ALL PRIME CONTRACT VEHICLES TERMS AND CONDITIONS

These Terms and Conditions are entered into by and between TD SYNNEX Corporation (“TD SYNNEX”) and/or DLT Solutions, LLC (“DLT” and, together with TD SYNNEX, “Distributor”), as the case may be, and Vendor. Capitalized terms used herein and not otherwise defined shall have the meanings ascribed to them in the agreement entered into by Distributor and Vendor governing the purchase, resale and distribution of Vendor’s products and services (the “Agreement”).

  1. Professional Services, as applicable. Vendor shall (a) perform the Professional Services as set forth in the Statement of Work; and (b) for Orders that authorize use of Distributor Labor categories under a Prime Contract, assign personnel to specific labor category/titles and provide the assigned personnel’s resume. DLT shall pay invoices and/or expenses Vendor submits for the Professional Services only upon Customer’s approval of such invoices and/or expenses.
  2. Training, as applicable.
    1. Vendor shall provide (a) written materials (e.g., manuals, handbooks, texts) normally provided with course offerings, which shall become the attendee’s property upon completion of the training class; (b) one-to-one assignment of IT equipment to attendees for hands-on training courses for any training Orders under Distributor’s GSA Schedule; (c) a Certificate of Training upon completion of each training course; and (d) unlimited telephone support/online support for a period of one (1) year from the completion of the training course during which time period an attendee may request refresher assistance and/or ask questions related course curriculum questions.
    2. For any training Orders, Distributor shall (a) notify Vendor at least seventy-two (72) hours before the scheduled training date if its designated attendee cannot attend and may, upon End User Customer’s request, elect to cancel the training Order or reschedule the training within ninety (90) days from the original course date, at no additional charge; and (c) in the event Distributor elects to reschedule the training, modify its original training Order to specify the time and date of the rescheduled training class. Vendor shall (i) permit End User Customer to substitute attendees up to the first day of class; and (ii) in the event Vendor is unable to conduct classroom training on the date in the Order, notify DLT and/or its End User Customer at least seventy-two (72) hours before the scheduled training date.
  3. Order Procedure; Shipment.
    1. Unless the Parties agree in writing, there are no (a) minimum quantity for Orders; (b) minimum or required product mix; or (c) initial stocking order required. Vendor shall only supply new Products along with the commercial warranty associated with such Products unless Distributor informs Vendor at the time of the quote that Refurbished Products are required or acceptable.
    2. Vendor shall (a) ship all Products F.O.B. Destination; (b) bear all risk of loss or damage in transit; (c) provide Distributor written notice of shipping or entitlement that references Distributor’s purchase order number and date of shipment/entitlement, Customer name, Customer ship-to address, items and quantities shipped, shipping method, carrier and tracking number.
  4. Vendor Price List Changes; Defective Products; COTS.
    1. Within a commercially reasonable period of time, Vendor shall notify Distributor of any new Offerings or price changes to current Offerings. Upon commercial availability of a new Offering, it shall be deemed added to the Vendor Price List. Vendor acknowledges and agrees that changes made to Offerings on a Prime Contract may require End User Customer approval before such change is effective. Notwithstanding the foregoing, the Parties acknowledge and agree that revised or new prices shall not apply to any Offering, Order, and valid Vendor Quote absent End User Customer’s prior written acceptance.
    2. In the event of an increase to the Vendor Price List for Offerings on a Prime Contract, (a) Vendor shall submit Documentation to Distributor supporting the reasonableness of the price increase with the request for a price increase; (b) Distributor shall submit the Documentation to the Government under the Prime Contract, provided the Prime Contract permits such price increases; and (c) at least a thirty (30) calendar days must elapse between requested increases. In the event the Government rejects the price increase, Distributor shall (shall notify Vendor of the Government’s rejection and shall not be bound by the price increase. Vendor shall (i) notify Distributor within fifteen (15) calendar days whether Vendor will agree to continue to sell Offerings at the price prior to the increase, or a lower negotiated price, or if Vendor wants the Offerings removed from the Prime Contract; and (ii) continue to sell the Offerings until such Offerings are removed from the Prime Contract.
    3. In the event of a decrease to the price for Offerings on a Prime Contract, either temporarily or permanently during the Term, Vendor shall (a) notify Distributor as soon as practical and acknowledges pricing on the Prime Contract will be reduced proportionately; and (b) grant Distributor a purchase credit against any purchase not yet shipped to End User Customer.
    4. With respect to any Offering to be listed on a Prime Contract, Vendor shall (a) complete, execute and return to Distributor the Letter of Supply; and (b) promptly notify DLT in the event an Offering no longer qualifies as a Commercial Product or a Commercial Service.
