The URL can be used to link to this page

Home My WebLink AboutAgreement A-19-115 with Pacific Storage Company.pdf1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 AGREEMENT THIS AGREEMENT ("Agreement") is made and entered into this __ day of ______ _ 2019 ("Effective Date"), by and between the County of Fresno, a Political Subdivision of the State of California, ("COUNTY"), and Pacific Storage Company, a California corporation, whose address is 523 N. Hunter Street, Stockton, CA 95202 ("CONTRACTOR"). WI TN E S S ETH: WHEREAS, the COUNTY has a need for countywide confidential document shredding and information media destruction services; WHEREAS, the COUNTY issued Request for Quotation No. 19-029 ("the RFQ"), dated November 28, 2018, which solicited bids from qualified vendors to provide confidential document shredding and information media destruction services; WHEREAS, the CONTRACTOR submitted the most responsive bid for providing the services requested in the RFQ; WHEREAS, the CONTRACTOR is qualified and willing to perform said services as stated in the CONTRACTOR's response to the RFQ ("the Response"). NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows: 1.OBLIGATIONS OF THE CONTRACTOR A.CONTRACTOR shall provide all countywide on-site and off -site confidential document shredding services and information media destruction services in accordance with the specifications, requirements, terms, conditions, etc. of the RFQ and the Response, which are attached hereto as Exhibit "B" and Exhibit "C", respectively, and incorporated herein by reference. 2.OBLIGATIONS OF THE COUNTY A.COUNTY shall provide CONTRACTOR with a list of all COUNTY facilities to be serviced by CONTRACTOR under this Agreement, which shall further specify the particular department or division of the COUNTY to which the services for each such facility shall be billed. B.COUNTY shall provide CONTRACTOR with the following information when requesting service: -1- 12th March Agreement No. 19-115 1 2 i.Department name and/or program name ii.Contact person and telephone number 3 iii.Address location for picking up collection containers 4 C.The COUNTY's departments shall place only confidential paper documents, such 5 as criminal records, photographs, arrest reports, case histories, medical records, legal documents, etc. 6 in the collection containers provided by CONTRACTOR. 7 3.TERM 8 The term of this Agreement shall be for a period of three (3) years, commencing on Effective Date 9 through and including March 11, 2022. This Agreement may be extended for two (2) additional consecutive 1 O twelve ( 12) month periods upon written approval of both parties no later than thirty (30) days prior to the first 11 day of the next twelve (12) month extension period. The Director of Internal Services/Chief Information 12 Officer (CIO) or his or her designee is authorized to execute such written approval on behalf of COUNTY 13 based on CONTRACTOR'S satisfactory performance. 14 4.TERMINATION 15 A Non-Allocation of Funds -The terms of this Agreement, and the services to be 16 provided hereunder, are contingent on the approval of funds by the appropriating government agency. 17 Should sufficient funds not be allocated, the services provided may be modified, or this Agreement 18 terminated, at any time by giving the CONTRACTOR thirty (30) days advance written notice. 19 B.Breach of Contract -The COUNTY may immediately suspend or terminate this 20 Agreement in whole or in part, where in the determination of the COUNTY there is: 21 1) An illegal or improper use of funds; 22 2)A failure to comply with any term of this Agreement; 23 24 3) 4) A substantially incorrect or incomplete report submitted to the COUNTY; Improperly performed service. 25 In no event shall any payment by the COUNTY constitute a waiver by the COUNTY of any breach 26 of this Agreement or any default which may then exist on the part of the CONTRACTOR. Neither shall such 27 payment impair or prejudice any remedy available to the COUNTY with respect to the breach or default. 28 The COUNTY shall have the right to demand of the CONTRACTOR the repayment to the COUNTY of any -2- 1 funds disbursed to the CONTRACTOR under this Agreement, which in the judgment of the COUNTY were 2 not expended in accordance with the terms of this Agreement. The CONTRACTOR shall promptly refund 3 any such funds upon demand. 4 C.Without Cause -Under circumstances other than those set forth above, this 5 Agreement may be terminated by COUNTY upon the giving of thirty (30) days advance written notice of an 6 intention to terminate to CONTRACTOR. 7 5.COMPENSATION/INVOICING: COUNTY agrees to pay CONTRACTOR and 8 CONTRACTOR agrees to receive compensation as follows: $50,000.00 annually for all-inclusive onsite and 9 offsite document shredding and information media destruction services, including departmental purges, 1 O containers, and locks. Information media destruction includes, but is not limited to, hard drives, 11 microfiche/microfilm, CD/DVDs, USB drives, zip disks, cell phones, pagers, and tablets. CONTRACTOR 12 shall submit monthly invoices referencing the provided contract number, either electronically or via email, in 13 triplicate to the County of Fresno, Internal Services Department, ATTN: Business Office, 333 W. Pontiac 14 Way, Clovis, CA 93612, (isdbusinessoffice@fresnocountyca.gov). 15 In no event shall services performed under this Agreement exceed $250,000.00 during the possible 16 five-year term of this Agreement. It is understood that all expenses incidental to CONTRACTOR'S 17 performance of services under this Agreement shall be borne by CONTRACTOR. COUNTY shall pay 18 CONTRACTOR within forty-five (45) days of receipt of an approved invoice. 19 6.INDEPENDENT CONTRACTOR: In performance of the work, duties and obligations 20 assumed by CONTRACTOR under this Agreement, it is mutually understood and agreed that 21 CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, and employees will at all 22 times be acting and performing as an independent contractor, and shall act in an independent capacity and 23 not as an officer, agent, servant, employee, joint venturer, partner, or associate of the COUNTY. 24 Furthermore, COUNTY shall have no right to control or supervise or direct the manner or method by which 25 CONTRACTOR shall perform its work and function. However, COUNTY shall retain the right to administer 26 this Agreement so as to verify that CONTRACTOR is performing its obligations in accordance with the 27 terms and conditions thereof. 28 CONTRACTOR and COUNTY shall comply with all applicable provisions of law and the rules and -3- 1 regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof. 2 Because of its status as an independent contractor, CONTRACTOR shall have absolutely no right 3 to employment rights and benefits available to COUNTY employees. CONTRACTOR shall be solely liable 4 and responsible for providing to, or on behalf of, its employees all legally-required employee benefits. In 5 addition, CONTRACTOR shall be solely responsible and save COUNTY harmless from all matters relating 6 to payment of CONTRACTOR'S employees, including compliance with Social Security withholding and all 7 other regulations governing such matters. It is acknowledged that during the term of this Agreement, 8 CONTRACTOR may be providing services to others unrelated to the COUNTY or to this Agreement. 9 7.MODIFICATION: Any matters of this Agreement may be modified from time to time by the 1 O written consent of all the parties without, in any way, affecting the remainder. 11 8.NON-ASSIGNMENT: Neither party shall assign, transfer or sub-contract this Agreement 12 nor their rights or duties under this Agreement without the prior written consent of the other party. 13 9.HOLD HARMLESS: CONTRACTOR agrees to indemnify, save, hold harmless, and at 14 COUNTY'S request, defend the COUNTY, its officers, agents, and employees from any and all costs and 15 expenses (including attorney's fees and costs), damages, liabilities, claims, and losses occurring or 16 resulting to COUNTY in connection with the performance, or failure to perform, by CONTRACTOR, its 17 officers, agents, or employees under this Agreement, and from any and all costs and expenses (including 18 attorney's fees and costs), damages, liabilities, claims, and losses occurring or resulting to any person, firm, 19 or corporation who may be injured or damaged by the performance, or failure to perform, of 20 CONTRACTOR, its officers, agents, or employees under this Agreement. 21 The provisions of this Section 9 shall survive the termination of this Agreement. 22 10.INSURANCE 23 Without limiting the COUNTY's right to obtain indemnification from CONTRACTOR or any third 24 parties, CONTRACTOR, at its sole expense, shall maintain in full force and effect, the following insurance 25 policies or a program of self-insurance, including but not limited to, an insurance pooling arrangement or 26 Joint Powers Agreement (JPA) throughout the term of the Agreement: 27 A Commercial General Liability 28 Commercial General Liability Insurance with limits of not less than Two Million Dollars -4- 1 ($2,000,000.00) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000.00). This 2 policy shall be issued on a per occurrence basis. COUNTY may require specific coverages including 3 completed operations, products liability, contractual liability, Explosion-Collapse-Underground, fire legal 4 liability or any other liability insurance deemed necessary because of the nature of this contract. 5 B.Automobile Liability 6 Comprehensive Automobile Liability Insurance with limits of not less than One Million Dollars 7 ($1,000,000.00) per accident for bodily injury and for property damages. Coverage should include any auto 8 used in connection with this Agreement. 9 C.Professional Liability 10 If CONTRACTOR employs licensed professional staff, (e.g., Ph.D., RN., L.C.S.W., M.F.C.C.) in 11 providing services, Professional Liability Insurance with limits of not less than One Million Dollars 12 ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) annual aggregate. 13 D.Worker's Compensation 14 A policy of Worker's Compensation insurance as may be required by the California Labor 15 Code. 16 Additional Requirements Relating to Insurance 17 CONTRACTOR shall obtain endorsements to the Commercial General Liability insurance naming 18 the County of Fresno, its officers, agents, and employees, individually and collectively, as additional 19 insured, but only insofar as the operations under this Agreement are concerned. Such coverage for 20 additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained 21 by COUNTY, its officers, agents and employees shall be excess only and not contributing with insurance 22 provided under CONTRACTOR's policies herein. This insurance shall not be cancelled or changed without 23 a minimum of thirty (30) days advance written notice given to COUNTY. 24 CONTRACTOR hereby waives its right to recover from COUNTY, its officers, agents, and 25 employees any amounts paid by the policy of worker's compensation insurance required by this 26 Agreement. CONTRACTOR is solely responsible to obtain any endorsement to such policy that may be 27 necessary to accomplish such waiver of subrogation, but CONTRACTOR's waiver of subrogation under 28 this paragraph is effective whether or not CONTRACTOR obtains such an endorsement. -5- 1 Within thirty (30) days from the date CONTRACTOR signs and executes this Agreement, 2 CONTRACTOR shall provide certificates of insurance and endorsement as stated above for all of the 3 foregoing policies, as required herein, to the County of Fresno, Internal Services Department, ATTN: 4 Business Office, 333 W. Pontiac Way, Clovis, CA 93612, stating that such insurance coverage have been 5 obtained and are in full force; that the County of Fresno, its officers, agents and employees will not be 6 responsible for any premiums on the policies; that for such worker's compensation insurance the 7 CONTRACTOR has waived its right to recover from the COUNTY, its officers, agents, and employees any 8 amounts paid under the insurance policy and that waiver does not invalidate the insurance policy; that such 9 Commercial General Liability insurance names the County of Fresno, its officers, agents and employees, 1 O individually and collectively, as additional insured, but only insofar as the operations under this Agreement 11 are concerned; that such coverage for additional insured shall apply as primary insurance and any other 12 insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees, shall be excess 13 only and not contributing with insurance provided under CONTRACTOR's policies herein; and that this 14 insurance shall not be cancelled or changed without a minimum of thirty (30) days advance, written notice 15 given to COUNTY. 16 In the event CONTRACTOR fails to keep in effect at all times insurance coverage as herein 17 provided, the COUNTY may, in addition to other remedies it may have, suspend or terminate this 18 Agreement upon the occurrence of such event. 19 All policies shall be issued by admitted insurers licensed to do business in the State of California, 20 and such insurance shall be purchased from companies possessing a current AM. Best, Inc. rating of A 21 FSC VII or better. 22 11.AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during business 23 hours, and as often as the COUNTY may deem necessary, make available to the COUNTY for examination 24 all of its records and data with respect to the matters covered by this Agreement. The CONTRACTOR 25 shall, upon request by the COUNTY, permit the COUNTY to audit and inspect all of such records and data 26 necessary to ensure CONTRACTOR'S compliance with the terms of this Agreement. 27 If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR shall be subject to 28 the examination and audit of the California State Auditor for a period of three (3) years after final payment -6- 1 under contract (Government Code Section 8546.7). 2 12.NOTICES: The persons and their addresses having authority to give and receive notices 3 under this Agreement include the following: 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COUNTY COUNTY OF FRESNO Internal Services Director/Chief Information Officer 333 W. Pontiac Wav Clovis, CA 93612 CONTRACTOR PACIFIC STORAGE COMPANY 523 North Hunter Street PO Box334 Stockton, CA 95201 All notices between the COUNTY and CONTRACTOR provided for or permitted under this Agreement must be in writing and delivered either by personal service, by first-class United States mail, by an overnight commercial courier service, or by telephonic facsimile transmission. A notice delivered by personal service is effective upon service to the recipient. A notice delivered by first-class United States mail is effective three COUNTY business days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice delivered by an overnight commercial courier service is effective one COUNTY business day after deposit with the overnight commercial courier service, delivery fe es prepaid, with delivery instructions given for next day delivery, addressed to the recipient. A notice delivered by telephonic facsimile is effective when transmission to the recipient is completed (but, if such transmission is completed outside of COUNTY business hours, then such delivery shall be deemed to be effective at the next beginning of a COUNTY business day), provided that the sender maintains a machine record of the completed transmission. For all claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810). 13.GOVERNING LAW: Venue for any action arising out of or related to this Agreement shall only be in Fresno County, California. The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California. 14.DISCLOSURE OF SELF-DEALING TRANSACTIONS This provision is only applicable if the CONTRACTOR is operating as a corporation (a for-profit -7- 1 or non-profit corporation) or if during the term of the agreement, the CONTRACTOR changes its status 2 to operate as a corporation. 3 Members of the CONTRACTOR's Board of Directors shall disclose any self-dealing transactions 4 that they are a party to while CONTRACTOR is providing goods or performing services under this 5 agreement. A self-dealing transaction shall mean a transaction to which the CONTRACTOR is a party 6 and in which one or more of its directors has a material financial interest. Members of the Board of 7 Directors shall disclose any self-dealing transactions that they are a party to by completing and signing a 8 Self-Dealing Transaction Disclosure Form, attached hereto as Exhibit A and incorporated herein by 9 reference, and submitting it to the COUNTY prior to commencing with the self-dealing transaction or 1 O immediately thereafter. 11 15.ENTIRE AGREEMENT: This Agreement constitutes the entire agreement between the 12 CONTRACTOR and COUNTY with respect to the subject matter hereof and supersedes all pr evious 13 Agreement negotiations, pro posals, commitments, writings, advertisements, publications, and 14 understanding of any nature whatsoever unless expressly included in this Agreement. 15 Ill 16 Ill 17 Ill 18 Ill 19 Ill 20 Ill 21 Ill 22 Ill 23 Ill 24 Ill 25 Ill 26 Ill 27 Ill 28 Ill -8- 1 IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and year 2 first here inabove written . 3 4 5 6 7 8 9 CON~ (btrt1, o rized Title \ ~'SI Ofc,;v, Uo Pv Bo:x 3 '$ 3 COUNTY OF FRESNO ~ z-'f-::> Nathan Magsig , Chairman of the Board of Supervisors of the County of Fresno 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Ma iling Address ATTEST: FOR ACCOUNTING USE ONLY: Fund : 1020 Subclass : 10000 ORG : 8905 Accoun t: 7295 Bernice E. Seidel Clerk of the Board of Supervisors County of Fresno , State of Ca li forn ia -9- 1 EXHIBIT A 2 SELF-DEALING TRANSACTION DISCLOSURE FORM 3 In order to conduct business with the County of Fresno (hereinafter referred to as "County"), members of a 4 contractor's board of directors (hereinafter referred to as "County Contractor''), must disclose any self- s dealing transactions that they are a party to while providing goods, performing services, or both for the 6 County. A self-dealing transaction is defined below: 7 8 "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more 9 of its directors has a material financial interest" 10 11 The definition above will be utilized for purposes of completing this disclosure form. 12 13 INSTRUCTIONS 14 (1) 15 (2) 16 (3) 17 18 19 20 21 (4) 22 23 (5) 24 25 26 27 28 Enter board member's name, job title (if applicable), and date this disclosure is being made. Enter the board member's company/agency name and address. Describe in detail the nature of the self-dealing transaction that is being disc losed to the County. At a minimum, include a description of the following: a.The name of the agency/company with which the corporation has the transaction; and b.The nature of the material financial interest in the Corporation's transaction that the board member has. Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). -10- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 (1)Company Board Member Information: Name:Date: Job Title: (2)Company/Agency Name and Address: (3)Disclosure (Please describe the nature of the self-dealing transaction you are a party to): (4)Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233 (a): (S)Authorized Signature Signature: I Date: I -11- G:\Public\RFQ\FY 2018-19\19-029 Document Shredding & Media Destruction Services\19-029 Document Shredding & Media Destruction Services.doc COUNTY OF FRESNO REQUEST FOR QUOTATION NUMBER: 19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES Issue Date: November 28, 2018 Closing Date: JANUARY 10, 2019 AT 2:00 P.M. All Questions and Responses must be electronically submitted on the Bid Page on Public Purchase. For assistance, contact Bryan Hernandez at Phone (559) 600-7110. BIDDER TO COMPLETE Undersigned agrees to furnish the commodity or service stipulated in the attached at the prices and terms stated in this RFQ. Bid must be signed and dated by an authorized officer or employee. Except as noted on individual items, the following will apply to all items in the Quotation Schedule: • A cash discount of % days will apply. County does not accept terms less than 15 days. COMPANY CONTACT PERSON ADDRESS CITY STATE ZIP CODE ( ) TELEPHONE NUMBER E-MAIL ADDRESS AUTHORIZED SIGNATURE PRINT NAME TITLE Purchasing Use: BH:yj ORG/Requisition: 8905 / 8905190004 Exhibit B Quotation No. 19-029 Page 2 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC TABLE OF CONTENTS PAGE KEY DATES .................................................................................................................... 3 OVERVIEW ..................................................................................................................... 3 SCOPE OF WORK .......................................................................................................... 4 BID INSTRUCTIONS....................................................................................................... 5 GENERAL REQUIREMENTS & CONDITIONS ............................................................... 6 INSURANCE REQUIREMENTS ................................................................................... 17 PARTICIPATION ........................................................................................................... 23 REFERENCE LIST ........................................................................................................ 24 COMPLY/NOT COMPLY............................................................................................... 25 QUOTATION SCHEDULE ............................................................................................. 28 CHECK LIST ................................................................................................................. 29 Quotation No. 19-029 Page 3 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC KEY DATES RFQ Issue Date: Vendor Conference: Written Questions for RFQ Due: RFQ Closing Date: November 28, 2018 December 11, 2018 at 10:00 A.M. County of Fresno - Purchasing 4525 E. Hamilton Avenue, 2nd Floor Fresno, CA 93702 December 18, 2018 at 10:00 A.M. Questions must be submitted on the Bid Page at Public Purchase. January 10, 2019 at 2:00 P.M. Quotations m ust be electronically submitted on the Bid Page. VENDOR CONFERENCE: A vendor conference will be held in which the scope of the project and quotation requirements will be explained. Addenda will be prepared and distributed to all bidders only if necessary to clarify substantive items raised during the vendor conference. Bidders are to contact Bryan Hernandez at County of Fresno - Purchasing, (559) 600-7110, if they are planning to attend. OVERVIEW The County of Fresno is soliciting bids to provide all labor, materials, equipment, permits, fees, taxes and insurance, etc. for both on-site and off-site shredding of confidential documents as well as media destruction services as provided for in this Request for Quotation. Quotation No. 19-029 Page 4 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC SCOPE OF WORK The County of Fresno on behalf of the Internal Services Department is requesting bids to provide on-site and off-site shredding of confidential documents and information media destruction services. The types of paper to be shredding include, but are not limited to: •Computer paper •Mixed paper (with ACCO fasteners, staples, paper clips, plastic, etc.) •Confidential criminal and health records, including used, unwanted manila folders, crime photos, arrest reports, used ballots, election materials, and assorted paper forms. The types of media to be destroyed include, but are not limited to: •Hard drives •CD’s/DVD’s •USB drives •Zip disks •Microfiche/microfilm •Cell phones •Pagers •Tablets Quantity Information: •Quantities and pick-up totals listed in Attachment “A” are based on current services. •No minimum or maximum is guaranteed or implied. •The number of containers, locations, containers’ sizes, and frequency of service may change upon request by the County of Fresno in accordance with their needs. The County will notify the vendor in writing with any changes, additions, deletions, etc. On-site shredding services are currently being utilized by Auditor-Controller/Treasurer-Tax Collector (AC/TTC), County Clerk/Elections, and the Department of Public Health on an infrequent and “as-needed” basis (for example, AC/TTC typically requires on-site shredding approximately three times per year with roughly four containers that need to be shredded each time). Additional departments may require on-site shredding services as needed. The successful bidder must be certified by the National Association for Information Destruction (NAID) and submit a copy of the certification with their bid. The NAID certification must remain active for the duration of the contract term. The NAID certification must be for both Service Platforms: Plant-Based and Mobile/Onsite. Both platforms, Plant-Based and Mobile/Onsite-Based, must cover the following Data Destruction Services: •Paper Records •Micro-Media Destruction •Non-Paper Media Destruction •Computer Media Destruction-Physical •Computer Media Destruction-Sanitization Quotation No. 19-029 Page 5 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC BID INSTRUCTIONS •Bidders must electronically submit bid package in pdf format, no later than the quotation closing date and time as stated on the front of this document, to the Bid Page on Public Purchase. The County will not be responsible for and will not accept late bids due to slow internet connection or incomplete transmissions. •Bids received after the closing time will NOT be considered. •All quotations shall remain firm for 180 days. •Interpretation: Should any discrepancies or omissions be found in the bid specifications or doubt as to their meaning, the bidder shall notify the Buyer in writing at once. The County shall not be hel d responsible for verbal interpretations. Questions regarding the bid must be received by Purchasing prior to the date and time stated within this document. All addenda issued shall be in writing, duly issued by Purchasing and incorporated into the contract. •ISSUING AGENT/AUTHORIZED CONTACT: This RFQ has been issued by County of Fresno, Purchasing. Purchasing shall be the vendor’s sole point of contact with regard to the RFQ, its content, and all issues concerning it. All communication regarding this RFQ shall be directed to an authorized representative of County Purchasing. The specific buyer managing this RFQ is identified on the cover page, along with his or her telephone number, and he or she should be the primary point of contact for discussions or information pertaining to the RFQ. Contact with any other County representative, including elect ed of ficials, for the purpose of discussing this RFQ, its content, or any other issue concerning it, is prohibited unless authorized by Purchasing. Violation of this clause, by the vendor having unauthorized contact (verbally or in writing) with such other County representatives, may constitut e grounds for rejection by Purchasing of the vendor’s quotation. The above stated restriction on vendor contact with County representatives shall apply until the County has awarded a purchase order or contract to a vendor or vendors, except as follows. First, in the event that a vendor initiates a formal protest against the RFQ, such vendor may contact t he appropriate individual, or individuals who are managing that protest as outlined in the County’s established protest procedures. All such contact must be in accordance with the sequence set forth under the protest procedures. Second, in the event a public hearing is scheduled before the Board of Supervisors to hear testimony prior to its approval of a purchase order or contract, any vendor may address the Board. •APPEALS: Appeals must be submitted in writing within seven (7) working days after notification of proposed recommendations for award. A “Notice of Award” is not an indication of County’s acceptance of an offer made in response to this RFQ. Appeals shall be submitted to County of Fresno Purchasing, 4525 E. Hamilton Avenue 2nd Floor, Fresno, California 93702-4599 and in Word format to gcornuelle@FresnoCountyCA.gov . Appeals should addr ess only areas regarding RFQ contradictions, procurement errors, quotation rating discrepancies, legality of procurement context, conflict of interest, and inappropriate or unfair competitive procurement grievance regarding the RFQ process. Purchasing will provide a written response to the complainant within seven (7) working days unless the complainant is notified more time is required. If the appealing bidder is not satisfied with the decision of Purchasing, bidder shall have the right to appeal to the County Administrative Office within seven (7) working days after Purchasing’s notification; if the appealing bidder is not satisfied with CAO’s decision, the final appeal is with the Board of Supervisors. Please contact Purchasing if the appeal will be going to the Board of Supervisors. Quotation No. 19-029 Page 6 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC GENERAL REQUIREMENTS & CONDITIONS LOCAL VENDOR PREFERENCE AND DISABLED VETERAN BUSINESS ENTERPRISE BID PREFERENCE: The Local Vendor Preference and Disabled Veteran Business Enterprise Preference do not apply to this Request for Quotation. DEFINITIONS: The terms Bidder, Proposer, Contractor and Vendor are all used interchangeably and refer to that person, partnership, corporation, organization, agency, etc. which is offering the quotation and is identified on page one of this Request For Quotation (RFQ). INTERPRETATION OF RFQ: Vendors must make careful examination of the requirements, specifications and conditions expressed in the RFQ and fully inform themselves as to the quality and character of services required. If any person planning to submit a quotation finds discrepancies in or omissions from the RFQ or has any doubt as to the true meaning or interpretation, correction thereof may be requested in writing from Purchasing by December 18, 2018, cut-off. Questions must be submitted on the Bid Page at Public Purchase or contact Bryan Hernandez at (559) 600- 7110. NOTE: Time constraints will prevent County from responding to questions submitted after the cut-off date. Any change in the Request for Quotation will be made by written addendum issued by the County. The County will not be responsible for any other explanations or interpretations. AWARD: Award will be made to the vendor(s) offering the services, products, prices, delivery, equipment and system deemed to be to the best advantage of the County. Past performance (County contracts within the past seven years) and references may factor into awarding of a contract. The County shall be the sole judge in making such determination. Award Notices are tentative: Acceptance of an offer made in response to this RFQ shall occur only upon execution of an agreement by both parties or issuance of a valid written Purchase Order by Fresno County Purchasing. RIGHT TO REJECT BIDS: The County reserves the right to reject any and all bids and to waive informalities or irregularities in bids. Failure to respond to all questions or not to supply the requested information could result in rejection of your quotation. CODES AND REGULATIONS: All work and material to conform to all applicable Federal, State, local and special district building codes, laws, ordinances, and regulations. TAXES: The quoted amount must include all applicable taxes. If taxes are not specifically identified in the quotation it will be assumed that they are included in the total quoted. SALES TAX: Fresno County pays California State Sales Tax in the amount of 7.975% regardless of vendor's place of doing business. TAXES, PERMITS & FEES: The successful bidder shall pay for and include all federal, state and local taxes direct or indirect upon all materials; pay all fees for, and obtain all necessary permits and licenses, unless otherwise specified herein. TAXES, CHARGES AND EXTRAS: A)DO NOT include Federal Excise Tax. County is exempt under Registration No. 94-73-03401-K. B)County is exempt from Federal Transportation Tax. Exemption certificate is not required where shipping papers show consignee as County of Fresno. C)Charges for transportation, containers, packing, etc. will not be paid unless specified in bid. Quotation No. 19-029 Page 7 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC SPECIFICATIONS AND EQUALS: Brand names, where used, are a means of establishing quality and style. Bidders are invited to quote their equals. Alternate offers are to be supported by literature, which fully describes items that you are bidding. No exceptions to or deviations from this specification will be considered unless each exception or deviation is specifically stated by the bidder, in the designated places. If no exceptions or deviations are shown, the bidder will be required to furnish items exactly as specified herein. The burden of proof of compliance with this specification is the responsibility of the bidder. LITERATURE: Bidders shall submit literature, which fully describes items on which they are bidding, not later than the closing date of this bid. Any and all literature submitted must be stamped with bidders name and address. MERCHANDISE RETURNABLE FOR FULL CREDIT : Bidder agrees to accept for full credit any merchandise sold by him on contract or award resulting from this bid, if returned in good condition by the County. GUARANTEE AGAINST DEFECTS: All items are to carry a full guarantee against defects in materials and workmanship and guarantee against breakage and other malfunctions when performing work for which they are designed. PACKAGING: Each item listed in the bid gives as part of its description the minimum packaging size that the County would order. The County feels it more reasonable to order the successful bidder's standard "carton" sizes; therefore, each bidder is asked to fill in the information for each item. Normally the circumstances resort to minimum package size orders. Be sure to fill in your "standard" carton size on the quotation schedule if different from stated. Quote separate prices on each individual item in County unit of measure (i.e., EA, DZ, PG, not your standard carton price). VENDOR ASSISTANCE: Successful bidder shall furnish, at no cost to the County, a representative to assist County departments in determining their product requirements. MINOR DEVIATIONS: The County reserves the right to negotiate minor deviations from the prescribed terms, conditions and requirements with the selected vendor. BIDDERS’ LIABILITIES: County of Fresno will not be held liable for any cost incurred by vendors in responding to the RFQ. PRICE RESPONSIBILITY: The selected vendor will be required to assume full responsibility for all services and activities offered in the quotation, whether or not they are provided directly. Further, the County of Fresno will consider the selected vendor to be the sole point of contact with regard to contractual matters, including payment of any and all charges resulting from the contract. The contractor may not subcontract or transfer the contract, or any right or obligation arising out of the contract, without first having obtained the express written consent of the County. PRICES: Bidder agrees that prices quoted are for the contract period, and in the event of a price decline such lower prices shall be extended to the County of Fresno. Prices shall be quoted F.O.B. destination. CONFIDENTIALITY: Bidders shall not disclose information about the County's business or business practices and safeguard confidential data which vendor staff may have access to in the course of system implementation. HIPAA: All services performed by vendor shall be in strict conformance with all applicable Federal, State of California and/or local laws and regulations relating to confidentiality, including but not limited to, California Civil Code, California Welfare and Institutions Code, Health and Safety Code, California Code of Regulations, Code of Federal Regulations. Vendor shall submit to County’s monitoring of said compliance. Quotation No. 19-029 Page 8 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Vendor may be a business associate of County, as that term is defined in the “Privacy Rule” enacted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a HIPAA Business Associate, vendor may use or disclose protected health information (“PHI”) to perform functions, activities or services f or or on behalf of County as specified by the County, provided that such use or disclosure shall not violate HIPAA and its implementing regulations. The uses and disclosures if PHI may not be more expansive than those applicable to County, as the “Covered Entity” under HIPAA’s Privacy Rule, except as authorized for management, administrative or legal responsibilities of the Business Associate. Vendor shall not use or further disclose PHI other than as permitted or required by the County, or as required by law without written notice to the County. Vendor shall ensure that any agent, including any subcontractor, to which vendor provides PHI received from, or created or received by the vendor on behalf of County, shall comply with the same restrictions and conditions with respect to such information. NEWS RELEASE: Vendors shall not issue any news releases or otherwise release information to any third party about this RFQ or the vendor's quotation without prior written approval from the County of Fresno. BACKGROUND REVIEW: The County reserves the right to conduct a background inquiry of each proposer/bidder which may include collection of appropriate criminal history information, contractual and business associations and practices, employment histories and reputation in the business community. By submitting a quotation/bid to the County, the vendor consents to such an inquiry and agrees to make available to the County such books and records the County deems necessary to conduct the inquiry. ADDENDA: In the event that it becomes necessary to revise any part of this RFQ, addenda will be provided to all agencies and organizations that receive the basic RFQ. CONFLICT OF INTEREST: The County shall not contract with, and shall reject any bid or quotation submitted by the persons or entities specified below, unless the Board of Supervisors finds that special circumstances exist which justify the approval of such contract: 1.Employees of the County or public agencies for which the Board of Supervisors is the governing body. 2.Profit-making firms or businesses in which employees described in Subsection (1) serve as officers, principals, partners or major shareholders. 