Commonwealth of Massachusetts Executive Office for Administration and Finance Office of Information Technology (MassIT)
Commonwealth of Massachusetts Massachusetts Office of Information Technology Request for Quotation MassIT RFQ 15-24A
Disaster Recovery Notification System Posted February 2, 2015
THIS RFQ AND ALL RESPONSES HERETO INCLUDING THE WINNING BID SHALL BECOME PUBLIC RECORD AS OF THE DATE THE CONTRACT REFERENCED HEREIN IS AWARDED, AND CAN BE OBTAINED FROM THE MASSACHUSETTS OFFICE OF INFORMATION TECHNOLOGY, LEGAL UNIT BY SENDING AN EMAIL TO
[email protected]. ANY PORTIONS OF A RESPONSE THAT ARE LABELED AS CONFIDENTIAL WILL STILL BE CONSIDERED PUBLIC RECORD.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 1 of 59
General Procurement Information Procurement Contact:
Allison Poirier
Purchasing Department:
Massachusetts Office of Information Technology (MassIT) One Ashburton Place, Room 819 Boston, MA 02108
E-Mail Address:
[email protected]
Telephone:
617-660-4559
RFQ File Number and Title:
Attachments:
MassIT RFQ 15-24A Disaster Recovery Notification System Attachment A – Tables Attachment B – Template Statement of Work Attachment C – Accessibility Requirements Attachment D – SaaS Terms Attachment E – Business Reference Form Attachment F - ITS42 Software Reseller Engagement Letter
I.
Introduction
Agency: MassIT is responsible for the provision of infrastructure services, development of IT policy, and implementation and oversight of all information technology investments for the Commonwealth and its respective agencies. In addition, MassIT provides the processing and application programming services for many Commonwealth departments.
Procurement: This RFQ does not commit the Commonwealth of Massachusetts or the Office of Information Technology (MassIT) to approve a Statement of Work, pay any costs incurred in the preparation of a Bidder's response to this RFQ or to procure or contract for services. MassIT reserves the right to accept or reject any and all proposals received as a result of this RFQ, to negotiate with any or all qualified Bidders and to cancel, in part or in its entirety, this RFQ if it is in the best interest of MassIT or the Commonwealth to do so. MassIT reserves the right to assign any contract resulting from this RFQ to another Executive Department agency.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 2 of 59
MassIT reserves the right to procure none, a subset, or all of the products or services solicited under this RFQ. MassIT further reserves the right to amend this RFQ at any time prior to the date the responses are due. Any such amendment will be emailed to vendors on the appropriate contract(s) and posted to the Commonwealth’s interim procurement web site on our WIKI. All times stated in the RFQ are Eastern Daylight Time. In the event of a discrepancy between dates and times in document files, information in this RFQ or in a Commonwealth email advising of an updated date or time shall prevail. This Request for Quotes (RFQ) is RESTRICTED to authorized vendors on Statewide Contracts: ITS42 Software Resellers (Dell, En Pointe, and SHI) Software publishers who are not on any of the above contracts may (1) submit a bid through a software reseller on the ITS42 statewide contract, or (2) submit a bid containing a certificate signed by an authorized ITS42 reseller in the form attached to this RFQ as Attachment F along with a quote from the reseller. Software publishers will not be able to submit their bids through Commbuys, they will need to email their responses to
[email protected] and
[email protected], the subject line of the email must read RFQ 15-24A [vendor name_ITS42 Reseller Name]. Software publisher bids will not be accepted without the reseller quotes and certificate.
The ITS42 vendors are: Vendor1 Contact Email Brad McGinnis
[email protected] 512-513-8163 Dell Marketing LLP 617-480-9561
[email protected] Enpointe Technologies Edwin Kane SHI International Corp Amanda Spence
[email protected] 800-527-6389 ext 7162
II.
Procurement Overview
A. Purpose of the Procurement The purpose of this RFQ is to enable MassIT to implement its Disaster Recovery Notification system as a SaaS solution and to prepare to offer the notification system as a shared service to other Commonwealth entities, which may include executive department agencies, authorities, constitutional offices, and municipalities. The system must be able to disseminate information to, and receive responses from, a large number of contacts following an event; it must be able to utilize multiple contact paths for each contact; and it must be configurable for different event types.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 3 of 59
Under this RFQ, MassIT seeks to engage one or more successful Bidders to (1) stand up and support a notification platform that will be used by MassIT and that is sufficiently scalable to support the notification needs of all Commonwealth executive department agencies, authorities, constitutional offices, and municipalities. In the Initial Implementation, the winning Bidder’s solution will be implemented at MassIT and used by MassIT’s Disaster Recovery, CommonHelp and MassIT Human Resources services, to notify MassIT clients across the Executive department. In later phases of this engagement, (the “Enterprise Engagement”), the implementation will be expanded to support other executive department agencies, constitutional offices, authorities, branches of government, and municipalities, including the Human Resources Department for the Commonwealth.
The term of the contract under this RFQ will commence on the date that a contract is executed with the vendor and end fifteen (15) months later, and may be extended at MassIT’s option for up to three two-year terms. .
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 4 of 59
B. Process 1. Demonstration. After responses received by the due date have been reviewed and scored by the Procurement team, MassIT will select up to five (5) bidders to give a demonstration of their SaaS Disaster Recovery Notification system. Demonstrations will be scheduled as shown in the Event Calendar below. Demonstrations should take no more than two hours and may be conducted online or in person, using laptop or remote systems. Demonstrations should emphasize how functionality is configured and implemented. During the demo, MassIT will ask Bidders to show the method of configuration and make modifications interactively. Bidders should have staff participate who are sufficiently technical to make modifications to the configuration of the software. MassIT will give selected Bidders a list of issues that the demo should address at least three (3) days in advance. 2. Winning bidder(s). Following the demonstrations, MassIT will re-evaluate Bidders’ responses and will select one (1) Bidder to provide their solution for DR Notification in the cloud. MassIT will negotiate with the winning Bidder a Statement of Work in the form attached hereto as Exhibit A, incorporating tasks and timelines for both the Enterprise System and the Initial Engagement. The legal agreement governing this engagement shall incorporate the Statement of Work and any subscription agreement (which must address and incorporate the SaaS terms attached hereto as Attachment D (“SaaS Terms”)), service levels, or other standard agreements required by the Bidder.
III.
Requirements
A. High-Level Requirements Selected Bidders must implement both of the following: 1. Enterprise System: Capable of supporting: a. 10-500 Administrators (agency, Constitutional Office, legislative, court, authority, or municipal users) b. Up to 100,000 concurrent recipients per notification, scalable upwards. c. Unlimited storage capability, secured to Commonwealth security standards listed infra. 2. The Commonwealth would prefer the Initial Implementation to be completed by March 31st.. 3. Detailed Mandatory Requirements can be found in Table 1 of Attachment A hereto. Bidders are required to include a completed copy of Table 1 with their bid indicating whether each element is available “out of the box,” or will require configuration.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 5 of 59
B. System Requirements In addition to the specific line items in ‘DR Notification Detailed Requirements ‘ above, Bidders’ DR Notification systems must meet the following requirements: 1. SaaS. Uses a software-as-a-service model, complying with the SaaS Terms included at Attachment D. MassIT will accept Bidder SaaS terms that are substantively the same as the MassIT terms. 2. Permitted Products. Bidders may only propose fully released product versions. If Bidder is proposing third-party products, Bidder must identify and provide information about these products and affirm that the overall solution will be supported and warrantied by Bidder. 3. Product Management. The selected Bidder/Bidders must demonstrate a sound business model and a mature practice related to product development, including but not limited to release management and customer participation in development of changes that may impact users. It is the goal of MassIT to be aware of product changes, or releases, in advance, and to participate in any product development user groups when relevant. The Bidder must be prepared to discuss and document their existing Product Development operation, including information which demonstrates an established release practice with related customer communications, both prior to and after release. 4. No Restriction on Data Storage. MassIT strongly prefers a solution without any limitations on the quantity of data storage that comes with a subscription. If a ceiling is to be imposed, or if the Bidder’s system includes any other storage limitations, the Bidder must clearly disclose such ceiling or limitations in its response to this RFQ. Fees for additional storage, if any, must be specified in Bidder’s response. 5. Security. Selected Bidders must allow MassIT to access vendor systems for purposes of security review and possible penetration tests to validate that Commonwealth security policies and standards (as set forth infra) are being met. Bidders must cooperate and participate in such review and testing. The SaaS Terms (Attachment D) provide further security requirements. 6. Accessibility. Selected Bidders must comply with the Commonwealth’s established standards for accessibility as described in Attachment C. Each Bidder must provide accessibility testing results for accessibility testing with its response, as further described in Attachment C . As provided in Attachment D, after submitting its Bid, Bidder must also provide access to its SaaS platform to MassIT, other Commonwealth Entities, and their third party
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 6 of 59
accessibility testers for purposes of conducting accessibility testing, prior to entering into an agreement with MassIT. MassIT will score bids in part based on the results of such accessibility testing. The Winning Bidder will be expected to provide MassIT’s accessibility director with access to their accessibility and development teams; to meet with MassIT to review MassIT accessibility standards; to meet with the Accessibility Advisory Committee for the engagement, and to collaborate with MassIT in identifying, prioritizing and seeking solutions for accessibility defects in the Bidder’s SaaS. 7. Service Levels. The DR Notification system, once deployed, must meet minimum performance and availability requirements, technical support response parameters (time to respond and time to repair) or equivalent measures, which will be negotiated and finalized as Service Level Agreements (SLAs) attached to the Statement of Work. The SaaS Terms contain minimum requirements for SLAs. 8. Compliance with Enterprise IT Security Policies and Standards. The selected DR Notification solution must comply with all applicable Commonwealth of MA Enterprise IT Policies and Standards, available at http://www.mass.gov/anf/research-and-tech/policies-legal-and-technical-guidance/itpolicies-standards-and-procedures/ent-pols-and-stnds/, including without limitation Sections 5 and 6 of the Access Control Policy, the Access Control Standards, Business Continuity for IT Management Standards, Communications and Operations Policy, Information Security Policy, Enterprise Information Security Standards: Data Classification, Enterprise IT Security Compliance, Enterprise IT Asset and Risk Management Policy, Physical and Environmental Security Policy, Security Incident Response Policy, Staff IT Security Policy, and Website Cookie Policy.
IV.
RFQ Responses
Bidder’s response must be valid for ninety (90) days after RFQ responses are due (see Event Calendar). At any point, MassIT may ask for clarification regarding any bid. These clarifications will be conducted by secure email. Responses must include the following: A. Cover Letter A signed cover letter stating that the Bidder agrees to the terms of this RFQ. B. Business Response The business response must include:
Description of the Bidder’s DR Notification SaaS solution, addressing, in detail, how the Bidder proposes to meet each requirement listed in Table 1 of Attachment A hereto. Functionality(ies) that may be pending in a future release may be described, but there
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 7 of 59
must be a clear indication for each one that the specified functionality is not currently available in a general release and a planned date for release must be provided.
Project plan for both the Initial Implementation and for expanding the solution to other Commonwealth entities during the Enterprise Engagement, including for both the Initial Implementation and the Enterprise Engagement: a description of the Bidder’s approach to set up the solution, timeframe, training, configuration, data migration, and resources required from the agency (number of people, skill sets, approximate number of hours per person).
An editable REDLINED version of the template SOW in Attachment B, including a detailed description of personnel to be assigned, tasks, deliverables, milestones and timeframes.
Editable versions of any applicable SaaS, service level, license, or other agreements for products and services included in the proposed solution. The SaaS or subscription agreement must include the SaaS Terms attached hereto as Attachment D. MassIT will accept Bidder SaaS terms that are substantively the same as the MassIT terms. Without limiting the foregoing, vendors must provide in their response, at a minimum, a copy of (rather than a link to) all technical support descriptions, and applicable security, privacy or data management agreements, and terms of use, including those that appear on their websites.
List of all third-party software that the Commonwealth needs (browser brand and version, operating system, et al.) to make use of Bidder’s solution for both server and individual users.
Completed VPATS, if available, and other information about accessibility of the current solution as required in Attachment C.
Do NOT include cost information in the business response.
C. Cost Response Provide a separate cost proposal, which must include a completed version of the table below setting forth pricing as follows:
All-inclusive fixed price, per seat, for one Initial Implementation (as described in Section II above), including without limitation subscription fees, configuration, implementation, necessary add-on services, customer support, documentation, and online or face-to-face training. The Commonwealth will not pay any costs or expenses not included in the fixed price. Payments will be invoiced and paid on a monthly basis. Any partial months will be paid at a prorated rate. For clarity, the expected initial implementation is approximately 1,000. The 100,000-seat requirement is for minimum system capacity, not the expected size of the initial implementation.
