Payment Card Industry Data Security Standards (PCI DSS) Compliance Services

1 Request for Proposal (RFP) RFP No. 05222023 Payment Card Industry Data Security Standards (PCI DSS) Compliance Services RFP RELEASE DATE: May 22, 2023 PROPOSAL DUE DATE: June 23, 2023 PROPOSAL DUE TIME: 2:30 PM CST* BID OPENING EVENT: 2:30 PM CST SUBMIT ALL PROPOSALS TO: By USPS: University of Arkansas – Business Services UPTW Room 101 1 University of Arkansas Fayetteville, AR 72701 By FedEx, UPS or another private carrier to Physical Location: University of Arkansas – Business Services UPTW Room 101 1001 East Sain Street Fayetteville, AR 72703 Signature Required For Proposal Respondent complies with all articles of the Standard Terms and Conditions documents as counterpart to this RFP document, and with all articles within the RFP document. If Respondent receives the University’s purchase order, Respondent agrees to furnish the items and/or services listed herein at the prices and/or under the conditions as indicated in the RFP. Respondent Name: Mailing Address: City, State, Zip:

Telephone: Email: Authorized Signature: _______________________________________ Date: ______________ Typed/Printed Name of Signor: ________________________________ Title: ______________ *Under no circumstances will late bids be accepted. Failure to deliver by overnight carriers or other such methods shall not be taken into consideration. Bids MUST arrive and be time-stamped by the Procurement Office, located at: University of Arkansas – Business Services UPTW Room 101 1001 East Sain Street Fayetteville, AR 72703 prior to the due date/time specified in the RFP. RESPONDENT NAME, RFP NUMBER, AND PROPOSAL DUE DATE MUST BE CLEARLY NOTED ON OUTSIDE OF PACKAGE IN ORDER FOR BID TO BE 2 ACCEPTED. If planning to attend a bid opening event, please arrive in the building lobby prior to 2:30pm CST. In the event the University is closed to the public during a scheduled bid opening event, virtual access will be provided. Information on joining a virtual bid opening will be posted on HogBid prior to the bid opening date. INTERGOVERNMENTAL/COOPERATIVE USE OF COMPETITIVELY BID PROPOSALS AND CONTRACTS: In accordance with Arkansas Code Annotated § 19-11-249, any State public procurement unit, including any University of Arkansas System campus or unit, may participate in any contract resulting from this solicitation with a participating addendum signed by the contractor and approved by the chief procurement officer of the procurement agency issuing this solicitation. MINORITY AND WOMEN-OWNED BUSINESS (MWOB) POLICY: It is the policy of the State of Arkansas to support equal opportunity as well as economic development in every sector. In accordance with the Minority and Women-Owned Business Economic Development Act, UA shall support to the fullest all possible participation of companies owned and controlled by minority persons and women in state-funded and state-directed public programs and in the purchase of goods and services to meet an annual goal of fifteen percent (15%) of the total expended. Pursuant to Ark. Code Ann. § 19-11-229, 19-11-230 the State of Arkansas encourages all small, minority, and women owned business enterprises to submit competitive sealed bids and proposals for University projects. Encouragement is also made to all general contractors that in the event they subcontract portions of their work, consideration is given to the identified groups. A. Minority-Owned Business is defined by Arkansas Code Annotated § 15-4-303 as a business that is at least fifty-one percent (51%) owned by one (1) or more minority persons who are lawful permanent residents of the State of Arkansas: African American Hispanic American American Indian Pacific Islander American Asian American A Service-Disabled Veteran as designated by the United States Department of Veterans Affairs B. Women-Owned Business is defined by Act 1080 of the 91st General Assembly Regular Session 2017 as a business that is at least fifty-one percent (51%) owned by one (1) or more women who are lawful permanent residents of the State of Arkansas. C. Eligibility and Certification The Arkansas Economic Development Commission (AEDC) conducts a certification process for minority-owned and women-owned businesses. Increase the opportunity for your minority or women- owned business to sell products and services to the State of Arkansas: https://www.arkansasedc.com/community-resources/Minority-and-Women-Owned-Business-Enterprise- Resources/detail/get-certified. Certification indicates that your company has undergone a review process to show that it is 51% or more owned, controlled and operated by a minority or woman as defined above. Certification is granted for two years and allows participation in the procurement process as a MWOB. If certified, the Prospective Contractor’s Certification Number should be included on the Proposal/Response Signature Page. D. Recommended Resources Doing Business with UA o Vendor registration: https://businessservices.uark.edu/doing-business-at-university.php Doing Business with the State o Registering your company with the Office of State Procurement as a vendor allows you to do business with the State of Arkansas: https://www.dfa.arkansas.gov/procurement/vendor- information/ o