Commonwealth of Massachusetts – Operational Services Division

ITS86 Statewide IT Contract - Template v 5.1.0

 

  1. Definitions.

    “Cloud Services” means Commercial off-the-Shelf Software, SaaS, PaaS, and IaaS. 

    “Commonwealth” refers to the Commonwealth of Massachusetts, State of Maine and State of Vermont. 

    “Contract” means these terms and conditions, the Maine Terms and the Vermont Terms. 

    “Contractor” means DLT Solutions, LLC. 

    “Data Breach” means an event where unauthorized parties gain access to sensitive or Confidential Information, including Eligible Entity Data.  

    “Deliverable” includes, but is not limited to, any tangible or intangible product, good, or service Vendor provides to Eligible Entity as an element of Performance under an Ordering Document. 

    “Eligible Entities” means Massachusetts Eligible Entities, Maine Eligible Entities, Vermont Eligible Entities, Eligible Government Entities, and such other entities the Commonwealth designates from time to time that are eligible to purchase Offerings under the IT86 Statewide Contract. 

    “Eligible Entity Data” means an Eligible Entity’s data, metadata, records, documents, files and other information and data derived from the aforementioned, Personal Data and Security-Sensitive Information. 

    “Eligible Government Entities” means certain companies the Commonwealth designates as “Eligible Entities” to enable them to purchase Offerings under the ITS86 Statewide Contract on Eligible Entities’ behalf. 

    “Engagement-Specific Documents” means terms and conditions governing a particular engagement upon which Eligible Entity and Contractor expressly agree in writing including, but not limited to, Order Documents and End User License Agreements; provided, however, that the following shall be null and void: (i) terms that violate applicable laws or regulations; (ii) terms that conflict with, modify, wait or alter a provision of an Ordering Document or Contract, unless Contactor expressly approves in writing; and (iii) EULAs and updates to EULAs to which an Eligible Entity does not expressly agree.  

    “Environmentally Preferable Product” or “EPP” means a product or service that has a reduced effect on human health and the environment when compared to competing product or service that serve the same purpose including, but not limited to, those which contain recycled content, minimize waste, conserve energy or water, and reduce the disposal or consumption of toxic materials. 

    “Generative AI” or “GenAI” means a type of artificial intelligence technology that generates many forms of content including, but not limited to, texts, images and multimedia which includes (i) GenAI Vendor will use to fulfill its obligations under an Ordering Document; and (ii) GenAI tools Vendor will provide directly to an Eligible Entity for its own use. 

    “ITS86 Statewide Contract” means the contract awarded to Contractor, including the shared terms therein as well as the Maine Terms and Vermont Terms, pursuant to which Eligible Entities of each participating state of the Commonwealth may purchase Offerings. 

    “Infrastructure as a Service” or “IaaS” means the capability to provision processing, storage, networks and other fundamental computing resources on which Customer deploys and runs arbitrary software, which can include operating systems and applications. 

    “Maine Eligible Entities” means all state agencies, other branches of state government, political subdivisions (i.e., cities, town, schools, quasi-public agencies), public institutions of higher education and technical schools as authorized by law. 

    “Maine Terms” means the terms and conditions located at https://www.dlt.com/its86-maine-terms and such other terms and conditions, forms and certifications the State of Maine may require, all of which are incorporated herein by this reference. 

    “Major Update” means a release to an Offering which (i) introduces substantial new features, enhancements, architectural changes, and significant differences to the user experience; and (ii) typically involves a replacement of hardware, software or firmware with a newer or better version in order to bring the system up to date or to improve its characteristics. 

    “Massachusetts Eligible Entities” means (a) cities, towns, districts, counties, and other political subdivisions; (b) executive, legislative and judicial branches, including all departments and elected offices therein; (c) independent public authorities, commissions, and quasi-public agencies; (d) local public libraries, public school districts and charter schools; (e) Massachusetts-owned hospitals; (f) public institutions of higher education; (g) public purchasing cooperatives; (h)non-profit organizations doing business with Commonwealth of Massachusetts; (i) other entities Commonwealth of Massachusetts designates from time to time. 

    “Minor Update” means a release to an Offering which makes minor changes to features, including patches, bug fixes, fixes bugs, service packs, hot fixes, to enhance performance. 