3.Persons who, within the immediately preceding twelve (12) months, came within the provisions of Subsection (1), and who were employees in positions of substantial responsibility in the area of service to be performed by the contract, or participated in any way in developing the contract or its service specifications. 4.Profit-making firms or businesses in which the former employees described in Subsection (3) serv e as officers, principals, partners or major shareholders. 5.No County employee whose position in the County enables him to influence the selection of a contractor for this RFQ, or any competing RFQ, and no spouse or economic dependent of such em ployee, shall be employees in any capacity by a bidder, or have any other direct or indirect financial interest in the selection of a contractor. INVOICING: All invoices are to be emailed to isdap-ar@fresnocountyca.gov or mailed to County of Fresno, Internal Services, Attn: Accounts Payable, 333 W. Pontiac Way, Clovis, CA 93612. Reference shall be made to the purchase order/contract number and equipment number if applicable on the invoice. PAYMENT: Upon satisfactory completion of work, specified herein and approval by the County, payment will be made in full. Terms of payment will be net forty-five (45) days. County will consider the Bidder’s Cash discount Offer, in lieu of the net forty-five (45) days payment terms. CONTRACT TERM: It is County’s intent to contract with the successful bidder for a term of three (3) years. Quotation No. 19-029 Page 9 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC RENEWAL: Agreement may be renewed for a potential of two (2) one (1) year periods, based on the mutual written consent of all parties. QUANTITIES: Quantities shown in the bid schedule are approximate and the County guarantees no minimum amount. The County reserves the right to increase or decrease quantities. ORDERING: Orders will be placed as required by the various County Departments. TERMINATION: The County reserves the right to terminate any resulting contract upon written notice. INDEPENDENT CONTRACTOR: In performance of the work, duties, and obligations assumed by Contractor under any ensuing Agreement, it is mutually understood and agreed that CONTRACTOR, including any and all of Contractor’s officers, agents, and employees will at all times be acting and performing as an independent contractor, and shall act in an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or associate of the COUNTY. Furthermore, County shall have no right to control or supervise or direct the manner or method by which Contractor shall perform its work and function. However, County shall retain the right to administer this Agreement so as to verify that Contractor is performing its obligations in accordance with the terms and conditions thereof. Contractor and County shall comply with all applicable provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof. Because of its status as an independent contractor, Contractor shall have absolutely no right to employment rights and benefits available to County employees. Contractor shall be solely liable and responsible for providing to, or on behalf of, its employees all legally-required employee benefits. In addition, Contractor shall be solely responsible and save County harmless from all matters relating to payment of Contractor's employees, including compliance with Social Security, withholding, and all other regulations governing such matters. It is acknowledged that during the term of the Agreement, Contractor may be providing services to others unrelated to the County or to the Agreement. SELF-DEALING TRANSACTION DISCLOSURE: Contractor agrees that when operating as a corporation (a for-profit or non-profit corporation), or if during the term of the agreement the Contractor changes its status to operate as a corporation, members of the Contractor’s Board of Directors shall disclose any self-dealing transactions that they are a party to while Contractor is providing goods or performing services under the agreement with the County. A self -dealing transaction shall mean a transaction to which the Contractor is a party and in which one or more of its directors has a material financial interest. Members of the Board of Directors shall disclose any self -dealing transactions that they are a party to by completing and signing a Fresno County Self-Dealing Transaction Disclosure Form and submitting it to the County prior to commencing with the self -dealing transaction or immediately thereafter. HOLD HARMLESS CLAUSE: Contractor agrees to indemnify, save, hold harmless and at County's request, defend the County, its officers, agents and employees, from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims and losses occurring or resulting to County in connection with the performance, or failure to perform, by Contractor, its officers, agents or employees under this Agreement and from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims and losses occurring or resulting to any person, firm or corporation who may be injured or damaged by the performance, or failure to perform, of Contractor, its officers, agents or employees under this Agreement. MATERIALS TO BE NEW: All materials shall be new and of merchantable grade, free from defect. No bid will be considered unless it is accompanied by a complete list of manufacturer's catalog numbers of the items, which the bidder proposes to furnish, together with full descriptive literature on all items so enumerated. If i tem proposed differs from these specifications, bidder shall present specific explanation of functioning and structural characteristics for those details which differ from the specifications listed herein. SAFETY DATA SHEETS: With the invoice or within twenty-five (25) days of delivery, the seller must provide to the County a Safety Data Sheet for each product, which contains any substance on “The List of 800 Hazardous Substances”, published by the State Director of Industrial Relations. (See Hazardous Substances Information and Training Act, California State Labor Code Sections 6360 through 6399.7.) Quotation No. 19-029 Page 10 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC RECYCLED PRODUCTS/MATERIALS: Vendors are encouraged to provide and quote (with documentation) recycled or recyclable products/materials which meet stated specifications. EXAMINATION OF SITE: Where work is to be performed on County site, each bidder shall have examined the site of work before bidding and shall be responsible for having acquired full knowledge of the job and of all problems affecting it. No variations or allowance from the contract sum will be made because of lack of such examination. DAMAGE TO EXISTING WORK: Damage to existing construction, equipment, planting, etc., by the contractor in the performance of his work shall be replaced or repaired and restored to original condition by the contractor. CLEAN UP: The Contractor shall at all times, keep the premises clean from accumulation of waste materials or rubbish caused by his employees or work and shall remove all resulting work debris from the job site. WATER, POWER & TOILET FACILITIES: Successful bidder may use County owned water, power and toilet facilities at job site (when existing) at no expense to the successful bidder. Successful bidder will be required, however, to provide piping, fittings and other items as necessary to bring water and power from existing service to job site. COORDINATE WORK WITH OWNER: Successful bidder shall coordinate and schedule the work with the County so that any interruption to the normal business operations be kept to a minimum. INSPECTION: All material and workmanship shall be subject to inspection, examination and test by the County at any and all times during which manufacture and/or construction are carried on. The County shall have the right to reject defective material and workmanship or require its correction. SUPERVISION: The Contractor shall give efficient supervision to the work, using therein the skill and diligence for which he is remunerated in the contract price. He shall carefully inspect the site and study and compare all drawings, specifications and other instructions, as ignorance of any phase of any of the features or conditions affecting the contract will not excuse him from carrying out its provisions to its full intent. STANDARD OF PERFORMANCE: All work shall be performed in a good and workmanlike manner. SAFEGUARDS: The contractor shall provide safeguards, in conformity with all local codes and ordinances as may be required. PERFORMANCE BOND: The successful bidders may be required to furnish a faithful performance bond. BONDING COMPANY: The company issuing bonds shall be a corporate surety admitted by the California Insurance Commissioner to do business in the State of California with an A.M Best rating of B++ VIII or better. COORDINAT ION AND COMPLETION: The successful bidder shall contact and meet with the County Coordinator at the job site prior to commencement and completion of any work. Successful bidder shall complete the job as instructed and described in writing by the contract, bid or amendment. Any problem or questions that arise in the scope of work, the County must be contacted and the appropriate written amendment generated. GUARANTEE: The successful bidder shall fully guarantee all aspects of the project for the minimum period of one (1) year. Such one (1) year period shall commence upon the date of final acceptance by County. The guarantee shall include but in no way be limited to workmanship, equipment and materials. DISPUTE RESOLUTION: The ensuing contract shall be governed by the laws of the state of California. Any claim which cannot be amicably settled without court action will be litigated in the U.S. District Court for the Eastern District of California in Fresno, CA or in a state court for Fresno County. Quotation No. 19-029 Page 11 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC DEFAULT: In case of default by the selected bidder, the County may procure the services from another source and may recover the loss occasioned thereby from any unpaid balance due the selected bidder, or by any other legal means available to the County. Regardless of F.O.B. point, vendor agrees to bear all risks of loss, injury or destruction to goods and materials ordered herein which occur prior to delivery and such loss, injury or destruction shall not release vendor from any obligation hereunder ASSIGNMENTS: The ensuing proposed contract will provide that the vendor may not assign any payment or portions of payments without prior written consent of the County of Fresno. ASSURANCES: Any contract awarded under this RFQ must be carried out in full compliance with the Civil Rights Act of 1964, the Americans With Disabilities Act of 1990, their subsequent amendments, and any and all other laws protecting the rights of individuals and agencies. The County of Fresno has a zero tolerance for discrimination, implied or expressed, and wants to ensure that policy continues under this RFQ. The contractor must also guarantee that services, or workmanship, provided will be performed in compliance with all applicable local, state, or federal laws and regulations pertinent to the types of services, or project, of the nature required under this RFQ. In addition, the contractor may be required to provide evidence substantiating that their employees have the necessary skills and training to perform the required services or work. OBLIGATIONS OF CONTRACTOR: Contractor warrants on behalf of itself and all subcontractors engaged for the performance of the ensuing contract that only persons authorized to work in the United States pursuant to the Immigration Reform and Control Act of 1986 and other applicable laws shall be employed in the performance of the work hereunder. TIE BIDS: With all other factors being equal, the contract shall be awarded to the Fresno County vendor or, if neither or both are Fresno County vendors, the tied vendors will be granted the opportunity to submit new bids or the entire bid may be rejected and re-bid. If the General Requirements of the RFQ state that they are applicable, the provisions of the Fresno County Local Vendor Preference shall take priority over this paragraph. DATA SECURITY: Individuals and/or agencies that enter into a contractual relationship with the County for the purpose of providing services must employ adequate controls and data security measures, both internally and externally to ensure and protect the confidential information and/or data provided to contractor by the County, preventing the potential loss, misappropriation or inadvertent access, viewing, use or disclosure of County data including sensitive or personal client information; abuse of County resources; and/or disruption to County operations. Individuals and/or agencies may not connect to or use County networks/systems via personally owned mobile, wireless or handheld devices unless authorized by County for telecommuting purposes and provide a secure connection; up to date virus protection and mobile devices must have the remote wipe feature enabled. Computers or computer peripherals including mobile storage devices may not be used (County or Contractor device) or brought in for use into the County’s system(s) without prior authorization from County’s Chief Information Officer and/or designee(s). No storage of County’s private, confidential or sensitive data on any hard-disk drive, portable storage device or remote storage installation unless encrypted according to advance encryption standards (AES of 128 bit or higher). The County will immediately be notified of any violations, breaches or potential breaches of security related to County’s confidential information, data and/or data processing equipment which stores or processes County data, internally or externally. County shall provide oversight to Contractor’s response to all incidents arising from a possible breach of security related to County‘s confidential client information. Contractor will be responsible to issue any notification to affected individuals as required by law or as deemed necessary by County in its sole discretion. Contractor will be responsible for all costs incurred as a result of providing the required notification. Quotation No. 19-029 Page 12 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC AUDITS AND RETENTION: The Contractor shall maintain in good and legible condition all books, documents, papers, data files and other records related to its performance under this contract. Such records shall be complete and available to Fresno County, the State of California, the federal government or their duly authorized representatives for the purpose of audit, examination, or copying during the term of the contract and for a period of at least three (3) years following the County's final payment under the contract or until conclusion of any pending matter (e.g., litigation or audit), whichever is later. Such records must be retained in the manner described above until all pending matters are closed. Quotation No. 19-029 Page 13 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC BIDDER TO COMPLETE: GUARANTEED PICK UP AND/OR DELIVERY: Bidder will be considered in award of bid only if they can guarantee. Enter guarantee on this line (i.e. number of days from receipt of order to delivery): WARRANTY AND SERVICE LOCATION: State the warranty and/or guarantee provisions applicable to this equipment or attach warranty form with your bid. State specific location, where service and/or maintenance can be obtained. Failure to furnish this information will be cause for rejection of bid. SUBCONTRACTORS: List all subcontractors that would perform work in excess of one/half of one percent of the total amount of your bid, and state general type of work such subcontractor would be performing. The primary contractor is not relieved of any responsibility by virtue of using a subcontractor: Quotation No. 19-029 Page 14 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC BIDDER QUESTIONNAIRE - BIDDER SHALL RESPOND TO ALL OF THE FOLLOWING QUESTIONS: 1.Number of years your firm has been providing both on-site and off-site shredding services: a.Location of Destruction Facility: 2. Describe Facility (i.e. alarm, fire sprinklers, etc.): a.How long are materials kept in facility prior to being shredded? 3.On a separate sheet of paper, address each of the following procedures and include a current copy of your firm’s policy and procedure manual relating to each procedure. A.Personnel Security Screening B.Collection and Handling Procedures C.Destruction Facility Security Procedures D.Shredding Procedures **NOTE: Failure to provide this information may be considered as cause to reject bid.** 4.Describe how an infringement of any of the security procedures by your personnel is handled. Quotation No. 19-029 Page 15 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC 5.Do you belong to any professional associations including the National Association of Information Destruction (NAID)? Yes No a.If yes, please name: 6.List all principals, key employees, owners, partners, and any other person controlling the business of the bidder, including their titles. NAME TITLE Quotation No. 19-029 Page 16 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC 7.Number of people employed full-time:Part-time: a.List the names, length of service, and full-time or part-time status for each employee. EMPLOYEE NAME LENGTH OF SERVICE STATUS (FULL- OR PART -TIME) Quotation No. 19-029 Page 17 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC INSURANCE REQUIREMENTS INSURANCE: Without limiting the County’s right to obtain indemnification from Contractor or any third parties, Contractor, at its sole expense, shall maintain in full force and effect, the following insurance policies or a program of self-insurance, including but not limited to, an insurance pooling arrangement or Joint Powers Agreement (JPA) throughout the term of the Agreement: A.Commercial General Liability: Commercial General Liability Insurance with limits of not less than Two Million Dollars ($2,000,000.00) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000.00). This policy shall be issued on a per occurrence basis. County may require specific coverage including completed operations, product liability, contractual liability, Explosion-Collapse- Underground, fire legal liability or any other liability insurance deemed necessary because of the nat ure of the contract. B.Automobile Liability: Comprehensive Automobile Liability Insurance with limits of not less than One Million Dollars ($1,000,000.00) per accident for bodily injury and for property damages. Coverage should include any auto used in connection with this Agreement. C. Professional Liability: If Contractor employs licensed professional staff, (e.g., Ph.D., R.N., L.C.S.W., M.F.C.C.) in providing services, Professional Liability Insurance with limits of not less than One Million Dollars ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) annual aggregate. This coverage shall be issued on a per claim basis. Contractor agrees that it shall maintain, at its sole expense, in full force and effect for a period of three years following the termination of this Agreement, one or more policies of professional liability insurance with limits of coverage as specified herein. D.Worker's Compensation: A policy of Worker's Compensation insurance as may be required by the California Labor Code. Additional Requirements Relating to Insurance: Contractor shall obtain endorsements to the Commercial General Liability insurance naming the County of Fresno, its officers, agents, and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insured shall apply as primary insurance and any other insurance, or self -insurance, maintained by County, its officers, agents and employees shall be excess only and not contributing with insurance provided under Contractor's policies herein. This insurance shall not be cancelled or changed without a minimum of thirty (30) days advance written notice given to County. Contractor hereby waives its right to recover from County, its officers, agents, and employees any amounts paid by the policy of worker’s compensation insurance required by this Agreement. Contractor is solely responsible to obtain any endorsement to such policy that may be necessary to accomplish such waiver of subrogation, but Contractor’s waiver of subrogation under this paragraph is effective whether or not Contractor obtains such an endorsement. Quotation No. 19-029 Page 18 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Within thirty (30) days from the date Contractor executes this Agreement, Contractor shall provide certificates of insurance and endorsement as stated above for all of the foregoing policies, as required herein, to the County of Fresno, Quotation No. 19-029 Page 19 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC BIDDER QUESTIONNAIRE - BIDDER SHALL RESPOND TO ALL OF THE FOLLOWING QUESTIONS: 8.Number of years your firm has been providing both on-site and off-site shredding services: b.Location of Destruction Facility: 9.Describe Facility (i.e. alarm, fire sprinklers, etc.): b.How long are materials kept in facility prior to being shredded? 10.On a separate sheet of paper, address each of the following procedures and include a current copy of your firm’s policy and procedure manual relating to each procedure. A.Personnel Security Screening B.Collection and Handling Procedures C.Destruction Facility Security Procedures D.Shredding Procedures **NOTE: Failure to provide this information may be considered as cause to reject bid.** 11.Describe how an infringement of any of the security procedures by your personnel is handled. Quotation No. 19-029 Page 20 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC 12.Do you belong to any professional associations including the National Association of Information Destruction (NAID)? Yes No b.If yes, please name: 13.List all principals, key employees, owners, partners, and any other person controlling the business of the bidder, including their titles. NAME TITLE Quotation No. 19-029 Page 21 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC 14.Number of people employed full-time:Part-time: b.List the names, length of service, and full-time or part-time status for each employee. EMPLOYEE NAME LENGTH OF SERVICE STATUS (FULL- OR PART -TIME) Quotation No. 19-029 Page 22 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC , stating that such insurance coverage have been obtained and are in full force; that the County of Fresno, its officers, agents and employees will not be responsible for any premiums on the policies; that such Commercial General Liability insurance names the County of Fresno, its officers, agents and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned; that such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by County, its officers, agents and employees, shall be excess only and not contributing with insurance provided under Contractor's policies herein; and that this insurance shall not be cancelled or changed without a minimum of thirty (30) days advance, written notice given to County. In the event Contractor fails to keep in effect at all times insurance coverage as herein provided, the County may, in addition to other remedies it may have, suspend or terminate this Agreement upon the occurrence of such event. All policies shall be with admitted insurers licensed to do business in the State of California. Insurance purchased shall be purchased from companies possessing a current A.M. Best, Inc. rating of A FSC VII or better. Quotation No. 19-029 Page 23 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC BIDDER TO COMPLETE THE FOLLOWING: PARTICIPATION The County of Fresno is a member of the Central Valley Purchasing Group. This group consists of Fresno, Kern, Kings, and Tulare Counties and all governmental, tax supported agencies within these counties. Whenever possible, these and other tax supported agencies co-op (piggyback) on contracts put in place by one of the other agencies. Any agency choosing to avail itself of this opportunity, will make purchases in their own name, make payment directly to the contractor, be liable to the contractor and vice versa, per the terms of the original contract, all the while holding the County of Fresno harmless. If awarded this contract, please indicate whether you would extend the same terms and conditions to all tax supported agencies within this group as you are proposing to extend to Fresno County. Yes, we will extend contract terms and conditions to all qualified agencies within the Central Valley Purchasing Group and other tax supported agencies. No, we will not extend contract terms to any agency other than the County of Fresno. (Authorized Signature) Title Quotation No. 19-029 Page 24 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC VENDOR MUST COMPLETE AND RETURN WITH REQUEST FOR QUOTATION. Firm: REFERENCE LIST Provide a list of at least five (5) customers for whom you have recently provided similar products/services. If you have held a contract for similar services with the County of Fresno within the past seven (7) years, list the County as one of your customers. Please list the person most familiar with your contract. Be sure to include all requested information. Reference Name: Contact: Address: City: State: Zip: Phone No.: ( ) Date: Service Provided: Reference Name: Contact: Address: City: State: Zip: Phone No.: ( ) Date: Service Provided: Reference Name:Contact: Address: City: State: Zip: Phone No.: ( ) Date: Service Provided: Reference Name: Contact: Address: City: State: Zip: Phone No.: ( ) Date: Service Provided: Reference Name:Contact: Address: City: State: Zip: Phone No.: ( ) Date: Service Provided: Failure to provide a list of at least five (5) customers may be cause for rejection of this RFQ. Quotation No. 19-029 Page 25 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC COMPLY/NOT COMPLY Compliance and understanding of the specification is to be noted by marking “COMPLY” on the line provided to the right of the specification. Non-compliance is to be indicated by marking “NOT COMPLY” on the line. A detailed statement explaining why they fail to meet the stated specification or requirement must accompany all non-compliant items. Failure to mark this page could result in your quotation being non-responsive. BIDDER TO COMPLETE THE FOLLOWING: SPECIFICATION COMPLY/ NOT COMPLY A.CONTAINERS •Successful bidder shall provide the approximate number and size of locked, secured containers, and distribute the containers to the various locations as listed in the information provided in Attachment “A” as well as any new locations in existence at the effective date of the new agreement. •Containers shall be equipped with an attached lid, locking device, and (preferably) wheels. •Containers shall be of uniform color and clearly marked to indicate the container is only for “Confidential Documents for Destruction”. •Successful bidder shall submit a complete description of the container (including the material, type, size, color, signage, and other features), and include a picture. •Successful bidder shall be responsible for maintaining all containers in good working order and providing replacement and/or additional containers as may be requested by the County of Fresno during the contract terms and any renewals. •Containers shall remain the property of the Contractor. •Successful bidder shall remove the containers in a timely manner upon request by the County of Fresno. B.SECURITY •All of the successful bidder’s personnel involved in the shredding process must be bonded in the minimum amount of twenty-five thousand dollars ($25,000). •Because of the confidentiality of the documents, the successful bidder must take ex tra precautions to ensure that all of the materials received shall remain confidential and shall not be open to examination for any purpose or be used in any other way except for destruction. •Successful bidder shall not make public, disclose, use or cause to be published, disclosed, or used any confidential record. •Successful bidder shall provide the County of Fresno with a certificate of destruction. County departments may require individual certificates of destruction be provided directly to them upon request. Include a sample of this certificate with your response to this Request for Quotation. Quotation No. 19-029 Page 26 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC SPECIFICATION COMPLY/ NOT COMPLY C.SERVICES •Successful bidder’s personnel shall install the containers and coordinate destruction schedule with County coordinators. •Only fully loaded containers will be processed, unless otherwise requested by the County of Fresno. •County employees shall not be required to separate materials (i.e. folders, computer paper, mixed paper, etc.) or to remove fasteners, staples, paper clips, rubber bands, etc. •County of Fresno will pay only for destruction services, not for delivery or use of the successful bidder’s containers. •Successful bidder must be able to provide services under any agreement resulting from the Request for Quotation in accordance with current and/or change to State, Federal, or County of Fresno policies or regulations. a.On-Site Service •Successful bidder will be required to provide on-site shredding services for the County departments on an as-needed basis for the destruction of confidential documents, checks, and information media (e.g. hard drives, microfilm/microfiche, etc.). •The Sheriff-Coroner’s office requires that on-site destruction be observed by one of their authorized employees from beginning to the end. Other departments may also require this on an as-needed basis. •Successful bidder has adequate liability coverage for the transport and destruction of the checks. •Successful bidder shall allow the option for County staff to visually ensure destruction of the checks. •Shredder is able to handle paper clips and rubber bands. b.Off-Site Service The Sheriff-Coroner’s office will require all staff (everyone who has access t o the Sheriff-Coroner’s information) to do the following: •Review the information for the Sheriff-Coroner’s Security Awareness Policies (every 2 years). •Pass a background check. •Sign a FBI Criminal Justice Information Services (CJIS) Security Addendum after being tentatively awarded a contract. •Complete Department of Justice Management Control Agreement after being tentatively awarded a contract. D.INVOICING/REPORTS •Submit monthly invoice to the County of Fresno no later than the fifth (5th) working day of each calendar month. •Invoice terms shall be Net Forty-five (45) days, payable in arrears. •The successful bidder will be required to provide a monthly destruction summary, including Department name, contact person, number/size of Quotation No. 19-029 Page 27 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC SPECIFICATION COMPLY/ NOT COMPLY containers, pick-up dates (see Attachment “A”) and a signed pick-up receipt by department. D.INVOICING/REPORTS (CONT’D.) •Upon request, the successful bidder will provide annual usage reports for services provided under any agreement resulting from the Request for Quotation. Report information to include the following information: o Department name o Contact person/phone number o Address location of bins o Quantity and size of each bin o Service frequency Reports must be delivered to County of Fresno, Purchasing, 4525 E. Hamilton Avenue, Fresno, CA 93702, Attention Bryan Hernandez, no later than thirty (30) days following the end of the period. The agreement number should be referenced on all reports. E.EMPLOYEES •Proper conduct is expected of the successful bidder’s personnel when on County premises and/or providing service to the County. •Successful bidder’s personnel shall be easily identifiable (i.e. work uniforms, badges, etc.). **Please Note: Failure to comply to all services requested will not automatically disqualify any Bidder. Quotation No. 19-029 Page 28 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC QUOTATION SCHEDULE COMPANY: All bids must be submitted on the forms provided. Failure to bid in the format specified will be considered as cause to reject bid. Current Container Sizes: TYPE OF CONTAINER APPOXIMATE WEIGHT (in pounds) 4’ X 4’ Bin 625 174 Gallon 263 96 Gallon 220 64 Gallon 175 32 Gallon 88 Large Banker Box 55 Regular Banker Box 35 Small Banker Box 17.5 Description Quantity Unit Unit Price Total All labor, materials, taxes, containers, insurance, etc. as necessary to provide on and off -site unlimited confidential document shredding and information media destruction as specified within this Request for Quotation (includes departmental purges, special pick-ups, etc.). •Billing to one location •Vendor will provide monthly usage report (by County department) with invoice, along with copies signed by department. 12 Month $ $ Quotation No. 19-029 Page 29 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC CHECK LIST This Checklist is provided to assist the vendors in the preparation of their bid response. Included in this list, are important requirements and is the responsibility of the bidder to submit with the bid package in order to make the bid compliant. Because this checklist is just a guideline, the bidder must read and comply with the bid in its entirety. Check off each of the following: 1.The Request for Quotation (RFQ) has been signed and completed. 2.Addenda, if any, have been signed and included in the bid package. 3.The completed Reference List as provided with this RFQ. 4.The Quotation Schedule as provided with this RFQ has been completed, price reviewed for accuracy and any corrections initialed. 5.Indicate all of bidder exceptions to the County’s requirements, conditions and specifications as stated within this RFQ. 6.The Participation page as provided within this RFQ has been signed and included 7.Bidder to Complete page as provided with this RFQ. 8.Return checklist with RFQ response. 9.Completed RFQ in pdf format, electronically submitted to the Bid Page on Public Purchase. 