HomeMy WebLinkAboutP-21-280 NextRequest.pdf coU County of Fresno
�+ INTERNAL SERVICES DEPARTMENT
Facilities• Fleet• Graphics• Purchasing • Security•Technology
O� 1$5�O
PROCUREMENT AGREEMENT
Agreement Number P-21-280
August 23, 2021
NextRequest
548 Market St Ste PMB 77522
San Francisco, CA 94104
The County of Fresno (County) hereby contracts with NextRequest, a Delaware corporation (Contractor), for
Public Record Act (PRA) Request System in accordance with the text of this agreement and Attachment"A"
by this reference made a part hereof.
TERM: This Agreement shall become effective August 27, 2021 and shall remain in effect through August
26, 2024.
EXTENSION: This Agreement may be extended for two (2)additional one (1)year periods by the mutual
written consent of all parties.
MINIMUM ORDERS: Unless stated otherwise there shall be no minimum order quantity. The County
reserves the right to increase or decrease orders or quantities.
CONTRACTOR'S SERVICES: Contractor shall perform the services as described in Attachment"A"
attached, at the rates set forth in Attachment"A".
ORDERS: Orders will be placed on an as-needed basis by County Internal Services Department under this
Agreement.
PRICES: Prices shall be firm for the Agreement period. Any pricing changes which may take place during
the life of the Agreement must be submitted in writing to the County of Fresno Purchasing Manager and
received no less than thirty (30)days prior to becoming effective.
MAXIMUM: In no event shall compensation for services performed and/or fees paid under this Agreement
be in excess of One Hundred Eighty-Two Thousand Five Hundred Twenty-Six Dollars ($182,526.00).
ADDITIONAL ITEMS: The County reserves the right to negotiate additional items to this Agreement as
deemed necessary. Such additions shall be made in writing and signed by both parties.
DELIVERY: The F.O.B. Point shall be the destination within the County of Fresno. All orders shall be
delivered complete as specified. All orders placed before Agreement expiration shall be honored under the
terms and conditions of this Agreement.
DEFAULT: In case of default by Contractor, the County may procure the articles/services from another
source and may recover the loss occasioned thereby from any unpaid balance due the Contractor or by any
other legal means available to the County. The prices paid by County shall be considered the prevailing
333 W.Pontiac Way,Clovis,CA 93612/(559)600-7110
The County of Fresno is an Equal Employment Opportunity Employer
PROCUREMENT AGREEMENT NUMBER: P-21-280 Page 2
NextRequest
August 23, 2021
market price at the time such purchase is made. Inspection of deliveries or offers for delivery, which do not
meet specifications, will be at the expense of Contractor, subject to the limitations set forth in Attachment A.
INVOICING: An itemized invoice shall be mailed to requesting County department in accordance with
invoicing instructions included in each order referencing this Agreement. The Agreement number must
appear on all shipping documents and invoices. Invoice terms shall be Net 45 Days.
INVOICE TERMS: Net forty-five (45) days from the receipt of invoice.
TERMINATION: The County reserves the right to terminate this Agreement upon thirty (30)days written
notice to the Contractor. In the event of such termination, the Contractor shall be paid for satisfactory
services or supplies provided to the date of termination.
LAWS AND REGULATIONS: The Contractor shall comply with all laws, rules and regulations whether they
be Federal, State or municipal, which may be applicable to Contractor's business, equipment and personnel
engaged in service covered by this Agreement.
AUDITS AND RETENTION: Terms and conditions set forth in the agreement associated with the purchased
goods are incorporated herein by reference. In addition, the Contractor shall maintain in good and legible
condition all books, documents, papers, data files and other records related to its performance under this
contract. Such records shall be complete and available to Fresno County, the State of California, the federal
government or their duly authorized representatives for the purpose of audit, examination, or copying during
the term of the contract and for a period of at least three years following the County's final payment under the
contract or until conclusion of any pending matter(e.g., litigation or audit), whichever is later. Such records
must be retained in the manner described above until all pending matters are closed.
LIABILITY: The Contractor agrees to:
Subject to the limitations in Attachment A, pay all claims for damage to property in any manner arising from
Contractor's operations under this Agreement.
Indemnify, save and hold harmless, and at County's request defend the County, its officers, agents and
employees from any and all claims for damage or other liability, including costs, expenses (including
attorney's fees and costs), causes of action, claims or judgments resulting out of or in any way connected
with Contractor's negligent performance or failure to perform by Contractor, its agents, officers or employees
under this Agreement, and from any and all costs and expenses (including attorney's fees and costs),
damages, liabilities, claims, and losses occurring or resulting to any person, firm or corporation who may be
injured or damaged by the negligent performance, or failure to perform, of Contractor, its officers, agents, or
employees under this Agreement.
INSURANCE: Without limiting the COUNTY's right to obtain indemnification from CONTRACTOR or any
third parties, CONTRACTOR, at its sole expense, shall maintain in full force and effect, the following
insurance policies or a program of self-insurance, including but not limited to, an insurance pooling
arrangement or Joint Powers Agreement(JPA)throughout the term of the Agreement:
A. Commercial General Liability: Commercial General Liability Insurance with limits of not less than One
Million Dollars ($1,000,000.00) per occurrence and an annual aggregate of Two Million Dollars
($2,000,000.00). This policy shall be issued on a per occurrence basis. County may require specific
coverage including completed operations, product liability, contractual liability, Explosion-Col lapse-
Underground, fire legal liability or any other liability insurance deemed necessary because of the nature
of the contract.
B. Automobile Liability: Comprehensive Automobile Liability Insurance with limits of not less than One
Million Dollars ($1,000,000.00) per accident for bodily injury and for property damages. Coverage should
include any auto used in connection with this Agreement.
C. Professional Liability: If Contractor employs licensed professional staff, (e.g., Ph.D., R.N., L.C.S.W.,
M.F.C.C.) in providing services, Professional Liability Insurance with limits of not less than One Million
Dollars ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) annual aggregate.
GAPUBLIC\CONTRACTS&EXTRACTS\2021 CONTRACTS\P-21-280 NEXT REQUEST\P-21-280 NEXT REQUEST.DOCX
PROCUREMENT AGREEMENT NUMBER: P-21-280 Page 3
NextRequest
August 23, 2021
D. Worker's Compensation: A policy of Worker's Compensation insurance as may be required by the
California Labor Code.
E. Technology Professional Liability. Technology professional liability (errors and omissions) insurance with
limits of not less than Two Million Dollars ($2,000,000) per occurrence. Coverage must encompass all of
CONTRACTOR's obligations under this Agreement, including but not limited to claims involving Cyber
Risks.
F. Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per
occurrence. Coverage must include, but not be limited to, claims involving Cyber Risks. The cyber
liability policy must be endorsed to cover the full replacement value of damage to, alteration of, loss of, or
destruction of intangible property(including but not limited to information or data)that is in the care,
custody, or control of CONTRACTOR.
Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security Breaches, which may
include Disclosure of Personal Information to an Unauthorized Third Party; (ii) breach of any of
CONTRACTOR's obligations under Exhibit A to this Agreement, "Data Security"; (iii) infringement of
intellectual property, including but not limited to infringement of copyright, trademark, and trade dress;
(iv) invasion of privacy, including release of private information; (v) information theft; (vi)damage to or
destruction or alteration of electronic information; (vii) extortion related to CONTRACTOR's obligations
under this Agreement regarding electronic information, including Personal Information; (viii) network
security; (ix) data breach response costs, including Security Breach response costs; (x) regulatory fines
and penalties related to CONTRACTOR's obligations under this Agreement regarding electronic
information, including Personal Information; and (xi) credit monitoring expenses. Capitalized terms in this
paragraph have the meaning given to them in Exhibit A, "Data Security."
G. Umbrella or Excess Policy
Minimum Limits of Insurance,"this insurance policy(ies) shall"follow form" and afford no less coverage
than the primary insurance policy(ies). In addition, such Umbrella or Excess insurance policy(ies) shall
also apply on a primary and non-contributory basis for the benefit of the COUNTY, its officers, officials,
employees, agents and volunteers.
Additional Requirements Relating to Insurance:
Contractor shall obtain endorsements to the Commercial General Liability insurance naming the County of
Fresno, its officers, agents, and employees, individually and collectively, as additional insured, but only
insofar as the operations under this Agreement are concerned. Such coverage for additional insured shall
apply as primary insurance and any other insurance, or self-insurance, maintained by County, its officers,
agents and employees shall be excess only and not contributing with insurance provided under Contractor's
policies herein. This insurance shall not be cancelled or changed without a minimum of thirty (30) days
advance written notice given to County.
Contractor hereby waives its right to recover from County, its officers, agents, and employees any amounts
paid by the policy of worker's compensation insurance required by this Agreement. Contractor is solely
responsible to obtain any endorsement to such policy that may be necessary to accomplish such waiver of
subrogation, but Contractor's waiver of subrogation under this paragraph is effective whether or not
Contractor obtains such an endorsement.
Within Thirty (30)days from the date Contractor signs and executes this Agreement, Contractor shall provide
certificates of insurance and endorsement as stated above for all of the foregoing policies, as required
herein, to the County of Fresno, ISDBusinessOffice(@FresnoCountyCA.gov, stating that such insurance
coverage have been obtained and are in full force; that the County of Fresno, its officers, agents and
employees will not be responsible for any premiums on the policies; that such Commercial General Liability
insurance names the County of Fresno, its officers, agents and employees, individually and collectively, as
additional insured, but only insofar as the operations under this Agreement are concerned; that such
coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance,
GAPUBLIC\CONTRACTS&EXTRACTS\2021 CONTRACTS\P-21-280 NEXT REQUEST\P-21-280 NEXT REQUEST.DOCX
PROCUREMENT AGREEMENT NUMBER: P-21-280 Page 4
NextRequest
August 23, 2021
maintained by County, its officers, agents and employees, shall be excess only and not contributing with
insurance provided under Contractor's policies herein; and that this insurance shall not be cancelled or
changed without a minimum of thirty (30) days advance, written notice given to County. Certificates of
Insurance are to include the contract number at the top of the first page.
In the event Contractor fails to keep in effect at all times insurance coverage as herein provided, the County
may, in addition to other remedies it may have, suspend or terminate this Agreement upon the occurrence of
such event.
All policies shall be with admitted insurers licensed to do business in the State of California. Insurance
purchased shall be purchased from companies possessing a current A.M. Best, Inc. rating of A FSC VII or
better.