    “Offerings” means Cloud Services, Software, Implementation Services, License Management Services and such other services the Commonwealth deems the ITS86 Statewide Contract covers. 

    “Ordering Document” means a statement of work, purchase order or other document into which Contractor and Vendor enter hereunder for Vendor’s Performance. 

    “Operational Services Division” or “OSD” means the Massachusetts’ procurement agency tasked with advancing climate-responsible purchasing in accordance with, among other things, the Environmentally Preferrable Products and Services Guide. 

    “Performance” includes, is not limited to, Offerings or Deliverables Vendor provides to an Eligible Entity, obligations due, costs incurred, or other commitments set forth in this Contract or an Ordering Document, 

    “Platform as a Service” or “PaaS” means the capability to deploy customer-created or -acquired applications onto the cloud infrastructure using Vendor-supported programming languages and tools. 

    “Request for Response” or RFR” means the Commonwealth-issued solicitation to which Contractor submitted a Response. 

    “RFQ” means Request for Quote. 

    “Response” means Contractor’s response to an RFR. 

    “Security Incident” means an event that compromises or has the potential to compromise the security of an organizations information systems and/or the information it processes, stores or transmits including, but not limited to, a Data Breach. 

    “Security-Sensitive Information” mean blueprints, plans, policies, procedures and schematic drawings which relate to internal layout and structural elements, security measures, emergency preparedness, threat, or vulnerability assessments, and/or any other records relating to the security or safety of persons or buildings, structures, facilities, utilities, transportation, information technology or other infrastructure located within the Commonwealth. 

    “Severity Level I” means an issue that affects a central requirement for which there is no workaround and prevents either use or testing of the system. 

    “Severity Level II” means an issue that affects a central requirement for which there is a workaround, where use or testing of the system can proceed in a degraded mode, or an issue that affects a non-central requirement for which there is no workaround, where the feature cannot be used. 

    “Severity Level III” means an issue that affects a non-central requirement for which there is a workaround, or a cosmetic issue (i.e., information is correctly shown but the appearance is wrong, such as misspelled words, wrong font, wrong indentation, etc.) 

    “Software as a Service” or “SaaS” means Vendor’s cloud infrastructure and the applications thereon that are accessible from a variety of client devices through a thin client interface (e.g., a Web browser or a program interface). 

    “Subcontractor” means Vendor’s representatives, agents, affiliates, consultants, volunteers, suppliers, service providers, hosting providers, providers of third-party software imbedded in Vendor’s Offering, or any other entity with whom Vendor is in privity of oral or written contract and whom Vendor intends to perform under an Ordering Document. 

    “Specifications” means the functionality, performance and interoperability requirements set forth in the RFP and Response, Ordering Documents, Engagement-Specific Documents and Vendor-published documentation. 

    “Term” means the period of performance set forth in an Ordering Document, unless earlier terminated. 

    “Unauthorized Code” means viruses, Trojan horses, back doors, malicious code, worms, spyware or other software routines or equipment components designed to permit unauthorized access or disable, erase, or otherwise harm software, equipment or data. 

    “Updates” means Major Updates and Minor Updates. 

    “Vendor” means the Named Software Publisher whose products Contractor intends to offer on the ITS86 Statewide Contract. 

    “Vendor Representative” is a Vendor’s point-of-contact for Contractor and an Eligible Entity for the Offerings. 

    “Vermont Additional Purchasers” means political subdivisions of the State of Vermont (including, but not limited to, cities, towns, and school districts) and any institution of higher education chartered in Vermont and accredited or holding a certificate of approval from the State Board of Education. 

    “Vermont Eligible Entities” means Vermont State Purchasers and Vermont Additional Purchasers 

    “Vermont State Purchasers” means all departments, offices, institutions, and other agencies of the State of Vermont and counties. 

    “Vermont Terms” means the terms and conditions located at https://www.dlt.com/its86-vermont-terms and such other terms and conditions, forms and certifications the State of Vermont may require from time to time, all of which are incorporated herein by this reference. 

    “Warranty Period” means the period commencing on the date on which an Eligible Entity accepts an Offering and continuing thereafter for twelve (12) months.
     