Arkansas Procurement Technical Assistance Center assists Arkansas small businesses to succeed in obtaining government contracts: https://www.uaex.edu/business- communities/arkansas-ptac/default.aspx General Campus Background for University of Arkansas https://hogbid.uark.edu/ https://www.arkansasedc.com/community-resources/Minority-and-Women-Owned-Business-Enterprise-Resources/detail/get-certified https://www.arkansasedc.com/community-resources/Minority-and-Women-Owned-Business-Enterprise-Resources/detail/get-certified https://businessservices.uark.edu/doing-business-at-university.php https://www.dfa.arkansas.gov/procurement/vendor-information/ https://www.dfa.arkansas.gov/procurement/vendor-information/ https://www.uaex.edu/business-communities/arkansas-ptac/default.aspx https://www.uaex.edu/business-communities/arkansas-ptac/default.aspx 3 Founded in 1871 as a land-grant institution, the University of Arkansas, Fayetteville Arkansas (UofA), is the flagship campus of the University of Arkansas System. Our students represent all 50 states and more than 120 countries. The UofA comprises 10 colleges and schools offering an internationally competitive education for undergraduate and graduate students in more than 240 academic programs. The UofA contributes new knowledge, economic development, basic and applied research, and creative activity while also providing service to academic and professional disciplines. As of Fall 2022, student enrollment totaled approximately 30,936. The faculty count totaled 1,490 and the staff count totaled 3,350. The UofA is one of the nation’s top public research universities and the state’s foremost partner and resource for education and economic development. Its public service activities reach every county in Arkansas, throughout the nation, and around the world. The Carnegie Foundation classifies the UofA among only 3 percent (3%) of universities in America that have the highest level of research activity. 1. DESCRIPTION AND OVERVIEW OF RFP The Board of Trustees of the University of Arkansas, acting on behalf of the University of Arkansas, located in Fayetteville, Arkansas (UA) is seeking bid proposals from qualified and reputable Respondents to provide Payment Card Industry (PCI) compliance services, pursuant to the specifications, terms and conditions stated in this RFP (“Proposal(s)”). The University of Arkansas Office of Finance and Administration is responsible for PCI compliance with support from University IT services. The associated accounts are as follows: approximately 50 credit card merchant accounts and 175 online storefronts tied to 4 credit card merchant accounts. Merchant accounts have various functions which include, at a minimum, tuition or donation payments, tech store sales, fitness centers, parking services and athletic & performance ticketing. The Office of Finance and Administration has a lead representative that assists the merchants with compliance. As level-3 merchant these merchants perform their own assessments using internal questionnaires, device inventory and access control lists. Merchant transactions run the gamut including card-present, card-not-present, and e-commerce with various point-of-sale systems resulting in various Self Assessment Questionnaire (SAQ) levels that result in an SAQ-D roll-up to the bank. The University of Arkansas is also responsible for validating the PCI compliance for the Arkansas Alumni Association (AAA) and UAF related activity of the University of Arkansas Foundation. AAA is staffed by University employees and has one credit card merchant account used for online, in person and mail order/telephone transactions. Select University employees accept and process transactions on behalf of the Foundation across four credit card merchant accounts. UA is seeking to award a term contract for an initial period of four (4) years with a three (3) year option for renewal to the Respondent that can provide the best overall value to the University. This value will be determined by UA based on the overall competence, compliance, format and presentation of each RFP response and in-person presentation, as necessary. A Respondent presentation day may be held following the bid due date. Projected timeframe for when presentations could occur is specified in the “Projected Timetable of Activities” section of this RFP. Please keep these dates open to schedule a presentation if you are selected to present. UA expects to achieve the following goals (at minimum) through the selected Respondent: 1. Obtain a comprehensive assessment of the University’s Cardholder Data Environment (CDE) which includes the evaluation of policies and ensures that the University is compliant with Payment Card Industry Data Security Standards (PCI DSS) to accept, process, store and transmit credit card data.. This assessment may include, but is not limited to: penetration testing, internal/external scans, SAQ assistance, payment technology assessment, MID structure review, and training development/delivery, incident response plan review, and development of table top exercises 2. Detailed review of CDE, policies and procedures to understand if UA is compliant and meeting all the set of requirements with the Payment Card Industry Data Security Standards (PCI DSS) 