COMING ON COUNTY PROPERTY TO DO WORK: Contractor agrees to provide maintain and furnish
proof of Comprehensive General Liability Insurance with limits of not less than $500,000 per occurrence.
INDEPENDENT CONTRACTOR: In performance of the work, duties and obligations assumed by Contractor
under this Agreement, it is mutually understood and agreed that Contractor, including any and all of
Contractor's officers, agents, and employees will at all times be acting and performing as an independent
contractor, and shall act in an independent capacity and not as an officer, agent, servant, employee,joint
venturer, partner, or associate of the County. Furthermore, County shall have no right to control or supervise
or direct the manner or method by which Contractor shall perform its work and function. However, County
shall retain the right to administer this Agreement so as to verify that Contractor is performing its obligations
in accordance with the terms and conditions thereof. Contractor and County shall comply with all applicable
provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over
matters the subject thereof.
Because of its status as an independent contractor, Contractor shall have absolutely no right to employment
rights and benefits available to County employees. Contractor shall be solely liable and responsible for
providing to, or on behalf of, its employees all legally-required employee benefits. In addition, Contractor
shall be solely responsible and save County harmless from all matters relating to payment of Contractor's
employees, including compliance with Social Security, withholding, and all other regulations governing such
matters. It is acknowledged that during the term of this Agreement, Contractor may be providing services to
others unrelated to the County or to this Agreement.
NON-ASSIGNMENT: Neither party shall assign, transfer or sub-contract this Agreement nor their rights or
duties under this Agreement without the written consent of the other party, provided Contractor may assign
this Agreement without the County's consent in connection with a stock sale, merger or sale of all or
substantially all of its assets to a third party.
NOTICES: The persons and their addresses having authority to give and receive notices under this
Agreement include the following:
COUNTY CONTRACTOR
COUNTY OF FRESNO NextRequest
Director of Internal Services/CIO CEO/CTO
333 West Pontiac Way 548 Market Street, PMB 77522
Clovis, CA 93612 San Francisco, CA 94104
All notices between the COUNTY and CONTRACTOR provided for or permitted under this Agreement must
be in writing and delivered either by personal service, by first-class United States mail, by an overnight
commercial courier service, or by telephonic facsimile transmission. A notice delivered by personal service is
GAPUBLIC\CONTRACTS&EXTRACTS\2021 CONTRACTS\P-21-280 NEXT REQUEST\P-21-280 NEXT REQUEST.DOCX
PROCUREMENT AGREEMENT NUMBER: P-21-280 Page 5
NextRequest
August 23, 2021
effective upon service to the recipient. A notice delivered by first-class United States mail is effective three
COUNTY business days after deposit in the United States mail, postage prepaid, addressed to the recipient.
A notice delivered by an overnight commercial courier service is effective one COUNTY business day after
deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given
for next day delivery, addressed to the recipient. A notice delivered by telephonic facsimile is effective when
transmission to the recipient is completed (but, if such transmission is completed outside of COUNTY
business hours, then such delivery shall be deemed to be effective at the next beginning of a COUNTY
business day), provided that the sender maintains a machine record of the completed transmission. For all
claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any
claims presentation requirements or procedures provided by law, including but not limited to the Government
Claims Act(Division 3.6 of Title 1 of the Government Code, beginning with section 810).
AMENDMENTS: This Agreement constitutes the entire Agreement between the Contractor and the County
with respect to the subject matter hereof and supersedes all previous negotiations, proposals, commitments,
writings, advertisements, publications, Request for Proposals, Bids and understandings of any nature
whatsoever unless expressly included in this Agreement. This Agreement supersedes any and all terms set
forth in Contractor's invoice. This Agreement may be amended only by written addendum signed by both
parties.
INCONSISTENCIES: In the event of any inconsistency in interpreting the documents which constitute this
Agreement, the inconsistency shall be resolved by giving precedence in the following order of priority: (1)the
text of this Agreement (excluding Attachment"A") and (2)Attachment"A.
GOVERNING LAWS: This Agreement shall be construed, interpreted and enforced under the laws of the
State of California. Venue for any action shall only be in County of Fresno.
ELECTRONIC SIGNATURES: The parties agree that this Agreement may be executed by electronic
signature as provided in this section.
A. An "electronic signature" means any symbol or process intended by an individual signing this Agreement
to represent their signature, including but not limited to (1)a digital signature; (2) a faxed version of an
original handwritten signature; or(3) an electronically scanned and transmitted (for example by PDF
document)of a handwritten signature.
B. Each electronic signature affixed or attached to this Agreement (1) is deemed equivalent to a valid
original handwritten signature of the person signing this Agreement for all purposes, including but not
limited to evidentiary proof in any administrative or judicial proceeding, and (2) has the same force and
effect as the valid original handwritten signature of that person.
C. The provisions of this section satisfy the requirements of Civil Code section 1633.5, subdivision (b), in
the Uniform Electronic Transaction Act(Civil Code, Division 3, Part 2, Title 2.5, beginning with section
1633.1).
D. Each party using a digital signature represents that it has undertaken and satisfied the requirements of
Government Code section 16.5, subdivision (a), paragraphs (1)through (5), and agrees that each other
party may rely upon that representation.
This Agreement is not conditioned upon the parties conducting the transactions under it by electronic means
and either party may sign this Agreement with an original handwritten signature.
GAPUBLIC\CONTRACTS&EXTRACTS\2021 CONTRACTS\P-21-280 NEXT REQUEST\P-21-280 NEXT REQUEST.DOCX
PROCUREMENT AGREEMENT NUMBER: P-21-280 Page 6
NextRequest
August 23, 2021
Please acknowledge your acceptance by returning all pages of this Agreement to my office via email or
USPS.
Please refer any inquiries in this matter to Heather Stevens, Purchasing Technician, at 559-600-7115 or
heastevens(cDFresnoCountyCA.gov.
FOR THE COUNTY OF FRESNO
Gary Co rn u e I I e Digitally signed by Gary Cornuelle
Date:2021.08.23 13:29:23-07'00'
Gary E. Cornuelle
Purchasing Manager
333 W. Pontiac Way
Clovis, CA 93612
GEC:HS
G:\PUBLIC\CONTRACTS&EXTRACTS\2021 CONTRACTS\P-21-280 NEXT REQUEST\P-21-280 NEXT REQUEST.DOCX
PROCUREMENT AGREEMENT NUMBER: P-21-280 Page 7
NextRequest
August 23, 2021
CONTRACTOR TO COMPLETE:
NextRequest
Company:
Type of Entity:
❑ Individual ❑ Limited Liability Company
❑ Sole Proprietorship ❑ Limited Liability Partnership
® Corporation ❑ General Partnership
548 Market Street, PMB 77522 San Francisco, CA 94104
Address City State Zip
833-698-7778 info@nextrequest.com
TELEPHONE NUMBER FAX NUMBER E-MAIL ADDRESS
Print Name & Reed Duecy-Gibbs, CEO Print Name & Andrew Hull VP Engineering
Title: Title:
WDWX
Signature: Signature:
ACCOUNTING USE ONLY
ORG No.: 8905
Account No.: 7311
Requisition No.: 8905220052
(02/2021)
G:\PUBLIC\CONTRACTS&EXTRACTS\2021 CONTRACTS\P-21-280 NEXT REQUEST\P-21-280 NEXT REQUEST.DOCX
P-21-280
vN ext Req u est Attachment A
NextRequest for Fresno County
Prepared for: Christina Flores, Fresno County
Prepared by: Alissa Letkowski (NextRequest)
Date: Aug 20,2021
What do I get with An all-in-one platform for managing records requests across
NextRequest? your entire agency. It's an annual subscription and includes:
• Workflow Tools
• Document Hosting&Management
• Dashboards and Custom Reporting
• Request Diversion
• Regular Product Improvements and Feature Updates
Security? We protect your information using:
• SOC 2 Security Audit
• Encryption and Threat/Uptime Monitoring
• See a full overview at: nextrequest.com/security
Technical NextRequest Is entirely web based and software-as-a-service
Requirements? • Everything in the cloud-no downloads or installations
• Works on all modern web browsers
nextrequest.com 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 1 info@nextrequest.com 1(833)698-7778
P-21-280
vN ext Req u est Attachment A
NextRequest & Fresno County Agreement
Current Date: Aug 20,2021 (valid through Aug.27,2021)
Customer Fresno County Term Start August 27,2021
Address 333 W.Pontiac Way,Clovis,CA93612 Term End August 26,2024
Contact Christina Flores Invoicing Invoiced Annually
nextrequest.com 1 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 1 info@nextrequest.com 1(833)698-7778
P-21-280
vNextPequest Attachment A
Discount if Signed
Name Price QTY by 8/27/21 Subtotal
NextRequest Enterprise Annual $25,000.00 1 0% $25,000.00
License
• Kecord Request Management
Module&Document Module
• 250 users
• 3 TB Storage
• Redaction (unlimited licenses
across NextRequest users)
• Premier Security Package
• Universal Compliance
Package(Option to utilize
CJIS features&HIPAA BAA)
• Task assignment and tracking
• Premium Email Monitoring
Suite
• Custom URL
• Single Sign On (SSO)Annual
Maintenance+Set up
• Retention
• Time Tracking
• Generate Cost Estimates
• Payments&Invoicing(using
Stripe Payment Processor)
• Sandbox
• Email Support
• Training/Onboarding
• Phone Support
• Account Management
• API tokens available upon
request
Set Up (One-time) $5,250.00 1 100% $0.00
•Customer Success Plan+
Application Configuration
•Two webinar training sessions
(video recorded)
Universal Compliance Package $13,650.00 2 85% $4,095.00
Package Includes:
• CJIS compliance features
• HIPAA compliance features
• Business Associate Agreement
(BAA)
nextrequest.com 1 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 1 info@nextrequest.com 1(833)698-7778
P-21-280
vN ext Req u est Attachment A
CJ IS Features:
• Custom disclaimer text in
portal policy settings.
Meets CJIS section
5.5.4: "The information
system shall display an
approved system use
notification message,
before granting access,
informing potential
users of various usages
and monitoring rules"
• Point of contact can unlock
user accounts that are locked
• Sessions timeout after 30
minutes of inactivity.
Meets CJIS section 5.5.5
"Session Lock"
• Passwords expire after 90
days.
In combination with
other NextRequest
features,meets CJIS
section 5.6.2.1.1
"Password"
• New passwords cannot be
one of the last 10 passwords
used.
In combination with
other NextRequest
features,meets CJIS
section 5.6.2.1.1
"Password"
• Two factor authentication
through email.