  2. Order of Precedence. In the event of a conflict, the order of precedence is as follows: (a) this Contract or, with respect to the State of Maine and the State of Vermont, the Maine Terms and then this Contract and the Vermont Terms and then this Contract, respectively; (b) Standard Contract Form and Standard Contract Form Instructions and Contractor Certifications or, with respect to the State of Maine and the State of Vermont, other required standard contract documents; (c) RFR; (d) Response; (e) Eligible Entity-issued solicitation for a particular engagement (e.g., RFQ); (f) Engagement-Specific Documents; and (g) response to Eligible Entity’s solicitation; and (h) the Aggregation Agreement or other agreement into which Vendor and DLT Solutions, LLC or TD SYNNEX Corporation, as the case may be, entered.
     
  3. Vendor Responsibilities. Vendor shall (a) identify (i) qualifications, roles, job titles and number of full time employees dedicated to providing the Offerings and process for training such employees; and (ii) a Vendor Representative; (b) upon Contractor’s request, (i) remove a Vendor employee; (ii) provide administration responsibilities, manage enrollment process and renewals and track usage and assist with true-ups, new volume license agreements, customer satisfaction surveys, transition services, reporting, presales assistance, and audits of Contractor; (iii) attend meetings to review Performance; (iv) provide an incident escalation path and software maintenance, including Updates to eliminate vulnerabilities and remove flaws that may facilitate security breaches or hinder operation of the Offerings; (c) respond to telephone calls and emails within four (4) business hours; (c) be responsible for Subcontractors’ acts and omissions; (d) honor quotes for thirty (30) days; (e) offer and label products with sustainability certifications and attributes, if applicable; (f) notify Contractor in writing (i) as soon as possible of price changes based on usage; (ii) ninety (90) days prior to expiration of Offerings or, if contract value exceeds $100,000,000, 120 days prior to expiration of Offerings and ensure access continues until Vendor provides the aforementioned notifications; (iii) at least six (6) months in advance of changes to Engagement-Specific Documents; (iv) at least twelve (12) months in advance if an Offering is nearing end of life or end of support; (v) as soon as possible of use of Offerings in excess of capacity or quantities Eligible Entity purchased; (g) work with Contractor and Eligible Entities on usage verification methods, the scope of verification, the time and frequency of verification and the party which shall conduct such verification (e.g., self-verification by an Eligible Entity, Vendor verification or independent, third party auditor verification); and (h) commit to purchasing supplies and services from certified minority or women-owned businesses, small businesses or businesses socially or economically disadvantaged persons or persons with disabilities own. Upon Eligible Entity’s receipt of notice described in Section 3.1(f)(v), Eligible Entity may, in its sole discretion, reduce its usage within thirty (30) days thereafter, and Vendor will not charge any additional fees for Eligible Entity’s excessive usage before or during such thirty (30) day period.
     