3. Identify, if applicable, any risks and gaps with the payment ecosystems that can result in potential data breaches 4. Over the course of the agreement, UA requires thought leadership and industry expertise to ensure the University is held accountable and compliant with the set of standards of the PCI DSS. 5. Develop strategies to improve payment systems to ensure that UA has a secure and sustainable environment for all consumer information and data 6. Accountability and desire to work together to form a mutually beneficial long-term partnership 7. Vulnerability scans and penetration testing for all Finance and Administration systems that have been identified as containing personal financial data. 4 2. SCOPE OF WORK The University of Arkansas is seeking proposals to obtain PCI compliance services, pursuant to the specifications, terms, and conditions stated in this RFP (“Proposal(s)”). Compliance services will include overall recommendations to the UA regarding current industry best practices and thought leadership around PCI compliance assessments and related services. Services related to PCI DSS assessment: PCI DSS compliance assessment to evaluate the current framework of UA’s payment ecosystem Advise on the current structure and build out of UA’s CDE network and systems to prevent data breaches and fraudulent activities Implement penetration testing against the CDE to determine security measures to protect against malicious users gaining access to unauthorized data External and Internal scans/testing. External scan to be performed outside of UA’s network to identify known weaknesses in its CDE network structures. Internal scan to be performed within UA’s network to identify any vulnerabilities on its internal CDE hosts that could be exploited through a cyber-attack or data breach. Additional penetrating testing and internal/external scans for systems identified containing personal financial data Assistance and/or completion of SAQs to ensure that all proper security measures are captured to manage and protect cardholder data Assist PCI Compliance Officer in providing guidance and measurable tools in filling out SAQs to help ensure proper security Assist with the completion of annual SAQs based on UA’s need for the given year Review UA’s payment technology systems to assess if the current software(s) is installed appropriately to manage data security MID (Merchant IDs) structure review to provide a standardized methodology to identify merchants and manage the process of electronic payments Review UA’s organizational structure to determine if we are “right sized” for our size/scope and help determine if our current structure is optimally conducive to compliance and appropriate support of our CDE Provide technical guidance when facing issues with any related payment systems Assist with training development and strategies to ensure protection and security in UA’s payment system by a deadline that is acceptable and allowable to UA. 3. COSTS / PRICING Respondents must provide detailed/itemized retail pricing for each individual component, and/or the overall system, as listed on the Official Bid Price Sheet provided within this RFP document: Reference Appendix I Official Bid Price Sheet If pricing is dependent on any assumptions that are not specifically stated on the Official Price Sheet, please list those assumptions accordingly on a separate spreadsheet and show detailed pricing. Any additional pricing lists should remain attached to the Official Price Sheet for purposes of accurate evaluation. Pricing must be valid for one hundred twenty (120) days following the bid Proposal due date and time. Upon bid award, all pricing and/or discounts must be firm for a period of two (2) years. UA will not be obligated to pay any costs not identified on the Official Price Sheet. Respondents must certify that any costs not identified by the Respondent, but subsequently incurred in order to achieve successful operation of the service, will be borne by the Respondent. Failure to do so may result in rejection of the Proposal. 4. RESPONDENT REFERENCES Respondents must provide a minimum of three (3) references, preferably in higher education, (including the organization’s name, address, persons to contact, telephone numbers, and email addresses) located in the continental United States currently served by respondent. References are to be parties who can attest to the qualifications relevant to providing services requested. UA reserves the right to contact any references provided to evaluate the level of performance and customer satisfaction. Reference Appendix II for format. 