Pricing for expansion to other Commonwealth entities, up to and including a full Enterprise System, during the Enterprise Engagement, including the basis and any
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 8 of 59
conditions for such pricing. Include SaaS subscription fees; governor limits; prices for any add-on services or tools; fixed prices for services, including the cost of setting up a new implementation; time and materials costs for services; services to transition to a new vendor after expiration or termination of the Commonwealth’s use of the services of the successful Bidder; and any other applicable costs for the Bidder’s proposed solution or related services offered. Pricing, both in Bidder’s response and throughout the term of any Agreement, must be no higher than the pricing that Bidder currently offers to any other Commonwealth entity. Pricing model must include a completed table including all cost elements, as set forth in Table 2 of Attachment A hereto, or in another easily readable cost presentation.
In the cost proposal, confirm specifically that all prices, including labor rates, provided in the Cost table(s) must be valid for the initial term of fifteen months and one two year extensions from the date of execution of any contract resulting from this RFQ. Thereafter, Bidder may not increase its rates by more than 2% annually.
D. Customer Experience Demonstrate previous experience deploying the same or a similar SaaS solution at an enterprise level in an organization of a size comparable to the Commonwealth within the past 24 months. Provide a detailed description of Bidder’s experience and the name, telephone, and email of a person at the client who can speak to Bidder’s performance on the engagement. Experience with large government organizations is preferred, but not required. List all projects or instances in which, over the past four years, Bidder’s contract to establish a SaaS relationship has been cancelled. Include the nature of the product or solution, the name of the customer, the date thereof, and why the contract or SaaS agreement was cancelled. E. Business References Include all of the information requested on the reference form attached as Attachment E. Provide contact information for customers who are willing to serve as business references and affirm willingness to set up a reference call with those customers. MassIT prefers references from customers of comparable size to the Commonwealth’s executive department (approximately 65,000 employees), with comparable business requirements, and with comparable industry experience. MassIT will contact references to confirm the abilities and qualifications described in Bidder’s response. MassIT may deem any response unresponsive if a reference is not obtainable from a listed reference after reasonable attempts. If any Bidder has installations in any municipal, state, or federal government organization for which that Bidder has not provided a reference, then the Bidder should list the state and the reason why there is no available reference. RFQ 15-24A – Disaster Recovery Notification SaaS
Page 9 of 59
V.
Evaluation and Scoring Process
A. Evaluation Criteria Weighting The following elements will factor (in descending order of significance) into scoring of Bidders’ responses: 1. Evaluation of extent to which product and service meets criteria. 2. Past similar implementations with government organizations, specifically within the Commonwealth. 3. Past shared-services experience; 4. Demonstration; 5. Price (both initial and long-term); 6. Business and Technical Response; 7. References.
B. Scoring Process After a preliminary bid scoring process based on the criteria above, MassIT will select Bidders to conduct demonstrations, as described in Section I(B) above. Following the demonstrations, the SST will update the relevant scores previously assigned in the preliminary bid scoring process. The SST will also review the updated total cost of ownership information and eliminate solutions that may be beyond our budget for either or both agreements. In addition, either before or after the demonstrations, the SST will evaluate the accessibility of each solution as described in Attachment C. The SST will then re-evaluate the scores of up to three top scoring Bidders, and will then select the highestscoring Bidder best-suited to Mass IT’s requirements to proceed with an initial implementation and later possible enterprise-level contract.
VI.
Submission Requirements
A. Required Response Channel With the exception of Software Publishers, interested Bidders must submit their response via the appropriate Bid page on CommBuys. Software publishers may (1) submit a bid through a software reseller on the ITS42 statewide contract, or (2) submit a bid containing a certificate signed by an authorized ITS42 reseller in the form attached to this RFQ as Attachment F along with a quote from the reseller. Software publishers will not be able to submit their bids through Commbuys, they will need to email their responses to
[email protected] and
[email protected], the subject line of the email must read RFQ 15-24A [vendor name_ITS42 Reseller Name]. Software publisher bids will not be accepted without the reseller quotes and certificate.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 10 of 59
Documents should be unlocked to allow for any legal redlined review as necessary. Responses must be received no later than the response due date and time indicated in the Event Calendar above or they will not be evaluated. Useful Links: Job aid on how to submit a quote: http://www.mass.gov/anf/docs/osd/commbuys/create-aquote-v1.docx Webcast: How to Locate and Respond to a Bid in CommBuys, which will familiarize bidders with CommBuys terminology, basic navigation, and provide guidance for locating bid opportunities in CommBuys and submitting an online quote. If Bidder has any issues with responding through CommBuys you must contact the CommBuys Help Desk at
[email protected] or call during normal business hours (8AM – 5PM Monday – Friday) at 1-888-627-8283 or 617-720-3197. Responses must be received no later than the response due date and time indicated in the Event Calendar above or they will not be evaluated.
B. Order of Precedence Any contract resulting from this RFQ shall consist of the following documents in the following order of precedence: the Commonwealth’s Terms and Conditions; the Commonwealth’s Standard Form Contract; the applicable RFR; the Bidder’s response thereto; this RFQ; the Statement of Work, SaaS Agreement and any other agreements negotiated by and between the parties; and (7) the Bidder’s response to this RFQ. (1) (2) (3) (4) (5) (6)
C. Anticipated Contract Duration MassIT anticipates that the agreement entered into with each selected Bidder hereunder will be for an initial term of fifteen (15) months, including three (3) months for planning and activation and twelve (12) months of performance. During the final three months of the period, MassIT will conduct an evaluation of performance including but not limited to vendor responsiveness, available enhancements and issue management. If the evaluation is satisfactory, MassIT may elect at its sole discretion to renew the contract at the subscription price provided in the winning Vendor’s response to this RFQ for up to three (3) additional two-year terms.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 11 of 59
D. Review Rights Responses to this RFQ may be reviewed and evaluated by any person(s) at the discretion of MassIT including non-allied and independent consultants retained by MassIT now or in the future, for the sole purpose of obtaining an analysis of Responses. Any and all respondents may be asked to further explain or clarify in writing areas of their Response during the review process. MassIT retains the right to request further information from respondents.
E. Procurement Event Calendar 1. Calendar: All times/dates are the prevailing Eastern Time. In the event of discrepancies between dates and times, the dates and times specified on the CommBuys solicitation page shall prevail. Activity
Action
Date
Time
Solicitation
RFQ publicly available
2/2/2015
2:00 PM
Q&A
Bidder Conference
2/11/2015
10:00 – 11:00 AM
Bridge: 1-877-820-7831 474511, # Bidder Questions
Questions Received by
2/13/2015
COB
Answers
Answers posted to CommBuys
2/17/2015
5:00 PM
(estimated) Responses Due
RFQ responses due
2/20/2015
5:00 PM
Demonstrations
Up to 3 top Bidders demo
Wk 2/22315
TBD
Interested Bidders must submit their response documents though CommBuys. If a bidder is having a problem posting to CommBuys, they must work with the CommBuys Help Desk. The help desk can be reached by email at
[email protected] or by phone during normal business hours (8AM – 5PM Monday – Friday) at 1-888-627-8283 or 617-720-3197; Tuesdays through Thursdays tend to be the better days to reach CommBuys Help. Questions may be emailed to Alison.
[email protected] , the subject line of the email must read RFQ 15-24A Questions [vendor name] Questions received by any other method or after the question due date will not be acknowledged or answered.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 12 of 59
The expectation is that many questions will be answered during the bidder conference. Written questions received by the due date will be answered in writing in one document posted to CommBuys on or near the estimated date in the event calendar. Again, it is the vendor’s responsibility to read or download the answers to questions received. Responses must be received no later than the response due date and time indicated in the Event Calendar above or they will not be evaluated.
VII.
General Terms for all RFQs
A. Order of Precedence The contract resulting from this RFQ shall consist of the following documents in the following order of precedence: (1) (2) (3) (4) (5)
(6) (7)
the Commonwealth’s Terms and Conditions; the Commonwealth’s Standard Form Contract; the applicable Commonwealth RFR; the Bidder’s response thereto; this RFQ (as it may be amended, including without limitation by amendments to the RFQ, answers to questions received, requests for clarification and requests for best and final offers); the Statement of Work and any other documents negotiated between the parties; and the Bidder’s response to this RFQ.
This order of precedence is non-negotiable. Bidders who do not agree to this order of precedence should not respond to this RFQ.
B. General. By submitting a proposal in response to this RFQ, Bidders agree to the following terms:
1. Validity of Bids. All bids submitted in response to this RFQ must be valid for a minimum of ninety (90) calendar days. 2. Costs. MassIT will not pay for any costs other than those set forth in the Bidder’s response to this RFQ. 3. Services. If Bidder has provided hourly rates for services, MassIT reserves the right to hire the winning Bidder, at the hourly rates included in its bid, for work closely related to the project described in this RFQ but not specifically described herein.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 13 of 59
4. Bid/Response Rejection. MassIT reserves the right to reject any or all bids (responses), in whole or in part and for any reason deemed non-compliant or non-responsive per this RFQ, its attachments or any subsequent changes, including failure to meet any requirements listed as mandatory. MassIT reserves the right to reject any bid that includes attempts by the Bidder to alter the Commonwealth’s standard legal terms or the order of precedence set forth in this RFQ. 5. No Alteration. Bidders may not alter (manually or electronically) the RFQ language or any RFQ component files. Modifications to the body of the RFQ, specifications, terms and conditions, or which change the intent of this RFQ are prohibited and may disqualify a response. 6. Clarifications. MassIT retains the right to request further information or clarification from respondents. Any such clarification or written communication shall form part of the Bidder’s response to this RFQ. 7. Contract Amendments. MassIT reserves the right to amend this RFQ or any contract resulting from this RFQ. Any amendments to this RFQ will be posted on the Commonwealth’s procurement site, CommBUYS, unless the Bidder is notified otherwise by e-mail. The Bidder is advised to check this site regularly for any amendments. MassIT may negotiate changes to the original performance measures, reporting requirements or payment methodologies tied to performance at any time during the contract duration if they are consistent with the specifications of this RFQ. MassIT reserves the right to negotiate and execute contract amendments with the contractor(s) which MassIT determines as necessary to result in the intent of this RFQ, to amend the specifications for necessary requirements, or to result in a better valued contract. Negotiation would be with the successful contractor(s) of this RFQ. Amendments may include, but are not limited to, contract dollars, contract performance, increased or decreased obligations, scope of work, quantity, etc. Bidders are advised to check prior to submitting a response to ensure that they have the most recent RFQ files. 8. Additional Documents. The Bidder must include in its response all documents that the Commonwealth will be asked to agree to or sign. The Commonwealth shall not be bound by any document not included in the Bidder’s response or any document that it has not executed in writing. 9. Limitations. This RFQ does not commit the Commonwealth or MassIT to approve a Statement of Work, pay any costs incurred in the preparation of a bidder’s response to this RFQ or to procure or contract for any products or services. MassIT reserves the right to accept or reject any and all proposals RFQ 15-24A – Disaster Recovery Notification SaaS
Page 14 of 59
received as a result of this RFQ and to contract for some, all or none of the products and services as a result of this RFQ. MassIT further reserves the right to negotiate with any or all qualified bidders and to cancel in part or in its entirety this RFQ if it is in the best interest of MassIT or the Commonwealth of Massachusetts to do so. 10. Review Rights. Responses to this RFQ may be reviewed and evaluated by any person(s) at the discretion of MassIT including non-allied and independent consultants retained by MassIT now or in the future, for the sole purpose of obtaining an analysis of responses. 11. Proprietary Notices. All bids submitted in response to this RFQ shall be public record in accordance with Mass. Gen. Laws c. 66 and Mass. Gen Laws c. 4, § 7(26). All notices included in such bids to the effect that bid content is confidential or proprietary, that the distribution of such bids is prohibited or that by opening or accepting the bid MassIT is accepting such terms, are null and void, and any portions of the response so marked shall still be considered public record.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 15 of 59
Attachment A
TABLE 1. RFQ 15-24A, DR Notification Detailed Mandatory Requirements
1.0
DR Notification Detailed Requirements SYSTEM PARAMETERS
1.1 1.2
Supports a minimum of 100,000 contacts, with scaleability Capacity to support availability during Commonwealth-wide major event, with effectively unlimited ability to control different lists, messages, scripting and response options.