  4. Representations and Warranties. Contractor shall remediate all warranty claims that it is or should be reasonably aware of at no cost to Eligible Entity.
    1. During the Warranty Period, Vendor represents and warrants that the Offerings will conform to the Specifications. If, during the Warranty Period, Eligible Entity discovers a non-conformity in the Offerings including, but not limited to, a Severity Level I, Severity Level II or Severity Level II issue, then Vendor shall use commercially reasonable efforts, at its option, to correct the non-conformity, provide a workaround or software patch, or replace the Offering at no charge. If Vendor is unable to remedy a non-conformity within a reasonable period of time, then Contractor may terminate the Ordering Document by providing thirty (30) days prior written notice to Vendor, and Vendor shall pay to Contractor an amount equivalent to all amounts Contractor already paid but for which Vendor has not rendered the Offering.
    2. During the Warranty Period, Vendor represents and warrants that (a) the Offerings will achieve in all material respects the functionality described in the applicable Ordering Document or in Vendor’s user guides and other related documentation, and that Vendor shall maintain such functionality in all material respects in subsequent Updates; (b) use best efforts to modify the Offerings to achieve in all material respects the functionality described in the Ordering Document or in Vendor’s user guides and other related documentation and, if it is unable to deliver such functionality within a reasonable period of time, then Contractor may notify Vendor of its intent to terminate the Ordering Document in thirty (30) days, and Vendor shall pay to Contractor an amount equivalent to all amounts Contractor already paid but for which Vendor has not rendered the Performance.
    3. During the Warranty Period, Vendor represents and warrants that (a) the Offerings do not contain any Unauthorized Code and will be free from defects; (b) it shall provide all authorization codes necessary for successful installation of the Offering; (c) it will employ appropriately qualified and trained personnel to provide the Offerings with due care and diligence and to a high standard of quality as is customary in the industry in compliance with the Contract, the Ordering Document and all applicable professional standards for the field of expertise; (d) its documentation shall be sufficiently detailed so as to allow suitably skilled, trained, and educated Eligible Entity personnel to understand the operation of the Offerings. If Vendor is unable to remedy a breach of the aforementioned representations and warranties within a reasonable period of time, then Contractor may notify Vendor of its intent to terminate the Ordering Document in thirty (30) days, and Vendor shall pay to Contractor an amount equivalent to all amounts Contractor already paid but for which Vendor has not rendered the Offering.
    4. Vendor represents and warrants that (a) it has full power and authority to grant the title, license and/or use of any Offerings and any other rights granted to Eligible Entity with respect to the Offerings; (b) neither Vendor’s Performance, nor Eligible Entity’s use of the Offerings as permitted by the Ordering Document, nor the license of and authorized use by Eligible Entity of the Offerings, including any third party materials Vendor supplies or specifies for incorporation in the Offerings will in any way constitute an infringement or other violation of any copyright, trade secret, trademark, patent, invention, proprietary information, non-disclosure, or other rights of any third party; (c) it will monitor all personnel granted access to Eligible Entity systems and/or confidential data and properly train such personnel on system security and handling confidential data; (d) GenAI shall be accurate and generate unbiased results and, if Vendor breaches this warranty, it shall remedy, at no cost to Eligible Entity, any such defects in the GenAI system/solution; and (c) Vendor and its Subcontractors shall, for the applicable Term, and in the case of claims-made policies for two (2) years following termination of the applicable Ordering Document, maintain or cause to be maintained insurance coverage in such types and amounts as are customarily required for contracts of similar scope and nature, including but not limited to, Worker’s Compensation/Employer’s Liability, Commercial General Liability, Bodily Injury, Property Damage, Automobile Liability, Professional Liability/Errors & Omissions, first and third party Cyber Liability, and Umbrella Liability; (i) all personnel granted access to Eligible Entity systems and/or confidential data are monitored and have been properly trained on system security and handling. Notwithstanding the foregoing, any subscription term licenses Vendor provides shall be warranted for the duration of the subscription term.
       
