REQUEST FOR PROPOSALS (RFP) Digital Asset Management


[PDF]REQUEST FOR PROPOSALS (RFP) Digital Asset Management...

0 downloads 193 Views 586KB Size

REQUEST FOR PROPOSALS (RFP) Digital Asset Management System Software RFP NO. H24_14

RFP Issue Date „

July 11, 2013

Proposal Due Date „

July 24, 2013 at 3:00pm local time

NOTE: If you download this RFP from the WEBS website you are responsible for sending your name, address, email address, and telephone number to the RFP Coordinator in order for your organization to receive any RFP amendments or bidder questions/answers.

CONSULTANT ELIGIBILITY: This procurement is open to those consultants that satisfy the minimum qualifications stated herein and that are available for work in Washington State.

TABLE OF CONTENTS 1.

Introduction ........................................................................................................................................3 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8

2.

General Information for Consultants ...............................................................................................4 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17

3.

Letter of Submittal ......................................................................................................................8 Technical Requirements ............................................................................................................8 Technical Proposal.....................................................................................................................8 Management Proposal ...............................................................................................................9 Cost Proposal.......................................................................................................................... 10

Evaluation and Contract Award..................................................................................................... 11 4.1 4.2 4.3 4.4 4.5 4.6 4.7

5.

RFP Coordinator ........................................................................................................................4 Estimated Schedule of Procurement Activities ..........................................................................4 Submission of Proposals ...........................................................................................................5 Proprietary Information/Public Disclosure..................................................................................5 Revisions to the RFP .................................................................................................................5 Minority & Women-Owned Business Participation.....................................................................5 Acceptance Period .....................................................................................................................5 Responsiveness .........................................................................................................................5 Most Favorable Terms ...............................................................................................................5 Contract and General Terms & Conditions ................................................................................6 Costs to Propose .......................................................................................................................6 No Obligation to Contract...........................................................................................................6 Rejection of Proposals ...............................................................................................................6 Commitment of Funds................................................................................................................6 Insurance Coverage...................................................................................................................6 EWU’s Information Technology Standard..................................................................................7 Washington Institutions of Public Higher Education ..................................................................7

Proposal Contents .............................................................................................................................7 3.1 3.2 3.3 3.4 3.5

4.

Purpose and Background...........................................................................................................3 Objective and Scope of Work.....................................................................................................3 Minimum Qualifications ..............................................................................................................3 Funding ......................................................................................................................................3 Period of Performance ...............................................................................................................3 Current or Former State Employees ..........................................................................................3 Definitions...................................................................................................................................3 ADA ...........................................................................................................................................4

Evaluation Procedure.............................................................................................................. 11 Clarification of Proposal .......................................................................................................... 11 Evaluation Weighting and Scoring .......................................................................................... 11 Oral Presentations may be Required...................................................................................... 12 Notification to Proposers ......................................................................................................... 12 Debriefing of Unsuccessful Proposers.................................................................................... 12 Protest Procedure ................................................................................................................... 12

RFP Exhibits . … ............................................................................................................................. 13 Exhibit A Exhibit B Exhibit C Exhibit D Exhibit E

Certifications and Assurances Technical Requirements Form Model Information Technology Contract EWU’s Information Technology Security Standard Washington Institutions of Public Higher Education Participation Form

  1. INTRODUCTION 1.1 PURPOSE AND BACKGROUND Eastern Washington University, hereafter called "EWU”, is initiating this Request for Proposals (RFP) to solicit proposals from firms interested in participating on a project to implement digital asset management system (DAMS) that will accommodate a large range of mounting requests from a departmental or program requests for file storage, an instructional need to file and maintain Open Educational Resources (OER) or proprietary course content to managing and providing work flows to manage and organize “working” versions of digital files. Further, we are seeking a system capable of presenting these stored digital assets online to the public with appropriate digital rights management while providing private access options and offering security options which can be managed by the individual or group owner. As EWU strives to foster teaching and learning in a technology rich environment, digital assets are being developed and collected at an increasing rate. The current fragmented approach to managing these collections presents a risk in terms of potential misplacement or loss of assets and inefficiencies rising from disparate processes and investments. We seek a set of technologies that enables the collection, storage, retrieval duplication and fine grained control over digital media, thus empowering digital intensive work. 

1.2 OBJECTIVES AND SCOPE OF WORK

  EWU expects a DAMS will provide the capability to: • • • • • •

Ingest digital assets and record the descriptive, contextual, technical and functional attributes (metadata) Manage multiple, “working” versions of a digital asset Transform them into derivative/alternative formats Store and index them for search and retrieval Provide robust search and retrieval capabilites Manage the associated rights

The DAMS will leverage economies of scale and expertise across the campus and deliver efficiency and effectiveness of data access, preservation, security, and reuse allowing the institution to call upon and appropriately share its intellectual capital. The overarching goal is to provide faculty, students and staff a way to manage the digital media collections created in the scope of their work. The goal of this specific implementation is to estalblish our initial DAMS deployment focusing on a select user population. Once established as a production service, EWU will consider extending DAMS services to additional EWU community members. This implementation will delvier production services to the following EWU units: • • • •

Marketing and Communications Athletics Library Services Office of Informaiton Technology, Instructional Technology Services

There will be an estimated 40 contributers upon implementation. EWU is not contemplating a large-scale formal migration of exisiting asstes, however, we expect bulk ingest capabilities will be a standard capability of any proposed solution. A detailed list of system requirements are attached as Exhibit B on the Technical Requirements From. 1.3 MINIMUM QUALIFICATIONS Minimum qualifications include: • Licensed to do business in the State of Washington or provide a commitment that it will become licensed in Washington within thirty (30) calendar days of being selected as the Apparently Successful Contractor.

Page 3 of 14

  • EWU wishes to acquire mature, operational application systems. Therefore, it seeks only those systems that have been installed in comparable institutions of higher education and have been operational (i.e., in daily usage from the point of implementation) for a minimum of 2 years. • Documented experience with LTI LMS integration. Bidders, who do not meet these minimum qualifications will be rejected as non-responsive and will not receive further consideration. Any proposal that is rejected as non-responsive will not be evaluated or scored. 1.4 FUNDING Any contract awarded as a result of this procurement is contingent upon the availability of funding. 1.5 PERIOD OF PERFORMANCE The period of performance of any contract resulting from this RFP is tentatively scheduled to begin on or about August 30, 2013 and to end on June 30, 2014. Amendments extending the period of performance, if any, shall be at the sole discretion of EWU. 1.6 CONTRACTING WITH CURRENT OR FORMER STATE EMPLOYEES Specific restrictions apply to contracting with current or former state employees pursuant to RCW 42.52.080. Proposers should familiarize themselves with the requirements prior to submitting a proposal that includes current or former state employees. 1.7 DEFINITIONS Definitions for the purposes of this RFP include: Apparent Successful Contractor – The consultant selected as the entity to perform the anticipated services, subject to completion of contract negotiations and execution of a written contract. Consultant – Individual or company interested in the RFP and that may or does submit a proposal in order to attain a contract with EWU. Contractor – Individual or company whose proposal has been accepted by EWU and is awarded a fully executed, written contract. EWU – Eastern Washington University is the agency of the state of Washington that is issuing this RFP. Proposal – A formal offer submitted in response to this solicitation. Proposer - Individual or company that submits a proposal in order to attain a contract with EWU. Request for Proposals (RFP) – Formal procurement document in which a service or need is identified but no specific method to achieve it has been chosen. The purpose of an RFP is to permit the consultant community to suggest various approaches to meet the need at a given price. RCW – Revised Code of Washington. 1.8 ADA EWU complies with the Americans with Disabilities Act (ADA). Consultants may contact the RFP Coordinator to receive this Request for Proposals in Braille or on tape. 2. GENERAL INFORMATION FOR CONSULTANTS 2.1 RFP COORDINATOR The RFP Coordinator is the sole point of contact for this procurement. All communication with EWU in regard to this RFP shall be directed, in writing through email to the RFP Coordinator named below. Name

Lori Holznagel

Email Address

[email protected]

Mailing Address

Eastern Washington University 218 Tawanka Cheney, WA 99004

Page 4 of 14

  Phone Number

(509) 359-7905

Fax Number

(509) 359-7984

In the interest of fairness, EWU will only answer questions received in writing through email. Do not call the RFP Coordinator to ask questions. EWU will send a copy of all Bidders’ questions and EWU’s official written answers as detailed in Section 2.5. Any other communication will be considered unofficial and non-binding on EWU. Consultants are to rely on written statements issued by the RFP Coordinator. Communication directed to parties other than the RFP Coordinator may result in disqualification of the Consultant. 2.2 ESTIMATED SCHEDULE OF PROCUREMENT ACTIVITIES Issue Request for Proposals

July 11, 2013

Question & answer period

July 11, 2013 – July 18, 2013

Issue last addendum to RFP (if applicable)

July 22, 2013

Proposals due

July 24, 2013

Evaluate proposals

July 25, 2013 – August 9, 2013

Conduct oral interviews or vendor presentations with finalists, if required

August 12, 2013 – August 13, 2013

Announce “Apparent Successful Contractor” and send notification via email to unsuccessful proposers

August 14, 2013

Negotiate contract

August 20, 2013 – August 29, 2013

Begin contract work

August 30, 2013

EWU reserves the right to revise the above schedule. 2.3 SUBMISSION OF PROPOSALS The proposal must be received by the RFP Coordinator no later than 3:00pm, Pacific Standard Time in Cheney, Washington, on Wednesday, July 24 2013. Proposals must be submitted electronically as an attachment to an email to [email protected] the RFP Coordinator, at the email address listed in Section 2.1. Attachments to email shall be in Microsoft Word format or PDF. Zipped files cannot be received by EWU and cannot be used for submission of proposals. The cover submittal letter and the Certifications and Assurances form must have a scanned signature of the individual within the organization authorized to bind the Consultant to the offer. EWU does not assume responsibility for problems with Consultant’s email. If EWU’s email is not working, appropriate allowances will be made for bidders. Proposals may not be transmitted using facsimile transmission. Consultants should allow sufficient time to ensure timely receipt of the proposal by the RFP Coordinator. Late proposals will not be accepted and will be automatically disqualified from further consideration, unless EWU’s email is found to be at fault. All proposals and accompanying documentation received will be the property of EWU and will not be returned. 2.4 PROPRIETARY INFORMATION/PUBLIC DISCLOSURE Proposals submitted in response to this competitive procurement shall become the property of EWU. All proposals received shall remain confidential until the announcement of the apparent successful bidder; thereafter, the proposals shall be deemed public records as defined in Chapter 42.56 RCW. 2.5 REVISIONS TO THE RFP In the event it becomes necessary to revise any part of this RFP, addenda will be provided via email to all individuals, who have made the RFP Coordinator aware of their interest. Addenda will also be published on the Washington’s Electronic Business Solution (WEBS) website at https://fortress.wa.gov/ga/webs/. For this

Page 5 of 14

  purpose, the published questions and answers and any other pertinent information shall be provided as an addendum to the RFP and will be placed on the WEBS website. EWU also reserves the right to cancel or to reissue the RFP in whole or in part, prior to execution of a contract. 2.6 MINORITY & WOMEN-OWNED BUSINESS PARTICIPATION In accordance with Chapter 39.19 RCW, the state of Washington encourages participation in all of its contracts by firms certified by the Office of Minority and Women’s Business Enterprises (OMWBE). Participation may be either on a direct basis in response to this solicitation or on a subcontractor basis. However, no preference will be included in the evaluation of proposals, no minimum level of MWBE participation shall be required as a condition for receiving an award, and proposals will not be rejected or considered non-responsive on that basis. For information on certified firms, consultants may contact OMWBE at 360/753-9693 or http://www.omwbe.wa.gov. 2.7 ACCEPTANCE PERIOD Proposals must provide 90 days for acceptance by EWU from the due date for receipt of proposals. 2.8 RESPONSIVENESS All proposals will be reviewed by the RFP Coordinator to determine compliance with administrative requirements and instructions specified in this RFP. The Consultant is specifically notified that failure to comply with any part of the RFP may result in rejection of the proposal as non-responsive. EWU also reserves the right at its sole discretion to waive minor administrative irregularities. 2.9 MOST FAVORABLE TERMS EWU reserves the right to make an award without further discussion of the proposal submitted. Therefore, the proposal should be submitted initially on the most favorable terms which the Consultant can propose. There will be no best and final offer procedure. EWU does reserve the right to contact a Consultant for clarification of its proposal. The Apparent Successful Contractor should be prepared to accept this RFP for incorporation into a contract resulting from this RFP. Contract negotiations may incorporate some or all of the Consultant’s proposal. It is understood that the proposal will become a part of the official procurement file on this matter without obligation to EWU. 2.10 CONTRACT AND GENERAL TERMS & CONDITIONS The apparent successful contractor will be expected to enter into a contract which is substantially the same as the sample contract and its general terms and conditions attached as Exhibit C. In no event is a Consultant to submit its own standard contract terms and conditions in response to this solicitation. The Consultant may submit exceptions as allowed in the Certifications and Assurances form, Exhibit A to this solicitation. All exceptions to the contract terms and conditions must be submitted as an attachment to Exhibit A, Certifications and Assurances form. EWU will review requested exceptions and accept or reject the same at its sole discretion. 2.11 COSTS TO PROPOSE EWU will not be liable for any costs incurred by the Consultant in preparation of a proposal submitted in response to this RFP, in conduct of a presentation, or any other activities related to responding to this RFP. 2.12 NO OBLIGATION TO CONTRACT This RFP does not obligate the state of Washington or EWU to contract for services specified herein. 2.13 REJECTION OF PROPOSALS EWU reserves the right at its sole discretion to reject any and all proposals received without penalty and not to issue a contract as a result of this RFP.

Page 6 of 14

  2.14 COMMITMENT OF FUNDS The Vice President of Business & Finance or assigned delegate is the only individual who may legally commit EWU to the expenditures of funds for a contract resulting from this RFP. No cost chargeable to the proposed contract may be incurred before receipt of a fully executed contract. 2.15 INSURANCE COVERAGE The Contractor is to furnish EWU with a certificate(s) of insurance executed by a duly authorized representative of each insurer, showing compliance with the insurance requirements set forth below. The Contractor shall, at its own expense, obtain and keep in force insurance coverage which shall be maintained in full force and effect during the term of the contract. The Contractor shall furnish evidence in the form of a Certificate of Insurance that insurance shall be provided, and a copy shall be forwarded to EWU within fifteen (15) days of the contract effective date. Liability Insurance 1) Commercial General Liability Insurance: Contractor shall maintain commercial general liability (CGL) insurance and, if necessary, commercial umbrella insurance, with a limit of not less than $1,000,000 per each occurrence. If CGL insurance contains aggregate limits, the General Aggregate limit shall be at least twice the “each occurrence” limit. CGL insurance shall have products-completed operations aggregate limit of at least two times the “each occurrence” limit. CGL insurance shall be written on ISO occurrence from CG 00 01 (or a substitute form providing equivalent coverage). All insurance shall cover liability assumed under an insured contract (including the tort liability of another assumed in a business contract), and contain separation of insureds (cross liability) condition. Additionally, the Contractor is responsible for ensuring that any subcontractors provide adequate insurance coverage for the activities arising out of subcontracts. 2) Business Auto Policy: As applicable, the Contractor shall maintain business auto liability and, if necessary, commercial umbrella liability insurance with a limit not less than $1,000,000 per accident. Such insurance shall cover liability arising out of “Any Auto.” Business auto coverage shall be written on ISO form CA 00 01, 1990 or later edition, or substitute liability form providing equivalent coverage. Employers Liability (“Stop Gap”) Insurance: In addition, the Contractor shall buy employers liability insurance and, if necessary, commercial umbrella liability insurance with limits not less than $1,000,000 each accident for bodily injury by accident or $1,000,000 each employee for bodily injury by disease. Additional Provisions Above insurance policy shall include the following provisions: 1. Additional Insured. EWU, its elected and appointed officials, agents and employees shall be named as an additional insured on all general liability, excess, umbrella and property insurance policies. All insurance provided in compliance with this contract shall be primary as to any other insurance or self-insurance programs afforded to or maintained by the state. 2. Cancellation. EWU shall be provided written notice before cancellation or non-renewal of any insurance referred to therein, in accord with the following specifications. Insurers subject to RCW 48.18.2901 Renewal required - Exceptions): The insurer must deliver or mail written notice of nonrenewal to the named insured at least forty-five days before the expiration date of the policy. If cancellation is due to non-payment of premium, the state shall be given 10 days advance notice of cancellation, RCW 48.18.290. Insurers subject to Chapter 48.15 RCW (Surplus lines): The state shall be given 20 days advance notice of cancellation. If cancellation is due to non-payment of premium, the state shall be given 10 days advance notice of cancellation. 3. Identification. Policy must reference EWU’s contract number and name. 4. Insurance Carrier Rating. All insurance and bonds should be issued by companies admitted to do business within the state of Washington and have a rating of A-, Class VII or better in the most recently published edition of Best’s Reports. Any exception shall be reviewed and approved by EWU’s Risk Manager or the Risk Manager for the state of Washington, before the contract is accepted or work may begin. If an insurer is not admitted, all insurance policies and procedures for issuing the insurance policies must comply with Chapter 48.15 RCW and Chapter 284-15 WAC. Page 7 of 14