1.3
The System can be configured for disaster event types in which the DR team can decide the event type, and notification type associated. For example: A disaster event in which immediate response with instructions to the recipient to choose availability (Not Available to Respond), (Available to Respond Remote), (Available to Deploy to Site A, B, C, etc.) Deployment sites would need to be pre-defined by DR administrator. Software supported from multiple data centers and multiple disaster recovery sites. Integrated Public Alert and Warning System (IPAWS) Integration for Wireless Emergency Alerts (WEAs) Integration for Emergency Alert Systems (EAS) Message delivery speed and capacity; responses should include system requirements by delivery mode and tiering information, if appropriate. Compliant with ISO and NIST security standards Support multiple languages
1.4 1.5 1.6 1.7 1.8
1.9 1.10 2.0 2.1 2.2 2.3
2.4 2.5
3.0 3.1
Ready out of the Box
Requires Configuration
SERVICE PARAMETERS 99.999% service availability 24 X 7 LIVE support In addition to designated overall/comprehensive access at the system level, ability to create agency/entity-level administration groups with defined, limited functionality. I.E., an agency can securely control its lists, scripting, pathways, etc., but systemlevel control can see and manage all parameters and permissions. Service Response Time: Bidder commits to provide two-hour (2) response time to a service-affecting outage or issue. Repair Time: Bidder commits to return full functionality to the system within four (4) hours, NETWORK PARAMETERS Uses multiple network providers
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 16 of 59
3.2 3.3 3.4 3.5 3.6
4.0 4.1
4.2 4.3
4.4 4.5 4.6
4.7 4.8
4.9
4.10 4.11
DR Notification Detailed Requirements Call-throttling Load Balancing Supports SMTP and SMPP text messaging Secure transmissions with 128-bit SSL encryption or better Supports all mobile device applications, including but not limited to: o Windows Mobile o Android o IOS o Windows 7, 8 and 9 (when the latter is released). o Mac OS o List any other supported operating systems. CALL AND CONTACT RECORD OPTIONS/FEATURES Find-Me/Follow-Me: System can call multiple numbers in succession, based on outcome of previous calls (call sequencing). Multiple contact paths per user (e.g., email, CoMA phone, home phone, mobile device, SMS, etc.) Ability to deal with extensions, both pre-coded and “live” extension requirements, i.e., For Jane Doe, dial ‘1’; for Joe Smith, dial ‘456’. Leave a scripted message with both live respondents and voicemail\answering machine TTY/TDD recipient Application Supports multiple option response by recipients (multiple-choice OK), e.g., “I have received the message and I am available to assist within 2 hours”, “Received; will respond within 4 hours” or “I have received the message but I am not available.” Cascade notifications: Forwards/Sends the alert to additional persons or groups based on response by initial recipient. Unlimited messaging capability, editable by MassIT or agency/entity administrators; may not be limited to vendorprovided messages. Automatic Web Posting allows notifications to automatically be published to web systems including but not limited to public websites, intranets, internal systems, and social media. Responses should include a description of how a message is assigned to a particular site page and location on that page. Ability to contact a specified number of recipients from a pool of potential contacts in each entity or group. System is able to import a user-generated (.xls or .cvs) contact file and “read” it into individual contact records
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 17 of 59
4.12
4.13 4.14 4.15 4.16 4.17 4.18 4.19
DR Notification Detailed Requirements Geographic information system (GIS)-based message targeting – ability to quickly and easily send messages to recipients in a specific geographic region defined by zip code, street address, radius from a specific point, or other attribute. Individual contacts able to unsubscribe; requires notification to local and system administrators. Ability to verify message delivery Ability to verify message receipt Ability to verify if message has been read Able to de-duplicate contact information Ability to have independent branding (LOGO) for each user group, i.e. MassIT, ANF etc… Defined fields of individual contact records can be updated by the end user (e.g., personal email).
5.0 5.1 5.2
MONITORING & REPORTING Report all usage data, by defined fields. Extract system usage data by defined field; download and deliver in MassIT-controlled report formats or vendor formats. At a minimum, include: User group/sub-group Identify administrators who ‘touch’ an message delivery Number of users Number of calls Number of responses Tier usage, as appropriate
5.3
All administrators see in real time current status of notifications responses. Ability to see response by sub-group or sub unit type, e.g., Storage, Windows, Linux, etc. Ability to set, track and show on console varying types of recipient response. Example, one notification requires a “live” response with a minimum of two respondents in each six groups, but another only requires voicemail delivery to 300 people. The system console will monitor all activity. The system will attempt to reach the required number of a specific ROLE OR NAMED person until the pre-programmed requirement is reached.
5.4
5.5
6.0 6.1
PRICING State pricing structures and parameters, including, at a minimum: System stand-up Messaging pricing
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 18 of 59
DR Notification Detailed Requirements Move/Add/Change pricing Administrator Change costs, if any. Subscription fees Annual fees, if additional Administrator training at system level, online and F2F Administrator training at local level, online and F2F Ability to offer to Commonwealth entities as a managed service Ability to offer as a separate instance. Termination or end-of-contract transition costs
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 19 of 59
TABLE 2. RFQ 15-24A -- DR Notification Table of Costs INITIAL IMPLEMENTATION
UNIT COST
TOTAL PRICE
COST PER ENTITY
ENTERPRISE COST
All-inclusive fixed fee (SaaS subscription and all services) for Initial Implementation, with details of levels/tiers/messaging databases, etc. provided) FUTURE IMPLEMENTATIONS SaaS subscription fee (indicate whether fees are enterprise-wide, per-agency, per-seat, or based on some other measure) System stand-up Messaging pricing Move/add/change pricing, including users, administrators, any other. Administrator training at system level, online and face-to-face Administrator training at local level, online and face-to-face Setup fee for new instance(s), including access to online training. Time and materials cost for services, including F2F training. Governor limits (indicate whether fees change if usage exceeds limits) Add-on services and tools (indicate name and type of service or tool and price) End-of-contract or cancellation transition to new vendor services, if/when required. Any other applicable costs (in detail)
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 20 of 59
Attachment B
STATEMENT OF WORK BETWEEN THE MASSACHUSETTS OFFICE OF INFORMATION TECHNOLOGY AND [NAME ITS VENDOR] FOR THE COMMONWEALTH DISASTER RECOVERY NOTIFICATION SYSTEM 1.
INTRODUCTION
The following document will serve as a Statement of Work (“SOW”) between MassIT (“MassIT”) in the Executive Office of Administration and Finance and [Vendor Name] (“[Vendor Abbreviation]”) to apply to work on the Disaster Recovery Notification System ([DR Notification”). The entire agreement (the “Agreement”) between the parties (the “Agreement”) consists of the following documents in the following order of precedence: (1) the Commonwealth Standard Terms and Conditions; (2) the Commonwealth’s Standard Form Contract; (3) Request for Response (“RFR”) ITT46; (4) [Vendor Abbreviation]’s response thereto; (5) the Request for Quotes (“RFQ”) [name and date of Eligible Entity’s RFQ]; and (6) [Vendor Abbreviation]’s response thereto as amended by this SOW. 2.
DEFINITIONS
The terms used in this SOW, unless defined in this SOW or in an amendment made hereto, shall have the meaning ascribed to them in the other documents that constitute the Agreement between the parties. “Deliverable” means any work product that [Vendor Abbreviation] delivers for the purposes of fulfilling its obligations to MassIT under the terms of the Agreement, including work product that [Vendor Abbreviation] must submit to MassIT for MassIT’s approval in accordance with the formal acceptance procedures set forth within the SOW or the Task Order(s) entered into hereunder. “Milestone Payment” means a defined payment amount associated with the completion of a particular Deliverable or set of Deliverables.
“Task” means a material activity engaged in by [Vendor Abbreviation] for the purpose of fulfilling its obligations to MassIT under the terms of the Agreement, which may or may not result in the creation of a Deliverable.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 21 of 59
“Task Order” means an amendment to this SOW that specifies Tasks, Deliverables, or hourly rate services to be completed by [Vendor Abbreviation] under the terms of this Agreement.
3.
OVERVIEW, EFFECTIVE DATE AND TERM
[Provide a high level description of the project.]
This Agreement’s term (the “Term”) begins on the date on that it is executed by both parties (the “Effective Date”) and shall terminate at 5:00 p.m. on [INSERT END DATE] (“Termination Date”). Notwithstanding the foregoing, Sections 5.1 and 5.2 of System Security, Section 11.2 Warranty, and Section 11.3, Title and Intellectual Property Rights [Eligible Entity choose other sections that will survive termination] shall survive the termination of the remainder of this SOW.
4.
POINTS OF CONTACT
4.1
Single Point of Contact
[Vendor Abbreviation] and MassIT will each assign a single point of contact with respect to this SOW. It is anticipated that the contact person will not change during the Term of this Agreement. In the event that a change is necessary, the party requesting the change will provide prompt written notice to the other. In the event a change occurs because of a non-emergency, two-week written notice is required. For a change resulting from an emergency, prompt notice is required. [Vendor Abbreviation]’s contact person is [Vendor Contact Name and Title], who can be reached at [Vendor Contact Address, phone number(s), email]. MassIT’s contact is [Eligible Entity Contract Name and Title] who can be reached at [Eligible Entity Contact Address, phone number(s), email].
4.2.
Subcontractors [Delete provision 4.2, the following provision, if the Vendor is not using subcontractors]
[Vendor Abbreviation] shall take full responsibility for project management. [Vendor Abbreviation] shall submit all subcontracts related to work to be performed hereunder for approval by MassIT within two weeks of the Execution Date of this SOW and within two weeks for any Task Order issued hereunder which entails work by [Vendor Abbreviation] subcontractors. [Vendor Abbreviation] shall ensure that its subcontractor(s) that perform work efforts under this SOW shall comply with all terms of the Agreement.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 22 of 59
[Vendor Abbreviation] will act as prime contractor for the [Vendor Abbreviations]’s subcontractor (s) and be responsible for the performance of subcontractor. [Vendor Abbreviation] must submit for approval, be responsible for, and pass on all covenants, and warranties, etc. to subcontractor. 5.
SYSTEM SECURITY
As part of its work efforts under this SOW, [Vendor Abbreviation] will be required to use Commonwealth data and IT resources. For purposes of this work effort, “Commonwealth Data” shall mean data provided by the MassIT to [Vendor Abbreviation], which may physically reside at a Commonwealth or MassIT or [Vendor Abbreviation] location. 5.1
Commonwealth Data In connection with Commonwealth Data, [Vendor Abbreviation] will implement commercially reasonable safeguards necessary to: 5.1.1
5.2
Prevent unauthorized access to Commonwealth Data from any public or private network; 5.1.2 Prevent unauthorized physical access to any information technology resources involved in the development effort; and 5.1.3 Prevent interception and manipulation of Commonwealth Data during transmission to and from any servers. Commonwealth Personal Data In addition to the above requirements for Commonwealth Data, [Vendor Abbreviation] may be required to use the following Commonwealth personal data under MGL ch. 66A and/or personal information under MGL ch. 93H, or to work on or with information technology systems that contain such data as [here eligible entity should list the categories of such data that the vendor will be required to use] in order to fulfill part of its specified tasks. For purposes of this work effort, electronic personal data and personal information includes data provided by the MassIT to [Vendor Abbreviation] which may physically reside at a location owned and/or controlled by the Commonwealth or MassIT or [Vendor Abbreviation]. In connection with electronic personal data and personal information, [Vendor Abbreviation] shall implement the maximum feasible safeguards reasonably needed to: 5.2.1 5.2.2
5.2.3
Ensure the security, confidentiality and integrity of electronic personal data and personal information; Prevent unauthorized access to electronic personal data or personal information or any other Commonwealth Data from any public or private network; Notify MassIT immediately if any breach of such system or of the security, confidentiality, or integrity of electronic personal data or personal information occurs.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 23 of 59
5.2.4 5.3
[Vendor Abbreviation] represents that it has executed the EO504 Contractor Certification Form, which is attached hereto as Exhibit B. Software Integrity Controls [Address the following controls if applicable, usually in the case wherein the Vendor will be developing code and migrating that code to a production environment] [Vendor Abbreviation] and MassIT recognize the serious threat of fraud, misuse, and destruction or theft of data or funding. These threats could be introduced when unauthorized or inappropriate modifications are made to a production system. [Vendor Abbreviation] shall implement the following controls for the purpose of maintaining software integrity and traceability throughout the software creation life cycle, including during development, testing, and production: 5.3.1
[Vendor Abbreviation] shall configure at least two software environments including a development/quality assurance (QA) environment and a production environment.
5.3.2
[Vendor Abbreviation] shall implement a change management procedure to ensure that activities in the development/QA environment remain separate and distinct from the production environment. In particular the change management procedure shall incorporate at least the following: 5.3.2.1 Segregates duties between development and testing of software changes and migration of changes to the production environment; 5.3.2.2 Implements security controls to restrict individuals who have development or testing responsibilities from migrating changes to the production environment. 5.3.2.3 Includes a process to log and review all source control activities.