  5. GenAI
    1. Generative AI. Vendor shall (a) use Eligible Entity Data for training, tuning, or testing the GenAI model only after receipt of Eligible Entity’s written consent for both the use of the GenAI tool and the Eligible Entity Data; (b) strictly limit inputs to the data and inputs provided hereunder and not any other Eligible Entity intellectual property; (c) strictly use Eligible Entity Data necessary to provide the Offerings; and (d) delete all Eligible Entity Data within thirty (30) days of receipt of written notification from Eligible Entity and confirm in writing that it deleted such data; (d) implement robust quality control measures to review and approve, through non-automated means, all content the GenAI tools generate before publication, distribution or use; (e) ensure that GenAI use strictly aligns with the Ordering Document and any additional Eligible Entity guidelines; (f) document and mitigate any biases, discrimination or otherwise unlawful outcomes based on race, color, religion, sex, national origin, disability, age, genetic information, or any other protected characteristic under applicable law in the GenAI solution or services; (g) regularly monitor the GenAI system performance to detect and rectify system behavior that violates any of the requirements herein; (h) promptly communicate the discovery of system behavior that violates any of the requirements herein; (i)  provide reasonable advance notice to Eligible Entity of any updates to the GenAI model/platform that may substantially impact the Offerings; (j) enable Eligible Entity to oversee the development and testing of the GenAI and, where necessary, override its functionality through human intervention; (k) as of the termination date of the Ordering Document, cease use of GenAI in service delivery to Eligible Entity, disengage GenAI components, and provide transition/termination assistance; (l) provide access to the full functionality the GenAI systems/solutions used in the Offerings offers by including, but not limited to, the ability to use the system, develop and test solutions, and make copies (with appropriate commercial mechanisms) without any limitations or restrictions; (m) obtain approval for hosting and storing in a cloud location. Vendor shall certify, in writing on an annual basis or upon Eligible Entity’s request, that (i) its GenAI systems, models, or platforms, and related processes, training materials, training data sets, and its use and management of synthetic data, comply with the requirements herein; and (ii) it retains GenAI audit logs.
    2. Usage Disclosure. Vendor shall (a) disclose to Contractor, prior to Contractor submitting its bid or proposal, whether the Offerings include or will include artificial intelligence, GenAI, or any GenAI components; and (b) continually notify Contractor in writing prior to inclusion of any artificial intelligence, GenAI, or GenAI components in the Offerings (including Subcontractor’s use of such tools or including of such tools in third party products used in the performance of this Contract) during the Term. The notice must detail how Vendor is using artificial intelligence, GenAI, or GenAI components in performance of the Ordering Document, and the impact of its inclusion on how Eligible Entity Data is accessed, used, shared, or stored.
    3. Copyright. All content GenAI may create is a work made for hire under U.S. Copyright law. To the extent any GenAI content may not be considered a work made for hire under applicable law, as part of the Contract, Vendor assigns to the applicable Eligible Entity, in perpetuity, all right and interest to such GenAI content without the need for further consideration. In addition, content created from the Commonwealth-provided prompt (“Creative Content”) is not a derivative work of the GenAI training data. Notwithstanding the preceding sentence, in the event a court of competent jurisdiction determines that Creative Content constitutes a derivative work of the GenAI training data, Vendor hereby grants Eligible Entity an unlimited, irrevocable, worldwide, perpetual, royalty-free, non-exclusive right, and license to use, modify, reproduce, perform, release, display, create derivative works from, and disclose the Creative Content for any Commonwealth business.
       
  6. Use Restrictions. The following use restrictions will apply unless the Commonwealth approved the use restrictions in Vendor’s EULA.
    1. General Use Restrictions. Vendor hereby grants Eligible Entity a non-exclusive right to access and use the Offerings during the applicable Term for Eligible Entity’s business purposes. An Eligible Entity may transfer or assign, in part or in whole, its right to access and use the Offerings to another Eligible Entity.
    2. No Redistribution or Resale. Eligible Entity shall not (a) commercially sell, resell, license or sublicense the Offerings to a third party; or (b) permit more than one user to use a set of individual user login credentials for an Offering, except to the extent Vendor permits. Eligible Entity and its authorized users shall access and use the Offerings in compliance with all applicable terms and conditions, laws and regulations. Eligible Entity will not be liable for acts or omissions of users that occur outside of Eligible Entity’s reasonable control or in violation of Eligible Entity’s policies or instructions, provided Eligible Entity has implemented and maintained reasonable access controls and compliance measures.
    3. Illegal Use; Reverse Engineering. Eligible Entity shall not (a) knowingly use the Offerings for any unlawful purpose or in a manner that materially violates applicable laws or regulations; or (b) modify, reverse engineer, or create derivative works based on the underlying source code or core functionality of the Offerings; provided, however, that Eligible Entity may configure the Offerings, including through permitted APIs, user interfaces, or other documented functionality, to align with its business needs, provided such configuration does not violate this Contract, the Ordering Document or Engagement-Specific Documents or interfere with the Offerings’ operation or security.
       
  7. Intellectual Property. Vendor retains ownership of all intellectual property rights in the Offerings, including all trademarks, trade names, copyrights, service marks, source code, object code and documentation Contractor solely develops. Notwithstanding the foregoing, Eligible Entity retains all rights, title, and interest in any of its data (including data derived therefrom), metadata, configurations, workflows, reports, or other materials or input made by or on behalf of Eligible Entity. Ownership of derivate works created in violation of this Contract shall not transfer to Eligible Entity, but nothing in this section shall restrict Eligible Entity’s right to use and configure the Offerings as permitted hereunder or in Engagement-Specific Documents. Eligible Entity shall own all rights, title and interest in all Deliverables purchased or developed with funds Eligible Entity pays. Vendor shall not access Eligible Entity user accounts or Eligible Entity Data, except (a) in the course of data center operations; (b) in response to service or technical issues; (c) as permitted by this Contract, an Ordering Document or applicable policies; or (d) at Eligible Entity’s request. Vendor shall not (i) collect, access, or use user-specific Eligible Entity Data except as strictly necessary to provide the Offerings; or (ii) share or disclose an Eligible Entity’s use of the Offerings with any third party unless law, regulation or an order of court of competent jurisdiction requires such sharing or disclosure.
     