19-029 Attachment A 19-029 Attachment A 19-029 Attachment A Fresno County DEPT. OF SOCIAL SERVICES -3 64-gallon & 8 32- INTAKE BLDG 4468 E. Kings Canyon Rd. Fresno, CA 93702 gallon Weekly 11 DEPT. OF SOCIAL SERVICES -3 64-gallon & 1 KERMAN PROTEUS 15010 W, Whitesbridge Kerman, CA 93630 console Monthly 4 DEPT. OF SOCIAL SERVICES - "L" STREET 1404 "L" Street Fresno, CA 93721 9 64-gallon Weekly 9 DEPT. OF SOCIAL SERVICES - MAIN -Bldg. 315(Barton), 313(Commissary), 341 (Fairgrounds 4449, 4455, 4468 & 4499 E. Kings 37 64-gallon & 8 32- Annex), 340(Fairgrounds Bldg.) Canyon Rd. Fresno, CA 93702 gallon Twice a week 45 DEPT, OF SOCIAL SERVICES - MODULAR C 4445 E. Inyo Fresno, CA 93702 3 64-gallon Every other Week 3 DEPT. OF SOCIAL SERVICES - MODULAR D 4452 E. Kings Canyon (Modular D) Fresno, CA 93702 2 64-gallon Twice a week 2 DEPT, OF SOCIAL SERVICES - PELCO ADMINISTRATION 205 Pontiac Way Clovis, CA 93612 7 64-gallon Weekly 7 DEPT. OF SOCIAL SERVICES - PROTEUS 1815 Van Ness Avenue Fresno, CA 93721 1 64-gallon Monthly DEPT. OF SOCIAL SERVICES -6 64-gallon & 1 36" REEDLEY REGIONAL CENTER 1680 East Manning Reedley, CA 93654 console Weekly 7 DEPT. OF SOCIAL SERVICES -5 64-gallon & 1 36" SELMA SOUTHEAST REG. CENTER 3800 McCall Selma, CA console Weekly 6 DEPT. OF SOCIAL SERVICES - SENIOR CARE-ADULT PROTECTIVE 2025 E. Dakota Ave. 2nd Floor Fresno, CA 93726 2 64-gallon Weekly 2 DEPT. OF SOCIAL SERVICES - SEQUOIA (IHSS Sequoia Building) 3821 N. Clark Fresno, CA 93726 4 64-gallon Weekly 4 DEPT. OF SOCIAL SERVICES -5 64-gallon & 1 SENIOR RESOURCE CENTER 2025 E. Dakota, 4th Fir Fresno, CA 93726 console & 2 32-gallon Weekly 8 DEPT. OF SOCIAL SERVICES -10 32-gallon & 8 64-SUNNYSIDE 5693 E. Kings Canyon Fresno, CA 93727 gallon & 1 console Weekly 19 DEPT. OF SOCIAL SERVICES - TAFT 3688 E. Shields Ave. Fresno, CA 93726 1 64-gallon Weekly 19-029 Attachment A 19-029 Attachment A 19-029 Attachment A 19-029 Attachment A 19-029 Attachment A 19-029 Attachment A G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 ADDENDUM 1.DOC COUNTY OF FRESNO ADDENDUM NUMBER: ONE (1) RFQ NUMBER: 19-029 DOCUMENT SHREDDING AND MEDIA DESTRUCTION SERVICES Issue Date: December 20, 2018 CLOSING DATE: JANUARY 10, 2019 AT 2:00 P.M. Submit all Questions and Quotations on the Bid Page at Public Purchase. For assistance contact Bryan Hernandez at (559) 600-7110. NOTE THE ATTACHED ADDITIONS, DELETIONS AND/OR CHANGES TO THE REQUIREMENTS OF REQUEST FOR QUOTATION NUMBER: 19-029 AND INCLUDE THEM IN YOUR RESPONSE. PLEASE SIGN AND RETURN THIS ADDENDUM WITH YOUR QUOTATION. Questions and Answers ACKNOWLEDGMENT OF ADDENDUM NUMBER ONE (1) TO RFQ 19-029 COMPANY NAME: (PRINT) SIGNATURE: NAME & TITLE: (PRINT) Purchasing Use: BH:yj ORG/Requisition: 8905 / 8905190004 ADDENDUM NO. ONE (1) Page 2 REQUEST FOR PROPOSAL NUMBER 19-029 December 20, 2018 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 ADDENDUM 1.DOC (12/02) QUESTIONS AND ANSWERS Q1. Will there be an opportunity to look at changes to current services? A1. The most recent change to our current services is the addition of on-site services for our Sheriff’s Office. The Department of Justice (DOJ) requirements for the Sheriff’s Office was made available on the RFQ. Bids should be submitted to the exact bid specifications. Q2. Are on-site services the preferred method for the Sheriff’s Office? A2. Yes, on an as-needed basis. Q3. Is the County open to looking at other types of containers? A3. The opportunity to revisit current services and container specifications could be made available to the awarded vendor. Bids should be submitted to the exact bid specifications. Q4. Is the inventory list different from the one posted in the recently canceled bid? A4. No. The inventory list is the same. Q5. Is the County willing to split the award between vendors (i.e. one for the document shredding and one for the media destruction)? A5. No, the County is seeking one vendor to provide both on-site and off-site document shredding and media destruction services. Bids should be submitted to the exact bid specifications. Exhibit C COUNTY OF FRESNO ADDENDUM NUMBER: ONE (1) RFQ NUMBER: 19-029 DOCUMENT SHREDDING AND MEDIA DESTRUCTION SERVICES Issue Date: December 20, 2018 CLOSING DATE: JANUARY 10, 2019 AT 2:00 P.M. Submit all Questions and Quotations on the Bid Page at Public Purchase. For assistance contact Bryan Hernandez at (559) 600-7110. NOTE THE ATTACHED ADDITIONS, DELETIONS AND/OR CHANGES TO THE REQUIREMENTS OF REQUEST FOR QUOTATION NUMBER: 19-029 AND INCLUDE THEM IN YOUR RESPONSE. PLEASE SIGN AND RETURN THIS ADDENDUM WITH YOUR QUOTATION. ►Questions and Answers ACKNOWLEDGMENT OE ADDENDUM NUMBER ONE (1) TO RFQ 19-029 COMPANY NAME: SIGNATURE: NAME & TITLE: Purchasing Use: BH:yj (PAINT) ORG/Requlsltlon: 8905 / 8905190004 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 ADDENDUM 1.DOC Quotation No. 19-029 Page 24 VENDOR MUST COMPLETE AND RETURN WITH REaUEST FOR OUOJAJION, Firm: FMM c.. 5bv-eCA{ 05 REFERENCE LIST Provide a list of at least five (5) customers for whom you have recently provided similar products/services. If you have held a contract for similar services with the County of Fresno within the past seven (7) years, list the County as one of your customers. Please list the person most familiar with your contract. Be sure to include all requested information. Reference Name: Mc.eCnvO\ �ci<.,, k.$-:\t,wContact: �Ati\.-€.hT� \ov Address: -=Ho'-\'":\-N. f;re...S>--1-D =:,½r::� City: F:ce,.S1'.\ 0 State: � Zip: 9 33::W Phone No.: (559._ ) � � 939� Date: '2£)1 Z. -{>I l--.S.E.DIService Provided: s a O ,� Failure to provide a list of at least five (5) customers may be cause for rejection of this RFQ. G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 28 .. QUOTATION SCHEDULE coMPANv: ·Vaec-Hc All bids must be submitted on the forms provided. Failure to bid in the format specified will be considered as cause to reject bid. Current Container Sizes: TYPE OF CONTAINER 4' X4' Bin 174 Gallon 96 Gallon 64 Gallon 32 Gallon Large Banker Box Regular Banker Box Small Banker Box All labor, materials, ta>ces, containers, insurance, etc. as necessary to provide on and off-site unlimited confidential document shredding and information media destruction as specified within this Request for Quotation (includes departmental purges, special pick-ups, etc.). •Billing to one location •Vendor will provide monthly usage report (by County department) with invoice, along with copies signed by department. APPOXIMATE WEIGHT (in pounds) 625 263 220 175 88 55 35 17.5 12 Month G:\PUBLIC\RFO\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC , ,·. 7 RE Quotation No. 19-029 Pacific does not have any exceptions or deviations from this specification and accepts the requirement, conditions and specifications as stated within this RFQ Quotation No. 19-029 Page 23 BIDDER TO COMPLETE THE FOLLOWING: PARTICIPATION G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 13 G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 BIDDER QUESTIONNAIRE BIDDER SHALL RESPOND TO ALL OF THE FOLLOWING QUESTIONS: 1.Number of years your firm has been providing both on-site and off-site shredding services:Qo '\ews. a.Location of Destruction Facility: Slolc \ N • l'")o �� O.:\:Rc e,\ 'V d • 2.Describe Facility (i.e. alarm, fire sprinklers, etc.):Sc:-E �TI A£, b:P c\ a.How long are materials kept in facility prior to being shredded? � 4 - 4 9, \-\-bu v� Page 14 3.On a separate sheet of paper, address each of the following procedures and include a current copy of your firm's policy and procedure manual relating to each procedure. A.Personnel Security Screening B.Collection and Handling Procedures C.Destruction Facility Security Procedures D.Shredding Procedures **NOTE: Failure to provide this information may be considered as cause to reject bid .... 4.Describe how an infringement of any of the security procedures by your personnel is handled. G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 15 5.Do you belong to any professional associations including the National Association of Information Destruction (NAID)? Yes� No □ 6.List all principals, key employees, owners, partners, and any other person controlling the business of the bidder, including their titles. NAME TITLE CEO G:\PUBLICIRFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 16 7.Number of people employed full-time: __ \�l,� ___ Part-time: ____ -0-____ _ a.List the names, length of service, and full-time or part-time status for each employee. EMPLOYEE NAME � ('\ P-A,\[\ \t)('("\-\..P -"Robe.� �+\ �e..+- �� e_ p..,_e_.c.a._'('('°'-.. (::r-� \) '("' \ p \ r () ro tJo....dO G '. \ \)e,,T (' 1\ 'C'O 10 a.. c\ 0 R..Q.'-\_ ('C'\O('I� ('<\ -f' c\ :_ "-.lr~ � \O...'\J PrCAc-A� f...,_ u � "' \ A C...-c "-$)., h fq�.C,,_ f> \ -1" .... \ \ p� �1'-\.\e)� 1 o S \ \ VCi-.... !\( f't'f'-i \�JDLJ 'w/T' I'-\ �\ �-e.AA. 11=>\-\ \ \ \ � p (-., $(> f,/\C-0 \')\ r\f'. \L-P,\ .\-o�, l'-IA \ \ � ""� \i..)�,1 .LJ. L.(l,e-, \Q'-1. <;R_'('( � \ LENGTH OF SERVICE l--\'-jf> ?:. \1r-S 2.. ,, (' <: ' '-/ rsI "If' .5 I c; "J r.51 � 'Jr,S, f Y \j,5 1(11 '-/rS ·z_y ')r5::2.S-'-Ir> IS ,1 r(; l_p \J ,c; 1-\J,g,:3 '/r5 \ l-. 'HS STATUS (FULL-OR PART-TIME) )::°U\ \ t.=u\ \ 1-V I I kV\' \'::\)\ \ \-UI\ ,-u \ \ \.==v\ \ \,-Ul I r-:-ul \ �Vll l-LJl\\rl-' I \c,11 Ir.:u \ \i::-v \ \ G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 BIDDER QUESTIONNAIRE BIDDER SHALL RESPOND TO ALL OF THE FOLLOWING QUESTIONS: 8.Number of years your firm has been providing both on-site and off-site shredding services:�2 a \\ ecA<C..$ b.Location of Destruction Facility: � QS� � $�lo\ �. Co \�::§5io -,�< \\ r<B S\l o , CA- . q33: 1-2 9.Describe Facility (i.e. alann, fire sprinklers, etc.�1 SQ; krrAc� b.How long are materials kept in facility prior to being shredd� cPY -4 <? t\ou<"-S Page 19 10.On a separate sheet of paper, address each of the following procedures and include a current copy of your firm's policy and procedure manual relating to each procedure. A.Personnel Security Screening B.Collection and Handling Procedures C.Destruction Facility Security Procedures D.Shredding Procedures **NOTE: Failure to provide this information may be considered as cause to reject bid.** 11.Describe how an infringement of any of the security procedures by your personnel is handled. G:\PUBLIC\RFQ\FY 2018-19\19.029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19.029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 20 12.Do you belong to any professional associations including the National Association of Information Destruction (NAID)? Yes� No D 13. List all princip als, key employees, owners, partners, and any other person controlling the business of the bidder, including their titles. NAME TITLE G:IPUBLICIRFQIFY 2018-19\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 21 14.Number of people employed full-time: ---1'P'Eb .#'---Part-time: __ -&----'==------- b. List the names, length of service, and full-time or part-time status for each employee. EMPLOYEE NAME i� ,.., -.f'I -1 '.-, ,�rru.e... QnhP,,.' �-+\ .._\ -f' +-ST€.tv+> e,p r r1 II' ,ro..__ I�{'� \ r No N ct--l f', r'-... ·, \}'\DAI',-roro l\)e--_r\ 0 \2P-.i. "'�" A f'<\e,.l.: NsC--... Q...l\-..1 ,• A"-1 �rl\ c:.r. -1 (�,) o � '... .J. S--rNe h "v,, .c-.-{) \ T-e..\\ .. P:2- � \ 0 S \ \ \JC,...., "ti ,0 A'J'-'-1 Pou ) f> .r< r·¼r·, � eJ.A 0 h · \ \ � r.'i P::,n P ,r-./'t[) \),(')<-\.C..0 \--\..,n.._ \ I l'VU \ \ 1-.. \ \A)� ,f I ....cL <:;.A+...l. . \/ \. \._ �lf',r ....... ,.., ~ I , LENGTH OF SERVICE u \.J v-C....... '-2.. \ ?--I ' \ c; \ \ I l\: \ L� 7J\. 7.F--. \S l.,, � R \j� STATUS (FULL-OR PART-TIME) \; u__,\ \ f=u\ \ '\'.= \J l \ r::-LH \ \:=U l \ � ,.� \ c:::tJ{\ t:=l J.[ \ r::i H \ �Ul\ P1l\ t:;·;11 t:="C J l \ "R..L_ \\ � 1 I l C:.-1 ·JI \ G:IPUBLICIRFQ\FY 2018-19\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 25 COMPLY/NOT COMPLY Compliance and understanding of the specification is to be noted by marking "COMPLY" on the line provided to the right of the specification. Non-compliance is to be indicated by marking "NOT COMPLY" on the line. A detailed statement explaining why they fail to meet the stated specification or requirement must accompany all non-compliant items. Failure to mark this page could result in your quotation being non-responsive. BIDDER TO COMPLETE THE FOLLOWING: SPECIFICATION A.CONTAINERS •Successful bidder shall provide the approximate number and size of locked, secured containers, and distribute the containers to the various locations as listed in the information provided in Attachment "A" as well as any new locations in existence at the effective date of the new agreement. •Containers shall be equipped with an attached lid, locking device, and (preferably) wheels. •Containers shall be of uniform color and clearly marked to indicate the container is only for "Confidential Documents for Destruction". •Successful bidder shall submit a complete description of the container (including the material, type, size, color, signage, and other features), and include a picture. •Successful bidder shall be responsible for maintaining all containers in good working order and providing replacement and/or additional containers as may be requested by the County of Fresno during the contract terms and any renewals. •Containers shall remain the property of the Contractor. •Successful bidder shall remove the containers in a timely manner upon request by the County of Fresno. B.SECURITY •All of the successful bidder's personnel involved in the shredding process must be bonded in the minimum amount of twenty-five thousand dollars ($25,000). •Because of the confidentiality of the documents, the successful bidder must take extra precautions to ensure that all of the materials received shall remain confidential and shall not be open to examination for any purpose or be used in any other way except for destruction. •Successful bidder shall not make public, disclose, use or cause to be published, disclosed, or used any confidential record. •Successful bidder shall provide the County of Fresno with a certificate of destruction. County departments may require individual certificates of destruction be provided directly to them upon request. Include a sample of this certificate with your response to this Request for Quotation. COMPLY/ NOT COMPLY �{)\'\ &� 0''1 �<um 0 \ '-L CQJ'N>\ \_l 0'°&--0 \ "l Ootnp)" G:\PUBLIC\RFQ\FY 2018-19\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 SPECIFICATION C.SERVICES •Successful bidder's personnel shall install the containers and coordinate destruction schedule with County coordinators. •Only fully loaded containers will be processed, unless otherwise requested by the County of Fresno. •County employees shall not be required to separate materials (i.e. folders, computer paper, mixed paper, etc.) or to remove fasteners, staples, paper clips, rubber bands, etc. •County of Fresno will pay only for destruction services, not for delivery or use of the successful bidder's containers. •Successful bidder must be able to provide services under any agreement resulting from the Request for Quotation in accordance with current and/or change to State, Federal, or County of Fresno policies or regulations. a.On-Site Service •Successful bidder will be required to provide on-site shredding services for the County departments on an as-needed basis for the destruction of confidential documents, checks, and information media (e.g. hard drives, microfilm/microfiche, etc.). •The Sheriff-Coroner's office requires that on-site destruction be observed by one of their authorized employees from beginning to the end. Other departments may also require this on an as-needed basis. •Successful bidder has adequate liability coverage for the transport and destruction of the checks. •Successful bidder shall allow the option for County staff to visually ensure destruction of the checks. •Shredder is able to handle paper clips and rubber bands. b.Off-Site Service The Sheriff-Coroner's office will require all staff (everyone who has access to the Sheriff-Coroner's information) to do the following: •Review the information for the Sheriff-Coroner's Security Awareness Policies (every 2 years). •Pass a background check. •Sign a FBI Criminal Justice Information Services (CJIS) Security Addendum after being tentatively awarded a contract. •Complete Department of Justice Management Control Agreement after being tentatively awarded a contract. D.INVOICING/REP ORTS •Submit monthly invoice to the County of Fresno no later than the fifth (51h) working day of each calendar month. •Invoice terms shall be Net Forty-five (45) days, payable in arrears. •The successful bidder will be required to provide a monthly destruction summary, including Department name, contact person, number/size of Page 26 COMPLY/ NOT COMPLY Cbft\ n \\\ ea�i)\� Cv\'Y\\? \ \\Co� p \\\ eaM () \ "\ e__a f\r\ o I ·,._J \ & � � \ \,\ I Go'"N\ O \ '.\\ Co"1p 1� CDW"\ Q '� Cnm.p \ , ,\ OnM p \"-\ �p\\� �{)\\\ ��{)\'1 \Go "b. {J \'-' \mW\, C)\,, \Ct0"""'� \ ,, ero�o,"' \ G:IPUBLICIRFQ\FY 2018-19119--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 27 SPECIFICATION containers, pick-up dates (see Attachment "A") and a signed pick-up receipt by department. D.INVOICING/REPORTS (CONT'D.) •Upon request, the successful bidder will provide annual usage reports for services provided under any agreement resulting from the Request for Quotation. Report information to include the following information: o Department name o Contact person/phone number o Address location of bins o Quantity and size of each bin o Service frequency Reports must be delivered to County of Fresno, Purchasing, 4525 E. Hamilton Avenue, Fresno, CA 93702, Attention Bryan Hernandez, no later than thirty (30) COMPLY/ NOT COMPLY \ days following the end of the period. The agreement number should be ('I~ referenced on all reports. l.,(!d�tJJ\j, E.EMPLOYEES •Proper conduct is expected of the successful bidder's personnel when on County premises and/or providing service to the County. •Successful bidder's personnel shall be easily identifiable (i.e. work uniforms, badges, etc.). **Please Note: Failure to comply to all services requested will not automatically disqualify any Bidder. G:IPUBLICIRFQIFY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Quotation No. 19-029 Page 29 CHECK LIST This Checklist is provided to assist the vendors in the preparation of their bid response. Included in this list, are important requirements and is the responsibility of the bidder to submit with the bid package in order to make the bid compliant. Because this checklist is just a guideline, the bidder must read and comply with the bid in its entirety. Check off each of the following: 1.�he Request for Quotation (RFQ) has been signed and completed. 2.�ddenda, if any, have been signed and included in the bid package. 3.✓ The completed Reference List as provided with this RFQ. 4. / The Quotation Schedule as provided with this RFQ has been completed, price reviewed for --accuracy and any corrections initialed. 5./ Indicate all of bidder exceptions to the County's requirements, conditions and specifications --as stated within this RFQ. 6._0he Participation page as provided within this RFQ has been signed and included 7./ Bidder to Complete page as provided with this RFQ. 8..,/' Return checklist with RFQ response. 9._L Completed RFQ in pdf format, electronically submitted to the Bid Page on Public Purchase. G:\PUBLIC\RFQ\FY 2018-19\19-029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES\19--029 DOCUMENT SHREDDING & MEDIA DESTRUCTION SERVICES.DOC Fresno County Secure Shredding Shredding Services For most paper intensive organizations, scheduled shredding services are an integral part of a document management program. Documents that have become inactive and no longer need to be retained take up costly office space. Not to mention, these records may contain sensitive and confidential information that poses a security risk to your business. Unfortunately, feeding sensitive documents through office shredders represents time that can be used more productively. As a result, some employees may be tempted to simply toss documents in a wastebasket. Pacific Records Management’s scheduled shredding services make it easy to dispose of confidential office documents in a secure and timely manner. We provide shredding containers that come in a variety of sizes to fit your business specific needs. These locked containers are placed strategically throughout the workplace and do not require an additional time inve stment for your staff. Confidential documents are simply placed inside without requiring the removal of paper clips, staples and rubber bands. Once documents are placed in a shredding container they cannot be retrieved, thus providing a secure repository f or your private information. You choose a rotation schedule that works best for your organization: weekly, monthly, or quarterly. All Pacific Storage Company employees are required to undergo a background check prior to hiring. Information required in background checks includes: previous employment, criminal search, civil search, education, DMV report, and drug test. Locations: Our 4 locations in the Central Valley can assist you if you need services in multiple cities: Stockton: Sacramento: 734 Wilshire Ave. 4601 Beloit Dr. Stockton, CA 95203 Sacramento, CA 95838 Modesto: Fresno: 820 Business Park Dr. 5661 N. Golden State Blvd. Modesto, CA 95354 Fresno, CA 93722 Containers: We offer a number of secure containers for your use. In addition to the ones below, we have others for a more custom application. The executive console looks much nicer in an office environment, or in smaller locations. The tote is best used for larger quantities. Executive Console: Secure Tote: 100 # Capacity Locking Shred Cabinets 200# Capacity Locking Tote 36” H x 21.5” W x 16” D 41.5” H x 23 ” W x 29” D As a NAID AAA certified company, you can be assured that Pacific is well trained in the handling and processing of your critical data. The following are some of the security specifications that NAID Auditors verify: •Persons with a known history of related – crimes are not employed, •Security and operations policies and procedures are written and followed, •Access to materials is restricted at all times, •There is an audit trail, including CCTV image capture and retention, and a thorough, documented chain of custody. This short video explains the value of NAID Certification in establishing the ongoing compliance and security of data destruction companies. It also explains how, by selecting a NAID AAA Certified company, customers are actually fulfilling important regulatory requirements to validate the policies and procedures of their data destruction company contain specific language and provisions. http://pacific-records.com/shred-services/naid-aaa-certification Recycling: After the confidential material is shredded, the material is then recycled. This adds another level of security and assurance that the confidential material will not get into the wrong hands. It also provides an economic savings to our environment by saving precious natural resources. We support the continued efforts to recycle. It is part of our way of protecting our environment and providing a better quality of life. Why Pacific? Pacific Records Management is a family-owned business with a 150-year history of building strong and deep relationships with businesses throughout Sacramento, Stockton, and the California Central valley. We believe in the importance of understanding each client’s unique business needs. This enables us to deliver dependable service and personalized support for each client. As a long-time member of the records management community, we also understand the magnitude of protecting and managing information assets. Our expertise is supported by superior facilities, leading-edge technology and security systems necessary for providing our clients with regulatory compliance, enhanced information security and improved business processes. Focus on Security: a)Sonitrol (www.sonitrol.com) monitors all entry points. The ability to verify an alarm event in real time gives Sonitrol unrivaled credibility with local law enforcement. This is a key advantage as a growing number of municipalities pass Verified Response regulations requiring verification that an intrusion is actually taking place before police will dispatch personnel to the site. b)Extensive background checks on all employees prior to hiring. We also conduct regular re-checks as part of our regular SOP’s. c)Access controls on all doors—ensuring no unauthorized entry at any anytime. d)Digital cameras recording all activity and archived for 180 days. e)Employees trained on HIPAA, PCI Compliance, FACTA and data protection. f)Detailed Disaster Recovery Plan that is reviewed and monitored. Focus on Technology: a)Web-based ordering system offering the ability to email a receipt of the order placement, an electronic receipt of all containers picked up and delivered, ability to view inventory online and ability to manage expedites and run reports. b)Strict internal SOP’s regarding handling of containers and files, including receipt at facility, inventory management within our operation and internal audits. c)GPS tracking on all vehicles with exception monitoring. d)Propriety software (Oneil Software—www.oneilsoft.com) supported by the largest provider of records management software in the country. e)Internal database managed by independent third-party company, with redundant backups in different locations; also, in the event of a disaster, the ability to restore service from a number of remote locations. f)Cell-phone coverage by all employees with after-hour access if needed or required. Focus on Personal Approach: a)Dedicated professional staff that is established and well trained. b)Standard Next Day delivery supported by a guaranteed commitment on our part. c)We also offer a Same Day delivery option or Expedited Service that ensures delivery within two hours from the time the order is placed. d)Availability of additional resources from other offices if needed. No need to utilize outside resources like third-party couriers. e)Seasoned employee base (over 65 employees) with established company SOP’s. f)Over 40 years’ experience managing over 1,400,000 containers and 1,300 customers. g)Well respected within the legal community. We are currently the largest provider of services to the legal community in Sacramento, Stockton and Modesto. h)Active member of the National Fire Protection Association (NFPA); currently we represent our industry association on the Records Management national committee. i)Active in industry associations including PRISM (Professional Records Information Services Management), NAID (National Association of Information Destruction), NRC (National Records Centers) and AIIM (Association for Information and Image Management). Bidder Questionnaire (Bidder to Complete): 2) Describe Facility: At Pacific Shredding, our storage facilities are designed to support and protect your information, records and data at the highest possible level. Each of our facilities employ industry leading security and protection technology including fire, intrusion and other related programs to support the long-term stability of your records or data assets. They meet all requirements as set forth by the National Fire Protection Agency (NFPA) and the State of California Department of Public Health (CDPH). Our fire-suppression system is monitored 24 hours a day, 7 days a week, and 365 days a year. Our intrusion protection system is provided by Sonitrol at each facility and monitored via central station. Back up security measures are in place for our fire and intrusion system in case of power loss. Both our fire and intrusion protection systems are continuously tested and reviewed. Each facility is inspected as required by the NFPA Standard by a licensed fire protection company and copies of recent inspections are available for review. Only authorized personnel are allowed in our facility; any visitors or contractors are always personally escorted. Access to any of our buildings is digitally recorded via cameras that are in place at all access points. Motion is recorded and archived in our secure data vault. Our Fresno location is at 5661 North Golden State Blvd, Fresno, CA 93722. It is a 30,000 square foot concrete facility. 3: See attached SOP’s 4: Describe how an infringement of any of the security procedures by your personnel is handle. Our first approach will be to investigate and determine if there was any breach of security. We work closely with the local authorities and security monitoring company to determine the breadth and depth. We also work closely with our professional liability insurance company that has a legal team on retainer to assist with notification laws and requirements. Management will report, following discovery and without unreasonable delay, to the customer any release of, or unauthorized access to the customer’s confidential material that poses a threat to the security or confidentiality of that information. Any such report shall include the identification (if known) of each individual whose confidential information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. All destruction personnel and drivers will report, following discovery and without unreasonable delay, to management any release of, or unauthorized access to the customer’s confidential material that poses a threat to the security or confidentiality of that information. Any such report shall include the identification (if known) of everyone suspected of causing the breach, as well as each individual whose confidential information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. Any such report shall be kept confidential and management will not retaliate against any employee who has reported, in good faith, a potential or actual data breach. 1 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 Information Destruction Operational Policy & Procedures Manual 2 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 TABLE OF CONTENTS 1 Plant-based Destruction Facility Procedures 1.1 Access to Facility 1.2 Security Measures at the Facility 1.3 Handling Incidents of Unauthorized Access 1.4 Reporting Breaches in Security & Safety 1.5 The “Nothing Leaves” Policy 1.6 Daily Facility Preparations/Inspections 1.7 Receiving Destruction Materials 1.8 Staging Destruction Materials 1.9 Destroying of Materials 1.10 Witnessed Destruction Process 1.11 Post Destruction Process 1.12 Closing Procedures 1.13 Collection Facility Procedures 1.14 Transfer Processing Station Procedures 2 Driver Procedures 2.1 Access to Vehicles 2.2 Security and Safety Measures for Vehicle Usage 2.3 No Unauthorized Access to Truck 2.4 Driver Demeanor 2.5 Vehicle Preparation 2.6 Driver Authority 2.7 Enroute 2.8 While at Client’s Facility 2.9 Collecting, Receiving & Destroying Confidential Materials for Mobile Destruction 2.10 Collecting and Receiving Confidential Materials for Plant-based Destruction 2.11 Reporting Damage to a Client’s Facility 2.12 Ending the Destruction Assignment 3 Quality Control 3.1 Frequency of QC 3.2 Method of QC 3 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 3.3 Corrective Actions 4 Data Breach Notifications 4.1 Management Notification to Customer 4.2 Employee Notification to Management 5 Unannounced Audit Policies 5.1 Unannounced Audits at the Office or Destruction Facility 5.2 Unannounced Audits in the Field or at a Customer’s Site 4 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 1 PLANT-BASED DESTRUCTION FACILITY PROCEDURES 1.1 Access to Facility This company desires to keep a secure environment for all employees with the following rules and regulations: Only Management and designated employee representatives will be allowed to have keys to the facility. Employees are not allowed on the company’s property after hours without prior authorization from Management. 1.2 Security Measures at the Facility In addition to the access limitations, the company utilizes the following security measures: Perimeter doors to the company should be secured at all times. Visitors and employees that do not have the security lock combination will be advised by signage to alert the occupants of their presence by pushing a doorbell. The use of cameras at the company in areas where confidential materials are located is prohibited without prior authorization from Management. This includes mobile phone cameras. Employees are forbidden from possessing firearms on the premises of the company. Any employee found violating this policy will be dismissed. The outside lights are to be automatically set to be on from dusk to dawn, and inside security lights are to be left on whenever the facility is unattended. It is the responsibility of the Shift Supervisor to control the lighting and to see that all the lights are in working order. The fire and burglary alarm shall be activated whenever the facility is left unattended. The contact individual at the company, when an alarm is activated, is a Management/Access individual. The company has installed closed circuit internal video security to monitor the ingress and egress from the secured areas of the building. In addition, recorded closed circuit video monitoring with sufficient clarity to identify people and their activity is used at the company in the secured area of the building during the working hours. All monitoring data or tapes will be saved for a minimum of 90 days. The company has ensured that there is a secure area within the building devoted only to destroying media. No baling of unshredded paper may take place in this area except cardboard. OR If a secured area within the building is required, it meets the following specifications: There must be enough space within this area to stage all materials to be destroyed. 5 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 The wall or fence securing this area must be a minimum of six feet tall and have a lockable gate or door. If the wall or fence does not go all the way to the ceiling, then it must have a ceiling mounted sensor alarm inside and over the perimeter of the secure destruction area (or similar, suitable device) to detect if and when individuals have climbed over or come through a section of the secured area fence/wall. Management will complete an Operational Security Maintenance Log to check, record and maintain the facility’s operational security functions, Alarms, Lighting and Visitor Logs on a monthly basis. The CCTV system log will be be completed on a weekly basis. The company will maintain the Operational Security Maintenance Logs for a minimum of one year. 1.3 Handling Incidents of Unauthorized Access Every employee at the company should be on guard for unauthorized access to the facility. Any employee noticing a visitor who is not being escorted by an appropriate agent of the company should immediately contact Management. The unauthorized visitor should then be escorted to the main reception area to have them sign in and be properly escorted in the facility. At the slightest resistance to cooperation, notify the police immediately. Do not physically restrain the individual in any case. If they leave in a vehicle and the license of that vehicle is discernible, it should be noted for further investigation. 1.4 Reporting Breaches in Security & Safety All employees at the company are to notify the Management of any breach in the security or safety policies of the company, regardless of its source. Any employee found to have knowledge of a breach in safety or security as stated in the company’s policy manual that does not report it may be dismissed. This would also include reading confidential material entrusted to the company. 1.5 The “Nothing Leaves” Policy As a security measure, employees at the company may take nothing into or out of the destruction area without the permission of Management. As a rule, these materials should be left in the employee’s locker. Any employee found taking materials into or out of the destruction area without the knowledge and permission of Management may be terminated without any previous disciplinary action having been taken. 6 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 1.6 Daily Facility Preparations/Inspections The daily operations of the company are the backbone of our success. The following operations procedures are in place at the company to ensure that our success continues: Management will complete a visual inspection of the facility at the beginning and end of each shift. Management will look for breaches in security, make sure that the floor is completely clean of paper debris and that all conveyors, balers, shredders and other equipment are in proper working order. In the event of any equipment not being operational, Management will be responsible for arranging all necessary repairs as warranted. Management will inspect all collection containers used by the company to transport between client, vehicles and facility to make sure the equipment protects confidential materials from loss due to wind or other atmospheric conditions. Management is responsible for making sure that all Drivers and Helpers are within the dress code policy and that Identification Badges are utilized. Management will inspect the forklifts, checking battery and/or fluid levels. All electrically operated forklifts should be charged during the night, as well as the propane supply for fueled units. Management will inspect the company’s vehicles to ensure roadworthiness and verify that all proper paperwork for the vehicle’s most recent inspection comply with the time frames stated in the applicable state law regarding the nature and frequency of inspections. Management will inspect the company’s vehicles to verify that all cab doors and truck boxes are lockable and that locks work properly. Management will assist the Drivers in their preparations for the day. Management can use any or all employees to expedite the departure of the Drivers on a timely basis. 