and actions based on the priority levels and characteristics provided.

RESPONSE

Failure definitions and response times are listed in the following chart. For each priority level, supply the required time to acknowledge receipt of incident, the required time to restore incident, and the required time to resolve incident.

Priority Level: CRITICAL (Production Systems Only)
Characteristics:
* All users or a significant proportion of users cannot get service. System is not operational and no work around exists, e.g. no course content can be accessed by students or instructors.
* Significant Commercial Impact, e.g. problem prevents billing, loss of service to downstream providers.
Required time to acknowledge receipt of incident:
Required time to restore incident:
Required time to resolve incident:

Priority Level: MAJOR (Production Systems Only)
Characteristics:
* All redundant and some non-redundant capacity is lost and calls are affected, e.g. n + 1 redundancy in place and + 1 and half of n is lost.
* Major function not available and no work around exists, e.g. platform not providing audio or video or recording functionality for active students or content developers, or courses will not convert from MS products to platform.
Required time to acknowledge receipt of incident:
Required time to restore incident:
Required time to resolve incident:

Priority Level: MINOR
Characteristics:
* Redundant capacity may be lost but normal capacity is not affected, e.g. n + 1 redundancy in place and + 1 is lost yet n remains.
* Small proportion of users may experience faults.
Required time to acknowledge receipt of incident:
Required time to restore incident:
Required time to resolve incident:

Priority Level: Informational
Characteristics:
* Product information
* Configuration information
* General information
Required time to acknowledge receipt of incident:
Required time to restore incident:
Required time to resolve incident:

What is your definition of a Minor System failure? Detail your response times and actions.

RESPONSE

For non-emergency service requests, what is your response time?

RESPONSE

In the case of a complete disaster, such as fire or destructive storm, what services do you provide to your maintenance customers to ensure rapid recovery of service?

RESPONSE

Operational maintenance and support for Hosted solutions - As part of a Hosted solution, maintenance and operational support must be available 24x7x365. Please confirm.

RESPONSE

In a Hosted or Managed Services solution, there must be proactive monitoring of the platform and applications. Please describe how this is performed and what tools or vendors are used to support this process.

RESPONSE

Please describe your incident reporting, trouble management and escalation process.

RESPONSE

Service Infrastructure - Describe your local service organization.

RESPONSE

Does the vendor maintain a local parts depot in the area? If so, where is the closest one located to PB&G ENTERPRISES locations in Punta Gorda, FL?

RESPONSE

Are there any hardware components of the proposed system that are manufactured overseas and not readily available locally? Describe where and how the distribution channel works.

RESPONSE

Does the vendor have local service technicians employed in the local Punta Gorda area? If not, in what city are they based and how many of these technicians are certified to support the various modules within the system?

RESPONSE


In the event a service technician cannot correct a problem within a reasonable time, describe your escalation procedures.

RESPONSE

Describe your application support services organization and where they are based.

RESPONSE

Software Upgrades - Describe what the Warranty & Maintenance agreement includes with regard to upgrades to the various components covered under the agreement. Describe your procedures for managing the various upgrades that may be required over time.

RESPONSE

Patches/Corrective Updates – Are they included under the agreement at no cost? Is the labor to perform the Patch/Corrective Update included or is it an additional cost? Please describe.

RESPONSE

Firmware Upgrades - Are they included under the agreement at no cost? Is the labor to perform the Firmware Upgrade included or is it an additional cost? Please describe.

RESPONSE


Software Upgrades - Are they included under the agreement at no cost? Is the labor to perform the Software Upgrade included or is it an additional cost? Please describe.

RESPONSE

Is the Customer responsible for performing any of these updates themselves? If the Customer were to require assistance, how would the vendor provide that service?

RESPONSE

How will the Customer be made aware that updates are available?

RESPONSE

What guidance is provided to the Customer for them to determine if a particular update is required for their system configuration?

RESPONSE

Product End of Life - Have any of the products being offered in your response to this RFP been designated end of life?

RESPONSE


How will the Customer receive end of life announcements?

RESPONSE

Describe the typical timeframes involved from initial announcement, i.e. how long until last sale, how long until factory discontinuation, how long until last maintenance support, etc.

RESPONSE

Service Levels - What are the available SLA options for Hosted services? Please describe.

RESPONSE

What are the available SLA options for Managed Services? Please describe.

RESPONSE

Would a Hosted solution ever encounter the need for planned downtime whereby the system would not be available?

RESPONSE

Training Requirements


PB&G ENTERPRISES views training as a critical element of the Learning Management System / LMS system.

Knowledge Transfer - To what degree do you conduct knowledge transfer to the Customer while performing implementation of the system?

RESPONSE

System Administrator Training - System administrator training is required for all system components. This training needs to be conducted virtually. Please provide a realistic syllabus / curriculum describing this training with your bid response. The system’s price must include all costs for this onsite training.

RESPONSE

Training Courses - Explain the general training curriculum available to support the products proposed by the vendor. Please indicate whether it is available online, as self-paced courses or taught in a classroom situation. If training is in a classroom, can it be provided onsite?

RESPONSE

Describe your training plan for each of the types of users in connection with this project, including the type of class, the recommended number of students per class, the length of the class and a sample agenda. For example:

An administrator’s guide may include:
* Launching the administrator desktop
* Using the administrator’s desktop
* Logging in
* Producing a course
* Customizing the course
* Delivering a course
* Getting reporting on a course

A student’s user guide may include:
* Registering for a course
* Launching a course
* Logging in
* Participating in a course
* Troubleshooting connections

RESPONSE

System Documentation - All publications that are required to effectively troubleshoot, maintain, and understand the operation of all systems must be provided or be available via the Internet. Please provide a list of the relevant documents and where they can be accessed.

RESPONSE

Guidance for RFP Response

This section is intended to provide guidance to assist you in determining the solution that you will be proposing in your response.

Objective - To identify the best partner and solution to implement an LMS solution. Considerations will include system capability and functionality, security and compliance, reliability, BCP and DR coverage, and the partner’s ability to augment or provide development, implementation and support services.

Scenarios for Deployment - PB&G ENTERPRISES is considering various scenarios for the deployment of the new system and will compare the costs, advantages/disadvantages and risks of each alternative. These are:

* Premise-based deployment.
* Premise-based deployment with Managed Services.
* Hosted/Cloud-based deployment.

We understand that some of you may only provide a premise-based or a Hosted solution, while others may be able to offer several. Please clearly delineate which alternatives you are responding to for this RFP in the table below.

Deployment                                        Yes    No
Premise-based deployment                          ( )    ( )
Premise-based deployment with Managed Services    ( )    ( )
Hosted/Cloud-based deployment                     ( )    ( )

RESPONSE


Cost Structure – We understand that the pricing that you respond with for a premise-based solution vs. that for a Hosted solution will be based on different parameters. Accordingly, please complete the proper sections for your response. You need to include all of the costs broken down and summarized as requested. Any optional items that are either requested in that section or recommended by you need to be detailed as options for consideration.

RESPONSE

Traffic – The following table describes the approximate traffic of virtual courseware today.

RESPONSE

Virtual Courseware Traffic Statistics

Average Weekly Volume 200

Average Daily Volume 30

Busy Day 99

Busy Hour 99

Average Time of each Virtual Course 1:45

Application Development & Other Services - We understand that there are certain services required in order to implement various modules. As part of your response for services, PB&G ENTERPRISES is going to consider options with regard to the development of courseware on the new platform. Given the scope of this project, PB&G ENTERPRISES needs to understand the cost involved in implementing each module and developing courseware. They would like to understand the effort/cost and potential timeframes involved in several scenarios:

* Awarded vendor implements the solution, converts existing courseware onto the platform, migrates other data into the solution and works with PB&G ENTERPRISES on the interfaces.
* Awarded vendor provides professional services assistance to PB&G ENTERPRISES resources as they take the lead on development.


RESPONSE

Future – On-demand Courseware Delivery - As an option and separately detailed from the replacement solution, provide a budgetary cost to expand the proposed system to accommodate the additional traffic.

RESPONSE

Estimated Future Traffic Statistics

Average Daily Volume 4000

Average Hourly Volume 1000

Average Login Time 2.50 HR

Based on the information above, can you provide any budgetary cost for the increased volume? If not, what additional specific information would you require to do so?

RESPONSE

Premise-Based Solution

This section applies to vendors proposing a premise-based solution (both with and without Managed Services).

PB&G ENTERPRISES is considering various configuration options. One option is the replacement of their current premise-based system with a new premise-based system, which they will manage themselves once implemented. They also want to evaluate a Managed Services offer on the same.

As discussed in this RFP, PB&G ENTERPRISES requires the proposed VMS system to be fully redundant and resilient with the capacity to expand. Your system design should not include any single points of failure.

The system specifications and requirements appearing in this section are based on today’s known assumptions and are for bidding purposes only. The configuration is a summary guideline of the requirements known at this time. Once a vendor is awarded the project, quantities will be finalized in order to place the order for the system. It is essential that the vendor carefully read and address all of the requirements called for in this RFP.

If a component is specified in this RFP, it must be included unless the vendor notes an exception. If a specified component is not included, and no exception is noted, then the vendor is responsible for providing the component to PB&G ENTERPRISES at no additional charge.

Vendor Response: Agreed and understood: Yes _____ No _____

RESPONSE

Definitions

The proposed system must be configured to support the specified required quantities at cutover of the system as well as supporting future growth as specified in the following definitions.

Equipped - The equipped and functional port and license quantities required at system cutover.

Spare – Additional quantity to be included over and above the equipped quantity specified.

Please describe the recommended configuration.

RESPONSE

Premise-Based Solution - Pricing

Please note that we request that you group pricing in the manner described. We require you to include an itemized bill of material, identifying all items by the summary pricing group as specified, such as hardware and materials, software & licenses, implementation services, etc.

You are required to provide your detailed auto-quote / bill of materials with your response as an Excel file. At a minimum, it should contain part numbers, item descriptions, quantities and costs, and easily correlate to the summary numbers you provided. If you are also proposing Managed Services, those also must be detailed in an Excel file along with the description of the services and associated SLAs.

Any maintenance costs relating to year 1 of operation and for years 2-3 need to be accounted for separately in the next sections. If software assurance/upgrades are included within your maintenance pricing, they must be line-itemed to show the actual cost of said service.

RESPONSE

Premise Summary                                    Discounted Cost    Discount % Applied
Premise Hardware and Materials
Premise Software / Licenses
Premise Implementation Services
Application Development / Professional Services
Managed Services Contract
Total Cost

Vendors are asked to guarantee their prices for a period of at least 90 days from the date of installation.

Agree as specified ( ) Not as specified ( ) Explain:

Premise System – Maintenance Year 1 Pricing

PB&G ENTERPRISES requires that maintenance agreement costs be separately detailed. Please identify any exceptions to the maintenance as stated in the “Other” column and describe the exception.

24x7x365 Option – Hardware/Software Break/Fix; 24x7x365; Remote Technical Support; 4-Hour or less response.

You are required to provide your detailed auto-quote / bill of materials for all hardware & software maintenance charges for the configuration with your response as an Excel file. At a minimum, it should contain coverage descriptions and costs. Please summarize your pricing in the following chart.

RESPONSE

Premise - Maintenance Summary First Year    24x7x365 Year 1    Other
Hardware / Software Maintenance
Additional Cost for Upgrade Coverage
Total Cost

Premise System – Maintenance Years 2-3 Pricing

PB&G ENTERPRISES requires that maintenance agreement costs be separately detailed. Please identify any exceptions to the maintenance as stated in the “Other” column and describe the exception.

24x7x365 Option – Hardware/Software Break/Fix; 24x7x365; Remote Technical Support; 4-Hour or less response.

You are required to provide your detailed auto-quote / bill of materials for all hardware & software maintenance charges for the configuration with your response as an Excel file. At a minimum, it should contain coverage descriptions and costs. Please summarize your pricing in the following chart.

RESPONSE

Premise - Maintenance Summary Annual for Years 2-3    24x7x365 Year 2    24x7x365 Year 3    Other
Hardware / Software Maintenance
Additional Cost for Upgrade Coverage
Total Cost

Hosted Solution

This section applies to vendors proposing a Hosted solution.

PB&G ENTERPRISES is also considering the option of a new Hosted system.

As discussed in this RFP, PB&G ENTERPRISES requires the proposed Learning Management System / LMS system to be fully redundant and resilient with the capacity to expand. Your system design should not include any single points of failure.

The system specifications and requirements appearing in this section are based on today’s known assumptions and are for bidding purposes only. The configuration is a summary guideline of the components known to us as of this time. Once a vendor is awarded the project, quantities will be finalized in order to place the order for the system. It is essential that the vendor carefully read and address all of the requirements called for in this RFP.

If a component is specified in this RFP, it must be included unless the vendor notes an exception. If a specified component is not included, and no exception is noted, then the vendor is responsible for providing the component to PB&G ENTERPRISES at no additional charge.

Vendor Response: Agreed and understood: Yes _____ No _____

RESPONSE

What are the License requirements by Module for Test and Production with costs? “Web Based”

RESPONSE

( ) Academic Reporting
( ) Admissions Management
( ) Assessment Management
( ) Attendance Tracking
( ) Behavior Management
( ) Bookstore Management
( ) Cafeteria Management
( ) Classroom Management
( ) Clinic Management
( ) Curriculum Management
( ) Enrollment Management
( ) Event Calendar
( ) Facility Management
( ) Faculty / Staff Management
( ) Financial Management
( ) Fundraising Management
( ) Higher Education
( ) Housing Management
( ) Independent / Private
( ) K-12
( ) Library Management
( ) Parent Portal
( ) Scheduling
( ) School District
( ) Special Education
( ) Student Information / Records
( ) Student Portal

What are the License requirements by Module for Test and Production with costs? “Installed”

( ) Academic Reporting
( ) Admissions Management
( ) Assessment Management
( ) Attendance Tracking
( ) Behavior Management
( ) Bookstore Management
( ) Cafeteria Management
( ) Classroom Management
( ) Clinic Management
( ) Curriculum Management
( ) Enrollment Management
( ) Event Calendar
( ) Facility Management
( ) Faculty / Staff Management
( ) Financial Management
( ) Fundraising Management
( ) Higher Education
( ) Housing Management
( ) Independent / Private
( ) K-12
( ) Library Management
( ) Parent Portal
( ) Scheduling
( ) School District
( ) Special Education
( ) Student Information / Records
( ) Student Portal

Hosted Solution - Pricing

We request that you provide group pricing in the manner described. PB&G ENTERPRISES will require itemized billing in the list of material along with summary pricing grouped as specified, such as hardware and materials, software & licenses, implementation services, etc.

You are required to provide your detailed auto-quote / bill of materials with your response as an Excel file. At a minimum, it should contain part numbers, item descriptions, quantities and costs, and easily correlate to the summary numbers you provided. Any maintenance costs not included in the monthly operational costs relating to year 1 of operation and for years 2-3 need to be accounted for separately in the next sections. If software assurance/upgrades are included within your maintenance pricing, they must be line-itemed to show the actual cost of said service.

RESPONSE

Hosted System – System Pricing Summary

Premise Summary                                    Discounted Cost    Discount % Applied
Set Up Charges
Project Management Charges
Monthly Toll-free minute Charges
Monthly Long distance minute Charges
Monthly IVR Time Charges
Monthly Feature Charges
Monthly Recurring Platform Charges
Monthly Recurring Bandwidth Charges
Application Development / Professional Services
Total Cost

Options
Application Development for Member Services

Hosted System – Maintenance Year 1 Pricing

PB&G ENTERPRISES requires that maintenance agreement costs be separately detailed. Are there any maintenance costs separate from the regular monthly costs for operating the system? Please summarize your pricing in the following chart.


Hosted - Maintenance Summary First Year    24x7x365 Year 1    Comments
                                           $
                                           $
Total Cost                                 $

Hosted System – Maintenance Years 2-3 Pricing

PB&G ENTERPRISES requires that maintenance agreement costs be separately detailed. Are there any maintenance costs separate from the regular monthly costs for operating the system? Please summarize your pricing in the following chart.

Hosted - Maintenance Summary Annual for Years 2-3    24x7x365 Year 2    24x7x365 Year 3    Other
                                                     $                  $
                                                     $                  $
Total Cost                                           $                  $

Agreement

By submitting a bid, a vendor represents the following:

The vendor has read and understands the RFP and has placed their name at the bottom of each page of the RFP to acknowledge they have read and understand the requirements called for in the RFP.
Agree as specified ( ) Not as specified ( )

The bid must conform to all provisions of the RFP. All exceptions to the RFP must be clearly delineated next to the required RFP provision, starting with the word “EXCEPTION”. It will be assumed that the vendor conforms to the RFP unless an exception is clearly stated.
Agree as specified ( ) Not as specified ( )

The vendor agrees that if they are awarded the contract, this RFP and their bid response will be attached to the final contract as an exhibit.
Agree as specified ( ) Not as specified ( )

RESPONSE

Inventory of All Attachments

Document Name    File Type    Version # and Last Revised Date

This RFP must be signed for your response to be considered. By signing below, your firm agrees to provide the items and services described in this RFP and abide by all the terms and conditions as specified in this document and any contract resulting from an award based on this Request for Proposal. Any exceptions taken to the terms and conditions as set forth in this document must be identified in detail and accompany this bid. Any exceptions not identified in detail at the time this bid is presented will not be considered.

Authorized Signature Printed Name of Authorized Party

Name of Firm Email Address of Authorized Party

Phone Number Date of Submission


Statement of Work


Statement of Work

This Statement of Work is executed pursuant to the Consulting Services Agreement (“Agreement”) dated and executed on ____________________ by and between Your Company Name (the “Company”), a Florida corporation, and VENDOR Name (“Consultant”), a BUSINESS TYPE (collectively, the “Parties”), and shall be deemed to be a part thereof. The services to be provided under this SOW are for Consulting Services as described in the Agreement and this SOW.

Objective:

Based on our previous conversation, the objective of this engagement is to provide consulting services during ENGAGEMENT/PROJECT NAME on an HOURLY / FIXED COST, FOR STATED Dates / TIMEFRAME / AS NEEDED, basis.

Term of SOW:

This agreement will extend for one year from date of signing or until services are deemed no longer necessary by YOUR COMPANY. The contract can be terminated early by either party with a four week written notice.

Scope of Engagement

During the engagement, VENDOR will provide the following services: STATE SERVICES

Deliverables

The following deliverable(s) will be provided to the client during the engagement: STATE DELIVERABLE

Approach

Activity / Deliverable Description Required Start Date Required Completion Date


Scope Changes and On-demand Services

During the engagement, COMPANY may request additional services or deliverables from VENDOR. A change order with costs will be written for each additional request, and those orders will be attached as amendments to the SOW and associated SLA. Fees for these services will be based on the same billing structure as mentioned below.

Payment Terms

Our fees for consulting are $xxxx.xx per hour / $xxxxxx,xx per month / $xxxxxx,xx per engagement.

Our invoices for these fees will be rendered as the work progresses and are payable Net 30. In accordance with our firm policies, work may be suspended if your account becomes 90 days or more overdue and will not be resumed until your account is paid in full.

Location of Work

REMOTE / ONSITE @_________________________

Other terms and conditions

Availability for onsite meetings at YOUR COMPANY will be based on the availability of VENDOR.

IN WITNESS WHEREOF, the parties have executed this Statement of Work by their undersigned, duly authorized officers on the date first above written:

VENDOR Name YOUR COMPANY Name

(“Consultant”) (“the Company”)

NAME: NAME:


SIGNATURE: SIGNATURE:

TITLE: ____________________________ TITLE:____________________________

DATE: ____________________________ DATE: ____________________________


Nondisclosure Agreement


Nondisclosure Agreement Example

THIS AGREEMENT, made this ____ day of ____________ (month), _____ (year), between _______________________, (hereinafter “Disclosing Party”), and __________________________ (hereinafter “Receiving Party”) including their direct business partners.

BACKGROUND

            The Disclosing Party and Receiving Party wish to discuss and exchange certain items, data and information related to business programs, products, applications, systems, components, technologies and business topics (the “Invention”) which the parties hereto consider highly Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public and proprietary.

            NOW THEREFORE, the parties hereto, intending to be legally bound in consideration of the mutual covenants and agreements set forth herein, hereby agree as follows:

1.      DEFINITIONS

1.1.        “Invention” shall mean all data and information relating to business programs, products, applications, systems, components, technologies and business topics.

1.2.        “Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information” shall mean all data and information provided by Disclosing Party with respect to the Invention regardless of whether it is written, oral, audio tapes, video tapes, computer discs, machines, prototypes, designs, specifications, articles of manufacture, drawings, human or machine readable documents. Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information shall also include all data and information related to the Invention provided by Disclosing Party to Receiving Party prior to the signing of this agreement. Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information shall not include any of the following:

(a)       such data and information in the public domain at the time of the disclosure, or subsequently comes within the public domain without fault of the Receiving Party;

(b)      such data and information which was in the possession of Receiving Party at the time of disclosure that may be demonstrated by business records of Receiving Party and was not acquired, directly or indirectly, from Disclosing Party; or

(c)       such data and information which Receiving Party acquired after the time of disclosure from a third party who did not require Receiving Party to hold the same in confidence and who did not acquire such technical data and information from Disclosing Party.

1.3.        “Disclosing Party” shall mean the party disclosing data and information to the other relating to the Invention.

1.4.        “Receiving Party” shall mean the party receiving data and information from the other relating to the Invention. This also applies to all their direct business partners that could access the Disclosing Party’s Data and Information.

2.      USE OF SENSITIVE, CONFIDENTIAL, PROPRIETARY OR OTHERWISE DEEMED NON-PUBLIC DATA and INFORMATION

The Receiving Party agrees to:

(a)    receive and maintain the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information in confidence;

(b)    examine the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information at its own expense;


(c)    not reproduce the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information or any part thereof without the express written consent of Disclosing Party;

(d)    not, directly or indirectly, make known, divulge, publish or communicate the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data or Information to any person, firm or corporation without the express written consent of Disclosing Party;

(e)    limit the internal dissemination of the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information and the internal disclosure of the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information received from the Disclosing Party to those officers and employees, if any, of the Receiving Party who have a need to know and an obligation to protect it;

(f)      not use or utilize the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information without the express written consent of Disclosing Party;

(g)    not use the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information or any part thereof as a basis for the design or creation of any method, system, apparatus or device similar to any method, system, apparatus or device embodied in the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information unless expressly authorized in writing by Disclosing Party; and

(h)    utilize the best efforts possible to protect and safeguard the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information from loss, theft, destruction, or the like, ensuring at a minimum: data and information segregation; access on a need-to-know basis; encryption at rest and in transit; logging of all attempts to access or alter provided data and information; encryption of sensitive fields within logs.

 

3.      RETURN OF SENSITIVE, CONFIDENTIAL, PROPRIETARY OR OTHERWISE DEEMED NON-PUBLIC DATA

All data provided by the Disclosing Party shall remain the property of the Disclosing Party. Receiving Party agrees to return all Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public data in its original media to Disclosing Party within 5 days of written demand by Disclosing Party and to permanently remove all electronic forms of shared information from primary and secondary storage as well as backups. When the Receiving Party has finished reviewing the data provided by the Disclosing Party and has made a decision as to whether or not to work with the Disclosing Party, Receiving Party shall return all information to the Disclosing Party without retaining any copies and to permanently remove all electronic forms of shared data from primary and secondary storage as well as backups.

4.  RETURN OF SENSITIVE, CONFIDENTIAL, PROPRIETARY OR OTHERWISE DEEMED NON-PUBLIC INFORMATION

All information provided by the Disclosing Party shall remain the property of the Disclosing Party. Receiving Party agrees to return all Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Information in its original media to Disclosing Party within 5 days of written demand by Disclosing Party and to permanently remove all electronic forms of shared information from primary and secondary storage as well as backups. When the Receiving Party has finished reviewing the information provided by the Disclosing Party and has made a decision as to whether or not to work with the Disclosing Party, Receiving Party shall return all information to the Disclosing Party without retaining any copies and to permanently remove all electronic forms of shared information from primary and secondary storage as well as backups.

5.      NON-ASSIGNABLE


This agreement shall be non-assignable by the Receiving Party unless prior written consent of the Disclosing Party is received. If this Agreement is assigned or otherwise transferred, it shall be binding on all successors and assigns. If the Receiving Party has a direct provider relationship with a hosting company or other organization that has access to the data and information of the Disclosing Party, the Receiving Party must disclose the name, address and contact information for each business partner, and their authorized representative must also sign this agreement.

 

6.      GOVERNING LAW

This Agreement and all questions relating to its validity, interpretation, performance and enforcement (including, without limitation, provisions concerning limitations of actions), shall be governed by and construed in accordance with the laws of the State of _______________, notwithstanding any conflict-of-laws doctrines of such state or other jurisdiction to the contrary, and without the aid of any canon, custom or rule of law requiring construction against the draftsman.

 

7. No License

Neither party does, by virtue of disclosure of the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information, grant, either expressly or by implication, estoppel or otherwise, any right or license to any patent, trade secret, invention, trademark, copyright, or other intellectual property right.

 

8. Binding Nature of Agreement

This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective heirs, personal representatives, successors and assigns.

 

9. Provisions Separable

The provisions of this Agreement are independent of and separable from each other, and no provision shall be affected or rendered invalid or unenforceable by virtue of the fact that for any reason any other or others of them may be invalid or unenforceable in whole or in part.

 

10. ENTIRE AGREEMENT

This Agreement sets forth all of the covenants, promises, agreements, conditions and understandings between the parties and there are no covenants, promises, agreements or conditions, either oral or written, between them other than herein set forth. No subsequent alteration, amendment, change or addition to this Agreement shall be binding upon either party unless reduced in writing and signed by them.

 

11. Arbitration

Any controversy or claim arising out of or relating to this Agreement, or the breach thereof, shall be resolved by arbitration conducted by the ____________________ and in accordance with the rules thereof, conducted in CITY, STATE, or in any other convenient forum agreed to in writing by the parties. Any arbitration award shall be final and binding, and judgment upon the award rendered pursuant to such arbitration may be entered in any court of proper jurisdiction. Notwithstanding the foregoing, either party may seek and obtain temporary injunctive relief from any court of competent jurisdiction against any improper disclosure of the Sensitive, Confidential, Proprietary or Otherwise Deemed Non-Public Data and Information.

 

IN WITNESS OF THEIR AGREEMENT, the parties have set their hands to it below effective the day and year first written above. 

Disclosing Party    Receiving Party – “Direct Vendor”

 

By: __________________________ By: __________________________

Receiving Party – Hosting    Receiving Party – Application Support

 

By: __________________________ By: __________________________

Receiving Party – Access Admin    Receiving Party – Network Monitoring

 

By: __________________________ By: __________________________

Receiving Party – DRaaS    Receiving Party – Storage / Backup

 

By: __________________________ By: __________________________

Receiving Party – Audit/PEN    Receiving Party – Other

 

By: __________________________ By: __________________________


Data and Information Ownership and Custodian Reciprocal Agreement


Sample Data and Information Ownership and Custodian Reciprocal Agreement

The intent of this Data Ownership and Custodian Reciprocal Agreement is to develop a comprehensive agreement that would govern the ownership and protection of data and information between _____________ (Company - Data and Information Owner) and __________________ (Vendor - Data and Information Custodian).

This Data Use and Reciprocal Support Agreement is made and entered into on the date set forth below by and between the undersigned (hereinafter referred to individually as “Vendor - Data and Information Custodian” and collectively as “Vendor - Data and Information Custodians”) and [_________], a [____________] (hereinafter referred to as the “Company - Data and Information Owner”)(the “Agreement”).

The Agreement is a comprehensive, multi-party trust agreement that will be signed by all parties wishing to provide IT Services for COMPANY. The agreement provides the legal framework governing participation by requiring the signatories to abide by a common set of terms and conditions. These common terms and conditions support the secure, interoperable exchange of company and client data and information in all forms between the COMPANY data/information owner and the VENDOR data/information custodians, including their business partners.

This agreement is a vehicle for creating trust relationships among those parties with access to data and information.

WITNESSETH:

WHEREAS, the Vendor - Data and Information Custodians have each individually been accepted by the Company - Data and Information Owner;

WHEREAS, some Vendor - Data and Information Custodians are business partners of the primary Vendor - Data and Information Custodian. These Vendor - Data and Information Custodians generally have a direct relationship with the primary Vendor - Data and Information Custodian who serves as the custodian of the owners’ data and information within or through their respective Systems;

WHEREAS, as a condition of participation, the Vendor - Data and Information Custodians must enter into this agreement for purposes of electronic data exchange and have agreed to do so;

NOW, THEREFORE, for and in consideration of the mutual covenants herein contained, the Vendor - Data and Information Custodians hereto mutually agree as follows:

1. Definitions.


Applicable Law shall mean: (i) for all Vendor - Data and Information Custodians, all relevant laws of the state(s) or jurisdiction(s) in which the Data/Information Owner COMPANY operates, as well as all relevant federal laws;

Audit shall mean a review and examination of records (including logs), and/or activities to ensure compliance with this Agreement and Performance and Service Specifications. This review can be manual, automated or a combination of both.

Authorization shall meet the requirements and have the meaning set forth by applicable Regulations.

Common Resource shall mean software, utilities and automated tools made available for use in connection with the agreement by a Vendor - Data and Information Custodian, the Company - Data and Information Owner or any other natural or legal person with sufficient rights to grant such a designation.

Confidential Data and Information shall mean proprietary or confidential materials or information of a Discloser in any medium or format including but not limited to: (i) the Discloser’s designs, drawings, procedures, trade secrets, processes, specifications, source code, System architecture, processes and security measures, Data schema, research and development, including but not limited to research protocols and findings, passwords and identifiers, new products, and marketing plans; (ii) proprietary financial and business information of a Discloser; (iii) information or reports provided by a Discloser to a Receiving Party pursuant to this Agreement; and (iv) all other non-public information designated by either party in writing as confidential or proprietary.

Consent shall be understood in the context of Applicable Regulations.

Data shall mean natural or de-identified data, and metadata.

Discloser shall mean a Vendor - Data and Information Custodian that discloses Confidential Information to a Receiving Party.

Dispute shall mean any controversy, dispute, or disagreement arising out of or relating to this Agreement or the breach of this Agreement when such controversy, dispute or disagreement has not been resolved through other available processes and mechanisms provided by the Company - Data and Information Owner.

Effective Date shall mean the date on which a Vendor - Data and Information Custodian executes this Agreement, which shall be indicated next to the signature of the authorized representative of the Vendor - Data and Information Custodian on the execution page of this Agreement.

Company - Data and Information Owner shall mean the subscribing company's Data Owner, which is accountable for the relationship and the data and information within the possession of the custodian and for fulfilling the roles and responsibilities described herein, or any interim Company - Data and Information Owner given responsibilities pursuant to this Agreement.

Service Provider shall mean a company or other organization that serves as the data custodian or their business partners / affiliates.


Integrated Delivery System or IDS shall mean the solution subscribed to by the data and information owner.

Material shall mean, for the purposes of Section 10.03/10.04 only, the implementation of, or change to, a Performance and Service Specification that will: (i) have a significant adverse operational or financial impact on a majority of Vendor - Data and Information Custodians; (ii) require a majority of Vendor - Data and Information Custodians to materially modify their existing agreements with Vendor - Data and Information Custodian Users or third parties; or (iii) require an amendment to this Agreement.

Message shall mean a mechanism for exchanging Data between Vendor - Data and Information Custodians through the Data and Information Owner, which complies with the agreed upon Performance and Service Specifications. Messages include, but are not limited to, query, retrieve, and publish-subscribe.

Monitor shall mean a review and examination of records (including logs), and/or activities to evaluate the utilization levels, efficiency and technical capabilities of Service Provider and their affiliates. This review can be manual, automated or a combination of both.

Provider Network shall mean a secure infrastructure that allows for the exchange of Data between the owner and custodians.

Performance and Service Specifications shall refer to the Test Approach, the Interface Specifications and the Policies and Procedures.

Test Approach shall mean the agreed-upon approach that provides the framework for Testing and demonstrations for parties applying to participate, as amended from time to time.

Interface Specifications shall mean the specifications adopted by the Company - Data and Information Owner to specify the data content, technical and security requirements necessary.

Policies and Procedures shall mean the policies and procedures adopted by the Company - Data and Information Owner that describe management, operation and participation.

Notice or notify shall mean a notice in writing sent to the appropriate Vendor - Data and Information Custodian's representative or the Company - Data and Information Owner.

Vendor - Data and Information Custodian shall mean any organization that is a signatory to this Agreement, except for the Company - Data and Information Owner.

Vendor - Data and Information Custodian Users shall mean those persons, who have been authorized to access Data in the System and in a manner defined by the respective Vendor - Data and Information Custodian.

Payment shall have the meaning set forth by Regulations.

Permitted Purposes shall mean the following reasons for which a Vendor - Data and Information Custodian may legitimately exchange Data:

Request by government or law enforcement authorities

With signed, written request or consent of Data and Information Owner

Protected Information shall have the meaning set forth by Applicable Regulations.

Receiving Party shall mean a Vendor - Data and Information Custodian that receives Confidential Information from a Discloser.

Recipient shall mean the Requesting Vendor - Data and Information Custodian that receives Data for Permitted Purposes, a Vendor - Data and Information Custodian User who receives Data for Permitted Purposes, or other persons who use Data for Permitted Purposes.

Requesting Vendor - Data and Information Custodian shall mean the Vendor - Data and Information Custodian that submits a Message that initiates an exchange of Data.

Responding Vendor - Data and Information Custodian shall mean the Vendor - Data and Information Custodian that receives or responds to a Message from a Requesting Vendor - Data and Information Custodian.

Security Incident shall be limited to only those Security Incidents which affect or are reasonably anticipated to affect the data and information owner's assets.

Service Registry shall mean the catalogue describing the functionality and services supported by each Vendor - Data and Information Custodian.

System shall mean software, portal, platform or other electronic medium controlled by a Vendor - Data and Information Custodian through which the Vendor - Data and Information Custodian conducts its activities for the Data and Information Owner. For purposes of this definition, it shall not matter whether the Vendor - Data and Information Custodian controls the software, portal, platform or medium through ownership, lease, license or otherwise.

Testing shall mean the tests and demonstrations of a Vendor - Data and Information Custodian’s System and processes used, which conform to the Interface Specifications and Test Approach.

2. Incorporation of Recitals. The Recitals set forth above are hereby incorporated into this Agreement in their entirety and shall be given full force and effect as if set forth in the body of this Agreement.

3. Purpose and Scope of the Agreement. The purpose of this Agreement is to provide a legal framework that will describe the role of the Data and Information Owner and Custodian.


4. Governance.

The Data and Information Owners and their associates will provide guidance to the individuals managing the arrangement with the Custodian and their associates.

5. Use of Data.

5.01. Permitted Purposes. The data and information shall be used only for Permitted Purposes as defined in this Agreement. Each Vendor - Data and Information Custodian shall require that its Vendor - Data and Information Custodian Users only use the data and information for the Permitted Purposes.

5.02. Permitted Future Uses. Subject to this Section 5.02 and Section 19.06, Recipients may retain Data received in response to a Message in accordance with the Recipient’s record retention policies and procedures. As a result, Recipients may use and re-disclose Data received in response to a Message, in accordance with all Applicable Law and the agreements between a Vendor - Data and Information Custodian and its Vendor - Data and Information Custodian Users. Notwithstanding the preceding sentence, a Recipient may not use or re-disclose Data received in response to a Message based on an Authorization beyond the uses and disclosures allowed by the Authorization, except as required or permitted by law or by a subsequent Authorization provided by the individual.

5.03. Management Uses. The Company - Data and Information Owner may request information, including Personally Identified Information and de-identified data, from Vendor - Data and Information Custodians, and Vendor - Data and Information Custodians shall provide requested information, for the following purposes: system administration, testing, problem identification and resolution, management of the System, and otherwise as the Company - Data and Information Owner determines is necessary and appropriate to comply with and carry out its obligations under all Applicable Law and this Agreement. Any such information provided by a Vendor - Data and Information Custodian to the Company - Data and Information Owner shall be treated as Confidential Information pursuant to Section 16 of this Agreement.

6. System Access Policies.

Pursuant to Section 11.02 (Common Policies and Procedures), each Vendor - Data and Information Custodian shall have policies and procedures in place that govern its Vendor - Data and Information Custodian Users' ability to access information on or through the Vendor - Data and Information Custodian's System ("Vendor - Data and Information Custodian Access Policies"). Each Vendor - Data and Information Custodian acknowledges that Vendor - Data and Information Custodian Access Policies will differ among them as a result of differing Applicable Law and business practices. For the purposes of this Agreement, the Vendor - Data and Information Custodians agree that they shall allow a Requesting Vendor - Data and Information Custodian to follow its Vendor - Data and Information Custodian Access Policies for Vendor - Data and Information Custodian Users even if they allow greater access to a Vendor - Data and Information Custodian's System than the policies and practices of the Responding Vendor - Data and Information Custodian would allow. Notwithstanding the preceding sentence, the Vendor - Data and Information Custodians agree that each Vendor - Data and Information Custodian shall comply with the Applicable Law. Each Vendor - Data and Information Custodian shall provide its Vendor - Data and Information Custodian Access Policies to any other Vendor - Data and Information Custodian upon reasonable request.

7. Enterprise Security.

7.01. General. Each Vendor - Data and Information Custodian shall be responsible for maintaining a secure environment that supports the operation and continued development. Where the agreed-upon Interface Specifications and Policies and Procedures define expectations for Vendor - Data and Information Custodians with respect to enterprise security, or the Company - Data and Information Owner otherwise sets forth a policy regarding enterprise security, Vendor - Data and Information Custodians shall use appropriate safeguards to prevent use or disclosure of Data otherwise than as permitted by this Agreement, including appropriate administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of that Data. Appropriate safeguards (as stated in applicable regulations and based on the data and information owner's internal policies) shall be those identified as required and, to the extent that implementation is reasonable, those that are identified as "addressable." Each Vendor - Data and Information Custodian shall have appropriate written privacy and security policies in place no later than the Vendor - Data and Information Custodian's respective Effective Date.

7.02. Malicious Software. Each Vendor - Data and Information Custodian shall ensure that it employs security controls that meet applicable industry or federal standards so that the information and data being transmitted and any method of transmitting such information and data will not introduce any viruses, worms, unauthorized cookies, trojans, malicious software or "malware", ransomware or other program, routine, subroutine, or data designed to disrupt the proper operation of a System or any part thereof or any hardware or software used by a Vendor - Data and Information Custodian in connection therewith, or which, upon the occurrence of a certain event, the passage of time, or the taking of or failure to take any action will cause a System or any part thereof or any hardware, software or data used by a Vendor - Data and Information Custodian in connection therewith, to be improperly accessed, destroyed, damaged, or otherwise made inoperable. In the absence of applicable industry standards, each Vendor - Data and Information Custodian shall use all commercially reasonable efforts to comply with the requirements of this Section.

8. Equipment and Software.

Each Vendor - Data and Information Custodian shall be responsible for procuring, and assuring that its Vendor - Data and Information Custodian Users have or have access to, all equipment and software necessary for it to participate. Each Vendor - Data and Information Custodian shall ensure that all computers and electronic devices owned or leased by the Vendor - Data and Information Custodian and its Vendor - Data and Information Custodian Users are properly configured, including, but not limited to, the base workstation operating system, web browser and Internet connectivity.

9. Auditing.

9.01. Vendor - Data and Information Custodian Auditing and Monitoring. Each Vendor - Data and Information Custodian represents that, through its agents, employees and independent contractors, it shall have the ability to monitor and audit all access to and use of its System related to this Agreement, for system administration, security, and other legitimate purposes. Each Vendor - Data and Information Custodian shall perform those auditing activities to ensure the reasonable effectiveness of the agreed upon Performance and Service Specifications and Sections 9.02 and 20.

9.02. Company - Data and Information Owner Auditing and Monitoring.

a. Vendor - Data and Information Custodians agree that the Company - Data and Information Owner shall have the right, but not the obligation, to Monitor or Audit the operations of the Vendor - Data and Information Custodians. The Company - Data and Information Owner shall also have the right to Audit a specific Vendor - Data and Information Custodian's activities related to the modules they subscribe to and their data, access and log files, but only when the Company - Data and Information Owner has reasonable cause to believe that the audited Vendor - Data and Information Custodian is in material breach of its obligations under this Agreement or is otherwise compromising the security or stability. Such Audits may include requests for documents and information from a Vendor - Data and Information Custodian concerning its activities.

b. Vendor - Data and Information Custodians shall fully cooperate with any such Monitoring or Auditing activities by providing information requested by the Company - Data and Information Owner within ten (10) days of receiving a written request from the Company - Data and Information Owner, provided that a Vendor - Data and Information Custodian may withhold information and records relating to its System and data security programs and processes or other sensitive Confidential Information which is not normally disclosed to third parties.


c. A Vendor - Data and Information Custodian’s failure to cooperate with Monitoring or to comply with the Company - Data and Information Owner’s efforts to Audit a Vendor - Data and Information Custodian’s compliance with this Agreement or the Performance and Service Specifications may constitute a material breach of this Agreement and serve as grounds for termination in accordance with Section 19.04, including the notice and cure provisions therein.

d. All information provided in accordance with this Section 9.02 shall be treated as “Confidential Information” and shall be so labeled.

10. Performance and Service Specifications.

10.01. General Compliance. Each Vendor - Data and Information Custodian shall comply with: (i) the Interface Specifications; (ii) the Test Approach; and (iii) the Operating Policies and Procedures (collectively, the “Performance and Service Specifications”).

10.02. Development of the Performance and Service Specifications. The Vendor - Data and Information Custodians hereby grant the Company - Data and Information Owner the power to develop the Performance and Service Specifications, and to amend, or repeal and replace, the Performance and Service Specifications at any time through the Performance and Service Specification Change Process described in Section 10.03/10.04.

10.03. Performance and Service Specification Change Process.

a. Development and Amendment of the Performance and Service Specifications. The Company - Data and Information Owner is responsible for the development of the Performance and Service Specifications, and may implement any new Performance and Service Specifications, or amend, or repeal and replace any existing Performance and Service Specifications, at any time by providing the Vendor - Data and Information Custodians notice of the change at least forty-five (45) days prior to the effective date of the change, which includes the rationale and specific changes or additions to such Specifications.

b. Vendor - Data and Information Custodian Right to Object. If the implementation of a new Performance and Service Specification, or change to any existing Performance and Service Specification, is Material, each Vendor - Data and Information Custodian shall have the right to object to the change in writing to the Company - Data and Information Owner within thirty (30) days following the Company - Data and Information Owner's notice of the change to Vendor - Data and Information Custodian. Such objection shall contain a summary of the reasons for the objection. If the Company - Data and Information Owner receives objections from a majority of Vendor - Data and Information Custodians within thirty (30) days, the Company - Data and Information Owner shall review the proposed change in light of the objections and make a determination as to whether to proceed with the change as is or modify it. The determination must be conveyed in writing to Vendor - Data and Information Custodians within ten (10) business days of becoming final.

c. Change Required to Comply with Applicable Law or the Stability of the Network. Notwithstanding Sections 10.03(a) and (b), if the change is required for Vendor - Data and Information Custodians to comply with Applicable Law or to maintain the stability of the network, the Company - Data and Information Owner may implement the change without allowing for objection and within such period of time as the Company - Data and Information Owner determines appropriate under the circumstances. Any change required to comply with Applicable Law may not take effect any earlier than the legally required effective date of the change to Applicable Law. The Company - Data and Information Owner shall notify Vendor - Data and Information Custodians immediately in the event of a change required to comply with Applicable Law or to maintain the stability of the network.

d. Vendor - Data and Information Custodian Duty to Terminate Participation. If, as a result of a change made by the Company - Data and Information Owner in accordance with this Section 10.03, a Vendor - Data and Information Custodian will not be able to comply with the Performance and Service Specifications or does not otherwise desire to continue participating in the business relationship after such change becomes effective, then such Vendor - Data and Information Custodian shall terminate its participation in accordance with Section 19.02.

11. Expectations of Vendor - Data and Information Custodians.

11.01. Minimum Requirement for All Vendor - Data and Information Custodians.

a. All Vendor - Data and Information Custodians shall be required to provide a response that complies with Performance and Service Specifications, this Agreement and Applicable Law to a Message that seeks Data for Treatment. Vendor - Data and Information Custodians may, but are not required to, respond to Messages that seek Data for Permitted Purposes other than Treatment.

b. Each Vendor - Data and Information Custodian shall exchange Data with all other Vendor - Data and Information Custodians for Treatment. If a Vendor - Data and Information Custodian desires to stop exchanging Data with another Vendor - Data and Information Custodian based on the other Vendor - Data and Information Custodian's acts or omissions with respect to this Agreement, the Vendor - Data and Information Custodian may temporarily stop exchanging Data with such Vendor - Data and Information Custodian, to the extent necessary to address the Vendor - Data and Information Custodian's concerns, and shall notify the Company - Data and Information Owner of such cessation and the reasons supporting the cessation. The Vendor - Data and Information Custodians are strongly encouraged to resolve any issues which lead to the cessation through the Dispute Resolution Process in Section 21.

11.02. Common Policies and Procedures.

Each Vendor - Data and Information Custodian shall adopt and implement the common policies and procedures.

11.03. Vendor - Data and Information Custodian Users.

Vendor - Data and Information Custodian shall require all of its Vendor - Data and Information Custodian Users to use the system and associated network only in accordance with the terms and conditions of this Agreement, including without limitation those governing the use, confidentiality, privacy and security of Data. Vendor - Data and Information Custodian shall discipline appropriately any of its employees, or take appropriate contractual action with respect to contractors, who fail to act in accordance with the terms and conditions of this Agreement relating to the privacy and security of Data, in accordance with Vendor - Data and Information Custodian's employee disciplinary policies and procedures and its contractor and vendor policies and contracts, respectively, or the requirements and/or policies provided by the Data and Information Owner in the contract.

11.04. License to Resources. Data and Information Owner is hereby granted a nonexclusive, nontransferable, revocable and limited license to Resources solely for use as a Requesting Vendor - Data and Information Custodian or a Responding Vendor - Data and Information Custodian in performance of this Agreement. Data and Information Owner shall not (a) sell, sublicense, transfer, exploit or use any Resources for the Owner's own financial benefit or any commercial purpose, or (b) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code to any Resources. THE RESOURCES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.

12. Specific Duties of a Requesting Vendor - Data and Information Custodian.


A Requesting Vendor - Data and Information Custodian shall be responsible for:

12.01. Submitting each Message to the SYSTEM in compliance with the Performance and Service Specifications, including representing that the Message is: (i) for a Permitted Purpose; (ii) supported by appropriate legal authority for obtaining the Data; and (iii) submitted by a Vendor - Data and Information Custodian User with the ability to make such a request;

12.02. Authenticating that Recipient is an authorized Vendor - Data and Information Custodian User within the Vendor - Data and Information Custodian’s System and that Recipient has represented that he has requested the Data for a Permitted Purpose in accordance with the Performance and Service Specifications;

12.03. Stating the Permitted Purpose in the Message; and

12.04. If the Message is not based on the Permitted Purposes, transmitting a copy of the Authorization on which the Message is based.

13. Specific Duties of a Responding Vendor - Data and Information Custodian.

A Responding Vendor - Data and Information Custodian shall be responsible for:

13.01. Authenticating requests for Data, meaning that the Responding Vendor - Data and Information Custodian shall confirm and verify that the request was submitted by an appropriate Requesting Vendor - Data and Information Custodian, in accordance with the Performance and Service Specifications;

13.02. Responding to all authenticated Messages which seek Data for Treatment, in accordance with this Agreement and the Performance and Service Specifications. The Vendor - Data and Information Custodian may respond to Messages which seek Data for a Permitted Purpose other than Treatment, in accordance with this Agreement and the Performance and Service Specifications;

13.03. Authenticating its response to a Message by confirming and verifying that it is transmitting the requested Data to the Requesting Vendor - Data and Information Custodian, in accordance with Performance and Service Specifications;

13.04. Ensuring that Consent or Authorization, if required by the Responding Vendor - Data and Information Custodian’s Applicable Law, has been obtained before making Data available to be transmitted to a Recipient in response to a Message which seeks Data for Treatment;

13.05. Granting to the Requesting Vendor - Data and Information Custodian a perpetual, fully-paid, worldwide, non-exclusive, royalty-free right and license to access and use all Data that is provided by the Responding Vendor - Data and Information Custodian to the Recipient, in accordance with this Agreement; and

13.06. For Federal Vendor - Data and Information Custodians only, in addition to complying with Sections 13.01 through 13.05, ensuring that Data transmitted adhere to the recognized interoperability standards under FERPA, COPPA, GLB, NIST and FIPS, as applicable.

14. Privacy and Security.

14.01. Applicability of Privacy and Security Rules.

The Data exchanged through the system and in accordance with this Agreement may contain Personally Identifiable or Confidential Information. All Vendor - Data and Information Custodians must disclose any conflicts of interest as well as any business associations between each other. To support the privacy, confidentiality and security of the Data, each Vendor - Data and Information Custodian agrees as follows:

a. Each Vendor - Data and Information Custodian will, at all times, comply with identified regulations to the extent applicable.

b. Each Vendor - Data and Information Custodian, as a Business Associate of a Covered Entity, shall at all times comply with the provisions of its Business Associate Agreements with the assigned primary Vendor - Data and Information Custodian.

c. Each Vendor - Data and Information Custodian shall, at all times, comply with the applicable privacy and security laws and regulations to which it is subject.

d. Each Vendor - Data and Information Custodian shall at all times, at a minimum, comply with the Privacy and Security Rules as a standard of performance or such other standards as decided by the Company - Data and Information Owner.

14.02. Safeguards. In accordance with Section 7 (Enterprise Security), Vendor - Data and Information Custodian agrees to use reasonable and appropriate administrative, physical and technological safeguards to prevent use or disclosure of Data other than as permitted by Section 5 of this Agreement.

14.03. Report of Security Incident.

a. Each Vendor - Data and Information Custodian agrees that within two (2) hours of completing an initial investigation and making a preliminary determination that a Security Incident may have occurred (a “Potential Security Incident”), Vendor - Data and Information Custodian will notify the Company - Data and Information Owner, and any Vendor - Data and Information Custodian that could reasonably be impacted by the Potential Security Incident, of the Potential Security Incident.

The notification to the Company - Data and Information Owner shall include: (i) a preliminary description of the Potential Security Incident; (ii) a summary of the facts that led the Vendor - Data and Information Custodian to conclude that a Potential Security Incident may have occurred; (iii) an action plan for definitively determining whether an actual Security Incident occurred; and (iv) an action plan for responding to the Security Incident if the Vendor - Data and Information Custodian determines that it did occur.

Upon making a final determination regarding a Potential Security Incident, the Vendor - Data and Information Custodian shall provide a final report to the Company - Data and Information Owner, which shall include the results of the investigation and the response (if any) to the Security Incident. The Vendor - Data and Information Custodian shall submit the final report to the Company - Data and Information Owner within two (2) days of the preliminary report unless the Company - Data and Information Owner grants the Vendor - Data and Information Custodian additional time. If the Vendor - Data and Information Custodian submitting the report and the Company - Data and Information Owner determine that other Vendor - Data and Information Custodians could reasonably be impacted by the Security Incident and that these impacted Vendor - Data and Information Custodians need additional information contained in either the preliminary or final reports, the Company - Data and Information Owner will provide the needed details to such Vendor - Data and Information Custodians.

b. All information provided in accordance with this Section 14.03 shall be treated as “Confidential Information” and shall be so labeled.

c. This Section 14.03 shall not be deemed to supersede a Vendor - Data and Information Custodian’s obligations (if any) under a security breach notification requirement of Applicable Law.

15. Representations and Warranties.

Each Vendor - Data and Information Custodian hereby represents and warrants the following:

15.01. Application to Participate. Each Vendor - Data and Information Custodian has submitted a complete application using the forms provided by the Company - Data and Information Owner, completed all required Testing in accordance with the Test Approach to the satisfaction of the Company - Data and Information Owner, and the Company - Data and Information Owner has accepted and approved each Vendor - Data and Information Custodian’s application.

15.02. Accurate Vendor - Data and Information Custodian Information. Each Vendor - Data and Information Custodian has provided, and will continue to provide, the Company - Data and Information Owner with all information reasonably requested by the Company - Data and Information Owner and needed by the Company - Data and Information Owner to discharge its duties under this Agreement or Applicable Law, including during the application process and Dispute Resolution Process. Any information provided by a Vendor - Data and Information Custodian to the Company - Data and Information Owner shall be responsive and accurate. Each Vendor - Data and Information Custodian shall provide notice to the Company - Data and Information Owner if any information provided by the Vendor - Data and Information Custodian to the Company - Data and Information Owner materially changes. Each Vendor - Data and Information Custodian acknowledges that the Company - Data and Information Owner reserves the right to confirm or otherwise verify or check, in its sole discretion, the completeness and accuracy of any information provided by a Vendor - Data and Information Custodian at any time and each Vendor - Data and Information Custodian will reasonably cooperate with the Company - Data and Information Owner in such actions, given reasonable prior notice.

15.03. Execution of the Agreement. Prior to participating, each Vendor - Data and Information Custodian shall have executed this Agreement and returned an executed copy of this Agreement to the Company - Data and Information Owner. The Vendor - Data and Information Custodian has full power and authority to enter into and perform this Agreement and has taken whatever measures are necessary to obtain all required approvals or consents in order for it to execute this Agreement. The representatives signing this Agreement on behalf of the Vendor - Data and Information Custodians have been properly authorized and empowered to enter into this Agreement.

15.04. Compliance with this Agreement. Each Vendor - Data and Information Custodian shall comply fully with all provisions of this Agreement. To the extent that a Vendor - Data and Information Custodian delegates its duties under this Agreement to a third party (by contract or otherwise) and such third party will have access to Data and Information, that delegation shall be in writing and require the third party to agree to the same restrictions and conditions that apply through this Agreement to Vendor - Data and Information Custodian.

15.05. Agreements with Vendor - Data and Information Custodian Users. Each Vendor - Data and Information Custodian has valid and enforceable agreements with each of its Vendor - Data and Information Custodian Users that require the Vendor - Data and Information Custodian User to, at a minimum: (i) comply with all Applicable Law; (ii) reasonably cooperate with the other Vendor - Data and Information Custodians to this Agreement on issues related to the system, under the direction of the Vendor - Data and Information Custodian; (iii) submit a Message only for Permitted Purposes; (iv) use Data received through the system in accordance with the terms and conditions of this Agreement; and (v) refrain from disclosing to any other person any passwords or other security measures issued to the Vendor - Data and Information Custodian User by the Vendor - Data and Information Custodian. Notwithstanding the foregoing, for Vendor - Data and Information Custodian Users who are employed by a Vendor - Data and Information Custodian or who have agreements with the Vendor - Data and Information Custodian which became effective prior to the Effective Date, compliance with this Section 15.05 may be satisfied through written policies and procedures so long as the Vendor - Data and Information Custodian can document that there is a written requirement that the Vendor - Data and Information Custodian User must comply with the policies and procedures.

15.06. Agreements with Technology Hosts/Partners. Each Vendor - Data and Information Custodian has valid and enforceable agreements with each of its technology partners, that require the technology partner to, at a minimum: (i) comply with Applicable Law; (ii) protect the privacy and security of any Data to which it has access; and (iii) reasonably cooperate with the other Vendor - Data and Information Custodians to this Agreement on issues related to the SYSTEM, under the direction of the Vendor - Data and Information Custodian.

15.07. Compliance with Specifications. Each Vendor - Data and Information Custodian shall fully comply with the Performance and Service Specifications as more fully discussed in Section 10.01 of this Agreement.

15.08. Creation of Test Data. Certain Vendor - Data and Information Custodians have agreed to anonymize PII to create Test Data to be used by other Vendor - Data and Information Custodians for Testing. Each Vendor - Data and Information Custodian that has so agreed represents that the Test Data do not contain actual PII and further represents that it has created the Test Data in accordance with the Test Approach and that the test data is refreshed at least monthly and that the test environment has no Trusted Rights to Production or DR and that there are strong access controls and monitoring controls enforced.

15.09. Accuracy of Data. When acting as a Responding Vendor - Data and Information Custodian, each Vendor - Data and Information Custodian hereby represents that at the time of transmission, the Data it provides is (a) an accurate representation of the data contained in, or available through, its System, (b) sent from a System that employs security controls that meet industry standards so that the information and Data being transmitted are intended to be free from malicious software in accordance with Section 7.02, and (c) provided in a timely manner and in accordance with the Performance and Service Specifications. Other than those representations in Sections 15.06, 15.07, 15.08, 15.09 and 15.10, the Responding Vendor - Data and Information Custodian makes no other representation, express or implied, about the Data.

15.10. Express Warranty of Authority to Transmit Data. To the extent each Vendor - Data and Information Custodian is a Responding Vendor - Data and Information Custodian and is providing Data to a Recipient, each Vendor - Data and Information Custodian represents and warrants that it has sufficient rights in and to all Data that it provides or makes available to Recipient to grant the rights set out in this Agreement.

15.11. Use of Data. Each Vendor - Data and Information Custodian hereby represents and warrants that it shall use the Data only in accordance with the provisions of this Agreement.

15.12. Compliance with Laws. Each Vendor - Data and Information Custodian will, at all times, fully comply with all Applicable Law relating to this Agreement, the exchange of Data for Permitted Purposes and the use of Data.

15.13. Absence of Investigations. Each Vendor - Data and Information Custodian hereby represents and warrants that it is not currently under a final order issued by any federal, state, local or international regulatory or law enforcement organization finding a violation of Applicable Law related to the privacy or security of PII. Each Vendor - Data and Information Custodian shall inform the Company - Data and Information Owner if, at any point during its participation in the contractual agreement, it comes under such an order or any order that will materially impact the Vendor - Data and Information Custodian’s ability to fulfill its obligations under this Agreement.

16. Confidential Information.

16.01. Each Receiving Party shall hold all Confidential Information in confidence and agrees that it shall not, during the term or after the termination of this Agreement, disclose to anyone, nor use for its own business or benefit, any information obtained by it in connection with this Agreement unless such use or disclosure is permitted by the terms of this Agreement.

16.02. Confidential Information does not include any information which is or becomes known publicly through no fault of a Receiving Party; is learned by a Receiving Party from a third party entitled to disclose it; is already known to a Receiving Party before receipt from a Discloser as documented by Receiving Party’s written records; is independently developed by Receiving Party without reference to, reliance on or use of Discloser’s Confidential Information; or, because of the passage of time, has become obsolete and lost all value in the market.

16.03. Confidential Information may be disclosed under operation of law, provided that the Receiving Party immediately notifies the Discloser of the existence, terms and circumstances surrounding such operation of law to allow the Discloser to exercise its right to object to such disclosure. If after Discloser’s objection the Receiving Party is still required by law to disclose Discloser’s Confidential Information, it shall do so only to the minimum extent necessary to comply with the operation of the law and shall request that the Confidential Information be treated as such.

17. Disclaimers

17.01. Reliance on a System.

Each Vendor - Data and Information Custodian acknowledges and agrees that: (i) the Data provided by, or through, its System is drawn from numerous sources, and (ii) it can only confirm that, at the time Data is transmitted by the Responding Vendor - Data and Information Custodian the information and Data transmitted are an accurate representation of the data that is contained in, or available through, its System. Within this Agreement the imposed responsibility or liability on a Vendor - Data and Information Custodian related to the accuracy, content or completeness of any Data rests in ensuring the system functionality is accurate and the roles are designed to support separation of duty and least privilege.

17.02. Incomplete Data. Each Vendor - Data and Information Custodian acknowledges that Data received in response to a Message may not include restricted PII. Such Data will only include that Data which is the subject of the Message and available for exchange.

17.04. Carrier lines. All Vendor - Data and Information Custodians acknowledge that the exchange of Data between Vendor - Data and Information Custodians is to be provided over various facilities and communications lines, and information shall be transmitted over local exchange and Internet backbone carrier lines and through routers, switches, and other devices (collectively, “carrier lines”) owned, maintained, and serviced by third-party carriers, utilities, and Internet Service Providers, all of which may be beyond the Vendor - Data and Information Custodians’ control. Provided a Vendor - Data and Information Custodian uses reasonable security measures, no less stringent than those directives, instructions and specifications contained in this Agreement and the Performance and Service Specifications, the Vendor - Data and Information Custodians assume no liability for or relating to the integrity, privacy, security, confidentiality, or use of any information while it is transmitted over those carrier lines, which are beyond the Vendor - Data and Information Custodians’ control, or any delay, failure, interruption, interception, loss, transmission, or corruption of any Data or other information attributable to transmission over those carrier lines, which are beyond the Vendor - Data and Information Custodians’ control. Use of the carrier lines is solely at the Vendor - Data and Information Custodians’ risk and is subject to all Applicable Law.

17.05. No Warranties. EXCEPT AS REPRESENTED IN SECTION 15.09, THE DATA OBTAINED BY A RECIPIENT ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IT IS EXPRESSLY AGREED THAT IN NO EVENT SHALL THE VENDOR - DATA AND INFORMATION CUSTODIAN BE LIABLE FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUES, LOSS OF USE, OR LOSS OF INFORMATION OR DATA, WHETHER A CLAIM FOR ANY SUCH LIABILITY OR DAMAGES IS PREMISED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER THEORIES OF LIABILITY, EVEN IF THE VENDOR - DATA AND INFORMATION CUSTODIAN HAS BEEN APPRISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OCCURRING. THE VENDOR - DATA AND INFORMATION CUSTODIAN DISCLAIMS ANY AND ALL LIABILITY FOR ERRONEOUS TRANSMISSIONS AND LOSS OF SERVICE RESULTING FROM COMMUNICATION FAILURES BY TELECOMMUNICATION SERVICE PROVIDERS OR OTHER THIRD PARTIES.

17.06. Performance of the System. The Vendor - Data and Information Custodian makes full representation, express or implied, as to the performance of the System. This disclaimer is not intended to diminish or limit in any way the other representations and warranties that the Vendor - Data and Information Custodian is making in this Agreement. It is intended to recognize that the overall performance of the systems is the accountability of the Primary Vendor - Data and Information Custodian.

18. LIABILITY

18.01. Vendor - Data and Information Custodian Liability. As between Vendor - Data and Information Custodians to this Agreement, each Vendor - Data and Information Custodian shall be responsible for all acts and omissions of the Vendor - Data and Information Custodian or the Vendor - Data and Information Custodian Users. Each Vendor - Data and Information Custodian shall also be responsible for other individuals who access the Network, System and its Data or Confidential Information through the Vendor - Data and Information Custodian or by use of any password, identifier or log-on received or obtained, directly or indirectly, lawfully or unlawfully, from the Vendor - Data and Information Custodian or any of the Vendor - Data and Information Custodian Users, to the extent caused by the Vendor - Data and Information Custodian’s breach of the Agreement or its negligent or willful misconduct. Nothing herein shall be construed to (a) limit the Vendor - Data and Information Custodian’s ability to contractually allocate liability as between the Vendor - Data and Information Custodian and Vendor - Data and Information Custodian Users or (b) waive any rights or defenses available under Applicable Law in any action that may arise in connection with this Agreement.

18.02. Effect of Agreement. Except as provided in Section 17.05, nothing in this Agreement shall be construed to restrict a Vendor - Data and Information Custodian’s right to pursue all remedies available under law for damages or other relief arising from acts or omissions of other Vendor - Data and Information Custodians related to this Agreement, or to limit any rights or defenses to which a Vendor - Data and Information Custodian may be entitled under Applicable Law.

18.03. Company - Data and Information Owner Liability. Each Vendor - Data and Information Custodian has agreed to comply with this Agreement; however, the actions of such Vendor - Data and Information Custodians are beyond the control of the Company - Data and Information Owner. Accordingly, the Vendor - Data and Information Custodians shall not hold the Company - Data and Information Owner liable for or relating to any impairment of the privacy, security, confidentiality, integrity, availability, or restricted use of any information on a Vendor - Data and Information Custodian’s System resulting from any Vendor - Data and Information Custodian’s actions or failures to act, except to the extent such action or failure to act was directed by the Company - Data and Information Owner.

19. Term, Suspension and Termination

19.01. Term. The initial term of this Agreement shall be for a period of one year commencing on the Effective Date. Upon the expiration of the initial term, this Agreement shall automatically renew for successive one-year terms unless terminated pursuant to this Section 19.

19.02. Termination by Vendor - Data and Information Custodian. A Vendor - Data and Information Custodian may terminate its participation in the contract by terminating this Agreement with or without cause by giving the Company - Data and Information Owner thirty (30) business days’ prior written notice. Once proper notice is given, the Company - Data and Information Owner shall be empowered to terminate the Vendor - Data and Information Custodian’s ability to access the System after one (1) business day without any further action by the Vendor - Data and Information Custodian. Once the Company - Data and Information Owner removes the Vendor - Data and Information Custodian from the system, the Company - Data and Information Owner shall provide notice of such removal to the remaining Vendor - Data and Information Custodians.

19.03. Suspension by Company - Data and Information Owner. Upon the Company - Data and Information Owner completing a preliminary investigation and determining that there is a reasonable likelihood that a Vendor - Data and Information Custodian’s acts or omissions create an immediate threat or will cause irreparable harm to another party including, but not limited to, a Vendor - Data and Information Custodian, a Vendor - Data and Information Custodian User, or an individual whose Data is exchanged through the system, the Vendor - Data and Information Custodians hereby grant to the Company - Data and Information Owner the power to summarily suspend, to the extent necessary to address the threat posed by the Vendor - Data and Information Custodian, pending the submission and approval of a corrective action plan, as provided in this Section. Within twelve (12) hours of suspending a Vendor - Data and Information Custodian’s right to participate in the system, the Company - Data and Information Owner shall provide to the suspended Vendor - Data and Information Custodian a written summary of the reasons for the suspension. The Vendor - Data and Information Custodian shall use reasonable efforts to respond to the suspension notice with a detailed plan of correction or an objection to the suspension within three business days or, if such submission is not reasonably feasible within three business days, then at the earliest practicable time.

If the Vendor - Data and Information Custodian submits a plan of correction, the Company - Data and Information Owner will have two (2) business days to review and either accept or reject the plan of correction. If the plan of correction is accepted, the Company - Data and Information Owner will reinstate the Vendor - Data and Information Custodian’s right to participate upon completion of the plan of correction, update the Service Registry accordingly and provide notice to all Vendor - Data and Information Custodians of such reinstatement. If the plan of correction is rejected, the Vendor - Data and Information Custodian’s suspension will continue, during which time the Company - Data and Information Owner and the Vendor - Data and Information Custodian will negotiate an acceptable plan of correction. If the Company - Data and Information Owner and the Vendor - Data and Information Custodian cannot reach agreement on a plan of correction within thirty (30) business days of the date of the notice of suspension, the Company - Data and Information Owner may terminate the Vendor - Data and Information Custodian. If the Vendor - Data and Information Custodian objects to the suspension, the Vendor - Data and Information Custodian and the Company - Data and Information Owner are encouraged to avail themselves of the Dispute Resolution Process described in Section 21. If the suspension is the result of a Potential Security Incident, the Vendor - Data and Information Custodian and Company - Data and Information Owner shall comply with both this Section 19.03 and Section 14.03.

19.04. Termination by Company - Data and Information Owner. The Vendor - Data and Information Custodians hereby grant to the Company - Data and Information Owner the power to terminate a Vendor - Data and Information Custodian’s participation in the contract as follows:

a. After taking a suspension action in accordance with Section 19.03 when there is a reasonable likelihood that the Vendor - Data and Information Custodian’s acts or omissions create an immediate threat or will cause irreparable harm to another party including, but not limited to, a Vendor - Data and Information Custodian, a Vendor - Data and Information Custodian User or an individual whose Data is exchanged; or

b. In the event a Vendor - Data and Information Custodian is in material default of the performance of a duty or obligation imposed upon it by this Agreement and such default has not been substantially cured within thirty (30) days following receipt by the defaulting Vendor - Data and Information Custodian of written notice thereof from the Company - Data and Information Owner.

19.05. Effect of Termination. Upon any termination of this Agreement for any reason, the terminated party shall cease to be a Vendor - Data and Information Custodian and thereupon and thereafter neither that party nor its Vendor - Data and Information Custodian Users shall have any rights to use the System (unless such Vendor - Data and Information Custodian Users have an independent right to access the system through another Vendor - Data and Information Custodian). The Company - Data and Information Owner shall remove a terminated Vendor - Data and Information Custodian’s ability to access the system. Once the Company - Data and Information Owner removes the Vendor - Data and Information Custodian’s access, the Company - Data and Information Owner shall provide notice of such removal to the remaining Vendor - Data and Information Custodians. In the event that any Vendor - Data and Information Custodian(s) are terminated, this Agreement will remain in full force and effect with respect to all other Vendor - Data and Information Custodians. Certain provisions of this Agreement survive termination, as more fully described in Section 23.05 (Survival Provisions).

19.06. Disposition of Data on Termination.

To the extent a Responding Vendor - Data and Information Custodian has provided Data to a Recipient, such Data may be entangled with the Recipient’s System such that returning or destroying the Data at the termination of this Agreement is infeasible. In addition, the Recipients may need to retain such Data to maintain the integrity of client information and for legal defense or risk management purposes. At the time of termination, therefore, Data may remain on Recipient’s System in accordance with the Recipient’s document and data retention policies and procedures and in accordance with the terms and conditions of this Agreement, including Section 5.02.

20. Cooperation.

Each Vendor - Data and Information Custodian understands and acknowledges that numerous activities with respect to the system and underlying network and infrastructure shall likely involve another Vendor - Data and Information Custodian’s employees, agents and third party contractors, vendors or consultants. To the extent not legally prohibited, each Vendor - Data and Information Custodian shall: (a) cooperate fully with the Company - Data and Information Owner, each other Vendor - Data and Information Custodian and any such third parties with respect to such activities as they relate to this Agreement; (b) provide such information to the Company - Data and Information Owner, each other Vendor - Data and Information Custodian or such third parties as they may reasonably request for purposes of performing activities related to this Agreement; (c) devote such time as may reasonably be requested by the Company - Data and Information Owner to review information, meet with, respond to, and advise the Company - Data and Information Owner or other Vendor - Data and Information Custodians with respect to activities as they relate to this Agreement; (d) provide such reasonable assistance as may be requested by the Company - Data and Information Owner when performing activities as they relate to this Agreement; and (e) subject to a Vendor - Data and Information Custodian’s right to restrict or condition its cooperation or disclosure of information in the interest of preserving privileges in any foreseeable dispute or litigation or protecting a Vendor - Data and Information Custodian’s Confidential Information, provide information and assistance to the Company - Data and Information Owner or other Vendor - Data and Information Custodians in the investigation of Security Incidents and unauthorized or improper uses of the system, Vendor - Data and Information Custodian’s System or the Systems of the Vendor - Data and Information Custodians. 
In seeking another Vendor - Data and Information Custodian’s cooperation, each Vendor - Data and Information Custodian shall make all reasonable efforts to accommodate the other Vendor - Data and Information Custodian’s schedules and operational concerns. A Vendor - Data and Information Custodian shall promptly report, in writing, to any other Vendor - Data and Information Custodian and the Company - Data and Information Owner any problems or issues that arise in working with the other Vendor - Data and Information Custodian’s employees, agents or subcontractors which threaten to delay or otherwise adversely impact a Vendor - Data and Information Custodian’s ability to fulfill its responsibilities under this Agreement. This writing shall set forth in detail and with clarity the problems that the Vendor - Data and Information Custodian has identified.

21. Dispute Resolution.

21.01. General. The Vendor - Data and Information Custodians acknowledge that it is in their best interest to resolve Disputes through an alternative dispute resolution process rather than through civil litigation. The Vendor - Data and Information Custodians have reached this conclusion based upon the fact that the legal and factual issues involved in this Agreement are unique, novel and complex; and as of 2008, limited case law exists which addresses the legal issues that could arise from this Agreement. Therefore, the Vendor - Data and Information Custodians are strongly encouraged to resolve Disputes related to this Agreement through the Dispute Resolution Process.

21.02. Activities during Dispute Resolution Process. Pending resolution of any Dispute under this Agreement, subject to Sections 11.01 and 19.03, the Vendor - Data and Information Custodians agree to fulfill their responsibilities in accordance with this Agreement and shall not delay the progress toward the fulfillment of those responsibilities.

21.03. Reservation of Rights. If a Dispute is submitted to the Dispute Resolution Process and is resolved through the issuance of a decision, the Vendor - Data and Information Custodians agree to implement the decision provided, however, that the Vendor - Data and Information Custodians may pursue other remedies available to them under law. The Vendor - Data and Information Custodians also reserve the right to obtain relief from any determination resulting from the Dispute Resolution Process in a court of competent jurisdiction. When such determinations result in sanctions, the sanctions will remain in full force and effect during such legal action unless vacated by the court.

22. Notices.

All notices to be made under this Agreement shall be given in writing to the appropriate Vendor - Data and Information Custodian’s representative or the Company - Data and Information Owner, and shall be deemed given: (i) upon delivery, if personally delivered; (ii) five (5) business days after deposit in the United States mail, if sent certified mail, return receipt requested; and (iii) if by facsimile telecommunication or other form of electronic transmission, upon receipt when the notice is directed to a facsimile telecommunication number or electronic mail address and the sending facsimile machine or electronic mail address receives confirmation of receipt by the receiving facsimile machine or electronic mail address.

23. Miscellaneous/General.

23.01. Governing Law. In the event of a Dispute between or among the Vendor - Data and Information Custodians arising out of this Agreement, the applicable federal and state conflicts of law provisions that govern the operations of the Vendor - Data and Information Custodians involved in the Dispute shall determine governing law.

23.02. Amendment. This Agreement may be amended in accordance with the Change Process described in Section 10. However, if the change is required for the system, the Company - Data and Information Owner or Vendor - Data and Information Custodians to comply with Applicable Law, the Company - Data and Information Owner may implement the change without [allowing for objection/seeking comment] and within a time period the Company - Data and Information Owner determines is appropriate under the circumstances. All Vendor - Data and Information Custodians shall be required to sign an amendment adopted in accordance with the provisions of this Section or terminate participation in the contract in accordance with Section 19.02.

23.03. Additional Vendor - Data and Information Custodians. Upon admission of a new party (subcontractor) as a Vendor - Data and Information Custodian in the System, all current Vendor - Data and Information Custodians desire to have the new Vendor - Data and Information Custodian execute and become bound by this Agreement. To accomplish this, the new Vendor - Data and Information Custodian will sign this Agreement, pursuant to which the new Vendor - Data and Information Custodian agrees to be bound by this Agreement. The Vendor - Data and Information Custodians agree that upon execution of the Agreement by a duly authorized representative of the Company - Data and Information Owner, all then-current Vendor - Data and Information Custodians and the new Vendor - Data and Information Custodian are all bound by this Agreement. The new Vendor - Data and Information Custodian shall not be granted the right to participate in the system (be given rights to the Data and Information Owner's data and instance) until both it and the Company - Data and Information Owner execute the Agreement.

23.04. Assignment. No Party shall assign or transfer this Agreement, or any part thereof, except in accordance with Section 23.02. Any assignment that does not comply with the requirements of Section 23.02 shall be void and have no binding effect.

23.05. Survival. The provisions of Sections 5.02, 5.03, 9.02, 14, 15.11, 16, 18, 19.06, 20, and 21 shall survive the termination of this Agreement for any reason.

23.06. Waiver. No failure or delay by any Vendor - Data and Information Custodian in exercising its rights under this Agreement shall operate as a waiver of such rights, and no waiver of any breach shall constitute a waiver of any prior, concurrent, or subsequent breach.

23.07. Entire Agreement. This Agreement sets forth the entire and only Agreement among the Vendor - Data and Information Custodians relative to the subject matter hereof. Any representation, promise, or condition, whether oral or written, not incorporated herein shall not be binding upon any Vendor - Data and Information Custodian.

23.08. Validity of Provisions. In the event that a court of competent jurisdiction shall hold any Section, or any part or portion of any Section of this Agreement, invalid, void or otherwise unenforceable, each and every remaining Section or part or portion thereof shall remain in full force and effect.

23.09. Priority. In the event of any conflict or inconsistency between a provision in the body of this Agreement, the terms contained in the body of this Agreement shall prevail.

23.10. Headings. The headings throughout this Agreement are for reference purposes only, and the words contained therein may in no way be held to explain, modify, amplify, or aid in the interpretation or construction of meaning of the provisions of this Agreement. All references in this instrument to designated “Sections” and other subdivisions are to the designated Sections and other subdivisions of this Agreement. The words “herein,” “hereof,” “hereunder” and other words of similar import refer to this Agreement as a whole and not to any particular Section or other subdivision.

23.11. Relationship of the Vendor - Data and Information Custodians. The Parties are independent contracting entities. Nothing in this Agreement shall be construed to create a partnership, agency relationship, or joint venture among the Parties. Neither the Company - Data and Information Owner nor any Vendor - Data and Information Custodian shall have any authority to bind or make commitments on behalf of another Vendor - Data and Information Custodian for any purpose, nor shall any such Party hold itself out as having such authority. No Vendor - Data and Information Custodian shall be held liable for the acts or omissions of another Vendor - Data and Information Custodian.

23.12. Counterparts. This Agreement shall become binding when any one or more counterparts hereof, individually or taken together, bears the signatures of each of the Vendor - Data and Information Custodians hereto. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original as against the Vendor - Data and Information Custodian whose signature appears thereon, but all of which taken together shall constitute but one and the same instrument.

23.13. Third-Party Beneficiaries. With the exception of (1) the Vendor - Data and Information Custodians to this Agreement and (2) the Company - Data and Information Owner, there shall exist no right of any person to claim a beneficial interest in this Agreement or any rights occurring by virtue of this Agreement.

23.14. Force Majeure. A Vendor - Data and Information Custodian shall not be deemed in violation of any provision of this Agreement if it is prevented from performing any of its obligations by reason of: (a) severe weather and storms; (b) earthquakes or other natural occurrences; (c) strikes or other labor unrest; (d) power failures; (e) nuclear or other civil or military emergencies; (f) terrorist attacks; (g) acts of legislative, judicial, executive, or administrative authorities; or (h) any other circumstances that are not within its reasonable control. This Section 23.14 shall not apply to obligations imposed under Applicable Law.

23.15. Time Periods. Any of the time periods specified in this Agreement may be changed pursuant to the mutual written consent of the Company - Data and Information Owner and the affected Vendor - Data and Information Custodian(s).

This Agreement has been entered into and executed by officials duly authorized to bind their respective parties.

Service Level Agreement

Service Level Agreement (SLA)

for Customer

by

Vendor Name

Effective Date: 1/1/2016

Document Owner: VENDOR Name

Version

Version | Date     | Description                     | Author
1.0     | 1/1/2015 | Service Level Agreement         | Pooka Bear
2.0     | 1/1/2016 | Service Level Agreement Revised | Godiva

Approval

(By signing below, all Approvers agree to all terms and conditions outlined in this Agreement.)

Approvers    | Role             | Signed | Approval Date
Company name | Service Provider |        | 1/15/2016
Customer     | Customer         |        | 1/15/2016

Table of Contents

1. Agreement Overview 103

2. Goals & Objectives 103

3. Stakeholders 103

4. Periodic Review 104

5. Service Agreement 104

5.1. Service Scope 104

5.2. Customer Requirements 105

5.3. Service Provider Requirements 105

5.4. Service Assumptions 105

6. Service Management 105

6.1. Service Availability 105

6.2. Service Requests 106

Agreement Overview

This Agreement represents a Service Level Agreement (“SLA” or “Agreement”) between VENDOR and Department or Organization X for the provisioning of IT services required to support and sustain the technology infrastructure.

This Agreement remains valid until superseded by a revised agreement mutually endorsed by the stakeholders and outlines the parameters of all IT services covered as they are mutually understood by the primary stakeholders. This Agreement does not supersede current processes and procedures unless explicitly stated herein.

Goals & Objectives

The purpose of this Agreement is to ensure that the proper elements and commitments are in place to provide consistent IT service support and delivery to the Customer(s) by the Service Provider(s).

The goal of this Agreement is to obtain mutual agreement for IT service provision between the Service Provider(s) and Customer(s).

The objectives of this Agreement are to:

Provide clear reference to service ownership, accountability, roles and/or responsibilities.

Present a clear, concise and measurable description of service provision to the customer.

Match perceptions of expected service provision with actual service support & delivery.

Stakeholders

The following Service Provider(s) and Customer(s) will be used as the basis of the Agreement and represent the primary stakeholders associated with this SLA:

IT Service Provider(s): VENDOR (“Provider”)

IT Customer(s): xxx (“Customer”)

Periodic Review

This Agreement is valid from the Effective Date outlined herein and is valid until further notice. This Agreement should be reviewed at a minimum once per fiscal year; however, in lieu of a review during any period specified, the current Agreement will remain in effect.

The Business Relationship Manager (“Document Owner”) is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the primary stakeholders and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required.

Business Relationship Manager: Pooka Bear

Review Period: Annually

Previous Review Date: 12/1/2015

Next Review Date: 12/1/2016

Service Agreement

The following detailed service parameters are the responsibility of the Service Provider in the ongoing support of this Agreement.

Service Scope

The following Services are covered by this Agreement;

Multimedia customer support from 7 A.M. to 7 P.M., Monday through Friday, except federal holidays

After-hours support (pay per hour, 2-hour minimum)

Remote assistance using Remote Desktop and a Virtual Private Network where available

Planned or emergency onsite assistance (extra costs apply)

Weekly system health check

Monthly SLA compliance reporting

Customer Requirements

Customer responsibilities and/or requirements in support of this Agreement include:

Payment for all support costs at the agreed interval.

Timely notification of incidents and of other vendors' or internal planned outages.

Reasonable availability of customer representative(s) when resolving a service-related incident or request.

Service Provider Requirements

Service Provider responsibilities and/or requirements in support of this Agreement include:

Meeting response times associated with service-related incidents.

Appropriate notification to the Customer of all scheduled maintenance.

Service Assumptions

Assumptions related to in-scope services and/or components include:

Changes to services will be communicated and documented to all stakeholders.

Service Management

Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components.

Service Availability

Coverage parameters specific to the service(s) covered in this Agreement are as follows:

Multimedia customer support: 7:00 A.M. to 7:00 P.M., Monday through Friday

Calls received outside office hours will be forwarded to a call center and best efforts will be made to answer and action the call; if the call center cannot take the call, a backup answering service will record it.

Onsite assistance guaranteed within 8 hours during the business week and within 18 hours on weekends and holidays

Service Requests

In support of services outlined in this Agreement, the Service Provider will respond to service related incidents and/or requests submitted by the Customer within the following time frames:

0-4 hours (during business hours) for issues classified as High priority.

4-8 hours for issues classified as Medium priority.

Within 1 working day for issues classified as Low priority.

Remote assistance will be provided in-line with the above timescales dependent on the priority of the support request.

Satisfaction Factors Template

One row per activity. Columns: Activity | # of Exceptions per Reporting Period | Total Duration for Period Assessed | % of Time in Compliance | Fine/Penalty Imposed (on Vendor, Institution or Both) | Monies Collected or Paid | Date Assessed

Activity                                         | # Exceptions | Total Duration | % in Compliance | Fine/Penalty Imposed (Vendor / Institution / Both) | Monies Collected or Paid | Date Assessed
System Degradation outside SLA                   |              |                |                 |                                                    | $                        |
Single Service Outage                            |              |                |                 |                                                    | $                        |
Complete System Outage                           |              |                |                 |                                                    | $                        |
Hardware Outage                                  |              |                |                 |                                                    | $                        |
Communication Services Outage                    |              |                |                 |                                                    | $                        |
Access Denied Condition                          |              |                |                 |                                                    | $                        |
Backup Failure                                   |              |                |                 |                                                    | $                        |
Information Security Incident – Data Leakage     |              |                |                 |                                                    | $                        |
Information Security Incident – Data Destruction |              |                |                 |                                                    | $                        |
Information Security Incident – Data Alteration  |              |                |                 |                                                    | $                        |
Data Restoral Failure                            |              |                |                 |                                                    | $                        |
Information Security Incident – Ransomware       |              |                |                 |                                                    | $                        |
Vendor BCP Test Failure                          |              |                |                 |                                                    | $                        |
Vendor DR Test Failure                           |              |                |                 |                                                    | $                        |
Vendor IRP Test Failure                          |              |                |                 |                                                    | $                        |
Customer Satisfaction Survey Rating Below SLA    |              |                |                 |                                                    | $                        |
Time to Respond Outside SLA                      |              |                |                 |                                                    | $                        |
Time to Resolve Outside SLA                      |              |                |                 |                                                    | $                        |
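The Service Requests targets above are stated in business hours, and the "Time to Respond Outside SLA" row of the Satisfaction Factors Template needs a count of exceptions per reporting period, which means the response clock must skip evenings, weekends and federal holidays exactly as the Service Availability section defines them. The following Python script is an added example, not part of the template, showing how that count and the matching "% of time in compliance" figure are derived from first-response timestamps. Assumptions made for the example: the Low-priority target of "1 working day" is read as one 12-hour coverage day (7:00 A.M. to 7:00 P.M.); the holiday calendar contains only Martin Luther King Jr. Day 2016 so the sample exercises the holiday rule; and the ticket records are constructed sample data, not real incidents.

```python
from datetime import date, datetime, time, timedelta

# Coverage window from the SLA's Service Availability section: 7:00 A.M. to 7:00 P.M., Monday to Friday.
BUSINESS_OPEN = time(7, 0)
BUSINESS_CLOSE = time(19, 0)

# Assumption: the real federal holiday calendar comes from the contract; only one day is listed
# here so the constructed sample below exercises the holiday rule (MLK Day, 18 January 2016).
FEDERAL_HOLIDAYS = {date(2016, 1, 18)}

# Response targets from the Service Requests section, in business hours. The SLA's
# "within 1 working day" for Low priority is treated here as one 12-hour coverage day (assumption).
RESPONSE_TARGET_HOURS = {"High": 4, "Medium": 8, "Low": 12}


def is_business_day(day):
    """Monday to Friday and not a federal holiday."""
    return day.weekday() < 5 and day not in FEDERAL_HOLIDAYS


def business_hours_between(start, end):
    """Hours elapsed between two datetimes, counting only the 07:00-19:00 window on business days.

    A ticket opened on a Saturday therefore has no time charged against it until 07:00 on the
    next business day, which is how a business-hours SLA target is normally read.
    """
    if end <= start:
        return 0.0
    elapsed = timedelta()
    day = start.date()
    while day <= end.date():
        if is_business_day(day):
            window_open = datetime.combine(day, BUSINESS_OPEN)
            window_close = datetime.combine(day, BUSINESS_CLOSE)
            lo = max(start, window_open)   # clip the interval to the day's coverage window
            hi = min(end, window_close)
            if hi > lo:
                elapsed += hi - lo
        day += timedelta(days=1)
    return elapsed.total_seconds() / 3600.0


def sla_exceptions(tickets):
    """Tickets whose first response took longer than the business-hour target for their priority."""
    exceptions = []
    for t in tickets:
        hours = business_hours_between(t["opened"], t["responded"])
        if hours > RESPONSE_TARGET_HOURS[t["priority"]]:
            exceptions.append({"id": t["id"], "priority": t["priority"], "business_hours": hours})
    return exceptions


def compliance_rate(tickets):
    """Share of tickets answered within target, for the '% of time in compliance' column."""
    if not tickets:
        return 1.0
    return 1.0 - len(sla_exceptions(tickets)) / len(tickets)


# Constructed sample tickets (not real data). 15 Jan 2016 is a Friday; 18 Jan 2016 is the holiday.
SAMPLE_TICKETS = [
    {"id": "T1", "priority": "High", "opened": datetime(2016, 1, 15, 17, 30), "responded": datetime(2016, 1, 15, 18, 30)},
    # Opened late Friday, answered Tuesday morning: 87 wall-clock hours but only 3 business hours.
    {"id": "T2", "priority": "High", "opened": datetime(2016, 1, 15, 18, 0), "responded": datetime(2016, 1, 19, 9, 0)},
    {"id": "T3", "priority": "Medium", "opened": datetime(2016, 1, 19, 10, 0), "responded": datetime(2016, 1, 20, 8, 0)},
    {"id": "T4", "priority": "Low", "opened": datetime(2016, 1, 20, 15, 0), "responded": datetime(2016, 1, 21, 16, 0)},
    {"id": "T5", "priority": "Low", "opened": datetime(2016, 1, 21, 16, 0), "responded": datetime(2016, 1, 22, 15, 0)},
    # Opened on a Saturday: the clock starts Tuesday 07:00 (Monday is the holiday), 5 hours > 4.
    {"id": "T6", "priority": "High", "opened": datetime(2016, 1, 16, 10, 0), "responded": datetime(2016, 1, 19, 12, 0)},
]

if __name__ == "__main__":
    for e in sla_exceptions(SAMPLE_TICKETS):
        print(f"{e['id']} ({e['priority']}): responded after {e['business_hours']:.1f} business hours")
    print(f"Time to Respond Outside SLA: {len(sla_exceptions(SAMPLE_TICKETS))} exception(s); "
          f"compliance {compliance_rate(SAMPLE_TICKETS):.0%}")
```

The point of clipping each day to the coverage window rather than subtracting whole days is that the two edge cases the SLA creates, a ticket opened after 7 P.M. on a Friday and a ticket opened on a weekend or holiday, are handled by the same loop: T2 is within target despite a multi-day wall-clock gap, while T6 is an exception because its clock started at 7:00 A.M. on the first business day. A monthly SLA compliance report built this way should also publish the holiday calendar and the "1 working day" interpretation it used, since either one changes the exception count.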

Memorandum of Understanding

Sample Memorandum of Understanding Template

Memorandum of Understanding

Between

(Partner)

and

(Partner)

This Memorandum of Understanding (MOU) sets forth the terms and understanding between the (partner) and the (partner) to (insert activity).

Background

(Why partnership important)

Purpose

This MOU will (purpose/goals of partnership)

The above goals will be accomplished by undertaking the following activities:

(List and describe the activities that are planned for the partnership and who will do what)

Reporting

(Record who will evaluate effectiveness and adherence to the agreement and when evaluation will happen)

Funding

(Specify that this MOU is not a commitment of funds)

Duration

This MOU is at-will and may be modified by mutual consent of authorized officials from (list partners). This MOU shall become effective upon signature by the authorized officials from the (list partners) and will remain in effect until modified or terminated by any one of the partners by mutual consent. In the absence of mutual agreement by the authorized officials from (list partners) this MOU shall end on (end date of partnership).

Contact Information

Partner name

Partner representative

Position

Address

Telephone

Fax

E-mail

Partner name

Partner representative

Position

Address

Telephone

Fax

E-mail

Date:

(Partner signature)

(Partner name, organization, position)

Date:

(Partner signature)

(Partner name, organization, position)

Third Party Due Care Checklist

Third Party Due Care Checklist

Due Care Policy – Outlines Due Care Process

Vendor Name

Vendor Description

Internal Sponsor / Business Owner

Narrative of Selection Process

Justification for Selected Vendor

Scope of Work / Relationship

Statement of Work – Services Provided

Compensation Requirements

References

Risk Ranking Summary

Factor                                       | Score: Onboard | Score: Yr1 | Score: Yr2
Financial Stability                          |                |            |
Merger & Acquisition                         |                |            |
Fraud                                        |                |            |
Adverse Media Report                         |                |            |
Ethics and Compliance Program                |                |            |
Information Security Incidents (ID Theft)    |                |            |
Service Level                                |                |            |
Nondisclosure                                |                |            |
Non-Compete                                  |                |            |
SSAE / External Audit Results                |                |            |
Pen Test Results                             |                |            |
Risk Assessment Results                      |                |            |

Document Checklist

Document Requested                                     | Date Requested | Date Received | Accept (+ / Poor / -) | Assessment Notes – Score Justification
Financial Statement                                    |                |               |                       |
Nondisclosure                                          |                |               |                       |
RFP                                                    |                |               |                       |
SOW                                                    |                |               |                       |
SLA                                                    |                |               |                       |
MOU                                                    |                |               |                       |
Data Ownership/Custodian Reciprocal Agreement          |                |               |                       |
Customer Reference List                                |                |               |                       |
ROC                                                    |                |               |                       |
SSAE16 SOC2 TYPE 2                                     |                |               |                       |
Information Security Policies                          |                |               |                       |
Access Control Policy                                  |                |               |                       |
Access Administration Guide                            |                |               |                       |
Business Continuity Plan                               |                |               |                       |
Disaster Recovery Plan                                 |                |               |                       |
Incident Response Plan                                 |                |               |                       |
Vulnerability Management Process                       |                |               |                       |
Pen Test Results                                       |                |               |                       |
Patch Management Process                               |                |               |                       |
Change Control Process                                 |                |               |                       |
Network Diagram                                        |                |               |                       |
Data Flow Diagram for each module purchased            |                |               |                       |
Process Flow Diagram for each module purchased         |                |               |                       |
Employee Onboarding Process                            |                |               |                       |
Vendor Onboarding and Ongoing Vendor Due Care Process  |                |               |                       |
Backup Schedule                                        |                |               |                       |
Restore Procedure                                      |                |               |                       |
Tech Specs                                             |                |               |                       |
System Administration Guide                            |                |               |                       |
User Guide                                             |                |               |                       |
Risk Assessment - Completed Self-Assessment            |                |               |                       |

Associated BUSTECHGA Course Offerings

Building Security Into Contractual Agreements: Bid Specifications, SLAs and MOUs

Building Security Into Contractual Agreements: SLAs and MOUs

About the Author

Collaborative Innovation

Offering your technology and business partners a unique collection of real-world training and consulting services tailored to your organization's unique needs and expectations.

Shawna M Flanders CRISC, CISM, CISA, CSSGB, SSBB

Founder and CEO, Business Technology Guidance Associates, LLC., a consulting firm that believes in collaborative innovation between business and technology, offering your technology and business partners a unique collection of real-world training and consulting services tailored to your organization's unique needs and expectations.

My passion rests firmly on three pillars: 1. Enriching companies in building and improving their strategies, programs and underlying processes (primarily within technology, Technology Internal Audit, IT GRC, Technology Related Risk Management, Information Security, BCP/DR, Project Management and Process Reengineering); 2. Mentoring individuals: both in the topics above as well as aiding in their quest for assurance certifications; 3. Enhancing and developing curriculum and other publications to improve the profession.

With over 30 years of experience in the financial services sector, Shawna brings her real world experience to every engagement. Shawna has completed certificate programs in Risk Management from Kaplan University and Six Sigma Green & Lean/Black Belt from Villanova University, and has earned the Life Operations Management Association – Associate of Customer Service designation as well as holding certifications in CRISC, CISM, CISA and CSSGB.

Besides serving as the Research Director, CSX Liaison, and CISM / CRISC Certification Coordinator for West Florida ISACA and serving in various capacities on various other advisory boards, Shawna has been a chapter, conference and onsite trainer for various organizations since 2008. She designs her own course content and also has contributed and/or reviewed multiple publications.

If you would like additional information regarding this topic please contact me by email, Google+, LinkedIn, Twitter, Facebook or Phone:

Shawna M Flanders CRISC, CISM, CISA, CSSGB, SSBB

Business – Technology Guidance Associates, LLC.

[email protected]

www.bustechga.com

https://www.linkedin.com/in/sflanders

https://www.facebook.com/Business-Technology-Guidance-Associates-LLC-544587322229503/?ref=hl

https://twitter.com/shawna4training

https://plus.google.com/110253813467082085462

727-491-7337 or 844-4BUSTECH (Office)

727-483-3662 (Mobile)

941-621-4980 (Fax)

For More information about my course offerings, please contact me!