5 5. MANDATORY PRE-PROPOSAL A mandatory conference call will be held by the University of Arkansas on the date, time, and through means as specified on the cover sheet of this RFP document. The purpose of the conference will be to provide a forum for bidders to obtain clarification about the RFP prior to finalizing their responses. Questions should be submitted to the contact listed below in advance of the scheduled conference for preparation purposes to make the best use of time during discussion. Respondents who anticipate responding to this RFP are required to participate in this pre-proposal conference to discuss information and clarifications. Proposals will NOT be considered from Respondents who have not participated in the mandatory pre-proposal conference. To participate in the mandatory pre-proposal meeting, provide contact information to: Ellen Ferguson (ellenf@uark.edu) no later than 2:30 PM CST, May 30, 2023. Ellen Ferguson, Procurement Coordinator Office of Business Services Email: ellenf@uark.edu 6. RESPONDENT’S RESPONSIBILITY TO READ RFP It is the Respondent's responsibility to thoroughly examine and read the entire RFP document, including any and all appendices. Failure of Respondents to fully acquaint themselves with existing conditions or the amount of goods and work involved will not be a basis for requesting extra compensation after the award of a Contract. This engagement is separate from any other engagement bidder may be currently pursuing with the University of Arkansas. Interpretation by and of the University of Arkansas is final. 7. PROJECTED TIMETABLE OF ACTIVITIES The following schedule will apply to this RFP, but may change in accordance with the UA's needs: 5/22/2023 RFP released to prospective respondents 5/30/2023 2:30PM CST – Last date/time UA will accept questions prior to Pre-Propsal Conference 6/2/2023 2:30 PM CST – Initial addendum for Q&A6/8/2023 Mandatory Pre-Proposal Conference 6/14/2023 Last date UA will issue an addendum (if necessary) 6/23/2023 Proposal Submission Deadline and Bid Opening Event 2:30 PM CST Note: Attendance at RFP opening is not required. No award will be made. Only names of respondents, and a preliminary determination of proposal responsiveness, will be made at this time. 7/7/2023 Notice of Intent to Award Upon Intent to Award TBD* Contract Negotiations Begin (upon intent to award) Upon Contract Approval: Service to Commence (upon final legislative approval, if applicable) *UA places a value on all elements of this RFP. As such, after evaluation of Proposals and selection of Contractor(s), the UA reserves the right to further negotiate with the selected respondent on any or all elements, and to award accordingly. 8. CONTRACT TERM AND TERMINATION The term (“Term”) of any resulting Contract will begin upon date of Contract award. If mutually agreed upon in writing by the Contractor and UA, the term shall be for an initial period of four (4) years, with option to renew at the end of the contract term for three (3) additional years, for a combined total of seven (7) years (or 84 months). The University of Arkansas may terminate this Agreement without cause, at any time during the Term (including any renewal periods), by giving the other party thirty (30) days advance written notice of termination. Additionally, in the event of non-appropriation of funds necessary to fulfill the terms and conditions of this Agreement during any period of the Term (including any renewal periods), the parties agree that this Agreement shall automatically terminate without notice. a) If at any time the services become unsatisfactory, UA will give thirty (30) days written notice to the Contractor. If at the end of the thirty (30) day period the services are still deemed unsatisfactory, the Contract shall be cancelled by UA, Office of Business Affairs. Additionally, the Contract may be mailto:ellenf@uark.edu 6 terminated, without penalty, by UA without cause by giving thirty (30) days written notice of such termination to Contractor. b) Upon award, the agreement is subject to cancellation, without penalty, either in whole or in part, if funds necessary to fulfill the terms and conditions of this Contract during any biennium period of the Term (including any renewal periods) are not appropriated. c) In no event shall such termination by UA as provided for under this section give rise to any liability on the part of UA, its trustees, officers, employees or agents including, but not limited to, claims related to compensation for anticipated profits, lost business opportunities, unabsorbed overhead, misrepresentation, or borrowing. UA’s sole obligation hereunder is to pay Contractor for services ordered and received prior to the date of termination. The terms, conditions, representations, and warranties contained in the Contract shall survive the termination of the Contract. 9. GENERAL INFORMATION FOR RESPONDENTS 9.1 Distributing Organization This RFP is issued by the Office of Business Affairs at UA. The University Purchasing Official is the sole point of contact during this process. Only written communication is considered formal and can be supported throughout this process. Respondent Questions and Addenda: Respondent questions concerning all matters of this RFP should be sent via email to:Ellen Ferguson, Procurement Coordinator Office of Business Services Email: ellenf@uark.edu Questions received via email will be directly addressed via email, and compilation of all questions and answers (Q&A), as well as any revision, update and/or addenda specific to this RFP solicitation will be made available on HogBid, the UA bid solicitation website: http://hogbid/. During the time between the bid opening and contract award(s), with the exception of Respondent’s questions during this process, any contact concerning this RFP will be initiated by the issuing agency and not Respondent. Specifically, the persons named herein will initiate all contact. Respondents shall not rely on any other interpretations, changes, or corrections. It is Respondent's responsibility to thoroughly examine and read the entire RFP document and any Q&A or addenda to this RFP. Failure of Respondents to fully acquaint themselves with existing conditions or information provided will not be a basis for requesting extra compensation after the award of a Contract. 