  5. Excess Coverage. By requiring insurance herein, the state does not represent that coverage and limits will be adequate to protect Contractor and such coverage and limits shall not limit Contractor’s liability under the indemnities and reimbursements granted to the state in this contract. Workers’ Compensation Coverage The Contractor will at all times comply with all applicable workers’ compensation, occupational disease, and occupational health and safety laws, statutes, and regulations to the full extent applicable. The state will not be held responsive in any way for claims filed by the Contractor or their employees for services performed under the terms of this contract. 2.16 EWU’S APPLICATION SERVICE PROVIDER SECURITY QUESTIONAIRE Exhibit D to this RFP defines the minimum security criteria in order for a hosted solution to be considered for use by EWU. Proposer is required to have the ability to comply with EWU’s Information Technology Standard. If the solution is hosted, Apparent Successful Contractor will then be required to complete this form for EWU evaluation prior to final contract award.  2.17 WASHINGTON INSTITUTIONS OF PUBLIC HIGHER EDUCATION (WIPHE) This solicitation is being issued by Eastern Washington University (The Lead Institution) pursuant to the Interlocal Cooperative Act, RCW 39.34, and offers the Contractor an opportunity to make any resulting contract available to members of the Washington Institutions of Public Higher Education purchasing cooperative (WIPHE). Participants in the Washington Institutions of Public Higher Education (WIPHE) Interlocal agreement may establish an institution specific agreement with the Contractor/Supplier at any time during the term of this Contract. The term of the institution specific agreement may have a term, if mutually agreed upon, which extends beyond the term of the Lead Institution's Contract. In that event all terms and conditions of the Lead Institution’s Contract will inure to the participating institution’s agreement. In addition to EWU, other public agencies and political subdivisions within the State of Washington, pursuant to the Interlocal Cooperative Act, RCW 39.34 may be interested in utilizing the resulting contract(s). Proposer should complete Exhibit E indicating their interest in WIPHE participation. 3. PROPOSAL CONTENTS Proposals must be written in English and submitted electronically to the RFP Coordinator in the order noted below: 1. Letter of Submittal, including signed Certifications and Assurances (Exhibit A to this RFP); 2. Technical Requirements Form (Exhibit B to the RFP) 3. Implementation Project Proposal; 4. Management Proposal; and, 5. Cost Proposal. Proposals must provide information in the same order as presented in this document with the same headings. This will not only be helpful to the evaluators of the proposal, but should assist the Consultant in preparing a thorough response. Items marked “mandatory” must be included as part of the proposal for the proposal to be considered responsive, however, these items are not scored. Items marked “scored” are those that are awarded points as part of the evaluation conducted by the evaluation team. 3.1 LETTER OF SUBMITTAL (MANDATORY) The Letter of Submittal and the attached Certifications and Assurances form (Exhibit A to this RFP) must be signed and dated by a person authorized to legally bind the Consultant to a contractual relationship, e.g., the President or Executive Director if a corporation, the managing partner if a partnership, or the proprietor if a sole proprietorship. Along with introductory remarks, the Letter of Submittal is to include by attachment the following information about the Consultant and any proposed subcontractors: 1. BUSINESS INFORMATION (MANDATORY) A. Name, address, principal place of business, telephone number, and fax number/email address of legal entity or individual with whom contract would be written. Page 8 of 14

  B. Name, address, and telephone number of each principal officer (President, Vice President, Treasurer, Chairperson of the Board of Directors, etc.) C. Legal status of the Consultant (sole proprietorship, partnership, corporation, etc.) and the year the entity was organized to do business as the entity now substantially exists. D. Federal Employer Tax Identification number or Social Security number and the Washington Uniform Business Identification (UBI) number issued by the state of Washington Department of Revenue. If the Consultant does not have a UBI number, the Consultant must state that it will become licensed in Washington within thirty (30) calendar days of being selected as the Apparently Successful Contractor. E. Location of the facility from which the Consultant would operate. F. Identify any state employees or former state employees employed or on the firm’s governing board as of the date of the proposal. Include their position and responsibilities within the Consultant’s organization. If following a review of this information, it is determined by EWU that a conflict of interest exists, the Consultant may be disqualified from further consideration for the award of a contract. 3.2 TECHINCAL REQUIREMENTS FORM, EXHIBIT B (MANDATORY/SCORED) The technical requirements form contains both mandatory and desired items and section for description of how the vendor meets each requirement. Scoring is outlined in Section 4.3. A. Mandatory Items (M) – The proposer must be able to comply with all mandatory requirements. If any of the mandatory items in the technical requirements form cannot be met, the proposer will be automatically disqualified. B. Desired items (D) – The evaluation will include scoring of desired items. C. Description of how the vendor meets each requirement – The evaluation will include scoring of vendor descriptions

3.3 IMPLEMENTATION PROJECT PROPOSAL (SCORED) Work Plan and Deliverables The Implementation Project Proposal must contain a comprehensive description of services including the following elements: A.

Project Approach/Methodology – Include a complete description of the Consultant’s proposed approach and methodology for managing and executing the project. This section should convey Consultant’s understanding of the proposed project. Provide a description of the proposed project team structure and internal controls to be used during the course of the project, including any subcontractors. Provide an organizational chart of your firm indicating lines of authority for personnel involved in performance of this potential contract and relationships of this staff to other programs or functions of the firm. This chart must also show lines of authority to the next senior level of management. Identify who within the firm will have prime responsibility and final authority for the work.

B.

Work Plan and Deliverables- Include all project requirements and the proposed tasks, services, activities, etc. necessary to accomplish the scope of the implementation defined in this RFP. This workplan and deliverables list must support the requirements set forth in Section 1.2, Objectives and Scope of Work as well as in Exhibit B the Technical Requirements Form. This section of the technical proposal must contain sufficient detail to convey to members of the evaluation team the Consultant’s knowledge of the subjects and skills necessary to successfully complete the project. Include any required involvement of EWU staff. Identify the individuals proposed for your team who would be involved in design, implementation, training and account servicing. Describe which roles each team member will play throughout implementation and how much time EWU can expect to spend with each member of the team. Outline when team members will be on campus and our access to them when they are not on campus. Describe the recommended types and length of training to ensure staff is prepared for go-live date. Identify training for the different types of users (i.e., administrative, professional staff, etc.). The Consultant may also

Page 9 of 14

  present any creative approaches to training delivery that might be appropriate. The Consultant may provide any pertinent supporting documentation. The bid response shall include at a minimum 4 hours of consulting time dedicated to pre-planning the project in conjunction with EWU's Office of Information Technology Project Management Services group. These hours will be used to discuss the management approach of the project, organizational readiness, and to exchange project specific information C.

Project Schedule - Include a project schedule describing key milestones and a conceptual timeline.

D.

Outcomes and Performance Measurement – For each milestone describe the outcomes and performace measurments to be used to determine the successful attainment of the milestone.

E.

Risks - The Consultant must identify potential risks that are considered significant to the success of the project. Include how the Consultant would propose to effectively monitor and manage these risks, including reporting of risks to EWU’s project manager.

3.4 MANAGEMENT PROPOSAL A. Experience of the Consultant (SCORED) 1. Indicate the experience the Consultant and any subcontractors have in the following areas associated with a. installed and operational systems at comparable institutions for a minimum of 2 years, b.integration with previously implemented institutional systems (i.e. enterprise resource planning systems, learning management systems, authentication systems, etc.) c. integration with social media 2. Indicate other relevant experience that indicates the qualifications of the Consultant, and any subcontractors, for the performance of the potential contract. B. Related Information (MANDATORY) 1. If the Consultant or any subcontractor contracted with the state of Washington during the past 24 months, indicate the name of the agency, the contract number and project description and/or other information available to identify the contract. 2. If the Consultant’s staff or subcontractor’s staff was an employee of the state of Washington during the past 24 months, or is currently a Washington State employee, identify the individual by name, the agency previously or currently employed by, job title or position held and separation date. 3. If the Consultant has had a contract terminated for default in the last five years, describe such incident. Termination for default is defined as notice to stop performance due to the Consultant’s non-performance or poor performance and the issue of performance was either (a) not litigated due to inaction on the part of the Proposer, or (b) litigated and such litigation determined that the Proposer was in default. 4. Submit full details of the terms for default including the other party's name, address, and phone number. Present the Consultant’s position on the matter. EWU will evaluate the facts and may, at its sole discretion, reject the proposal on the grounds of the past experience. If no such termination for default has been experienced by the Consultant in the past five years, so indicate. C. References (MANDATORY) 1. Business References: List names, addresses, telephone numbers, and fax numbers/email addresses of three (3) business references for the Consultant. Do not include current EWU staff as references. The Consultant must grant permission to EWU to contact the references and others who may have pertinent information regarding the Consultant’s qualifications and experience to perform the services required by this RFP. EWU may evaluate references at EWU’s discretion. 2. Product and Implementation References: Include a list of contracts for comparable higher education institutions that the Consultant has had during the last five years that relate to the Consultant’s ability to perform the services needed under this RFP. List names, addresses, telephone numbers, and fax numbers/email addresses of at least three (3) references for the Consultant. Page 10 of 14

  3. EWU reserves the right to contact the references and others who may have pertinent

information regarding the Consultant’s and the lead staff person’s qualifications and experience to perform the services required by this RFP. It is the Consultant’s responsibility to contact their business references and authorize them to provide information to EWU and EWU affiliates. The references must be available by phone during the evaluation process. EWU may evaluate references at EWU’s discretion. D. OMWBE Certification (OPTIONAL AND NOT SCORED) Include proof of certification issued by the Washington State Office of Minority and Womens Business Enterprises (OMWBE) if certified minority-owned firm and/or women-owned firm(s) will be participating on this project. For information: http://www.omwbe.wa.gov. 3.5 COST PROPOSAL The evaluation process is designed to award this procurement not necessarily to the Consultant of least cost, but rather to the Consultant whose proposal best meets the requirements of this RFP. However, Consultants are encouraged to submit proposals which are consistent with state government efforts to conserve state resources. A. Identification of Costs (SCORED) Identify all costs in U.S. dollars including expenses to be charged for performing the services. The Consultant is to submit a fully detailed budget including staff costs and any expenses necessary to accomplish the tasks and to produce the deliverables under the contract. Pricing should be made with scalability, with a preference for site license. Projected number of contributing users will be: Total Users: Concurrent Users:

40 – 100 30 – 150

Consultants are required to collect and pay Washington state sales and use taxes, as applicable. Costs for subcontractors are to be broken out separately. Please note if any subcontractors are certified by the Office of Minority and Women’s Business Enterprises. 1. Application Software. Provide the following cost information: a) Package/module name: Identify the application software by name and version number. b) Non-recurring cost: Provide any one-time cost associated with acquiring the software/system. Identify as purchase, license fee, etc. All license fees will be assumed to be perpetual unless specified otherwise. c) Contractor Services Costs: Provide the costs, in detail, for all applicable services proposed: 1. Software Installation 2. Implementation 3. Data Interfaces 4. Data Conversion/Migration 5. System Test d) Post Implementation recurring costs: Provide all recurring costs associated with licensing, maintenance and support of the proposed system. Indicate the price and the unit (i.e., by month, etc.) including: annual maintenance cost. All maintenance fees will be assumed to begin twelve (12) months after module implementation unless specified otherwise. Maintenance costs will be assumed to include upgrades to future versions of the software unless specified otherwise. If such separate costs are proposed, please list them separately. 2. Detail Application Customization Cost. Provide detailed application customization costs if customization services are available. 3. Training Costs. For each training module proposed (administrator, contributer, etc.) provide a matrix detailing the following: Page 11 of 14

  a. Service (training) component: Specific training class or component identified (administrator, contributer,  etc.)  proposed in the training plan. Application/product: Indicate specific application module or general area of Proposer's project, whichever applies. Cost: Total cost of this component to EWU. Recurring price/unit: If any ongoing training is a part of the plan, indicate the price and the unit (i.e. by class, etc.) Type and number of personnel: Indicate target group for particular training (i.e. administrators, user department personnel, etc.) f. Travel and per diem: Indicate total cost to EWU if the training class is to be held on the EWU campus.

b. c. d. e.

Proposals must also describe any additional one-time or ongoing training related costs that have not been previously described in this section. Please specify annual costs per person for user group participation. 4. Proposed System Five (5) Year Cost Matrix Provide an overall five-year Cost Matrix of all costs and expenses for financial analysis. 4. EVALUATION AND CONTRACT AWARD 4.1 EVALUATION PROCEDURE Responsive proposals will be evaluated strictly in accordance with the requirements stated in this solicitation and any addenda issued. The evaluation of proposals shall be accomplished by an evaluation team(s), to be designated by EWU, which will determine the ranking of the proposals. EWU, at its sole discretion, may elect to select the top-scoring firms as finalists for an oral presentation. 4.2 CLARIFICATION OF PROPOSAL The RFP Coordinator may contact the Consultant for clarification of any portion of the Consultant’s proposal. 4.3 EVALUATION WEIGHTING AND SCORING The following weighting and points will be assigned to the proposal for evaluation purposes: Implementation Project Proposal

10%

Project Approach/Methodology Work Plan and Deliverables Project Schedule Outcomes and performance measurements Risks

20 points (maximum) 20 points (maximum) 20 points (maximum) 20 points (maximum) 20 points (maximum) 50%

Technical Requirements Form B.1 Application Structure: B.2 Application Functionality: Location and Site Branding B.3 Application Structure: Digital Assets and Metadata B.4 Application Functionality: Users B.5 Application Functionality: Integration B.6 Application Functionality: Administration B.7 Implementation Process

30 points (maximum) 30 points (maximum) 30 points (maximum) 30 points (maximum) 30 points (maximum) 30 points (maximum) 20 points (maximum)

Management Proposal

10%

Experience of the Consultant

20 points (maximum)

Cost Proposal

30%

1. Application Software

20 points (maximum) Page 12 of 14

  2. Detailed Application Customization Costs 3. Training Costs 4. Five Year Cost Matirx

20 points (maximum) 20 points (maximum) 20 points (maximum)

TOTAL

100%

EWU reserves the right to award the contract to the Consultant whose proposal is deemed to be in the best interest of EWU and the state of Washington. 4.4 ORAL PRESENTATIONS MAY BE REQUIRED EWU may after evaluating the written proposals elect to schedule oral presentations of the finalists. Should oral presentations become necessary, EWU will contact the top-scoring firm(s) from the written evaluation to schedule a date, time and location. Commitments made by the Consultant at the oral interview, if any, will be considered binding. The scores from the written evaluation and the oral presentation combined together will determine the apparent successful contractor. 4.5 NOTIFICATION TO PROPOSERS EWU will notify the Apparently Successful Contractor of their selection in writing upon completion of the evaluation process. Individuals or firms whose proposals were not selected for further negotiation or award will be notified separately by email or via WEBS. 4.6 DEBRIEFING OF UNSUCCESSFUL PROPOSERS Any Consultant who has submitted a proposal and been notified that they were not selected for contract award may request a debriefing. The request for a debriefing conference must be received by the RFP Coordinator within three (3) business days after the Unsuccessful Consultant Notification is emailed or faxed to the Consultant. Debriefing requests must be received by the RFP Coordinator no later than 5:00 PM, local time, in Cheney, Washington on the third business day following the transmittal of the Unsuccessful Consultant Notification. The debriefing must be held within three (3) business days of the request. Discussion at the debriefing conference will be limited to the following: • Evaluation and scoring of the firm’s proposal; • Critique of the proposal based on the evaluation; • Review of proposer’s final score in comparison with other final scores without identifying the other firms. Comparisons between proposals or evaluations of the other proposals will not be allowed. Debriefing conferences may be conducted in person or on the telephone and will be scheduled for a maximum of one hour. 4.7 PROTEST PROCEDURE Protests may be made only by Consultants who submitted a response to this solicitation document and who have participated in a debriefing conference. Upon completing the debriefing conference, the Consultant is allowed three (3) business days to file a protest of the acquisition with the RFP Coordinator. Protests must be received by the RFP Coordinator no later than 4:30 PM, local time, in Cheney, Washington on the third business day following the debriefing. Protests may be submitted by email or facsimile, but must then be followed by the document with an original signature. Consultants protesting this procurement shall follow the procedures described below. Protests that do not follow these procedures shall not be considered. This protest procedure constitutes the sole administrative remedy available to Consultants under this procurement. All protests must be in writing, addressed to the RFP Coordinator, and signed by the protesting party or an authorized Agent. The protest must state the RFP number, the grounds for the protest with specific facts and complete statements of the action(s) being protested. A description of the relief or corrective action being requested should also be included. Only protests stipulating an issue of fact concerning the following subjects shall be considered: • A matter of bias, discrimination or conflict of interest on the part of an evaluator; • Errors in computing the score; Page 13 of 14

  • Non-compliance with procedures described in the procurement document or EWU policy. Protests not based on procedural matters will not be considered. Protests will be rejected as without merit if they address issues such as: 1) an evaluator’s professional judgment on the quality of a proposal, or 2) EWU’s assessment of its own and/or other agencies needs or requirements. Upon receipt of a protest, a protest review will be held by EWU. EWU’s Director or an employee delegated by the Director who was not involved in the procurement will consider the record and all available facts and issue a decision within five (5) business days of receipt of the protest. If additional time is required, the protesting party will be notified of the delay. In the event a protest may affect the interest of another Consultant that also submitted a proposal, such Consultant will be given an opportunity to submit its views and any relevant information on the protest to the RFP Coordinator. The final determination of the protest shall: • Find the protest lacking in merit and uphold EWU’s action; or • Find only technical or harmless errors in EWU’s acquisition process and determine EWU to be in substantial compliance and reject the protest; or • Find merit in the protest and provide EWU options which may include: -- Correct the errors and re-evaluate all proposals, and/or --Reissue the solicitation document and begin a new process, or --Make other findings and determine other courses of action as appropriate. If EWU determines that the protest is without merit, EWU will enter into a contract with the apparently successful contractor. If the protest is determined to have merit, one of the alternatives noted in the preceding paragraph will be taken.