Meets CJIS section
5.6.2.2"Advanced
Authentication"
H I PAA Features:
• Maps to HIPAA Security Rule
• Maps to HIPAA Privacy Rule
A fully executed Business
Associate Agreement(BAA)and
completed HIPAA configuration of
your portal by a NextRequest staff
member is required before using
your NextRequest portal for
nextrequest.com 1 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 info@nextrequest.com 1(833)698-7778
P-21-280
vN ext Req u est Attachment A
managing any HIPAA related
records and information.
Additional NextRequest Portal $13,125.00 1 70% $3,937.50
Includes an additional
NextRequest portal,cordoned off
from the agency's existing portal.
This portal can be used in
conjunction with the CJIS
compliance and/or HIPAA
compliance add-ons
(recommended) or for any
departments who plan to keep
requests and records separate
from the rest of the agency.
Note:Any optional modules your
agency chooses to add to its
"Additional Portal"will need to be
purchased separately from the
agency's main portal.
Year 1 Total(if signed by 8/27/21) $33,032.50
Year Price
Year 1 $33,032.50
Year 2 $34,684.12
Year 3 $36,418.33
Year (optional) $38,239.24
Year (optional) $40,151.21
Service Agreement
Welcome to NextRequest!Thanks for using our platform.This Service Agreement("Agreement")is entered between NextRequest Co.,with a place of
business at 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 USA("NextRequest"),and the Customer listed above("Customer"),as of the
Effective Date.This Agreement includes the above subscription and support(the"Services")and incorporates the above Order Form as well as the
enclosed Terms and Conditions and Service Level Agreement and which contains,among other things,warranty disclaimers,liability limitations and
use limitations.There shall be no force or effect to any different terms of any related purchase order or similar form even if signed by the parties after
the date hereof.
Renewals
nextrequest.com 1 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 1 info@nextrequest.com 1(833)698-7778
P-21-280
vN ext Req u est Attachment A
Pricing may be subject to a standard 5%annual increase to account for application improvements,new features and inflation.
Accounts Payable Info Will issue PO?
Name: Email: Phone: Yes: ❑ No: ❑
Download our W-9 at: nextrequest.com/w-9 (password:foiasoftware)
nextrequest.com 1 548 Market St.,Suite PMB 77522 San Francisco,CA 94104 linfo@nextrequest.com 1(833)698-7778
P-21-280
Attachment A
NextRequest
Master Service Agreement
Version 4.0 (April 6, 2021)
This Master Service Agreement ("MSA"), together with the Procurement Agreement Number P-21-280,
dated 8/23/21 ("Order Form") executed between NextRequest and Customer, which is incorporated
herein by reference, constitute a legally binding contract between NextRequest and Customer. The Order
Form, together with this MSA is referred to as the"Agreement" or"Service Agreement".
"NextRequest" means NextRequest Co., a Delaware Corporation with principal offices at 460 Brannan St.
#77208 San Francisco, CA 94107 and "Customer" means the entity or person identified as such in the
Order Form. Each of NextRequest and Customer may each be referred to as a"Party" and together as the
"Parties".
1. Defined Terms
1.1. "Business Day" or "Business Hours" means 9:00 a.m. — 6:00 p.m. Monday through Friday, U.S.
Pacific time, excluding public holidays in the United States.
1.2. "Confidential Information" means all information disclosed by one Party (the"Disclosing Party")to
the other Party(the"Receiving Party"),whether before or after the effective date of the Agreement,
that the recipient should reasonably understand to be confidential, including information that is
marked or otherwise conspicuously designated as confidential, and for NextRequest only, scripts
and other tools used in the Service. Information that is(i)independently developed by either Party,
without reference to the other's Confidential Information, (ii) is or becomes publicly available
(through no improper action or inaction by the Receiving Party or any affiliate, agent, consultant
or employee of the Receiving Party), (iii) was in its possession or known by it without restriction
prior to receipt from the Disclosing Party, or (iv) becomes available to either Party without
restriction other than through breach of the Agreement or applicable law, will not be "Confidential
Information" of the other Party. The Receiving Party may make disclosures required by law or
court order, provided the Receiving Party provides notice to the Disclosing Party so that the
Disclosing Party may obtain a protective order from the court, at the Disclosing Party's cost to the
extent permitted by law.
1.3. "Customer Content" means any content (including without limitation data, text, audio, video, or
images) that Customer provides or transfers to NextRequest for processing, storage or
transmission in connection with Customer's use of the Service, including without limitation, public
records requests Customer receives directly from Requesters and submits to the Service, as well
as any public records results (including redacted versions of documents)that Customer provides,
uploads, publishes, displays, transfers or otherwise makes available to NextRequest through its
use of the Services. Customer Content does not include Usage Data collected from Customer or
Requesters.
1.4. "Customer User" means a person authorized by Customer, such as a Customer employee, to use
the Service on Customer's behalf. Customer User does not include Requesters.
1.5. "Hourly Services" means hourly support or training services to be provided by NextRequest under
an applicable Order Form.
1.6. "Intellectual Property" or"IP" means all rights in, to, or arising out of: (i) any U.S., international or
foreign patent or any application therefor and any and all reissues, divisions, continuations,
renewals, extensions, continuations-in-part, utility models and supplementary protection
certificates thereof; (ii)inventions(whether patentable or not in any country), invention disclosures,
improvements, trade secrets, proprietary information or materials, know-how, technology and
technical data; (iii) copyrights, copyright registrations, mask works, mask work registrations, and
applications therefor in the U.S. or any foreign country, and all other rights corresponding thereto
throughout the world; (iv) trademarks, service marks, trade names, domain names, logos, trade
dress,and all goodwill associated therewith; and (v)any other proprietary rights or a similar nature
anywhere in the world.
1.7. "Prohibited Content" means content (i) that violates any third party's rights, including privacy or
Intellectual Property rights; (ii) that is libelous, harassing, abusive, fraudulent, defamatory,
P-21-280
Attachment A
excessively profane, obscene, abusive, hate related, violent, harmful to minors; (iii)that advocates
racial or ethnic intolerance; (iv) intended to advocate or advance computer hacking or cracking;
(v)gambling; (vi)other illegal activity; (vii)drug paraphernalia; (viii)phishing; (ix)malicious content;
and (x) other material, products or services that violate or encourage conduct that would violate
any laws or third-party rights.
1.8. "Requester" means a person that uses the Service to make a public records request or to access
or download publicly-available records.
1.9. "Requester Content" means information provided directly to NextRequest a Requester. Requester
Content does not include Usage Data collected from Requesters.
1.10. "Sensitive Information" means Confidential Information, such as financial data, personal
data, individually identifiable information about children, individually identifiable health information,
geolocation information about specific people, Social Security numbers, driver's license numbers,
other confidential ID numbers, financial account numbers, credit or debit card numbers, personal
identification numbers (PINs) or passwords, street addresses, phone numbers, or other personal
information designated in writing as sensitive by Customer.
1.11. "Service" means NextRequest's integrated web-based service,which assists customers in
responding to public records requests. The Service consists of a core web-based application and
any optional modules which may be purchased by Customer. The details of the Service subject to
this Agreement are set forth in the Order Form.
1.12."Service Level Agreement" or"SLA" means the NextRequest Service Level Agreement attached
as Exhibit A to this Agreement and incorporated by reference.
1.13."Service Providers" means third-party providers of services that are part of the Service.
1.14. "Usage Data" means information other than Customer Content or Requester Content that
is collected, directly or indirectly, from Customer or Requesters by or through the Service that
specifically tracks the usage or performance of the Service, including information that incorporates
or is derived from the processing, storage or transmission of information, data or content by or
through the Service as well as any information, data or other content derived from NextRequest's
or its Service Providers' monitoring of Customer's access to or use of the Service such as
information reflecting the access or use of the Service by or on behalf of Customer or any
Requester. All right, title, and interest in and to the Usage Data shall remain exclusively with
NextRequest. Usage Data shall be considered the Confidential Information of NextRequest.
NextRequest will employ commercially reasonable measures to ensure that access to Usage Data
is not provided to any third party unless such entity has a need to know in order for NextRequest
to perform its obligations under this Agreement. Notwithstanding anything else, Customer
acknowledges and agrees that NextRequest may: (a) use Usage Data as necessary to provide
Services under this Agreement, including for purposes of billing and providing reports to Customer;
and (b) use and disclose Usage Data provided that it is aggregated in a manner that does not
identify Customer, Customer's Users, or Requesters, and cannot be used to determine which
portion of the aggregated data is related or attributable to Customer.
2. Services
2.1. NextRequest Service. During the term of this agreement, NextRequest will use commercially
reasonable efforts to deploy, host, and maintain for Customer the Service further described in the
Order Form.
2.2. Service Level Agreement. NextRequest will provide support for the Service according to the
terms of the Service Level Agreement attached hereto as Exhibit A and incorporated by reference.
2.3. Other Services. If provided in the Order Form, NextRequest will provide Additional Services
consistent with industry standards and according to the terms in the Order Form. Services such
as setup or customer support will be provided during Business Hours, online, or by telephone,
unless otherwise agreed to by the Parties.
2.4. Excluded Services. Unless expressly provided in the Order Form, NextRequest is not responsible
for registering or maintaining domain names or DNS; hardware or software not provided as part
of the Service; integration between the Service and any other software or system(except for issues
originating with the Service or its interfaces); or providing direct support to Requesters.
2.5. Security.The Service is hosted by third-party Service Providers pursuant to agreements between
NextRequest and such Service Providers. NextRequest maintains the level of security outlined in
P-21-280
Attachment A
NextRequest's Security Policy ("Security Policy"), which is available at
https://www.https://www.nextrequest.com/compliance/security-policy.
3. Intellectual Property and Licenses.
3.1. Service. The Service is protected by copyright, trademark, trade secret, and other intellectual
property laws of both the United States and foreign countries. Except for the express licenses
granted in this Section 3.1, NextRequest reserves all rights in the Service. As between Customer
and NextRequest, NextRequest retains all and exclusive rights, title, and interest in and to the
Service, including all Intellectual Property rights or moral rights in the Service related thereto or
created, used, or provided by NextRequest for the purposes of this Agreement, and any products,
works, software used to provide the Service to Customer. During the Term and conditioned upon
Customer's compliance with all provisions of this Agreement, NextRequest hereby authorizes
Customer to access and use the Service for purpose of accepting, responding to and managing
public records requests and publishing responsive documents ("Purpose"), and grants to
Customer a personal, limited, royalty-free, non-exclusive, non-assignable, non-sublicensable and
non-transferable right and license to use the Service only for the Purpose. Customer shall not(and
shall not permit any third party to) directly or indirectly (a) copy, modify, translate or create
derivative works or improvements of the Service; (b) rent, lease, lend, sell, sublicense, assign,
distribute, publish, transfer or otherwise make available any Service or any part or derivative
thereof to any person; (c) reverse engineer, disassemble, decompile, decode, adapt or otherwise
attempt to derive or gain access to the source code, underlying ideas, algorithms, structure or
organization of the Service, in whole or in part; or (d) defeat, bypass, breach, deactivate, or
otherwise circumvent any security device or protection used by the Service or access or use the
Service other than through the use of its own then valid access credentials.