    5. Vendor (a) shall provide a Vendor Price List augmented with several data fields required for additions of the Offerings to the Prime Contracts; and (b) may modify the Vendor Price List in accordance with this Section 9 (in which case such list shall be deemed to have been automatically amended to reflect the alteration of such products and associated prices).
    6. Vendor shall notify Distributor ninety (90) days in advance of the date on which Vendor intends to discontinue an Offering. DLT shall promptly request the removal of the Offering from all Prime Contracts and Subcontracts. The discontinued Offering shall be deemed deleted from the Vendor Price List once the Offering has been removed from all applicable Prime Contracts and Subcontracts.
    7. In accordance with FAR clause 52.225-5, the Trade Agreements Act or an equivalent government procurement regulation, Vendor shall provide DLT with the country of origin for each of the Offerings and promptly notify DLT of any changes thereto.
    8. Distributor or a Customer may return to Vendor at Vendor’s expense, and Vendor shall accept, any defective or damaged Products that Distributor or a Customer return within the Warranty Period. Any such return need not be accompanied by an Order. DLT shall comply with Vendor’s reasonable policies concerning return authorization procedures including, if necessary, obtaining a return authorization number from Vendor’s shipping department prior to returning the Product, and Vendor shall use commercially reasonable efforts to promptly approve and effectuate any such Product returns.
    9. Vendor may provide to Distributor an updated Commercial License Agreement from time to time, without amendment to this Agreement, and Distributor shall provide the updated Commercial License Agreement to Customer, subject to any approval and review processes of the applicable Prime Contract. Vendor shall deliver any updated Commercial License Agreement or other terms and conditions to dan.smith@dlt.com or, in the case of Commercial License Agreement used under a Prime Contract, to pmo@dlt.com.
  5. Acknowledgements. Vendor acknowledges and agrees that, (a) pursuant to 31 U.S.C. 3324 and any other equivalent government procurement regulations, End User Customers may be unable to make payments in advance for services such as maintenance and/or training despite Vendor’s standard commercial practice and that while Distributor will make reasonable efforts to honor Vendor’s standard commercial payment terms, in cases where an End User Customer requires invoicing and payment for Services in arrears, Distributor will issue or re-issue its Order to Vendor and make payment in arrears to Vendor in accordance with the End User Customer’s mandated schedule; (b) End User Customers cannot obligate funds beyond their current fiscal year or accept Services or XaaS without conducting a compliant procurement and, as such, Services and XaaS may not auto-renew or be eligible for multi-year durations; (c) in the event of a Government shut down, Distributor’s payment of invoiced amounts may be delayed or suspended until such time as the Government re-opens and resumes processing and payment of invoiced amounts owed to Distributor.
  6. Termination for Convenience; Stop Work Order.
    1. Termination for Convenience. Distributor may terminate an Order immediately if the Government: (a) terminates the Prime Contract or the portion of the Prime Contract corresponding to an Order’ or (b) changes the Prime Contract such that Vendor’s Offerings are no longer required under the Prime Contract. In the event of such termination, Vendor shall immediately stop all work under the Order and cause any and all of its subcontractors to cease work. Subject to the terms of this Agreement, Distributor shall pay Vendor a percentage of the Order price reflecting the percentage of the work Vendor performed prior to the notice of termination, plus reasonable charges resulting from the termination Vendor can demonstrate to DLT’s satisfaction; provided, however, that Distributor not be responsible for (i) any termination costs in excess of the amount the Government pays Distributor for Vendor’s termination costs; (ii) any work performed or costs incurred which reasonably could have been avoided.
    2. Stop Work Order. Distributor may direct Vendor to immediately stop work on any Order issued to Vendor if the Government issues a stop work order under the Prime Contract for Vendor’s scope of work. In the event of such stop work order, Vendor shall immediately stop all work under the Order, direct its suppliers and subcontractors to stop work and wait for further directions from Distributor.2.1 Vendor shall provide (a) written materials (e.g., manuals, handbooks, texts) normally provided with course offerings, which shall become the attendee’s property upon completion of the training class; (b) one-to-one assignment of IT equipment to attendees for hands-on training courses for any training Orders under Distributor’s GSA Schedule; (c) a Certificate of Training upon completion of each training course; and (d) unlimited telephone support/online support for a period of one (1) year from the completion of the training course during which time period an attendee may request refresher assistance and/or ask questions related course curriculum questions.


 

NASPO TERMS AND CONDITIONS

These NASPO Terms and Conditions are entered into by and between TD SYNNEX Corporation (“TD SYNNEX”) and/or DLT Solutions, LLC (“DLT” and, together with TD SYNNEX, “Distributor”), as the case may be, and Vendor. Capitalized terms used herein and not otherwise defined shall have the meanings ascribed to them in the Agreement as defined below.