6.
5.3.3
[Vendor Abbreviation] shall implement a source control tool to ensure that all changes made to the production system are authorized, tested, and approved before migration to the production environment.
5.3.4
[Vendor Abbreviation] shall not make any development or code changes in a production environment.
5.3.5
[Vendor Abbreviation] shall implement additional internal controls as specified in [Eligible Entity and Vendor incorporate attachment if relevant].
ACCEPTANCE OR REJECTION PROCESS
[Vendor Abbreviation] will submit the required Deliverables specified in this SOW, or any Task Order entered into hereunder, to the MassIT Project Manager for approval and acceptance. MassIT will review work product for each of the Deliverables and evaluate whether each Deliverable has clearly met in all material respects the criteria established in this Agreement and the relevant Task Order specifications. Once reviewed and favorably evaluated, the Deliverables will be deemed acceptable.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 24 of 59
Within ten (10) working days of receipt of each Deliverable, the MassIT Project Manager will notify [Vendor Abbreviation], in writing, of the acceptance or rejection of said Deliverable using the acceptance criteria specified in this Section and associated with the Task or Deliverable specifications in this Agreement. A form signed by MassIT shall indicate acceptance. [Vendor Abbreviation] shall acknowledge receipt of acceptance forms in writing. Any rejection will include a written description of the defects of the Deliverable. If MassIT does not respond to the submission of the Deliverable, within five (5) working days of [Eligible Entity Abbreviation’s] receipt of each Deliverable, [Vendor Abbreviation] shall provide a reminder notice to the MassIT Project Manager. If MassIT fails to reject a Deliverable within five (5) business days after MassIT’s receipt of the reminder notice, the Task or Deliverable is deemed accepted. If MassIT rejects a Deliverable, [Vendor Abbreviation] will, upon receipt of such rejection, act diligently to correct the specified defects and deliver an updated version of the Deliverable to the Commonwealth. MassIT will then have an additional 5 (five) business days from receipt of the updated Deliverable to notify [Vendor Abbreviation], in writing, of the acceptance or rejection of the updated Deliverable. Any such rejections will include a description of the way in which the updated Deliverable fails to correct the previously reported deficiency. Following any acceptance of a Deliverable which requires additional work to be entirely compliant with the pertinent specifications, and until the next delivery, [Vendor Abbreviation] will use reasonable efforts to provide a prompt correction or workaround. 7.
PROJECT MANAGEMENT - Project Managers
[Vendor Abbreviation] and MassIT must notify the other party’s Project Managers of any change in the name, address, phone number, fax number, or email address of their respective Project Manager. 7.1
MassIT Project Manager
[INSERT NAME OF Eligible Entity Abbreviation Designed Project Manager, Eligible Entity Project Manager Title] (“MassIT’s Project Manager”) shall perform project management on behalf of MassIT for this engagement. MassIT’s Project Manager will:
7.1.1
Work closely with [Vendor Abbreviation] Project Manager to ensure successful completion of the project.
7.1.2
Consult with [Vendor Abbreviation] Project Manager to develop the Project Management Plan.
7.1.3
Review weekly status reports and schedule weekly meetings with [Vendor Abbreviation], as necessary.
7.1.4
Coordinate participation from [name other agencies and/or vendors] as required during the engagement.
7.1.5
Acquire MassIT project team members as needed.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 25 of 59
7.1.6
Coordinate MassIT’s review of the Deliverables and sign an acceptance form to signify acceptance for each accepted Deliverable.
MassIT’s Project Manager reports to [name and title], who reports to [name and title][repeat this phrase until last named individual is eligible entity head]. [Name individual, with title] will sign this SOW and all amendments hereto on behalf of MassIT. 7.2
Vendor Project Manager
[The parties may insert additional language in this Section to incorporate the vendor’s additional project management practices for project planning, tracking, reporting and management, including the types, frequency and contents of reports that will be provided by the developer to the Eligible Entity.]
[INSERT NAME OF Vendor Abbreviation Designed Project Manager, Vendor Project Manager Title] (“[Vendor Abbreviation]’s Project Manager”) shall perform project management on behalf of [Vendor Abbreviation] for this engagement. [Vendor Abbreviation]’s Project Manager will:
7.2.1
Be responsible for administering this Agreement and the managing of the day-to-day operations under this Agreement.
7.2.2
Serve as an interface between the MassIT Project Manager and all [Vendor Abbreviation] personnel participating in this engagement.
7.2.3
Develop and maintain the Project Management Plan, in consultation with the MassIT Project Manager.
7.2.4
Facilitate regular communication with the MassIT Project Manager, including weekly status reports/updates, and review the project performance against the project plan. Facilitate weekly project status meetings for the duration of the engagement.
7.2.5
Update the project plan on a weekly basis and distribute at weekly meetings for the duration of the engagement.
7.2.6
Sign acceptance forms to acknowledge their receipt from MassIT.
7.2.7
Be responsible for the management and deployment of [Vendor Abbreviation] personnel.
[Vendor Abbreviation]’s Project Manager reports to _____, who reports to_____ [repeat until reaching engagement partner or equivalent]. [Name and title], being an authorized signatory named in [Vendor Abbreviation]’s response to ITT46, will sign this SOW and all amendments thereto on behalf of [Vendor Abbreviation].
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 26 of 59
7.3 Issue Resolution
The Project Managers from each organization bear the primary responsibility for ensuring issue resolution. If they mutually agree that they are unable to resolve an issue, they are responsible for escalating the issue to [insert name and title of respective persons at Eligible Entity and vendor].
8.
Amendments to the Scope of Work
This Agreement may be amended prior to the end of the Term. The Project Manager who would like to request a change in scope for this engagement or any other terms contained within the Agreement, will provide the suggested amendment in writing to the other party’s Project Manager. The Project Managers will jointly determine whether the change impacts any terms contained within the Agreement. The parties may mutually agree to the change through a written amendment to this SOW. For any amendment entered into under this Agreement where [Vendor Abbreviation] will be providing services on a Time and Materials basis, the parties shall apply the Time and Materials terms as described in Section 12 of this SOW to the relevant Task Order. 9.
Personnel
9.1
Key Personnel
[Vendor Abbreviation] agrees to provide the following personnel for the following amounts of time for the duration of this project: TABLE 1 KEY PERSONNEL
Staff Members
Role
RFQ 15-24A – Disaster Recovery Notification SaaS
Time Commitment expressed as percentage of full time
Page 27 of 59
[Vendor Abbreviation] shall assign all of the foregoing personnel to this engagement on the time basis set forth in Table 1. In the event that a change is necessary, [Vendor Abbreviation] Project Manager will provide prompt written notice to MassIT Project Manager of the proposed change. If the personnel change is a result of a nonemergency, the [Vendor Abbreviation] Project Manager shall provide the MassIT Project Manager two-week written notice. For personnel changes that result from an emergency, [Vendor Abbreviation] Project Manager shall provide prompt written notice to MassIT Project Manager. MassIT Project Manager has the right to accept or reject all personnel. [Vendor Abbreviation]’s personnel must comply with MASSIT’s relevant Policies, Standards and Guidance, which may be located at www.mass.gov/itd and MASSIT’s workplace policies, which may be located at http://www.mass.gov/itdemployee/docs/hr/itd-employee-manual06-2014.doc. 9.2
Equipment, Work Space, Office Supplies
MassIT will provide [workspace, cubicles, standard office equipment, and standard network connectivity provided to state employees] for [Vendor Abbreviation] team members working on-site for activities defined by this SOW or in the relevant Task Order. [Vendor Abbreviation] will submit a list of employees who will need access to the building and to state systems before execution of this SOW. Any [Vendor Abbreviation] employees who have access to IT resources must comply with the “Acceptable Use Policy” (see www.mass.gov/itdmass.gov) or any alternative Acceptable Use Policy adopted by the MassIT. 9.3
Related Project Knowledge
In addition to the “Statewide Contract IT Specifications” and all other terms of ITT46, [Vendor Abbreviation] shall, prior to commencing any other work under this SOW, become familiar with the following documents: [here list any other material that the vendor must master in order to perform under the contract, such as prior studies, agreements, reports, etc.]. 9.4
Intellectual Property and Work Effort Agreement for [Vendor Abbreviation]’s Employees, Contractors and Consultants and Agents
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 28 of 59
[Vendor Abbreviation] shall ensure that each of [Vendor Abbreviation] personnel providing services under this SOW, regardless of whether the individual is an employee, contractor, or agent of [Vendor Abbreviation], shall, prior to rendering any services under this SOW, sign the “Intellectual Property and Work Effort Agreement for Vendor’s Employees, Contractors, Consultants, and Agents” (the “IPAWE Agreement”) which is attached hereto as Exhibit A. If [Vendor Abbreviation]’s personnel who will be rendering services under this SOW have already executed an agreement that, in the opinion of MassIT’s counsel, provides legal protection to the Commonwealth as strong as that provided by the IPAWE Agreement, [Vendor Abbreviation] may substitute such agreement in place of the IPAWE Agreement for such personnel. [Vendor Abbreviation] shall return the signed copies of the IPAWE Agreement, or the MassIT Project Manager’s pre-approved substitute agreement, to MassIT’s Project Manager prior to the rendering of any services under this SOW. 10.
MassGIS Web Mapping Services [Parties may delete this Section if not relevant for work efforts under this SOW]
MassGIS is the Commonwealth’s Office of Geographic and Environmental Information. Its legislative mandate includes coordinating GIS activities in the Commonwealth’s public agencies and distributing GIS data. MassGIS has also developed and is the host for the Commonwealth’s e-government geospatial web mapping initiative.
If [Vendor Abbreviation] will develop a capability for viewing maps and related information on an internet web site for MassIT, and if that web site will display map information available through MassGIS web mapping services (e.g., parcels, orthophotos, streets, wetlands), then [Vendor Abbreviation] shall use MassGIS geospatial web mapping services. MassGIS may grant a waivers of this requirement if [Vendor Abbreviation] demonstrates to MassGIS’ satisfaction that using the MassGIS web mapping services for the proposed application is not reasonably practical due to one or more of the following concerns:
10.1 10.2 10.3 10.4
Performance of the application would be degraded due to using the MassGIS services; The proposed application requires reliability that exceeds those that MassGIS can reasonably be expected to provide; The security requirements of the application preclude using the MassGIS services; Cost.
Waivers are not valid under this Agreement unless they are provided in writing by the Director or Assistant Director of MassGIS and the MassGIS Director or Assistant Director has indicated approval in writing.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 29 of 59
11.
ADDITIONAL TERMS 11.1
Code Review
All Deliverables that include software code or applications shall follow current industry design and best practices, including, but not limited to those published by The National Institute of Standards & Technology (NIST), the SANS (SysAdmin, Audit, Network, Security (SANS) Institute), and other recognized bodies. [Vendor Abbreviation] shall cooperate with [Eligible Entity’s Abbreviation’s] code review of the relevant software or application Deliverables. Prior to implementation or acceptance of a Deliverable, [Vendor Abbreviation] shall subject Deliverables that include software code or script to independent application review by MassIT or its delegated reviewer to validate that all applicable enterprise IT standards and security policies have been met, as well as other specifications as identified in this Agreement or the relevant Task Order. The review shall be performed by individuals other than [Vendor Abbreviation] or MassIT’s staff who developed the Deliverables. For purposes of this requirement, "independent" may include other staff of the MassIT provided no direct reporting relationships exist between the development and review organizations.
11.2
Warranty
Consistent with the ITT46 RFR, [Vendor Abbreviation] represents and warrants to MassIT that: 11.2.1 [Vendor Abbreviation] and its subcontractors are sufficiently staffed and equipped to fulfill [Vendor Abbreviation]’s obligations under this Agreement; 11.2.2 [Vendor Abbreviation]’s services will be performed: 11.2.2.1
By appropriately qualified and trained personnel;
11.2.2.2.