3.2. Customer Content. As between Customer and NextRequest, Customer retains ownership of all
Intellectual Property in Customer Content. Customer grants to NextRequest, its Service Providers
and each of NextRequest's respective subsidiaries, affiliates, and successors a worldwide, non-
exclusive, royalty-free, fully-paid-up, transferable, irrevocable, perpetual, unlimited, and sub-
licensable right and license to use, host, store, cache, reproduce, publish, publicly display,
perform, distribute,transmit,translate, publicly perform, adapt, modify, and otherwise fully use and
exploit Customer Content, in all media now known or later developed, for the purpose of providing
the Services.
3.3. Requester Content. Requester Content submitted directly by a Requester to NextRequest is
governed by the NextRequest Terms of Service. As set forth in the Terms of Service, Requester
grants to Customer a worldwide, non-exclusive, royalty-free, fully-paid-up, non-assignable, non-
transferrable, irrevocable, perpetual, and non-sublicensable right to use Requester Content solely
for the Purpose.
3.4. Feedback and improvements.Any suggestions provided by Customer in any form or medium to
NextRequest with respect to NextRequest's products or services shall be collectively deemed
"Feedback." NextRequest will be free to use Feedback without any obligation to Customer and
Customer hereby assigns to NextRequest all rights, title, and interest in and to any Feedback.
NextRequest will be considered the sole author of all modifications or improvements to the Service.
NextRequest may use Customer Content to improve the Service and shall be the sole owner of
any such improvements, so long as such use protects the confidentiality of Customer Content.
4. Customer Obligations and Restrictions
4.1. Security. Customer will protect the accounts, passwords, and other authentication information
Customer uses to access the Service and any NextRequest system, and is responsible for the use
of the Service by any Customer User, employee of Customer, any person Customer authorizes to
use the Service, any person to whom Customer has given access to the Service, and any person
who gains access to Customer Content or the Service as a result of Customer's failure to use
reasonable security precautions, even if such use was not authorized by Customer. Customer's
user names, passwords, other login information or personal information may be stored by
NextRequest or its Service Providers in the course of providing Service and may be available to
the Service and Service Providers.
4.2. Compliance with Laws. Customer is solely responsible for Customer Content and will comply
with all laws applicable to Customer's use of the Service, including without limitation, all local,
state, and federal public records law and privacy and security laws. NextRequest shall not be liable
P-21-280
Attachment A
for any damages that arise due to Customer's use of the Services or publication, processing,
storage or transmission of any information in violation of any law. Customer represents and
warrants that it has reviewed the Security Policy carefully and has made its own, independent
determination whether the levels of privacy and security set forth in the Security Policy are
sufficient for Customer's use of the Service. Customer acknowledges and agrees that the Service,
including without limitation the degree of privacy and security provided by the Service, may not
comply with special privacy and security requirements relating to the processing, storage or
transmission of Sensitive Information.Customer will not use the Service to process any information
subject to the Health Insurance Portability and Accountability Act ("HIPAK) without signing a
Business Associate Agreement with NextRequest. Customer agrees that if Customer uses the
Service to process Sensitive Information without a Business Associate Agreement, any such use
is at Customer's own risk and NextRequest will have no liability to Customer or any third party
arising out of or relating to such use. Customer will indemnify NextRequest and its Service
Providers against any and all damages, liabilities, costs, and expenses (including reasonable
attorneys' fees) arising out of or relating to such use. Customer will not disclose to NextRequest
or the Service any information that Customer is prohibited by any law or regulation from disclosing.
4.3. Acceptable Use Policy. Customer shall not use the Service (i)to send or facilitate the sending of
unsolicited bulk commercial email (spam)or inundating a target with communications requests so
the target cannot effectively respond to legitimate traffic; (ii)to send, upload, distribute, or transmit
or store Prohibited Content (iii) to distribute malware, including viruses, worms, Trojan horses,
corrupted files, hoaxes, or other items of a destructive or deceptive nature; (iv) to alter, disable,
interfere with, disrupt, circumvent or exploit vulnerabilities in any aspect of the Service or
NextRequest's or third parties'other services or systems; (vi) monitor data or traffic on the Service
without permission; (vii) forge TCP-IP packet headers, e-mail headers, or any part of a message
describing its origin or route; (viii)to infringe or misappropriate the Intellectual Property or privacy
rights of any person; (vii) to otherwise violate, or promote the violation of, any law or the legal
rights of any person; (viii) to impersonate another person; (ix) for any high risk use where failure
of the Service could lead to death or serious bodily injury or any person or to physical or
environmental damages, such as applications controlling transportation, medical systems or
weaponry systems; or (x) to otherwise access or use the Service beyond the scope of the
authorization granted under Section 2.1. If Customer becomes aware of any actual or threatened
activity prohibited under this section, Customer shall immediately take all reasonable measures to
stop the activity,to mitigate its effects, and to notify NextRequest. Customer is responsible for any
act or omission of any Customer User. NextRequest and its Service Providers may report any
activity, including disclosing appropriate information, if they suspect such activity violates any law
or regulation.
4.4. Service Policies and Privacy. Customer acknowledges that NextRequest is required by law to
provide a Privacy Policy for all users of the Service and visitors to NextRequest.com. Customer
acknowledges that all users of the Service are subject to the NextRequest Privacy Policy available
at https://www.nextrequest.com/privacypolicy,which applies to information and data collected with
respect to Requesters and Customers, including Requester Content, Usage Data and email
correspondence handled by the Service. The NextRequest privacy policy applies to Usage Data
relating to Customer Content, but does not apply to Customer Content itself. Customer
acknowledges that, in order to use the Service, all users of the Service are subject to the
NextRequest Terms of Service available at https://www.nextrequest.com/termsofservice which
may be updated from time to time.
4.5. Deletion of Customer Content. The Service enables Customer to delete Customer Content for
purposes of adhering to Customer's document retention or other policies, or any applicable law.
When Customer deletes Customer Content ("Deleted Content"), such Customer Content is
removed from databases accessible to Customer, Requester and/or the general public so that
Customer no longer has access to Deleted Content. However, copies and backups of Deleted
Content may continue to be stored on NextRequest's or its Service Providers' servers. Customer
acknowledges and agrees that after deletion, under no circumstances will NextRequest provide
Customer with copies of Deleted Content. NextRequest may provide Deleted Content to third
parties as required by law or a court order, and will notify Customer to the extent allowed by
applicable law.
P-21-280
Attachment A
4.6. Removal of Customer Content, Suspension of Service
4.6.1.NextRequest reserves the right to remove or prohibit any Customer Content or Requester
Content that NextRequest determines in its sole discretion violates applicable law or the
Acceptable Use Policy.
4.6.2.NextRequest may suspend or terminate Customer's use of the Services if NextRequest
reasonably believes in its sole discretion that: (a) it is required to do so by law or a regulatory
or government body, or doing so is necessary to protect the rights of NextRequest, its Service
Providers, a Requester, or its other Customers; (b) Customer has failed to comply with any
material term of this Agreement, including the Acceptable Use Policy; (c) Customer's use
violates applicable law or third-party rights; or(d) this Agreement expires or is terminated. In
the event of that Customer's use of the Services is suspended or terminated pursuant to this
Section 4.6.2, Customer shall be entitled as its sole remedy (and NextRequest's sole
obligation)to a proportionate refund of any prepaid unused Fees from the date of suspension
or termination and the Customer shall receive all Customer data from the system in an
acceptable .xsIx or.csv file format within 30 days of suspension, termination, or cancellation.
4.6.3.Notwithstanding the foregoing and for the avoidance of doubt, NextRequest shall have no
obligation to monitor,filter, or disable access to any Customer Content or Requester Content.
4.6.4.If NextRequest or a Service Provider elects to remove Customer Content or suspend the
Services, to the extent possible and permitted by applicable law, NextRequest will give
Customer advance notice of at least one (1) Business Day and will use commercially
reasonable efforts to provide removed Customer Content to Customer to maintain
Customer's business process continuity.
4.6.5.If Customer Content is removed as part of the notice-and-takedown procedure provided by
the Digital Millennium Copyright Act ("DMCA"), and Customer believes such Customer
Content was wrongly removed as a result of a copyright infringement notice, Customer may
notify NextRequest as provided in section 6.3 of the Terms of Service.
5. Customer Representations and Warranties. Customer represents, warrants, and covenants that:
5.1. It is duly organized, validly existing and in good standing under the laws of its jurisdiction of
incorporation;
5.2. It has the legal right and authority to enter into and perform its obligations under this Agreement;
5.3. The execution and performance of this Agreement will not conflict with or violate any provision of
any applicable federal, state, or municipal law, regulation, or ordinance;
5.4. This Agreement, when executed and delivered, will constitute a valid and binding obligation will
be enforceable against Customer in accordance with its terms;
5.5. To the best of Customer's knowledge, it has all necessary rights in the Customer Content to permit
Customer's use of the Service and to grant the licenses contained in this Agreement without
infringing the Intellectual Property or other rights of any third parties, violating any applicable laws,
or violating the terms of any license or agreement to which it is bound;
5.6. To the best of Customer's knowledge, Customer has the legal right and authority to provide
Customer Content to NextRequest, and to make such Customer Content and Requester Content
publicly available through the Service.
5.7. To the best of Customer's knowledge, Customer's disclosure to the Services of any Customer
Content or Requester Content will not violate any third-party Intellectual Property Rights or privacy
rights.
6. Fees and Invoicing.
6.1. Fees, Invoicing. Customer will pay all fees stated in the Order Form within 45 days of receiving
an invoice from NextRequest.
