Laserfiche WebLink
<br />Exhibit B - 1 <br />Exhibit B <br />City of Everett <br />Cloud / Offsite Hosting Terms and Conditions <br />1. Data Ownership: The City of Everett shall own all right, title and interest in its data that is related to the <br />services provided by this contract. The Service Provider shall not access City of Everett User accounts, or <br />City of Everett Data, except (i) in the course of data center operations, (ii) response to service or technical <br />issues, (iii) as required by the express terms of this contract, (iv) at City of Everett’s written request, or (v) <br />as part of the regular operation of the software. <br /> <br />2. Data Protection: Protection of personal privacy and sensitive data shall be an integral part of the business <br />activities of the Service Provider to ensure that there is no inappropriate or unauthorized use of City of <br />Everett information at any time. To this end, the Service Provider shall safeguard the confidentiality, <br />integrity, and availability of City information and comply with the following conditions: <br /> <br />a) All information provided by the City of Everett under this contract shall become and remain property <br />of the City of Everett. <br /> <br />b) At no time shall any data, which either belongs to or are intended for the exclusive use of City of <br />Everett or its officers, agents, or employees, be copied, disclosed, or retained by the Service <br />Provider or any party related to the Service Provider for subsequent use in any transaction that <br />does not include the City of Everett. <br /> <br />3. Data Location: The Service Provider shall not store or transfer non-public City of Everett data outside of <br />the United States. This includes backup data and Disaster Recovery locations. The Service Provider will <br />permit its personnel and contractors to access City of Everett data remotely only as required to provide <br />technical support. <br /> <br />4. Encryption: <br /> <br />a) The Service Provider shall encrypt all non-public data in transit regardless of the transit <br />mechanism. <br /> <br />b) For engagements where the Service Provider stores sensitive personally identifiable or otherwise <br />confidential information, this data shall be encrypted at rest. Examples are social security number, <br />date of birth, driver’s license number, financial data, federal/state tax information, and hashed <br />passwords. The Service Provider’s encryption shall be consistent with validated cryptography <br />standards as specified in National Institute of Standards and Technology FIPS140-2, Security <br />Requirements. The key location and other key management details will be discussed and <br />negotiated by both parties. When the Service Provider cannot offer encryption at rest, they must <br />maintain, for the duration of the contract, cyber security liability insurance coverage for any loss <br />resulting from a data breach in accordance with the table below. Additionally, where encryption of <br />data at rest is not possible, vendor must describe existing security measures that provide a similar <br />level of protection.