SLL Certificate Licensing RFP

1 Department of Buildings and General Services Agency of Administration Office of Purchasing & Contracting 133 State Street [phone] 802-828-2211 Montpelier VT 05609-3001 [fax] 802-828-2222 http://bgs.vermont.gov/purchasing SEALED BID REQUEST FOR PROPOSAL SLL Certificate Licensing ISSUE DATE April 4, 2024 QUESTIONS DUE April 12, 2024 @ 4:30 PM (EST) RFP RESPONSES DUE BY April 23, 2024 @ 4:30 PM (EST) PLEASE BE ADVISED THAT ALL NOTIFICATIONS, RELEASES, AND ADDENDUMS ASSOCIATED WITH THIS RFP WILL BE POSTED AT: http://www.bgs.state.vt.us/pca/bids/bids.php THE STATE WILL MAKE NO ATTEMPT TO CONTACT INTERESTED PARTIES WITH UPDATED INFORMATION. IT IS THE RESPONSIBILITY OF EACH BIDDER TO PERIODICALLY CHECK THE ABOVE WEBPAGE FOR ANY AND ALL NOTIFICATIONS, RELEASES AND ADDENDUMS ASSOCIATED WITH THIS RFP. STATE CONTACT:

E-MAIL: Kristine Furman kristine.furman@vermont.gov USE SUBJECT: SSL CERTIFICATE LICENSING http://www.bgs.state.vt.us/pca/bids/bids.php mailto:SOV.ThePathForward@vermont.gov Page 2 of 28 1. OVERVIEW: 1.1. SCOPE AND BACKGROUND: Through this Request for Proposal (RFP) the State of Vermont, Agency of Digital Services (hereinafter the “State”) is seeking to establish contracts with one or more companies that can provide Secure Sockets Layer (SSL) Certificate Licensing. 1.2. CONTRACT PERIOD: Contracts arising from this RFP will be for a period of (3) THREE YEARS with an option to renew for up to one additional (2) TWO YEAR period. The State anticipates the start date will be August 12, 2024. 1.3. SINGLE POINT OF CONTACT: All communications concerning this RFP are to be addressed in writing to the State Contact listed on the front page of this RFP. Actual or attempted contact with any other individual from the State concerning this RFP is strictly prohibited and may result in disqualification. 1.4. BIDDERS’ CONFERENCE: A bidders’ conference will not be held. 1.5. QUESTION AND ANSWER PERIOD: Any vendor requiring clarification of any section of this RFP or wishing to comment on any requirement of the RFP must submit specific questions in writing no later than the deadline for question indicated on the first page of this RFP. Questions may be e-mailed to the point of contact on the front page of this RFP. Questions or comments not raised in writing on or before the last day of the question period are thereafter waived. At the close of the question period a copy of all questions or comments and the State's responses will be posted on the State’s web site http://www.bgs.state.vt.us/pca/bids/bids.php . Every effort will be made to post this information as soon as possible after the question period ends, contingent on the number and complexity of the questions. 1.6. CHANGES TO THIS RFP: Any modifications to this RFP will be made in writing by the State through the issuance of an Addendum to this RFP and posted online at http://www.bgs.state.vt.us/pca/bids/bids.php . Verbal instructions or written instructions from any other source are not to be considered. 2. DETAILED REQUIREMENTS/DESIRED OUTCOMES: 2.1. The State is responsible for ensuring the security of its systems and the Internet traffic of their citizens. Managing SSL certificates is essential to both missions. 2.2. A Managed SSL Service is a hosted service (“the Service”) that supports the issuance and management of OrganizationSSL (OV) certificates, OrganizationSSL (OV) Wildcard certificates, ExtendedSSL (EV) certificates, IntranetSSL certificates, CloudSSL certificates and other certificates that may be added to the Service (collectively “MSSL Certificates”) and are issued using company information and domain names previously vetted and registered in the Service. Certificates are managed through a web-based interface or via APIs. 2.3. The Service provides SSL certificate issuance and lifecycle management capabilities through a web-based user interface. The Certificate Administrator or his/her designee may: 1. Submit new or modified organizational information, in the form of a “Profile”, for vetting 2. Submit domains for vetting against one of the existing profiles to validate manually 3. Submit and then approve domains against one of the existing profiles using one of the provided domain validation methods. Profile and domain re-vetting shall be performed periodically. 2.4. The State of Vermont is interested in obtaining bids to meet the following business need(s): 2.4.1. A Licensing Agreement to manage up to 650 unique SANs annually and Secure Sockets Layer (SSL) certificates for website domains. 2.4.2. Contractor shall be paid annually as outlined in the Price Schedule. 3. GENERAL REQUIREMENTS: 3.1. PRICING: Bidders must price the terms of this solicitation at their best pricing. Any and all costs that Bidder wishes the State to consider must be submitted for consideration. If applicable, all equipment pricing is to include F.O.B. delivery to the ordering facility. No request for extra delivery cost will be honored. All equipment shall be delivered assembled, serviced, and ready for immediate use, unless otherwise requested by the State. http://www.bgs.state.vt.us/pca/bids/bids.php http://www.bgs.state.vt.us/pca/bids/bids.php Page 3 of 28 3.1.1. Prices and/or rates shall remain firm for the initial term of the contract. The pricing policy submitted by Bidder must (i) be clearly structured, accountable, and auditable and (ii) cover the full spectrum of materials and/or services required. 3.1.2. Cooperative Agreements. Bidders that have been awarded similar contracts through a competitive bidding process with another state and/or cooperative are welcome to submit the pricing in response to this solicitation. 3.1.3. Retainage. In the discretion of the State, a contract resulting from this RFP may provide that the State withhold a percentage of the total amount payable for some or all deliverables, such retainage to be payable upon satisfactory completion and State acceptance in accordance with the terms and conditions of the contract. 3.2. STATEMENT OF RIGHTS: The State shall have the authority to evaluate Responses and select the Bidder(s) as may be determined to be in the best interest of the State and consistent with the goals and performance requirements outlined in this RFP. The State of Vermont reserves the right to obtain clarification or additional information necessary to properly evaluate a proposal. Failure of vendor to respond to a request for additional information or clarification could result in rejection of that vendor's proposal. To secure a project that is deemed to be in the best interest of the State, the State reserves the right to accept or reject any and all bids, in whole or in part, with or without cause, and to waive technicalities in submissions. The State also reserves the right to make purchases outside of the awarded contracts where it is deemed in the best interest of the State. 3.2.1. Best and Final Offer (BAFO). At any time after submission of Responses and prior to the final selection of Bidder(s) for Contract negotiation or execution, the State may invite Bidder(s) to provide a BAFO. The state reserves the right to request BAFOs from only those Bidders that meet the minimum qualification requirements and/or have not been eliminated from consideration during the evaluation process. 3.2.2. Presentation. An in-person or webinar presentation by the Bidder may be required by the State if it will help the State’s evaluation process. The State will factor information presented during presentations into the evaluation. Bidders will be responsible for all costs associated with providing the presentation. 3.3. WORKER CLASSIFICATION COMPLIANCE REQUIREMENTS: In accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), Bidders must comply with the following provisions and requirements. 3.3.1. Self Reporting: For bid amounts exceeding $250,000.00, Bidder shall complete the appropriate section in the attached Certificate of Compliance for purposes of self-reporting information relating to past violations, convictions, suspensions, and any other information related to past performance relative to coding and classification of workers. The State is requiring information on any violations that occurred in the previous 12 months. 3.3.2. Subcontractor Reporting: For bid amounts exceeding $250,000.00, Bidders are hereby notified that upon award of contract, and prior to contract execution, the State shall be provided with a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54). This requirement does not apply to subcontractors providing supplies only and no labor to the overall contract or project. This list MUST be updated and provided to the State as additional subcontractors are hired. A sample form is available online at http://bgs.vermont.gov/purchasing-contracting/forms. The subcontractor reporting form is not required to be submitted with the bid response. 