  8. Updates. Vendor shall (a) make Updates available to Eligible Entity at no additional cost when Vendor makes such Updates generally available to its users; (b) except in the event of an emergency (e.g., security breach), notify Eligible Entity at least (i) five (5) days prior to any Minor Update; (ii) sixty (60) days prior to any Major Update. Updates shall not (i) decrease the Offerings’ functionality or degrade the service levels; (ii) adversely affect Eligible Entity’s use of, or access to, the Offerings; or (iii) increase the cost to Eligible Entity.
     
  9. Shipping; Delivery; Standard Business Expenses. All items covered under this Contract are exempt from shipping charges, FOB destination, unless Contractor submits an Ordering Document that includes expedited shipment and related charges. For goods delivered physically, Vendor shall provide delivery within a maximum of ten (10) business days after receipt of an Ordering Document, unless (a) item is out of stock or delayed by distributor; (b) extreme weather conditions or disasters or other causes factually beyond Vendor’s control and without its fault or negligence impede Vendor’s business operations; or (c) a shorter guaranteed delivery time is desirable. For goods delivered electronically, Vendor shall provide delivery within a maximum of three (3) business days after receipt of an Ordering Document, unless (i) extreme weather conditions or disasters or other causes factually beyond Vendor’s control and without its fault or negligence impede Vendor’s business operations; or (ii) a shorter guaranteed delivery time is desirable. Vendor shall deliver or drop ship software items to any mutually-agreed upon location. If the software is defective or the incorrect product was delivered, Vendor shall accept returns and be responsible for return shipping, packaging costs and restocking charges, if applicable. Vendor shall replace any defective or incorrectly delivered media by overnight delivery at Vendor’s expense if Eligible Entity requests. Vendor shall (i) assist Eligible Entity within eight (8) business hours of being informed of difficulty in downloading or installing the software; and (ii) upon Eligible Entity’s request, download information, including keys if applicable, to a party other than the individual placing the order. Standard Business Expenses may be allowed with Contractor’s prior written authorization.
     
  10. Enterprise Policy and Standards; Accessibility. All IT systems and applications Vendor develops for Eligible Entities shall conform with the Enterprise Information Security Policies and Standards at https://www.mass.gov/handbook/enterprise-information-security-policies-and-standards. Vendor shall (a) request approval for non-conforming IT systems and applications; and (b) if applicable, comply with the digital accessibility obligations set forth in the Vendor Digital Accessibility Contract Language and Vendor Digital Accessibility Testing Obligations, and any subsequent versions or amendments.
     