5. RFP EXHIBITS Exhibit A Exhibit B Exhibit C Exhibit D Exhibit E

Certifications and Assurances Technical Requirements Form Model Information Technology Contract Certifications and Assurances WIPHE Participation Form

Page 14 of 14

    EXHIBIT A: CERTIFICATIONS AND ASSURANCES FOR RFP H24_14 I/we make the following certifications and assurances as a required element of the proposal to which it is attached, understanding that the truthfulness of the facts affirmed here and the continuing compliance with these requirements are conditions precedent to the award or continuation of the related contract: 1. I/we declare that all answers and statements made in the proposal are true and correct. 2. The prices and/or cost data have been determined independently, without consultation, communication, or agreement with others for the purpose of restricting competition. However, I/we may freely join with other persons or organizations for the purpose of presenting a single proposal. 3. The attached proposal is a firm offer for a period of 60 days following receipt, and it may be accepted by EWU without further negotiation (except where obviously required by lack of certainty in key terms) at any time within the 60-day period. 4. In preparing this proposal, I/we have not been assisted by any current or former employee of the state of Washington whose duties relate (or did relate) to this proposal or prospective contract, and who was assisting in other than his or her official, public capacity. If there are exceptions to these assurances, I/we have described them in full detail on a separate page attached to this document. 5. I/we understand that EWU will not reimburse me/us for any costs incurred in the preparation of this proposal. All proposals become the property of EWU, and I/we claim no proprietary right to the ideas, writings, items, or samples, unless so stated in this proposal. 6. Unless otherwise required by law, the prices and/or cost data which have been submitted have not been knowingly disclosed by the Proposer and will not knowingly be disclosed by him/her prior to opening, directly or indirectly, to any other Proposer or to any competitor. 7. I/we agree that submission of the attached proposal constitutes acceptance of the solicitation contents and the attached sample contract and general terms and conditions. If there are any exceptions to these terms, I/we have described those exceptions in detail on a page attached to this document. 8. No attempt has been made or will be made by the Proposer to induce any other person or firm to submit or not to submit a proposal for the purpose of restricting competition. 9. I/we grant EWU the right to contact references and other, who may have pertinent information regarding the ability of the Consultant and the lead staff person to perform the services contemplated by this RFP. We (circle one) are / are not submitting proposed Contract exceptions. (See Section 2.10, Contract and General Terms and Conditions.) If Contract exceptions are being submitted, I/we have attached them to this form. On behalf of the Consultant submitting this proposal, my name below attests to the accuracy of the above statement. We are submitting a scanned signature of this form with our proposal.

Signature of Proposer Title

 

Date

 

 

  EXHIBIT B: TECHNICAL REQUIREMENTS FORM Directions: Please respond by indicating yes (Y) or no (N) in the box corresponding to the requirement. If a third-party product or service will be required to fulfill the criterion, please place an X in the far right column. All responses need to include a description of how the proposed solution meets the requirement. If additional comments need to be made, please attach an additional sheet, and include the page section name and criterion number to which the comment applies. If the requirement is a future enhancement, please indicate when the enhancement is scheduled for general release.

Technical Requirements   

Item Number  B.1.1 

B.1.3 

B.1.4 

B.1.5  B.1.6 

B.1.7  B.1.8 

B.1.9 

   

Application Structure 

Manditory  Desired or 

Vendor  Answer 

Requirement  

Informational 

 

B.1 

B.1.2 

   

Do you provide digital asset management as localy installed software solution? Do you provide digital asset management as a hosted (application service provider)?

Are you able to scale from 50 contributing  authenticated users to say 12,000 contributors?   Describe your system deployment to accomplish  this scaling.  If hosted, does your system allow for the  automated storage of at least the Raw asset to  EWU local storage.  Describe.  Within what programming language(s) is your  product/service written? 

   

Yes/No  Yes/No 

Are there backup processes and/or disaster recovery processes to ensure the application will perform in the event of an unforeseen disaster? Please explain the methods used.

Exhibit B: Technical Requirements Form

  

Yes/No 

  



  

  

  

  



  

  

  

  

  

  

  

What hardware is required to run your application if you are offering a product, or what hardware is being used on the backend if you are providing as a service? If the solution is an on-premise solution, are virtual technologies available, and on what platform? If hosted, what security measures are taken to ensure the application remains safe from external threats?

Your product must insure that uploaded assets  and associated documents are free of malware  and contagens. List common antivirus products  supported by the DAMS solution The DAMS  solution must support enterprise‐level AV  providers such as Symantec, McAfee, Trend, and  Microsoft. 

Requires  3rd party  soft/  hardware or  services 



  

     

  



  B.1.10  B.1.11  B.1.12  B.1.13  B.1.14  B.1.15  B.1.16  B.1.17 

 

B.2  Item Number  B.2.1  B.2.2 

  

  

  

  

  

  

  

  

  

  

  

  

  

  

Are Utilities available to batch upload user  accounts in addition to CAS or LDAP  authentications?   

  

  

    

 

Application Functionality: Location  and Site Branding 

Manditory  or 

Vendor  Answer 

Requirement  

Desireed 

Where do I go to access the application you are providing? (i.e. your internet site, a domain of choice, existing web site, on our network)

B.2.4 

Do branded displays automatically adjust for  Mobile access?   

 

B.3  Item Number  B.3.1 

Application Functionality: Digital  Assets and Metadata 

Requires  3rd party  soft/  hardware or  Yes/No  services       

  

  

  

  

 

    

    

Manditory  or 

Vendor  Answer 



  

Requirement   Desireed  M  Search operations are key functionality.  Please  describe the search capabilities of your DAMS  product.     Does your product provide the ability to create  on a specific repository or collection unique  watermark? Does it support different  watermarks for different user populations – EWU  Staff, Faculty, indivudual user, collections, etc.?  

Exhibit B: Technical Requirements Form

 



Do local system administrators have full control  of display branding and page layout?  Do local departmental administrators have full  control of departmental display branding and  page layout? 

B.2.3 

B.3.2 

Are special plug-ins required on the workstation for the application to run properly? Are there optional modules availble for your DAMS product and if so describe the modules funtion and include pricing information for each? What are the minimum browser requirements for both Windows and Macintosh operating systems? Can you/we customize the application to accommodate the demands of our departmental workflows? Can users be authenticated via CAS or Active Directory, LDAP? Describe operating systems supported by the DAMS servers. Does your system support for the sale of assets including e-commerece and order fulfillment?

Requires  3rd party  soft/  hardware or  Yes/No  services 

  

     

  



  B.3.3  B.3.4 

B.3.5 

B.3.6  B.3.7  B.3.8 

B.3.9 

B.3.10  B.3.11 

B.3.12 

B.3.13 

B.3.14  B.3.15  B.3.16 

B.3.17  B.3.18     

Can we use metadata to automate  watermarking? Describe.  Please verify that your product supports all EWU  required file formats listed in appendix (X) and  list any additional formats supported.    If you accommodate Video/Audio formats  describe the additional interface features  available to display these formats.  How are digital assets stored within the  application? (file format, color space, resolution)  What types of previews are available for each  asset?  Does your DAMS solution accommodate  workflows that track the creation of derived  assets?  Are metadata fields limited to a  fixed set that  are delivered, or may additional fields be added?   If so are the additional fields able to be searched  and used in the same manner as those that are  delivered? 

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

  

Does your application allow metadata to display  with each asset?  How is the metadata entered and tagged to the     appropriate asset? Can metadata be imported  from other tools such as Adobe Bridge?  How are the metadata fields determined and can     there be different sets of metadata fields for  different groups of assets?  Does your application allow our digital assets and  metadata to be categorized into different areas  to restrict/grant privileges of certain users to  certain assets?  Please explain how this is done.  Is controlled vocabulary supported?  What is the upload limit of individual assets file  size?  Can this be set by the administrator?  Are zip or other compressed file collections  retained as the .zip container or are they  expanded into their individual components or  both?  Are the common metadata schemas such as  MARC, Dublin Core, etc supported?  Can Copyright be enforced via permissions or  specific copyright components?  Describe     

Exhibit B: Technical Requirements Form

M    

     

  

  

  



  

  

        

     

  

  

  

  

  

  

  

            

   

   



 

B.4  Item Number  B.4.1 

B.4.2 

B.4.3 

B.4.5 

B.4.6   

B.5  Item Number  B.5.1 

B.5.3  B.5.4   

Requirement   Desireed  M  Discoverability of our assets is key.  Describe  your practices, features and/or workflows that  have proven to enhance and optimize  discoverability for your clients.  Do users have the ability to save and reuse  search filters?  If a user commonly looks for  specific things do they have to redefine their  search each time? Can search criteria be saved as  a favorite or template as a function of the  application?     M  Fine Grained User permissions control are  essential. Describe how your application permits  us to catogroize EWU users to assign privileges to  restrict/grant access to file formats, delivery  methods, groups of assets, and administrative  functionality?    How are EWU guest users categorized to  accommodate access restriction and privileges to  functionality and assets?  Are you able to restrict individual users from  ordering/downloading more than a certain  quantity of assets?  How are general users trained on system  functionality?   

B.4.4 

B.5.2 

Application Functionality: Users 

Manditory  or 

Application Functionality: Integration Requirement   Describe all methods available to share assets  with other systems i.e. social media.  Can assets   be "hot‐streamed" to social media providers  other internal systems directly?  Is bulk uploading of assets to services such as  Flickr or YouTube supported? Describe.  Can your system share and sycronize information  with the Adobe suite?  Does you DAMS solution offer an LTI integration  to make collections available to courses online?   

Exhibit B: Technical Requirements Form

Requires  3rd party  soft/  hardware or  Yes/No  services 

Vendor  Answer 

 

   

 

 

   

 

 

 

 

 

 

     

 

 

  

Requires  3rd party  soft/  hardware or  Yes/No  services       

  

  

  

  

  

  

  

  

 

 

Manditory  or  Desireed 

    

Vendor  Answer 



 

B.6  Item Number  B.6.1 

B.6.2  B.6.3  B.6.4  B.6.5  B.6.6 

B.6.7 

B.6.8  B.6.9 

B.6.10 

B.6.11  B.6.12  B.6.13 

Application Functionality:  Administration 

Manditory  or 

Requirement   How is clean up and de‐duplication of uploaded  files accomplished?  Is it automated? Can it be  scheduled? What happens to performance of the  system when it is taking place?   Describe asset backup and recovery  proceedures.  What is the backup frequency?  Is a contributor able to recover their own assets  from backup?  Are adminstrators able to Masquarde as diferent  users to test access and functionality?  Describe.  Describe the built‐in reporting and analytics  capabilities.  What types of responsibilities do the  administrator(s) have to maintain the  performance of the application?  How are administrators trained on functionality  and day‐to‐day activities?  What training options  are available?  What tools are provided to automate custom  maintenance activities? 

Desireed  M 

Describe the solution’s ability to enforce security  policies and standards including authentication  and encryption. This must be able to be managed  in a multi‐tenant environment of delegated  administrative ability where a department is free  to enforce stricter policy than a root template if  desired.  How do users register to access the application?  Are users given automatic access or approved on  a case‐by‐case basis?  Are there a limited number of users that can  have concurrent access?  Are there a limited number of total users that  can be listed within the application?  Is there capability for file‐type search (to allow  for easy conversion from obsolete types to  newer types)? 

Exhibit B: Technical Requirements Form

Requires  3rd party  soft/  hardware or  Yes/No  services 

Vendor  Answer 

  

  

  

  

M    

  

  

  

  

  

  

  

  

  

  

  

           

      M 

  

     

  

  

  

  

  

  

  

        

  



     

 

B.7  Item Number  B.7.1 

B.7.2 

B.7.3 

B.7.4 

B.7.5 

B.7.6 

 

 

Implementation Process  Requirement   What type of assistance does your organization  provide to help with gathering assets, assigning  metadata, and importing users?  How much time will be needed from EWU  application administrators to configure, test and  properly deploy this solution? Please discuss  specific tasks required.  What additional support will be needed from our  internal Information Technology department?   Please provide specific tasks they will need to  perform.  How is the user base notified of the new service  existence and usage?  Please provide a few  customer examples on their launch strategies.  What is the typical timeframe from purchase  order to live launch?  Please provide a detailed  breakout of this schedule with customer  deadlines.  If Customization is available, how is that  discovered and handled during the  implementation?  Please provide a typical  customization request and the process to  accommodate it.   

B.8  Item Number 

B.8.1   

 

Manditory  or  Desireed 

  

  

  

  

  

  

  

  

  

  

  

  

  

     

Manditory  or 

Requirement   Desireed  Note: Will this system be subject to EWU ASP  Security Assessment (yes/no?) add requirements  here if yes  M     

Exhibit B: Technical Requirements Form

Requires  3rd party  Vendor  soft/  Answer  hardware or  Yes/No  services       

  

 

EWU Information Technology  Standards 

 

 

 

Vendor  Answer     Yes/No 

  

  

    

 



EXHIBIT C: MODEL INFORMATION TECHNOLOGY CONTRACT CONTRACT NUMBER [XXX-XXX-XXX] for [describe acquisition] PARTIES This Contract “Contract” is entered into by and between the Eastern Washington University “EWU” located at 211 Tawanka, Cheney, WA 99004 and [Vendor], a [corporation/sole proprietor or other business form] licensed to conduct business in the state of Washington “Vendor”, located at [Vendor address] for the purpose of purchasing Software licenses for [describe Software licenses to be purchased]. RECITALS EWU, issued a Request for Proposal (RFP) dated [date], (Exhibit A) for the purpose of purchasing Software licenses for [describe Software licenses to be purchased] in accordance with its authority under chapter 43.105 RCW. Vendor submitted a timely Response to the EWU’s RFP (Exhibit B). EWU evaluated all properly submitted Responses to the above-referenced RFP and has identified [Vendor] as the apparently successful Vendor. EWU has determined that entering into a Contract with [Vendor] will meet EWU’s needs and will be in EWU’s best interest. NOW THEREFORE, EWU awards to [Vendor] this Software License Contract, the terms and conditions of which shall govern Vendor’s furnishing to EWU the [describe the Software licenses being purchased] and Services. This Contract is not for personal use. IN CONSIDERATION of the mutual promises as hereinafter set forth, the parties agree as follows: Definition of Terms The following terms as used throughout this Contract shall have the meanings set forth below. Acceptance shall mean that the Software has passed its Acceptance Testing and shall be formalized in a written notice from EWU to Vendor; or, if there is no Acceptance Testing, Acceptance shall occur when the Products are delivered. Acceptance Date shall mean the date upon which EWU Accepts the Software as provided in the section titled Standard of Performance and Acceptance; or, if there is no Acceptance Testing, Acceptance Date shall mean the date Vendor delivers the Products. Acceptance Testing shall mean the process for ascertaining that the Software meets the standards set forth in the section titled Standard of Performance and Acceptance, prior to Acceptance by the EWU. Business Days and Hours shall mean Monday through Friday, 8:00 a.m. to 5:00 p.m., Pacific Time, except for holidays observed by the state of Washington. Confidential Information shall mean information that may be exempt from disclosure to the public or other unauthorized persons under either chapter 42.56 RCW or other state or federal statutes. Confidential Information includes, but is not limited to, names, addresses, Social Security numbers, e-mail addresses, telephone numbers, financial profiles, credit card information, driver’s license numbers, medical data, law enforcement records, agency source code or object code, agency security data, or [add other items as necessary or delete items not applicable]. Contract shall mean this document, all schedules and exhibits, and all amendments hereto. Delivery Date shall mean the date by which the Products ordered hereunder must be delivered. Department/Commission/Board shall mean the same as EWU. Effective Date shall mean the first date this Contract is in full force and effect. It may be a specific date agreed to by the parties; or, if not so specified, the date of the last signature of a party to this Contract. Exhibit A shall mean the RFP. Exhibit B shall mean Vendor’s Response. Help Desk shall mean a service provided by Vendor for the support of Vendor’s Products. EWU shall report warranty or maintenance problems to Vendor’s Help Desk for initial troubleshooting and possible resolution of the problems or for the initiation of repair or replacement services. Installation Date shall mean the date by which all Software ordered hereunder shall be in place, in good working order [and ready for Acceptance Testing]. License shall mean the rights granted to EWU to use the Software that is the subject of this Contract. Order or Order Document shall mean any official document and attachments thereto specifying the Software and/or Services to be licensed or purchased from Vendor under this Contract. Price shall mean charges, costs, rates, and/or fees charged for the Products and Services under this Contract and shall be paid in United States dollars.