1.7 Receiving Destruction Materials The company’s business is media destruction. The following standards are in place to ensure that the company’s facility and employee’s provide secured destruction for their clients at all times. All materials to be destroyed are always attended by an Access employee or physically secured from unauthorized access while in the custody of the company before they are destroyed. Securing the company’s vehicle cabs and boxes during transport is also required. Management controls the receipt, inspection, weighing, and staging of all materials delivered to the destruction facility. All materials are to be weighed/checked in immediately upon delivery to the destruction facility. The material will be unloaded from the truck and separated by client. The containers will be weighed/received and that weight will be 7 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 submitted to Management. Management will confirm the weight and transfer it onto the client’s Receiving Ticket. The receiving ticket should be completed upon receipt of the materials, documenting the name of the client, date, weight of the material, and the driver. Management should also note if the materials are to be staged for other than the standard destruction process or to be destroyed with no sorting. In the event that materials are delivered to the destruction facility during non-operational hours, Management should weigh the materials as soon as possible. Materials should be clearly labeled by the Driver who left them. The associated receiving ticket should be left in the designated location. All materials from routine, regular service will enter the destruction process immediately upon arrival at the destruction facility. Incoming service bins will be emptied and rotated among those regularly serviced customers. Exceptions would include acts of God, breakdowns, or client instructions to retain the media for a longer period. The Access employees that are responsible for sorting incoming materials will stage materials in the designated area by the order in which they arrived at the facility. At time of media pick-up, customer must be provided with a receipt or certificate of destruction indicating type and quantity of media being collected and the destruction services being provided for the media/materials collected. This must include the type of service operations (Mobile or Plant-based) and destruction (paper shredding, micro media or computer hard drive) being provided to the customer. Since customers of NAID Certified companies assume that all services provided to them are Certified, the Company must have written notification to the customer when any destruction services rendered are not NAID Certified. This notification should be contained on a materials receipt, certificate of destruction or another written agreement between the service provider and customer. 1.8 Staging Destruction Materials After materials have been received at the company, proper care should be taken by Access employees in preparing for the physical destruction of the materials. The following steps should be utilized. Sorting is to be performed according to the material type designations posted at the sorting station(s). When the materials have been completely sorted, they should be moved to the designated secure holding area. 8 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 Non-information bearing material (unmarked binders, plastic file inserts, among other things) should be placed into the designated bin for storage until Management approves their disposal. If confidential materials are found in the non-information bearing trash, they should be immediately removed and placed in the proper pre-destruction area. 1.9 Destroying of Materials Efficiency and care should be used once materials are ready for destruction at the company. All destruction of confidential materials received at the company will take place within 3 business days of receipt. Exceptions to this would have to be made between Management and the client through a written agreement. Guidelines for proper destruction of each specific material are as followed: Paper materials should be destroyed by shredding and baled by grade if possible. The specifications for particle sizes should be no larger than those listed below: Continuous Shred: 5/8 inch Width (max) & Indefinite Length Cross Cut or Pierce & Tear: 3/4 inch Width (max) & 2.5 inches Length (max) Pulverized (Equipment w/ Screens): 2 inch diameter (max) Screen holes If adjustable screens are used, Management will be responsible for ensuring that a Screen Changing Log is kept on or near each machine. The log will record the starting point of the log and the pertinent information regarding any screen changes thereafter. The company will maintain the Screen Changing Logs for a minimum of one year. Microfiche or Microfilm can be destroyed by either a disintegrator or by equipment/process which produces a particle size of 1/8 inch maximum dimension or less. Destroyed materials should be properly discarded. Computer Hard Drives or CPUs will be recorded by serial numbers and then physically destroyed according to the separate written method provided by management. Management will decide the appropriate method to use to destroy atypical media or non-media materials that require destruction. On a _____________ basis, Management will inspect the destroyed materials prior to disposal, to ensure that the destroyed information is within the original equipment manufacture specifications and within certification specifications. 1.10 Witnessed Destruction Process Occasionally a client will need to witness the destruction of materials at the company. Management has the authority to agree to an appointment for witnessed destruction. The company will do its utmost to accommodate the client’s needs in scheduling the appointment. Management is responsible for handling all witnessed destruction projects. Materials will be delivered to the facility either by a Driver or by the client. If delivered by the Driver, the materials should be securely stored until the client’s representative 9 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 arrives. The witness must sign the visitor’s log and be escorted by an Access employee to the Witnessing Area to watch the destruction process. The process should be conducted as close to the time of the client’s arrival as possible. 1.11 Post Destruction Process Once materials have been properly destroyed, Management will review that all procedures have been followed and that the job has been completed. Management will use the following procedures: Management will record the date the materials are destroyed, whether in a batch or singularly, on the receiving ticket. Management will inspect containers, boxes or security receptacles to verify they are free of the materials to be destroyed. If confidential materials are found, Management will remove the materials and immediately destroy them. Receptacles or boxes to be returned to clients will be returned on the next scheduled pick-up. The emptied and inspected boxes that are not to be returned to the client will be processed into bales. Security containers owned by the company that are used by the clients will be rotated through a service plan agreed upon by the client and the company. Any unused security receptacles will be stored in the holding area. Management will instruct individuals to stack the bales of destroyed media in rows designated by grade and in rows in the inventory storage area. No weak or mushy bales should be stacked. Weak or mushy bales must be reprocessed. Management will weigh bales and record the weight on appropriate documents before they are shipped to a disposal agent. The company’s policy is to have destroyed materials be disposed of in a responsible manner which does not include any type of reuse (for purposes such as animal bedding or packing materials.) Management will oversee all bales and upon achieving threshold inventory levels, will determine the destination of all baled materials and schedule all shipments. Management will record the tallied total weight of the shipment on the Bill of Lading. Management will be responsible for completing the Bill of Lading compiled from the shipping information and the tallied bale weights. 1.12 Closing Procedures The destruction process is not complete at the company until these final steps have been done. At the end of a shift, an Access employee/individual(s) should sweep the entire exposed floor and pass the sweepings through the destruction process. Management will check waste receptacles and areas directly outside of the information destruction building/area to see that no unshredded, confidential 10 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 information has been deposited in waste receptacles or that no loose information- bearing materials are scattered around or near the destruction building. Management is responsible for relieving employees of duty at the end of each shift. At this time, employee identification badges should be returned and any company-related items. Once all employees have been relieved from a shift, Management is responsible for touring the facility and completing a visual security check. Management will ensure that all processed receiving tickets are placed in the appropriate holding box located in the business office. 1.13 Collection Facility Procedures This destruction facility utilizes an offsite Collection Facility at (Address) to collect and store customer material awaiting transport to the destruction facility. Following are procedures and policies related to the use of this Collection Facility: The Collection Facility is used only to store material in preparation for transfer to the destruction facility; no destruction is to take place at the collection facility. Bins are to remain closed and locked until transferred to the destruction facility. The bins will not be tipped, and material is not to be processed in anyway. Bins/material intended for destruction will be transferred via secure transport to the destruction facility within 3 business days of arriving at the Collection facility. If material cannot be transferred within this timeframe, the customer will be notified in writing of the actual timeframe. Building security requirements: o Only screened access employees may enter the secure storage area. o All visitors must sign the visitor log, and logs will be kept for 12 months. o I.D. Badges are to be worn by employees and visitors at all times. o Building perimeter is protected by a third party monitored alarm system, which is to be armed at all times during which the building is unattended. Media is to be brought to the designated secure storage area immediately upon arriving at the Collection Facility. Other material, which is not intended for eventual destruction, is never to be staged or processed in this designated area. 1.14 Transfer Processing Station Procedures This destruction facility utilizes an offsite Transfer Processing Station at (Address) to collect, process and store customer material awaiting transport to the destruction facility. Following are procedures and policies related to the use of the Transfer Processing Station: The Transfer Processing Station is used only to store and/or process material in preparation for transfer to the destruction facility, no destruction is to take place at the Transfer Processing Station. 11 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 Material intended for destruction will be transferred via secure transport to the destruction facility within 15 business days of arriving at the Transfer Processing Station. If material cannot be transferred within this timeframe, the customer will be notified in writing of the actual timeframe. Building security requirements: o Only screened access employees may enter the secure storage/processing area. o All visitors must sign the visitor log, and logs will be kept for 12 months. o I.D. Badges are to be worn by employees and visitors at all times. o Building perimeter is protected by a third party monitored alarm system, which is to be armed at all times during which the building is unattended. o A closed circuit camera system (CCTV) is maintained with 90 days of recording, monitoring all ingress/egress points into the secure building/area and processing activity with sufficient clarity to identify people and their activities. Media is to be brought to the designated secure storage area immediately upon arriving at the Transfer Processing Station. Other material, which is not intended for eventual destruction, is never to be staged or processed in this designated area. 2 DRIVER PROCEDURES 2.1 Access to Vehicles The company wants to ensure that the utmost security precautions are taken by all employees. The company’s access rules and regulations are as follows for those employees whose job duties involve driving: Only Management and designated employee Drivers will be allowed to have keys to vehicles. Two sets of keys will be issued to each driver. Employees are not allowed to utilize the company’s vehicles for personal use without prior authorization from Management. Drivers are to follow the management-designated routes in providing services. 2.2 Security and Safety Measures for Vehicle Usage In addition to the access limitations, the company utilizes the following security and safety measures for all drivers: Driver’s Manual will be kept in every vehicle for reference purposes. Each driver has been provided with a readily accessible two-way communication device. The device should be kept on at all times unless it is prohibited while inside a customer’s facility. All doors to the vehicles should be locked unless in use and attended. 12 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 All drivers should exercise extreme caution in all phases of vehicle operation. At no time should any employee put themselves or others at risk for accessing a loading area or loading materials. The use of cameras in or around vehicles where confidential materials are located is prohibited without prior authorization from Management. Employees are forbidden from possessing firearms while using the company’s vehicles. Any employee found violating this policy may be dismissed. 2.3 No Unauthorized Access to Truck Under no circumstances are there to be any unauthorized persons permitted to have access to the cab, body, box, payload or tail-lift of the truck. Similarly, no unauthorized person shall be transported as a passenger in the truck at any time. Only Management can authorize access to the truck or permission to provide transportation to any Non Access employee or visitor. 2.4 Driver Demeanor The company’s drive to provide professional and prompt service requires that all company employees, particularly drivers, be polite and conduct themselves without excessive interaction with the client’s personnel. The goal is to provide superior service with a minimum of distraction to their production. 2.5 Vehicle Preparation Prior to driving to a client’s location, all drivers must ensure that they are properly prepared for travel. Drivers must do the following prior to departure: Drivers must be certain that all vehicle paperwork required by the state is in the vehicle and up-to-date. This also includes any driver’s license required. Drivers must make sure the truck is loaded with any security containers, carts, or pallets that are required to execute the assigned work orders. The driver should have a Receiving Ticket for each customer. The driver is also responsible to make sure there is a sufficient supply of the company’s business cards in the truck. Drivers must make certain that the truck has adequate fuel to complete the route. There is no excuse for running out of fuel. Such incidents will be noted and considered in employee evaluations. If a vehicle is in need of repair, the driver should complete a Maintenance Request form and notify Management. 2.6 Driver Authority Unless it is stipulated otherwise, while completing assignments the driver is the company’s sanctioned authority and is responsible for instructing any other assistants in 13 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 order to execute their assignments and duties safely, securely and as efficiently as possible. The driver is the lead representative and in charge of all client communications and interactions, unless a higher company authority is present. In the event that a destruction facility is unattended when a driver arrives or departs, the driver will be responsible for its security. The driver should relock any doors and set the alarm before they leave the building unattended. If no security procedures have been established with the client prior to arrival, the driver must either contact the client or the company’s management to determine how to handle the situation. 2.7 Enroute The success of the company’s business is dependent upon the knowledge and reliability of its drivers while completing an assignment. Drivers should familiarize themselves with all aspects of the company’s business and the expectations of their drivers. Specifically, drivers should ensure that the following are adhered to while traveling to or from an assignment: Follow scheduled and designated routes to, from and between clients. It is driver’s responsibility to inform Management of all developments that affect the timeliness and efficiency of executing the route. Drivers are required to notify the Management in advance of any period of time that they will be unable to be reached via the company-issued two-way communications device. The driver should always make sure that any confidential materials on the vehicle are secure at all times. In the event of a breakdown, the driver should immediately contact Management of the company and inform them of the situation. The driver or a representative of the company should then contact any client(s) that will be affected by the delay. Arrangements to service the vehicle should then be made. The driver should stay with the truck until help arrives. The driver should never leave a disabled truck unattended for any reason other than their safety or the safety of others. The driver should keep Management informed of the estimated time required for repairs. In the event of a collision or other accident, the driver should contact any emergency authority required first. If able, the driver should then notify Management or a representative of the company of the situation and if the vehicle will be operational. The driver or a representative of the company should then contact any client(s) that will be affected by the delay. The driver should also make sure the materials in the truck are secure. If they are not secure, the driver and any assistants should do their best to secure them. Management may need to dispatch help if required to secure the materials. Except for the police, the driver and any assistants should not engage in a dialogue with anyone regarding the accident, unless otherwise directed by Management. If a driver arrives at a loading area that is occupied, the driver should assess how long the delay will be. If it will be a long delay (more than 15 minutes) or if the 14 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 length of the delay is indeterminable, the driver should locate an alternate loading area. If no alternative is available, the driver should notify the client to make alternative arrangements. 2.8 While at Client’s Facility Upon arrival at the client’s facility, all drivers and any assistants of the company should remember to be professional and courteous at all times. The following guidelines should also be used: There may be instances where a client makes a request outside of the scope of the assignment that will need to be dealt with immediately. If the request is reasonable and does not seriously delay the route, then the driver should comply with the request and notify Management of the company later. (Management will inform the client of the problem with such requests later or assess a charge for the extra service.) If a client makes a request that is unreasonable, delays the route, compromises security, or is otherwise inappropriate, the driver should notify Management of the company immediately. Once apprised, Management will advise the driver regarding how to proceed. While at the client’s facility, if a vehicle is required to be left unattended, the cab and box should be locked. No materials in the company’s custody should be left unattended ever. If destruction of confidential material is not performed at the client’s facility, then the driver should secure all containers before moving them. No person, not even an employee of the client, is allowed to examine or retrieve materials taken into the company’s possession. If a situation requires that a client look through the materials or retrieve something from them, then the driver should contact Management first to get approval. If a customer expresses a complaint about a driver or the company, the driver should offer to convey their dissatisfaction or give them the company’s business card. 2.9 Collecting, Receiving and Destroying Confidential Materials for On-site, Mobile Destruction The company adheres to the following general policies in the collection, receipt and destruction of materials for on-site, mobile destruction: All materials taken into the company’s custody are to be destroyed before proceeding to the next client, unless otherwise prearranged. All materials to be destroyed are always attended by an Access employee/individual or physically secured from unauthorized access while in the custody of the company before they are destroyed. Securing the company’s vehicle cabs and boxes during transport is also required. 15 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 If vehicle is left running and unattended while collecting media at the client site, driver should use duplicate keys to lock the vehicle cab and box. At time of media pick-up, customer must be provided with a receipt or certificate of destruction. The driver should use the following steps in receiving/collecting and transporting confidential materials for destruction: At time of media pick-up, customer must be provided with a receipt indicating type and quantity of media (paper, micro media, computer hard drives, etc.) being collected and that mobile destruction services are being provided for the media/materials collected and whether or not such services are NAID Certified. Management will instruct driver as to proper recording of this information on the receipt. The driver should complete the Receiving Ticket, have it signed by the client’s representative, and leave the receipt with the client. The driver must return the work order to Management. The company’s destruction process procedures are as follows: Paper materials should be destroyed by shredding and baled by grade if possible. The specifications for particle sizes should be no larger than those listed below: Continuous Shred: 5/8 inch Width (max) & Indefinite Length Cross Cut or Pierce & Tear: 3/4 inch Width (max) & 2.5 inches Length (max) Pulverized (Equipment w/ Screens): 2-inch diameter Screen Size holes (max) If adjustable screens are used, Management will be responsible for ensuring that a Screen Changing Log be kept on the truck denoting the starting point of the log and the pertinent information regarding any screen changes. The company will maintain the Screen Changing Logs for a minimum of one year. Microfiche or Microfilm can be destroyed by either a disintegrator or by equipment/process which produces a particle size of 1/8 inch maximum dimension or less. Destroyed materials should be properly discarded. Computer Hard Drives or CPUs will be recorded by serial numbers and then physically destroyed according to the separate written method provided by management. Management will decide the appropriate method to use to destroy atypical media or non-media materials that require destruction. On a (daily/weekly/monthly) basis, Management will inspect the destroyed materials prior to disposal, to ensure that the destroyed information is within the original equipment manufacture specifications and within certification specifications. 16 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 Paperwork verifying destruction should be returned and signed by an authorized agent of the client, preferably the person that witnessed the destruction process. Prior to leaving a client’s facility, the driver should ensure that no confidential materials or trash are left on the ground where the loading or destruction took place. When leaving equipment at a client’s facility, the driver should make sure it is in reasonable condition considering the environment in which it is located. Containers that are to be left in an office area require a much better appearance than those to be left in a warehouse. The driver should never leave equipment that does not function properly. 2.10 Collecting and Receiving Confidential Materials for Plant-based Destruction All materials to be destroyed are always attended by an Access employee/individual or physically secured from unauthorized access while in the custody of the company before they are destroyed. Securing the company’s vehicle cabs and boxes during transport is also required. At time of media pick-up, customer must be provided with a receipt indicating type (paper, micro media, computer hard drives, etc.) and quantity of media being collected and that Plant-based destruction services are being provided and whether or not such services are NAID Certified. Management will instruct driver as to proper recording of this information on the receipt. 2.11 Reporting Damage to a Client’s Facility The company takes pride in providing quick and honest employees. In the event that any accidental damages occur during an assignment, the driver must notify the client immediately about any damages to their property. The client should be assured that the company takes responsibility for actions that caused the damages and will pay for any damages resulting from those actions. The driver or assistant should notify Management at the company of such an occurrence as soon as possible. Management will be responsible for inspecting the damage and reconciling the issue with the client. 2.12 Ending the Destruction Assignment Upon completion of an assignment, the driver and any assistants will unload all materials at the designated secure location. Each client’s material should be individually staged and weighed. The driver will inspect and accept the materials, as they are unloaded from the truck. The driver will turn the Receiving Ticket over to Management upon verification that all materials have been removed from the vehicle. Management is responsible for materials once they are unloaded at the designated secure location. Management will weigh bales and record the weight on appropriate documents before they are shipped to a disposal agent. The driver and any assistants will return their ID Badge to Management or the designated location in the office upon completion of the shift. 17 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 3 QUALITY CONTROL 3.1 Frequency of QC On a (daily/weekly/monthly) basis, Management will inspect the destroyed materials prior to disposal, to ensure that the destroyed information is within the original equipment manufacture specifications and within certification specifications. 3.2 Method of QC Daily/Weekly/Monthly Log will include the following: Date Name/Initials of individual performing he check Items checked: o Particle size (paper and micro media shredders). Is the equipment performing according to OEM and Certification specifications? o Quality of physical hard drive destruction. Are the internal discs destroyed in a manner that prevents them from being put back on the hard drive mechanism to spin? o Paperwork control Weekly/monthly logs Visitor logs Recordation of serial numbers o Length of time unshredded material is held. Corrective Actions, if any 3.3 Corrective Actions o If the particle size is too large and/or the equipment is underperforming. Perform maintenance of the blades and/or other components, as recommended by the OEM o If material has been staged for more than 72 hours, or for a longer period of time than previously agreed upon with the customer. Notify the customer in writing (email is acceptable) of the actual/revised timeframe If the reason for the delay is due to employee error or oversight, retrain employees and document the training. o If visitor, Operational Security Maintenance and/or Serial Number logs are not being filled out in accordance with NAID Certification standards. Retrain employees on proper Certification procedures. 18 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 Document the training, including a roster of the employees who were trained. o If a sanitized drive is found to have data on it The entire batch/lot is checked for recoverable data and/or The entire batch/lot is sanitized again 4 DATA BREACH NOTIFICATIONS 4.1 Management Notification to Customer Management will report, following discovery and without unreasonable delay, to the customer any release of, or unauthorized access to the customer’s confidential material that poses a threat to the security or confidentiality of that information. Any such report shall include the identification (if known) of each individual whose confidential information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. 4.2 Employee Notification to Management All destruction personnel and drivers will report, following discovery and without unreasonable delay, to management any release of, or unauthorized access to the customer’s confidential material that poses a threat to the security or confidentiality of that information. Any such report shall include the identification (if known) of each individual suspected of causing the breach, as well as each individual whose confidential information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. Any such report shall be kept confidential and management will not retaliate against any employee who has reported, in good faith, a potential or actual data breach. 5 UNANNOUNCED AUDIT POLICIES As part of our NAID Certification, we are subject to an unannounced audit at any time. The auditor has the authority to challenge our security and to review any item that would be reviewed during a scheduled audit to ensure that our practices are consistent with Certification standards. 5.1 Unannounced Audits at the Office or Destruction Facility The following procedures must be followed in the event that a NAID Auditor arrives at the office or destruction facility to conduct an unannounced audit: Ask to see the Auditor’s identification. All NAID Auditors have a photo ID Badge issued by NAID. 19 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 Verify that the Auditor has an Auditor Assignment and Confidentiality agreement, which has been signed and dated by a NAID official. Call the NAID office if there is any reason to doubt the legitimacy of the audit. Ask the Auditor to sign the visitor log and provide the Auditor with a visitor badge. Contact Dallin Woodruff to accompany the auditor during the audit. If Dallin Woodruff is not available, contact Richard Steed. Dallin Woodruff or Richard Steed will escort the Auditor throughout the audit process and will allow access to all requested areas and documentation, if such request is not a hardship and does not unreasonably disrupt daily operations. Only if Dallin Woodruff or Richard Steed is unavailable, any employee may assist and accompany the Auditor during the audit, provided that they are cleared for access to confidential customer material. Sign the Auditor’s report if asked. Your signature acknowledges that the audit took place; it does NOT indicate your agreement with the report. 5.2 Unannounced Audits in the Field or at the Customer’s Site The following procedures must be followed in the event that a NAID Auditor arrives at a location where a driver or driver’s assistant is picking up customer material for onsite destruction or transportation back to the destruction facility: Ask to see the Auditor’s identification. All NAID Auditors have a photo ID Badge issued by NAID. Verify that the Auditor has an Auditor Assignment and Confidentiality agreement, which has been signed and dated by a NAID official. Call the NAID office if there is any reason to doubt the legitimacy of the audit. Contact Dallin Woodruff to report the audit. If Dallin Woodruff is not available, contact Richard Steed. Sign the Auditor’s report if asked. Your signature acknowledges that the audit took place; it does NOT indicate your agreement with the report. 