  11. Security Requirements. Vendor shall (a) encrypt Eligible Entity Data while at rest; (b) maintain an audit trail to assist in determining if there has been any unauthorized access to or disclosure of Eligible Entity Data; (c) select and monitor any Subcontractors to ensure their compliance with all applicable laws in the locality where Eligible Entity Data is processed, stored and transmitted; (d) ensure that Subcontractors are contractually obligated to carry insurance from a licensed insurance provider; (e) obtain written consent from Eligible Entity prior to providing Subcontractors access to Eligible Entity Data; (f) provide (i) proof of its certification to meet NIST’s “Recommended Security Controls for Federal Information systems and Organizations” (SP 800-53 Rev. 5) or (ii) if not certified, an attestation that Vendor has met the same level of security controls; (g) if Vendor knows or has reason to know of a Security Incident that may affect the security of Eligible Entity Data, notify such Eligible Entity as soon as practicable from the date of the Security Incident and in no event more than twenty four (24) hours and cooperate with Eligible Entity to meet requirements under applicable law; (h) in the event of a Security Incident, take commercially reasonable steps to mitigate the effects, resolve the Security Incident in a timely manner, and put measures in place to prevent the recurrence of similar Security Incidents; (i) if Eligible Entity requests or applicable law requires, provide notice as soon as practicable to those individuals whose Personal Data was affected or may have been affected by a Data Breach; (j) if the Security Incident is due to Vendor’s negligence, provide all requested and/or required notices at its sole expense; (k) promptly provide any additional information related to the Security Incident in its possession within 24 hours of Eligible Entity’s request; (m) cooperate with Eligible Entity to investigate and resolve the Security Incident; (n) promptly implement necessary remedial measures, if necessary; (o) document responsive actions taken related to the Security Incident, including any post-incident review of events and actions taken to make changes in business practices in providing the Offerings, if necessary; (p) if Eligible Entity reasonably determines that a Data Breach is a direct result of Vendor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its release, bear the costs associated with (i) the investigation and resolution of the Data Breach; (ii) notifications to individuals, regulators or others required by applicable laws; (iii) a credit monitoring service required by applicable law or as the parties otherwise agree; (iv) a website or a toll-free number and call center for affected individuals required by applicable law; (q) complete all corrective actions as Contractor reasonably determines based on root cause; (r) upon an Eligible Entity’s request, disclose its non-proprietary system security plans, security processes and technical limitations to Eligible Entity such that Eligible Entity and Vendor can attain adequate protection and flexibility; (s) communicate with outside parties regarding a Security Incident (e.g., contacting law enforcement, fielding media inquiries and seeking external expertise) only on an urgent as-needed basis in accordance with Vendor’s communication and mitigation processes, this Contract and applicable law; and (t) provide reports to Eligible Entity in a mutually agreed upon format that include latency statistics, user access, user access IP address, user access history and security logs for all public jurisdiction files related to the Offerings.
     
  12. Notification of Legal Requests. Vendor shall (a) contact Contractor and Eligible Entity upon receipt of any electronic discovery, litigation holds, discovery searches, public records requests, and expert testimonies related to Eligible Entity’s data or which in any way might reasonably require access to Eligible Entity Data; and (b) not respond to subpoenas, service of process and other legal requests related to Eligible Entity without first notifying and obtaining Eligible Entity’s approval, unless applicable law prohibits such notice.
     
  13. Background Checks. Vendor shall (a) upon Eligible Entity’s request, conduct criminal background checks and not use any staff, including Subcontractor staff, who have been convicted of any crime of dishonesty including, but not limited to criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to one (1) year is an authorized penalty; (b) promote and maintain an awareness of the importance of securing Eligible Entity Data among its employees and agents. If Eligible Entity deems any of the stated personnel providing the Offerings is not acceptable as a result of the criminal background check, Eligible Entity, in its sole option may (i) request Vendor to immediately replace the person and ensure a transfer of knowledge without any additional cost to Eligible Entity, and/or (ii) immediately terminate the Offerings.
     
  14. Audits. Eligible Entity may audit Vendor’s Performance at Eligible Entity’s cost. Vendor shall perform an independent audit of its data centers at least annually at its expense and provide an unredacted version of the audit report upon Eligible Entity’s request. Vendor may remove its proprietary information from the unredacted version.
     
  15. Import and Export of Data. During the applicable Term, Eligible Entity shall have the ability to import or export data in piecemeal or in its entirety at its discretion without Vendor interference. Vendor shall specify whether (a) Vendor applications provide this functionality directly; (b) Eligible Entity must provide its own tools for this purpose; and (c) Vendor provides tools for Eligible Entity to purchase and use for this purpose.
     
  16. Payments. Vendor shall pay for Performance in accordance with the Ordering Document. Vendor may, in its sole discretion, pre-pay for subscription-based Offerings for the applicable Term. All payments are subject to appropriation or availability of sufficient non-appropriated funds and shall be subject to intercept pursuant to M.G.L. c. 7A, § 3 and 815 CMR 9.00. Vendor shall reimburse overpayments. Vendor’s acceptance of any payment or partial payment, without written objection, shall in each instance release and discharge Contractor from all claims, liabilities or other obligations relating to the Performance applicable thereto.
     