WHEREAS, Distributor and Vendor entered into an agreement governing the purchase, resale and distribution of Vendor’s products and services (the “Agreement”); 

WHEREAS, NASPO and DLT entered into the (i) Master Agreement; and (ii) Participating Addendums (the “Participating Addendums” and, together with the Master Agreement and any additional Participating Addendums into which DLT and Participating States execute on or after the Effective Date the “NASPO Contract”); and 

WHEREAS, Distributor and Vendor desire to add Vendor to the NAPSO Contract. 

NOW THEREFORE in consideration of the mutual promises and covenants contained herein and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby agree as follows:

  1. NASPO Contract. Vendor shall provide documentation required to add a vendor to the NASPO Contract including, but not limited to, the requirements set forth in https://www.dlt.com/naspo-requirements and its End User License Agreement(s) applicable to the Services and tailored to the public sector (“EULA(s)”). Upon receipt of all required documentation, Distributor will request NASPO to add Vendor and its EULA(s) to the NASPO Contract for the purpose of providing the Services.
  2. Price Decrease. If Vendor’s commercial list price for the Services decreases, Purchasing Entities shall automatically receive the immediate benefit of such price decrease for the applicable Services under new Orders without any need for a modification. If Purchasing Entity disputes and withholds payment of an invoice in whole or in part for the Services, Distributor’s payment may be delayed beyond forty-five (45) days.
  3. Termination; Effect of Termination; Transition Assistance
    1. Term. This Amendment shall commence on the Effective Date and continue thereafter until expiration or termination as set forth in the Agreement and herein. Each Order shall commence on the date set forth therein and continue thereafter until expiration or termination as set forth therein or in the Agreement and herein.
    2. Termination. Lead State may immediately terminate all or some of the documents comprising the NASPO Contract, any related contracts or part thereof, or the Services provided thereunder or part thereof, without advance written notice or a cure period if Lead State, in its sole discretion, determines that it is reasonably necessary to preserve public safety or prevent immediate public crisis; provided, however, that if Lead State affords Vendor, as applicable, an advance written notice or a cure period and Vendor fails to cure the default within the period specified in the written notice of default, Lead State may (i) terminate all or some of the documents comprising the NASPO Contract, any related contracts or part thereof, or the Services or part thereof; (ii) suspend Distributor’s ability to respond to future bid solicitations; (iii) suspend the Services or part thereof; or (iv) withhold payment to Distributor until Vendor remedies the default.
    3. Effect of Termination. In the event of expiration or termination of all or some of the documents comprising the NASPO Contract or any related contracts or part thereof relevant to the Services:
      1. Vendor shall (a) perform in accordance with the terms of any Orders existing at the time of such expiration or termination unless Services thereunder are suspended thereunder, but shall not renew such existing Orders or honor any Orders placed after such expiration or termination; (b) implement an orderly return of the Data in a CSV or other mutually agreeable format; (c) allow Purchasing Entity to extract its Data; and (d) securely dispose of the Data in all of its forms, such as disk, CD/ DVD, backup tape and paper.
      2. Vendor shall not intentionally erase any Data, other than allowing the continued deletion of Data in accordance with mutually agreed upon data retention parameters, if any, for a period of (a) 45 days after the effective date of termination for convenience; or (b) 60 days after the effective date of termination for cause. After expiration of the applicable time period, Vendor shall not be obligated to maintain or provide any Data and shall, unless legally prohibited, (i) permanently delete all Data in the Systems or otherwise in its possession or under its control and ensure that it is not recoverable according to National Institute of Standards and Technology (NIST)-approved methods; and (ii) upon request, provide certificates of destruction to Purchasing Entity. During any period of Service suspension, Vendor shall not intentionally erase or otherwise dispose of any of the Data, other than allowing the continued deletion of Data in accordance with the mutually agreed upon data retention parameters.
    4. Transition Assistance. Vendor shall (a) reasonably cooperate with DISTRIBUTOR in connection with transitioning the Services to a successor service provider to whom Data is transferred in connection with the expiration or termination of any of the NASPO Contract or any related contracts or part thereof, which may be subject to an additional cost and a separate transition Order; (b) assist Purchasing Entity in exporting and extracting its Data at no additional cost to Purchasing Entity; (c) provide post-termination assistance generally made available with respect to the services, unless the parties have established a unique Data retrieval arrangement as part of an SLA.
  4. Confidentiality. Vendor acknowledges that Personnel may, in the course of providing the Services, be exposed to or acquire Purchasing Entity’s Confidential Information. Vendor shall (a) hold such Confidential Information in confidence, using at least the industry standard of confidentiality and shall not, unless Purchasing Entity instructs, copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such Confidential information to third parties (other than to its Representatives) or use such Confidential Information for any purposes other than as permitted hereunder; (b) advise Personnel of their obligations to keep such Confidential Information confidential; (c) use commercially reasonable efforts to assist Purchasing Entity in identifying and preventing any unauthorized use or disclosure of such Confidential Information; (d) advise Purchasing Entity and Lead State immediately if Vendor learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms herein; (e) at its expense, cooperate with Purchasing Entity in seeking injunctive or other equitable relief in the name of Purchasing Entity or Vendor against any such person; and (f) upon termination or at Purchasing Entity’s request, turn over to Purchasing Entity all Confidential Information in Vendor’s possession; provided, however, that Vendor may keep one copy of such Confidential Information necessary for quality assurance, audits and evidence of the performance hereunder. Vendor acknowledges that (i) breach of this Section 4 will cause irreparable injury to Purchasing Entity that may be inadequately compensable in damages; and (ii) accordingly, Purchasing Entity may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies that may be available.