3.4. EXECUTIVE ORDER 05-16: CLIMATE CHANGE CONSIDERATIONS IN STATE PROCUREMENTS: For bid amounts exceeding $25,000.00 Bidders are requested to complete the Climate Change Considerations in State Procurements Certification, which is included in the Certificate of Compliance for this RFP. After consideration of all relevant factors, a bidder that demonstrates business practices that promote clean energy and address climate change as identified in the Certification, shall be given favorable consideration in the competitive bidding process. Such favorable consideration shall be consistent with and not supersede any preference given to resident bidders of the State and/or products raised or Page 4 of 28 manufactured in the State, as explained in the Method of Award section. But, such favorable consideration shall not be employed if prohibited by law or other relevant authority or agreement. 3.5. METHOD OF AWARD: Awards will be made in the best interest of the State. The State may award one or more contracts and reserves the right to make additional awards to other compliant bidders at any time if such award is deemed to be in the best interest of the State. All other considerations being equal, preference will be given first to resident bidders of the state and/or to products raised or manufactured in the state, and then to bidders who have practices that promote clean energy and address climate change, as identified in the applicable Certificate of Compliance. 3.5.1. Evaluation Criteria: Consideration shall be given to the Bidder’s project approach and methodology, qualifications and experience, ability to provide the services within the defined timeline, cost, and/or success in completing similar projects, as applicable. 3.6. CONTRACT NEGOTIATION: Upon completion of the evaluation process, the State may select one or more Vendors with which to negotiate a contract, based on the evaluation findings and other criteria deemed relevant for ensuring that the decision made is in the best interest of the State. In the event State is not successful in negotiating a contract with a selected Vendor, the State reserves the option of negotiating with another Vendor, or to end the proposal process entirely. 3.7. COST OF PREPARATION: Bidder shall be solely responsible for all expenses incurred in the preparation of a response to this RFP and shall be responsible for all expenses associated with any presentations or demonstrations associated with this request and/or any proposals made. 3.8. CONTRACT TERMS: The selected bidder(s) will be expected to sign a contract with the State, including the Standard Contract Form and Attachment C as attached to this RFP for reference. If IT Attachment D is included in this RFP, terms may be modified based upon the solution proposed by the Bidder, subject to approval by the Agency of Digital Services. 3.8.1. Business Registration. To be awarded a contract by the State of Vermont a vendor (except an individual doing business in his/her own name) must be registered with the Vermont Secretary of State’s office http://www.sec.state.vt.us/tutor/dobiz/forms/fcregist.htm and must obtain a Contractor’s Business Account Number issued by the Vermont Department of Taxes http://tax.vermont.gov/ . 3.8.2. The contract will obligate the bidder to provide the services and/or products identified in its bid, at the prices listed. 3.8.3. Payment Terms. All invoices are to be rendered by the Contractor on the vendor's standard billhead and forwarded directly to the institution or agency ordering materials or services and shall specify the address to which payments will be sent. Payment terms are Net 30 days from receipt of an error-free invoice with all applicable supporting documentation. Percentage discounts may be offered for prompt payments of invoices; however, such discounts must be in effect for a period of 30 days or more in order to be considered in making awards. 3.8.4. Quality. If applicable, all products provided under a contract with the State will be new and unused, unless otherwise stated. Factory seconds or remanufactured products will not be accepted unless specifically requested by the purchasing agency. All products provided by the contractor must meet all federal, state, and local standards for quality and safety requirements. Products not meeting these standards will be deemed unacceptable and returned to the contractor for credit at no charge to the State. 3.9. DEMONSTRATION: An in-person or webinar demonstration by the Vendor may be required by the State if it will help the State’s evaluation process. The State will factor information presented during demonstrations into the evaluation. Vendors will be responsible for all costs associated with the providing the demonstration. 3.10. INDEPENDENT REVIEW: Certain State information technology projects require independent expert review as described under 3 V.S.A. § 3303(d). Such review, if applicable, will inform the State’s decision to award any contract(s) resulting from this RFP 4. CONTENT AND FORMAT OF RESPONSES: The content and format requirements listed below are the minimum requirements for State evaluation. These requirements are not intended to limit the content of a Bidder’s proposal. Bidders may include additional information or offer alternative solutions for the State’s consideration. However, the State discourages overly lengthy and costly proposals, and Bidders are advised to include only such information in their response as may be relevant to the requirements of this RFP. http://www.sec.state.vt.us/tutor/dobiz/forms/fcregist.htm http://tax.vermont.gov/ Page 5 of 28 4.1. Unsolicited Bidder-Confidential Information Prohibited. Bidders are hereby expressly directed not to include any confidential information in their proposal submissions. Additionally, Bidders must provide a redacted copy of the portions of their proposal that are permitted to contain confidential information. By submitting a proposal in response to this RFP, Bidders acknowledge and agree to abide by the terms and conditions outlined in this document, including the prohibition on submitting confidential information. 4.2. Disclosure of Proposals and Related Materials. All information received by the State in response to this RFP will become part of the contract file and subject to disclosure as required by the Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq., other law, court order, or a federal funding partner. This includes materials permitted to be marked as confidential, and for which a redacted copy has been provided, although the State agrees to take reasonable steps to protect such information consistent with those authorities. 4.3. State Not Responsible for Disclosure of Unsolicited, Unmarked, or Unredacted Bidder-Confidential Information. It is the sole responsibility of the Bidder to ensure that information it considers confidential is not included in their proposal materials except where specifically permitted by this RFP. The State shall have no responsibility for Bidder’s unsolicited or unmarked or unredacted disclosure of information that Bidder believes should not be publicly disclosed, including any 1) trade secrets or intellectual property, 2) proprietary financial or business information, 3) personal information, or 4) any other information that should not be disclosed to the public. For example, Bidders should avoid including in their proposal materials any details of their proprietary technologies or methodologies that they consider confidential. Further, any references to previous client engagements should be presented in a manner that does not disclose the client's confidential information. 4.4. The bid should include a Cover Letter and Technical Response and Price Schedule. 4.5. COVER LETTER: 4.5.1. Exceptions to Contract Terms and Conditions. If a Bidder wishes to propose an exception to any terms and conditions set forth in the Standard Contract Form and its attachments, such exceptions must be included in the cover letter to the RFP response. Failure to note exceptions when responding to the RFP will be deemed to be acceptance of the State contract terms and conditions. If exceptions are not noted in the response to this RFP but raised during contract negotiations, the State reserves the right to cancel the negotiation if deemed to be in the best interests of the State. Note that exceptions to contract terms may cause rejection of the proposal. 4.6. TECHNICAL RESPONSE. In response to this RFP, a Bidder shall: 4.6.1. Provide details concerning your form of business organization, company size and resources. 4.6.2. Describe your capabilities and particular experience relevant to the RFP requirements. 4.6.2.1. Identify all current or past State projects. 