  Product(s) shall mean any Vendor-supplied equipment, Software, and documentation. Proprietary Information shall mean information owned by Vendor to which Vendor claims a protectable interest under law. Proprietary Information includes, but is not limited to, information protected by copyright, patent, trademark, or trade secret laws. EWU Eastern Washington University, any division, section, office, unit or other entity of EWU or any of the officers or other officials lawfully representing EWU. EWU Project Manager shall mean the person designated by EWU who is assigned as the primary contact person whom Vendor’s Account Manager shall work with for the duration of this Contract and as further defined in the section titled EWU Project Manager. EWU Contract Administrator shall mean that person designated by EWU to administer this Contract on behalf of EWU. EWU Contracting Officer shall mean [name of EWU’s officer with signature authority], or the person to whom signature authority has been delegated in writing. This term includes, except as otherwise provided in this Contract, an authorized representative of the EWU Contracting Officer acting within the limits of his/her authority. RCW shall mean the Revised Code of Washington. RFP shall mean the Request for Proposal used as a solicitation document to establish this Contract, including all its amendments and modifications, Exhibit A hereto. Response shall mean Vendor’s Response to EWU’s RFP for [describe acquisition], Exhibit B hereto. Schedule A: Authorized Product and Price List shall mean the attachment to this Contract that identifies the authorized Software and Services and Prices available under this Contract. Services shall mean those Services provided under this Contract and related to the Software License(s) being purchased that are appropriate to the scope of this Contract and includes such things as installation Services, maintenance, training, etc. Software shall mean the object code version of computer programs licensed pursuant to this Contract. Software also means the source code version, where provided by Vendor. Embedded code, firmware, internal code, microcode, and any other term referring to software residing in the equipment that is necessary for the proper operation of the equipment is not included in this definition of Software. Software includes all prior, current, and future versions of the Software and all maintenance updates and error corrections. Specifications shall mean the technical and other specifications set forth in the RFP Exhibit A, any additional specifications set forth in Vendor’s Response, Exhibit B, and the specifications set forth in Vendor’s Product documentation, whether or not Vendor produces such documentation before or after this Contract’s Effective Date. Standard of Performance shall mean the criteria that must be met before Software Acceptance, as set forth in the section titled Standard of Performance and Acceptance. The Standard of Performance also applies to all additional, replacement or substitute Software and Software that is modified by or with the written approval of Vendor after having been accepted. Subcontractor shall mean one not in the employment of Vendor, who is performing all or part of the business activities under this Contract under a separate contract with Vendor. The term “Subcontractor” means Subcontractor(s) of any tier. Vendor shall mean [Vendor], its employees and agents. Vendor also includes any firm, provider, organization, individual, or other entity performing the business activities under this Contract. It shall also include any Subcontractor retained by Vendor as permitted under the terms of this Contract. Vendor Account Manager shall mean a representative of Vendor who is assigned as the primary contact person whom the EWU’s Project Manager shall work with for the duration of this Contract and as further defined in the section titled Vendor Account Manager. Vendor Contracting Officer shall mean [title of Vendor officer with signature authority], or the person to whom signature authority has been delegated in writing. This term includes, except as otherwise provided in this Contract, an authorized representative of Vendor Contracting Officer acting within the limits of his/her authority. Work Product shall mean data and products produced under this Contract including but not limited to, discoveries, formulae, ideas, improvements, inventions, methods, models, processes, techniques, findings, conclusions, recommendations, reports, designs, plans, diagrams, drawings, Software, databases, documents, pamphlets, advertisements, books, magazines, surveys, studies, computer programs, films, tapes, and/or sound reproductions, to the extent provided by law. Contract Term Term (required) Term of Contract for Licensed Software Purchases Exhibit C: Model Information Technology Contract

2

  All purchase transactions executed pursuant to this Contract’s authority shall be placed by [date] and Vendor shall have the Software delivered by the date specified in the Delivery section and installed by the date specified in the Installation section. Term of Contract for Maintenance and Support This Contract’s initial Software maintenance and support term shall be [____(__)] year(s) [or other appropriate time period], commencing the day following expiration of Vendor’s warranty for the Software. This Contract’s Software maintenance and support term may be extended by [____(__)] additional one (1) year term[s]: provided that the extensions shall be at EWU’s option and shall be effected by EWU giving written notice of its intent to extend this Contract to Vendor not less than thirty (30) calendar days prior to the thencurrent Contract term’s expiration and Vendor accepting such extension prior to the then-current Contract term’s expiration. No change in terms and conditions shall be permitted during these extensions unless specifically agreed to in writing. Survivorship (required) All license and purchase transactions executed pursuant to the authority of this Contract shall be bound by all of the terms, conditions, Prices and Price discounts set forth herein, notwithstanding the expiration of the initial term of this Contract or any extension thereof. Further, the terms, conditions and warranties contained in this Contract that by their sense and context are intended to survive the completion of the performance, cancellation or termination of this Contract shall so survive. In addition, the terms of the sections titled Overpayments to Vendor; License Grant; Software Ownership; Ownership/Rights in Data; Date Warranty; No Surreptitious Codes Warranty; Vendor Commitments, Warranties and Representations; Protection of EWU’s Confidential Information; Section Headings, Incorporated Documents and Order of Precedence; Publicity; Review of Vendor’s Records; Patent and Copyright Indemnification; Vendor’s Proprietary Information; Disputes; and Limitation of Liability, and shall survive the termination of this Contract. Pricing, Invoice and Payment Pricing (required) The total amount expended under this Contract shall not exceed [___] dollars [$____] [specify maximum dollar amount]. Vendor agrees to provide the Products and Services at the Prices set forth [below or in Schedule A]. No other Prices shall be payable to Vendor for implementation of Vendor’s Response. Upon expiration of Vendor-provided warranty as set forth in the section titled Software Warranty and upon election by EWU to receive maintenance and support Services from Vendor, EWU shall pay maintenance and support fees to Vendor at the Prices set forth below or in Schedule A. Prices are not be increased during the initial term of the Contract. If Vendor reduces its Prices for any of the Software or Services during the term of this Contract, EWU shall have the immediate benefit of such lower Prices for new purchases. Vendor shall send notice to the EWU Contract Administrator with the reduced Prices within fifteen (15) Business Days of the reduction taking effect. At least [one hundred twenty (120)] calendar days before the end of the then-current term of this Contract, Vendor may propose license fees and Service rate increases by written notice to EWU’s Contract Administrator. Price adjustments will be taken into consideration by EWU’s Contract Administrator when determining whether to extend this Contract. Vendor agrees all the Prices, terms, warranties, and benefits provided in this Contract are comparable to or better than the terms presently being offered by Vendor to any other governmental entity purchasing the same quantity under similar terms. If during the term of this Contract Vendor shall enter into contracts with any other governmental entity providing greater benefits or more favorable terms than those provided by this Contract, Vendor shall be obligated to provide the same to EWU for subsequent purchases. EWU shall reimburse Vendor for travel and other expenses as identified in this Contract, or as authorized in writing, in advance by EWU in accordance with the then-current rules and regulations set forth in the Washington State Administrative and Accounting Manual (http://www.ofm.wa.gov/policy/poltoc.htm). Advance Payment Prohibited (required) No advance payment shall be made for the Software and Services furnished by Vendor pursuant to this Contract. “Notwithstanding the above, maintenance payments, if any, may be made on a quarterly basis at the beginning of each quarter.” Taxes EWU will pay sales and use taxes, if any, imposed on the Products and Services acquired hereunder. Vendor must pay all other taxes including, but not limited to, Washington Business and Occupation Tax, other taxes based on Vendor’s income or gross receipts, or personal property taxes levied or assessed on Vendor’s personal property. EWU, as an agency of Washington State government, is exempt from property tax. Vendor shall complete registration with the Washington State Department of Revenue and be responsible for payment of all taxes due on payments made under this Contract. Exhibit C: Model Information Technology Contract

3

  Invoice and Payment (required) Vendor will submit properly itemized invoices to [title of person to receive invoices] at [provide appropriate address]. Invoices shall provide and itemize, as applicable: EWU Contract number C000XXXX; Vendor name, address, phone number, and Federal Tax Identification Number; Description of Software, including quantity ordered; Date(s) of delivery and/or date(s) of installation and set up; Price for each item, or Vendor’s list Price for each item and applicable discounts; Maintenance charges; Net invoice Price for each item; Applicable taxes; Shipping costs; Other applicable charges; Total invoice Price; and Payment terms including any available prompt payment discounts. If expenses are invoiced, Vendor must provide a detailed itemization of those expenses that are reimbursable, including description, amounts and dates. Any single expense must be accompanied by a receipt in order to receive reimbursement. Payments shall be due and payable within thirty (30) calendar days after receipt and Acceptance of Software or Services or thirty (30) calendar days after receipt of properly prepared invoices, whichever is later. Payment of maintenance service/support of less than one (1) month’s duration shall be prorated at 1/30th of the basic monthly maintenance charges for each calendar day. Incorrect or incomplete invoices will be returned by EWU to Vendor for correction and reissue. The EWU Contract number C000XXXX must appear on all bills of lading, packages, and correspondence relating to this Contract. If EWU fails to make timely payment, Vendor may invoice EWU one percent (1%) per month on the amount overdue or a minimum of one dollar ($1). Payment will not be considered late if payment is deposited electronically in Vendor’s bank account or if a check or warrant is postmarked within thirty (30) calendar days of Acceptance of the Software or receipt of Vendor’s properly prepared invoice, whichever is later. Overpayments to Vendor Vendor shall refund to EWU the full amount of any erroneous payment or overpayment under this Contract within thirty (30) days’ written notice. If Vendor fails to make timely refund, EWU may charge Vendor one percent (1%) per month on the amount due, until paid in full. Software License License Grant (required) Vendor grants to EWU a non-exclusive, perpetual [site-wide, irrevocable, transferable – use terms as applicable] license to use the Software and related documentation according to the terms and conditions of this Contract. EWU may modify any Vendor Software and may combine such with other programs or materials to form a derivative work, provided that upon discontinuance or termination of the license, Vendor Software will be removed from the derivative work and, at EWU’s option, either destroyed or returned to Vendor. In such situations, EWU retains a license only to use the Software in the derivative work. EWU will not decompile or disassemble any Software provided under this Contract or modify Software that bears a copyright notice of any third party without the prior written consent of Vendor or Software owner. EWU may copy each item of Software to a single hard drive. EWU will make and maintain no more than one [or other agreed upon number] archival copy of each item of Software, and each copy will contain all legends and notices and will be subject to the same conditions and restrictions as the original. EWU may also make copies of the Software in the course of routine backups of hard drive(s) for the purpose of recovery of hard drive contents. EWU may use backup or archival copies of the Software, without reinstallation or interruption of production copy(ies), for disaster recovery exercises at its disaster recovery site(s), without additional charge. EWU may make these backup or archival copies available to the disaster recovery site(s)’ employees who require use of the Software in order to assist EWU with disaster recovery exercises. EWU agrees that production use of the Software at the disaster recovery site(s) shall be limited to times when EWU’s facilities, or any portion thereof, are inoperable due to emergency situations. Business or Support Termination Rights. In the event that Vendor shall, for any reason, cease to conduct business, or cease to support the Software licensed under this Contract, EWU shall have a right to convert the Software licenses into perpetual licenses, with rights of quiet enjoyment, but subject to payment obligations not to exceed the Contract Prices. Exhibit C: Model Information Technology Contract

4

  Freedom of Use. Vendor understands that EWU may provide information processing services to other users that are agencies of state government and other tax-supported entities. Vendor further understands that EWU or other users that are agencies of state government and other tax-supported entities may provide services to the public through Internet applications. Software delivered hereunder may be used in the delivery of these services. Vendor acknowledges and agrees that such use of Software products is acceptable under the licensing agreements contained herein. Software Ownership (required) Vendor shall maintain all title, copyright, and other proprietary rights in the Software. EWU does not acquire any rights, express or implied, in the Software, other than those specified in this Contract. Vendor hereby warrants and represents to EWU that Vendor is the owner of the Software licensed hereunder or otherwise has the right to grant to EWU the licensed rights to the Software provided by Vendor through this Contract without violating any rights of any third party worldwide. Vendor represents and warrants that Vendor has the right to license the Software to EWU as provided in this Contract and that EWU’s use of the Software and documentation within the terms of this Contract will not infringe upon any copyright, patent, trademark, or other intellectual property right worldwide or violate any third party’s trade secret, contract, or confidentiality rights worldwide. Vendor represents and warrants that: (i) Vendor is not aware of any claim, investigation, litigation, action, suit or administrative or judicial proceeding pending or threatened based on claims that the Software infringes any patents, copyrights, or trade secrets of any third party, and (ii) that Vendor has no actual knowledge that the Software infringes upon any patents, copyrights, or trade secrets of any third party. Software Code Escrow Source Code Escrow Package Definition. The term “Source Code Escrow Package” shall mean: A complete copy in machine-readable form of the source code and executable code of the licensed Software; A complete copy of any existing design documentation and user documentation; and/or Complete instructions for compiling and linking every part of the source code into executable code for purposes of enabling verification of the completeness of the source code as provided below. Such instructions shall include precise identification of all compilers, library packages, and linkers used to generate executable code. Vendor and EWU shall use best efforts to enter into such an Escrow Agreement as soon as possible after the Effective Date of this Contract, but not later than thirty (30) days after the Effective Date of this Contract. Delivery of New Source Code into Escrow. If during the term of this Contract, term of license, or term of maintenance and support, Vendor provides EWU with a maintenance release or upgrade version of the licensed Software, Vendor shall within ten (10) Business Days deposit with Escrow Agent a Source Code Escrow Package for the maintenance release or upgrade version and give EWU notice of such delivery. Verification of Source Code Escrow Package. At its option and expense, EWU may request that the completeness and accuracy of any Source Code Escrow Package be verified. Such verification may be requested once per Source Code Escrow Package. Such verification will be conducted by Escrow Agent or, upon at least ten (10) Business Days’ prior notice to Vendor, by another party (“Verifier”) acceptable to Vendor, after full disclosure to Vendor of information reasonably requested by Vendor about Verifier. Prior to conducting the verification, Verifier shall first execute a confidentiality agreement prepared by Vendor that precludes Verifier from disclosing any information to EWU about the Source Code Escrow Package other than whether the Source Code Escrow Package was found to be complete and accurate. Unless otherwise agreed at the time by Vendor and EWU, verification will be performed on-site at Vendor’s premises, utilizing Vendor’s equipment and software, at a time reasonably acceptable to Vendor. Vendor shall make technical and support personnel available as reasonably necessary for the verification. At its discretion, Vendor may designate a representative to accompany the Source Code Escrow Package at all times, and to be present at the verification. Verifier will be EWU’s sole representative at the verification. Verifier is solely responsible for the completeness and accuracy of the verification. Neither the Escrow Agent, if different from the Verifier, nor Vendor shall have any responsibility or liability to EWU for any incompleteness or inaccuracy of any verification. Escrow Fees. All fees and expenses charged by Escrow Agent will be borne by Vendor. Release Events for Source Code Escrow Packages. The Source Code Escrow Package may be released from escrow to EWU, temporarily or permanently, solely upon the occurrence of one or more of the following “Escrow Release Events:” Vendor becomes insolvent, makes a general assignment for the benefit of creditors, files a voluntary petition of bankruptcy, suffers or permits the appointment of a receiver for business or assets, or becomes subject to any proceeding under any bankruptcy or insolvency law, whether domestic or foreign;

Exhibit C: Model Information Technology Contract

5

  Vendor has wound up or liquidated its business voluntarily or otherwise and EWU has compelling reasons to believe that such events will cause Vendor to fail to meet its warranties and maintenance obligations in the foreseeable future; or Vendor has voluntarily or otherwise discontinued support of the Software or fails to support the Software in accordance with its warranties and maintenance obligations. Release Event Procedures. If EWU desires to obtain the Source Code Escrow Package from Escrow Agent: EWU shall comply with the procedures set forth in the Escrow Agreement to document the occurrence of the Release Event; EWU shall maintain all materials and information comprising the Source Code Escrow Package in confidence in accordance with the Contract section titled Vendor’s Proprietary Information; If the release is temporary, EWU shall promptly return all released materials to Vendor when the circumstances leading to the release are no longer in effect; and EWU shall promptly, fully, and completely respond to any and all requests for information from Vendor concerning EWU’s use or contemplated use of the Source Code Escrow Package. Ownership/Rights in Data (required) EWU and Vendor agree that all data and work products (collectively called “Work Product”) produced pursuant to this Contract shall be considered work made for hire under the U.S. Copyright Act, 17 U.S.C. §101 et seq, and shall be owned by EWU. Vendor is hereby commissioned to create the Work Product. Work Product includes, but is not limited to, discoveries, formulae, ideas, improvements, inventions, methods, models, processes, techniques, findings, conclusions, recommendations, reports, designs, plans, diagrams, drawings, Software, databases, documents, pamphlets, advertisements, books, magazines, surveys, studies, computer programs, films, tapes, and/or sound reproductions, to the extent provided by law. Ownership includes the right to copyright, patent, register and the ability to transfer these rights and all information used to formulate such Work Product. If for any reason the Work Product would not be considered a work made for hire under applicable law, Vendor assigns and transfers to EWU the entire right, title and interest in and to all rights in the Work Product and any registrations and copyright applications relating thereto and any renewals and extensions thereof. Vendor shall execute all documents and perform such other proper acts as EWU may deem necessary to secure for EWU the rights pursuant to this section. Vendor shall not use or in any manner disseminate any Work Product to any third party, or represent in any way Vendor ownership in any Work Product, without the prior written permission of EWU. Vendor shall take all reasonable steps necessary to ensure that its agents, employees, or Subcontractors shall not copy or disclose, transmit or perform any Work Product or any portion thereof, in any form, to any third party. Material that is delivered under this Contract, but that does not originate therefrom (“Preexisting Material”), shall be transferred to EWU with a nonexclusive, royalty-free, irrevocable license to publish, translate, reproduce, deliver, perform, display, and dispose of such Preexisting Material, and to authorize others to do so except that such license shall be limited to the extent to which Vendor has a right to grant such a license. Vendor shall exert all reasonable effort to advise EWU at the time of delivery of Preexisting Material furnished under this Contract, of all known or potential infringements of publicity, privacy or of intellectual property contained therein and of any portion of such document which was not produced in the performance of this Contract. Vendor agrees to obtain, at its own expense, express written consent of the copyright holder for the inclusion of Preexisting Material. EWU shall receive prompt written notice of each notice or claim of copyright infringement or infringement of other intellectual property right worldwide received by Vendor with respect to any Preexisting Material delivered under this Contract. EWU shall have the right to modify or remove any restrictive markings placed upon the Preexisting Material by Vendor. Software Specifications All Software will conform to its Specifications. Vendor warrants that the Products delivered hereunder shall perform in conformance with the Specifications. Compliance with Standards Vendor represents that all Software and elements thereof, including but not limited to, documentation and source code, shall meet and be maintained by Vendor to conform to (the standards set forth in the RFX, Response, or Schedule Vendor warrants that it has received certification from an authorized certifying authority that its Software quality assurance practices conform to the requirements of the current version of the International Standards Organization (ISO) ISO-9001 standard “Quality systems - Model for quality assurance in design, development, production, installation and servicing” and that this certification was received within one (1) year of execution of this Contract. Vendor further warrants that it will maintain its quality assurance practices and certification in conformance with the ISO-9001 during the term of this Contract. Date Warranty (required) Exhibit C: Model Information Technology Contract