20 of 20 Pacific Shredding * Operational Policy & Procedures Manual * rev Jan13 I, __________________________________, have received and read a copy of the Operational Policies and Procedures Manual of (Company Name), which outlines the goals, policies and expectations of (Company Name), as well as my responsibilities as an employee. I have familiarized myself with the contents of these written policies and procedures. By my signature below, I acknowledge, understand, accept and agree to comply with the information contained herein. I understand the Operational Policies and Procedures Manual is not intended to cover every situation that may arise during my employment, but is simply a general guide to the goals, policies, practices and expectations of (Company Name). I understand that this is not a contract of employment and should not be deemed as such. _____________________________________ (Employee Name - Printed) _____________________________________ ___________ (Employee Signature) (Date) _____________________________________ (Manager Name - Printed) _____________________________________ ___________ (Manager signature) (Date) ___________________ (Date of update) National Association for Information Destruction, Inc. NAID® Multi-Location Certification 3-24 Branches (U.S. and Canada) 2018 World Headquarters 3030 N. 3rd St., Suite 940, Phoenix, AZ 85012 Phone: (602) 788-6243 & Fax: (480) 658-2088 E-mail: certification@naidonline.org ® Page 3 of 3 MultiLocCertOVERVIEW (3-24) NAID® MULTI-LOCATION CERTIFICATION (FOR COMPANIES WITH 3-24 BRANCHES) PROGRAM OVERVIEW Qualifications for Program In order to qualify for the program, an applicant (the “Company” or the “Applicant”) must have at least three (3)corporately-owned destruction Branches (or at least three (3) destruction Franchisees with uniform and corporately managed operating procedures) and the Applicant must be committed to achieving 100% compliance with the NAID Certification specifications at all information destruction-related locations and agreeing that all such facilities will be subject to the scrutiny of audits on a country-specific basis. Fees Branches will be audited at the standard Certification fee as listed on Page 1 of the Multi-location Headquarters Application for companies with 3-24 branches. Where an Applicant’s records are maintained in a centralized manner, there will be an additional annual Headquarters Audit for an additional fee. Fees are to be paid at the time of the application submission. Initial Application and Audit Process (first 12 months or less) A Headquarters Audit (if necessary) and audits of all of the Applicant’s Branches are required for each location wanting to become certified. If participating in the Multi-Location Program 100% of all locations must be NAID Certified. Each Transfer Processing Station will be audited in conjunction with the destruction facility to which it is linked. Linking does not require that all shipments from such Transfer Processing Station must go to the linked destruction facility. NAID will notify the Company in writing when it has achieved NAID Certified Company status. The Applicant may not make any reference regarding an enterprise-wide NAID Certification until they are in receipt of the official notice from NAID. Re-Audit Process and Unannounced Audits After successful completion of the initial application and audit process, and notification that the Company is NAID Certified, the Multi-location Company will be audited as follows: a) One-third of the Company’s Branches shall be audited each year on a scheduled, announced basis at the standard rates. The selection of the locations shall be in a manner that all Branches are audited over a 3 year period. b) All of the Company’s Branches are subject to unannounced audits and will be chosen for such unannounced audits by the same process and with the same probability as all NAID Certified locations, which is currently approximately 25% per year. Branches belonging to Multi-Location Companies will be in a distinct multi-location audit pool, separate from the audit pool for single- location NAID-Certified Companies. This Multi-location Certification Program will not change without being mutually agreed upon between the Multi-location Certification Council. This limitation does not include any modification to an audit schedule that is made on a company-specific basis as a result of a series of a Company’s transgressions over time. Such company-specific modifications to the Multi-location audit schedule would, however, be considered a change that is subject to established due process and NAID Board of Directors’ approval. The logic for conducting audits of less than all of a Multi-location Company’s locations each year is that the number of locations audited (one-third on a scheduled basis, plus random unannounced audits of other Branches) constitutes a representative sample of the Applicant’s sites. Therefore, the enterprise-wide NAID Certification status is dependent upon and measured by the cumulative results of each year’s audits. An audit failure of a single Branch (or a Transfer Processing Station or Collection Facility) of a Multi- location Company may result automatically in such Company losing its NAID Certified status. However, evidence of serious breaches of NAID standards (particularly breaches that might allow unauthorized access to confidential customer media) may lead to heightened scrutiny of the Company at the discretion of the Certification Review Board (CRB). Non-compliance/Transgressions and Due Process If the Certification Review Board (CRB) becomes sufficiently concerned over a pattern of transgressions at a Company because of results of audits, it may result in the filing of a complaint with the Complaint Resolution Council (CRC). The CRC would use the same due process established for all ethical transgressions in formulating its recommendations to the NAID Board of Directors. The NAID Board of Directors would ultimately decide to approve, modify or decline the CRC recommendations. As the final element of due process, a member appeal of a NAID Board decision would be afforded to the Respondent in the complaint. The CRB has the authority to require remedial actions to restore compliance to NAID Certification specifications. The primary purpose of the authority to require restored compliance with NAID Certification specifications is the protection of the clients and the reputation of the NAID Certification program. Therefore, the timeframe required by the CRB to make such adjustments is totally dependent upon the risk to the client and the reputation of the NAID Certification program as determined by the CRB. The CRB is also charged with establishing the precedents regarding when transgressions, or a pattern of transgressions, are referred to the CRC for disciplinary action. The CRC is ultimately responsible to see that due process is applied to all relevant situations, as well as establishing the precedents under which disciplinary action is warranted. Only the NAID Board of Directors may fine, sanction, terminate, deny or suspend NAID Certification, or terminate or suspend NAID Membership. Page 1 of 16 MLCertHQ(3-24US&Can)2018 NAID® Multi-location Certification (U.S. & Canada Applicants with 3-24 Branches only) 2018 Headquarters Application Company Name: __________________________________________________________________________________________ Pres/VP of Info Destruction: _____________________________________________________ Audit Process Coord: __________________________________________________ Title: _______________________________________________ Title: _____________________________________________ Email address :_______________________________________ Email address :_____________________________________ Headquarters Address: __________________________________________________ Unit/Ste: ________________________ City: _______________________________________ State/Prov:_________________ Postal Code: _________________ Country: ____________________________________________ Website: __________________________________________ Telephone Number: ___________________________________ Fax Number: ______________________________________ Profile Information: Year Company Established: _______________ & Year Destruction Services Established (if different): _______________ General Liability (Aggregate/Umbrella Indemnification Level)  for each location OR  company-wide: $_____________ Total Number of Branches providing information destruction services (and therefore included in this Application): _________ Application Information: Initial Year of Certification – all Branches will be audited this year as indicated in the payment determination below. Recertification Audits for One-Third of the Total Branches as indicated in the payment determination below. Headquarters Audit* Required: No (no charge)  Yes and @ $1200 = $__________________ Number of Mobile Only branches: ______ @ $965 per branch = $__________________ Number of Plant-Based Only branches: ______ @ $965 per branch = $__________________ Number of Both Mobile & Plant-Based branches: ______ @ $1075 per branch = $__________________ Mobile Operation associated w/ Transfer Processing Station: No  Yes and Number: _____ @ $1075 per site = $__________________ Transfer Processing Station(s): No  Yes and Number _____ @ $775 per TPS = $__________________ TOTAL payment = $__________________ *Headquarters Audit – If the company cannot provide originals or copies of all necessary documentation or records to be verified at the Branch, then an audit of the Headquarters/central location, where those documents are held, will be required. NAID Use Only New or Recert: Auditor: Audit # : Audit Required: YES NO Received: Complete: DBU: Expires: Company Name:______________________________________________ Page 2 of 16 MLCertHQ(3-24US&Can)2018 Employment Information Disclaimer All organizations applying for NAID Certification are expected to comply with any and all national, state, local, or other laws regarding the collection, maintenance and disclosure of employee information, and all laws regulating employment practices, in the jurisdiction governing the location for which the applicant Company is applying for NAID Certification or does business. NAID is not responsible for the compliance of its individual NAID Certified members. Therefore, if the applicant Company believes that anything in this Application or the audit process is, or may be, violative of any laws applicable to the applicant Company, such Company must notify NAID, concurrently with the submission of its NAID Certification Application or during the audit, as applicable, of the practices or disclosures which are believed by the applying organization to be in conflict with or violative of any relevant laws. In addition, such notification must include a statement of and citation to the applicable law, code, ordinance or other legal authority. NAID will then analyze the law, code, ordinance or other legal authority to determine whether the applicant Company may be exempted from the particular criteria, practice or disclosure. NAID will notify the applicant Company in writing of such determination. In addition, a particular requirement of this application, although permissible under applicable laws and regulations, may violate applicable laws and regulations if applied in an impermissible manner, particularly in regard to hiring and retention practices. You should consult your own legal counsel to determine whether your hiring and retention policies and practices comply with all applicable laws and regulations. Additional Required Materials: (to be submitted with application) 1)Access Individuals and Non-Access Individuals List - A list of all employees/individuals broken down by “Access Individuals” and “Non-Access Individuals” indicating title/position/responsibility (driver, owner, manager, processing, etc), and date of hire. Also, the Applicant must indicate any employees who are not citizens of the employer’s country. (See the Definitions document for detailed descriptions of Access Individuals and Non-Access Individuals). 2)List of Destruction and Collection Vehicles – A List of all mobile information destruction and collection vehicles, including Vehicle make & model, VIN, License Plate Number and the State the vehicle is licensed in. 3) List of Recipients of Destroyed Media – List should include all companies receiving destroyed media from Applicant within the last year and ultimate responsible disposition of materials (pulping, incineration, smelting, etc.). 4)Subcontractor list (if applicable) – A list of all companies or agents used within the last year to subcontract any part of the information destruction process indicating what aspects of the process for which they are responsible and accept custody (See Definitions page). 5)Special Consideration Letter (only applicable for hardship or extreme circumstances) – Letter requesting a temporary or conditional qualification for a specific NAID Certification criteria; only considered under extreme or special circumstances, applicant must submit this written request (on Company letterhead & signed by an official Company representative) with their NAID Certification Application. The letter must identify the specific criteria, detail the hardship or special circumstance for consideration, and state how the applicant will achieve the intent of the criteria given their circumstances. The NAID Certification Review Board will review and respond to all requests. We agree with and are bound to the following: (Please sign on bottom to indicate agreement with the following items.) Multi-Location Program Specific Agreements: 1.The Company has at least three (3) corporately-owned destruction Branches (or at least three (3) destruction Franchisees with uniform and corporately managed operating procedures) and there is a commitment for 100% of all information destruction locations and 100% of all destruction operations to be in compliance with the NAID Certification specifications and subject to the scrutiny of audits on a country-specific basis (or region which is no less than one country). 2.The Company and all Branches or Franchisees participating in the Multi-location program are members of NAID in good standing and with no outstanding debt to the association. In order to gain or maintain NAID Certification, all locations must be NAID members in good standing. 3.All locations (and their associated Transfer Processing Stations, if applicable) would be audited at the standard Multi-location Certification fee, paid at the time of application. 4.The Company has included with this Application a list of all current information destruction locations of the Company in the country to which this Application applies, and a tentative schedule of locations and dates for the audits to be conducted in the initial year. If this is the initial year, the Company understands that the audits must occur within one year of this Application and that the audit schedule must be approved by NAID. 5.The Company may not refer to itself as a “NAID Certified Company” until the agreed upon one-third Branches or Franchisees have successfully completed their audits with CRB approval and NAID has provided written notification of such status. Individual locations are considered as “NAID Certified” as soon as the audit for such sites have been completed and NAID has notified the Company that such site passed the audit. Company Name:______________________________________________ Page 3 of 16 MLCertHQ(3-24US&Can)2018 6.The Company understands that ALL NAID certifiable services/operations being offered to the Company’s customers at every destruction location/branch within the specified region or country must be Certified in order to gain and maintain NAID Multi-location Certified status. If the Company adds a certifiable operation at any established destruction location and/or adds a new destruction location after Certification has been approved, it has 6 months in which to apply for Certification of the new location or operation. Failure to apply for and/or successfully pass an audit of all certifiable operations at all destruction locations within the specified region may result in the removal of all NAID Certifications. 7.If the Company maintains documentation/records in a centralized manner or cannot provide the locations with the necessary documentation or records that must be verified by the auditor, then an additional audit of these “headquarters” records must be conducted for a fee of $2970. 8.From the time of the initial filing of the NAID Certification Application, the Company will notify NAID of any new Company Branch or Franchisee locations, including acquisitions, within 60 days. The Company will agree in writing to operate all such new locations under the NAID Certification standards as soon as possible, and would not be audited for at least six (6) months after acquisition/start- up, but would have to be audited within the current three-year audit cycle unless acquired within the last six (6) months of such cycle. 9.As an Applicant for this Multi-location Program, the Company will be assured that the audit schedule, consisting of a first-year audit of all Company locations, followed by a three-year period when one-third of the total locations will be audited in each year, will remain consistent for the first three-year period from the time the Company submits the initial Headquarters Application. This does not include any modification to such schedule that is made on a company-specific basis as a result of a series of transgressions over time. Such company-specific modification to the Multi-location audit schedule would be considered a program change that is subject to due process and NAID Board of Directors’ approval. 10.After the period of time in which all locations on the initial year/original Multi-location Application have been audited and the Company is deemed a NAID Certified Company, the process will be as follows: a) One-third of the locations shall be audited each year on a scheduled, announced basis for the current standard Multi-location Application fee. Two months prior to the established expiration of the annual period, NAID will determine and notify the Company of those audits to be conducted each year. b) Each year, one month prior to the established expiration of the annual period, the Company must submit the Headquarters Application and the requisite one-third of Branch Applications for audit during that year’s cycle. c) The selection of the locations shall be conducted in a manner so that all facilities are checked over a 3 year period. 11.All Company locations are subject to unannounced audits once the Company is NAID Certified. Twenty-five percent (25%) of the locations will be chosen for unannounced audits each year. Multi-location NAID companies shall be in their own multi-location pool. However, while initial audits are taking place, only locations that have successfully undergone the initial audit are subject to unannounced audits. 12.The Company, upon achieving a participation threshold where the organization is considered NAID Certified across the entire enterprise, shall be considered so ONLY within the country or region specified in this Application. General Certification Program Agreements: 1.NAID Certification is optional and is not required for NAID membership. 2.The Company is an Active or Franchise Member of NAID in good standing and with no outstanding debt to the association. In order to gain or maintain NAID Certification, the Company must be a NAID member in good standing. 3.Owners or Senior management of the Division of the Company that conduct the secure shredding operation have read and understand the NAID Certification Audit Methodology, which makes clear the documentation, facilities and equipment that each location will be required to have available and immediately accessible to the NAID Auditor. 4.Any failure to make accessible for inspection all documentation, facilities, and equipment on the date, time and location identified on the Auditor Assignment & Confidentiality Agreement (Appointment) Form may result in failure to be NAID Certified, forfeiture of the application fee, additional fees for the failures, re-auditing or other expenses, and/or require that we reapply if we want to pursue this credential. Also, failure to meet the criteria for the type(s) indicated on this application may be considered a failure of the audit. 5.All application fees are non-refundable, except in the instance where the NAID Auditor fails to conduct the audit on the date, time and location indicated on the Auditor Assignment & Confidentiality Agreement (Appointment) form; and when, in such circumstance, the Company decides to withdraw their application. 6.At no time will the label “NAID Certification” or “NAID Certified” be applied, referenced or inferred to facilities or operations of the Company where 1) the location and operating details related to the facility or operation have not been specifically and formally provided to NAID for participation in the NAID Certification program, or 2) the facility or operation does not have any involvement related to the collection, transport, processing and/or destruction of Confidential Customer Materials. Company Name:______________________________________________ Page 4 of 16 MLCertHQ(3-24US&Can)2018 7.The Company must reapply for NAID Certification on an annual basis, prior to the expiration of the current NAID Certification. If the Company chooses not to reapply and/or not to submit to the required audit, it will result in loss of NAID Certification. Loss of NAID Certification will not affect NAID membership. 8.The Company understands that NAID Certification status is public information. Information regarding renewals, lapses, certified operations and endorsements, Company contact information, and the Certification expiration date are displayed on the NAID website and made available to email subscribers. 9.The Company will hold NAID harmless from any claim of damage or loss as a result of the Company’s failure to achieve NAID Certification. 10.The Company agrees that any location seeking NAID Certification will be NAID Certified for Micro Media (Microfiche and Microfilm) destruction only if the Company: 1) indicates in the application for such location that the location possesses equipment that meets the required specification; 2) the equipment was inspected by the NAID Auditor at the time of the NAID Certification audit; and 3) the destruction is being performed at the location (generally only at plant-based operations) for which the Company is seeking NAID Certification. 11.The Company agrees that any location seeking NAID Certification will be NAID Certified for Computer Hard Drive destruction only if: 1) the Company has an established and published standard destruction method for physically destroying computer hard drives; 2) all Customers receiving Computer Hard Drive Destruction services have agreed to or have been notified in writing to these standard procedures or other specific procedures; 3) these standard procedures have been demonstrated to the NAID Auditor during the NAID Certification audit of this location; and 4) the destruction is being performed at the location (generally only at plant-based operations) for which the Company is seeking NAID Certification. 12.The Company understands and agrees that if a location becomes NAID Certified for Mobile Operations only, then the Company must always destroy while on or near the Customer’s premises unless the Customer has agreed in writing (including notification to the Customer by e-mail or as part of the Customer’s agreement with the Company) to permit destruction at a site remote from the Customer’s location. If the Company’s mobile unit performs the shredding away from the Customer site without such written consent or notice, the Company will be considered to be no longer following the Mobile Certification standards and may be subject to review and investigation by the NAID Certification Review Board. 13.The Company understands and agrees that if the Company is applying for Plant-based Operations, the Company must maintain at least 90 days of CCTV recordings for each plant or Transfer Processing Station and must be able to produce them during the time of an audit. If the Company is unable to produce the 90 days of recordings at an audit, the Company may be subject to a reaudit, including associated costs for this reaudit. 14.The Company understands that the specifications and fees for NAID Certification are subject to change at the discretion of the NAID Board of Directors. 15.All of the Company’s employees are legally registered to work in the country to which this Application applies, and the Company has all necessary documentation to confirm this (see the Employment Information Disclaimer). 16.The Company understands that it is responsible for ensuring that background checks of current and prospective employees and any use of consumer reports for employment purposes comply with the mandates of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. 17.If restrictive employment agreements are in place that would prevent the Company from conducting drug screening and/or criminal record searches, the Company will provide a detailed description of such restrictions with this application. 18.The Company understands that random Unannounced Audits are part of the NAID Certification Program. Only if asked and not a hardship, the Company will allow access to a NAID Auditor for purposes of conducting such Unannounced Audits. 19.The Company understands that the NAID Certification Review Board tracks verified reports of certification non-compliance per company/location and may issue fines and/or sanctions or recommend removal of certification for certification violations, in accordance with the Certification Review Board Guidelines. Such fines and/or sanctions are in addition to any remedial actions ordered by the Certification Review Board (CRB) to bring the operation back into compliance. All fines must be paid within 30 days, unless the Company chooses to appeal the CRB’s decision, in which case a formal appeal must be submitted to NAID Headquarters no later than 45 days after the date of notification of the fine/sanction. The Company understands that the NAID Complaint Resolution Council (CRC) will review appeals of CRB fines/sanctions, and the Company will be granted the opportunity to provide spoken testimony within 30 days of the formal submission of the appeal. The NAID Board of Directors will review the CRC’s recommendation and make the final decision on all appeals. The Company will accept the ruling of the NAID Board of Directors as final and seek no further remedy, legal or otherwise. 20.The Company understands and agrees that the NAID Auditor may inspect and test its access control systems related to the facilities, containers and vehicles used to provide secure destruction services during announced and unannounced audits and will not consider such inspection and testing to be a violation of the law, provided such inspection and testing does not result in property damage or the risk of personal injury and is undertaken solely for the purpose of ascertaining compliance with NAID Certification. Company Name:______________________________________________ Page 5 of 16 MLCertHQ(3-24US&Can)2018 21.At any time during the application and/or audit process or after NAID Certification is approved by the NAID Certification Review Board, the Company acknowledges that NAID, its agents and/or the NAID Auditor may investigate or require additional information or documentation from the Company in order to verify information on this Application or the NAID Certification criteria. 22.The Company understands and agrees that all of its employees and agents will refrain from any false or misleading claims, suggestions or references regarding NAID Certification, including but not limited to such claims used in advertising produced in advance and/or in anticipation of NAID Certification at some future date. 23.If the Company has a change in address, ownership, or the operations/services it offers to Customers any time during a pending NAID Certification application or audit, or while the Company is NAID Certified, the Company must notify NAID in writing within 15 business days of this status change. Failure to do so may result in fines, sanctions and/or revocation of NAID Certification. 24.The Company agrees that all destruction locations will utilize Company service paperwork or contract that includes Customer acknowledgement, receipt or agreement regarding the specific service it is receiving. If destruction services rendered by the Company after it is NAID Certified are not among those for which the Company is NAID Certified, but such services could be NAID Certified (plant-based, mobile operations or sanitization operations, and/or destruction endorsements for paper/printed media, micro media or computer hard drives) and/or are recycling services of unshredded/intact paper, then the Customer must be notified in writing that such service is NOT NAID Certified. This written notification may be contained on a materials receipt, certificate of destruction, current Customer agreement/contract or another written notice (including e-mail or another electronic method that may be printed) delivered by the Company to the Customer/recipient of services. 25.The Company agrees that if any location for which it is seeking NAID Certification becomes NAID Certified, then if at any time during the audit process or NAID Certification the Company elects to discontinue any or all NAID Certification operations or endorsements for such location, the Company must notify NAID in writing within 30 days of this status change and has an ethical responsibility to inform clients (aware of the Company’s NAID Certification status) of the change. 26.The Company understands that ALL NAID certifiable services/operations being offered to the Company’s Customers must be NAID Certified in order to gain and maintain NAID Certified status. If the Company adds a certifiable operation after NAID Certification has been approved, it has 6 months in which to apply for NAID Certification of the new operation. Failure to apply for and/or successfully pass an audit of all certifiable operations may result in the removal of all NAID Certifications. 27.The Company understands that the NAID Auditor does NOT approve or deny NAID Certification. The Auditor’s findings will be submitted to the NAID Certification Review Board for approval, determination of remedial or corrective actions and/or additional fees necessary to approve NAID Certification, or denial of application. 28.The Company has 14 business days (as determined by the date on the notice sent to the Company regarding the results of an audit) to submit to the NAID Complaint Resolution Council in writing any protest of the results of an audit. The Company understands that the protest should clearly state the perceived reason of the failure to achieve NAID Certification and why the finding is incorrect. The Company understands that the NAID Complaint Resolution Council will review the dispute in accordance with the Complaint Resolution Council Guidelines, and any ruling on the appeal is subject to the approval of the NAID Board of Directors. The Company will accept the ruling as final and seek no further remedy, legal or otherwise, except to reapply for NAID Certification at the Company’s discretion. 29.This Application is truthful and accurately represents the daily operating procedures of the Company’s secure shredding operations. The Company understands that if any of its representatives willfully deceive NAID or a NAID Auditor, the Company could be immediately removed from NAID, or the NAID Certification may be revoked. 30.Indications of the signatory’s initials above and the signature below acknowledge that I am an owner, corporate officer or official representative of the Company submitting this Application. The undersigned has full authority to request that the Company apply for NAID Certification and submit to any requisite audits, with full knowledge of the Company’s operation to accurately complete the Application, and the authority to execute this agreement. This information provided in this application is truthful and accurate. I have permission and legal authority to bind the organization to the above agreements in this application. By signing below, I agree to adhere to the above agreements. Signed: Date: Print Name: Title: Company Name:______________________________________________ Page 6 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology EMPLOYEE REQUIREMENTS 1.1 Applicant Claims ______________ All Access Employees and Non-Access Employees must have the following on file: •Confidentiality Agreement •I-9 Form U.S. employees hired after November 7, 1986 or proper work registration for non-citizens (See Employment Information Disclaimer.) The Auditor will request evidence of the appropriate documentation in the employee files as follows: •7 or fewer Access and/or Non-Access Employees: Auditor will view employee files for all Access and Non-Access Employees. OR •More than 7 Access and/or Non-Access Employees: Auditor will view employee files as a random sample , totaling 25% of the entire Access and Non-Access Employees List, with a minimum of 7 employees and a maximum of 15 employees. Auditor must inspect applicable documentation for all Non-Citizen Employees and Access Employees who are owners, partners or senior managers (of destruction division) of the Company. The following Access Employees are exempt from the Employment Verification, Drug Screening and I-9: 1)officers, directors, owners and/or partners of the Company not engaged in the day-to-day operations; 2)others who have access to or can grant authorize access to the Confidential Customer Media to be destroyed at the applicant’s location but are not engaged in the day-to-day destruction operations; and/or 3)independent contractors, subcontractors or employees. Any Access Employees representing the Headquarters of the Company’s information destruction division, minimally the President/Vice President of area &/or Audit Coordinator, whether at the location listed on this application or at another location, must have criminal background searches conducted. Auditor will review the results of the Social Security Header Search and criminal background checks of the selected employees. Criminal background checks must include a list and the results of the jurisdictions searched. No person subject to a felony conviction in the last 7 years for any crime involving theft (of tangible or intangible property), fraud, burglary or larceny, and no person currently incarcerated for any crime may be employed in a capacity where they may come in contact with Confidential Customer Media. This applies to all Access Employees. The employment screening is applicable to all Access Employees (other than those exempt from these requirements as mentioned above) regardless of length of service or pre-existing employment status, except where there is a restrictive employment agreement in place. Access Employees whose employment predates the implementation of NAID Certification, must state that they have been employed with the company for the past 7 years. NAID USE ONLY Verified by _______________ 1.2 Applicant Claims ______________ Access Employees must have the below employment screening requirements: When searches are being conducted in places outside of the U.S. every effort should be made to have the searches done at a level comparable to the county and state searches done in the U.S. •7 Year Criminal Record Search: o Social Security Header Search listing all associated addresses of the employee. (Must be conducted prior to the criminal background investigation to ensure all counties, states, and federal district courts of residence and employment have been included and verified in the investigation) o County records search for all counties on Social Security Header Search o Statewide records search for all states on Social Security Header Search o Federal Records Search for all Federal Districts in all states on Social Security Header Search •Pre-hire or Initial Drug Screening •7 Year Employment History Verification which must include the following for each place of employment: o Name, City and State of the previous employer o Dates of employment, as reported by the employee o Date of verification (or attempted verification if the previous employer cannot be reached) o Indication of if the previous employer was able to verify the dates employment. The criminal record search must be conducted by a third-party. County and state checks must be pulled directly from the county and state repositories. Federal checks must be pulled from the federal district courts or via PACER. The use of a secondary database, often referred to as a SuperSearch, InstaSearch and/or National/Nationwide Search is not allowed. If federal, statewide and/or county searches are not available in a particular state, the applicant must complete the ones available and provide documentation to support the unavailability of the other. If a location has restrictive employee agreements in place that prevents drug screening and/or criminal record searches for certain employees, a letter must be submitted stating who and what employee screening restrictions are in place. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 7 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 1.3 Applicant Claims ______________ Access Employees are monitored for drugs/substance abuse by one of the following methods (check one): Option #1: On a random basis, 50% of access employees are drug screened annually. OR Option #2: Management has been trained in a “Substance Abuse Recognition Awareness Program” pre-approved by NAID. Auditor will verify evidence of the method indicated: Option #1: Invoices/results from drug testing lab for random sampling drug screening of 50% of employees OR Option #2: Documentation showing Program approval from NAID and proof that on-site management has completed this Substance Abuse Recognition training within the last year.NAID USE ONLY Verified by _______________ 1.4 Applicant Claims ______________ Ongoing criminal record searches on Access Employees by one of the following methods (check one): Option #1: One-third of Access Employees have been randomly selected and criminal record searches conducted annually. Option #2: One-third of all Access Employees are screened the first year, a different 1/3 are screened the following year, and the remaining 1/3 are screened in the third year. Option #3: All Access Employees have criminal record searches conducted every three years. Year of most recent search: __________ Auditor will review the results of the criminal record search of the employees based upon the method indicated. NAID USE ONLY Verified by _______________ 1.5 Applicant Claims ______________ Drivers meet all licensing requirements of the governmental jurisdiction. The applicable law or regulation for commercial driver licenses will be made available and examined by the Auditor. Auditor will request any items required by law for all drivers listed on the Access and Non-Access Employees List. NAID USE ONLY Verified by _______________ OPERATIONAL SECURITY 2.1a Applicant Claims ______________ The firm has written policies and procedures for drivers and destruction processing employees. Auditor to inspect copy of policies and procedures manuals. NAID USE ONLY Verified by _______________ 2.1b Applicant Claims ______________ Prior to gaining access to confidential material, all drivers and destruction processing employees must sign an acknowledgement indicating that they have received, read and understand the Company’s current written policies and procedures. A new acknowledgment must be signed by employees on an annual basis. Auditor to inspect employee files for a signed acknowledgement of the Company’s current written policies and procedures. This form must reference the version of the written policies and procedures that it applies to. A new acknowledgment must be signed by employees on an annual basis.NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 8 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 2.1c Applicant Claims ______________ The Company has a written policy in place, stating that it will notify any Customer of a potential release of, or unauthorized access to, that Customer’s Confidential Customer Media that poses a threat to the security or confidentiality of that information as soon as reasonably possible. Auditor will check procedures manual to ensure that there is a written policy stating that it will notify any Customer of a potential release of, or unauthorized access to, that Customer’s Confidential Customer Media that poses a threat to the security or confidentiality of that information as soon as reasonably possible. NAID USE ONLY Verified by _______________ 2.1d Applicant Claims ______________ The Company has a written Incident Response Plan for responding to suspected or known security incidents. The Incident Response Plan must include a post-incident business impact analysis and a process for documenting all incidents and their outcomes. Auditor will review the Company’s written Incident Response Plan to ensure there is a policy addressing post-incident business impact analysis and documentation of all incidents and their outcomes. NAID USE ONLY Verified by _______________ 2.1e Applicant Claims ______________ The Company has a written policy in place instructing and requiring employees to notify management of a potential release of, or unauthorized access to, Confidential Customer Media that poses a threat to the security or confidentiality of the information. Auditor will check procedures manual to ensure that there is a written policy instructing and requiring employees to notify management of a potential release of, or unauthorized access to, Confidential Customer Media that poses a threat to the security or confidentiality of the information.NAID USE ONLY Verified by _______________ 2.1f Applicant Claims ______________ The Company has a written policy that addresses the procedures for employees to follow during an unannounced audit. This policy must name at least one person or position of contact with physical access to the information the auditor may ask to review, which is to be contacted in the event of an unannounced audit at the destruction plant or the office. Should circumstances prevent the designated point of contact from being available at the time of the unannounced audit, the Certification Review Board may request additional information to be provided at a later date. Auditor will review the Company’s written policies and procedures for their written policy instructing employees in the procedures to follow during an unannounced audit. NAID USE ONLY Verified by _______________ 2.1g Applicant Claims ______________ All Access Employees must be trained annually to comply with the NAID AAA Certification requirements: Option #1: All Access Employees have taken and passed the NAID Access Employee Training Program (AETP). (Submit AETP Licensing Form with application.) Option #2: All Access Employees have taken and passed a third-party training course which has been pre- approved by NAID. (Submit AETP approval form and outline of training with application.) Option #3: All Access Employees have taken and passed an in-house training. If NAID has not already approved the training course for this purpose, an approval form and outline of the program is included with this application. (Submit AETP approval form and outline of training with application.) Auditor will review evidence of annual training to ensure all Access Employees have passed a training program which complies with the NAID AAA Certification requirements. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 9 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 2.2 Applicant Claims ______________ Access Employees display Company-issued photo I.D. badges at all times while on duty. Badges must minimally include a photo, employee name and Company name. Auditor will inspect the Company policies and procedures manual to ensure there is a written policy for Access Employees to display a Company-issued photo I.D. badge at all times while on duty. Auditor will also inspect employees present to verify that they are wearing photo I.D. badges.NAID USE ONLY Verified by _______________ 2.3 Applicant Claims ______________ While at Customer’s location, drivers and other employees of contractor must wear a specific uniform (minimum of Company shirt) to improve recognition by Customers. Auditor to inspect uniform of at least one driver and confirm that wearing a uniform is specified in policies and procedure manual(s). NAID USE ONLY Verified by _______________ 2.4 Applicant Claims ______________ At the time that media is transferred from the Customer’s custody to the custody of the destruction Company’s employees, the Customer must be provided with a receipt or certificate of destruction indicating type and quantity of media and an acknowledgement of the services rendered. An electronic receipt is acceptable, provided there is a verifiable electronic audit trail and the ability to provide the Customer with the printed information. If destruction services rendered by the Company after NAID Certification are not NAID Certified, but such services could be NAID Certified (plant-based or offsite services, mobile operations or sanitization operations, and/or destruction endorsements for paper/printed media, micro media or computer hard drives) and/or are recycling services of unshredded/intact paper, then the recipient of the services must be notified in writing that such service is NOT NAID Certified. This written notification may be contained on a materials receipt, certificate of destruction, current Customer agreement/contract or another written notice (including e- mail or another electronic method that may be printed) delivered by the Company to the Customer/recipient of services. Auditor will inspect the Company policies and procedures manual to ensure that Customer documentation process contains the requisite information and will inspect a copy or sample of the Customer documentation. If applicable, Auditor must inspect a copy or sample of the Customer documentation when destruction or recycling services are NOT NAID Certified to verify such notification is stated. For Plant-based operations and Transfer Processing Stations only: If a Subcontractor is used for transport prior to destruction, the Subcontractor must provide the Customer and the Applicant Company with the Customer receipt documentation. Auditor to verify documentation has been provided by the Subcontractor and is being utilized by inspecting a copy of a past Customer receipt.. NAID USE ONLY Verified by _______________ 2.5 Applicant Claims ______________ All media for destruction are always attended by a Company employee or physically secured from unauthorized access while in the custody of the destruction contractor before they are destroyed. The Auditor will verify that containers used in the field to transport media for destruction from the Customer’s facility to the destruction provider’s vehicle have operable locks. Auditor will inspect the Company policies and procedures manual to assure that custody of the media for destruction is addressed. For Plant-based operations and Transfer Processing Stations, Auditor will determine that there is a secured area designated for holding media when unattended until that media can be destroyed. NAID USE ONLY Verified by _______________ 2.6 Applicant Claims ______________ All media are securely contained during transfer from Customers’ custody to transportation vehicle to prevent loss from wind or other atmospheric conditions. Auditor to inspect collection equipment used by the contractor in the field to make sure it protects the media from loss due to wind, tipping/spillage or other atmospheric conditions. If in the field, Auditor to check area around collection or destruction vehicle to verify it is free from loose information- bearing media.NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 10 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 2.7 Applicant Claims ______________ All vehicles used for transfer of media will have the applicable government inspection for roadworthiness on file. Auditor will review paperwork from the most recent inspection of all the Company’s commercial vehicles within the time frame stated in the applicable state law regarding the nature and frequency of these inspections. If there is a jurisdiction that does not require an inspection of commercial vehicles, Auditor will require a copy of the government statement saying so. Three vehicle records will be checked. NAID USE ONLY Verified by _______________ 2.8 Applicant Claims ______________ All vehicles used for transfer and/or destruction of media (whether intact or destroyed) will have lockable cabs and lockable, fully enclosed boxes. These vehicle cabs and boxes must be locked during transport and when unattended by Access Individual. Auditor will inspect trucks made available by the Company to verify that all cab doors and truck boxes are lockable and that locks work properly. Auditor will inspect the Company policies and procedures manual to assure that vehicle cab and box locking is addressed. Note: If there are 3 trucks or less in either separate category (Mobile Shredding and Collection Only), all trucks in each category must be made available for inspection. If there are 4 or more trucks in each category, 75% of the fleet in each category must be made available for inspection. If trucks are not made available, the Company must provide written testimony that those trucks not presented for inspection are of equal or superior condition of roadworthiness and security. The testimony must be on Company letterhead and signed by an officer of the Company. NAID USE ONLY Verified by _______________ 2.9 Applicant Claims ______________ All drivers of collection or destruction vehicles must have readily accessible two-way communication devices. Auditor to verify each driver has the stated and operable two-way communication device with them or in the vehicle. NAID USE ONLY Verified by _______________ 2.10 Applicant Claims ______________ Not Applicable ______________ APPLIES TO MOBILE CERTIFICATION ONLY The Company must perform mobile destruction services at the Customer’s site. Auditor will verify that the Company policies and procedures manual indicates that mobile destruction services must be performed at the Customer’s site, unless there is a written Customer agreement stating otherwise. A Records Center is considered the Customer’s site when all media for destruction comes from within it. NAID USE ONLY Verified by _______________ 2.11 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY Unauthorized access to Confidential Customer Media in the designated secure destruction area and/or storage/staging areas is effectively prevented. Auditor to inspect all entrances to see that unauthorized access to secured area is effectively preventable when media are not attended. Auditor will verify that the Company policies and procedures manual covers access control and unauthorized access interdiction measures. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 11 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 2.12 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY All visitors entering the secure destruction building or Transfer Processing Station sign a log with their name, time in, affiliation, and time out. Visitors must be issued a Visitor Badge and be escorted or under the supervision of an Access Employee at all times while in the building. This log info/record must be maintained for one year. Auditor will examine visitor/contractor logs and verify records maintained for one year. NAID USE ONLY Verified by _______________ 2.13 Applicant Claims ______________ Not Applicable ______________ Auditor Verifies ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY There is a secure area within the building devoted only to processing and/or destroying media. No baling of unshredded paper may take place in secure areas of the plant-based destruction facility except cardboard. In the event that the facility also stores records (or is a records center), recycles or bales intact/unshredded paper, or conducts other activities, the collection and processing of media for destruction must be in a designated (or delineated) area or secured area. Auditor to inspect building to determine that secured area for information destruction and/or media processing exists and that no baling of unshredded paper takes place in the plant-based destruction facility. If a secured area within the building is required*, it must meet the following specifications: •There must be enough space within this area to stage all media to be destroyed. •The wall or fence securing this area must be a minimum of six feet tall and have a lockable gate or door. •If the wall or fence does not go all the way to the ceiling, then it must have a ceiling mounted sensor alarm inside and over the perimeter of the secure destruction and /or secure staging/processing area(s) (or similar, suitable device) to detect if and when individuals have climbed over or come through a section of the secured area fence/wall. *If the only operations taking place within the building are related to information destruction, AND if ALL employees with access into the building are screened in accordance with Section 1.2 herein and are listed as access employees herein, a separate secure area is not required and the entire building is considered the secure area. NAID USE ONLY Verified by _______________ 2.14 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY There is a monitored alarm system in place and utilized when the secure destruction building or Transfer Processing Station is unoccupied. Auditor is to inspect alarm system to make sure it is operational and examine alarm test reports &/or invoices from alarm monitoring service. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 12 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 2.15 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY There is a closed circuit camera system monitoring all access points into the secure buildings/areas where confidential media is stored, processed and/or destroyed. All processing activities are monitored with sufficient clarity to identify people and their activities. There must be enough lighting during non-business hours to ensure that all images have sufficient clarity. The Company has a written policy in place, stating that branches will notify senior management within a specified amount of time of the discovery of problems with the CCTV system which result in a loss of data. Recordings must be retained for 90 consecutive days in an organized, retrievable manner. Number of days of recordings (as of the date of application):________ Auditor to inspect the closed circuit monitoring system to ensure that it meets criteria. This includes checking that the system has sufficient cameras and image quality to identify individuals and capture all activities in the secure destruction building from point of entry through final destruction, including any unauthorized access to the confidential information. Auditor will also inspect the policies and procedures manual to ensure there is a written policy for notifying NAID within 48 hours of the discovery of problems with the CCTV system which result in a loss of data. 90 days of CCTV playback must be available at the time of the scheduled audit. Auditor to inspect recording library system and to review four 4-minute samples: •Two random samples during operational hours •One random sample during non-operational hours •One sample from the 90th day back from the current date Recording of operations may be suspended for playback recordings. NAID USE ONLY Verified by _______________ 2.16 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED CERTIFICATION WITH A COLLECTION FACILITY Collection Facilities are used to store media intermittently to be transferred to a plant-based destruction facility within 3 business days. Facility has restricted access with a monitored alarm system. The list of all Collection Facility locations associated with this plant-based operation is included with this Application. Number of Collection Facilities:_________ ADDRESS: ____________________________________ ____________________________________ Auditor will check policy and procedures manual to assure that media for destruction is not processed and not stored for more that 3 business days and that the following are maintained: •Access is restricted to Access Employees •Visitor’s Log •I.D. badges are worn by employees and visitors •Monitored Alarm System •In the event that the facility also stores records, recycles or bales intact/unshredded paper, or conducts other activities, the collection of media for destruction must be in a designated (or delineated) area or secured area. (See Item 2.13) Auditor may or may not check the actual facility for requirements at the time of an audit. NAID USE ONLY Verified by _______________ 2.17 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY The following Operational Security systems are checked and maintained on a monthly basis: •Alarm System •Lighting •Door Locks •Visitor Logs In addition to monthly Operational Security system checks, the CCTV system must be checked on a weekly basis, including a minimum of five minutes of playback to ensure that all cameras and recording systems are working correctly. Monthly and Weekly Logs must be kept for one year using the NAID-issued Forms (or the information/content contained on it). Auditor to review the Monthly and Weekly Operational Security Maintenance Logs used to check, record and maintain the facility’s operational security functions, including CCTV (except for a Collection Facility), Alarms, Lighting, Door Locks and Visitor Logs – records must be kept for one year. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 13 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology ENDORSEMENTS & THE DESTRUCTION PROCESS 3.1 Applicant Claims ______________ Not Applicable ______________ PAPER/PRINTED MEDIA ENDORSEMENT Paper/Printed Media is destroyed by commercial grade destruction equipment and meets the particle size as stated by the equipment’s OEM specifications. Acceptable deviant tolerance: 1/16 inch Continuous Shred: Width (max): 5/8 inch & Length: Indefinite Cross Cut or Pierce & Tear: Width (max): 3/4 inch & Length (max): 2.5 inches Pulverizer, Disintegrator or Hammermill* Screen Size (max): 2-inch diameter holes Unspecified Equipment Please describe the type of equipment and cutting mechanism specifications (screen hole size*, blade width, etc.): ___________________________________ Maximum allowable sizes listed create a particle deemed reasonable for regulatory compliance. Customers may specify a smaller particle size at their discretion, which should be codified contractually with the NAID Certified service provider. Mobile or Plant Equipment:__________________________ Manufacturer: ____________________________________ Model: _________________________________________ Serial #: _________________________________________ Capacity/Throughput (lbs/hr): ________________________ Horsepower: ______________________________________ See attached form listing additional equipment info The Auditor will verify that the particles produced by the equipment are reasonably consistent with the OEM specifications and that the equipment is of commercial grade. *Auditor will review the Screen Changing Logs during the audit, if applicable. PULPING OR INCINERATION (PLANT-BASED ONLY) In-House Pulping or Incineration must not require any Transfer of Custody: If the NAID Member owns or leases the pulping or incineration equipment and building, and does not transfer custody of media to a third party for transport or processing before media is pulped or incinerated, then the results of the pulping or incineration must effectively reduce the media to a size or condition that is not reconstructible. NAID USE ONLY Verified by _______________ 3.2 Applicant Claims ______________ Not Applicable ______________ MICRO MEDIA DESTRUCTION The ability to destroy Micro Media (Microfiche or Microfilm only) is NAID Certified based on commercial grade destruction equipment or process which produces a particle size of 1/8 inch maximum dimension or less. Mobile or Plant Equipment:__________________________ Manufacturer: ____________________________________ Model :__________________________________________ Auditor will determine the applicant has equipment with an OEM cutter mechanism of 1/8 inch at its maximum cut dimension by: Using the OEM specs listed on an invoice or spec sheet that matches the serial number on the equipment. OR Measuring the width of the cutters and/or screens Acceptable deviant tolerance: 1/16 inch. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 14 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 3.3 Applicant Claims ______________ Not Applicable ______________ PHYSICAL DESTRUCTION OF HARD DRIVES ENDORSEMENT Computer Hard Drives are physically destroyed (not wiping or overwriting) in accordance with the Company’s standard method of destruction which includes: •Prior to destruction the Company must provide the Customers with a written description of the process for destroying the hard drives. •Serial numbers of all hard drives or CPUs being destroyed for each Customer are recorded, unless the Customer has signed an opt-out agreement. •The log of recorded serial numbers is returned to the Customer upon the completion of the service, unless the Customer has opted out of this requirement. •Hard drives must be damaged to the point where the platters will not spin. Method of Physical Destruction: ______________________________________________ Auditor will review the Company’s written policies and procedures for their standard physical destruction (not wiping or overwriting) of computer hard drives. Auditor will also review verification that the Customer has been notified of the process of destruction. Auditor will also review the serial number recordation log and any opt-out agreements Customers signed. NAID USE ONLY Verified by _______________ 3.4 Applicant Claims ______________ Not Applicable ______________ NON-PAPER MEDIA ENDORSEMENT Non-Paper Media is destroyed in accordance with the Company’s standard method of destruction. Any method that deviates from the standard method of destruction must be communicated to the Customer in writing. Types of Non-Paper Media physically destroyed: Optical Media: ________________________________ Magnetic Media: ______________________________ Flash Media: _________________________________ Other: ______________________________________ Method of Destruction: ______________________________________________ Equipment:______________________________________ Manufacturer: ____________________________________ Model:__________________________________________ Auditor will review the Company’s written policies and procedures for their standard physical destruction of Non-Paper Media. Auditor will also review written policies and copies of documentation provided to the Customer for methods of destruction that deviate from the standard method. NAID USE ONLY Verified by _______________ 3.5 Applicant Claims ______________ Not Applicable NAID USE ONLY Verified _______________ PRODUCT DESTRUCTION ENDORSEMENT Product Destruction is destroyed in accordance with the Company’s standard method of destruction which includes: •Product Destruction is provided in a manner consistent with the company’s policies and procedures manual. •The policies and procedures manual must state that customer receiving the product destruction endorsement will be provided a detailed account of the process used to destroy the specific product in advance of the project. Such product destruction agreements must be kept on file for 3 years from the date of the destruction. •Employee Confidentiality Agreements must contain language wherein the employee agrees that products accepted for destruction are to be considered confidential and that removal or use by the employee is a violation punishable by dismissal and subject to possible legal prosecution. Auditor will review the Company’s written policies and procedures for their standard Product Destruction. Auditor will also review verification that the Customer has been notified of the process of destruction with a detailed account of the process used to destroy the product. The notification to the Customer must be kept on file for 3 years from the date of destruction. Auditor will review the employee confidentiality agreements to verify that language stating that the employee agrees that products accepted for destruction are to be considered as confidential and that removal or use by the employee is a violation punishable by dismissal and subject to possible legal prosecution. Has modified policies and procedures to specifically state that clients receiving product destruction services will be provided a detailed accounting of the process used to destroy the specific product in advance of the project, and that such product destruction agreements be kept on file for 3 years from the date of the destruction. (Audit methodology: Reviewed by auditor) Company Name:______________________________________________ Page 15 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 3.6 Applicant Claims ______________ Not Applicable ______________ APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY The destruction of confidential media must take place within 3 business days from the arrival at the destruction facility. For purges, the destruction of confidential media must take place within 15 business days For Transfer Processing Stations, the confidential material must be transferred to a Plant-based Destruction Operation within 15 business days. If destruction does not occur in the stated timeframe, the Customer must be notified in writing. Auditor will check the policy and procedures manual to assure that all media is destroyed within the stated timeframe. Exceptions include acts of God, breakdowns or Customer notification to retain media for a longer period. NAID USE ONLY Verified by _______________ 3.7 Applicant Claims ______________ Destruction process has a method of quality control in place to ensure destroyed information is within the stated standards for the specific media endorsements for which the Company has applied. Auditor will check procedures manual to assure that there is a regular quality control procedure in place for ensuring destroyed information are within stated standards. NAID USE ONLY Verified by _______________ 3.8 Applicant Claims ______________ Destroyed paper/printed media and micro media must be disposed (sold, gifted, or discarded) in a responsible manner, which does not include any type of reuse. Destroyed remnants of hard drives and circuit boards must be disposed (sold, gifted, or discarded) in a responsible manner, which includes a requirement that the recipient of the destroyed electronic media is registered by the International Organization for Standardization (ISO) as being compliant with the 14001 standard. Applicant must attach a list of all current recipients of destroyed paper/printed media, micro media and hard drives, indicating the final disposition of materials by the recipients. Requests for a hardship exemption must be submitted in writing to the Certification Review Board. Auditor will review list of recipients and manner in which paper/printed media and micro media (micro fiche and micro film) are disposed subsequent to destruction and verify that Company has written agreements or documentation in place to support stated responsible disposal, i.e. pulping, incineration, smelting, etc. Auditor to check waste receptacles and area directly outside of the information destruction building/area to see that no paper/printed media and micro media (micro fiche and micro film), whether shredded or unshredded, has been deposited in waste receptacles or that no loose information-bearing materials are scattered around or near the destruction building. NAID USE ONLY Verified by _______________ Company Name:______________________________________________ Page 16 of 16 MLCertHQ(3-24US&Can)2018 Initial Criteria Audit Methodology 3.9 Applicant Claims ______________ Not Applicable ______________ TRANSFER OF CUSTODY (IF APPLICABLE) Transfer of custody is used for each as indicated (Check all that apply): Temporary Staffing Transportation (of media prior to destruction) Other: ______________________________________ If media destruction is subcontracted, all Customers must be notified in writing of the following information: o name of the subcontractor company o the method of the destruction All Access Employees of the companies in the chain of custody must acknowledge in writing that they understand that all media with which they come in contact is confidential, and they accept fiduciary responsibility. All Access Employees of the companies must submit to the same background screening requirements as NAID Certification. All companies accepting custody of media must meet the NAID Certification criteria. If Company does not meet the NAID Certification criteria then the Customer must be notified in writing that such service is not NAID Certified. Auditor will check documentation to verify that the customer was notified if transfer of custody occurs. If a site visit is required for verification, the Applicant assumes responsibility for any additional fees of the Auditor. NAID USE ONLY Verified by _______________ COMPANY ASSURANCES 4.1 Applicant Claims ______________ Company is a legally registered business in the state of residence. Auditor to examine business license, Certificate of Incorporation or SEC filing. NAID USE ONLY Verified by _______________ 4.2 Applicant Claims ______________ General liability insurance (aggregate or umbrella) of $2,000,000 or more. Auditor to examine valid insurance documents, which could be an ACORD Certificate, a certificate of insurance or a letter from broker verifying coverage limits. Letter must be dated no earlier than one month prior to audit. NAID USE ONLY Verified by _______________ Please submit application via: FAX: (480)658-2088 EMAIL: certification@naidonline.org QUESTIONS: (602)788-6243 Page 1 of 15 MLCertApBranch(US&Can)2018 NAID® Certification Application 2018 Branch Application U.S. & Canada Applicants only Company Name: Audit Contact: Physical Address: Unit/Ste: City: State: Postal Code: Phone: Fax: Email: Profile Information No. of Destruction Employees: __________ No. Of Vehicles: Destruction: _____ Collection: _____ Hours of Operation: ______________________ First Truck Dispatched Time: ______________________ Are any of your Destruction or Collection Vehicles stored at a location other than address above? No Yes (list address): ________________________________________________________________ Type of Audit: Initial If an initial audit are you using a NAID approved consultant? No Yes Name of Consulting Firm: _________________________________________ (Consulting firm must be pre-approved by NAID) Recertification Operation(s) & Endorsement(s): MOBILE PAPER OR PRINTED MEDIA MICRO MEDIA (Microfiche or Microfilm only) PHYSICAL HARD DRIVES NON-PAPER MEDIA PRODUCT DESTRUCTION PLANT-BASED PAPER OR PRINTED MEDIA MICRO MEDIA (Microfiche or Microfilm only) PHYSICAL HARD DRIVES NON-PAPER MEDIA PRODUCT DESTRUCTION Other than information destruction, what other operations take place within the building (check all that apply)? None Recycling (of unshredded paper) Records Storage Other (please indicate):_____________________ TRANSFER PROCESSING STATION(S) Associated Plant (City, State): _______________________ Do you offer any other certifiable services, for which you are NOT seeking NAID Certification? No Yes (list):_____________ Custodial Service: If you accept intermediary or temporary custody of confidential material prior to destruction then the entire process is eligible for certification. (If you would like to add this to your certification please check all that apply and fill out the NAID Custodial Membership/Certification Addendum.) Records Storage Data Recovery/Forensic Breach Investigation Document Scanning/Imaging Online Backup Aggregator/Transportation Backup Tape Rotation NAID Use Only New or Recert: Auditor: Audit # : Audit Required: YES NO Received: Complete: DBU: Expires: Company Name:______________________________________________ Page 2 of 15 MLCertApBranch(US&Can)2018 Employment Information Disclaimer All organizations applying for NAID Certification are expected to comply with any and all national, state, local, or other laws regarding the collection, maintenance and disclosure of employee information, and all laws regulating employment practices, in the jurisdiction governing the location for which the applicant Company is applying for NAID Certification or does business. NAID is not responsible for the compliance of its individual NAID Certified members. Therefore, if the applicant Company believes that anything in this Application or the audit process is, or may be, in violation of any laws applicable to the applicant Company, such Company must notify NAID, concurrently with the submission of its NAID Certification Application or during the audit, as applicable, of the practices or disclosures which are believed by the applying organization to be in conflict with or in violation of any relevant laws. In addition, such notification must include a statement of and citation to the applicable law, code, ordinance or other legal authority. NAID will then analyze the law, code, ordinance or other legal authority to determine whether the applicant Company may be exempted from the particular criteria, practice or disclosure. NAID will notify the applicant Company in writing of such determination. In addition, a particular requirement of this application, although permissible under applicable laws and regulations, may violate applicable laws and regulations if applied in an impermissible manner, particularly in regard to hiring and retention practices. You should consult your own legal counsel to determine whether your hiring and retention policies and practices comply with all applicable laws and regulations. Additional Required Materials: (Must use NAID Approved Forms. To be submitted with application.) 1)Access and Non-Access Employee List - A list of all employees indicating job, date of hire, citizen and access/non-access. 2)List of Destruction and Collection Vehicles – A List of all destruction and collection vehicles including the vehicle make and model, VIN, license plate number and the state the vehicle registered. 3)List of Recipients of Destroyed Media – A list of all companies who receive the destroyed media and are responsible for disposition of materials (pulping, incineration, smelting, etc.). 4)Subcontractor list (if applicable) – A list of all companies used to subcontract any part of the information destruction process. 5)Special Consideration Letter (only applicable for hardship) – Letter requesting a temporary or conditional qualification for a specific NAID Certification criteria; only considered under extreme or special circumstance. Applicant must submit a written request identifying the specific hardship or special circumstance for consideration, and state how the applicant will achieve the intent of the criteria given their circumstances. The NAID Certification Review Board will review and respond to all requests. We agree with and are bound to the following: (Please sign on bottom to indicate agreement with the following items.) 1.NAID Certification is optional and is not required for NAID membership. 2. The Company is an Active or Franchise Member of NAID in good standing and with no outstanding debt to the association. In order to gain or maintain NAID Certification, the Company must be a NAID member in good standing. 3. Owners or Senior management of the Division of the Company that conduct the secure shredding operation have read and understand the NAID Certification Audit Methodology, which makes clear the documentation, facilities and equipment that each location will be required to have available and immediately accessible to the NAID Auditor. 4. Any failure to make accessible for inspection all documentation, facilities, and equipment on the date, time and location identified on the Auditor Assignment & Confidentiality Agreement (Appointment) Form may result in failure to be NAID Certified, forfeiture of the application fee, additional fees for the failures, re-auditing or other expenses, and/or require that we reapply if we want to pursue this credential. Also, failure to meet the criteria for the type(s) indicated on this application may be considered a failure of the audit. 5. All application fees are non-refundable, except in the instance where the NAID Auditor fails to conduct the audit on the date, time and location indicated on the Auditor Assignment & Confidentiality Agreement (Appointment) form; and when, in such circumstance, the Company decides to withdraw their application. 6.At no time will the label “NAID Certification” or “NAID Certified” be applied, referenced or inferred to facilities or operations of the Company where 1) the location and operating details related to the facility or operation have not been specifically and formally provided to NAID for participation in the NAID Certification program, or 2) the facility or operation does not have any involvement related to the collection, transport, processing and/or destruction of Confidential Customer Materials. 7. The Company must reapply for NAID Certification on an annual basis, prior to the expiration of the current NAID Certification. If the Company chooses not to reapply and/or not to submit to the required audit, it will result in loss of NAID Certification. Loss of NAID Certification will not affect NAID membership. 8.The Company understands that NAID Certification status is public information. Information regarding renewals, lapses, certified operations and endorsements, Company contact information, and the Certification expiration date are displayed on the NAID website and made available to email subscribers. 9. The Company will hold NAID harmless from any claim of damage or loss as a result of the Company’s failure to achieve NAID Certification. Company Name:______________________________________________ Page 3 of 15 MLCertApBranch(US&Can)2018 10.The Company agrees that any location seeking NAID Certification will be NAID Certified for Micro Media (Microfiche and Microfilm) destruction only if the Company: 1) indicates in the application for such location that the location possesses equipment that meets the required specification; 2) the equipment was inspected by the NAID Auditor at the time of the NAID Certification audit; and 3) the destruction is being performed at the location (generally only at plant-based operations) for which the Company is seeking NAID Certification. 11.The Company agrees that any location seeking NAID Certification will be NAID Certified for Computer Hard Drive destruction only if: 1) the Company has an established and published standard destruction method for physically destroying computer hard drives; 2) all Customers receiving Computer Hard Drive Destruction services have agreed to or have been notified in writing to these standard procedures or other specific procedures; 3) these standard procedures have been demonstrated to the NAID Auditor during the NAID Certification audit of this location; and 4) the destruction is being performed at the location (generally only at plant-based operations) for which the Company is seeking NAID Certification. 12. The Company understands and agrees that if a location becomes NAID Certified for Mobile Operations only, then the Company must always destroy while on or near the Customer’s premises unless the Customer has agreed in writing (including notification to the Customer by e-mail or as part of the Customer’s agreement with the Company) to permit destruction at a site remote from the Customer’s location. If the Company’s mobile unit performs the shredding away from the Customer site without such written consent or notice, the Company will be considered to be no longer following the Mobile Certification standards and may be subject to review and investigation by the NAID Certification Review Board. 13. The Company understands and agrees that if the Company is applying for Plant-based Operations, the Company must maintain at least 90 days of CCTV recordings for each plant or Transfer Processing Station and must be able to produce them during the time of an audit. If the Company is unable to produce the 90 days of recordings at an audit; the Company may be subject to a reaudit, including associated costs for this re-audit. 14. The Company understands that the specifications and fees for NAID Certification are subject to change at the discretion of the NAID Board of Directors. 15. All of the Company’s employees are legally registered to work in the country to which this Application applies, and the Company has all necessary documentation to confirm this (see the Employment Information Disclaimer). 16.The Company understands that it is responsible for ensuring that background checks of current and prospective employees and any use of consumer reports for employment purposes comply with the mandates of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. 17. If restrictive employment agreements are in place that would prevent the Company from conducting drug screening and/or criminal record searches, the Company will provide a detailed description of such restrictions with this application. 18.The Company understands that random Unannounced Audits are part of the NAID Certification Program. Only if asked and not a hardship, the Company will allow access to a NAID Auditor for purposes of conducting such Unannounced Audits. 19. The Company understands that the NAID Certification Review Board tracks verified reports of certification non-compliance per company/location and may issue fines and/or sanctions or recommend removal of certification for certification violations, in accordance with the Certification Review Board Guidelines. Such fines and/or sanctions are in addition to any remedial actions ordered by the Certification Review Board (CRB) to bring the operation back into compliance. All fines must be paid within 30 days, unless the Company chooses to appeal the CRB’s decision, in which case a formal appeal must be submitted to NAID Headquarters no later than 45 days after the date of notification of the fine/sanction. The Company understands that the NAID Complaint Resolution Council (CRC) will review appeals of CRB fines/sanctions, and the Company will be granted the opportunity to provide spoken testimony within 30 days of the formal submission of the appeal. The NAID Board of Directors will review the CRC’s recommendation and make the final decision on all appeals. The Company will accept the ruling of the NAID Board of Directors as final and seek no further remedy, legal or otherwise. 20.The Company understands and agrees that the NAID Auditor may inspect and test its access control systems related to the facilities, containers and vehicles used to provide secure destruction services during announced and unannounced audits and will not consider such inspection and testing to be a violation of the law, provided such inspection and testing does not result in property damage or the risk of personal injury and is undertaken solely for the purpose of ascertaining compliance with NAID Certification. 21. At any time during the application and/or audit process or after NAID Certification is approved by the NAID Certification Review Board, the Company acknowledges that NAID, its agents and/or the NAID Auditor may investigate or require additional information or documentation from the Company in order to verify information on this Application or the NAID Certification criteria. 22.The Company understands and agrees that all of its employees and agents will refrain from any false or misleading claims, suggestions or references regarding NAID Certification, including but not limited to such claims used in advertising produced in advance and/or in anticipation of NAID Certification at some future date. 23.If the Company has a change in address, ownership, or the operations/services it offers to Customers any time during a pending NAID Certification application or audit, or while the Company is NAID Certified, the Company must notify NAID in writing within 15 business days of this status change. Failure to do so may result in fines, sanctions and/or revocation of NAID Certification. Company Name:______________________________________________ Page 4 of 15 MLCertApBranch(US&Can)2018 24.The Company agrees that all destruction locations will utilize Company service paperwork or contract that includes Customer acknowledgement, receipt or agreement regarding the specific service it is receiving. If destruction services rendered by the Company after it is NAID Certified are not among those for which the Company is NAID Certified, but such services could be NAID Certified (plant-based, mobile operations or sanitization operations, and/or destruction endorsements for paper/printed media, micro media or computer hard drives) and/or are recycling services of unshredded/intact paper, then the Customer must be notified in writing that such service is NOT NAID Certified. This written notification may be contained on a materials receipt, certificate of destruction, current Customer agreement/contract or another written notice (including e-mail or another electronic method that may be printed) delivered by the Company to the Customer/recipient of services. 25.The Company agrees that if any location for which it is seeking NAID Certification becomes NAID Certified, then if at any time during the audit process or NAID Certification the Company elects to discontinue any or all NAID Certification operations or endorsements for such location, the Company must notify NAID in writing within 30 days of this status change and has an ethical responsibility to inform clients (aware of the Company’s NAID Certification status) of the change. 26.The Company understands that ALL NAID certifiable services/operations being offered to the Company’s Customers must be NAID Certified in order to gain and maintain NAID Certified status. If the Company adds a certifiable operation after NAID Certification has been approved, it has 6 months in which to apply for NAID Certification of the new operation. Failure to apply for and/or successfully pass an audit of all certifiable operations may result in the removal of all NAID Certifications. 27. The Company understands that the NAID Auditor does NOT approve or deny NAID Certification. The Auditor’s findings will be submitted to the NAID Certification Review Board for approval, determination of remedial or corrective actions and/or additional fees necessary to approve NAID Certification, or denial of application. 28.The Company has 14 business days (as determined by the date on the notice sent to the Company regarding the results of an audit) to submit to the NAID Complaint Resolution Council in writing any protest of the results of an audit. The Company understands that the protest should clearly state the perceived reason of the failure to achieve NAID Certification and why the finding is incorrect. The Company understands that the NAID Complaint Resolution Council will review the dispute in accordance with the Complaint Resolution Council Guidelines, and any ruling on the appeal is subject to the approval of the NAID Board of Directors. The Company will accept the ruling as final and seek no further remedy, legal or otherwise, except to reapply for NAID Certification at the Company’s discretion. 29. This Application is truthful and accurately represents the daily operating procedures of the Company’s secure shredding operations. The Company understands that if any of its representatives willfully deceive NAID or a NAID Auditor, the Company could be immediately removed from NAID or the NAID Certification may be revoked. 30. Indications of the signatory’s signature below acknowledge that I am an owner, corporate officer or official representative of the Company submitting this Application. The undersigned has full authority to request that the Company apply for NAID Certification and submit to any requisite audits, with full knowledge of the Company’s operation to accurately complete the Application, and the authority to execute this agreement. This information provided in this application is truthful and accurate. I have permission and legal authority to bind the organization to the above agreements in this application. By signing below, I agree to adhere to the above agreements. Signed: Date: Print Name: Title: Company Name:______________________________________________ Page 5 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology EMPLOYEE REQUIREMENTS 1.1 Applicant Claims ______________ All Access Employees and Non-Access Employees must have the following on file: •Confidentiality Agreement •I-9 Form U.S. employees hired after November 7, 1986 or proper work registration for non-citizens (See Employment Information Disclaimer.)) The Auditor will request evidence of the appropriate documentation in the employee files as follows: •7 or fewer Access and/or Non-Access Employees: Auditor will view employee files for all Access and Non-Access Employees. OR •More than 7 Access and/or Non-Access Employees: Auditor will view employee files as a random sample , totaling 25% of the entire Access and Non-Access Employees List, with a minimum of 7 employees and a maximum of 15 employees. Auditor must inspect applicable documentation for all Non-Citizen Employees and Access Employees who are owners, partners or senior managers (of destruction division) of the Company. The following Access Employees are exempt from the Employment Verification, Drug Screening and I-9: 1)officers, directors, owners and/or partners of the Company not engaged in the day-to-day operations; 2)others who have access to or can grant authorize access to the Confidential Customer Media to be destroyed at the applicant’s location but are not engaged in the day-to-day destruction operations; and/or 3)independent contractors, subcontractors or employees. Any Access Employees representing the Headquarters of the Company’s information destruction division, minimally the President/Vice President of area &/or Audit Coordinator, whether at the location listed on this application or at another location, must have criminal background searches conducted. Auditor will review the results of the Social Security Header Search and criminal background checks of the selected employees. Criminal background checks must include a list and the results of the jurisdictions searched. No person subject to a felony conviction in the last 7 years for any crime involving theft (of tangible or intangible property), fraud, burglary or larceny, and no person currently incarcerated for any crime may be employed in a capacity where they may come in contact with Confidential Customer Media. This applies to all Access Employees. The employment screening is applicable to all Access Employees (other than those exempt from these requirements as mentioned above) regardless of length of service or pre-existing employment status, except where there is a restrictive employment agreement in place. Access Employees whose employment predates the implementation of NAID Certification, must state that they have been employed with the company for the past 7 years. NAID USE ONLY Verified _______________ 1.2 Applicant Claims ______________ Access Employees must have the below employment screening requirements: When searches are being conducted in places outside of the U.S. every effort should be made to have the searches done at a level comparable to the county and state searches done in the U.S. •7 Year Criminal Record Search: o Social Security Header Search listing all associated addresses of the employee. (Must be conducted prior to the criminal background investigation to ensure all counties, states, and federal district courts of residence and employment have been included and verified in the investigation) o County records search for all counties on Social Security Header Search o Statewide records search for all states on Social Security Header Search o Federal Records Search for all Federal Districts in all states on Social Security Header Search •Pre-hire or Initial Drug Screening •7 Year Employment History Verification which must include the following for each place of employment: o Name, City and State of the previous employer o Dates of employment, as reported by the employee o Date of verification (or attempted verification if the previous employer cannot be reached) o Indication of if the previous employer was able to verify the dates employment. The criminal record search must be conducted by a third-party. County and state checks must be pulled directly from the county and state repositories. Federal checks must be pulled from the federal district courts or via PACER. The use of a secondary database, often referred to as a SuperSearch, InstaSearch and/or National/Nationwide Search is not allowed. If federal, statewide and/or county searches are not available in a particular state, the applicant must complete the ones available and provide documentation to support the unavailability of the other. If a location has restrictive employee agreements in place that prevents drug screening and/or criminal record searches for certain employees, a letter must be submitted stating who and what employee screening restrictions are in place. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 6 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 1.3 Applicant Claims ______________ Access Employees are monitored for drugs/substance abuse by one of the following methods (check one): Option #1: On a random basis, 50% of access employees are drug screened annually. OR Option #2: Management has been trained in a “Substance Abuse Recognition Awareness Program” pre-approved by NAID. Auditor will verify evidence of the method indicated: Option #1: Invoices/results from drug testing lab for random sampling drug screening of 50% of employees OR Option #2: Documentation showing Program approval from NAID and proof that on-site management has completed this Substance Abuse Recognition training within the last year. NAID USE ONLY Verified _______________ 1.4 Applicant Claims ______________ Ongoing criminal record searches on Access Employees by one of the following methods (check one): Option #1: One-third of Access Employees have been randomly selected and criminal record searches conducted annually. Option #2: One-third of all Access Employees are screened the first year, a different 1/3 are screened the following year, and the remaining 1/3 are screened in the third year. Option #3: All Access Employees have criminal record searches conducted every three years. Year of most recent search: __________ Auditor will review the results of the criminal record search of the employees based upon the method indicated. NAID USE ONLY Verified _______________ 1.5 Applicant Claims ______________ Drivers meet all licensing requirements of the governmental jurisdiction. The applicable law or regulation for commercial driver licenses will be made available and examined by the Auditor. Auditor will request any items required by law for all drivers listed on the Access and Non- Access Employees List. NAID USE ONLY Verified _______________ OPERATIONAL SECURITY 2.1a Applicant Claims ______________ The Company has a written policies and procedures for drivers and destruction processing employees. Auditor to inspect a copy of policies and procedures manuals. NAID USE ONLY Verified _______________ 2.1b Applicant Claims ______________ Prior to gaining access to confidential material, all drivers and destruction processing employees must sign an acknowledgement indicating that they have received, read and understand the Company’s current written policies and procedures. A new acknowledgment must be signed by employees on an annual basis. Auditor to inspect employee files for a signed acknowledgement of the Company’s current written policies and procedures. This form must reference the version of the written policies and procedures that it applies to. A new acknowledgment must be signed by employees on an annual basis. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 7 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 2.1c Applicant Claims ______________ The Company has a written policy in place, stating that it will notify any Customer of a potential release of, or unauthorized access to, that Customer’s Confidential Customer Media that poses a threat to the security or confidentiality of that information as soon as reasonably possible. Auditor will check procedures manual to ensure that there is a written policy stating that it will notify any Customer of a potential release of, or unauthorized access to, that Customer’s Confidential Customer Media that poses a threat to the security or confidentiality of that information as soon as reasonably possible NAID USE ONLY Verified _______________ 2.1d Applicant Claims ______________ The Company has a written policy in place instructing and requiring employees to notify management of a potential release of, or unauthorized access to, Confidential Customer Media that poses a threat to the security or confidentiality of the information. Auditor will check procedures manual to ensure that there is a written policy instructing and requiring employees to notify management of a potential release of, or unauthorized access to, Confidential Customer Media that poses a threat to the security or confidentiality of the information. NAID USE ONLY Verified _______________ 2.1e Applicant Claims ______________ The Company has a written Incident Response Plan for responding to suspected or known security incidents. The Incident Response Plan must include a post-incident business impact analysis and a process for documenting all incidents and their outcomes. Auditor will review the Company’s written Incident Response Plan to ensure there is a policy addressing post-incident business impact analysis and documentation of all incidents and their outcomes. NAID USE ONLY Verified _______________ 2.1f Applicant Claims ______________ The Company has a written policy that addresses the procedures for employees to follow during an unannounced audit. This policy must name at least one person or position of contact with physical access to the information the auditor may ask to review, which is to be contacted in the event of an unannounced audit at the destruction plant or the office. Should circumstances prevent the designated point of contact from being available at the time of the unannounced audit, the Certification Review Board may request additional information to be provided at a later date. Auditor will review the Company’s written policies and procedures for their written policy instructing employees in the procedures to follow during an unannounced audit. NAID USE ONLY Verified _______________ 2.1g Applicant Claims ______________ ______________ NAID USE ONLY Verified ______________ All Access Employees must be trained annually to comply with the NAID AAA Certification requirements: Option #1: All Access Employees have taken and passed the NAID Access Employee Training Program (AETP). (Submit AETP Licensing Form with application.) Option #2: All Access Employees have taken and passed a third-party training course which has been pre- approved by NAID. (Submit AETP approval form and outline of training with application.) Option #3: All Access Employees have taken and passed an in-house training. If NAID has not already approved the training course for this purpose, an approval form and outline of the program is included with this application. (Submit AETP approval form and outline of training with application.) Auditor will review evidence of annual training to ensure all Access Employees have passed a training program which complies with the NAID AAA Certification requirements. Company Name:______________________________________________ Page 8 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 2.2 Applicant Claims ______________ Access Employees must display a Company-issued photo I.D. badge at all times while on duty. Badges must minimally include a photo, employee name and Company name. Auditor will inspect the Company policies and procedures manual to ensure there is a written policy for Access Employees to display a Company-issued photo I.D. badge at all times while on duty. Auditor will also inspect employees present to verify that they are wearing photo I.D. badges. NAID USE ONLY Verified _______________ 2.3 Applicant Claims ______________ While at the Customer’s location, drivers and other employees of contractor must wear a specific uniform (minimum of Company shirt) to improve recognition by Customers. Auditor will inspect the Company policies and procedures manual to ensure there is a written policy for drivers and other employees of contractor must wear a specific uniform while at the Customer’s location. Auditor will also inspect drivers present to verify they are wearing uniforms. NAID USE ONLY Verified _______________ 2.4 Applicant Claims ______________ At the time that media is transferred from the Customer’s custody to the custody of the destruction Company’s employees, the Customer must be provided with a receipt or certificate of destruction indicating type and quantity of media and an acknowledgement of the services rendered. An electronic receipt is acceptable, provided there is a verifiable electronic audit trail and the ability to provide the Customer with the printed information. If destruction services rendered by the Company are not NAID Certified, but such services could be NAID Certified and/or are recycling services of unshredded/intact paper, then the recipient of the services must be notified in writing that such service is NOT NAID Certified. This written notification may be contained on a materials receipt, certificate of destruction, current Customer agreement/contract or another written notice (including e- mail or another electronic method that may be printed) delivered by the Company to the Customer/recipient of services. Auditor will inspect the Company policies and procedures manual to ensure that Customer documentation process contains the requisite information and will inspect a copy or sample of the Customer documentation. If applicable, Auditor must inspect a copy or sample of the Customer documentation when destruction or recycling services are NOT NAID Certified to verify such notification is stated. For Plant-based operations and Transfer Processing Stations only: If a Subcontractor is used for transport prior to destruction, the Subcontractor must provide the Customer and the Applicant Company with the Customer receipt documentation. Auditor to verify documentation has been provided by the Subcontractor and is being utilized by inspecting a copy of a past Customer receipt. NAID USE ONLY Verified _______________ 2.5 Applicant Claims ______________ All media for destruction must always be attended by an access employee or physically secured from unauthorized access while in the custody of the destruction contractor before they are destroyed. The Auditor will verify that containers used in the field to transport media for destruction from the Customer’s facility to the destruction provider’s vehicle have operable locks. Auditor will inspect the Company policies and procedures manual to assure that custody of the media for destruction is addressed. For Plant-based operations and Transfer Processing Stations: Auditor will determine that there is a secured area designated for holding media when unattended until that media can be destroyed. NAID USE ONLY Verified _______________ 2.6 Applicant Claims ______________ All media is securely contained during transfer from Customers’ custody to transportation vehicle to prevent loss from wind or other atmospheric conditions. Auditor to inspect collection equipment used in the field to verify it protects the media from loss due to wind, tipping/spillage or other atmospheric conditions. If in the field, Auditor to check area around collection or destruction vehicle to verify it is free from loose information-bearing media. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 9 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 2.7 Applicant Claims ______________ All vehicles used for transfer of media will have the applicable government inspection for roadworthiness on file. Auditor will review paperwork from the most recent inspection of all the Company’s commercial vehicles within the time frame stated in the applicable state law regarding the nature and frequency of these inspections. If there is a jurisdiction that does not require an inspection of commercial vehicles, Auditor will require a copy of the government statement saying so. Three vehicle records will be checked.NAID USE ONLY Verified _______________ 2.8 Applicant Claims ______________ All vehicles used for transfer and/or destruction of media (whether intact or destroyed) will have lockable cabs and lockable, fully enclosed boxes. These vehicle cabs and boxes must be locked during transport and when unattended by Access Employee. Auditor will inspect trucks to verify that all cab doors and truck boxes are lockable and that locks work properly. Auditor will inspect the Company policies and procedures manual to assure that vehicle cab and box locking is addressed. Note: If there are 3 trucks or less in either category (Mobile Shredding and Collection Only), all trucks in each category must be made available for inspection. If there are 4 or more trucks in either category, 75% of the vehicles in either category must be made available for inspection. If trucks are not made available, the Company must provide written testimony that those trucks not presented for inspection are of equal or superior condition of roadworthiness and security. The testimony must be on Company letterhead and signed by an officer of the Company. NAID USE ONLY Verified _______________ 2.9 Applicant Claims ______________ All drivers of vehicles must have readily accessible two-way communication device. Auditor to verify each driver has an operable two-way communication device with them or in the vehicle. NAID USE ONLY Verified _______________ 2.10 Applicant Claims ______________ Not Applicable APPLIES TO MOBILE CERTIFICATION ONLY The Company must perform mobile destruction services at the Customer’s site. Auditor will verify that the Company policies and procedures manual indicates that mobile destruction services must be performed at the Customer’s site, unless there is a written Customer agreement stating otherwise. A Records Center is considered the Customer’s site when all media for destruction comes from within it. NAID USE ONLY Verified _______________ 2.11 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY Unauthorized access to Confidential Customer Media in the designated secure destruction area, storage area and/or staging area is effectively prevented. Auditor to inspect all entrances to verify that unauthorized access to secured area is effectively prevented when media is not attended. Auditor will verify that the Company policies and procedures manual covers access control and unauthorized access interdiction measures. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 10 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 2.12 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY All visitors entering the secure destruction building or Transfer Processing Station must sign a log with their name, time in, affiliation, and time out. Visitors must be issued a Visitor Badge and be escorted or under the supervision of an Access Employee at all times while in the building. The log must be maintained for one year. Auditor will examine visitor logs and verify the logs are maintained for one year. NAID USE ONLY Verified _______________ 2.13 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY There is a secure area within the building devoted only to processing and/or destroying media. No baling of unshredded paper may take place in secure areas of the plant-based destruction facility except cardboard. In the event that the facility also stores records, recycles, bales intact/unshredded paper or conducts other activities, the collection and processing of media for destruction must be in a designated (or delineated) area or secured area. Auditor to inspect building to determine that the secured area for destruction and/or media processing exists and that no baling of unshredded paper takes place in the plant-based destruction area. If a secured area within the building is required, it must meet the following specifications: •There must be enough space within this area to stage all media to be destroyed. •The wall or fence securing this area must be a minimum of six feet tall and have a lockable gate or door. •If the wall or fence does not go all the way to the ceiling, then it must have a ceiling mounted sensor alarm inside and over the perimeter of the secure destruction, secure staging and processing areas (or similar, suitable device) to detect if and when individuals have climbed over or come through a section of the secured area fence/wall. If the only operations taking place within the building are related to information destruction, and if ALL employees with access into the building are screened in accordance with Section 1.2 and are listed as access employees, a separate secure area is not required and the entire building is considered the secure area. NAID USE ONLY Verified _______________ 2.14 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY There is a third-party monitored alarm system in place and utilized when the secure destruction building or Transfer Processing Station is unoccupied. Auditor is to inspect alarm system to make sure it is operational and examine alarm test reports &/or invoices from alarm monitoring service. NAID USE ONLY Verified _______________ 2.15 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY There is a closed circuit camera system monitoring all access points into the secure buildings/areas where confidential media is stored, processed and/or destroyed. All processing activities are monitored with sufficient clarity to identify people and their activities. There must be enough lighting during non-business hours to ensure that all images have sufficient clarity. The Company has a written policy, stating that branches will notify management within a specified timeframe of the discovery of a loss of data. There must also be a written policy defining the steps to be taken by senior management in correcting the problems with the CCTV system reported by branch. Recordings must be retained for 90 consecutive days in an organized, retrievable manner. Number of days of recordings (as of the date of application):________ Auditor to inspect the closed circuit monitoring system to ensure that it meets criteria. This includes checking that the system has sufficient cameras and image quality to identify individuals and capture all activities in the secure destruction building from point of entry through final destruction, including any unauthorized access to the confidential information. Auditor to review written policies and procedures to ensure there is a policy for branches to notify senior management within a specified timeframe of the discovery of a loss of data. Auditor will also review written policies and procedures to ensure there is a policy defining the steps to be taken by senior management correcting the problems with the CCTV system reported by branch locations. 90 days of CCTV playback must be available at the time of the scheduled audit. Auditor to inspect recording library system and to review four 4-minute samples: •Two random samples during operational hours •One random sample during non-operational hours •One sample from the 90th day back from the current date Recording of operations may be suspended for playback recordings. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 11 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 2.16 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED CERTIFICATION WITH A COLLECTION FACILITY Collection Facilities are used to store media intermittently to be transferred to a plant-based destruction facility within 3 business days. Facility has restricted access with a monitored alarm system. The list of all Collection Facility locations associated with this plant-based operation is included with this Application. Number of Collection Facilities:_________ ADDRESS: ____________________________________ ____________________________________ Auditor will check policy and procedures manual to assure that media for destruction is not processed and not stored for more that 3 business days and that the following are maintained: •Access is restricted to Access Employees •Visitor’s Log •I.D. badges are worn by employees and visitors •Monitored Alarm System •In the event that the facility also stores records, recycles or bales intact/unshredded paper, or conducts other activities, the collection of media for destruction must be in a designated (or delineated) area or secured area. (See Item 2.13) Auditor may or may not check the actual facility for requirements at the time of an audit. NAID USE ONLY Verified _______________ 2.17 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY The following Operational Security systems are checked and maintained on a monthly basis: •Alarm System •Lighting •Door Locks •Visitor Logs The CCTV system must be checked on a weekly basis, including a minimum of five minutes of playback to ensure that all cameras and recording systems are working correctly. Monthly and Weekly Logs must be kept for one year. Auditor will exam the Monthly and Weekly Operational Security Maintenance Logs and verify the are maintained for one year. NAID USE ONLY Verified _______________ ENDORSEMENTS & THE DESTRUCTION PROCESS 3.1 Applicant Claims ______________ Not Applicable PAPER/PRINTED MEDIA ENDORSEMENT Paper/Printed Media is destroyed by commercial grade destruction equipment and meets the particle size as stated by the equipment’s OEM specifications. Acceptable deviant tolerance: 1/16 inch Continuous Shred: Width (max): 5/8 inch & Length: Indefinite Cross Cut or Pierce & Tear: Width (max): 3/4 inch & Length (max): 2.5 inches Pulverizer, Disintegrator or Hammermill* Screen Size (max): 2-inch diameter holes Unspecified Equipment Please describe the type of equipment and cutting mechanism specifications (screen hole size*, blade width, etc.): ___________________________________ Maximum allowable sizes listed create a particle deemed reasonable for regulatory compliance. Customers may specify a smaller particle size at their discretion, which should be codified contractually with the NAID Certified service provider. Mobile or Plant Equipment:__________________________ Manufacturer: ____________________________________ Model: _________________________________________ Serial #: _________________________________________ Capacity/Throughput (lbs/hr): ________________________ Horsepower: ______________________________________ The Auditor will verify that the particles produced by the equipment are reasonably consistent with the OEM specifications and that the equipment is of commercial grade. *Auditor will review the Screen Changing Logs during the audit, if applicable. PULPING OR INCINERATION (PLANT-BASED ONLY) In-House Pulping or Incineration must not require any Transfer of Custody: If the NAID Member owns or leases the pulping or incineration equipment and building, and does not transfer custody of media to a third party for transport or processing before media is pulped or incinerated, then the results of the pulping or incineration must effectively reduce the media to a size or condition that is not reconstructible. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 12 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 3.2 Applicant Claims ______________ Not Applicable MICRO MEDIA ENDORSEMENT Micro Media (Microfiche or Microfilm only) is destroyed by commercial grade destruction equipment which produces a particle size of 1/8 inch maximum dimension or less. Mobile or Plant Equipment:__________________________ Manufacturer: ____________________________________ Model :__________________________________________ The Auditor will verify that the particle produced by the equipment is 1/8 inch maximum or less and that the equipment is of commercial grade. Acceptable deviant tolerance: 1/16 inch. NAID USE ONLY Verified _______________ 3.3 Applicant Claims ______________ Not Applicable PHYSICAL DESTRUCTION OF HARD DRIVES ENDORSEMENT Computer Hard Drives are physically destroyed (not wiping or overwriting) in accordance with the Company’s standard method of destruction which includes: •Prior to destruction the Company must provide the Customers with a written description of the process for destroying the hard drives. •Serial numbers of all hard drives or CPUs being destroyed for each Customer are recorded, unless the Customer has signed an opt-out agreement. •The log of recorded serial numbers is returned to the Customer upon the completion of the service, unless the Customer has opted out of this requirement. •Hard drives must be damaged to the point where the platters will not spin. Method of Physical Destruction: ______________________________________________ Auditor will review the Company’s written policies and procedures for their standard physical destruction (not wiping or overwriting) of computer hard drives. Auditor will also review verification that the Customer has been notified of the process of destruction. Auditor will also review the serial number recordation log and any opt-out agreements Customers signed. NAID USE ONLY Verified _______________ 3.4 Applicant Claims ______________ Not Applicable _______________ NAID USE ONLY Verified _______________ NON-PAPER MEDIA ENDORSEMENT Non-Paper Media is destroyed in accordance with the Company’s standard method of destruction. Any method that deviates from the standard method of destruction must be communicated to the Customer in writing. Types of Non-Paper Media physically destroyed: Optical Media: ________________________________ Magnetic Media: ______________________________ Flash Media: _________________________________ Other: ______________________________________ Method of Destruction: ______________________________________________ Auditor will review the Company’s written policies and procedures for their standard physical destruction of Non-Paper Media. Auditor will also review written policies and copies of documentation provided to the Customer for methods of destruction that deviate from the standard method. Company Name:______________________________________________ Page 13 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 3.5 Applicant Claims ______________ Not Applicable NAID USE ONLY Verified _______________ PRODUCT DESTRUCTION ENDORSEMENT Product Destruction is destroyed in accordance with the Company’s standard method of destruction which includes: •Product Destruction is provided in a manner consistent with the company’s policies and procedures manual. •The policies and procedures manual must state that customer receiving the product destruction endorsement will be provided a detailed account of the process used to destroy the specific product in advance of the project. Such product destruction agreements must be kept on file for 3 years from the date of the destruction. •Employee Confidentiality Agreements must contain language wherein the employee agrees that products accepted for destruction are to be considered confidential and that removal or use by the employee is a violation punishable by dismissal and subject to possible legal prosecution. Auditor will review the Company’s written policies and procedures for their standard Product Destruction. Auditor will also review verification that the Customer has been notified of the process of destruction with a detailed account of the process used to destroy the product. The notification to the Customer must be kept on file for 3 years from the date of destruction. Auditor will review the employee confidentiality agreements to verify that language stating that the employee agrees that products accepted for destruction are to be considered as confidential and that removal or use by the employee is a violation punishable by dismissal and subject to possible legal prosecution. Has modified policies and procedures to specifically state that clients receiving product destruction services will be provided a detailed accounting of the process used to destroy the specific product in advance of the project, and that such product destruction agreements be kept on file for 3 years from the date of the destruction. (Audit methodology: Reviewed by auditor) 3.6 Applicant Claims ______________ Not Applicable APPLIES TO PLANT-BASED AND/OR TRANSFER PROCESSING STATION CERTIFICATION ONLY The destruction of confidential media must take place within 3 business days from the arrival at the destruction facility. For purges, the destruction of confidential media must take place within 15 business days For Transfer Processing Stations, the confidential material must be transferred to a Plant-based Destruction Operation within 15 business days. If destruction does not occur in the stated timeframe, the Customer must be notified in writing. Auditor will check the policy and procedures manual to assure that all media is destroyed within the stated timeframe. Exceptions include acts of God, breakdowns or Customer notification to retain media for a longer period. NAID USE ONLY Verified _______________ 3.7 Applicant Claims ______________ The destruction process has a method of quality control in place to ensure destroyed information is within the stated standards. Auditor will check policy and procedures manual to assure that there is a quality control procedure in place for ensuring destroyed information is within stated standards. NAID USE ONLY Verified _______________ Company Name:______________________________________________ Page 14 of 15 MLCertApBranch(US&Can)2018 Initial Criteria Audit Methodology 3.8 Applicant Claims ______________ Destroyed paper/printed media and micro media must be disposed (sold, gifted, or discarded) in a responsible manner, which does not include any type of reuse. Destroyed remnants of hard drives and circuit boards must be disposed (sold, gifted, or discarded) in a responsible manner, which includes a requirement that the recipient of the destroyed electronic media is registered by the International Organization for Standardization (ISO) as being compliant with the 14001 standard. Applicant must attach a list of all current recipients of destroyed paper/printed media, micro media and hard drives, indicating the final disposition of materials by the recipients. Requests for a hardship exemption must be submitted in writing to the Certification Review Board. Auditor will review list of recipients and manner in which paper/printed media, micro media and computer hard drives are disposed. Auditor will verify that the Company has written agreements in place to support stated responsible disposal. Auditor to check waste receptacles and area directly outside of the information destruction building/area to see that no paper/printed media, micro media and computer hard drives whether destroyed or intact has been deposited in waste receptacles. NAID USE ONLY Verified _______________ 3.9 Applicant Claims ______________ Not Applicable NAID USE ONLY Verified _______________ TRANSFER OF CUSTODY Transfer of custody is used for each as indicated (Check all that apply): Temporary Staffing Transportation (of media prior to destruction) Other: ______________________________________ If media destruction is subcontracted, all Customers must be notified in writing of the following information: o name of the subcontractor company o the method of the destruction All Access Employees of the companies in the chain of custody must acknowledge in writing that they understand that all media with which they come in contact is confidential, and they accept fiduciary responsibility. All Access Employees of the companies must submit to the same background screening requirements as NAID Certification. All companies accepting custody of media must meet the NAID Certification criteria. If Company does not meet the NAID Certification criteria then the Customer must be notified in writing that such service is not NAID Certified. Auditor will check documentation to verify that the customer was notified if transfer of custody occurs. If a site visit is required for verification, the Applicant assumes responsibility for any additional fees of the Auditor. COMPANY ASSURANCES 4.1 Applicant Claims ______________ Company is a legally registered business in the state of residence. Auditor to examine business license, Certificate of Incorporation or SEC filing. NAID USE ONLY Verified _______________ 4.2 Applicant Claims ______________ General liability insurance (aggregate or umbrella) of $2,000,000 or more. Auditor to examine valid insurance documents, which could be an ACORD Certificate, a certificate of insurance or a letter from broker verifying coverage limits. Letter must be dated no earlier than one month prior to audit and be for the amount of $2,000,000 or more. NAID USE ONLY Verified _______________ Page 1 of 1 GrandfatheringCustodialCertApp_2018 NAID® Custodial Membership/Certification Addendum (For companies applying for NAID AAA Certification of destruction services, which also take intermediary or temporary custody of confidential material prior to destruction) COMPANY INFORMATION Company Name: Audit Contact: City/State: Email: Phone: COMPANY PROFILE: Type of Custodial Operations (Check all that apply.): Records Storage Data Recovery/Forensic Breach Investigation Document Scanning/Imaging Online Backup Aggregator/Transportation Backup Tape Rotation Other (describe): We agree with and are bound to the following (Please initial each item and sign on bottom.): ________ 1.The custodial services indicated are provided from the same corporation or legal entity and under the same name and from the same or immediately adjacent facilities. ________ 2.Discarded information resulting from providing the indicated services are destroyed by our NAID certified destruction service when destruction is required. ________ 3.The background screening of all employees engaged in providing the indicated custodial services is equal to or exceeds NAID certification requirements prior to unsupervised access to client information. ________ 4.Access control measures related to providing the indicated custodial services meets or exceeds NAID Certification Plant- based Operation requirements. ________ 5. Custodial services are provided under documented with written security policies and procedures. ________ 6.Employees engaged in providing indicated custodial services have acknowledged the fiduciary nature of their obligation to protect client information from unauthorized access and to report to management any situation that could or has allowed unauthorized access (see NAID Confidentiality Agreement). ________ 7.During future scheduled and unannounced NAID Certification audits, the NAID auditor will be allowed to verify any of the stipulations herein. ________ 8.NAID will be immediately informed (5 business days) of any change in the above stipulations or any in the nature or type of the custodial services offered. Upon receipt of this agreement, NAID would then add the indicated services to the member’s certification profile, resulting in said services being reflected/searchable on the new NAID membership directory. Signed: Date: Print Name: Title: NAID Use Only Audit #: Received: Complete: DBU: Cert Expires: Processed by: AETPOrderForm – 2018 NAID Access Employee Training Program Order Form and Licensing Agreement Please Note : The NAID Access Employee Training Program is only available to NAID Members Company Name: Individual: Street Address: City: State: Postal Code: Country: Phone: Fax: Email: Will the NAID Access Employee Training Program be utilized at multiple locations?  No  Yes If yes, please provide the city and state of the other locations that will be utilizing this program (must be the same company): 1.Company: ________________________ City: ____________________ State/Prov.:_____ Country: _________________ 2.Company: ________________________ City: ____________________ State/Prov.:_____ Country: _________________ 3.Company: ________________________ City: ____________________ State/Prov.:_____ Country: _________________ NAID Access Employee Training Program $79.95 This one-time fee grants the NAID Member company (Licensee) rights to use the NAID Access Employee Training Program (Program), including training video, test, test key, and forms to document successful completion of training by Access Employees to fulfil the requirements for access employee training according to Section 2.1g of the NAID Certification Application. Upon processing of payment, a web link to download the training materials will be sent to the email address provided above. By initialing the following statements it is agreed and understood the following stipulations are a legally binding condition of NAID Access Employee Training Program and Video (Program) use: The NAID Access Employee Training Program and Video (Program) continues to be the intellectual property of NAID in perpetuity, incorporating all rights and privileges afforded such ownership. The Member licensing the use of the Program may not reproduce or copy it, in whole or part, in any manner, including written transcripts or excerpts. Licensees are permitted to electronically copy the Program to a computer hard drive with the understanding that the Licensee has the capability and legal responsibility to prevent unauthorized access at all times. The Member may not post the video, in whole or part, to a publicly accessible website or intranet. The Member may not allow access to, or allow use by, any other company, entity, agency or individual. The Member understands the violation of any provisions herein, or a violation of NAID’s copyright, and or any effort to circumvent, mitigate, eliminate or prevent NAID’s ability to control the distribution of the Video or images from the Video, as determined by NAID, may mean revocation of license, sanctions by NAID including loss of membership or certification, and civil or criminal remedies as NAID may determine appropriate. Only Members with a copy of this license agreement, which will be stored at NAID Headquarters, may use the Program to fulfil the requirements for Access Employee training according to Section 2.1g of the NAID Certification application. NAID Certification allows for the use of third party or in-house resources for Access Employee training, subject to NAID approval, and the use of the Program to fulfil the NAID Certification requirement for access employee training according to Section 2.1g of the NAID Certification application is the sole discretion of the Member. Updated versions of the Program are not necessarily included in this licensing agreement fee and may need to be licensed separately as they become available. Signed: Date: Print Name: Title: NAID Use Only Member#: Received: Shipped: Completed by: AETPOrderForm – 2018 NAID Access Employee Training Program Payment Form Company Name: ________________________________Individual: _________________________________ Street Address (required): _____________________________________________________________________ City: ________________________________________ State: __________ Postal Code: __________________ TOTAL REMITTANCE: USD $ Payment is by: Enclosed Check (Payable to "NAID") Check No.: AmEx  Discover  MasterCard  Visa #-- - Expires (mo/yr): / CVV code: Name on Card: Signature: Page 1 of 1 AETPApprForm 2018 NAID® CERTIFICATION PROGRAM ACCESS EMPLOYEE TRAINING PROGRAM APPROVAL SUBMISSION FORM Please complete this form and submit to NAID for approval of your Access Employee Training Program (AETP). Upon approval of your program a confirmation email will be sent. Please remember that all access employees must go through the program annually. Company: ___________________________________ Contact Name: ___________________________________ Contact Email: ________________________________________________________________________________________________ Physical Address: ________________________________________________________________________________________________ City: _________________________________________ State/Prov: _______________________ Postal Code: ___________________ Total # Access Employees Trained: _________ (all access employees must be trained, per Section 2.1g of the NAID AAA Certification Application) Is the application for multiple locations?  No  Yes (If yes, please provide the Company name, city and state of the other location(s) that will be utilizing this program.) 1.Company:____________________________________ City:____________________ State/Prov:______ Country:______________ 2.Company:____________________________________ City:____________________ State/Prov:______ Country:______________ 3.Company:____________________________________ City:____________________ State/Prov:______ Country:______________ Agency administering the program: __________________________________________________________________________________ Contact person at Agency: _________________________________________________________________________________________ Title of Program: ________________________________________________________________________________________________ Date the program was last conducted (or is to be conducted): _____________________________________________________________ I am providing the following program information: Type of or sample of dated documentation indicating the successful completion of the program: Certificate Graded test Signed attendance roster Other, explain ___________________________ AND Outline of Program & Handouts/materials used during training Company Signature: _____________________________________________________________ Date: __________________________ Print Name: _____________________________________________________________ Title: __________________________ NAID Use Only Signed: ______________________________________________________________ Date: _______________________________ Print Name: ______________________________________________________________ Title: _______________________________ Please submit the form via: FAX: (480)658-2088 EMAIL: certification@naidonline.org QUESTIONS: (602)788-6243 Page 1 of 1 SARPApprForm 2018 NAID® CERTIFICATION PROGRAM SUBSTANCE ABUSE RECOGNITION TRAINING PROGRAM APPROVAL SUBMISSION FORM Please complete this form and submit to NAID for approval of your Substance Abuse Program Training (SARP). Upon approval of your program a confirmation email will be sent. Please remember that manager(s) and/or supervisors must go through the program annually. Company: _____________________________________________ Contact Name: _______________________ Contact Email: Physical Address: City: ________________________________________ State/Prov: __________________ Postal Code: _______________ Total # Supervisors Trained at above Operation: Total # Destruction Employees at above Operation: Is the application for multiple locations?  No  Yes (If yes, please provide the Company name, city and state of the other locations that will be utilizing this program.) 1.Company:____________________________ City:______________________ State/Prov:______ Country:______________ 2.Company:____________________________ City:______________________ State/Prov:______ Country:______________ 3.Company:____________________________ City:______________________ State/Prov:______ Country:______________ Agency administering the program: __________________________________________________________________________________ Contact person at Agency: _________________________________________________________________________________________ Agency phone number: __________________________________ Email address : _________________________________________ Title of Program: ________________________________________________________________________________________________ Date the program was last conducted (or is to be conducted): _____________________________________________________________ I am providing the following program information: Certificate Graded test Signed attendance roster Other, explain ___________________________ AND Outline of Program & Handouts/materials used during training OR Proof of DOT approved program Company Signature: ____________________________________________________ Date: __________________________ Print Name: ____________________________________________________ Title: __________________________ NAID Use Only Signed: ______________________________________________________________ Date: _______________________________ Print Name: ______________________________________________________________ Title: _______________________________ Please submit the form via: FAX: (480)658-2088 EMAIL: certification@naidonline.org QUESTIONS: (602)788-6243 AGREEMENT FOR RESPONSIBLE DISPOSAL OF DESTROYED MATERIALS (between a Secure Destruction Service and Disposal Agent) The following Secure Destruction Service is NAID® Certified or seeking NAID® Certification and is in possession of destroyed materials as identified below that it must responsibly dispose: SECURE DESTRUCTION SERVICE firm: Address: Destroyed Materials consisting of: The following Disposal Agent accepts the Destroyed Materials and will responsibly dispose of these materials in the method identified below: DISPOSAL AGENT firm: Address: Final Disposition Method of Materials Received: If destroyed computer hard drives are being disposed, the above Disposal Agent must be registered by the International Organization for Standardization (ISO) as being compliant with the 14001 standard. By signature below, the Disposal Agent agrees to the following in accepting the Destroyed Materials from the Secure Destruction Service: •Disposal Agent agrees to process and route the Destroyed Material by a mutually acceptable method and to a mutually agreed destination that fulfills the obligation to keep them from entering the public realm in a manner in which they could be reconstituted (such as in packing materials or animal bedding) or that is violation of any environmental regulations. •The Disposal Agent agrees that the final disposition method identified above will be adhered to unless notice and permission have been obtained from the Secure Destruction Service firm in writing in advance. •The Disposal Agent understands that the decision to use their firm to accept the Destroyed Material and process it under the agreed manner is required by the NAID Certification standards. •The Disposal Agent understands that the decision by the Secure Destruction Service to transfer the Destroyed Materials to the Disposal Agent is made only in consideration of their ability and willingness to comply with this agreement. •The Disposal Agent agrees to process and dispose of the Destroyed Materials as agreed herein •The Secure Destruction Service also agrees that this is not an agreement that transfers any obligation or intention on the part of the Disposal Agent to provide secure destruction services. Disposal Agent Representative’s Signature: Date: Representative’s Printed Name: Representative’s Title: Agreement for Responsible Disposal NAID® AAA CERTIFICATION PROGRAM AUDIT PREPARATION CHECKLIST The following checklist has been prepared to help you expedite a successful Certification audit. You should review this checklist at least one week prior to your scheduled audit to ensure all items are in place. EMPLOYEE REQUIREMENTS All employee must have Confidentiality Agreements and an I-9 form (Item 1.1) All Access Employee must have an Employment History Verification, Criminal Record Search and Drug Screening Results (Item 1.2) Ongoing annual Access Employee Drug/Substance Screenings: (Item 1.3) Option 1 - Drug/Substance Screening on annual random basis must include a file containing documentation supporting the 50% annual random Access Employee drug testing should be available. OR Option 2 – Substance Abuse Recognition Program Form must be on file containing proof of completed yearly management training. Ongoing Access Employee Criminal Record Searches. (Item 1.4) Drivers must have a copy of a valid driver license and/or commercial driver license and any additional items required by governmental jurisdiction for drivers. (Item 1.5) OPERATIONAL SECURITY  Policies and Procedures manual must include: (Item 2.1a) Policy for notifying customers of a potential release of, or unauthorized access to confidential material (Item 2.1c) Policy for notifying management of a potential release of, or unauthorized access to confidential material (Item 2.1d)  Incident Response Plan for responding to suspected or known security incidents (Item 2.1e)  Unannounced Audit procedure and process (Item 2.1f) All Access employees must wear a photo I.D. badge while on duty (Item 2.2) A Company Uniform must be worn by employees (Item 2.3) Customer documentation process that includes customer acknowledgement, receipt or agreement of the specific services they have received (Sample of documentation must be available for the auditor) (Item 2.4) Containers used to transport confidential materials have operable locks (Item 2.8) The Company must perform mobile destruction services at the Customer’s site. (Mobile Operation Only) (Item 2.10) Access controls and unauthorized access to the secure destruction area (Plant-based Operations Only) (Item 2.11) Method of physical computer hard drive destruction (if applicable) (Item 3.3) Method of non-paper media destruction for each type of non-paper media destroyed (if applicable) (Item 3.4) Destruction timeframe of media (Item 3.5) Quality control procedures (Item 3.6) If the information destruction service being proposed to the Customer is not NAID Certified or if the service will involve subcontractors, the customer must be notified in writing at the time of the bid. (Item 3.9) All drivers and destruction processing employee files must contain an annual Acknowledgement of the company’s written policies and procedures. (Item 2.1b) All access employees have been trained to comply with NAID AAA Certification requirements (AETP) (Item 2.1g) Customers are provided with a receipt at the time of Media pickup, which includes the following: (Item 2.4) Type of Media (Paper, Micro Media or Computer Hard Drives) Quantity of Media Acknowledgement of the services rendered Customers are notified in writing when provided with a service that is NOT NAID Certified. This notification may be contained on a materials receipt, or another written agreement between the service provider and recipient of services. (Item 2.4) Material must be protected from loss due to wind, tipping/spillage or other atmospheric conditions (Item 2.6) Most recent inspections of all commercial vehicles. (Item 2.7) The required number of vehicles to be inspected will be available on the day of audit. (Requirements are: If three or less mobile and/or collection vehicles, all must be available. If four or more mobile and/or collection vehicles, 75% must be available.) (Item 2.8) Readily accessible, operable two-way communication devices for all drivers. (Item 2.9) IF APPLYING FOR PLANT-BASED OPERATION: All visitors must sign visitor log, be issued a visitors badge and be escorted by an Access Employee at all times. Visitor logs must be retained for one year. (Item 2.12) A secured area designated is available for holding confidential materials when unattended until destroyed. (Item 2.13) AUDIT PREPARATION CHECKLIST A secured area devoted only to destroying media is available. (No baling of unshredded paper may take place in this area, except cardboard.) If the building is not devoted solely to destruction operations, then a secured area within building must meet the following requirements: (Item 2.13) Wall or fence securing the area must be a minimum of 6ft tall. (If the wall or fence does not go all the way to the ceiling then the area must have a ceiling mounted sensor alarm inside and over the perimeter of the secured destruction area to detect breach of secured fence/wall.) Wall or fence securing the area must have lockable gate or door. Monitored alarm system when secure destruction building is unoccupied. (Item 2.14) Closed circuit camera system (CCTV) monitoring all access points into secure destruction building/area. (Item 2.15) The CCTV must provide sufficient clarity to identify individuals and their activities. There must be enough lighting at night or during other non-business hours to ensure that all images have sufficient clarity. 90 days of CCTV recordings must be available from date of audit. Alarm, Lighting, Door Locks and Visitor Logs are checked on a monthly basis and the CCTV system is checked on a weekly basis and documented via the Operational Security Maintenance Logs . Logs must be retained for one year. (Item 2.18) ENDORSEMENTS & THE DESTRUCTION PROCESS PAPER OR PRINTED MEDIA DESTRUCTION ENDORSEMENT: (Item 3.1) Paper/Printed Media destruction particle sizes: Continuous Shred: Width (max): 5/8 inch & Length: Indefinite Cross Cut or Pierce & Tear: Width (max): 3/4 inch & Length (max): 2.5 inches Pulverized: (max): 2 inch diameter holes via screens Screen Changing Logs MICRO MEDIA DESTRUCTION ENDORSEMENT: (Item 3.2) Micro Media destruction particle size must be 1/8 inch max or less. PHYSICAL HARD DRIVE DESTRUCTION ENDORSEMENT: (Item 3.3) Must have the following information: Recorded serial numbers of all hard drives or CPUs destroyed for each customer Log of customers that have opted out of serial number recordation (if applicable) Signed Opt-Out Agreements (if applicable) Copies of written standards/agreements for computer hard drive destruction for these customers NON-PAPER MEDIA DESTRUCTION ENDORSEMENT: (Item 3.4) A Standard method of destruction must be used. If any methods used deviate from the standard, the customer must be notified in writing describing the destruction process. PRODUCT DESTRUCTION ENDORSEMENT: (Item 3.5) Must have the following information: Consistent with the company’s policies and procedures manual Customer notification of a detailed account of the destruction process and must be retained on file for 3 years from the date of the destruction. Employee Confidentiality Agreements must contain language stating that the employee agrees that products accepted for destruction are confidential and that removal or use by the employee is a violation punishable by dismissal and subject to possible legal prosecution. Signed Agreement for Responsible Disposal of Materials (or customized document with similar wording) between you and the recipient indicating the type of media being destroyed and the final disposition of the media. (Item 3.7) Transfer of custody documentation including subcontractor list, subcontractor agreements, client agreements and proof of meeting certification requirements. (if applicable) (Item 3.8) COMPANY ASSURANCES Business license (Item 4.1) Proof of General Liability Insurance (aggregate or umbrella) of $2,000,000.00 or more. (Item 4.2) : Indicates sample forms available online at www.naidonline.org. Pacific Shredding is Hereby Granted NAID AAA Certification by the National Association for Information Destruction The National Association for Information Destruction (NAID®) is the non-profit trade association recognized globally as the secure data destruction industry's standards setting and oversight body. The certificate holder has met the rigorous requirements of the NAID AAA Certification program and demonstrated through announced and unannounced audits that its security processes, procedures, systems, equipment, and training meet the standards of care required by all known data protection regulations.* As a result, NAID AAA Certification also serves to meet all data controller vendor selection due diligence regulatory requirements. Valid Through: August 31, 2019 The certificate holder is NAID AAA Certified for the following services and media types: •Mobile & Plant-based Operations for Paper/Printed Media, Micro Media, Physical Hard Drive & No n-Paper Media Applicable to the following location(s): •5661 N. Golden State Blvd. #104, Fresno, CA 93722 � CU;,u :2 'f?-7 a,..h,ma <!#NAID Certijicatio11 Program Off1cial *NAID AAA Certification specifications are regularly evaluatecL'amended as necessary and service provider compliance is verified to ensure ongoing conformance with all known data protection regulations including The Privacy Act (,\ustralia). GDPR (Europe), HIPAA, GLBA, FACTA. Statl!-level requirements (USA), and PIPEDA, PIPA. PHIPA (Canada) in their relevant jurisdiction(s), as well as with related risk assessment, incident reporting and data breach reporting procedures and training as required therein or separately. PP.EE�IC: SHREDDING Document Destruction Services Certificate of Destruction I� National Association for _ Information Destruction, Inc . . ... . . . 1-866-2-SHRED3 www.pacific-records.com