  5. Right to Publish. Vendor shall secure Distributor’s prior written approval to (a) release any information that pertains to the work or activities under the NASPO Contract including, but not limited to, reference to or use of Lead State or a Participating Entity’s name, Great Seal of the State, Coat of Arms, any agency or other subunits of the State government, or any State official or employee, for commercial promotion which is strictly prohibited; (b) publish news releases or release broadcast e-mails pertaining to the NASPO Contract; or (c) make any representations of NASPO, Lead State or any Participating Entities’ opinion or position as to the quality or effectiveness of the Services.
  6. Insurance
    1. Vendor shall (a) maintain the insurance described herein during the term; (b) acquire the insurance from an insurance carrier(s) licensed to conduct business in each Participating Entity’s state with a rating of A-, Class VII or better in the most recently published edition of Best’s Reports; (c) pay premiums on all insurance policies; and (d) comply with any applicable State Workers Compensation or Employers Liability Insurance requirements. Vendor’s failure to maintain the required insurance and/or provide evidence of such coverage may result in the termination of the NASPO Contract, a Participating Addendum and an Order. Coverage shall be written on an occurrence basis with the minimum acceptable limits as indicated below with no deductible for each of the following categories:
      1. Commercial General Liability covering premises operations, independent Vendors, products and completed operations, personal injury (including death), advertising liability, and property damage, with a limit of not less than $1 million per occurrence/$2 million general aggregate. Vendor will meet these requirements with a combination of primary and umbrella liability limits.
      2. Cloud Minimum Insurance Coverage
        Level of Risk Data Breach and Privacy/Cyber Liability including Technology Errors and Omissions Minimum Insurance Coverage
        Low Risk Data $2,000,000
        Moderate Risk Data $5,000,000
        High Risk Data $10,000,000
      3. Professional Liability Insurance of at least $1,000,000 per occurrence and $1,000,000 in the aggregate written on an occurrence form that provides coverage for work undertaken pursuant to each Participating Addendum.
      4. Upon request, Vendor shall provide to Distributor (a) a written endorsement to Vendor’s general liability insurance policy or other documentary evidence acceptable to Distributor that Vendor has additional insured endorsement that automatically includes those entities requiring to be additional insureds when required by written contract and does not specifically name additional insured; and (b) copies of certificates of insurance and renewal certificates of insurance within seven (7) business such request. Certificates of insurance shall expressly indicate compliance with insurance requirements herein; name and address of insured; name, address, telephone number and signature of authorized agent; name of insurance company (authorized to operate in all states); description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements); and acknowledgment of requirement for notice of cancellation provided Vendor. Coverage and limits shall not limit Vendor’s liability and obligations hereunder.
  7. Indemnification. Vendor shall defend, indemnify and hold harmless Participating Entities and Distributor and their officers, directors, employees and agents from and against any and all third-party claims, direct damages or causes of action, including reasonable attorney’s fees and related costs, for any death, injury or damage to property arising directly from acts, errors or omissions of Vendor and its officers, directors, employees and agents relating to the performance herein.
  8. Data Access Controls. Vendor shall (a) ensure that, prior to being granted access to the Data, Personnel (i) successfully complete annual instruction of a nature sufficient to enable them to effectively comply with the Data protection provisions herein; and (ii) possess all qualifications appropriate to the nature of the Personnel’s duties and the sensitivity of the Data they will be handling; (b) promote and maintain an awareness among Personnel of the importance of securing the Data; (c) enforce separation of job duties, require commercially reasonable non-disclosure agreements, and limit Personnel knowledge of the Data to that which is absolutely necessary to perform job duties.
  9. Data Ownership. Purchasing Entity shall own all Intellectual Property Rights in and to the Data. Vendor shall not (a) access Purchasing Entity’s user accounts or Data except (i) in the course of data center operations; (ii) in response to service or technical issues; (iii) as required in order to perform the Services in accordance with the terms of the NASPO Contract and any related contract documents; or (iv) at Purchasing Entity’s written request; (b) collect, access, or use the Data for any purpose other than to provide the Services; (c) disclose, provide, rent or sell information regarding a Purchasing Entity’s use of the Services to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction; or (d) copy, disclose or retain Data or processes that either belong to or are intended for the use of Purchasing Entity or its officers, agents or employees for subsequent use in any transaction that does not include Purchasing Entity. This Section 9 shall survive and extend beyond the term of the NASPO Contract.