6

  Vendor warrants that all Software provided under this Contract: (i) does not have a life expectancy limited by date or time format; (ii) will correctly record, store, process, and present calendar dates; (iii) will lose no functionality, data integrity, or performance with respect to any date; and (iv) will be interoperable with other software used by EWU that may deliver date records from the Software, or interact with date records of the Software “Date Warranty”. In the event a Date Warranty problem is reported to Vendor by EWU and such problem remains unresolved after three (3) calendar days, at EWU’s discretion, Vendor shall send, at Vendor’s sole expense, at least one (1) qualified and knowledgeable representative to EWU’s premises. This representative will continue to address and work to remedy the failure, malfunction, defect, or nonconformity on EWU’s premises. This Date Warranty shall last perpetually. In the event of a breach of any of these representations and warranties, Vendor shall indemnify and hold harmless EWU from and against any and all harm, injury, damages, costs, and expenses incurred by EWU arising out of said breach. Physical Media Warranty Vendor warrants to EWU that each licensed copy of the Software provided by Vendor is and will be free from physical defects in the media that tangibly embodies the copy (the “Physical Media Warranty”). The Physical Media Warranty does not apply to defects discovered more than thirty (30) calendar days after the date of Acceptance of the Software copy by EWU. No Surreptitious Code Warranty (required) Vendor warrants to EWU that no licensed copy of the Software provided to EWU contains or will contain any Self-Help Code nor any Unauthorized Code as defined below. Vendor further warrants that Vendor will not introduce, via modem or otherwise, any code or mechanism that electronically notifies Vendor of any fact or event, or any key, node, lock, time-out, or other function, implemented by any type of means or under any circumstances, that may restrict EWU’s use of or access to any program, data, or equipment based on any type of limiting criteria, including frequency or duration of use for any copy of the Software provided to EWU under this Contract. The warranty is referred to in this Contract as the “No Surreptitious Code Warranty.” As used in this Contract, “Self-Help Code” means any back door, time bomb, drop dead device, or other software routine designed to disable a computer program automatically with the passage of time or under the positive control of a person other than a licensee of the Software. Self-Help Code does not include software routines in a computer program, if any, designed to permit an owner of the computer program (or other person acting by authority of the owner) to obtain access to a licensee’s computer system(s) (e.g., remote access via modem) solely for purposes of maintenance or technical support. As used in this Contract, “Unauthorized Code” means any virus, Trojan horse, worm or other software routines or equipment components designed to permit unauthorized access, to disable, erase, or otherwise harm Software, equipment, or data; or to perform any other such actions. The term Unauthorized Code does not include Self-Help Code. Vendor will defend EWU against any claim, and indemnify EWU against any loss or expense arising out of any breach of the No Surreptitious Code Warranty. No limitation of liability, whether contractual or statutory, shall apply to a breach of this warranty. Reauthorization Code Required If a reauthorization code must be keyed in by Vendor for the Software to remain functional upon movement to another computer system, Vendor shall provide the reauthorization code to EWU within one (1) Business Day after receipt of EWU’s notice of its machine upgrade or movement. Software Documentation Vendor will provide two (2) complete sets of documentation for each Software order, including technical, maintenance, and installation information. Vendor shall also provide two (2) complete sets of documentation for each updated version of Software that Vendor provides pursuant to the Software Upgrades and Enhancements section. Vendor shall provide the documentation on or before the date Vendor delivers its respective Software. There shall be no additional charge for this documentation or the updates, in whatever form provided. Vendor’s Software documentation shall be comprehensive, well structured, and indexed for easy reference. If Vendor maintains its technical, maintenance and installation documentation on a web site, Vendor may fulfill the obligations set forth in this section by providing EWU access to its web-based documentation information. Vendor may also provide such information on CD-ROM. Vendor grants EWU the right to make derivative works, update, modify, copy, or otherwise reproduce the documentation furnished pursuant to this section at no additional charge. Vendor’s Responsibilities Shipping and Risk of Loss Vendor shall ship all Products purchased pursuant to this Contract, freight prepaid, FOB EWU’s destination. The method of shipment shall be consistent with the nature of the Products and hazards of transportation. Regardless of FOB point, Vendor agrees to bear all risks of loss, damage, or destruction of the Products Exhibit C: Model Information Technology Contract

7

  ordered hereunder that occurs prior to [Delivery Date or Acceptance, except loss or damage attributable to EWU’s fault or negligence; and such loss, damage, or destruction shall not release Vendor from any obligation hereunder. After [Delivery Date or Acceptance, whichever is applicable], the risk of loss or damage shall be borne by EWU, except loss or damage attributable to Vendor’s fault or negligence. Delivery Vendor shall deliver the Products ordered pursuant to this Contract on or before [specify delivery date], the Delivery Date. For any exception to this Delivery Date, Vendor must notify EWU and obtain prior approval in writing. Time is of the essence with respect to delivery and Vendor may be subject to liquidated damages and/or termination of an order or of this Contract and/or other damages available under law for failure to deliver on time. All deliveries made pursuant to this Contract must be complete. Unless Vendor has obtained prior written approval from EWU, which shall not be withheld unreasonably, incomplete deliveries or backorders will not be accepted. All packages must be accompanied by a packing slip that identifies all items included with the shipment and the EWU’s Order Document number. Vendor’s delivery receipt must be signed by an authorized representative of EWU for all deliveries made hereunder. Vendor shall maintain a website from which EWU may download the Software [specify method of access for EWU, security, etc.]. Such web site shall be of a design approved by both Vendor and EWU prior to this Contract’s execution. Vendor shall not change such web site without the prior written consent of EWU. Time is of the essence with respect to delivery and Vendor may be subject to termination of this Contract and/or other damages available under law for failure to maintain an operable web site. Site Security While on EWU’s premises, Vendor, its agents, employees, or Subcontractors shall conform in all respects with physical, fire, or other security regulations. Installation Vendor shall install the Software on EWU’s designated equipment in accordance with the [applicable industry standards–OR–installation requirements in RFX. Standard of Performance and Acceptance This section establishes a Standard of Performance that must be met before Acceptance. This Standard of Performance is also applicable to any additional, replacement, or substitute Software and any Software that is modified by or with the written approval of Vendor after having been Accepted. The Standard of Performance for Software is defined in RFP or a Schedule. The Acceptance Testing period shall be thirty (30) calendar days starting from the day after the Software is installed and Vendor certifies that Software is ready for Acceptance Testing. EWU will review all pertinent data and shall maintain appropriate daily records to ascertain whether the Standard of Performance has been met. In the event the Software does not meet the Standard of Performance during the initial period of Acceptance Testing, EWU may, at its discretion, continue Acceptance Testing on a day-to-day basis until the Standard of Performance is met. If after [ninety (90) calendar days, or other appropriate time period] the Software still has not met the Standard of Performance EWU may, at its option: (i) declare Vendor to be in breach of this Contract and terminate this Order or this Contract; or, (ii) at the sole option of EWU, demand replacement Software from Vendor at no additional cost to EWU; or, (iii) continue the Acceptance Testing for an additional [thirty (30) calendar days]. EWU’s option to declare Vendor in breach and terminate this Order or this Contract shall remain in effect until exercised or until such time as Acceptance Testing is successfully completed. Software shall not be accepted and no charges shall be paid until this Standard of Performance is met. The date of Acceptance shall be the first EWU Business Day following the successful Acceptance Testing period and shall be formalized in a notice of Acceptance from EWU to Vendor. Software Warranty Vendor warrants that the Software shall be in good operating condition and shall conform to the Specifications for a period of [ninety (90) days, or as specified by EWU in the RFP or in Vendor’s Response], the Warranty Period. This Warranty Period begins the first day after the Acceptance Date. Vendor shall replace all Software that is defective or not performing in accordance with the Specifications, at Vendor’s sole expense. Software Upgrades and Enhancements Vendor shall Supply at no additional cost updated versions of the Software to operate on upgraded versions of operating systems, upgraded versions of firmware, or upgraded versions of hardware; Supply at no additional cost updated versions of the Software that encompass improvements, extensions, maintenance updates, error corrections, or other changes that are logical improvements or extensions of the original Software supplied to EWU; and Supply at no additional cost interface modules that are developed by Vendor for interfacing the Software to other Software products. Exhibit C: Model Information Technology Contract

8

  Software Maintenance and Support Services Vendor shall provide a replacement copy or correction service at no additional cost to EWU for any error, malfunction, or defect in Software that, when used as delivered, fails to perform in accordance with the Specifications and that EWU shall bring to Vendor’s attention. Vendor shall undertake such correction service as set forth below and shall use its best efforts to make corrections in a manner that is mutually beneficial. Vendor shall disclose all known defects and their detours or workarounds to EWU. In addition, Vendor shall provide the following Services: Help Desk Services. Vendor shall provide Help Desk Services for reporting errors and malfunctions and troubleshooting problems. Vendor’s Help Desk Services shall be [web-based and/or by toll-free telephone lines and/or via e-mail]. Vendor’s Help Desk Services shall include but are not limited to the following Services: Assistance related to questions on the use of the subject Software; Assistance in identifying and determining the causes of suspected errors or malfunctions in the Software; Advice on detours or workarounds for identified errors or malfunctions, where reasonably available; Information on errors previously identified by EWU and reported to Vendor and detours to these where available; and Advice on the completion and authorization for submission of the required form(s) reporting identified problems in the Software to Vendor. On-line Support. Vendor may execute on-line diagnostics from a remote Vendor location solely to assist in the identification and isolation of suspected Software errors or malfunctions. [For the Error and Malfunction Service below, build escalation procedures with different response times and requirements depending upon the severity of specific types of problems.] Error and Malfunction Service. Within two (2) Business Days of receiving oral or written notification by EWU of identified errors or malfunctions in the Software, Vendor will either: Provide EWU with detour or code correction to the Software error or malfunctions. Each detour or code correction will be made available in the form of either a written correction notice or machine-readable media and will be accompanied by a level of documentation adequate to inform EWU of the problem resolved and any significant operational differences resulting from the correction that is known by Vendor, or Provide EWU with a written response describing Vendor’s then-existing diagnosis of the error or malfunction and generally outlining Vendor’s then-existing plan and timetable, subject to EWU’s approval, for correcting or working around the error or malfunction. On-Call Support. If a problem occurs that significantly impacts EWU’s usage of the Software and remains unidentified or unresolved after EWU has utilized the detour or code correction prescribed by Vendor pursuant to subsection 0 or 0 above, Vendor will dispatch a qualified representative to the system location during Business Days and Hours. The representative must arrive within [________(__)] Business Hours. This representative shall have the qualifications necessary to provide: Advice and assistance in diagnosis and identification of Software errors or malfunctions. On-site consultation on correction or detour of identified errors or malfunctions. When Vendor performs Services pursuant to this Contract that require the use of EWU’s equipment, EWU agrees to make the equipment available at reasonable times and in reasonable time increments, and in no event will EWU charge Vendor for such use. Maintenance Release Services. Vendor will provide error corrections and maintenance releases to the Software that have been developed by Vendor at no additional cost to EWU. Such releases shall be licensed to EWU pursuant to the terms and conditions of this Contract. Each maintenance release will consist of a set of programs and files made available in the form of machine-readable media and will be accompanied by a level of documentation adequate to inform EWU of the problems resolved including any significant differences resulting from the release that are known by Vendor. Vendor agrees that each maintenance release of Software will be compatible with the then-current unaltered release of Software applicable to the computer system. Vendor Commitments, Warranties and Representations (required) Any written commitment by Vendor within the scope of this Contract shall be binding upon Vendor. Failure of Vendor to fulfill such a commitment may constitute breach and shall render Vendor liable for damages under the terms of this Contract. For purposes of this section, a commitment by Vendor includes: (i) Prices, discounts, and options committed to remain in force over a specified period of time; and (ii) any warranty or representation made by Vendor in its Response or contained in any Vendor or manufacturer publications, written materials, schedules, charts, diagrams, tables, descriptions, other written representations, and any other communication medium accompanying or referred to in its Response or used to effect the sale to EWU. Training Vendor agrees to provide training as set forth in Exhibit B, in accordance with the requirements set forth in Exhibit A. Exhibit C: Model Information Technology Contract

9

  At the time of installation, Vendor shall provide [____ (__)] days of training, by at least one qualified Vendor employee to be attended by up to [____ (__)] of EWU’s employees, agents, or independent contractors, at the installation site or at such other location as the parties may agree. Such training shall, at a minimum, include orientation and familiarization training on the Software and be sufficiently thorough to instruct EWU’s staff in the use of the Software. The starting date of the training will be as agreed by the parties, but in no case later than [day, month, year]. EWU shall have the right, so long as the Software licensed or purchased hereunder is in use by EWU, to give instruction to EWU’s personnel in all courses described above without charge, using materials supplied by Vendor. Such use by EWU of Vendor’s materials shall include the right to reproduce the same solely for the permitted use, which use and reproduction shall not be a violation or infringement upon any patent, copyright, or other proprietary right of Vendor. Vendor grants to EWU the right to make derivative works, update, modify, copy, or otherwise reproduce the documentation furnished pursuant to this section at no additional charge. Protection of EWU’s Confidential Information (required) Safeguarding of Information Vendor acknowledges that some of the material and information that may come into its possession or knowledge in connection with this Contract or its performance may consist of information that is exempt from disclosure to the public or other unauthorized persons under either chapter 42.56 RCW or other state or federal statutes (“Confidential Information”). Confidential Information includes, but is not limited to, names, addresses, Social Security numbers, e-mail addresses, telephone numbers, financial profiles, credit card information, driver’s license numbers, medical data, law enforcement records, agency source code or object code, agency security data, or [add other items as necessary or delete items not applicable], or information identifiable to an individual that relates to any of these types of information. Vendor agrees to hold Confidential Information in strictest confidence and not to make use of Confidential Information for any purpose other than the performance of this Contract, to release it only to authorized employees or Subcontractors requiring such information for the purposes of carrying out this Contract, and not to release, divulge, publish, transfer, sell, disclose, or otherwise make the information known to any other party without EWU’s express written consent or as provided by law. Vendor agrees to release such information or material only to employees or Subcontractors who have signed a nondisclosure agreement, the terms of which have been previously approved by EWU. Vendor agrees to implement physical, electronic, and managerial safeguards to prevent unauthorized access to Confidential Information. Immediately upon expiration or termination of this Contract, Vendor shall, at EWU’s option: (i) certify to EWU that Vendor has destroyed all Confidential Information; or (ii) return all Confidential Information to EWU; or (iii) take whatever other steps EWU requires of Vendor to protect EWU’s Confidential Information. Vendor shall maintain a log documenting the following: the Confidential Information received in the performance of this Contract; the purpose(s) for which the Confidential Information was received; who received, maintained and used the Confidential Information; and the final disposition of the Confidential Information. Vendor’s records shall be subject to inspection, review or audit in accordance with Review of Vendor’s Records. EWU reserves the right to monitor, audit, or investigate the use of Confidential Information collected, used, or acquired by Vendor through this Contract. The monitoring, auditing, or investigating may include, but is not limited to, salting databases. Violation of this section by Vendor or its Subcontractors may result in termination of this Contract and demand for return of all Confidential Information, monetary damages, or penalties. Contract Administration Legal Notices Any notice or demand or other communication required or permitted to be given under this Contract or applicable law shall be effective only if it is in writing and signed by the applicable party, properly addressed, and either delivered in person, or by a recognized courier service, or deposited with the United States Postal Service as first-class mail, postage prepaid [certified mail, return receipt requested, via facsimile or by electronic mail], to the parties at the addresses [and fax number, e-mail addresses] provided in this section. For purposes of complying with any provision in this Contract or applicable law that requires a “writing,” such communication, when digitally signed with a Washington State Licensed Certificate, shall be considered to be “in writing” or “written” to an extent no less than if it were in paper form. To Vendor at: [Vendor] Attn: [Vendor address] Exhibit C: Model Information Technology Contract

To EWU at: Attn: [EWU Contract Administrator] [EWU address] 10

  Phone: Fax: E-mail:

Phone: Fax: E-mail:

Notices shall be effective upon receipt or four (4) Business Days after mailing, whichever is earlier. The notice address as provided herein may be changed by written notice given as provided above. In the event that a subpoena or other legal process commenced by a third party in any way concerning the Software or Services provided pursuant to this Contract is served upon Vendor or EWU, such party agrees to notify the other party in the most expeditious fashion possible following receipt of such subpoena or other legal process. Vendor and EWU further agree to cooperate with the other party in any lawful effort by the other party to contest the legal validity of such subpoena or other legal process commenced by a third party. Vendor Account Manager Vendor shall appoint an Account Manager for EWU’s account under this Contract who will provide oversight of Vendor activities conducted hereunder. Vendor’s Account Manager will be the principal point of contact for EWU concerning Vendor’s performance under this Contract. Vendor shall notify EWU Contract Administrator and EWU Project Manager, in writing, when there is a new Vendor Account Manager assigned to this Contract. The Vendor Account Manager information is: Vendor Account Manager: Address: Phone: Fax: E-mail: EWU’s Project Manager EWU shall appoint [name] who will be the EWU Project Manager for this Contract and will provide oversight of the activities conducted hereunder. EWU’s Project Manager will be the principal contact for Vendor concerning business activities under this Contract. EWU shall notify Vendor, in writing, when there is a new EWU Project Manager assigned to this Contract. Section Headings, Incorporated Documents and Order of Precedence (required) The headings used herein are inserted for convenience only and shall not control or affect the meaning or construction of any of the sections. Each of the documents listed below is, by this reference, incorporated into this Contract as though fully set forth herein. Schedules A, B and C [if applicable]; [include other Schedules, if appropriate] EWU RFP dated [date]; Vendor’s Response to EWU’s RFP dated [date]; The terms and conditions contained on EWU’s purchase documents, if used; and All Vendor or manufacturer publications, written materials and schedules, charts, diagrams, tables, descriptions, other written representations and any other supporting materials Vendor made available to EWU and used to effect the sale of Software to EWU. In the event of any inconsistency in this Contract, the inconsistency shall be resolved in the following order of precedence: Applicable federal and state statutes, laws, and regulations; Sections of this Contract; Schedule A; [include other Schedules, if appropriate] EWU’s RFP dated [date]; Vendor’s Response to EWU RFP dated [date]; The terms and conditions contained on EWU’s order documents, if used; and All Vendor or manufacturer publications, written materials and schedules, charts, diagrams, tables, descriptions, other written representations and any other supporting materials Vendor made available to EWU and used to effect the sale of Software to EWU. Entire Agreement (required) This Contract sets forth the entire agreement between the parties with respect to the subject matter hereof and except as provided in the section titled Vendor Commitments, Warranties and Representations, understandings, agreements, representations, or warranties not contained in this Contract or a written amendment hereto shall not be binding on either party. Except as provided herein, no alteration of any of the terms, conditions, delivery, Price, quality, or Specifications of this Contract will be effective without the written consent of both parties. Authority for Modifications and Amendments Exhibit C: Model Information Technology Contract

11

  No modification, amendment, alteration, addition, or waiver of any section or condition of this Contract shall be effective or binding unless it is in writing and signed by EWU and Vendor Contracting Officers. Only EWU’s Contracting Officer shall have the express, implied, or apparent authority to alter, amend, modify, add, or waive any section or condition of this Contract on behalf of EWU. Independent Status of Vendor (required) In the performance of this Contract, the parties will be acting in their individual, corporate or governmental capacities and not as agents, employees, partners, joint venturers, or associates of one another. The parties intend that an independent contractor relationship will be created by this Contract. The employees or agents of one party shall not be deemed or construed to be the employees or agents of the other party for any purpose whatsoever. Vendor shall not make any claim of right, privilege or benefit which would accrue to an employee under chapter 41.06 RCW or Title 51 RCW. Governing Law (required) Venue This Contract shall be governed in all respects by the law and statutes of the state of Washington, without reference to conflict of law principles. However, if the Uniform Computer Information Transactions Act (UCITA) or any substantially similar law is enacted as part of the law of the state of Washington, said statute will not govern any aspect of this Contract or any license granted hereunder, and instead the law as it existed prior to such enactment will govern. The jurisdiction for any action hereunder shall be exclusively in the Superior Court for the state of Washington. The venue of any action hereunder shall be in the Superior Court for Spokane County, Washington. Subcontractors Vendor may, with prior written permission from EWU Contracting Officer, which consent shall not be unreasonably withheld, enter into subcontracts with third parties for its performance of any part of Vendor’s duties and obligations. In no event shall the existence of a subcontract operate to release or reduce the liability of Vendor to EWU for any breach in the performance of Vendor’s duties. For purposes of this Contract, Vendor agrees that all Subcontractors shall be held to be agents of Vendor. Vendor shall be liable for any loss or damage to EWU, including but not limited to personal injury, physical loss, harassment of EWU’s employee, or violations of the Patent and Copyright Indemnification, Protection of EWU’s Confidential Information, Ownerhip/Rights in Data, and Software Ownership sections of this Contract occasioned by the acts or omissions of Vendor’s Subcontractors, their agents or employees. The Patent and Copyright Indemnification, Protection of EWU’s Confidential Information, Ownership/Rights in Data, Software Ownership, Publicity and Review of Vendor’s Records sections of this Contract shall apply to all Subcontractors. Assignment With the prior written consent of EWU’s Contracting Officer, which consent shall [“not be unreasonably withheld,” – OR – “ be at EWU’s sole option”], Vendor may assign this Contract including the proceeds hereof, provided that such assignment shall not operate to relieve Vendor of any of its duties and obligations hereunder, nor shall such assignment affect any remedies available to EWU that may arise from any breach of the sections of this Contract, or warranties made herein including but not limited to, rights of setoff. EWU may assign this Contract to any public agency, commission, board, or the like, within the political boundaries of the state of Washington, provided that such assignment shall not operate to relieve EWU of any of its duties and obligations hereunder. Publicity (required) The award of this Contract to Vendor is not in any way an endorsement of Vendor or Vendor’s products by EWU and shall not be so construed by Vendor in any advertising or other publicity materials. Vendor agrees to submit to EWU, all advertising, sales promotion, and other publicity materials relating to this Contract or any Product furnished by Vendor wherein EWU’s name is mentioned, language is used, or Internet links are provided from which the connection of EWU’s name therewith may, in EWU’s judgment, be inferred or implied. Vendor further agrees not to publish or use such advertising, sales promotion materials, publicity or the like through print, voice, the World Wide Web, and other communication media in existence or hereinafter developed without the express written consent of EWU prior to such use. Review of Vendor’s Records (required) Vendor and its Subcontractors shall maintain books, records, documents and other evidence relating to this Contract, including but not limited to Minority and Women’s Business Enterprise participation, protection and use of EWU’s Confidential Information, and accounting procedures and practices which sufficiently and properly reflect all direct and indirect costs of any nature invoiced in the performance of this Contract. Vendor shall retain all such records for six (6) years after the expiration or termination of this Contract. Records involving matters in litigation related to this Contract shall be kept for either one (1) year following the termination of litigation, Exhibit C: Model Information Technology Contract

12

  including all appeals, or six (6) years from the date of expiration or termination of this Contract, whichever is later. All such records shall be subject at reasonable times and upon prior notice to examination, inspection, copying, or audit by personnel so authorized by the EWU’s Contract Administrator and/or the Office of the State Auditor and federal officials so authorized by law, rule, regulation or contract, when applicable, at no additional cost to the State. During this Contract’s term, Vendor shall provide access to these items within Spokane County. Vendor shall be responsible for any audit exceptions or disallowed costs incurred by Vendor or any of its Subcontractors. Vendor shall incorporate in its subcontracts this section’s records retention and review requirements. It is agreed that books, records, documents, and other evidence of accounting procedures and practices related to Vendor’s cost structure, including overhead, general and administrative expenses, and profit factors shall be excluded from EWU’s review unless the cost or any other material issue under this Contract is calculated or derived from these factors. General Provisions Patent and Copyright Indemnification (required) Vendor, at its expense, shall defend, indemnify, and save EWU harmless from and against any claims against EWU that any Product [and/or Work Product] supplied hereunder, or EWU’s use of the Product [and/or Work Product] within the terms of this Contract, infringes any patent, copyright, utility model, industrial design, mask work, trade secret, trademark, or other similar proprietary right of a third party worldwide. Vendor shall pay all costs of such defense and settlement and any penalties, costs, damages and attorneys’ fees awarded by a court or incurred by EWU provided that EWU: Promptly notifies Vendor in writing of the claim, but EWU’s failure to provide timely notice shall only relieve Vendor from its indemnification obligations if and to the extent such late notice prejudiced the defense or resulted in increased expense or loss to Vendor; and Cooperates with and agrees to use its best efforts to encourage the Office of the Attorney General of Washington to grant Vendor sole control of the defense and all related settlement negotiations. If such claim has occurred, or in Vendor’s opinion is likely to occur, EWU agrees to permit Vendor, at its option and expense, either to procure for EWU the right to continue using the Product [and/or Work Product] or to replace or modify the same so that they become noninfringing and functionally equivalent. If use of the Product [and/or Work Product] is enjoined by a court and Vendor determines that none of these alternatives is reasonably available, Vendor, at its risk and expense, will take back the Product [and/or Work Product] and provide EWU a refund. [Insert this sentence if Contract includes Work Product: “In the case of Work Product, Vendor shall refund to EWU the entire amount EWU paid to Vendor for Vendor’s provision of the Work Product.”] In the case of Product, Vendor shall refund to EWU its depreciated value. No termination charges will be payable on such returned Product, and EWU will pay only those charges that were payable prior to the date of such return. Depreciated value shall be calculated on the basis of a useful life of [four (4)] years commencing on the date of purchase and shall be an equal amount per year over said useful life. [To ensure the accurate useful life, consult the Washington State Administrative and Accounting Manual, Chapter 30 (Fixed Asset Policies) for Fixed Asset Commodity Class Code List and Useful Life Schedule (http://www.ofm.wa.gov/policy/30.50.htm).] The depreciation for fractional parts of a year shall be prorated on the basis of three hundred sixty-five (365) days per year. In the event the Product has been installed less than one (1) year, all costs associated with the initial installation paid by EWU shall be refunded by Vendor. Vendor has no liability for any claim of infringement arising solely from: Vendor’s compliance with any designs, specifications or instructions of EWU; Modification of the Product [and/or Work Product] by EWU or a third party without the prior knowledge and approval of Vendor; or Use of the Product [and/or Work Product] in a way not specified by Vendor; unless the claim arose against Vendor’s Product [and/or Work Product] independently of any of these specified actions Save Harmless (required) Vendor shall defend, indemnify, and save EWU harmless from and against any claims, including reasonable attorneys’ fees resulting from such claims, by third parties for any or all injuries to persons or damage to property of such third parties arising from intentional, willful or negligent acts or omissions of Vendor, its officers, employees, or agents, or Subcontractors, their officers, employees, or agents. Vendor’s obligation to defend, indemnify, and save EWU harmless shall not be eliminated or reduced by any alleged concurrent EWU negligence. Insurance Vendor shall, during the term of this Contract, maintain in full force and effect, the insurance described in this section. Vendor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business Exhibit C: Model Information Technology Contract

13

  in the state of Washington having a rating of A-, Class VII or better, in the most recently published edition of Best’s Reports. In the event of cancellation, non-renewal, revocation, or other termination of any insurance coverage required by this Contract, Vendor shall provide written notice of such to EWU within one (1) Business Day of Vendor’s receipt of such notice. Failure to buy and maintain the required insurance may, at EWU’s sole option, result in this Contract’s termination. The minimum acceptable limits shall be as indicated below, with no deductible for each of the following categories: Commercial General Liability covering the risks of bodily injury (including death), property damage and personal injury, including coverage for contractual liability, with a limit of not less than $1 million per occurrence/$2 million general aggregate; Business Automobile Liability (owned, hired, or non-owned) covering the risks of bodily injury (including death) and property damage, including coverage for contractual liability, with a limit of not less than $1 million per accident; Employers Liability insurance covering the risks of Vendor’s employees’ bodily injury by accident or disease with limits of not less than $1 million per accident for bodily injury by accident and $1 million per employee for bodily injury by disease; Professional Liability Errors and Omissions, with a deductible not to exceed $25,000, conditioned upon subsection 0 below, and coverage of not less than $1 million per occurrence/$2 million general aggregate; and Crime Coverage with a deductible not to exceed $1 million, conditioned upon subsection 0 below, and coverage of not less than $5 million single limit per occurrence and $10 million in the aggregate, which shall at a minimum cover occurrences falling in the following categories: Computer Fraud; Forgery; Money and Securities; and Employee Dishonesty. For Professional Liability Errors and Omissions coverage and Crime Coverage, Vendor shall: (i) continue such coverage for six (6) years beyond the expiration or termination of this Contract, naming EWU as an additional insured and providing EWU with certificates of insurance on an annual basis; (ii) within thirty (30) days of execution of this Contract provide for EWU’s benefit an irrevocable stand-by letter of credit, or other financial assurance acceptable to EWU, in the amount of $1 million, during the initial and any subsequent terms of this Contract and for six (6) years beyond the expiration or termination of this Contract to pay for any premiums to continue such claims-made policies, or available tails, whichever is appropriate, at EWU’s sole option, in the event Vendor fails to do so. In addition, such irrevocable stand-by letter of credit shall provide for payment of any deductible on the Professional Liability Errors and Omissions policy and the Crime Coverage under the same terms and conditions of such policy as though there were no deductible. “Irrevocable stand-by letter of credit” as used in this Contract means a written commitment by a federally insured financial institution to pay all or part of a stated amount of money, until the expiration date of the letter, upon presentation by EWU of a written demand therefor. Vendor shall pay premiums on all insurance policies. Such insurance policies shall name EWU as an additional insured on all general liability, automobile liability, and umbrella policies. Such policies shall also reference this Contract number [XXX-XXX-XXX] and shall have a condition that they not be revoked by the insurer until fortyfive (45) calendar days after notice of intended revocation thereof shall have been given to EWU by the insurer. All insurance provided by Vendor shall be primary as to any other insurance or self-insurance programs afforded to or maintained by the State and shall include a severability of interests (cross-liability) provision. Vendor shall include all Subcontractors as insured under all required insurance policies, or shall furnish separate certificates of insurance and endorsements for each Subcontractor. Subcontractor(s) shall comply fully with all insurance requirements stated herein. Failure of Subcontractor(s) to comply with insurance requirements does not limit Vendor’s liability or responsibility. Vendor shall furnish to EWU copies of certificates of all required insurance within thirty (30) calendar days of this Contract’s Effective Date and copies of renewal certificates of all required insurance within thirty (30) days after the renewal date. These certificates of insurance must expressly indicate compliance with each and every insurance requirement specified in this section. Failure to provide evidence of coverage may, at EWU’s sole option, result in this Contract’s termination. By requiring insurance herein, EWU does not represent that coverage and limits will be adequate to protect Vendor. Such coverage and limits shall not limit Vendor’s liability under the indemnities and reimbursements granted to EWU in this Contract. Industrial Insurance Coverage (required) Prior to performing work under this Contract, Vendor shall provide or purchase industrial insurance coverage for its employees, as may be required of an “employer” as defined in Title 51 RCW, and shall maintain full compliance with Title 51 RCW during the course of this Contract. EWU will not be responsible for payment of industrial insurance premiums or for any other claim or benefit for Vendor, or any Subcontractor or employee of Exhibit C: Model Information Technology Contract

14

  Vendor, which might arise under the industrial insurance laws during the performance of duties and services under this Contract. Licensing Standards Vendor shall comply with all applicable local, state, and federal licensing, accreditation and registration requirements and standards necessary in the performance of this Contract. OSHA/WISHA Vendor represents and warrants that its Products, when shipped, are designed and manufactured to meet then current federal and state safety and health regulations. Vendor agrees to indemnify and hold EWU harmless from all damages assessed against EWU as a result of the failure of the Products furnished under this Contract to so comply. Uniform Commercial Code (UCC) Applicability Except to the extent the sections of this Contract are clearly inconsistent, this Contract shall be governed by any applicable sections of the Uniform Commercial Code (UCC) as set forth in Title 62A RCW. To the extent this Contract entails delivery or performance of services, such services shall be deemed “goods” within the meaning of the UCC, except when to do so would result in an absurdity. In the event of any clear inconsistency or contradiction between this Contract and the UCC, the terms and conditions of this Contract take precedence and shall prevail unless otherwise provided by law. Antitrust Violations Vendor and EWU recognize that, in actual economic practice, overcharges resulting from antitrust violations are usually borne by EWU. Therefore, Vendor hereby assigns to EWU any and all claims for such overcharges as to goods and services purchased in connection with this Contract, except as to overcharges not passed on to EWU resulting from antitrust violations commencing after the date of the bid, quotation, or other event establishing the Price under this Contract. Compliance with Civil Rights Laws (required) During the performance of this Contract, Vendor shall comply with all federal and applicable state nondiscrimination laws, including but not limited to: Title VII of the Civil Rights Act, 42 U.S.C. §12101 et seq.; the Americans with Disabilities Act (ADA); and Title 49.60 RCW, Washington Law Against Discrimination. In the event of Vendor’s noncompliance or refusal to comply with any nondiscrimination law, regulation or policy, this Contract may be rescinded, canceled, or terminated in whole or in part under the Termination for Default sections, and Vendor may be declared ineligible for further contracts with EWU. Severability (required) If any term or condition of this Contract or the application thereof is held invalid, such invalidity shall not affect other terms, conditions, or applications which can be given effect without the invalid term, condition, or application; to this end the terms and conditions of this Contract are declared severable. Waiver (required) Waiver of any breach of any term or condition of this Contract shall not be deemed a waiver of any prior or subsequent breach. No term or condition of this Contract shall be held to be waived, modified, or deleted except by a written instrument signed by the parties. Treatment of Assets Title to all property furnished by EWU shall remain EWU’s. Title to all property furnished by Vendor, for which Vendor is entitled to reimbursement, other than rental payments, under this Contract, shall pass to and vest in EWU pursuant to the Ownership/Rights in Data section. As used in this section Treatment of Assets, if the “property” is Vendor’s proprietary, copyrighted, patented, or trademarked works, only the applicable license, not title, is passed to and vested to EWU. Any EWU property furnished to Vendor shall, unless otherwise provided herein or approved by EWU, be used only for the performance of this Contract. Vendor shall be responsible for any loss of or damage to property of EWU that results from Vendor’s negligence or that results from Vendor’s failure to maintain and administer that property in accordance with sound management practices. Upon loss or destruction of, or damage to any EWU property, Vendor shall notify EWU thereof and shall take all reasonable steps to protect that property from further damage. Vendor’s Proprietary Information (required) Vendor acknowledges that EWU is subject to chapter 42.56 RCW and that this Contract shall be a public record as defined in chapter 42.56 RCW. Any specific information that is claimed by Vendor to be Proprietary Information must be clearly identified as such by Vendor. To the extent consistent with chapter 42.56 RCW, EWU shall maintain the confidentiality of all such information marked Proprietary Information. If a public disclosure request is made to view Vendor’s Proprietary Information, EWU will notify Vendor of the request and of the date that such records will be released to the requester unless Vendor obtains a court order from a court Exhibit C: Model Information Technology Contract