4.6.3. Identify the names of all subcontractors you intend to use, the portions of the work the subcontractors will perform, and address the background and experience of the subcontractor(s), as per RFP section 4.3.2 above. 4.7. REFERENCES. Provide the names, addresses, and phone numbers of at least three companies with whom you have transacted similar business in the last 12 months. You must include contact names who can talk knowledgeably about performance. 4.8. REPORTING REQUIREMENTS: Provide a sample of any reporting documentation that may be applicable to the Detailed Requirements of this RFP. 4.9. PRICE SCHEDULE: Bidders shall submit their pricing information in the Price Schedule attached to the RFP. 4.10. CERTIFICATE OF COMPLIANCE: This form must be completed and submitted as part of the response for the proposal to be considered valid. 5. SUBMISSION INSTRUCTIONS: 5.1. CLOSING DATE: Bids must be received by the State by the due date specified on the front page of this RFP. Late bids will not be considered. Page 6 of 28 5.1.1. The State may, for cause, issue an addendum to change the date and/or time when bids are due. If a change is made, the State will inform all bidders by posting it on the webpage indicated on the front page of this RFP. 5.2. BID DELIVERY INSTRUCTIONS: 5.2.1. ELECTRONIC: Electronic bids will be accepted. 5.2.1.1. E-MAIL BIDS. Emailed bids will be accepted. Bids will be accepted via email submission to SOV.ThePathForward@vermont.gov. Bids must consist of a single email with a single, digitally searchable PDF attachment containing all components of the bid. Multiple emails and/or multiple attachments will not be accepted. There is an attachment size limit of 40 MB. It is the Bidder’s responsibility to compress the PDF file containing its bid if necessary in order to meet this size limitation. 5.2.1.2. FAX BIDS: Faxed bids will not be accepted. 5.2.2. NUMBER OF COPIES: 5.2.3. Submit an original copy (clearly marked as such). 6. BID SUBMISSION CHECKLIST:  Cover Letter  Technical Response  Redacted Technical Response  References  Price Schedule  Signed Certificate of Compliance 7. ATTACHMENTS: 7.1. Certificate of Compliance 7.2. Price Schedule 7.3. Standard State Contract with its associated attachments mailto:SOV.ThePathForward@vermont.gov Page 7 of 28 RFP/PROJECT: SSL Certification Licensing DATE: Page 1 of 3 CERTIFICATE OF COMPLIANCE For a bid to be considered valid, this form must be completed in its entirety, executed by a duly authorized representative of the bidder, and submitted as part of the response to the proposal. A. NON COLLUSION: Bidder hereby certifies that the prices quoted have been arrived at without collusion and that no prior information concerning these prices has been received from or given to a competitive company. If there is sufficient evidence to warrant investigation of the bid/contract process by the Office of the Attorney General, bidder understands that this paragraph might be used as a basis for litigation. B. CONTRACT TERMS: Bidder hereby acknowledges that is has read, understands and agrees to the terms of this RFP, including Attachment C: Standard State Contract Provisions, and any other contract attachments included with this RFP. C. WORKER CLASSIFICATION COMPLIANCE REQUIREMENT: In accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), the following provisions and requirements apply to Bidder when the amount of its bid exceeds $250,000.00. Self-Reporting. Bidder hereby self-reports the following information relating to past violations, convictions, suspensions, and any other information related to past performance relative to coding and classification of workers, that occurred in the previous 12 months. Summary of Detailed Information Date of Notification Outcome Subcontractor Reporting. Bidder hereby acknowledges and agrees that if it is a successful bidder, prior to execution of any contract resulting from this RFP, Bidder will provide to the State a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), and Bidder will provide any update of such list to the State as additional subcontractors are hired. Bidder further acknowledges and agrees that the failure to submit subcontractor reporting in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54) will constitute non-compliance and may result in cancellation of contract and/or restriction from bidding on future state contracts. Page 8 of 28 RFP/PROJECT: SSL Certification Licensing DATE: Page 2 of 3 D. Executive Order 05 – 16: Climate Change Considerations in State Procurements Certification Bidder certifies to the following (Bidder may attach any desired explanation or substantiation. Please also note that Bidder may be asked to provide documentation for any applicable claims): 1. Bidder owns, leases or utilizes, for business purposes, space that has received:  Energy Star® Certification  LEED®, Green Globes®, or Living Buildings ChallengeSM Certification  Other internationally recognized building certification: ____________________________________________________________________________ 2. Bidder has received incentives or rebates from an Energy Efficiency Utility or Energy Efficiency Program in the last five years for energy efficient improvements made at bidder’s place of business. Please explain: _____________________________________________________________________________ 3. Please Check all that apply:  Bidder can claim on-site renewable power or anaerobic-digester power (“cow-power”). Or bidder consumes renewable electricity through voluntary purchase or offset, provided no such claimed power can be double-claimed by another party.  Bidder uses renewable biomass or bio-fuel for the purposes of thermal (heat) energy at its place of business.  Bidder’s heating system has modern, high-efficiency units (boilers, furnaces, stoves, etc.), having reduced emissions of particulate matter and other air pollutants.  Bidder tracks its energy consumption and harmful greenhouse gas emissions. What tool is used to do this? _____________________  Bidder promotes the use of plug-in electric vehicles by providing electric vehicle charging, electric fleet vehicles, preferred parking, designated parking, purchase or lease incentives, etc..  Bidder offers employees an option for a fossil fuel divestment retirement account.  Bidder offers products or services that reduce waste, conserve water, or promote energy efficiency and conservation. Please explain: ____________________________________________________________________________ ____________________________________________________________________________ 1. Please list any additional practices that promote clean energy and take action to address climate change: _____________________________________________________________________________ ____________________________________________________________________________ _____________________________________________________________________________ Page 9 of 28 RFP/PROJECT: SSL Certification Licensing DATE: Page 3 of 3 E. Executive Order 02 – 22: Solidarity with the Ukrainian People  By checking this box, Bidder certifies that none of the goods, products, or materials offered in response to this solicitation are Russian-sourced goods or produced by Russian entities. If Bidder is unable to check the box, it shall indicate in the table below which of the applicable offerings are Russian-sourced goods and/or which are produced by Russian entities. An additional column is provided for any note or comment that you may have. Provided Equipment or Product Note or Comment Bidder Name: Contact Name: Address: Fax Number: Telephone: E-Mail: By: Name: Signature of Bidder (or Representative) (Type or Print) END OF CERTIFICATE OF COMPLIANCE Page 10 of 28 PRICE SCHEDULE A. Fixed Price Deliverables: Deliverable Description Annual Price Total Year 1-3 License Agreement – Year 1 -3 $ Total Cost Contract Year 1 -3 $ B. This contract can be extended up to one (1) additional 2-year period with mutual agreement between both parties. Through an executed Amendment the following Option Years shall be added to the Contract: Deliverable Description Annual Price Total Year 4 & 5 License Agreement –Year 4 & Year 5 $ Total Cost Year 4 & 5 $ Page 11 of 28 STANDARD CONTRACT FOR SERVICES 1. Parties. This is a contract for services between the State of Vermont, _____________ (hereinafter called “State”), and _____________, with a principal place of business in _____________, (hereinafter called “Contractor”). Contractor’s form of business organization is _____________. It is Contractor’s responsibility to contact the Vermont Department of Taxes to determine if, by law, Contractor is required to have a Vermont Department of Taxes Business Account Number. 