  10. Data Protection. Vendor shall (a) ensure that protection of Personal Data is an integral part of Vendor’s business activities to ensure there is no inappropriate or unauthorized use of the Personal Data at any time; (b) comply with all applicable laws related to data privacy and security, including IRS Pub 1075; (c) upon request, cooperate with Distributor to determine whether Vendor will hold, store, or process High Risk Data, Moderate Risk Data and/or Low Risk Data; (d) safeguard the confidentiality, integrity and availability of Purchasing Entity information stored on the Systems; (e) implement and maintain appropriate administrative, technical and organization security measures designed to safeguard against unauthorized access, disclosure or theft of Personal Data and Non-Public Data in accordance with recognized industry practice and not less stringent than the measures Vendor applies to its own Personal Data and Non-Public Data of similar kind; (f) encrypt Personal Data and Non-Public Data at rest and in transit with controlled access in accordance with the level of protection and encryption identified in the SLA; or (g) ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2 Security Requirements for Cryptographic Modules for all Personal Data, unless Purchasing Entity submits a justifiable position in writing for the storage of Personal Data on a Vendor portable device in order to perform the Services and Purchasing Entity approves such position.
  11. Data Centers. Vendor shall (a) provide the Services and store the Data on Systems solely from data centers in the U.S.; (b) instruct its personnel or its contractors’ personnel to store Data only on portable devices, including personal computers, used and kept at data centers in the U.S.; provided, however, that Vendor personnel and contractors may access Data remotely as required to provide technical support on a 24/7 basis using a Follow-the-Sun model, unless a Participating Addendum prohibits such model.
  12. Security Incident or Data Breach Notification.
    1. Vendor shall immediately notify Distributor and Purchasing Entity (a) of a Security Incident or Data Breach; and (b) if Vendor must communicate with outside parties regarding a Security Incident or Data Breach (e.g., contacting law enforcement, fielding media inquiries, seeking external expertise). The notice in subparagraph (a) herein shall include, (i) to the best of Vendor’s knowledge at that time, the persons affected, their identities, and the Confidential Information and Data disclosed; and/or (ii) a statement that some or all of this information is unknown, if applicable. Vendor shall discuss the Security Incident and/or Data Breach on an urgent as-needed basis, including mitigation measure Vendor has and will implement.
    2. If Vendor has actual knowledge of a confirmed Data Breach that affects the security of any Data that is subject to applicable data breach notification law, Vendor shall immediately (a) notify Purchasing Entity within 24 hours or sooner; and (b) take commercially reasonable measures to address the Data Breach in a timely manner.
  13. Personal Data Breach Responsibilities.
    1. In the event a Data Breach occurs with respect to Personal Data within Vendor’s possession or control, Vendor shall (a) immediately notify Distributor and Purchasing Entity by telephone in accordance with the agreed upon security plan or security procedures, unless applicable law requires a shorter time, if it (i) reasonably believes there has been a Security Incident and/or a Data Breach; or (ii) has confirmed that there is a Security Incident and/or Data Breach; (c) upon request, cooperate with Purchasing Entity to investigate and resolve the Security Incident and/or Data Breach; (d) promptly document and implement necessary remedial measures related to the Security Incident and/or Data Breach, including any post‐incident review of events and actions taken to make changes in business practices in providing the services.
    2. If a Data Breach is a direct result of Vendor’s breach of its obligation to encrypt Personal Data or otherwise prevent its release, Vendor shall bear the costs associated with (a) investigation and resolution of the Data Breach; (b) notifications to affected individuals, regulators or others as federal and state laws require or the parties otherwise agree; (c) a credit monitoring service for up to twelve (12) months for affected individuals as federal and state laws require or the parties otherwise agree; (d) a website or a toll‐free number and call center for affected individuals as federal and state laws require — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis Ponemon Institute published at the time of the Data Breach; and (e) complete all corrective actions as Vendor reasonably determine necessary based on root cause.
  14. Legal Requests. Vendor shall (a) to the extent applicable law permits, contact Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to the Data or which in any way might reasonably require access to the Data; and (b) to the extent practicable, not respond to subpoenas, service of process and other legal requests related to Purchasing Entity without first notifying and obtaining Purchasing Entity’s approval, unless applicable law prohibits providing such notice.
  15. Background Checks. Vendor shall conduct criminal background checks on Personnel and not use Personnel to fulfill the obligations of the NASPO Contract and the Agreement who have been convicted of any crime of dishonesty including, but not limited to, criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to one (1) year is an authorized penalty. If Purchasing Entity determines, in its sole discretion, that Personnel are not acceptable as a result of the criminal background check, Purchasing Entity, at its sole option, may either (a) request immediate replacement of the person; or (b) immediately terminate the Participating Addendum and any related SLA. In such cases, Distributor may immediately terminate the Order related to such terminated Participating Addendum and any related SLA.
  16. Security Logs; Reports. Vendor shall provide System reports per the SLA or as the parties otherwise agree. Specifically for IaaS, the report shall focus on the Vendor-controlled infrastructure upon which Purchasing Entity’s account resides. Reports shall (a) include latency statistics, user access, user access IP address, user access history and security logs to and for the Systems and, in the case of IaaS, the public jurisdiction, a history of all API calls for Purchasing Entity account that includes the identity of API caller, time of API call, source IP address of API caller, request parameters and response elements Vendor returned; and (b) be sufficient to enable Purchasing Entity to perform security analysis, resource change tracking and compliance auditing. Vendor and Purchasing Entity recognize that security responsibilities are shared, all of which will be identified in the SLA. At a minimum, Vendor shall provide a secure infrastructure, and Purchasing Entity shall provide a secure guest operating system, firewalls and other logs captured within the guest operating system.
  17. Audits.