15

  of competent jurisdiction enjoining that disclosure. If Vendor fails to obtain the court order enjoining disclosure, EWU will release the requested information on the date specified. Disputes and Remedies Disputes In the event a dispute arises under this Contract, it shall be handled by a Dispute Resolution Panel in the following manner. Each party to this Contract shall appoint one member to the Panel. These two appointed members shall jointly appoint an additional member. The Dispute Resolution Panel shall review the facts, Contract terms and applicable statutes and rules and make a determination of the dispute as quickly as reasonably possible. The determination of the Dispute Resolution Panel shall be final and binding on the parties hereto. EWU and Vendor agree that, the existence of a dispute notwithstanding, they will continue without delay to carry out all their respective responsibilities under this Contract that are not affected by the dispute. In the event a bona fide dispute concerning a question of fact arises between EWU and Vendor and it cannot be resolved between the parties, either party may initiate the dispute resolution procedure provided herein. The initiating party shall reduce its description of the dispute to writing and deliver it to the responding party. The responding party shall respond in writing within three (3) Business Days. The initiating party shall have three (3) Business Days to review the response. If after this review resolution cannot be reached, both parties shall have three (3) Business Days to negotiate in good faith to resolve the dispute. If the dispute cannot be resolved after three (3) Business Days, a Dispute Resolution Panel may be requested in writing by either party who shall also identify the first panel member. Within three (3) Business Days of receipt of the request, the other party will designate a panel member. Those two panel members will appoint a third individual to the dispute resolution panel within the next three (3) Days. The Dispute Resolution Panel will review the written descriptions of the dispute, gather additional information as needed, and render a decision on the dispute in the shortest practical time. Each party shall bear the cost for its panel member and share equally the cost of the third panel member. Both parties agree to be bound by the determination of the Dispute Resolution Panel. Both parties agree to exercise good faith in dispute resolution and to settle disputes prior to using a Dispute Resolution Panel whenever possible. EWU and Vendor agree that, the existence of a dispute notwithstanding, they will continue without delay to carry out all their respective responsibilities under this Contract that are not affected by the dispute. If the subject of the dispute is the amount due and payable by EWU for Services being provided by Vendor, Vendor shall continue providing Services pending resolution of the dispute provided EWU pays Vendor the amount EWU, in good faith, believes is due and payable, and places in escrow the difference between such amount and the amount Vendor, in good faith, believes is due and payable. Attorneys’ Fees and Costs If any litigation is brought to enforce any term, condition, or section of this Contract, or as a result of this Contract in any way, the prevailing party shall be awarded its reasonable attorneys’ fees together with expenses and costs incurred with such litigation, including necessary fees, costs, and expenses for services rendered at both trial and appellate levels, as well as subsequent to judgment in obtaining execution thereof. In the event that the parties engage in arbitration, mediation or any other alternative dispute resolution forum to resolve a dispute in lieu of litigation, both parties shall share equally in the cost of the alternative dispute resolution method, including cost of mediator or arbitrator. In addition, each party shall be responsible for its own attorneys’ fees incurred as a result of the alternative dispute resolution method. Non-Exclusive Remedies The remedies provided for in this Contract shall not be exclusive but are in addition to all other remedies available under law. Liquidated Damages Liquidated Damages – General Any delay by Vendor in meeting the [Delivery Date, Installation Date, maintenance or repair date, or other applicable date] set forth in this Contract will interfere with the proper implementation of EWU’s programs and will result in loss and damage to EWU. As it would be impracticable to fix the actual damage sustained in the event of any such failure(s) to perform, EWU and Vendor agree that in the event of any such failure(s) to perform, the amount of damage which will be sustained will be the amount set forth in the following subsections and the parties agree that Vendor shall pay such amounts as liquidated damages and not as a penalty. Liquidated damages provided under the terms of this Contract are subject to the same limitations as provided in the section titled Limitation of Liability. Liquidated Damages – Specific Exhibit C: Model Information Technology Contract

16

  If Vendor does not have the Software installed by the Installation Date, agreed upon between EWU and Vendor, then Vendor shall provide a revised [Delivery Date or Installation Date] and pay to EWU as fixed and agreed liquidated damages, in lieu of all other damages due to such delay, for each calendar day between the specified [Delivery Date or Installation Date] and the date that Vendor actually [delivers or installs] the Software an amount of [fixed dollar amount per day or percentage of total cost (purchase price plus applicable tax and shipping) of the delinquent Software per day]. If the revised [Delivery Date or Installation Date] is more than [___ (__)] calendar days from the original [Delivery Date or Installation Date, then by written notice to Vendor, EWU may immediately terminate the right of Vendor to [deliver or install] the Software and EWU may obtain substitute Software from another vendor. In this event, Vendor shall be liable for fixed and agreed-upon liquidated damages, in lieu of all other damages due to such delay, in the amount specified above, until substitute Software is [delivered or installed], or a maximum of [___(__)] [__] calendar days from the original [Installation Date], whichever occurs first. If Vendor’s maintenance personnel fail to arrive at EWU’s site within [insert agreed upon time period] after notification by EWU that maintenance is required, Vendor shall pay to EWU as fixed and agreed liquidated damages, in lieu of all other damages due to such non-responsiveness, for each hour between the agreed [insert agreed upon time period] response time and the actual response time an amount of [______] dollars [($____)] per hour for each “late” hour or part thereof (prorated) beginning with the time of notification by EWU and ending with the time that Vendor’s maintenance personnel arrive at EWU’s site. Failure to Perform If Vendor fails to perform any substantial obligation under this Contract, EWU shall give Vendor written notice of such Failure to Perform. If after thirty (30) calendar days from the date of the written notice Vendor still has not performed, then EWU may withhold all monies due and payable to Vendor, without penalty to EWU, until such Failure to Perform is cured or otherwise resolved. Limitation of Liability The parties agree that neither Vendor nor EWU shall be liable to each other, regardless of the form of action, for consequential, incidental, indirect, or special damages except a claim related to bodily injury or death, or a claim or demand based on a Date Warranty or No Surreptitious Code Warranty issue or patent, copyright, or other intellectual property right infringement, in which case liability shall be as set forth elsewhere in this Contract. This section does not modify any sections regarding liquidated damages or any other conditions as are elsewhere agreed to herein between the parties. The damages specified in the sections titled OSHA/WISHA, Termination for Default, and Review of Vendor’s Records are not consequential, incidental, indirect, or special damages as that term is used in this section. Neither Vendor nor EWU shall be liable for damages arising from causes beyond the reasonable control and without the fault or negligence of either Vendor or EWU. Such causes may include, but are not restricted to, acts of God or of the public enemy, acts of a governmental body other than EWU acting in either its sovereign or contractual capacity, war, explosions, fires, floods, earthquakes, epidemics, quarantine restrictions, strikes, freight embargoes, and unusually severe weather; but in every case the delays must be beyond the reasonable control and without fault or negligence of Vendor, EWU, or their respective Subcontractors. If delays are caused by a Subcontractor without its fault or negligence, Vendor shall not be liable for damages for such delays, unless the Services to be performed were obtainable on comparable terms from other sources in sufficient time to permit Vendor to meet its required performance schedule. Neither party shall be liable for personal injury to the other party or damage to the other party’s property except personal injury or damage to property proximately caused by such party’s respective fault or negligence. Contract Termination Termination for Default If either EWU or Vendor violates any material term or condition of this Contract or fails to fulfill in a timely and proper manner its obligations under this Contract, then the aggrieved party shall give the other party written notice of such failure or violation. The responsible party will correct the violation or failure within [thirty (30) calendar days or as otherwise mutually agreed in writing. If the failure or violation is not corrected, this Contract may be terminated immediately by written notice from the aggrieved party to the other party. The option to terminate shall be at the sole discretion of the aggrieved party. EWU reserves the right to suspend all or part of the Contract, withhold further payments, or prohibit Vendor from incurring additional obligations of funds during investigation of any alleged Vendor compliance breach and pending corrective action by Vendor or a decision by EWU to terminate the Contract. In the event of termination of this Contract by EWU, EWU shall have the right to procure the Products and Services that are the subject of this Contract on the open market and Vendor shall be liable for all damages, including, but not limited to: (i) the cost difference between the original Contract price for the Products and Services and the replacement costs of such Products and Services acquired from another Vendor; (ii) if applicable, all administrative costs directly related to the replacement of this Contract, such as costs of Exhibit C: Model Information Technology Contract

17

  competitive bidding, mailing, advertising, applicable fees, charges or penalties, staff time costs; and, (iii) any other costs to EWU resulting from Vendor’s breach. EWU shall have the right to deduct from any monies due to Vendor, or that thereafter become due, an amount for damages that Vendor will owe EWU for Vendor’s default. If the Failure to Perform is without the defaulting party’s control, fault, or negligence, the termination shall be deemed to be a Termination for Convenience. This section shall not apply to any failure(s) to perform that results from the willful or negligent acts or omissions of the aggrieved party. Termination for Convenience When, at the sole discretion of EWU, it is in the best interest of the State, EWU’s Contracting Officer may terminate this Contract, in whole or in part, by fourteen (14) calendar days written notice to Vendor. If this Contract is so terminated, EWU is liable only for payments required by the terms of this Contract for Software and Services received and Accepted by EWU prior to the effective date of termination. Termination for Withdrawal of Authority In the event that EWU’s authority to perform any of its duties is withdrawn, reduced, or limited in any way after the commencement of this Contract and prior to normal completion, EWU may terminate this Contract by seven (7) calendar days written notice to Vendor. No penalty shall accrue to EWU in the event this section shall be exercised. This section shall not be construed to permit EWU to terminate this Contract in order to acquire similar Services from a third party. Termination for Non-Allocation of Funds If funds are not allocated to EWU to continue this Contract in any future period, EWU may terminate this Contract by seven (7) calendar days written notice to Vendor or work with Vendor to arrive at a mutually acceptable resolution of the situation. EWU will not be obligated to pay any further charges for Services including the net remainder of agreed to consecutive periodic payments remaining unpaid beyond the end of the then-current period. EWU agrees to notify Vendor in writing of such non-allocation at the earliest possible time. No penalty shall accrue to EWU in the event this section shall be exercised. This section shall not be construed to permit EWU to terminate this Contract in order to acquire similar Services from a third party. Termination for Conflict of Interest EWU may terminate this Contract by written notice to Vendor if EWU determines, after due notice and examination, that any party has violated chapter 42.52 RCW, Ethics in Public Service or any other laws regarding ethics in public acquisitions and procurement and performance of contracts. In the event this Contract is so terminated, EWU shall be entitled to pursue the same remedies against Vendor as it could pursue in the event Vendor breaches this Contract. Termination Procedure In addition to the procedures set forth below, if EWU terminates this Contract, Vendor shall follow any procedures EWU specifies in EWU’s Notice of Termination. Upon termination of this Contract, EWU, in addition to any other rights provided in this Contract, may require Vendor to deliver to EWU any property, Products, or Work Products specifically produced or acquired for the performance of such part of this Contract as has been terminated. Contract Execution Authority to Bind The signatories to this Contract represent that they have the authority to bind their respective organizations to this Contract. In Witness Whereof, the parties hereto, having read this Contract in its entirety, including all attachments, do agree in each and every particular and have thus set their hands hereunto. This Contract is effective this _____day of ______________, 2___. Approved Eastern Washington University

Approved [Vendor]

Signature

Signature

Exhibit C: Model Information Technology Contract

18

  Print or Type Name

Date

Title

Exhibit C: Model Information Technology Contract

Print or Type Name

Date

Title

19

 

Schedule A Authorized Product and Price List as of

[date]

for Contract Number [XXX-XXX-XXX] with [Vendor]

[Vendor] is authorized to sell only the Products identified in this Schedule A at the Prices set forth in this Schedule A under this Contract. [List information required to be included by the Vendor, e.g., Product category, name, description, Prices, training Prices, installation Prices, upgrade Prices, maintenance Prices, etc.]

   

Schedule A

  EXHIBIT D: EWU’S INFORMATION TECHNOLOGY SECURITY STANDARD Introduction: This document defines the minimum security criteria that an Application Service Provider (ASP) must meet in order to be considered for use by Eastern Washington University (EWU). This standard has been developed to support the goals and objectives of EWU’s Information Security Policy (EWU Policy 203-010). This standard will be incorporated in whole or in part in vendor contracts or agreements as appropriate. As part of the evaluation and selection process for a hosted service, the ASP must demonstrate compliance with the requirements of this standard. If the solution is hosted, Apparent Successful Contractor will then be required to complete this form for EWU evaluation prior to final contract award.  Scope: This standard applies to ASPs who provide services to EWU. ASP’s must meet this standard to be considered to provide application services to EWU unless a requirement of this standard is specifically waived in writing by EWU. Standard General Description of Hosted Service Environment 1. Using the requirements of this document as a guide, the ASP shall provide a detailed description of the hosted service environment that describes the typical flow of data between the client computer and ASP networks and servers (including those of subcontractors), and the technologies and security measures employed. Areas to be addressed shall include: a) b) c) d) e)

Security of networks, servers and facilities Data exchange methodologies Server platforms and operating systems Web Servers and databases used Application program development environment (development framework, programming languages, scripting languages used in the application) f) Directory integration capabilities g) Disaster recovery and business continuity provisions Comments: ASP Policies 2. ASP shall supply EWU with copies of its security and privacy policies and those of any subcontractor directly involved with the delivery of the hosted service. Comments: Location of ASP Facilities 3. ASP shall provide EWU with the names and addresses of facilities housing ASP operations and equipment, including subcontractors directly involved in the delivery of the service provided by the ASP (e.g., data centers, backup operations or data storage facilities, credit card processors, etc.). Comments: Definitions – Refer to Appendix B for a definition of terms used in this document. Data Security Data Elements 4. The collection of data by the ASP shall be limited to the data elements specifically defined and authorized by EWU. If ASP wishes to collect additional data, ASP must submit a request in writing to EWU. Under no circumstances shall ASP collect any information classified as Sensitive or Confidential without the express written approval of EWU. Comments: Data Classes. The following definitions shall be used to classify data for security purposes:

 

  Normal: The least restrictive class of data. Although it must be protected from unauthorized disclosure and/or modification, it is often public information or subject to disclosure as a public record. Examples of this class of data are: class schedules, course catalogs, general ledger data, and employee demographic statistics. Sensitive: This class includes data for which specific protections are required by law or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples of this class of data are: peoples’ names in combination with any of the following: driver’s license numbers, birth date, EWU ID number (EWUID), address, e-mail addresses, and telephone numbers. Also included are: agency source code or object code, agency security data, education records including papers, grades, and test results, or information identifiable to an individual that relates to any of these types of information. Confidential: This class includes those data elements that are either passwords in the traditional sense or function in the role of an access control such as a credit card number, expiration date, PIN, and card security code. All data classified as Confidential shall be encrypted in storage and in transit. Access to these elements are tightly controlled and audited. Examples of these data are: Social Security Numbers (SSN), credit card numbers, expiration dates, PINs, and card security codes, financial profiles, bank routing numbers, medical data, law enforcement records. Data Handling Requirements 5. Data handling requirements may vary depending on the classification of data collected, transmitted or stored by the ASP. However, it is anticipated that most hosted computer applications used by institutions of higher education will involve a mix of data classes including sensitive and possibly confidential information. Therefore, whenever data elements are aggregated for collection, transmission, or storage, and the elements cannot be secured individually, the aggregate data shall be handled using the protocols that apply to the most sensitive data element. The requirements set forth in this standard assume that applications will involve sensitive data at a minimum. Specific requirements for handling confidential data are clearly identified in the standard. Comments: Sharing Data with Third Parties 6. Data supplied by the EWU to the ASP or collected by the ASP on behalf of its students, prospective students, employees or alumni is the property of EWU and shall not be shared with third parties without the written permission of EWU. This restriction does not apply to identified subcontractors of the ASP that are directly involved with the delivery of the hosted service (hosting facilities, credit card processors, etc.). Customer data shall not be sold or used, internally or externally, for any purpose not directly related to the delivery of the hosted service without the written permission of EWU. This requirement supersedes any data sharing provisions that may be incorporated in the ASP’s privacy policy. Comments: User Authentication and Authorization 7. ASP’s system shall enforce unique usernames and strong passwords to authenticate users. ASP must provide mechanisms to ensure that users will only have access to their own data. The system shall provide a user account management capability to enforce user security levels within the system for administrative users based on defined user groups and roles. Comments: Data Access by ASP Staff 8. Access to accounts, applications, or data stored on ASP's systems shall be via secure channel using SSL, SSH or VPN technologies with a minimum of AES-128 encryption. ASP employee access to systems shall be accomplished using separate, managed administration accounts requiring complex passwords or twofactor authentication. Access shall be limited to those ASP employees and subcontractor employees with a defined need for management and maintenance of the applications, data, or services. Access shall be appropriately logged to provide an audit trail. Comments: Backup Data