With due care and diligence and to a high standard of quality as is customary in the industry;
11.2.2.3
In compliance with the Milestone Schedule and the terms and conditions of this Agreement; and
11.2.2.4
In accordance with all applicable professional standards for the field of expertise;
11.2.3 Deliverables delivered under this Agreement will substantially conform with the Tasks and Deliverable descriptions set forth in this Agreement; 11.2.4 All media on which [Vendor Abbreviation] provides any software under this Agreement shall be free from defects; 11.2.5 All software delivered by [Vendor Abbreviation] under this Agreement shall be free of Trojan horses, back doors, and other malicious code; RFQ 15-24A – Disaster Recovery Notification SaaS
Page 30 of 59
11.2.6 [Vendor Abbreviation] has obtained all rights, grants, assignments, conveyances, licenses, permissions and authorizations necessary or incidental to any materials owned by third parties supplied or specified by [Vendor Abbreviation] for incorporation in the Deliverables to be developed; 11.2.7 Documentation provided by [Vendor Abbreviation] under this Agreement shall be in sufficient detail so as to allow suitably skilled, trained, and educated MassIT personnel to understand the operation of the Deliverables. [Vendor Abbreviation] shall promptly, at no additional cost to MassIT make corrections to any documentation that does not conform to this warranty; and 11.2.7 Any systems created or modified by [Vendor Abbreviation] under this SOW shall operate in substantial conformance with the specifications for the system or modifications for a minimum of three months (the “Warranty Period”) after Eligible Entity accepts such system or modifications pursuant to Section 6 of this SOW. During the Warranty Period, [Vendor Abbreviation] shall correct any Severity Level I, II or III defects, as defined in the RFR for ITT46, at no charge to MassIT.
11.3
Title and Intellectual Property Rights
[These terms will apply if [Vendor Abbreviation] will be developing or modifying software or will be developing Deliverables that contain other intellectual property. They are subject to negotiation. However, the approval of the General Counsel for the Eligible Entity is required for any changes to these terms.] 11.3.1 Definition of Property
The term Property as used herein includes the following forms of property: (1) confidential, proprietary, and trade secret information; (2) trademarks, trade names, discoveries, inventions processes, methods and improvements, whether or not patentable or subject to copyright protection and whether or not reduced to tangible form or reduced to practice; and (3) works of authorship, wherein such forms of property are required by [Vendor Abbreviation] to develop, test, and install the [name product to be developed] that may consist of computer programs (in object and source code form), scripts, data, documentation, the audio, visual and audiovisual content related to the layout and graphic presentation of the [name product to be developed], text, photographs, video, pictures, animation, sound recordings, training materials, images, techniques, methods, algorithms, program images, text visible on the Internet, HTML code and images, illustrations, graphics, pages, storyboards, writings, drawings,
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 31 of 59
sketches, models, samples, data, other technical or business information, reports, and other works of authorship fixed in any tangible medium. 11.3.2 Source of Property The development of the [name product to be developed] will involve intellectual property derived from four different sources: (1) a third party such as …[this provision may not apply to all contracts, but it could apply if [Vendor Abbreviation] is using third party intellectual property to perform tasks or deliver Deliverables, e.g. configuring another entity’s COTS]; (2) that developed by [Vendor Abbreviation] for the open market (e.g. [Vendor Abbreviation]’s commercial off the shelf software); (3) that developed by [Vendor Abbreviation] for other individual clients, or for internal purposes prior to the Effective Date of this Statement of Work and not delivered to any other client of [Vendor Abbreviation]’s; and (4) developed by [Vendor Abbreviation] specifically for the purposes of fulfilling its obligations to MassIT under the terms of this Agreement. Ownership of the first and second categories of intellectual property is addressed in separate agreements between MassIT and the contractors and resellers of work product. This Section of 11 the Statement of Work addresses exclusively ownership rights in the third and fourth categories of intellectual property. 11.3.3 [Vendor Abbreviation] Property and License
[Vendor Abbreviation] will retain all right, title and interest in and to all Property developed by it, i) for clients other than the Commonwealth, and ii) for internal purposes and not yet delivered to any client, including all copyright, patent, trade secret, trademark and other intellectual property rights created by [Vendor Abbreviation] in connection with such work (hereinafter the "[Vendor Abbreviation] Property"). MassIT acknowledges that its possession, installation or use of [Vendor Abbreviation] Property will not transfer to it any title to such property. MassIT acknowledges that [Vendor Abbreviation] Property contains or constitutes commercially valuable and proprietary trade secrets of [Vendor Abbreviation], the development of which involved the expenditure of substantial time and money and the use of skilled development experts. MassIT acknowledges that [Vendor Abbreviation] Property is being disclosed to MassIT to be used only as expressly permitted under the terms herein. MassIT will take no affirmative steps to disclose such information to third parties, and, if required to do so under the Commonwealth’s Public Records Law, M.G.L. c. 66 § 10, or by legal process, will promptly notify [Vendor Abbreviation] of the imminent disclosure so that [Vendor Abbreviation] can take steps to defend itself against such disclosure.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 32 of 59
Except as expressly authorized herein, MassIT will not copy, modify, distribute or transfer by any means, display, sublicense, rent, reverse engineer, decompile or disassemble [Vendor Abbreviation] Property. [Vendor Abbreviation] grants to MassIT, a fully-paid, royalty-free, non-exclusive, non-transferable, worldwide, irrevocable, perpetual, assignable license to make, have made, use, reproduce, distribute, modify, publicly display, publicly perform, digitally perform, transmit, copy, sublicense to any MassIT subcontractor for purposes of creating, implementing, maintaining or enhancing a Deliverable, and create derivative works based upon [Vendor Abbreviation] Property, in any media now known or hereafter known, to the extent the same are embodied in the Deliverables, or otherwise required to exploit the Deliverables. During the Term of this Agreement and immediately upon any expiration or termination thereof for any reason, [Vendor Abbreviation] will provide to MassIT the most current copies of any [Vendor Abbreviation] Property to which MassIT has rights pursuant to the foregoing, including any related documentation. Notwithstanding anything contained herein to the contrary, and notwithstanding MassIT’s use of [Vendor Abbreviation] Property under the license created herein, [Vendor Abbreviation] shall have all the rights and incidents of ownership with respect to [Vendor Abbreviation] Property, including the right to use such property for any purpose whatsoever and to grant licenses in the same to third parties. Vender shall not encumber or otherwise transfer any rights that would preclude a free and clear license grant to the Commonwealth. 11.3.4 Commonwealth Property In conformance with the Commonwealth’s Standard Terms and Conditions, all Deliverables created under this Agreement whether made by [Vendor Abbreviation], subcontractor or both are the property of MassIT, except for the [Vendor Abbreviation] Property embodied in the Deliverable. [Vendor Abbreviation] irrevocably and unconditionally sells, transfers and assigns to MassIT or its designee(s), the entire right, title, and interest in and to all intellectual property rights that it may now or hereafter possess in said Deliverables, except for the [Vendor Abbreviation] Property embodied in the Deliverables, and all derivative works thereof. This sale, transfer and assignment shall be effective immediately upon creation of each Deliverable and shall include all copyright, patent, trade secret, trademark and other intellectual property rights created by [Vendor Abbreviation] or [Vendor Abbreviation]’s subcontractor in connection with such work (hereinafter the "Commonwealth Property"). All copyrightable material contained within a Deliverable and created under this Agreement are works made for hire. [Vendor Abbreviation] bears the burden to prove that a work within a Deliverable was not created under this Agreement. If work is determined to not be made for hire or that designation is not sufficient to RFQ 15-24A – Disaster Recovery Notification SaaS
Page 33 of 59
secure rights, to the fullest extent allowable and for the full term of protection otherwise accorded to [Vendor Abbreviation] under such law, [Vendor Abbreviation] shall and hereby irrevocably does, assign and transfer to MassIT free from all liens and other encumbrances or restrictions, all right, title and interest [Vendor Abbreviation] may have or come to have in and to such Deliverable. [Vendor Abbreviation] HEREBY WAIVES IN FAVOR OF MassIT (AND SHALL CAUSE ITS PERSONNEL TO WAIVE IN FAVOR OF CLIENT IN WRITING SIGNED BY SUCH PERSONNEL) ANY AND ALL ARTIST’S OR MORAL RIGHTS (INCLUDING, WITHOUT LIMITATION, ALL RIGHTS OF INTEGRITY AND ATTRIBUTION) IT MAY HAVE PURSUANT TO ANY STATE OR FEDERAL LAWS OF THE UNITED STATES IN RESPECT TO ANY DELIVERABLE AND ALL SIMILAR RIGHTS UNDER THE LAWS OF ALL OTHER APPLICABLE JURISDICTIONS. [Vendor Abbreviation] agrees to execute all documents and take all actions that may be reasonably requested by MassIT to evidence the transfer of ownership of or license to intellectual property rights described in this Section 11, including providing any code used exclusively to develop such Deliverables for MassIT and the documentation for such code. [Vendor Abbreviation] acknowledges that there are currently and that there may be future rights that the Commonwealth may otherwise become entitled to with respect to Commonwealth Property that does not yet exist, as well as new uses, media, means and forms of exploitation, current or future technology yet to be developed, and that [Vendor Abbreviation] specifically intends the foregoing ownership or rights by the Commonwealth to include all such now known or unknown uses, media and forms of exploitation.
The Commonwealth retains all right, title and interest in and to all derivative works of Commonwealth Property.
MassIT hereby grants to [Vendor Abbreviation] a nonexclusive, revocable license to use, copy, modify and prepare derivative works of Commonwealth Property only during the Term and only for the purpose of performing services and developing Deliverables for the MassIT under this Agreement. With respect to web site development contracts, MassIT will bear sole responsibility for registering the software or system domain name or URL, applying for any trademark registration relating to the software or system domain name or URL and applying for any copyright registration related to its copyright ownership with respect to any Commonwealth Property. 11.3.5 Third-party Intellectual Property
If the Deliverables contain or will contain any third-party intellectual property to which [Vendor Abbreviation] intends to provide a sublicense, [Vendor RFQ 15-24A – Disaster Recovery Notification SaaS
Page 34 of 59
Abbreviation] must provide copies of all such sublicense agreements as early in the process as possible. The sublicense agreements must be included in [Vendor Abbreviation]’s initial quotation to the MassIT, or, if the requirement to utilize sublicensed intellectual property is not known at the outset of the project, as soon as the requirement becomes known. Sublicenses to third-party intellectual property can ONLY be provided under ITT46 if they are provided at no charge to the Commonwealth. 11.4
MassIT’s Responsibilities In addition to the Tasks set forth in ”Equipment, Work Space, Office Supplies,” MassIT shall be responsible for the following [insert any additional obligations that Eligible Entity must fulfill; use this section sparingly; include responsibility for procuring hardware and commercial off the shelf software licenses or providing travel reimbursement.].
11.5
Software Escrow
[Address software escrow if applicable, usually in the case wherein Eligible Entity is purchasing a system based on code that will not be owned by the Commonwealth. If the Commonwealth will own the code, software escrow is not needed unless the code will be shared by multiple agencies.]
12.
[VENDOR ABBREVIATION] TASKS AND DELIVERABLES
This Section describes the Deliverables that [Vendor Abbreviation] will provide to MassIT and the Tasks that [Vendor Abbreviation] will complete by the end of the engagement described in this SOW. A Task or Deliverable will be considered “complete” when all the acceptance criteria set forth in this SOW have been met or the prescribed review period for each Deliverable or Task has expired without written response from MassIT. The Task/Deliverable numbers are referred to in subsequent sections throughout this SOW.
All written documents shall be delivered in machine-readable format, capable of being completely and accurately reproduced by computer software on a laser printer. All itemized and/or annotated lists shall be delivered in computer spreadsheets, capable of being imported to Microsoft Excel 2010 or Microsoft Word. All meetings shall be held at 200 Arlington Street, #2100, Chelsea, MA unless agreed to otherwise by the Project Managers. Meetings must be scheduled at least three full business days in advance, with reasonable accommodation of attendees’ schedules. All meeting results will be described in a follow-up report generated by [Vendor Abbreviation] Project Manager and approved by the MassIT Project Manager.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 35 of 59
12.1
Fixed Price Tasks and Deliverables:
[ELIGIBLE ENTITY AND VENDOR INSERT: Draft the specific description for each fixed price Task or Deliverable that is material for completion of services and deliverables for work efforts under the RFQ.]
For the Fixed Price Tasks and Deliverables of this Agreement, [Vendor Abbreviation] shall perform Tasks or deliver Deliverables in conformance with the Description and Metrics of Acceptance on or before Milestone Schedule date set forth in Table 2.
TABLE 2 Deliverables and Tasks Deliverable or Task Deliverable or Number Task Name 1.1
Description and Metrics of Acceptance
Milestone Schedule (Due Date)
[For each Deliverable or Task, describe Deliverable and list metrics for acceptance]
1.2
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 36 of 59
Deliverable or Task Deliverable or Number Task Name
12.2
Description and Metrics of Acceptance
Milestone Schedule (Due Date)
Time and Materials Personnel
[VENDOR ABBREVIATION] agrees to provide the following Named Resources, whose resume is attached hereto as Exhibit [INSERT NUMBER], on a Time and Materials basis and as described in any relevant Task Order entered into hereunder: TABLE 3 Time and Materials Resources
Named Resource
12.3
Title
Hourly Rate
Payment Terms
All payments under this Agreement shall be made in accordance with the Commonwealth's bill paying policy.