    1. Records Audit. Vendor shall (a) maintain books, records, documents, and other evidence (collectively, the “Records”) pertaining to invoices and payments for the Services for a period of six (6) years from the effective date of an Order; (b) permit Lead State, a Participating Entity, a Purchasing Entity, the federal government (including its grant awarding entities, U.S. Comptroller General, and any other duly authorized agent of a governmental agency) to audit, inspect, examine, copy and/or transcribe the Records no more than once per year, at Participating Entity’s cost; provided, however, that such audit does not unreasonably interfere with Vendor’s normal business operations.
    2. Security Audit. Vendor shall (a) upon request, provide Purchasing Entity with its (i) most recent SOC II, Type 2 report regarding the Systems; and (ii) completed Standardized Information Gathering (SIG) questionnaire (or similar document) for the Systems (the “Security Documentation”); (b) upon Purchasing Entity’s reasonable notice to Vendor, once per year during normal business hours, make appropriate Personnel reasonably available to Purchasing Entity to discuss Vendor’s compliance with the security obligations hereunder. In advance of such discussion, Vendor may, in addition to the Security Documentation, provide Purchasing Entity with access to additional information or documentation concerning Vendor’s information security practices as they relate to the NASPO Contract including, but not limited to, access to any security assessment reports designed to be shared with third parties. Vendor-provided information shall be considered Vendor’s Confidential Information subject to the confidentiality section in Vendor’s EULA.
    3. Data Center Audit. Vendor (a) shall perform a third party audit of its data centers at least annually at its expense and, upon request, provide an unredacted version of the audit report to Purchasing Entity; and (b) may remove its proprietary information from the unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent sets the minimum level of a third‐party audit.
  18. Change Control. Vendor shall (a) notify Purchasing Entity in writing at least sixty (60) days in advance prior to any Major Upgrades, minor upgrades or system changes to the Services or System (collectively, the “Changes”); provided, however, that if a Change(s) may impact service availability and performance, Vendor shall notify Purchasing Entity in writing at least forty eight (48) hours in advance; and (b) make Changes available to Purchasing Entity at no additional cost if Vendor makes such Changes generally available to other users at no additional cost. Changes may not decrease the functionality of the Services, adversely impact Purchasing Entity’s use of or access to the Services or increase the cost of the Services.
  19. Import and Export of Data. Vendor shall, and shall ensure that its Business Partners, (a) ensure that Purchasing Entity can, at its discretion, import or export Data in piecemeal or in its entirety without Vendor or Business Partner interference at any time during the term; and (b) specify if Purchasing Entity must provide its own tools or purchase Vendor or Business Partner tools if Vendor and Business Partner applications are unable to provide this functionality directly.
  20. Other Responsibilities. Vendor shall (a) acquire and operate all hardware, software and network support related and establish, manage and maintain the environments for the Services; and (c) provide 24/7/365 availability (with agreed-upon maintenance downtime) for the Systems and Services; (d) identify all Business Partners; (e) use Web services exclusively to interface with the Data in near real time; and (f) in the event of a System failure, use its best efforts to restore or assist in restoring the system to operational capacity.
  21. Right to Remove Individuals. Purchasing Entity may, at any time, require that Vendor remove Personnel that Purchasing Entity believes is detrimental to its working relationship with Vendor by providing written notification of its determination and the reasons it requests removal, provided that such removal does not violate any law, statute, ordinance, rule or regulation of any government or governmental body. If Purchasing Entity signifies that a potential security violation exists with respect to the request, Vendor shall immediately remove such individual. Vendor shall not assign the person to any aspect of the NASPO Contract or future Orders thereunder without Purchasing Entity’s consent.
  22. BC Plan; SSP. Vendor shall (a) maintain and, upon request, provide to Participating Entity a BC Plan or a summary thereof; (b) perform an annual Disaster Recover test correct any issues detected during the test in a timeframe upon which Vendor and Purchasing Entity agree; (c) ensure that Purchasing Entity’s recovery time objective (RTO) of XXX hours/days is met; and (d) maintain and, upon request, provide to Participating Entity a system security plans (SSP) or security processes (e.g., virus checking and port sniffing) and technical limitations.
  23. Accessibility Standards. Vendor shall comply with the Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973 and any other applicable state laws or administrative regulations. The extent to which an offering is, at the time of delivery, capable of providing comparable access to individuals with disabilities consistent with Section 508 of the Rehabilitation Act of 1973, in effect as of the Amendment No. 1 Effective Date, is indicated by the comments and exceptions (if any) specified on the applicable Voluntary Product Accessibility Template (VPAT), provided that such offering is used in accordance with the applicable documentation and that any assistive technologies and any other products used with the offering properly interoperate with such Offering. In the event that a VPAT is unavailable for a particular offering, the outcome may be that an offering is still being evaluated for accessibility, may be scheduled to meet accessibility standards in a future release, or may not be scheduled to meet accessibility standards at all.
  24. License. Vendor grants to Purchasing Entity a license to (i) access and use the Service for its business purposes; (ii) for PaaS, use underlying software as embodied or used in the Service; and (iii) view, copy, upload and download (where applicable), and use Vendor’s documentation. No Vendor terms, including standard click through license or website terms or use of privacy policy, shall apply to Purchasing Entities unless such terms are included in the NASPO Contact.
  25. Definitions.