2. Subject Matter. The subject matter of this contract is services generally on the subject of SSL Certification Licensing. Detailed services to be provided by Contractor are described in Attachment A. 3. Maximum Amount. In consideration of the services to be performed by Contractor, the State agrees to pay Contractor, in accordance with the payment provisions specified in Attachment B, a sum not to exceed $________.00. 4. Contract Term. The period of Contractor’s performance shall begin on _____________, 20__ and end on _____________, 20__. 5. Prior Approvals. This Contract shall not be binding unless and until all requisite prior approvals have been obtained in accordance with current State law, bulletins, and interpretations. 6. Amendment. No changes, modifications, or amendments in the terms and conditions of this contract shall be effective unless reduced to writing, numbered and signed by the duly authorized representative of the State and Contractor. 7. Termination for Convenience. This contract may be terminated by the State at any time by giving written notice at least thirty (30) days in advance. In such event, Contractor shall be paid under the terms of this contract for all services provided to and accepted by the State prior to the effective date of termination. 8. Primary Contacts. The Parties will keep and maintain current at all times a primary point of contact for this Agreement, which are presently as follows: a. For the Contractor: Name: ______________ Phone: ______________ Email: ______________ b. For the State: Name: ______________ Phone: _____________ Email: ______________ 9. Attachments. This contract consists of ___ pages including the following attachments which are incorporated herein: Page 12 of 28 Attachment A - Statement of Work Attachment B - Payment Provisions Attachment C – “Standard State Provisions for Contracts and Grants” a preprinted form (revision date 12/7/2023) Attachment D - Other Provisions Additional attachments may be lettered as necessary 10. Order of Precedence. Any ambiguity, conflict or inconsistency between the documents comprising this contract shall be resolved according to the following order of precedence: (1) Standard Contract (2) Attachment D (3) Attachment C (Standard Contract Provisions for Contracts and Grants) (4) Attachment A (5) Attachment B List other attachments, if any, in order of precedence Page 13 of 28 WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS CONTRACT By the State of Vermont: By the Contractor: Date: Date: Signature: Signature: Name: Name: Title: Title: Page 14 of 28 ATTACHMENT A – STATEMENT OF WORK 1. The Contractor shall provide a Managed SSL hosted service (“the Service”) that supports the issuance and management of OrganizationSSL (OV) certificates, OrganizationSSL (OV) Wildcard certificates, ExtendedSSL (EV) certificates, IntranetSSL certificates, CloudSSL certificates and other certificates that may be added to the Service (collectively “MSSL Certificates”) and are issued using company information and domain names previously vetted and registered in the Service. Certificates are managed through a web-based interface or via APIs. 2. The Service provides SSL certificate issuance and lifecycle management capabilities through a web-based user interface. The Certificate Administrator or his/her designee may: a) Submit new or modified organizational information, in the form of a “Profile”, for vetting b) Submit domains for vetting against one of the existing profiles to validate manually c) Submit and then approve domains against one of the existing profiles using one of the provided domain validation methods. 3. Profile and domain re-vetting shall be performed periodically. Page 15 of 28 ATTACHMENT B – PAYMENT PROVISIONS The maximum dollar amount payable under this contract is not intended as any form of a guaranteed amount. The Contractor will be paid for products or services actually delivered or performed, as specified in Attachment A, up to the maximum allowable amount specified on page 1 of this contract. 1. Prior to commencement of work and release of any payments, Contractor shall submit to the State: a. a certificate of insurance consistent with the requirements set forth in Attachment C, Section 8 (Insurance), and with any additional requirements for insurance as may be set forth elsewhere in this contract; and b. a current IRS Form W-9 (signed within the last six months). 2. Payment terms are Net 30 days from the date the State receives an error-free invoice with all necessary and complete supporting documentation. 3. Contractor shall submit detailed invoices itemizing all work performed during the invoice period, including the dates of service, rates of pay, hours of work performed, and any other information and/or documentation appropriate and sufficient to substantiate the amount invoiced for payment by the State. All invoices must include the Contract # for this contract. 4. Contractor shall submit invoices to the State in accordance with the schedule set forth in this Attachment B. Unless a more particular schedule is provided herein, invoices shall be submitted not more frequently than monthly. 5. Invoices shall be submitted to the State at the following address: ADS.ITPurchasing@vermont.gov. Agency of Digital Services One National Life Drive, 2nd Floor, Dewey Building Montpelier, VT 05602-2102 6. The payment schedule for delivered products, or rates for services performed, and any additional reimbursements, are as follows: Deliverable Description Annual Price Total Year 1-3 License Agreement – Year 1 -3 $ Total Cost Contract Year 1 -3 $ Deliverable Description Annual Price Total Year 4 & 5 License Agreement –Year 4 & Year 5 $ Total Cost Year 4 & 5 $ mailto:ADS.ITPurchasing@vermont.gov Page 16 of 28 ATTACHMENT C: STANDARD STATE PROVISIONS FOR CONTRACTS AND GRANTS REVISED DECEMBER 7, 2023 1. Definitions: For purposes of this Attachment, “Party” shall mean the Contractor, Grantee, or Subrecipient, with whom the State of Vermont is executing this Agreement and consistent with the form of the Agreement. “Agreement” shall mean the specific contract or grant to which this form is attached. 2. Entire Agreement: This Agreement, whether in the form of a contract, State-funded grant, or Federally-funded grant, represents the entire agreement between the parties on the subject matter. All prior agreements, representations, statements, negotiations, and understandings shall have no effect. Where an authorized individual is either required to click-through or otherwise accept, or made subject to, any electronic terms and conditions to use or access any product or service provided hereunder, such terms and conditions are not binding and shall have no force or effect. Further, any terms and conditions of Party’s invoice, acknowledgment, confirmation, or similar document, shall not apply, and any such terms and conditions on any such document are objected to without need of further notice or objection. 3. Governing Law, Jurisdiction and Venue; No Waiver of Jury Trial: This Agreement will be governed by the laws of the State of Vermont without resort to conflict of laws principles. Any action or proceeding brought by either the State or the Party in connection with this Agreement shall be brought and enforced in the Superior Court of the State of Vermont, Civil Division, Washington Unit. The Party irrevocably submits to the jurisdiction of this court for any action or proceeding regarding this Agreement. The Party agrees that it must first exhaust any applicable administrative remedies with respect to any cause of action that it may have against the State regarding its performance under this Agreement. Party agrees that the State shall not be required to submit to binding arbitration or waive its right to a jury trial. 4. Sovereign Immunity: The State reserves all immunities, defenses, rights, or actions arising out of the State’s sovereign status or under the Eleventh Amendment to the United States Constitution. No waiver of the State’s immunities, defenses, rights, or actions shall be implied or otherwise deemed to exist by reason of the State’s entry into this Agreement. 5. No Employee Benefits For Party: The Party understands that the State will not provide any individual retirement benefits, group life insurance, group health and dental insurance, vacation or sick leave, workers compensation or other benefits or services available to State employees, nor will the State withhold any state or Federal taxes except as required under applicable tax laws, which shall be determined in advance of execution of the Agreement. The Party understands that all tax returns required by the Internal Revenue Code and the State of Vermont, including but not limited to income, withholding, sales and use, and rooms and meals, must be filed by the Party, and information as to Agreement income will be provided by the State of Vermont to the Internal Revenue Service and the Vermont Department of Taxes. 