Exhibit D: EWU’s Information Technology Security Standard



  9. Data stored on backup media (drives, tapes, disks, etc.) shall be encrypted. In the case of on-line backup strategies that employ the Internet for transport, the transmission of backup data shall be encrypted. Security protocols and procedures shall be in place to prevent the loss or destruction of backup media. Comments: Termination of Services 10. In the event EWU or the ASP terminates the service agreement, or the ASP ceases operation, the ASP shall return to EWU all data collected in the course of providing the application service. The vendor shall certify in writing within five business days that all copies of the data stored on ASP application servers, backup servers, backup media, or other media including paper copies have been permanently erased or destroyed. “Permanently erased” means the data have been completely overwritten and are unrecoverable. File deletions or media formatting operations do not constitute a permanent erasure. Comments: Network Security Attack Prevention 11. ASP shall employ attack prevention tools including, at a minimum, a network firewall and anti-virus/antimalware software to protect its network from Internet attacks. Comments: Attack Detection and Response 12. ASP shall maintain a written Incident Detection and Response Plan that details standards for reviewing server logs, the operation and maintenance of IDS/IPS tools, and procedures for responding to and mitigating a successful attack. Comments: Host Security Server Architecture 13. ASP shall employ, at a minimum, a two-tiered architecture whereby the publicly-facing Web server (frontend server) is isolated from the application/database server(s) by means of a network firewall (see Diagram 1 below). The front-end server used to collect data shall not cache or store any collected data or derived data there from at any time. All collected data shall be immediately passed to a separate database system residing on a back-end database server behind a firewall for storage and management. Comments: Diagram 1 – Front-end and Back-end Servers and Firewall

Exhibit D: EWU’s Information Technology Security Standard



 

Configuration Management 14. ASP shall have in place written policies and procedures addressing server configuration that protect the server environment from configuration flaws that compromise security including: a. b. c. d. e. f. g. h. i. j.

Un-patched security flaws in the server software. Server software flaws or misconfigurations that permit directory listing and directory traversal attacks. Improper file and directory permissions. Unnecessary services enabled, including content management and remote administration. Default accounts with their default passwords. Administrative or debugging functions that are enabled or accessible. Misconfigured SSL certificates and encryption settings. Use of self-signed certificates to achieve authentication and man-in-the-middle protection. Use of default certificates. Improper authentication with external systems.

Comments: Web Security Data Transmission 15. Data transmissions between client Web browsers and ASP servers, including usernames, passwords, and all Sensitive or Confidential information, shall be encrypted using, at a minimum, 128 bit SSL/TLS, an industry standard means of encrypting Web site traffic. Comments: Web Applications 16. Web applications shall adhere to the minimum standards for web-based application security described in the Open Web Application Security Project (OWASP) Guide to Building Secure Web Applications (http://www.owasp.org) Comments: Adherence to Industry Best Practices 17. ASP Web applications shall be designed to avoid common security vulnerabilities identified in the OWASP Top Ten, a list of the most critical web application security flaws including: • Injection • Cross-Site Scripting (XSS) • Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards Comments: 18.

Login pages shall not be delivered to the client browser using unsecured http, even if user credentials are submitted using https.

Comments: 19.

Unsecured (http) content shall not be mixed with https content on secure Web pages.

Comments: E-commerce Applications Exhibit D: EWU’s Information Technology Security Standard



  20. For e-commerce applications involving credit card transactions, the ASP and its subcontractors shall comply with Payment Card Industry (PCI) requirements and standards for the processing and encryption of payment card numbers, PINs, security codes and expiration dates (https://www.pcisecuritystandards.org/tech/index.htm). Comments: Banner Page 21. At the request of EWU, ASP shall provide a banner page that is displayed prior to any user data entry. The page may be used by EWU to provide information to the user concerning the use of the application as it deems necessary. The banner page shall either be editable by EWU or by the ASP provided content supplied by the EWU is posted within 24 hours of submission. Comments: Cryptography Encryption Algorithms 22. Encryption methods must employ industry standard algorithms that have been published and evaluated by the general cryptographic community and are considered to reflect current best practices. ASP applications shall not employ proprietary or “home grown” cryptographic techniques. Comments: Internet Access 23. Connections to the ASP utilizing the Internet, whether for client access or remote administration, must be protected using any of the following cryptographic technologies: SSL/TLS, IPSec, SSH/SCP, PGP. Comments: Data Storage 24. Regardless of the media employed (i.e., disk, tape, etc.), Confidential data must be stored in an encrypted format. Encryption algorithms shall be AES-128 or better, or Triple-DES (TDEA). The use of other encryption algorithms for data storage must be approved in writing by EWU. Comments: Key Management 25. ASP shall have developed a Key Management Specification defining protocols for the storage and safeguarding of encryption keys. See NIST Special Publication 800-57, Recommendation for Key Management - Part 1: General (http://csrc.nist.gov/publications/nistpubs/index.html). Comments: ASP Personnel Access to Data 26. ASP shall limit access to Sensitive and Confidential data to those staff members with a well-defined business need. ASP will follow industry best practices in security training, background checks, and use of mobile devices/removable media for all employees who have access to data. Comments: Physical Security Access Control 27. The equipment hosting the application for EWU must be located in a physically secure facility, which requires badge access at a minimum. Comments: Redundancy Exhibit D: EWU’s Information Technology Security Standard



  28. ASP operations facilities shall have the necessary redundant power and environmental systems to continue operations in the event of primary system failure. Comments:

Backup Storage Facility 29. Backup storage facilities shall not be located in the same building as the primary site. On-line backup storage facilities shall have the same physical security and environmental requirements as those required for the primary site. Facilities used to store removable backup media shall have restricted access and appropriate environmental controls to insure the security and integrity of the backup data. Comments: Disaster Recovery/Business Continuity 30. ASP shall maintain a written Disaster Recovery/Business Continuity Plan that identifies the procedures that will be employed, and the resources that are available to restore service in the event of a disaster, and the projected timeframes for service restoration. Comments: Change/Relocation of Data Center 31. ASP shall notify EWU in the event ASP plans to relocate its data center or secure the services of different subcontracted data center. Such notification shall be sent to EWU at least 30 days prior to moving data or servers to the new location. The notification shall include all information required to demonstrate the new hosting facility’s compliance with the contract. EWU must have an opportunity to review these specifications. EWU retains the option of canceling the contract if the new hosting facility does not meet with EWU approval. Comments: Audit Requirements Third Party Audit 32. ASPs that process confidential data shall undergo an annual information systems audit conducted by CISAcertified independent auditor. If ASP subcontracts all or part of its operations, the audit requirement applies to subcontractors as well. ASP shall provide EWU with copies of the annual audit reports. Alternate auditing methods must be approved in writing by EWU. Comments: Legal Compliance with Applicable Laws and Regulations 33. Vendor shall comply with all applicable federal laws and regulations protecting the privacy of individuals including the Family Educational Rights and Privacy Act (FERPA, http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html) and the Health Insurance Portability and Accountability Act (HIPAA, http://www.cms.hhs.gov/HIPAAGenInfo/) Comments: Notification of Security Breaches 34. Washington State law requires that affected individuals be notified in the event of a security breach. Pursuant to RCW 19.255.010, Disclosure, notice – Definitions – Rights, remedies, (http://search.leg.wa.gov), ASP agrees that, in the event of any breach in data security where unencrypted personal information of an EWU student, prospective student, employee or alumnus was, or is reasonably believed to have been, acquired by an unauthorized person, ASP shall notify EWU of the security breach within 24 hours and assist EWU with the notification action required under the law. Comments: Exhibit D: EWU’s Information Technology Security Standard



  Indemnification 35. Vendor shall indemnify and hold EWU harmless for all costs and damages related in any way to the misuse of data or breach of security that occurs while data is in the possession or control of the ASP including, but not limited to, all notification costs and requirements as set forth in RCW 19.255.010, financial restitution to affected individuals to mitigate actual/potential identity theft, and the costs of any resulting legal action. Comments: Certification The undersigned certifies that the ASP vendor satisfies the requirements set forth in this IT Security Standard Response Form together with any addenda detailing exception, modifications or amendments approved by EWU. Signer warrants that he/she is authorized to legally bind the ASP vendor to the terms and conditions detailed in the Eastern Washington University IT Security Standard Response Form. Company Name: __________________________________ Authorized by: __________________________________ Position: __________________________________ Signature: __________________________________ Date:_______________________

Exhibit D: EWU’s Information Technology Security Standard



  Appendix B to EWU’s Information Technology Security Standard Definitions Advanced Encryption Standard (AES) - a block cipher adopted as an encryption standard by the US government. AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. The key length is frequently appended to the abbreviation (e.g., AES-128). Application Service Provider (ASP) - a business that provides computer-based services to customers over a network, sometimes referred to as a “Hosting Service.” Back-end Server - a server (sometimes referred to as a private server) that stores data on behalf of a front-end server. In a properly designed system, a back-end server is not directly accessible from a public network, but rather is secured behind a firewall that limits access only to a specific pool of hosts (See Diagram 1 in Section 5.5.1.). Certified Information Systems Auditor (CISA) – a professional certification sponsored by the Information Systems Audit and Control Association (http://www.isaca.org). Data Center - a secure facility that houses the servers, storage devices and communications equipment used by the ASP or its subcontractors, sometimes referred to as a “Hosting Facility”. Front-end Server - a server (sometimes referred to as a public server) that is directly accessible from a public network, typically the Internet. Public servers provide an interface for the collection and retrieval of data over a public network. In a properly designed system, no data is stored or cached (this includes any log files that could contain Sensitive information) on a public server (see Diagram 1 in Section 5.5.1.). Hosting Facility – See Data Center. Hosting Service - See Application Service Provider. IPsec (IP security) is a standardized framework for securing IP communications by encrypting and/or authenticating each IP packet in a data stream. PGP (Pretty Good Privacy) - a computer program which provides cryptographic privacy and authentication. RCW - Revised Code of Washington Secure Shell (SSH) - a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. Strong Password - a password complicated by length, upper and lower case letters, numerals and symbols in some combination. The Washington Department of Information Systems strong password standard specifies a minimum password length of eight (8) characters. The password must contain at least one special character (any Windows –allowed special character) and at least one characters selected from the two of the following three character types: uppercase letters, lowercase letters, and numerals. Triple DES - a block cipher formed from the 56-bit key length Data Encryption Standard (DES) cipher by using it three times to form an effective key length of 168 bits. The term is used synonymously with the more standard Triple Data Encryption Algorithm (TDEA). Virtual Private Network (VPN) - a private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network, typically the Internet.

Exhibit D: EWU’s Information Technology Security Standard



  EXHIBIT E: WASHINGTON INSTITUTIONS OF PUBLIC HIGHER EDUCATION (WIPHE) PARTICIPATION FORM FOR RFP 08_13 Washington Institutions of Public Higher Education is a consortium of State of Washington four-year, community college and technical institutions who are signatories to the Interlocal Agreement for Cooperative Purchasing, pursuant to the Interlocal Cooperative Act, RCW 39.34. Bidders are asked to consider allowing WIPHE members to participate in the resulting contract at the same pricing, terms and conditions as Eastern Washington University. This solicitation is being issued by Eastern Washington University (The Lead Institution). All members of WIPHE which are listed below are to be eligible to purchase from the vendor who receives the award of this solicitation. Institutions that are "committed participants," indicated with an asterisk in the list of members, intend to purchase goods or services from the vendor. All others are considered “potential participants”. The Lead Institution reserves the right to award the contract in whole or in part in a manner that most effectively serves the WIPHE members, to reject any or all bids, and to otherwise proceed with the award as necessary to protect the best interests of WIPHE. After award, members of WIPHE will issue separate purchase orders to the successful vendor(s) if they choose to acquire the items pursuant to this award. All questions regarding this bid must be directed to the Lead Institution. DO NOT CONTACT ANY OTHER WIPHE MEMBERS. All information relating to this solicitation will be retained by the Lead Institution as the official public record. DEFINITIONS WIPHE: Washington Institutions of Public Higher Education who are signatories to the Interlocal Agreement for Cooperative Purchasing. Lead Institution: The WIPHE member that has volunteered to conduct the solicitation/negotiation process on behalf of the WIPHE members. Committed Participants: Those WIPHE members who respond affirmatively to the Lead Institution's request for participation, and whose estimated purchase volume will be included in the solicitation/negotiation documents. Potential Participants: All other WIPHE member institutions who are not Committed Participants. Potential Participants may choose to use any contract awarded, provided the contractor will accept their participation. CONTRACT ADMINISTRATION This contract shall be administered by the Lead Institution and the Committed Participants in the following manner: A. The terms and conditions contained in their entirety throughout this bid, as it relates to the Lead Institution and the WIPHE Institutions in general, may not be altered unless provided in writing by the Lead Institution. B. WIPHE Institutions may at their sole option, individually negotiate operational provisions specific to the needs of their Institution. These would include agreed arrangements for such operational provisions as delivery, installation, service, and invoicing processes. Such negotiated changes shall not be binding on any other Institution. These changes may, however, bind the vendor to providing similar arrangements to the other Institutions pursuant to any “Best Customer” provisions of this document. C. WIPHE Institutions shall individually be responsible for their obligations to the Vendor pursuant to any purchase associated with this agreement. Likewise, the Vendor shall be responsible for their obligations to the WIPHE Institutions pursuant to this agreement. All reasonable efforts will be made by the Vendor and the WIPHE Institutions to satisfy any breach of these obligations, or, disagreements arising between the individual WIPHE Institution and the Vendor. Resolution may take several forms, including cancellation of specific arrangements between the Vendor and the Institution. Resolutions of any nature shall not have a binding effect on any other Institution. D. In the event a breach or disagreement cannot be resolved between the Institution(s) and the Vendor, either party may notify the Lead Institution and request the Lead Institution satisfy the dispute in accordance with this agreement, including any Dispute Resolution process identified within.

 

  E. The Lead Institution may at any time act on behalf of any WIPHE Institution in resolving breach of contract, or, to settle disputes in accordance with this agreement. F. Participants in the Washington Institutions of Public Higher Education (WIPHE) Interlocal agreement may establish an institution specific agreement with the Contractor/Supplier/Vendor at any time during the term of this Contract. The term of the institution specific agreement may have a term, if mutually agreed upon, which extends beyond the term of the Lead Institution's Contract. In that event all terms and conditions of the Lead Institution’s Contract will inure to the participating institution’s agreement. CONTRACT DOCUMENTS The Vendor shall make copies of this contract available in its entirety to any WIPHE Institution expressing an interest in purchasing the product or service covered by this bid. The Lead Institution and The Vendor agree that a summary of this agreement, including a phone number for interested agencies to contact The Vendor, may be placed on a public access electronic Home Page, Bulletin Board, Fax on Demand network, or similar form of accessible medium. WIPHE MEMBERS Four Year Institutions: Central Washington University, Ellensburg Eastern Washington University, Cheney The Evergreen State College, Olympia Community and Technical Colleges: Bates Technical College, Tacoma Bellevue Community College, Bellevue Bellingham Technical College, Bellingham Big Bend Community College, Moses Lake Cascadia Community College, Bothell Centralia College, Centralia Clark College, Vancouver Clover Park Technical College, Lakewood Columbia Basin College, Pasco Edmonds Community College, Edmonds Everett Community College, Everett Grays Harbor College, Aberdeen Green River Community College, Auburn Highline Community College, Des Moines Lake Washington Technical Col., Kirkland State Board for Community & Technical Colleges Lower Columbia College, Longview

University of Washington, Seattle Washington State University, Pullman Western Washington University, Bellingham

Olympic College, Bremerton Pierce College, Lakewood Peninsula College, Port Angeles Renton Technical College, Renton Seattle Community Colleges, Seattle Shoreline Community College, Seattle Skagit Valley College, Mt. Vernon South Puget Sound Community College Community Colleges of Spokane Tacoma Community College, Tacoma Walla Walla Community College, Wenatchee Valley College, Wenatchee Whatcom Community College Bellingham Yakima Valley Community College, Yakima

The bidder signifies by signature below their willingness to offer the pricing, terms and conditions of this bid and any resulting contract to the WIPHE members. YES__________

NO__________

Signed: ____________________________________________ Printed Name: ______________________________________ Title: ___________________________ Date: ___________________________

Exhibit E: WIPHE Participation Form