    “BC Plan” means a business continuity and disaster recovery plan that, among other things, describes measures a party will implement in the event of a disaster. 

    “Business Partners” means all strategic business partners, subcontractors or other entities or individuals who may be a party to a joint venture or other agreement with Vendor and who may be engaged to perform some or all of the Services or involved in any application development and/or operations of the Services and/or Systems.

    “Cloud Infrastructure” means underlying cloud infrastructure including network, servers, operating systems and storage.

    “Confidential Information” means a Purchasing Entity’s records, personnel records, and information concerning individuals. 

    “Data” means all information stored in the Services and on the Systems created by or in any way originating with a Participating Entity or Purchasing Entity and all information that is the output of any computer processing or other electronic manipulation of any information created by or in any way originating with a Participating Entity in the course of using and configuring the Services. 

    “Data Breach” means any actual or reasonably suspected non-authorized access to or acquisition of computerized Non-Public Data and/or Personal Data stored on the Systems that compromises the security, confidentiality, or integrity of the Non-Public Data and/or Personal Data or Purchasing Entity’s ability to access the Non-Public Data and/or Personal Data. 

    “Data Categorization” means the process of risk assessment of Data. 

    “Disabling Code” means computer instructions or programs, subroutines, code, instructions, data or functions (including, but not limited to, viruses, worms, date bombs or time bombs) including, but not limited to, other programs, data storage, computer libraries and programs that self-replicate without manual intervention, instructions programmed to activate at a predetermined time or upon a specified event, and/or programs purporting to do a meaningful function but designed for a different function, that alter, destroy, inhibit, damage, interrupt, interfere with or hinder the operation of the Purchasing Entity’s software, applications and/or its end users processing environment, the system in which it resides, or any other software or data on such system or any other system with which it is capable of communicating, except for malware samples. 

    “Effective Date” means the date of last signature of this Amendment. 

    “FIPS PUB 199” means FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems. 

    “High Risk Data” is as defined in FIPS PUB 199. 

    “Infrastructure as a Service (IaaS)” means the capability for an end user to provision processing, storage, networks, and other fundamental computing resources where the end user can deploy and run arbitrary software, which can include operating systems and applications where the end user does not manage or control the underlying Cloud Infrastructure but has control over operating systems, storage, deployed applications and possibly limited control of select networking components (e.g., host firewalls).

    “Intellectual Property Rights” means any and all patents, copyrights, service marks, trademarks, trade secrets, trade names, patentable inventions, or other similar proprietary rights, in tangible or intangible form, and all rights, title, and interest therein. 