6. Independence: The Party will act in an independent capacity and not as officers or employees of the State. 7. Defense and Indemnity: Page 17 of 28 A. The Party shall defend the State and its officers and employees against all third-party claims or suits arising in whole or in part from any act or omission of the Party or of any agent of the Party in connection with the performance of this Agreement. The State shall notify the Party in the event of any such claim or suit, and the Party shall immediately retain counsel and otherwise provide a complete defense against the entire claim or suit. The State retains the right to participate at its own expense in the defense of any claim. The State shall have the right to approve all proposed settlements of such claims or suits. B. After a final judgment or settlement, the Party may request recoupment of specific defense costs and may file suit in Washington Superior Court requesting recoupment. The Party shall be entitled to recoup costs only upon a showing that such costs were entirely unrelated to the defense of any claim arising from an act or omission of the Party in connection with the performance of this Agreement. C. The Party shall indemnify the State and its officers and employees if the State, its officers, or employees become legally obligated to pay any damages or losses arising from any act or omission of the Party or an agent of the Party in connection with the performance of this Agreement. D. Notwithstanding any contrary language anywhere, in no event shall the terms of this Agreement or any document furnished by the Party in connection with its performance under this Agreement obligate the State to (1) defend or indemnify the Party or any third party, or (2) otherwise be liable for the expenses or reimbursement, including attorneys’ fees, collection costs or other costs of the Party or any third party. 8. Insurance: During the term of this Agreement, Party, at its expense, shall maintain in full force and effect the insurance coverages set forth in the Vermont State Insurance Specification in effect at the time of incorporation of this Attachment C into this Agreement. The terms of the Vermont State Insurance Specification are hereby incorporated by reference into this Attachment C as if fully set forth herein. A copy of the Vermont State Insurance Specification is available at: https://aoa.vermont.gov/RiskClaims-COI. 9. Reliance by the State on Representations: All payments by the State under this Agreement will be made in reliance upon the accuracy of all representations made by the Party in accordance with this Agreement, including but not limited to bills, invoices, progress reports, and other proofs of work. 10. False Claims Act: Any liability to the State under the Vermont False Claims Act (32 V.S.A. § 630 et seq.) shall not be limited notwithstanding any agreement of the State to otherwise limit Party’s liability. 11. Whistleblower Protections: The Party shall not discriminate or retaliate against one of its employees or agents for disclosing information concerning a violation of law, fraud, waste, abuse of authority, or acts threatening health or safety, including but not limited to allegations concerning the False Claims Act. Further, the Party shall not require such employees or agents to forego monetary awards as a result of such disclosures, nor should they be required to report misconduct to the Party or its agents prior to reporting to any governmental entity and/or the public. 12. Use and Protection of State Information: A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain https://aoa.vermont.gov/Risk-Claims-COI https://aoa.vermont.gov/Risk-Claims-COI https://aoa.vermont.gov/Risk-Claims-COI Page 18 of 28 State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. Page 19 of 28 G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and- directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation. 13. Records Available for Audit: The Party shall maintain all records pertaining to performance under this Agreement. “Records” means any written or recorded information, regardless of physical form or characteristics, which is produced or acquired by the Party in the performance of this Agreement. Records produced or acquired in a machine-readable electronic format shall be maintained in that format. The records described shall be made available at reasonable times during the period of this Agreement and for three years thereafter or for any period required by law for inspection by any authorized representatives of the State or Federal Government. If any litigation, claim, or audit is started before the expiration of the three-year period, the records shall be retained until all litigation, claims, or audit findings involving the records have been resolved. 14. Fair Employment Practices and Americans with Disabilities Act: Party agrees to comply with the requirement of 21 V.S.A. Chapter 5, Subchapter 6, relating to fair employment practices, to the full extent applicable, and shall include this provision in all subcontracts for work performed in Vermont. Party shall also ensure, to the full extent required by the Americans with Disabilities Act of 1990, as amended, that qualified individuals with disabilities receive equitable access to the services, programs, and activities provided by the Party under this Agreement. 15. Offset: The State may offset any sums which the Party owes the State against any sums due the Party under this Agreement; provided, however, that any offset of amounts due the State of Vermont as taxes shall be in accordance with the procedures more specifically provided in 32 V.S.A. § 3113. 16. Taxes Due to the State: Party certifies under the pains and penalties of perjury that, as of the date this Agreement is signed, the Party is in good standing with respect to, or in full compliance with, a plan to pay any and all taxes due the State of Vermont. 17. Taxation of Purchases: All State purchases must be invoiced tax free. An exemption certificate will be furnished upon request with respect to otherwise taxable items. 18. Child Support: (Only applicable if the Party is a natural person, not a corporation or partnership.) Party states that, as of the date this Agreement is signed, Party is not under an obligation to pay child support or is in good standing with respect to or in full compliance with a plan to pay any and all child support payable under a support order. Party makes this statement with regard to support owed to any and all children residing in Vermont. In addition, if the Party is a resident of Vermont, Party makes this statement with regard to support owed to any and all children residing in any other state or territory of the United States. https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives Page 20 of 28 19. Sub-Agreements: Party shall not assign, subcontract, or subgrant the performance of this Agreement or any portion thereof to any other Party without the prior written approval of the State. Party shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing work under this Agreement pursuant to an agreement with Party or any subcontractor. In the case this Agreement is a contract with a total cost in excess of $250,000, the Party shall provide to the State a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54), as amended by Section 17 of Act No. 142 (2010) and by Section 6 of Act No. 50 (2011). Party shall include the following provisions of this Attachment C in all subcontracts for work performed solely for the State of Vermont and subcontracts for work performed in the State of Vermont: Section 10 (“False Claims Act”); Section 11 (“Whistleblower Protections”); Section 12 (“Confidentiality and Protection of State Information”); Section 14 (“Fair Employment Practices and Americans with Disabilities Act”); Section 16 (“Taxes Due the State”); Section 18 (“Child Support”); Section 20 (“No Gifts or Gratuities”); Section 22 (“Certification Regarding Debarment”); Section 30 (“State Facilities”); and Section 32.A (“Certification Regarding Use of State Funds”). 20. No Gifts or Gratuities: Party shall not give title or possession of anything of substantial value (including property, currency, travel, and/or education programs) to any officer or employee of the State during the term of this Agreement. 21. Regulation of Hydrofluorocarbons: Party confirms that all products provided to or for the use of the State under this Agreement shall not contain hydrofluorocarbons, as prohibited under 10 V.S.A. § 586. 22. Certification Regarding Debarment: Party certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, neither Party nor Party’s principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible, or excluded from participation in Federal programs, or programs supported in whole or in part by Federal funds. Party further certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, Party is not presently debarred, suspended, nor named on the State’s debarment list at: https://bgs.vermont.gov/purchasing-contracting/debarment. 