12.1.1 Fixed Price Payments for Tasks and Deliverables A Deliverable or Task will be considered “completed” when MassIT has determined that the acceptance criteria for that specific Deliverable or Task has been met as specified in Table 4 of this SOW or the relevant Task Order, and elsewhere in this Agreement. [Vendor Abbreviation] agrees to invoice the Commonwealth for the Deliverables or work completed per the requirements set forth in this SOW and the relevant Task Order. MassIT will make payments to [Vendor Abbreviation] only after receiving an accurate invoice for Tasks and Deliverables completed and accepted pursuant to Section 6 of this SOW. Payments for specific Tasks and Deliverables shall be made in accordance with Table 4 below. TABLE 4 Fixed Price Deliverables and Tasks
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 37 of 59
Deliverable Deliverable or Task Name or Task Number
Milestone Payment
1.1 1.2
12.1.2 Time and Materials Payments For the Time and Materials Services provided in any Task Order entered hereunder, [VENDOR ABBREVIATION] shall complete the work described in the relevant Task Order and as scheduled through weekly planning meetings. [VENDOR ABBREVIATION] will submit weekly reports to the MassIT Project Manager detailing the hours actually worked by the Named Resource performing Time and Materials work and described herein or in the relevant Task Order. The weekly reporting must show actual resource hours worked against assigned tasks. [VENDOR ABBREVIATION] will also report weekly to the MassIT Project Manager its expected work effort the forthcoming week, showing the Named Resource’s expected level of effort. The Named Resource will be authorized for work without the prior review and authorization by the MassIT Project Manager.
[VENDOR ABBREVIATION] shall provide a bi-weekly invoice to MassIT Project Manager for the actual hours worked per week of the Named Resource identified in Table 3. No invoice will exceed 37.5 hours per week per resource, and the total payments under this SOW or the relevant Task Order will not exceed the authorized hours or the total authorized amount as identified in the relevant Task Order. The MassIT Project Manager will review and approve these invoices based on satisfactory work performance by the Named Resource. The MassIT Project Manager may terminate use of the Named Resource by providing ten (10) days written notice to [VENDOR ABBREVIATION] Project Manager. If termination is “For Cause”, or for a violation of a term of this Agreement, MassIT may terminate use of the Named Resource effective immediately by providing written notice to [VENDOR ABBREVIATION] Project Manager.
13.
TRANSFER OF ENGAGEMENT PRODUCTS AT CONTRACT TERMINATION
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 38 of 59
[Address any special requirements for transfer of the application and/or other engagement products to the Commonwealth or to another vendor at Contract Termination.] 14.
MAINTENANCE
[Eligible Entity and Vendor: Address maintenance to be provided by vendor, if any, and cost thereof]
The undersigned hereby represent that they are duly authorized to execute this SOW on behalf of their respective organizations.
[Eligible Entity Name]
[Eligible Entity Signatory and Title]
Date
RFQ 15-24A – Disaster Recovery Notification SaaS
[Vendor Name]
[Vendor Signatory and Title]
Date
Page 39 of 59
EXHIBIT A Intellectual Property and Work Effort Agreement for Vendor’s Employees, Consultants, and Agents Confidentiality, Assignment of Inventions and Representation of Non-Infringement Agreement; Other Representations The undersigned hereby acknowledges that he or she is an employee or consultant to of the following vendor of the Commonwealth of Massachusetts:
Name of Vendor: ________________________ (“Vendor”) and desires to be assigned by the Vendor to perform services for the Commonwealth, and that the Vendor desires to assign you to perform services on one or more projects for the Commonwealth, but only under the condition that you sign this Agreement and agree to be bound by all of its terms and conditions.
NOW THEREFORE, in consideration of your assignment to work for the Commonwealth, the access you have to the confidential information of the Commonwealth, and for other good and valuable consideration, the parties agree as follows:
1. Confidentiality of the Commonwealth’s Materials. You agree that both during your assignment at the Commonwealth and thereafter you will not use for your own benefit, or divulge or disclose to anyone except to persons within the Commonwealth whose positions require them to know it, any information not already lawfully available to the public concerning the Commonwealth (“Confidential Information”), including but not limited to information regarding any website of the Commonwealth, any e-commerce products or services, any web development strategy, any financial information or any information regarding users of or vendors to the Commonwealth’s websites. Confidential Information also includes, without limitation, any technical data, design, pattern, formula, computer program, source code, object code, algorithm, subroutine, manual, product specification, or plan for a new, revised or existing product or web site; any business, marketing, financial or sales information; and the present or future plans of the Commonwealth with respect to the development of its web sites and web services. 2. All Developments the Property of the Commonwealth. All confidential, proprietary or other trade secret information and all other works of authorship, trademarks, trade names, discoveries, inventions, processes, methods and improvements, conceived, developed, or otherwise made by you, alone or with others, and in any way relating to the Commonwealth or any of its web development projects, whether or not patentable or RFQ 15-24A – Disaster Recovery Notification SaaS
Page 40 of 59
subject to copyright protection and whether or not reduced to tangible form or reduced to practice during the period of your assignment with the Commonwealth (“Developments”) shall be the sole property of the Vendor’s customer, the Commonwealth. All copyrightable material contained within a Development during the period of your assignment with the Commonwealth are works made for hire. You bear the burden to prove that a work was not made during the period of your assignment with the Commonwealth. If a work is determined to not be made for hire or that designation is not sufficient to secure rights, to the fullest extent allowable and for the full term of protection otherwise accorded to you under such law, you shall and hereby irrevocably do, assign and transfer to the Commonwealth free from all liens and other encumbrances or restrictions, all right, title and interest you may have or come to have in and to such Development. YOU HEREBY WAIVE IN FAVOR OF THE COMMONWEALTH ANY AND ALL ARTIST’S OR MORAL RIGHTS (INCLUDING, WITHOUT LIMITATION, ALL RIGHTS OF INTEGRITY AND ATTRIBUTION) YOU MAY HAVE PURSUANT TO ANY STATE OR FEDERAL LAWS OF THE UNITED STATES IN RESPECT TO ANY DELIVERABLE AND ALL SIMILAR RIGHTS UNDER THE LAWS OF ALL OTHER APPLICABLE JURISDICTIONS. You agree to disclose all Developments promptly, fully and in writing to the Commonwealth promptly after development of the same, and at any time upon request. You agree to, and hereby do assign to the Commonwealth all your right, title and interest throughout the world in and to all Developments without any obligation on the part of the Commonwealth to pay royalties or any other consideration to you in respect of such Developments. You agree to assist the Vendor’s customer the Commonwealth, (without charge, but at no cost to you) to obtain and maintain for itself such rights. 3. Return of the Commonwealth’s Materials. At the time of the termination of your assignment with the Commonwealth, you agree to return to the Commonwealth all Commonwealth materials, documents and property, in your possession or control, including without limitation, all materials relating to work done while assigned by the Vendor to projects for Commonwealth or relating to the processes and materials of the Commonwealth. You also agree to return to the Commonwealth all materials concerning past, present and future or potential products and/or services of the Commonwealth. You also agree to return to the Commonwealth all materials provided by persons doing business with the Commonwealth and all teaching materials provided by the Commonwealth. 4. Representation of Non-Infringement. You hereby represent and warrant that, to your best knowledge, no software, no web content and no other intellectual property that you develop during your assignment to and deliver to the Commonwealth, and no Developments made by you and assigned to the Commonwealth pursuant to Section 2 above, shall infringe a patent, copyright, trade secret or other proprietary or intellectual property right of any third party. 5. No Conflicting Agreements. You represent and warrant that you are not a party to any agreement or arrangement which would constitute a conflict of interest with the
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 41 of 59
obligations undertaken hereunder or would prevent you from carrying out your obligations hereunder. 6. Tax Payments. You hereby represent and warrant that you have paid all due state and federal taxes, or, if your tax status is in dispute or in the process of settlement, that you have responded as directed and within the required timeframes to all communications received from the state or federal government. 7. You acknowledge that you are not an employee of any Massachusetts state or municipal government Eligible Entity, and are not entitled to any benefits, guarantees or other rights granted to state or municipal government agencies, including but not limited to group insurance, disability insurance, paid vacations, sick leave or other leave, retirements plans, health plans, or premium overtime pay. Should you be deemed to be entitled to receive any such benefits by operation of law or otherwise, you expressly waive any claim or entitlement to receiving such benefits from Massachusetts state or municipal government agencies. 8. Miscellaneous: a. The Commonwealth is a third party beneficiary of this Agreement with full rights to enforce its terms directly b. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof, superseding any previous oral or written agreements. c. Your obligations under this Agreement shall survive the termination of your assignment with the Commonwealth regardless of the manner of or reasons for such termination. Your obligations under this Agreement shall be binding upon and shall inure to the benefits of the heirs, assigns, executors, administrators and representatives of the parties. d. You agree that the terms of this Agreement are reasonable and properly required for the adequate protection of our customer the Commonwealth’s legitimate business interests. You agree that in the event that any of the provisions of this Agreement are determined by a court of competent jurisdiction to be contrary to any applicable statute, law, rule, or policy or for any reason unenforceable as written, then such court may modify any of such provisions so as to permit enforcement thereof to the maximum extent permissible as thus modified. Further, you agree that any finding by a court of competent jurisdiction that any provision of this Agreement is contrary to any applicable statute, law, or policy or for any reason unenforceable as written shall have no effect upon any other provisions and all other provisions shall remain in full force and effect. e. You agree that any breach of this Agreement will cause immediate and irreparable harm to the Vendor’s customer the Commonwealth not compensable by monetary damages and that the Commonwealth will be entitled to obtain injunctive relief, in addition to all other relief, in any court of competent
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 42 of 59
jurisdiction, to enforce the terms of this Agreement, without having to prove or show any actual damage to the Commonwealth. f.
No failure to insist upon strict compliance with any of the terms, covenants, or conditions hereof, and no delay or omission in exercising any right under this Agreement, will operate as a waiver of such terms, covenants, conditions or rights. A waiver or consent given on any one occasion is effective only in that instance and will not be construed as a bar to or waiver of any right on any other occasion.
g. This Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, without regard to the doctrine of conflicts of law. This Agreement is executed under seal. The undersigned believes that this Agreement imposes reasonable standards of conduct for all of the employees, consultants, and agents of the vendor on assignment at the Commonwealth, and that this Agreement will serve to best protect the interests of all involved parties. If you agree with the terms set forth herein, please sign and return this Agreement.
Intellectual Property and Work Effort Agreement for Vendor’s Employees, Consultants, and Agents Confidentiality, Assignment of Inventions and Representation of Non-Infringement Agreement; Other Representations Agreed and Accepted:
Name of Employee, Consultant, or Agent Signature Date Name of Vendor Vendor Signature Vendor Signatory Name Vendor Signatory Title Vendor Signature Date
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 43 of 59
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 44 of 59
Attachment C ACCESSIBILITY OBLIGATIONS FOR RFQ BIDDERS The successful Bidder (referred to herein as the “Vendor”) must comply with the Commonwealth’s established standards for accessibility as described herein. Overview Bidders should thoroughly review the detailed accessibility obligations below. As a brief summary, Bidders and the Vendor must: Prior to contract execution Provide a VPAT or accessibility testing results for any pre-existing software, including Third Party Software, that Vendor is delivering to the Commonwealth If Vendor is delivering a SaaS offering, provide access to the offering for accessibility testing Cooperate with the Commonwealth on addressing accessibility issues and entering into a mitigation letter if necessary After contract execution Build accessibility into every phase of the project Collaborate with the Commonwealth and the AAC on accessibility issues Test for accessibility before delivery and include testing results with all deliveries Cooperate with the Commonwealth’s accessibility testing after delivery Work to resolve any issues identified in testing and in the mitigation letter Definitions The “AT/IT List” is the Assistive Technology (“AT”)/Information Technology (“IT”) Environment List, which may be attached to this RFQ or available at www.mass.gov/accessibility/. “End User Deliverables” are any software, documentation, and other interfaces or materials, and any configuration, implementation, or customization thereof, used by end users and delivered by Vendor under this RFQ. End User Deliverables include, without limitation: any configuration, implementation, or customization of Third Party Software or vendor software; and any updates, new releases, versions, upgrades, improvements, bug fixes, patches or other modifications to software. “Enterprise Accessibility Standards” are the Enterprise Information Technology Accessibility Standards and the MassIT Web Accessibility Standards Version 2, available at www.mass.gov/accessibility/. The term “software,” as used in these accessibility requirements, includes without limitation commercial off-the-shelf software (“COTS”) and software as a service (“SaaS”). “Third Party Software” is software not published by Vendor. A “VPAT” is a Voluntary Product Accessibility Template based on the standardized form developed by the Information Technology Industry Council. A VPAT shows how a software product meets key regulations of Section 508 of the Rehabilitation Act, which requires all
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 45 of 59
agencies and departments of the U.S. federal government to make electronic information and technology accessible to federal employees and members of the public with disabilities.