6.2. Payments Processing. This section applies to Customers who use NextRequest's online
payment tools and integrations (the "Payments Module"). The Payments Module and related
integrations is made available through agreement(s) with Stripe, Inc., the terms of which are
available at https://stripe.com/us/legal. By electing to use the Payments Module, Customer agrees
to abide by the relevant terms of NextRequest's agreements with Stripe, Inc., including without
limitation terms relating to compliance with applicable laws, data privacy, and permitted and
prohibited uses. Transactions processed using the Payments Module are handled directly
between Requesters, Customer and Customer's Payment processor (for example, Stripe).
NextRequest does not receive sensitive financial information (such as credit card or
P-21-280
Attachment A
bank numbers) relating to the transactions. The only data made available to NextRequest is a
record of the transaction including invoice information and the amount of the transaction.
6.3. Expenses. If Customer purchases Hourly Services, Customer will reimburse NextRequest for all
ordinary and necessary expenses incurred in connection with the performance of the Hourly
Services, including travel-related expenses. All travel will be pre-approved by Customer.
6.4. Taxes. Customer is responsible for any taxes that may be due as a result of this Agreement,
except for taxes on NextRequest's net income. Taxes payable by Customer will be billed as
separate items on NextRequest's invoices and will not be included in NextRequest's fees. If
Customer claims a tax exemption, Customer must provide documentation of the exemption to
NextRequest at the time of Customer order.
7. Confidential Information
7.1. Duty to Protect Confidential Information. Each Party will exercise the same degree of care and
protection with respect to the Confidential Information of the other Party that it exercises with
respect to its own Confidential Information, at least a reasonable degree of care. A Party will not
use the Confidential Information of the other Party except as permitted by this Agreement.
Notwithstanding the foregoing either Party may disclose the other's Confidential Information to its
employees and agents who have a need to know for the Purpose, provided that any agent to which
Confidential Information is disclosed is bound by non-disclosure terms at least as protective as
those in this Agreement.
7.2. Return of Confidential Information. Unless otherwise authorized, upon the earlier of termination
of this Agreement or request by the other Party, each Party will promptly return or, subject to
Section 3.7 and any applicable law, destroy all Confidential Information disclosed to it by the other
Party and provide certification that all such Confidential Information has been returned or
destroyed.
7.3. Notification Obligation. If a Party becomes aware of any unauthorized use or disclosure of the
Confidential Information of the other Party, it will make commercially reasonable efforts to notify
the other Party of the unauthorized use or disclosure and assist in seeking a protective order or
other appropriate remedy.
8. Publicity. In the event that customer has indicated a Publicity Contact on the Order Form,
NextRequest will request Customer's consent to use Customer's name and logo in NextRequest
promotional or marketing materials by contacting the Customer Publicity Contact. If Customer does
not respond to NextRequest's request within fourteen (14) days, or declines to identify a Publicity
Contact, Customer agrees that NextRequest may publicly disclose Customer's use of the Service and
may use Customer's name and logo to identify Customer as its customer in promotional or marketing
materials, including press releases.
9. Term and Termination
9.1. Term. The term of this agreement begins on the earlier of (1) acceptance of this Agreement by
Customer or (2) the first date on which NextRequest begins providing Services to Customer and
ends on the later of(a) the last day of the Initial Term as set forth in the Order Form, (b) the last
date of any renewal term, or (c) the last date on which NextRequest provides Services to
Customer.
9.2. Termination for Convenience. Customer may terminate for convenience at any time upon 30
days' written notice to NextRequest but will not be entitled to any refund of fees for any unused
portion of the Service or unused Hourly Services.
9.3. Termination for Breach. Either Party may terminate the Agreement for breach if the other Party
materially fails to meet any obligation stated in the Agreement and does not remedy that failure
within thirty (30) days of written notice from the nonbreaching Party describing the failure.
9.4. Effect of Termination. Upon expiration or termination of this Agreement for any reason, all
licenses and rights to use the Service granted to Customer shall terminate immediately, and
Customer shall immediately cease all use of the Service. If Customer has paid in advance for
Service, and this Agreement terminates due to material breach of this Agreement by NextRequest,
NextRequest shall refund Customer a prorated amount of any amount already paid. Upon
termination by Customer for convenience or due to material breach by Customer, in addition to
P-21-280
Attachment A
any remedy provided in this Agreement or provided in law or equity, NextRequest shall be entitled
to retain any amounts already paid. The following terms will survive expiration or termination of
the Agreement: Sections 3, 4, 6, 7, 8, 11, 12, and 13 as well as all other provisions of the
Agreement that by their nature are intended to survive expiration or termination of the Agreement.
10. Changes to Services. In order to improve the Service, NextRequest may change, upgrade, patch,
enhance, or fix any or all of the Service ("Updates") from time to time in order to provide the Service,
and such Updates will become part of the Service and subject to this Agreement; provided that Next
Request shall have no obligation under this Agreement or otherwise to provide any such Updates.
Customer understands that NextRequest may cease supporting old versions or releases of the Service
at any time; provided that NextRequest will make commercially reasonable efforts to give Customer
prior notice of any major changes to the Service.
11. Intellectual Property Infringement and Indemnification
11.1. NextRequest's Obligations for IP Infringement. If any action is instituted by a third party
against Customer based upon a claim that any part of the Service (an "Infringing Item"), infringes
any Intellectual Property right, NextRequest's sole obligation will be at its option and expense to
(a) procure for Customer the right to continue using the Infringing Item, (b) replace or modify the
Infringing Item so that it is no longer infringing but continues to provide comparable functionality,
or(c)terminate this Agreement and Customer's access to the Service, in which case NextRequest
shall refund a prorated amount of any amounts paid for which Service have not yet been received.
NextRequest shall have no liability to Customer for any infringement action to the extent such
action arises out of a breach of the terms and conditions of this Agreement by Customer or of the
use of the Service(or any component part thereof)after it has been modified by Customer without
NextRequest's prior written consent. NextRequest agrees to indemnify, save, hold harmless, and
at Customer's request, defend the Customer, its officers, agents, and employees from any and all
costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses
occurring or resulting to Customer in connection with the performance, or failure to perform, by
NextRequest, its officers, agents, or employees under this Agreement, and from any and all costs
and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses
occurring or resulting to any person, firm, or corporation who may be injured or damaged by the
negligent performance, or failure to perform, of NextRequest, its officers, agents, or employees
under this Agreement. This Section 11.1 states NextRequest's sole liability to Customer, and
Customer's exclusive remedy against NextRequest for infringement claims.
12. Customer's Indemnification of NextRequest. Unless prohibited under applicable law given
Customer's status as a public entity, Customer agrees to defend, indemnify and hold harmless
NextRequest and its affiliates and their respective directors, officers, employees, and agents from and
any and all damages, liabilities, costs, and expenses (including reasonable attorneys'fees) incurred as
a result of any claim,judgment, or proceeding relating to or arising out of: (a) Customer's breach of this
Agreement, including without limitation of any of Customer's warranties or representations or
NextRequest's Acceptable Use Policy or (b) any claim alleging that NextRequest has infringed or
secondarily infringed on the intellectual property or proprietary right of a third party as a result of
Customer Content or Customer's use of the Service, if Customer's Content or conduct actually infringes
on the intellectual property or proprietary right of a third party Disclaimers and Limitations on
NextRequest's Liability
12.1. NextRequest is not responsible to Customer or any third party for unauthorized access to
Customer Content or the unauthorized use of the Service unless the unauthorized access or use
results from NextRequest's failure to meet its security obligations under this Agreement.
12.2. Disclaimer of Warranty. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW,
THE SERVICE IS PROVIDED"AS IS"AND "AS AVAILABLE"AND NEXTREQUEST MAKES NO
WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR USE AND NONINFRINGEMENT, AND ALL WARRANTIES ARISING FROM
COURSE OF DEALING, USAGE OR TRADE PRACTICE. WITHOUT LIMITING THE
GENERALITY OF THE FOREGOING, NEXTREQUEST MAKES NO REPRESENTATION OR
WARRANTY (A) USE OF THE SERVICE WILL MEET CUSTOMER'S REQUIREMENTS, (B)
THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, OR (C) REGARDING
THE ACCURACY OR RELIABILITY OF ANY CONTENT.
P-21-280
Attachment A
12.3. Limitation of Liability. EXCEPT AS OTHERWISE PROVIDED IN SECTION 12.4, IN NO
EVENT WILL NEXTREQUEST OR ANY OF ITS SUCCESSORS, LICENSORS, OR SERVICE
PROVIDERS BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ITS
SUBJECT MATTER UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF
CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE FOR
(a) LOSS OF GOODWILL OR REPUTATION; (b) EXCEPT AS EXPRESSLY PROVIDED IN THE
SERVICE LEVEL AGREEMENT, USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR
RECOVERY OF THE SERVICE; (c)COST OF REPLACEMENT GOODS OR SERVICES; OR (d)
LOST REVENUES OR PROFITS OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL,
EXEMPLARY, ENHANCED OR PUNITIVE DAMAGES OR FOR THE FAILURE OF ANY
AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE. WITH THE EXCEPTION OF
THE INDEMNIFICATION REQUIREMENTS CONTAINED IN SECTION 11.1, IN NO EVENT WILL
THE COLLECTIVE AGGREGATE LIABILITY OF NEXTREQUEST AND ITS SUCCESSORS,
LICENSORS, OR SERVICE PROVIDERS ARISING OUT OF OR RELATED TO THIS
AGREEMENT OR ITS SUBJECT MATTER, WHETHER ARISING UNDER OR RELATED TO
BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR ANY
OTHER LEGAL OR EQUITABLE THEORY EXCEED THE TOTAL AMOUNT ACTUALLY PAID BY
CUSTOMER TO NEXTREQUEST UNDER THIS AGREEMENT. THE FOREGOING
LIMITATIONS APPLY EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE. TO THE
EXTENT APPLICABLE LAW PROHIBITS THE FOREGOING LIMITATION OF LIABILITY,
NEXTREQUEST'S LIABILITY IS LIMITED TO THE GREATEST EXTENT ALLOWED BY
APPLICABLE LAW.
12.4. Nothing in this Agreement limits or excludes either Party's liability for its gross negligence or
willful misconduct.
13. General
13.1. State Agency Piggybacking. NextRequest agrees to allow Customer and other public
agencies in the State of California to purchase additional items, at the same terms and conditions
as this Agreement, excluding pricing and term length, and services to be provided, which will be
separately agreed upon NextRequest in a mutually executed Order Form.
13.2. Governing Law. Unless otherwise mutually agreed by the Parties in an Order Form, this
Agreement will in all respects be governed by and construed and enforced in accordance with the
laws of the State of California. Venue for any action shall only be in County of Fresno.