23. Conflict of Interest: Party shall fully disclose, in writing, any conflicts of interest or potential conflicts of interest. 24. Vermont Public Records Act: Party acknowledges and agrees that this Agreement, any and all information obtained by the State from the Party in connection with this Agreement, and any obligations of the State to maintain the confidentiality of information are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. 25. Force Majeure: Neither the State nor the Party shall be liable to the other for any failure or delay of performance of any obligations under this Agreement to the extent such failure or delay shall have been wholly or principally caused by acts or events beyond its reasonable control rendering performance illegal or impossible (excluding strikes or lockouts) (“Force Majeure”). Where Force Majeure is asserted, the nonperforming party must prove that it made all reasonable efforts to remove, eliminate or minimize such cause of delay or damages, diligently pursued performance of its https://bgs.vermont.gov/purchasing-contracting/debarment https://bgs.vermont.gov/purchasing-contracting/debarment Page 21 of 28 obligations under this Agreement, substantially fulfilled all non-excused obligations, and timely notified the other party of the likelihood or actual occurrence of an event described in this paragraph. 26. Marketing: Party shall not use the State’s logo or otherwise refer to the State in any publicity materials, information pamphlets, press releases, research reports, advertising, sales promotions, trade shows, or marketing materials or similar communications to third parties except with the prior written consent of the State. 27. Termination: A. Non-Appropriation: If this Agreement extends into more than one fiscal year of the State (July 1 to June 30), and if appropriations are insufficient to support this Agreement, the State may cancel this Agreement at the end of the fiscal year, or otherwise upon the expiration of existing appropriation authority. In the case that this Agreement is funded in whole or in part by Federal funds, and in the event Federal funds become unavailable or reduced, the State may suspend or cancel this Agreement immediately, and the State shall have no obligation to pay Party from State revenues. B. Termination for Cause: Either party may terminate this Agreement if a party materially breaches its obligations under this Agreement, and such breach is not cured within thirty (30) days after delivery of the non-breaching party’s notice or such longer time as the non-breaching party may specify in the notice. C. Termination Assistance: Upon nearing the end of the final term or termination of this Agreement, without respect to cause, the Party shall take all reasonable and prudent measures to facilitate any transition required by the State. All State property, tangible and intangible, shall be returned to the State upon demand at no additional cost to the State in a format acceptable to the State. 28. Continuity of Performance: In the event of a dispute between the Party and the State, each party will continue to perform its obligations under this Agreement during the resolution of the dispute until this Agreement is terminated in accordance with its terms. 29. No Implied Waiver of Remedies: Either party’s delay or failure to exercise any right, power, or remedy under this Agreement shall not impair any such right, power, or remedy, or be construed as a waiver of any such right, power, or remedy. All waivers must be in writing. 30. State Facilities: If the State makes space available to the Party in any State facility during the term of this Agreement for purposes of the Party’s performance under this Agreement, the Party shall only use the space in accordance with all policies and procedures governing access to, and use of, State facilities, which shall be made available upon request. State facilities will be made available to Party on an “AS IS, WHERE IS” basis, with no warranties whatsoever. 31. Requirements Pertaining Only to Federal Grants and Subrecipient Agreements: If this Agreement is a grant that is funded in whole or in part by Federal funds: A. Requirement to Have a Single Audit: The Subrecipient will complete the Subrecipient Annual Report annually within 45 days after its fiscal year end, informing the State of Vermont whether or not a Single Audit is required for the prior fiscal year. If a Single Audit is required, the Subrecipient will submit a copy of the audit report to the Federal Audit Clearinghouse within nine months. If a single audit is not required, only the Subrecipient Annual Report is required. A Page 22 of 28 Single Audit is required if the subrecipient expends $750,000 or more in Federal assistance during its fiscal year and must be conducted in accordance with 2 CFR Chapter I, Chapter II, Part 200, Subpart F. The Subrecipient Annual Report is required to be submitted within 45 days, whether or not a Single Audit is required. B. Internal Controls: In accordance with 2 CFR Part II, §200.303, the Party must establish and maintain effective internal control over the Federal award to provide reasonable assurance that the Party is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission. C. Mandatory Disclosures: In accordance with 2 CFR Part II, §200.113, Party must disclose, in a timely manner, in writing to the State, all violations of Federal criminal law involving fraud, bribery, or gratuity violations potentially affecting the Federal award. Failure to make required disclosures may result in the imposition of sanctions which may include disallowance of costs incurred, withholding of payments, termination of the Agreement, suspension/debarment, etc. 32. Requirements Pertaining Only to State-Funded Grants: A. Certification Regarding Use of State Funds: If Party is an employer and this Agreement is a State-funded grant in excess of $1,000, Party certifies that none of these State funds will be used to interfere with or restrain the exercise of Party’s employee’s rights with respect to unionization. B. Good Standing Certification (Act 154 of 2016): If this Agreement is a State-funded grant, Party hereby represents: (i) that it has signed and provided to the State the form prescribed by the Secretary of Administration for purposes of certifying that it is in good standing (as provided in Section 13(a)(2) of Act 154) with the Agency of Natural Resources and the Agency of Agriculture, Food and Markets, or otherwise explaining the circumstances surrounding the inability to so certify; and (ii) that it will comply with the requirements stated therein. (End of Standard Provisions) Page 23 of 28 ATTACHMENT D INFORMATION TECHNOLOGY PROFESSIONAL SERVICES TERMS AND CONDITIONS (rev. 01/12/2024) 1. OWNERSHIP AND LICENSE IN DELIVERABLES 1.1 Contractor Intellectual Property. Contractor shall retain all right, title and interest in and to any work, ideas, inventions, discoveries, tools, methodology, computer programs, processes and improvements and any other intellectual property, tangible or intangible, that has been created by Contractor prior to entering into this Contract (“Contractor Intellectual Property”). Should the State require a license for the use of Contractor Intellectual Property in connection with the development or use of the items that Contractor is required to deliver to the State under this Contract, including Work Product (“Deliverables”), the Contractor shall grant the State a royalty-free license for such development and use. For the avoidance of doubt, Work Product shall not be deemed to include Contractor Intellectual Property, provided the State shall be granted an irrevocable, perpetual, non-exclusive royalty-free license to use any such Contractor Intellectual Property that is incorporated into Work Product. 1.2 State Intellectual Property. The State shall retain all right, title and interest in and to (i) all content and all property, data and information furnished by or on behalf of the State or any agency, commission or board thereof, and to all information that is created under this Contract, including, but not limited to, all data that is generated under this Contract as a result of the use by Contractor, the State or any third party of any technology systems or knowledge bases that are developed for the State and used by Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks, trade names, logos and other State identifiers, Internet uniform resource locators, State user name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this Contract (collectively, “State Intellectual Property”). Contractor may not use State Intellectual Property for any purpose other than as specified in this Contract. Upon expiration or termination of this Contract, Contractor shall return or destroy all State Intellectual Property and all copies thereof, and Contractor shall have no further right or license to such State Intellectual Property. Contractor acquires no rights or licenses, including, without limitation, intellectual property rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the Contractor claim any security interest in State Intellectual Property. 