Accessibility Obligations For SaaS service providers that are publicly held companies, the following accessibility rules apply: A. Vendor must submit a VPAT for the applicable cloud products with its bid. The extent to which the applicable cloud products, at the time of delivery, capable of providing comparable access to individuals with disabilities consistent with the applicable provisions of the Architectural and Transportation Barriers Compliance Board standards set out in 36 CFR Part 1194 (known as 'Section 508'), in effect as of the date of this Agreement, and the Web Content Accessibility Guidelines (WCAG), must be indicated by the comments and exceptions (if any) noted on the VPAT. B. Prior to contract execution, and preferably at the time that Vendor responds to the RFQ: 1.
Vendor will provide the Commonwealth with access to the applicable cloud products for purposes of conducting accessibility testing. The Commonwealth may conduct such accessibility testing directly and/or through a third party engaged by the Commonwealth at its expense.
2.
Upon request, Vendor must provide the Commonwealth with accessibility-related content in the technical reference manual or program documentation for the applicable cloud product.
3.
In connection with its accessibility testing as permitted above, the Commonwealth shall have the right to configure the applicable cloud product in accordance with the technical reference manual or program documentation for the Commonwealth’s accessibility needs.
C. Based on the results of the Commonwealth’s accessibility testing, the Commonwealth will determine whether it can proceed with considering Vendor’s bid. In the event that the Commonwealth does elect to keep Vendor’s bid in consideration, the Commonwealth (1) may require Vendor to enter into an agreement detailing the results of the accessibility testing, (2) will assume the risk of any non-conformance with the Commonwealth’s accessibility standards, and (3) requests that the selected Vendor make commercially reasonable efforts to correct any serious accessibility issues during the course of the engagement.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 46 of 59
For SaaS service providers that are privately held companies, the following accessibility rules apply: 1. Compliance with Commonwealth Standards Vendor is responsible for addressing accessibility problems in any implementation, configuration, or documentation delivered or performed by Vendor, and in any software published by Vendor and delivered under this RFQ. Vendor shall ensure that all End User Deliverables adhere to the current version (as of the date of this RFQ) of the Enterprise Accessibility Standards and interoperate with the environments listed on the AT/IT List. Vendor is encouraged to measure accessibility compliance using the World Wide Web Consortium's Web Content Authoring Guidelines, version 2, level AA (the WCAG2 Standards), as defined at http://www.w3.org/WAI/intro/wcag.php, in place of (1) Section 2, Technical Standards – Applications of the Enterprise Information Technology Accessibility Standards, and (2) Sections 1 through 5 and Section 8 of the MassIT Web Accessibility Standards. Vendor must ensure that accessibility and usability are addressed at every stage of the project. At the commencement of any project under this RFQ, prior to beginning any significant design or implementation work, Vendor’s project manager shall meet with the Commonwealth’s project manager and appropriate resources to review the Enterprise Accessibility Standards, the AT/IT List, and any accessibility guidance provided by software vendors, in order to discuss their impact on the project. On an ongoing basis, Vendor must incorporate accessibility testing into all test plans, and include users of assistive technology in end user testing. 2. Accessibility Testing Vendors The Commonwealth shall hire a third party Accessibility Testing Vendor to conduct accessibility testing for this project on the Commonwealth’s behalf. The Accessibility Testing Vendor will test each End User Deliverable against the Enterprise Accessibility Standards, and for interoperability with the AT and the IT environment described in the AT/IT List. Vendor shall cooperate with the Accessibility Testing Vendor. The Accessibility Testing Vendor’s testing will be in addition to Vendor’s own accessibility testing. Vendor may either use its internal resources or may hire its own third party accessibility testing vendor to conduct testing. 3. Accessibility Advisory Committee (AAC) The Commonwealth and Vendor will collaborate and communicate throughout the process of creating the End User Deliverables with any vendors of Third Party Software, and with the Accessibility Advisory Committee. The AAC shall be comprised of at least one representative from each Vendor and the Commonwealth, and representatives of certain agencies designated by the Commonwealth such as the Massachusetts Office on Disability, Executive Department disability coordinators, Massachusetts Rehabilitation Commission, Massachusetts Commission for the Blind and Massachusetts Commission on the Deaf and Hard of Hearing.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 47 of 59
The AAC shall convene its first meeting no later than ten (10) calendar days after the Effective Date of any Contract entered under this RFQ. Following this initial meeting, the AAC shall meet as mutually agreed to by the Commonwealth and Vendor in consultation with the AAC, but at a minimum, once a quarter. The purpose of these meetings shall be to prioritize the list of accessibility defects identified by the Vendor and/or the Commonwealth (through its Accessibility Testing Vendor), discuss any questions relating to accessibility testing and accessibility requirements, and to ensure that any concerns raised by a member of the AAC or a third party regarding accessibility of the Services are discussed, identified and addressed. 4. Training and Documentation Vendor shall coordinate with the Commonwealth and the AAC in the identification of all prospective attendees at Vendor training who require accommodation, and shall cooperate with the Commonwealth in its provision of such accommodation. All administrator and end user documentation and any training materials delivered by Vendor under this RFQ (whether in a classroom or online) must be accessible to users with disabilities, and must include alternative keyboard commands wherever a mouse command is specified. All such materials delivered under this RFQ and wholly owned by MassIT shall be in an agreedupon editable format. 5. Testing Accessibility testing must be incorporated as part of Vendor’s overall quality assurance process. Vendor shall test end user software for accessibility during any or all of unit testing, integration testing, final acceptance testing and system testing. 5.1 Testing of End User Deliverables Vendor shall test every End User Deliverable against the Enterprise Accessibility Standards, and for interoperability with the AT and IT environment listed in the AT/IT List. Vendor shall resolve any problems identified in such testing prior to delivering the End User Deliverable to the Commonwealth. Vendor shall deliver to the Commonwealth the results of the final testing, with all accessibility problems resolved, at the same time it delivers the End User Deliverable. The Commonwealth will conduct its own testing of the End User Deliverables following delivery by Vendor. 5.2 Testing of Third Party Software While Vendor is obligated to test any configuration, customization, or other modification it makes to Third Party Software, Vendor is not responsible for testing out-of-the-box, non-configured third party software for which accessibility testing has already been conducted and test results have already been provided to the Commonwealth in the form of a satisfactorily VPAT provided in response to this RFQ. If Vendor is recommending or providing Third Party Software is response to this RFQ, Vendor is responsible for working with the Commonwealth and the publisher of such Third Party Software to identify and resolve accessibility issues. However, if Vendor is configuring, installing, or otherwise working with Third Party Software that the Vendor did not recommend or provide to the Commonwealth, Vendor is not responsible for accessibility issues for such Third Party RFQ 15-24A – Disaster Recovery Notification SaaS
Page 48 of 59
Software that are not related to Vendor’s configuration, customization, or other modification of such Third Party Software. 5.3 Failure to Comply; Repeat Testing Following Vendor’s testing described above, the Commonwealth will test the End User Deliverables for compliance with the Enterprise Accessibility Standards and interoperability with the environments listed on the AT/IT List. If any End User Deliverables fail the Commonwealth’s initial post-delivery accessibility testing, Vendor shall provide a credit to the Commonwealth for any repeat Commonwealth testing that is needed. Such credits shall not exceed 5% of either (1) the total fixed price due Vendor under the initial contract resulting from this RFQ, or (2) the total not-to-exceed amount of the initial contract resulting from this RFQ if entered under a time and materials basis. 5.4 VPAT and Mitigation Letters Prior to Contract execution, Vendor must provide VPATs for any existing Vendor and third-party software with which end users will interact. With respect to software for which Vendor cannot provide satisfactorily detailed VPATs, Vendor shall provide any alternative accessibility testing information or test results to which it has access. If the Commonwealth determines that accessibility issues exist but can be resolved or mitigated after Contract execution, the Commonwealth may at its discretion file a request for a mitigation letter with MassIT’s Director of Accessibility. The mitigation letter permits the Commonwealth to enter into a contract with Vendor, provided that the Vendor cooperates with the Commonwealth in resolving or mitigating the accessibility problems within a reasonable period, to be specified in the mitigation letter, following contract execution. Any mitigation letter shall become part of the Contract resulting from this RFQ. 6. Obligations for SaaS Vendors For SaaS offerings, the Commonwealth reserves the right to test for accessibility or to engage a third party Accessibility Testing Vendor to test for accessibility prior to selecting a vendor. Bidders must cooperate with the Commonwealth or the Accessibility Testing Vendor, including providing appropriate access for such testing. The results of such accessibility testing, and the cooperation of the Bidder, will be taken into account in scoring and selecting a Vendor. If Vendor is a SaaS provider with over 500,000 users for the SaaS offering bid in response to this RFQ, the Commonwealth will negotiate with Vendor a commercially reasonable time for compliance with the Enterprise Accessibility Standards and interoperability with the environments on the AT/IT List. 7. Prioritizing and Remediating Accessibility Issues Vendor shall collaborate with the Commonwealth, the AAC and the Accessibility Testing Vendor to prioritize accessibility defects based on severity.
Vendor shall be responsible for curing each instance identified by the Commonwealth or by its own accessibility testing in which the End User Deliverables fail to comply with the Enterprise
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 49 of 59
Accessibility Standards or interoperate with the environments specified on the AT/IT List. Accessibility issues which pose a very minor inconvenience to disabled users but do not prevent them from using the software may not need to be remediated. Correction of accessibility issues may require, among other things, writing new core code, shutting off inaccessible features, providing users with third party software in addition to their assistive technology, or providing disabled users with an alternative pathway to the inaccessible feature or the business process that it automates. 8. Ongoing Maintenance If the Vendor has agreed to perform maintenance for the Commonwealth, Vendor’s obligations above apply to its performance of maintenance. During the maintenance period, unless otherwise agreed in writing by Vendor and the Commonwealth, Vendor must ensure that the system continues to interoperate with the environments specified on the AT/IT List, including any changes to the AT/IT List that occur during the maintenance period, and must collaborate with the Commonwealth and any pertinent Third Party Software vendor and Accessibility Testing Vendor to correct any problems identified regarding interoperability.
RFQ 15-24A – Disaster Recovery Notification SaaS
Page 50 of 59
ATTACHMENT D SAAS TERMS
LICENSE TERMS 1. Agreement must include (i) a license to access and use the service, (ii) a license to use underlying software as embodied or used in the service, and (iii) a license to view, copy, download (if applicable), and use documentation. 2. Licenses must be irrevocable during the term of the Agreement. 3. No terms shall apply to the Commonwealth that the Commonwealth has not expressly agreed to by including them in a signed agreement, including a standard click-through license or website terms of use or privacy policy.
SUPPORT AND TRAINING 1. Service Provider must provide technical support via online helpdesk and toll-free phone number at least during Business Hours (Monday through Friday from 8:00 a.m. to 6:00 p.m. Eastern Time). 2. Service Provider must make accessible training available online to users. 3. All support and training shall be provided at no cost to the Commonwealth, except for customized support and training expressly requested by the Commonwealth.