13.3. Notice. Written notice by either Party to the other may be given: (i) in person, and such notice
will be deemed valid on the date of delivery in person; (ii) by email to the Party contact identified
in the Order Form, or (iii) by first-class United States Mail, and such notice will be deemed valid
as of the proof of mailing date. For all claims arising out of or related to this Agreement, nothing in
this section establishes, waives, or modifies any claims presentation requirements or procedures
provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of
the Government Code, beginning with section 810).
13.4. Assignment. Neither Party may assign any of its rights or obligations hereunder, whether by
operation of law or otherwise, without the prior written consent of the other Party (not to be
unreasonably withheld). Notwithstanding the foregoing, either Party may assign this Agreement in
its entirety, without consent of the other Party, to its affiliate or in connection with a merger,
acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the
foregoing, this Agreement shall bind and inure to the benefit of the Parties, their respective
successors and permitted assigns. NextRequest may use Service Providers to perform all or any
part of the Service, but NextRequest remains responsible to Customer under this Agreement for
Service performed by its Service Providers to the same extent as if NextRequest performed the
Service itself.
13.5. Force Majeure. Neither Party will be in breach of the Agreement if the failure to perform the
obligation is due to an event beyond either Party's control, such as significant failure of a part of
the power grid, significant failure of the Internet, natural disaster, war, riot, insurrection, epidemic,
strikes or other organized labor action, terrorism, or other events of a magnitude or type for which
precautions are not generally taken in the industry.
13.6. Modifications. Unless otherwise expressly permitted in this Agreement, the Agreement may be
amended only by a formal amendment signed by both Parties. An Order Form may be amended
P-21-280
Attachment A
to modify,add,or remove services by mutual written agreement of the Parties, agreement by email
being sufficient. Any terms on Customer's purchase order or other business forms by which
Customer orders or pays for Service will not become part of this Agreement.
13.7. Entire Agreement. The Agreement, together with the Order Form, Terms of Use and Privacy
Policy, constitutes the complete and exclusive agreement between the Parties regarding the
Service and supersedes and replaces any prior understanding or communication, written or oral.
Customer acknowledges that it has not relied on any statement, promise or representation made
or given by or on behalf of NextRequest which is not set out in the Agreement.
13.8. Precedence. If there is a conflict between the Order Form and this Agreement, then this
Agreement will control.
13.9. Unenforceable Provisions. If any part of the Agreement is found unenforceable by a court, the
rest of the Agreement will nonetheless continue in effect, and the unenforceable part will be
reformed to the extent possible to make it enforceable but still consistent with the business and
financial objectives of the Parties underlying the Agreement.
13.10. No Waiver. Each Party may enforce its respective rights under the Agreement even if
it has waived the right or failed to enforce the same or other rights in the past.
13.11. No Partnership. The relationship between the Parties is that of independent
contractors and not business partners. Neither Party is the agent for the other, and neither Party
has the right to bind the other to any agreement with a third party.
13.12. No Third-party Beneficiaries. There are no third-party beneficiaries to this
Agreement.
13.13. Counterparts. This Agreement may be executed in two or more counterparts, each
of which will be considered a legal original for all purposes.
P-21-280
Attachment A
NextRequest
Service Level Agreement
This Service Level Agreement ("SLA") defines the support obligations of NextRequest Co., a Delaware
corporation ("NextRequest")to Customer, a purchaser of NextRequest's service. The terms of this SLA are
incorporated into and subject to the terms of the NextRequest Service Agreement. Capitalized terms not
defined in this SLA shall have the meanings given to them in the NextRequest Service Agreement.
1. Service Guarantees
1.1 Availability. NextRequest provides hosting for the NextRequest service through a Service Provider
("Hosting Provider"), which does not make guarantees about uptime. Based on past performance,
NextRequest anticipates 99.9% uptime of the application, with the exception of planned outages for
maintenance and upgrades for which NextRequest notifies the Customer 24 hours in advance ("Uptime").
If NextRequest fails to meet the Uptime,the Customer will be eligible for credits as described in section 3.2.
1.2 Security. NextRequest takes the security of the Customer's data seriously and protects it according to
the rigorous security practices described in our System Security Plan.The Hosting Provider utilizes certified
data centers managed by Amazon, which implements industry-leading physical, technical, and operational
security measures and has received ISO 27001 certification and Federal Information Security Management
Act (FISMA) Moderate Authorization and Accreditation from the U.S. General Services Administration. If
NextRequest becomes aware of any unauthorized access to its systems that poses any threat to the
Service or the Customer's data, NextRequest will notify the Customer in writing of the issue no later than
the close of the next Business Day after NextRequest learns of it.
1.3 Data Integrity. The Hosting Provider makes daily backups of Customers' systems and data. Seven (7)
daily backups and five (5)weekly backups are retained.
1.4 Location of Service. Service and Customer's data is hosted in the United States.
2. Service Request Process
2.1 Service Request Definition. A Service Request is any email, phone call, or in-app chat ticket sent to
NextRequest by the Customer indicating support action is necessary or desired.This includes Bug reporting
and Customer Support.
2.2 Severity Levels and Response Times. Each Service Request will be assigned a Severity Level by the
party initiating the request. If NextRequest reasonably determines that the Customer has assigned an
incorrect Severity Level to a ticket, NextRequest may assign a different Severity Level. The Severity Levels
are defined below, along with the corresponding Initial Response Time within which NextRequest(or, in the
case of Critical requests, our Hosting Partner) will respond to the Customer's request and begin work on
the issue:
Severity Level Definition Initial Response
(Priority) Time
and Channel
Critical Service is Service is inoperative, Customer's business operations or 2 hours during
inoperative productivity are severely impacted with no available workaround, Business Days
or a critical security issue exists. (phone or email)
Standard (High) Service is operating but issue is causing significant disruption of 1 Business Day
Customer's business operations; workaround is unavailable or (phone or email)
inadequate.
P-21-280
Attachment A
Standard Service is operating and issue's impact on the Customer's 1 Business Day
(Medium) business operations is moderate to low; a workaround or (email)
alternative is available.
Standard (Low) Issue is a minor inconvenience and does not impact business 1 Business Day
operations in any significant way; little or no time sensitivity. (email)
2.3 Standard Service Requests
2.3.1 Initiating Standard Service Requests. The Customer may initiate a Standard Service Request by
opening a ticket via the NextRequest in-app chat system. NextRequest support team members or systems
may also create tickets on the Customer's behalf in response to issues identified by monitoring systems.
2.3.2 Response and Resolution. Once NextRequest has responded to a Service Request, NextRequest
will work during Business Hours with the Customer's representatives and, as needed, our Hosting Partner
to resolve the problem or provide a workaround. NextRequest makes no guarantee regarding the time to
resolve a Service Request, only that NextRequest will use the reasonable efforts described above.
2.4 Critical Service Requests
2.4.1 Initiating Critical Service Requests. The Customer may initiate a Critical Service Request by calling
NextRequest directly at 833-698-7778 or emailing support@nextrequest.com. The Customer will be
directed to leave contact information and a detailed description of the issue.
2.4.2 NextRequest's Response. NextRequest's support staff will contact the Customer within 2 hours during
a Business Day of receiving the Customer's report of a Critical Service Request and will work continuously
until the issue is resolved or a workaround is available. NextRequest will provide the Customer with regular
updates until the issue is resolved and will coordinate with the Customer during Business Hours.
2.5 Customer Responsibilities. The Customer agrees to assist NextRequest as necessary to resolve
Service Requests and to provide any information NextRequest reasonably requests, including information
necessary to duplicate the issue. The Customer agrees to make available personnel capable of
understanding and accurately communicating technical details necessary to enable NextRequest to review
issues, and to assist NextRequest in diagnosing issues.
2.6 Bugs and Bug Reporting
2.6.1 Bug Definition. A Bug is defined as any issue where the NextRequest application does not function
as intended. It is at the sole discretion of NextRequest staff to determine if an issue is classified as a Bug.
None of the Customer's Customer Support hours will be deducted for reporting Bugs. The Customer may
submit a Service Request in order to report a Bug.
2.7 Customer Support
2.7.1 Customer Support Definition. Staff time spent by NextRequest assisting the Customer or Customer's
representatives after the Service Agreement has been signed is defined as Customer Support. This may
include helping users with account creation, account log in, configuration, or understanding features.
Customer Support hours exclude: bug reporting and related discussions and fixes; regularly scheduled
check-ins with NextRequest staff as specified in the Order Form; and training sessions specified in the
Order Form. The Customer may submit a Service Request in order to receive Customer Support.
3. Service Credits
P-21-280
Attachment A
3.1 Issuance. If NextRequest fails to meet the response time stated above, the Customer will be entitled to
a credit of 2 Service hours for each hour during which the response time guarantee is not met, up to a total
of 8 hours per incident. The Customer must request a credit in writing via a support ticket no later than 14
days following the occurrence of the event giving rise to the credit. Credits will be applied to invoices issued
in the future.
3.2 Sole Remedy. The credits stated in this Agreement are the Customer's sole remedy in the event
NextRequest fails to meet a guarantee for which credits are provided. If NextRequest fails to perform any
obligation for which a credit is not provided, the Customer's sole remedy is to have NextRequest perform
or re-perform the obligation, as applicable. The maximum total credit for failure to meet any guarantee
during any calendar month shall not exceed one twelfth of the annual recurring fee for the Service.
3.3 Credits for Downtime. During the term of the contract, the Service will be operational and available at
least 99.9% of the time in any calendar month, with the exception of planned outages for maintenance and
upgrades for which NextRequest notifies the Customer 24 hours in advance. If NextRequest does not
satisfy 99.9% uptime, the Customer will be eligible to receive the service credits described below. In order
to receive service credits,the Customer must request the credit in writing via a support ticket within 30 days
from the time the Customer becomes eligible to receive a service credit.
Monthly Uptime Days of Service added to the end of the service term at no
Percentage charge to Customer
99.9% to 99.0% 3
89.9.0%to 7
95.0%
< 94.9% 15
3.4 Extraordinary Events. The Customer is not entitled to a credit for downtime or outages resulting from
denial-of-service attacks, hacking attempts, or any other circumstances that are not within our control.
3.5 No Credit in Breach. The Customer is not entitled to a credit if: (i) the Customer is in breach of the
Agreement(including the Customer's payment obligations to NextRequest)at the time of the occurrence of
the event giving rise to the credit, (ii) the event giving rise to the credit results from the Customer's prior
breach of the Agreement, or(iii)to the extent our failure to meet an Initial Response Time guarantee results
from the Customer's delay or failure to meet the requirements of Section 2.5 ("Customer Responsibilities")
of this SLA.