1.3 Work Product. All Work Product shall belong exclusively to the State, with the State having the sole and exclusive right to apply for, obtain, register, hold and renew, in its own name and/or for its own benefit, all patents and copyrights, and all applications and registrations, renewals and continuations thereof and/or any and all other appropriate protection. To the extent exclusive title and/or complete and exclusive ownership rights in and to any Work Product may not originally vest in the State by operation of law or otherwise as contemplated hereunder, Contractor shall immediately upon request, unconditionally and irrevocably assign, transfer and convey to the State all right, title and interest therein. “Work Product” means any tangible or intangible ideas, inventions, improvements, modifications, discoveries, development, customization, configuration, methodologies or processes, designs, models, drawings, photographs, reports, formulas, algorithms, patterns, devices, compilations, databases, computer programs, work of authorship, specifications, operating instructions, procedures manuals or other documentation, technique, know-how, secret, or intellectual property right whatsoever or any interest Page 24 of 28 therein (whether patentable or not patentable or registerable under copyright or similar statutes or subject to analogous protection), that is specifically made, conceived, discovered or reduced to practice by Contractor, either solely or jointly with others, pursuant to this Contract. Work Product does not include Contractor Intellectual Property or third party intellectual property. To the extent delivered under this Contract, upon full payment to Contractor in accordance with Attachment B, and subject to the terms and conditions contained herein, Contractor hereby (i) assigns to State all rights in and to all Deliverables, except to the extent they include any Contractor Intellectual Property; and (ii) grants to State a perpetual, non-exclusive, irrevocable, royalty-free license to use for State’s internal business purposes, any Contractor Intellectual Property included in the Deliverables in connection with its use of the Deliverables and, subject to the State’s obligations with respect to Confidential Information, authorize others to do the same on the State’s behalf. Except for the foregoing license grant, Contractor or its licensors retain all rights in and to all Contractor Intellectual Property. The Contractor shall not sell or copyright a Deliverable without explicit permission from the State. If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor Intellectual Property or Contractor Intellectual Property developed outside of this Contract with no assistance from State. 2. CONFIDENTIALITY AND NON-DISCLOSURE; SECURITY BREACH REPORTING 2.1 For purposes of this Contract, confidential information will not include information or material which (a) enters the public domain (other than as a result of a breach of this Contract); (b) was in the receiving party’s possession prior to its receipt from the disclosing party; (c) is independently developed by the receiving party without the use of confidential information; (d) is obtained by the receiving party from a third party under no obligation of confidentiality to the disclosing party; or (e) is not exempt from disclosure under applicable State law. 2.2 Confidentiality of Contractor Information. The Contractor acknowledges and agrees that this Contract and any and all Contractor information obtained by the State in connection with the performance of this Contract are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. The State will not disclose information for which a reasonable claim of exemption can be made pursuant to 1 V.S.A. § 317(c), including, but not limited to, trade secrets, proprietary information or financial information, including any formulae, plan, pattern, process, tool, mechanism, compound, procedure, production data, or compilation of information which is not patented, which is known only to the Contractor, and which gives the Contractor an opportunity to obtain business advantage over competitors who do not know it or use it. The State shall immediately notify Contractor of any request made under the Access to Public Records Act, or any request or demand by any court, governmental agency or other person asserting a demand or request for Contractor information. Contractor may, in its discretion, seek an appropriate protective order, or otherwise defend any right it may have to maintain the confidentiality of such information under applicable State law within three business days of the State’s receipt of any such request. Contractor agrees that it will not make any claim against the State if the State makes available to the public any information in accordance with the Access to Public Records Act or in response to a binding order from a court or governmental body or agency compelling its production. Contractor shall indemnify the State for any costs or expenses incurred by the State, including, but not limited to, attorneys’ fees awarded in accordance with 1 V.S.A. § 320, in connection with any action brought in connection with Contractor’s Page 25 of 28 attempts to prevent or unreasonably delay public disclosure of Contractor’s information if a final decision of a court of competent jurisdiction determines that the State improperly withheld such information and that the improper withholding was based on Contractor’s attempts to prevent public disclosure of Contractor’s information. The State agrees that (a) it will use the Contractor information only as may be necessary in the course of performing duties, receiving services or exercising rights under this Contract; (b) it will provide at a minimum the same care to avoid disclosure or unauthorized use of Contractor information as it provides to protect its own similar confidential and proprietary information; (c) except as required by the Access to Records Act, it will not disclose such information orally or in writing to any third party unless that third party is subject to a written confidentiality agreement that contains restrictions and safeguards at least as restrictive as those contained in this Contract; (d) it will take all reasonable precautions to protect the Contractor’s information; and (e) it will not otherwise appropriate such information to its own use or to the use of any other person or entity. Contractor may affix an appropriate legend to Contractor information that is provided under this Contract to reflect the Contractor’s determination that any such information is a trade secret, proprietary information or financial information at time of delivery or disclosure. 3. SECURITY OF STATE INFORMATION. 3.1 Security Standards. To the extent Contractor has access to, processes, handles, collects, transmits, stores or otherwise deals with State Data, the Contractor represents and warrants that it has implemented and it shall maintain during the term of this Contract the highest industry standard administrative, technical, and physical safeguards and controls consistent with NIST Special Publication 800-53 (version 4 or higher) and Federal Information Processing Standards Publication 200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect against any anticipated security threats or hazards to the security or integrity of the State Data; and (iii) protect against unauthorized access to or use of State Data. Such measures shall include at a minimum: (1) access controls on information systems, including controls to authenticate and permit access to State Data only to authorized individuals and controls to prevent the Contractor employees from providing State Data to unauthorized individuals who may seek to obtain this information (whether through fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption of electronic State Data while in transit from the Contractor networks to external networks; (4) measures to store in a secure fashion all State Data which shall include multiple levels of authentication; (5) dual control procedures, segregation of duties, and pre- employment criminal background checks for employees with responsibilities for or access to State Data; (6) measures to ensure that the State Data shall not be altered or corrupted without the prior written consent of the State; (7) measures to protect against destruction, loss or damage of State Data due to potential environmental hazards, such as fire and water damage; (8) staff training to implement the information security measures; and (9) monitoring of the security of any portions of the Contractor systems that are used in the provision of the services against intrusion on a twenty-four (24) hour a day basis. 