SERVICE LEVELS Service Provider must provide a Service Level Agreement (SLA) that contains, at minimum: 1. Specified guaranteed annual or monthly uptime percentage; at minimum 99.99%. 2. Uptime percentage may include scheduled maintenance, but should not include unscheduled maintenance 3. Scheduled maintenance must occur at agreed-upon times when a minimum number of users will be using the system and in no event during Business Hours 4. Service Provider must provide at least two (2) business days’ advance notice of scheduled maintenance 5. Scheduled maintenance must not exceed ten (10) hours in a month; scheduled maintenance in excess of 20 hours will constitute downtime 6. Response and resolution times for defects 7. At least three levels of defect classifications (severe, medium, low) 8. The Commonwealth and Service Provider should cooperate to classify defects
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 51
9. Any other applicable performance metrics (e.g., latency, transaction time) based on industry standards 10. Service Provider shall provide the Commonwealth with a written report of performance metrics, including uptime percentage and record of service support requests, classifications, and response and resolution times, at least [monthly] [quarterly] or as requested by the Commonwealth. 11. Representatives of Service Provider and Customer shall meet as often as may be reasonably requested by either party, but no less often than once each calendar quarter, to review the performance of the Service and to discuss technical plans, financial matters, system performance, service levels, and any other matters related to this Agreement. 12. Remedies for failure to meet guaranteed uptime percentage, response and resolution times, and other metrics, which may include fee reductions and extensions in service period at no cost 13. Repeated failures to meet SLA metrics result in (1) a refund of all fees paid by the Commonwealth for the period in which the failure occurred; (2) development by Service Provider in a root cause analysis and corrective action plan at the Commonwealth’s request; and (3) a right for the Commonwealth to terminate without penalty and without waiver of any rights upon written notice to Service Provider 14. Regular status reports during unscheduled downtime, at least twice per day or upon request 15. Root cause analysis within thirty (30) days of unscheduled downtime
UPDATES AND UPGRADES 1. Service Provider will make updates and upgrades available to the Commonwealth at no additional cost when Service Provider makes such updates and upgrades generally available to its users. 2. Service Provider will notify the Commonwealth at least sixty (60) days in advance prior to any major update or upgrade. 3. Service Provider will notify the Commonwealth at least five (5) business days in advance prior to any minor update or upgrade, including hotfixes and installation of service packs. 4. No update, upgrade or other change to the Service may decrease the Service’s functionality, adversely affect the Commonwealth’s use of or access to the Service, or increase the cost of the Service to the Commonwealth.
CUSTOMER DATA 1. The Commonwealth retains full right and title to data provided by the Commonwealth and any data derived therefrom, including metadata (collectively, the Customer Data).
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 52
2. Service Provider shall not collect, access, or use user-specific Customer Data except as strictly necessary to provide Service to the Commonwealth. No information regarding the Commonwealth’s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall extend beyond the term of the Agreement in perpetuity. 3. Service Provider shall not use any information collected in connection with the Agreement, including the Customer Data, for any purpose other than fulfilling its obligations under the Agreement. 4. At no time may any Data or processes which either belong to Customer, or are intended for Customer’s exclusive use, be copied, disclosed, or retained by Service Provider for subsequent use in any transaction that does not include Customer. 5. Customer Data must remain at all times within the continental United States. Service Provider must disclose to the Commonwealth the identity of any third-party host of Customer Data prior to the signing of this Agreement. 6. The Commonwealth may export the Customer Data at any time during the term of the Agreement or for up to three (3) months after the term (so long as the Customer Data remains in the Service Provider’s possession) in a commonly used or agreed-upon file format and medium. 7. Three (3) months after the termination or expiration of the Agreement or upon the Commonwealth’s earlier written request, Service Provider shall at its own expense destroy and erase from all systems it directly or indirectly uses or controls all tangible or intangible forms of Customer’s Data or Confidential Information, in whole or in part, and all copies thereof except such records as are required by law. To the extent that any applicable law prevents Service Provider from destroying or erasing Customer Data as described in the preceding sentence, Service Provider shall retain, in its then current state, all such Customer Data then within its right of control or possession in accordance with the confidentiality, security and other requirements of this Agreement, and perform its obligations under this section as soon as such law no longer prevents it from doing so.
DATA PRIVACY AND SECURITY 1. Service Provider must comply with all applicable laws related to data privacy and security. 2. Service Provider shall provide a secure environment for Customer Data, and any hardware and software, including servers, network and data components provided by Service Provider as part of its performance under this Agreement, in order to protect, and prevent unauthorized access to and use or modification of, the Service and Customer Data. The secure environment must include, without limitation: (i) industry standard firewalls; (ii) industry standard encryption; and (iii) physical security measures, including securing all Customer Data on a secure server in locked data cabinets. 3. Customer Data must be partitioned from other data in such a manner that it will not be impacted or forfeited due to e-discovery, search and seizure or other actions by third parties RFQ 15-24A – Disaster Recovery Notification BusRef
Page 53
obtaining or attempting to obtain Service Provider’s records, information or data for reasons or activities that are not directly related to the Commonwealth’s business. 4. Service Provider shall not access Commonwealth user accounts, or Customer Data, except in the course of data center operations, response to service or technical issues, as required by the express terms of this Agreement, or at Customer’s written request. 5. Service Provider may not share Customer Data with its parent company or other affiliate without the Commonwealth’s express written consent. 6. In the event of any potential or actual breach of the Service’s security that adversely affects Customer Data or Service Provider’s obligations with respect thereto, Service Provider shall immediately (and in no event more than twenty-four hours after discovering such breach) notify the Commonwealth. Service Provider shall identify the affected Customer Data and inform the Commonwealth of the actions it is taking or will take to reduce the risk of further loss to the Commonwealth. Service Provider shall provide Customer the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. 7. In the event that personally identifiable information is compromised, Service Provider shall be responsible for providing breach notification to data owners in coordination with the Commonwealth as required by M.G.L. ch. 93H or other applicable law or Commonwealth policy. 8. Service Provider shall indemnify, defend, and hold the Commonweath harmless from and against any and all fines, criminal or civil penalties, judgments, damages and assessments, including reasonable expenses suffered by, accrued against, charged to or recoverable from the Commonwealth, on account of the failure of Service Provider to perform its obligations pursuant to this Section.
WARRANTY At minimum, Service Provider must warrant that: 1. Service Provider has acquired any and all rights, grants, assignments, conveyances, licenses, permissions and authorizations necessary for Service Provider to provide the Service to Customer; 2. Service Provider will host the Service on servers located within the continental United States; 3. The Service will perform materially as described in the Agreement; 4. Service Provider will provide to the Commonwealth commercially reasonable continuous and uninterrupted access to the Service, and will not interfere with the Commonwealth’s access to and use of the Service during the term of the Agreement; 5. The Service is compatible with and will operate successfully with Customer’s environment (including web browser and operating system), as Customer has represented such environment to Service Provider;
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 54
6. The Service will be performed in accordance with industry standards, provided however that if a conflicting specific standard is provided in this Agreement or the documentation provided by Service Provider, such specific standard will prevail; 7. Service Provider will maintain adequate and qualified staff and subcontractors to perform its obligations under this Agreement; and 8. Service Provider and its employees, subcontractors, partners and third party providers have taken all necessary and reasonable measures to ensure that all software provided under this Agreement shall be free of Trojan horses, back doors, known security vulnerabilities, malicious code, degradation, or breach of privacy or security. 9. The Service shall operate in substantial conformance with the specifications for the system or modifications for a minimum of [three (3) months] (the “Warranty Period”) after the service or modifications are introduced to Customer for its use. During the Warranty Period, Service Provider shall correct any Severity Level I or II defects, as defined below: (i) Severity Level I: A safety issue or an issue that affects a central requirement for which there is no workaround. It prevents either use or testing of the system. All substantive accessibility issues shall fall into this category. (ii) Severity Level II: An issue that affects a central requirement for which there is a workaround, where use or testing of the system can proceed in a degraded mode, or an issue that affects a non-central requirement for which there is no workaround, where the feature cannot be used. (iii) Severity Level III: An issue that affects a non-central requirement for which there is a workaround, or a cosmetic issue.
[Accessibility section removed from draft SaaS terms, but separate accessibility requirements included as Attachment B.]
SUBCONTRACTORS 1. Before and during the term of this Agreement, Service Provider must notify the Commonwealth prior to any subcontractor providing services, directly or indirectly, to the Commonwealth under this Agreement. The Commonwealth must approve all subcontractors identified after the effective date of the Agreement. 2. Service Provider is responsible for its subcontractors’ compliance with the Agreement, and shall be fully liable for the actions and omissions of subcontractors as if such actions or omissions were performed by Service Provider.
DISASTER RECOVERY 1. Service Provider agrees to maintain and follow a disaster recovery plan designed to maintain Customer access to the Service, and to prevent the unintended destruction or loss of Customer Data. The disaster recovery plan shall provide for and be followed by Service Provider such RFQ 15-24A – Disaster Recovery Notification BusRef
Page 55
that in no event shall the Service be unavailable to Customer for a period in excess of twentyfour (24) hours. 2. Service Provider shall review and test the disaster recovery plan regularly, at minimum twice annually. 3. Service Provider shall back up Customer Data no less than twice daily in an off-site “hardened” facility located within the continental United States. 4. In the event of Service failure, Service Provider shall be able to restore the Service, including Customer Data, with loss of no more than twelve (12) hours of Customer Data and transactions prior to failure.
RECORDS AND AUDIT 1. Records. Service Provider shall maintain accurate, reasonably detailed records pertaining to: (i)The costs and expenses for the Service provided under this Agreement, (ii) The substantiation of claims for payment under this Agreement, and (iii) Service Levels, including service availability and downtime. 2. Records Retention. Service Provider shall keep such records for a minimum retention period of [seven (7) years] from the date of creation, and will preserve all such records for [five (5) years] after termination of this Agreement. No applicable records may be discarded or destroyed during the course of any litigation, claim, negotiation, audit or other inquiry involving this Agreement. 3. Audit. Customer shall have the right, upon reasonable notice to Service Provider, to audit, review and copy, or contract with a third party to audit, any and all records collected by Service Provider pursuant to item (1) above, as well as any other Service Provider records that may reasonably relate to Customer’s use of the Service. Such records will be made available to Customer at no cost in a format that can be downloaded or otherwise duplicated. Customer’s right to audit may be exercised at Service Provider’s premises, during normal business hours, at mutually agreed upon times. 4. Code and Network Security Review. Customer shall have the right, at Customer’s expense, to conduct security reviews following launch of the Service, and after each major upgrade, and no more than once every six (6) months thereafter, upon reasonable notice to Service Provider. Notwithstanding the foregoing, if Customer has reasonable cause to believe Service Provider is not in compliance with this Agreement, Customer may perform an independent security review up to once every three (3) months. Security reviews may include code reviews, network reviews, and reviews of the physical security of the hosting facility and disaster recovery facility.
TRANSITION ASSISTANCE
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 56
1. Service Provider shall reasonably cooperate with other parties in connection with all services to be delivered under this Agreement, including without limitation any successor provider to whom Customer Data is to be transferred in connection with termination. 2. No later than sixty (60) days prior to termination, Service Provider and Customer shall jointly create a written Transition Plan Document. Both parties shall comply with the Transition Plan Document both prior to and after termination as needed. 3. At minimum, the Transition Plan Document will incorporate the following: (i) Customer Data and Documentation. During the transition period defined in the Transition Plan Document, Service Provider shall, at no cost to Customer and under reasonable terms of confidentiality, provide Customer with its Customer Data, including relevant technical documentation, data structures, relationships, business and system rules and triggers, in a format accessible without the use of the Service and as agreed to by Customer. (ii) System Integrity. Service Provider will provide read-only access to the production environment for a period of not less than thirty (30) days after termination at no charge to Customer. (iii) Consulting Services. Service Provider’s transition assistance shall include knowledge transfer and support necessary to facilitate Customer Data extraction, resulting in a final migration of all Customer Data back to Customer. Service Provider will perform reasonable transition services under a separate transition SOW on a time and materials basis either for a fixed fee or at rates to be mutually agreed upon by the parties.
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 57
ATTACHMENT E BUSINESS REFERENCE FORM M ASSIT PROJECT INFORMATION RFQ Number:
RFQ Name:
Number of References Required for this RFQ: Bidder Name:
Bidder Response Date:
REFERENCE INFORMATION Reference Company:
Reference 1,2 Name/Title :
Address: Street
Company Size
(CityStateZip):
(# Employees):
Phone:
eMail:
Project/Program Name:
First Installation Year:
Overview of Services/Products Provided:
Products Installed, including version numbers: Number of Users:
Total Contract price for current installation:
[Copy Reference Information table here for additional references.]
Notes: References will be contacted to confirm the bidder’s abilities and qualifications as stated in the bidder’s response. MassIT may deem the bidder’s response ‘unresponsive’ if a reference is not obtainable from a listed reference after reasonable attempts. 2. Most senior reference at the client is preferred. 1.
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 58
ATTACHMENT F ITS42 Software Resellers Engagement Letter [Official Company Letterhead] [Date] [Issuer Name] [Issuer Address] Dear Mr./Ms. [Issuer Last Name]: This letter affirms that our company has formally engaged with [Software Publisher Company Name] under the terms and conditions of Statewide Contract ITS42 Software Resellers for the purpose of responding to [RFQ Number and Title]. Our company has provided [Software Publisher Company Name] a pricing quote for [Product Name] in conformance with the terms and conditions of ITS42 for submission as part of their response to this RFQ. Our company hereby affirms its willingness to sign a three way agreement consistent with the requirements of ITS42 in conjunction with providing the software and services as proposed in [Software Publisher Company Name]’s bid. Thank you, Name Title Authorized ITS42 Software Reseller Company Name
RFQ 15-24A – Disaster Recovery Notification BusRef
Page 59