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 A. Definitions.
2 Capitalized terms used in this Exhibit A have the meanings set forth in this section A.
3 "Authorized Employees" means CONTRACTOR's employees who have access to
4 Personal Information.
5 "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any
6 and all of CONTRACTOR's subcontractors, representatives, agents, outsourcers, and
7 consultants, and providers of professional services to CONTRACTOR, who have access to
8 Personal Information and are bound by law or in writing by confidentiality obligations
9 sufficient to protect Personal Information in accordance with the terms of this Exhibit A.
10 "Director" means COUNTY's Director of Internal Services-Chief Information Officer
11 or his or her designee.
12 "Disclose" or any derivative of that word means to disclose, release, transfer,
13 disseminate, or otherwise provide access to or communicate all or any part of any Personal
14 Information orally, in writing, or by electronic or any other means to any person.
15 "Person" means any natural person, corporation, partnership, limited liability
16 company, firm, or association.
17 "Personal Information" means any and all information, including any data,
18 provided, or to which access is provided, to CONTRACTOR by or upon the authorization of
19 COUNTY, under this Agreement, including but not limited to vital records, that: (i) identifies,
20 describes, or relates to, or is associated with, or is capable of being used to identify,
21 describe, or relate to, or associate with, a person (including, without limitation, names,
22 physical descriptions, signatures, addresses, telephone numbers, e-mail addresses,
23 education, financial matters, employment history, and other unique identifiers, as well as
24 statements made by or attributable to the person); (ii) is used or is capable of being used to
25 authenticate a person (including, without limitation, employee identification numbers,
26 government-issued identification numbers, passwords or personal identification numbers
27 (PINs), financial account numbers, credit report information, answers to security questions,
28 and other personal identifiers); or is personal information within the meaning of California
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). Personal Information
2 does not include publicly available information that is lawfully made available to the general
3 public from federal, state, or local government records.
4 "Privacy Practices Complaint" means a complaint received by COUNTY relating
5 to CONTRACTOR's (or any Authorized Person's) privacy practices, or alleging a Security
6 Breach. Such complaint shall have sufficient detail to enable CONTRACTOR to promptly
7 investigate and take remedial action under this Exhibit A.
8 "Security Safeguards" means physical, technical, administrative or organizational
9 security procedures and practices put in place by CONTRACTOR (or any Authorized
10 Persons) that relate to the protection of the security, confidentiality, value, or integrity of
11 Personal Information. Security Safeguards shall satisfy the minimal requirements set forth in
12 subsection C.(5) of this Exhibit A.
13 "Security Breach" means (i) any act or omission that compromises either the
14 security, confidentiality, value, or integrity of any Personal Information or the Security
15 Safeguards, or (ii) any unauthorized Use, Disclosure, or modification of, or any loss or
16 destruction of, or any corruption of or damage to, any Personal Information.
17 "Use" or any derivative thereof means to receive, acquire, collect, apply, manipulate,
18 employ, process, transmit, disseminate, access, store, disclose, or dispose of Personal
19 Information.
20 B. Standard of Care.
21 (1) CONTRACTOR acknowledges that, in the course of its engagement by COUNTY
22 under this Agreement, CONTRACTOR, or any Authorized Persons, may Use Personal
23 Information only as permitted in this Agreement.
24 (2) CONTRACTOR acknowledges that Personal Information is deemed to be
25 confidential information of, or owned by, COUNTY (or persons from whom COUNTY
26 receives or has received Personal Information) and is not confidential information of, or
27 owned or by, CONTRACTOR, or any Authorized Persons. CONTRACTOR further
28 acknowledges that all right, title, and interest in or to the Personal Information remains in
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 COUNTY (or persons from whom COUNTY receives or has received Personal Information)
2 regardless of CONTRACTOR's, or any Authorized Person's, Use of that Personal
3 Information.
4 (3) CONTRACTOR agrees and covenants in favor of COUNTY that CONTRACTOR
5 shall: (i) keep and maintain all Personal Information in strict confidence, using such degree
6 of care under this Subsection B as is reasonable and appropriate to avoid a Security
7 Breach; (ii) Use Personal Information exclusively for the purposes for which the Personal
8 Information is made accessible to CONTRACTOR pursuant to the terms of this Exhibit A;
9 (iii) not Use, Disclose, sell, rent, license, or otherwise make available Personal Information
10 for CONTRACTOR's own purposes or for the benefit of anyone other than COUNTY,
11 without COUNTY's express prior written consent, which the COUNTY may give or withhold
12 in its sole and absolute discretion; and (iv) not, directly or indirectly, Disclose Personal
13 Information to any person (an "Unauthorized Third Party") other than Authorized Persons
14 pursuant to this Agreement, without the Director's and the Recorder's express prior written
15 consent.
16 Notwithstanding the foregoing paragraph, in any case in which CONTRACTOR
17 believes it, or any Authorized Person, is required to disclose Personal Information to
18 government regulatory authorities, or pursuant to a legal proceeding, or otherwise as may
19 be required by applicable law, Contractor shall to the extent permitted by law (a)
immediately notify COUNTY of the
20 specific demand for, and legal authority for the disclosure, including providing County with a
21 copy of any notice, discovery demand, subpoena, or order, as applicable, received by
22 CONTRACTOR, or any Authorized Person, from any government regulatory authorities, or
23 in relation to any legal proceeding, and (b) promptly notify COUNTY before such Personal
24 Information is offered by CONTRACTOR for such disclosure so that COUNTY may have
25 sufficient time to obtain a court order or take any other action COUNTY may deem
26 necessary to protect the Personal Information from such disclosure, and CONTRACTOR
27 shall cooperate with COUNTY to minimize the scope of such disclosure of such Personal
28 Information.
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 Subject to Section 12 of the Terms and Conditions, CONTRACTOR shall remain liable
to COUNTY for the actions and omissions of any
2 Unauthorized Third Party concerning its Use of such Personal Information as if they were
3 CONTRACTOR's own actions and omissions.
4 C. Information Security.
5 (1) CONTRACTOR covenants, represents and warrants to COUNTY that
6 Contractor's Use of Personal Information under this Agreement does and shall at all times
7 comply with all applicable federal, state, and local, privacy and data protection laws, as well
8 as all other applicable regulations and directives, including but not limited to California Civil
9 Code, Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song-Beverly
10 Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3, beginning with
11 section 1747). If CONTRACTOR Uses credit, debit or other payment cardholder information,
12 CONTRACTOR shall at all times remain in compliance with the Payment Card Industry Data
13 Security Standard ("PCI DSS") requirements, including remaining aware at all times of
14 changes to the PCI DSS and promptly implementing and maintaining all procedures and
15 practices as may be necessary to remain in compliance with the PCI DSS, in each case, at
16 CONTRACTOR's sole cost and expense.
17 (2) CONTRACTOR covenants, represents and warrants to COUNTY that, as of the
18 Effective Date, CONTRACTOR has not received notice of any violation of any privacy or
19 data protection laws, as well as any other applicable regulations or directives, and is not the
20 subject of any pending legal action or investigation by, any government regulatory authority
21 regarding same.
22 (3) Without limiting CONTRACTOR's obligations under subsection C.(1) of this
23 Exhibit A, CONTRACTOR's (or Authorized Person's) Security Safeguards shall be no less
24 rigorous than accepted industry practices and, at a minimum, include the following: (i)
25 limiting Use of Personal Information strictly to CONTRACTOR's and Authorized Persons'
26 technical and administrative personnel who are necessary for the CONTRACTOR's, or
27 Authorized Persons', Use of the Personal Information pursuant to this Agreement; (ii)
28 ensuring that all of CONTRACTOR's connectivity to County computing systems will only be
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 through COUNTY's security gateways and firewalls, and only through security procedures
2 approved upon the express prior written consent of the Director; (iii) to the extent that they
3 contain or provide access to Personal Information, (a) securing business facilities, data
4 centers, paper files, servers, back-up systems and computing equipment, operating
5 systems, and software applications, including, but not limited to, all mobile devices and other
6 equipment, operating systems, and software applications with information storage capability;
7 (b) employing adequate controls and data security measures, both internally and externally,
8 to protect (1) the Personal Information from potential loss or misappropriation, or
9 unauthorized Use, and (2) the COUNTY's operations from disruption and abuse; (c) having
10 and maintaining network, device application, database and platform security; (d) maintaining
11 authentication and access controls within media, computing equipment, operating systems,
12 and software applications; and (e) installing and maintaining in all mobile, wireless, or
13 handheld devices a secure internet connection, having continuously updated anti-virus
14 software protection and a remote wipe feature always enabled, all of which is subject to
15 express prior written consent of the Director; (iv) encrypting all Personal Information at
16 advance encryption standards of Advanced Encryption Standards (AES) of 128 bit or higher
17 (a) stored on any mobile devices, including but not limited to hard disks, portable storage
18 devices, or remote installation, or (b) transmitted over public or wireless networks (the
19 encrypted Personal Information must be subject to password or pass phrase, and be stored
20 on a secure server and transferred by means of a Virtual Private Network (VPN) connection,
21 or another type of secure connection, all of which is subject to express prior written consent
22 of the Director); (v) strictly segregating Personal Information from all other information of
23 CONTRACTOR, including any Authorized Person, or anyone with whom CONTRACTOR or
24 any Authorized Person deals so that Personal Information is not commingled with any other
25 types of information; (vi) having a patch management process including installation of all
26 operating system/software vendor security patches; (vii) maintaining appropriate personnel
27 security and integrity procedures and practices, including, but not limited to, conducting
28
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 background checks of Authorized Employees consistent with applicable law; and (viii)
2 providing appropriate privacy and information security training to Authorized Employees.
3 (4) During the term of each Authorized Employee's employment by CONTRACTOR,
4 CONTRACTOR shall cause such Authorized Employees to abide strictly by
5 CONTRACTOR's obligations under this Exhibit A. CONTRACTOR further agrees that it shall
6 maintain a disciplinary process to address any unauthorized Use of Personal Information by
7 any Authorized Employees.