3.2 Security Breach Notice and Reporting. The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below, which shall be made available to the State upon request. In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Contract, in the event of any actual security breach or reasonable belief of an actual Page 26 of 28 security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (a “Security Breach”), the Contractor shall notify the State within 24 hours of its discovery. Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security. Contractor shall report to the State: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. Contractor shall analyze and document the incident and provide all notices required by applicable law. In accordance with Section 9 V.S.A. §2435(b)(3), the Contractor shall notify the Office of the Attorney General, or, if applicable, Vermont Department of Financial Regulation (“DFR”), within fourteen (14) business days of the Contractor’s discovery of the Security Breach. The notice shall provide a preliminary description of the breach. The foregoing notice requirement shall be included in the subcontracts of any of Contractor’s subcontractors, affiliates or agents which may be “data collectors” hereunder. The Contractor agrees to fully cooperate with the State and assume responsibility at its own expense for the following, to be determined in the sole discretion of the State: (i) notice to affected consumers if the State determines it to be appropriate under the circumstances of any particular Security Breach, in a form recommended by the AGO; and (ii) investigation and remediation associated with a Security Breach, including but not limited to, outside investigation, forensics, counsel, crisis management and credit monitoring, in the sole determination of the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors. 4. CONTRACTOR’S REPRESENTATIONS AND WARRANTIES 4.1 General Representations and Warranties. The Contractor represents, warrants and covenants that: (i) The Contractor has all requisite power and authority to execute, deliver and perform its obligations under this Contract and the execution, delivery and performance of this Contract by the Contractor has been duly authorized by the Contractor. (ii) There is no pending litigation, arbitrated matter or other dispute to which the Contractor is a party which, if decided unfavorably to the Contractor, would reasonably be expected to have a material adverse effect on the Contractor’s ability to fulfill its obligations under this Contract. (iii) The Contractor will comply with all laws applicable to its performance of the services and otherwise to the Contractor in connection with its obligations under this Contract. (iv) The Contractor (a) owns, or has the right to use under valid and enforceable agreements, all intellectual property rights reasonably necessary for and related to delivery of the services and provision of the services as set forth in this Contract; (b) shall be responsible for and have full Page 27 of 28 authority to license all proprietary and/or third party software modules, including algorithms and protocols, that Contractor incorporates into its product; and (c) none of the services or other materials or technology provided by the Contractor to the State will infringe upon or misappropriate the intellectual property rights of any third party. (v) The Contractor has adequate resources to fulfill its obligations under this Contract. (vi) Neither Contractor nor Contractor’s subcontractors has past state or federal violations, convictions or suspensions relating to miscoding of employees in NCCI job codes for purposes of differentiating between independent contractors and employees. 4.2 Contractor’s Performance Warranties. Contractor represents and warrants to the State that: (i) Each and all of the services shall be performed in a timely, diligent, professional and skillful manner, in accordance with the highest professional or technical standards applicable to such services, by qualified persons with the technical skills, training and experience to perform such services in the planned environment. (ii) Any time software is delivered to the State, whether delivered via electronic media or the internet, no portion of such software or the media upon which it is stored or delivered will have any type of software routine or other element which is designed to facilitate unauthorized access to or intrusion upon; or unrequested disabling or erasure of; or unauthorized interference with the operation of any hardware, software, data or peripheral equipment of or utilized by the State. Without limiting the generality of the foregoing, if the State believes that harmful code may be present in any software delivered hereunder, Contractor will, upon State’s request, provide a new or clean install of the software. Notwithstanding the foregoing, Contractor assumes no responsibility for the State’s negligence or failure to protect data from viruses, or any unintended modification, destruction or disclosure. (iii) To the extent Contractor resells commercial hardware or software it purchased from a third party, Contractor will, to the extent it is legally able to do so, pass through any such third party warranties to the State and will reasonably cooperate in enforcing them. Such warranty pass- through will not relieve the Contractor from Contractor’s warranty obligations set forth herein. 5. REMEDIES FOR DEFAULT. In the event either party is in default under this Contract, the non- defaulting party may, at its option, pursue any or all of the remedies available to it under this Contract, including termination for cause, and at law or in equity. 6. TERMINATION 6.1. Contractor shall reasonably cooperate with other parties in connection with all services to be delivered under this Contract, including without limitation any successor provider to whom State Data, State Intellectual Property or other State information and materials are to be transferred in connection with termination. Contractor shall assist the State in exporting and extracting any and all State data, in a format usable without the use of the Services and as agreed to by State, at no additional cost. Any transition services requested by State involving additional knowledge transfer and support may be subject to a contract amendment for a fixed fee or at rates to be mutually agreed upon by the parties. If the State determines in its sole discretion that a documented transition plan is necessary, then no later than sixty (60) days prior to termination, Contractor and the State shall mutually prepare a Transition Plan identifying transition services to be provided. 6.2. Return of Property. Upon termination of this Contract for any reason whatsoever, Contractor shall immediately deliver to State all State Intellectual Property and State Data (including without limitation any Deliverables for which State has made payment in whole or in part), that are in the Page 28 of 28 possession or under the control of Contractor in whatever stage of development and form of recordation such State property is expressed or embodied at that time. 7. DESTRUCTION OF STATE DATA. At any time during the term of this Contract within thirty days of (i) the State’s written request or (ii) termination or expiration of this Contract for any reason, Contractor shall securely dispose of all copies, whether in written, electronic or other form or media, of State Data according to National Institute of Standards and Technology (NIST) approved methods, and certify in writing to the State that such State Data has been disposed of securely. Further, upon the relocation of State Data, Contractor shall securely dispose of such copies from the former data location according to National Institute of Standards and Technology (NIST) approved methods and certify in writing to the State that such State Data has been disposed of securely. Contractor shall comply with all reasonable directions provided by the State with respect to the disposal of State Data. 8. SOV Cybersecurity Standard Update 2023-01: Contractor confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard 2023-01, which prohibits the use of certain branded products in State information systems or any vendor system that is supporting State information systems, and is available on-line at: https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives