ATTACHMENT C—CITY OF EVERETT CLOUD-AND/OR OFFSITE HOSTING TERMS AND CONDITIONS
1. Data Ownership: The City of Everett shall own all right, title and interest in its data that is related to the services
provided by this contract. The Service Provider shall not access City of Everett User accounts, or City of Everett
Data, except (i) in the course of data center and other technical operations, (ii) response to service or technical issues,
(iii) as required or allowed by the express terms of this contract, or (iv) at City of Everett's written request.
2. Data Protection: Protection of personal privacy and sensitive data shall be an integral part of the business activities
of the Service Provider to ensure that there is no inappropriate or unauthorized use of City of Everett information at
any time. To this end, the Service Provider shall safeguard the confidentiality, integrity, and availability of City
information and comply with the following conditions:
a) All personal data and other sensitive information obtained by the Service Provider under this contract shall
become and remain property of the City of Everett.
b) At no time shall any data or processes which either belong to or are intended for the use of City of Everett or its
officers, agents, or employees, be copied, disclosed, or retained by the Service Provider or any party related to the
Service Provider for subsequent use in any transaction that does not include the City of Everett.
3. Data Location: The Service Provider shall not store or transfer non-public City of Everett data outside of the United
States. This includes backup data and Disaster Recovery locations. The Service Provider will permit its personnel and
contractors to access City of Everett data remotely only as required to provide technical or other customer support.
4. Encryption:
a) The Service Provider shall encrypt all non-public data in transit regardless of the transit mechanism.
b) For engagements where the Service Provider stores sensitive personally identifiable or otherwise confidential
information, this data shall be encrypted at rest. Examples are social security number, date of birth, driver's
license number, financial data, federal/state tax information, and hashed passwords. The Service Provider's
encryption shall be consistent with validated cryptography standards as specified in National Institute of
Standards and Technology FIPS 140-2, Security Requirements. The key location and other key management
details will be discussed and negotiated by both parties. When the Service Provider cannot offer encryption at
rest, they must maintain, for the duration of the contract, cyber security liability insurance coverage for any loss
resulting from a data breach in accordance with the table below. Additionally, where encryption of data at rest is
not possible, vendor must describe existing security measures that provide a similar level of protection.
• Cyber Liability Insurance. Service Provider shall, at its sole expense, procure, maintain, and keep in force for the
duration of the Agreement the following insurance coverage: Cyber Liability insurance with limits of not less than
$1,000,000 per occurrence and an annual aggregate of $2,000,000 covering claims involving privacy violations,
information theft, damage to or destruction of electronic information, unintentional release of private information,
alteration of electronic information, extortion and network security caused by the acts or omissions of Software
Company (or any subcontractors acting on its behalf). City of Everett must be named as an Additional Named Insured
on such policy. Service Provider's insurer shall be currently rated by A.M. Best as A-IX or better. At a minimum, the
policy must include third party coverage for credit monitoring; notification costs to data breach victims; and regulatory
penalties and fines. In the event contractor fails to keep in effect at all times the insurance coverage required by this
provision, the City may, in addition to any other remedies it may have, terminate the contract upon the occurrence of
such event, subject to the provisions of the contract.
5. Breach Notification and Recovery: City of Everett requires public breach notification when citizens' personally
identifiable information is lost or stolen. Additionally, unauthorized access or disclosure of non-public data is
considered to be a breach. The Service Provider will provide notification to the City without unreasonable delay and
all communication to the data subjects shall be made without unreasonable delay and coordinated between the Service
Provider and the City of Everett. When the Service Provider or their subcontractors are liable for the loss, the Service
Provider shall bear all costs associated with the investigation, response and recovery from the breach. The City of
Everett shall not agree to any limitation on liability that relieves a Contractor from its own negligence or to the extent
that it creates an obligation on the part of the State to hold a Contractor harmless.
6. Notification of Legal Requests: The Service Provider shall contact the City of Everett upon receipt of any electronic
discovery, litigation holds, discovery searches, and expert testimonies related to, or which in any way might
reasonably require access to the data of the City. The Service Provider shall not respond to subpoenas, service of
<br /> Everett Public Library 20170701 Page 10 of 13 OCLC Master Services Agreement