  17. Termination; Suspension.
    1. In addition to any other remedies available at law, in equity or set forth in this Contract, an Ordering Document or Engagement-Specific Documents, Contractor may, terminate or suspend, in whole or in part and without penalty, an Ordering Document (a) immediately without cause in its sole discretion for any reason and without penalty; (b) upon five (5) days’ notice in the event of an elimination of an appropriation or availability of sufficient funds for an Ordering Document; (c) immediately in the event of an unforeseen public emergency mandating immediate action; and (d) upon fifteen (15) days written notice if Vendor fails in its Performance. In the event of termination or suspension pursuant to paragraph (d) herein, Contractor may require Vendor to prepare and implement a corrective action plan. Vendor shall cooperate with Contractor and the Eligible Entity to transition the Offerings to another Vendor at no additional cost in the event Vendor cannot remediate the issues. If Eligible Entity has pre-paid for subscription services, Vendor shall refund Eligible Entity the as-yet unused pro-rata portion of such pre-payment as of the date of termination.
    2. Upon termination of an Ordering Document, whether in whole or in part, Vendor shall (a) return Eligible Entity’s data in a mutually agreeable format; (b) allow Eligible Entity to extract its data and subsequently securely dispose Eligible Entity’s data; (c) neither erase Eligible Entity’s data for a period of ninety (90) days after the effective date of termination unless the parties otherwise agree nor impose fees for access and retrieval of Eligible Entity Data during this ninety (90) day period; (d) after such ninety (90) day period, not be obligated to maintain or provide any Eligible Entity’s data and shall thereafter, unless legally prohibited, delete all Eligible Entity’s data in its systems or otherwise in its possession or under its control; (e) provide post-termination assistance to Eligible Entity with respect to the Offerings; (f) securely dispose of all Eligible Entity’s data in all of its forms, such as disk, CD/ DVD, backup tape and paper, unless Eligible Entity otherwise stipulates; (g) permanently delete such data and ensure that it is not recoverable; and (h) upon Eligible Entity’s request, provide certificates of destruction. During any period of service suspension, Contractor shall not take any action to intentionally erase or otherwise dispose of any Eligible Entity’s data.
       
  18. Protection of Data. Vendor shall (a) safeguard, ensure the physical security of and restrict access to any Eligible Entity Data which Vendor possesses or uses in its Performance; (b) comply with all applicable laws, rules, and regulations relating to Personal Data including, but not limited to, M.G.L. c. 66A if Vendor becomes a “holder” of “personal data” and M.G.L. c. 93H if Vendor accesses “personal information,” and the Enterprise Information Security Policies and Standards https://www.mass.gov/handbook/enterprise-information-security-policies-and-standards; and (c) if Vendor accesses Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA), comply with all applicable HIPAA requirements, including those governing business associates, and shall execute a “Business Associate Agreement” as necessary.
     
  19. Risk of Loss. Vendor shall bear the risk of loss for any Vendor materials used for an Ordering Document, and all Deliverables and Eligible Entity Data which Vendor possesses or uses in its Performance until possession, ownership, or full legal title, as applicable, to the materials, Deliverables or Eligible Entity Data are transferred to and accepted by the Eligible Entity.
     
  20. Forum; Choice of Law; Mediation. Any actions arising out of an Ordering Document shall be governed by the laws of Massachusetts and brought and maintained in state court in Massachusetts, unless a federal court in Massachusetts has exclusive jurisdiction thereof. Eligible Entity, subject to Office of the Attorney General’s (AGO) approval, may (i) consent to the jurisdiction of federal courts outside of Massachusetts; or (ii) agree to the established voluntary mediation process through the Massachusetts Office of Public Collaboration (MOPC) of any Ordering Document dispute and will share the costs of such mediation with Vendor. This Section 27 shall not limit the parties’ legal or equitable rights.
     
  21. Marketing. Vendor shall not (a) use graphics, logos, page headers, icons, or scripts unique to the Commonwealth without Eligible Entity’s prior written permission; and (b) display the Commonwealth of Massachusetts coat of arms or Seal for commercial purposes.
     
  22. Subcontracting. Subcontracts will not relieve or discharge Vendor from any duty, obligation, responsibility or liability arising under an Ordering Document.