    “Lead State” means the State set forth in https://www.dlt.com/naspo-lead-state-participating-entities

    “Low Risk Data” is as defined in FIPS PUB 199. 

    “Major Upgrade” means an upgrade Vendor provides to customers with the same offering such a replacement of hardware, software or firmware with a newer version in order to bring the system up to date or to improve its characteristics and usually includes a new version number. 

    “Master Agreement” means the Master Agreement, dated December 30, 2016, executed by DLT and Lead State, as amended from time to time, and any successor agreement. 

    “Moderate Risk Data” is as defined in FIPS PUB 199. 

    “Non-Public Data” means High Risk Data and Moderate Risk Data that (i) not subject to distribution to the public as public information; and (ii) a Purchasing Entity deem sensitive and confidential because it contains information that is exempt by statute, ordinance or administrative rule from access by the general public as public information. 

    “Order” means a task order, purchase order, statement of work or other similar document into which Vendor and DLT enter in order to perform the Services described in the documents comprising the NASPO Contract and any related contract documents, the Agreement and this Amendment. 

    “Participating Addendum” means an agreement DLT and Participating Entity execute that incorporates the Master Agreement and any additional requirements (e.g., ordering procedures). 

    “Participating Entity” means a Participating State that executed a Participating Addendum, the current list of which is set forth in https://www.dlt.com/naspo-lead-state-participating-entities

    “Participating State” means a state, the District of Columbia or one of the territories of the United States that is listed in the Request for Proposal as intending to participate. 

    “Personal Data” means Data that includes information relating to an individual that identifies the individual by name, identifying number, mark or description and can be readily associated with a particular individual and which is not a public record which may include, but not be limited to, (i) government-issued identification numbers (e.g., Social Security, driver’s license, passport); or (ii) financial account information, including account number, credit or debit card numbers. 

    “Personnel” means employees, consultants and agents of Vendor and its Business Partners that perform the obligations under the NASPO Contract and the Agreement. 

    “Platform as a Service (PaaS)” means deploying consumer- created or -acquired applications created using Vendor-supported programming languages and tools onto the cloud infrastructure; provided however, Purchasing Entity does not manage or control the underlying Cloud Infrastructure, but has control over the deployed applications and possibly application hosting environment configurations; and provided, further, that this capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources. 

    “Purchasing Entity” means a state, city, county, district, or other political subdivision of a State, or a nonprofit organization under the laws of some states if authorized by a Participating Addendum that issues a purchase order against the Master Agreement and becomes financially committed to the purchase. 

    “Representatives” means a party’s employees, counsel, accountants, and financial advisors. 

    “Security Incident” means (i) possible or actual unauthorized access to a Purchasing Entity’s Non-Public Data and/or Personal Data that Vendor believes could reasonably result in the use, disclosure or theft of a Purchasing Entity’s Non-Public Data and/or Personal Data within Vendor’s possession or control; (ii) a major security breach to the Systems, regardless if Vendor is aware of unauthorized access to a Purchasing Entity’s Non-Public Data. A Security Incident may or may not turn into a Data Breach. 

    “SLA” means a service level agreement whereby Vendor provides to Purchasing Entity: (i) technical service level performance promises, (i.e., metrics for performance, intervals for measure); (ii) description of Service quality; (iii) identification of roles and responsibilities; (iv) remedies (e.g., credits) and how they are calculated and issued. 

    “Services” means IaaS, PaaS, SaaS or any combination thereof, as the case may be, that Vendor provides to a Purchasing Entity under the NASPO Contract and the Agreement. 

    “Software as a Service” or “SaaS” means the capability provided to the consumer to use Vendor’s applications running on Vendor’s infrastructure whereby (i) the applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based email), or a program interface; and (ii) the consumer does not manage or control the underlying Cloud Infrastructure or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. 

    “Solicitation” means the document describing Purchasing Entity’s needs and expectations with respect to the Services. 

    “Systems” means Vendor’s systems and infrastructure that enables and hosts the Services.

ITS86 STATEWIDE IT CONTRACT TERMS AND CONDITIONS

The ITS86 Statewide IT Contract Terms and Conditions located at https://www.dlt.com/its86-statewide-it-contract-terms-and-conditions are entered into by and between TD SYNNEX (“TD SYNNEX”) and/or DLT Solutions, LLC (“DLT” and, together with TD SYNNEX, “Distributor”), as the case may be, and Vendor, and shall apply to transactions leveraging the ITS86 Statewide IT Contract.

APPLICABLE FAR CLAUSES

Vendor shall comply with the applicable FAR clauses and agency-specific clauses located at https://www.dlt.com/applicable-far-and-other-agency-clauses for transactions leveraging federal government contracting vehicles.