8 (5) CONTRACTOR shall, in a secure manner, backup daily, or more frequently if it is
9 CONTRACTOR's practice to do so more frequently, Personal Information received from
10 COUNTY, and the COUNTY shall have immediate, real time access, at all times, to such
11 backups via a secure, remote access connection provided by CONTRACTOR, through the
12 Internet.
13 (6) CONTRACTOR shall provide COUNTY with the name and contact information for
14 each Authorized Employee (including such Authorized Employee's work shift, and at least
15 one alternate Authorized Employee for each Authorized Employee during such work shift)
16 who shall serve as COUNTY's primary security contact with CONTRACTOR and shall be
17 available to assist COUNTY twenty-four (24) hours per day, seven (7) days per week as a
18 contact in resolving CONTRACTOR's and any Authorized Persons' obligations associated
19 with a Security Breach or a Privacy Practices Complaint.
20 D. Security Breach Procedures.
21 (1) Immediately upon CONTRACTOR's awareness or reasonable belief of a Security
22 Breach, CONTRACTOR shall (a) notify the Director of the Security Breach, such notice to
23 be given first by telephone at the following telephone number, followed promptly by email at
24 the following email address: (559) 600-6200 / ematthews@fresnocountyca.gov (which
25 telephone number and email address COUNTY may update by providing notice to
26 CONTRACTOR), and (b) preserve all relevant evidence (and cause any affected Authorized
27 Person to preserve all relevant evidence) relating to the Security Breach. The notification
28 shall include, to the extent reasonably possible, the identification of each type and the extent
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 of Personal Information that has been, or is reasonably believed to have been, breached,
2 including but not limited to, compromised, or subjected to unauthorized Use, Disclosure, or
3 modification, or any loss or destruction, corruption, or damage.
4 (2) Immediately following CONTRACTOR's notification to COUNTY of a Security
5 Breach, as provided pursuant to subsection D.(1) of this Exhibit A, the Parties shall
6 coordinate with each other to investigate the Security Breach. CONTRACTOR agrees to
7 fully cooperate with COUNTY, including, without limitation: (i) assisting COUNTY in
8 conducting any investigation; (ii) providing COUNTY with physical access to the facilities
9 and operations affected; (iii) facilitating interviews with Authorized Persons and any of
10 CONTRACTOR's other employees knowledgeable of the matter; and (iv) making available
11 all relevant records, logs, files, data reporting and other materials required to comply with
12 applicable law, regulation, industry standards, or as otherwise reasonably required by
13 COUNTY. To that end and subject to Section 12 of the Terms and Conditions,
CONTRACTOR shall, with respect to a Security Breach, be solely
14 responsible, at its cost, for all notifications required by law and regulation, or deemed
15 reasonably necessary by COUNTY, and CONTRACTOR shall provide a written report of the
16 investigation and reporting required to the Director within thirty (30) days after the
17 CONTRACTOR's discovery of the Security Breach.
18 (3) County shall promptly notify CONTRACTOR of the Director's knowledge, or
19 reasonable belief, of any Privacy Practices Complaint, and upon CONTRACTOR's receipt of
20 notification thereof, CONTRACTOR shall promptly address such Privacy Practices
21 Complaint, including taking any corrective action under this Exhibit A, all at
22 CONTRACTOR's sole expense and subject to Section 12 of the Terms and Conditions, in
accordance with applicable privacy rights, laws,
23 regulations and standards. In the event CONTRACTOR discovers a Security Breach,
24 CONTRACTOR shall treat the Privacy Practices Complaint as a Security Breach. Within
25 twenty-four (24) hours of CONTRACTOR's receipt of notification of such Privacy Practices
26 Complaint, CONTRACTOR shall notify COUNTY whether the matter is a Security Breach, or
27 otherwise has been corrected and the manner of correction, or determined not to require
28 corrective action and the reason therefor.
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 (4) CONTRACTOR shall take prompt corrective action to respond to and remedy any
2 Security Breach and take mitigating actions, including but not limiting to, preventing any
3 reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as
4 a result of such incident, all at CONTRACTOR's sole expense, in accordance with
5 applicable privacy rights, laws, regulations and standards. Subject to Section 12 of the Terms
and Conditions CONTRACTOR shall reimburse
6 COUNTY for all reasonable costs incurred by COUNTY in responding to, and mitigating
7 damages caused by, any Security Breach, including all costs of COUNTY incurred relation
8 to any litigation or other action described subsection D.(5) of this Exhibit A.
9 (5) CONTRACTOR agrees to cooperate, at its sole expense, with COUNTY in any
10 litigation or other action to protect COUNTY's rights relating to Personal Information,
11 including the rights of persons from whom COUNTY receives Personal Information.
12 E. Oversight of Security Compliance.
13 (1) CONTRACTOR shall have and maintain a written information security policy that
14 specifies Security Safeguards appropriate to the size and complexity of CONTRACTOR's
15 operations and the nature and scope of its activities.
16 (2) Upon COUNTY's written request no more than once per year, to confirm
CONTRACTOR's compliance with
17 this Exhibit A, as well as any applicable laws, regulations and industry standards,
18 CONTRACTOR grants COUNTY or, upon COUNTY's election, a third party on COUNTY's
19 behalf, permission to perform an assessment, audit, examination or review of all controls in
20 CONTRACTOR's physical and technical environment in relation to all Personal Information
21 that is Used by CONTRACTOR pursuant to this Agreement. CONTRACTOR shall fully
22 cooperate with such assessment, audit or examination, as applicable, by providing
23 COUNTY or the third party on COUNTY's behalf, access to all Authorized Employees and
24 other knowledgeable personnel, physical premises, documentation, infrastructure and
25 application software that is Used by CONTRACTOR for Personal Information pursuant to
26 this Agreement. In addition, CONTRACTOR shall provide COUNTY with the results of any
27 audit by or on behalf of CONTRACTOR that assesses the effectiveness of CONTRACTOR's
28 information security program as relevant to the security and confidentiality of Personal
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 Information Used by CONTRACTOR or Authorized Persons during the course of this
2 Agreement under this Exhibit A.
3 (3) CONTRACTOR shall ensure that all Authorized Persons who Use Personal
4 Information agree to the same restrictions and conditions in this Exhibit A. that apply to
5 CONTRACTOR with respect to such Personal Information by incorporating the relevant
6 provisions of these provisions into a valid and binding written agreement between
7 CONTRACTOR and such Authorized Persons, or amending any written agreements to
8 provide same.
9 F. Return or Destruction of Personal Information.
10 Upon the termination of this Agreement, CONTRACTOR shall, and shall instruct all
11 Authorized Persons to, promptly return to COUNTY all Personal Information, whether in
12 written, electronic or other form or media, in its possession or the possession of such
13 Authorized Persons, in a machine readable form used by COUNTY at the time of such
14 return, or upon the express prior written consent of the Recorder and the Director, securely
15 destroy all such Personal Information, and certify in writing to the COUNTY that such
16 Personal Information have been returned to COUNTY or disposed of securely, as
17 applicable. If CONTRACTOR is authorized to dispose of any such Personal Information, as
18 provided in this Exhibit A, such certification shall state the date, time, and manner (including
19 standard) of disposal and by whom, specifying the title of the individual. CONTRACTOR
20 shall comply with all reasonable directions provided by the Recorder and the Director with
21 respect to the return or disposal of Personal Information and copies thereof. If return or
22 disposal of such Personal Information or copies of Personal Information is not feasible,
23 CONTRACTOR shall notify COUNTY according, specifying the reason, and continue to
24 extend the protections of this Exhibit A to all such Personal Information and copies of
25 Personal Information. CONTRACTOR shall not retain any copy of any Personal Information
26 after returning or disposing of Personal Information as required by this section F.
27 CONTRACTOR's obligations under this section F survive the termination of this Agreement
28
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 and apply to all Personal Information that CONTRACTOR retains if return or disposal is not
2 feasible and to all Personal Information that CONTRACTOR may later discover.
3 G. Equitable Relief.
4 CONTRACTOR acknowledges that any breach of its covenants or obligations set
5 forth in this Exhibit A may cause COUNTY irreparable harm for which monetary damages
6 would not be adequate compensation and agrees that, in the event of such breach or
7 threatened breach, COUNTY is entitled to seek equitable relief, including a restraining order,
8 injunctive relief, specific performance and any other relief that may be available from any
9 court, in addition to any other remedy to which COUNTY may be entitled at law or in equity.
10 Such remedies shall not be deemed to be exclusive but shall be in addition to all other
11 remedies available to COUNTY at law or in equity or under this Agreement.
12 H. Indemnification.
13 CONTRACTOR shall, subject to Section 12 of the Terms and Conditions, defend,
indemnify and hold harmless COUNTY, its officers,
14 employees, and agents, (each, a "COUNTY Indemnitee") from and against any and all
15 third party claims relating to invasion of privacy, information theft, and extortion,
16 unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any
17 corruption of or damage to, Personal Information, Security Breach response and remedy
18 costs, credit monitoring expenses, forfeitures, losses, damages, liabilities, deficiencies,
19 actions, judgments, interest, awards, fines and penalties (including regulatory fines and
20 penalties), costs or expenses of whatever kind, including attorneys' fees and costs, the cost
21 of enforcing any right to indemnification or defense under this Exhibit A and the cost of
22 pursuing any insurance providers, arising out of or resulting from any third party claim or
23 action against any COUNTY Indemnitee in relation to CONTRACTOR's, its officers,
24 employees, or agents, or any Authorized Employee's or Authorized Person's, performance
25 or failure to perform under this Exhibit A or arising out of or resulting from CONTRACTOR's
26 failure to comply with any of its obligations under this section H. The provisions of this
27 section H do not apply to the acts or omissions of COUNTY. The provisions of this section H
P-21-280
Exhibit A
Exhibit A
"Data Security"
1 are cumulative to any other obligation of CONTRACTOR to, defend, indemnify, or hold
2 harmless any COUNTY Indemnity under this Agreement. The provisions of this section H
3 shall survive the termination of this Agreement.
4 I. Survival.
5 The respective rights and obligations of CONTRACTOR and COUNTY as stated in
6 this Exhibit A shall survive the termination of this Agreement.
7 J. No Third Party Beneficiary.
8 Nothing express or implied in the provisions of in this Exhibit A is intended to confer,
9 nor shall anything herein confer, upon any person other than COUNTY or CONTRACTOR
10 and their respective successors or assignees, any rights, remedies, obligations or liabilities
11 whatsoever.
12 L. No County Warranty.
13 COUNTY does not make any warranty or representation whether any Personal
14 Information in CONTRACTOR's (or any Authorized Person's) possession or control, or Use
15 by CONTRACTOR (or any Authorized Person), pursuant to the terms of this Agreement is or
16 will be secure from unauthorized Use, or a Security Breach or Privacy Practices Complaint.
17
18
19
20
21
22
23
24
25
26
27
28