9.2 Agency Employees and Agents Contractor shall be responsible for the acts of its employees and agents while performing services pursuant to the terms of any Contract. Accordingly, Contractor agrees to take all necessary measures to prevent injury and loss to persons or property while on the UA premises. Contractor shall be responsible for all damages to persons or property on and off campus caused solely or partially by Contractor or any of its agents or employees. Contractor’s employees shall conduct themselves in a professional manner and shall not use UA’s facilities for any activity or operation other than the operation and performance of services as herein stated. UA reserves the right to deny access to any individual. The following conduct is unacceptable for Contractor’s employees and agents: foul language, offensive or distasteful comments related to age, race, ethnic background or sex, evidence of alcohol influence or influence of drugs, refusal to provide services requested, refusal to make arrangements for additional services needed and general rudeness. Contractor shall require standard criminal background checks on all employees of the Contractor’s business in advance of the performance of any on-campus duties. Employees whose background checks reveal felony convictions of any type are to be either removed from all support activities on the UA campus or reported to UA for review and approval in advance of the performance of any on-campus duties. 9.3 Tobacco Free Campus Smoking and the use of tobacco products (including cigarettes, e-cigarettes, cigars, pipes, smokeless tobacco, and other tobacco products) by students, faculty, staff, contractors, and visitors, are prohibited at all times on and within all property, including buildings, grounds, and facilities, owned or operated by UA, including all vehicles on UA property. mailto:ellenf@uark.edu http://hogbid/ 7 9.4 Disputes Contractor and UA agree that they will attempt to resolve any disputes in good faith. Contractor and UA agree that the State of Arkansas shall be the sole and exclusive jurisdiction and venue for any litigation or proceeding that may arise out of or in connection with any Contract. The Respondent acknowledges, understands and agrees that any claims, demands, suits, or actions for damages against UA may only be initiated and pursued in the Arkansas Claims Commission, if at all. Under no circumstances does UA agree to binding mediation or arbitration of any disputes or to the payment of attorney fees, court costs or litigation expenses. 9.5 Conditions of Contract Contractor shall at all times observe and comply with federal and Arkansas State laws, local laws, ordinances, orders, and regulations existing at the time of or enacted subsequent to the execution of the Contract which in any manner affect the completion of work. Contractor shall indemnify and hold harmless UA and all its trustees, officers, employees, volunteers, students, and agents against any claim or liability arising from or based upon the violation of any such law, ordinance, regulation, order or decree by an employee, representative, or subcontractor of the Contractor. To the extent Contractor shall have access to, store or receive student education records, Contractor agrees to abide by the limitations on use and re-disclosure of such records set forth in the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and 34 CFR Part 99. Contractor agrees to hold student record information in strict confidence and shall not use or disclose such information except as authorized in writing by UA or as required by law. Contractor agrees not to use the information for any purpose other than the purpose for which the disclosure was made. Upon termination, Contractor shall return all student education record information or provide evidence that it was securely destroyed within thirty (30) days. When procuring a technology product or when soliciting the development of such a product, the State of Arkansas is required to comply with the provisions of Arkansas Code Annotated § 2526201 et seq., as amended by Act 308 of 2013, which expresses the policy of the State to provide individuals who are blind or visually impaired with access to information technology purchased in whole or in part with state funds. Contractor expressly acknowledges and agrees that state funds may not be expended in connection with the purchase of information technology unless that system meets the statutory requirements found in 36 C.F.R. § 1194.21, as it existed on January 1, 2019 (software applications and operating systems) and 36 C.F.R. § 1194.22, as it existed on January 1, 2019 (webbased intranet and internet information and applications), in accordance with the State of Arkansas technology policy standards relating to accessibility by persons with visual impairments. ACCORDINGLY, CONTRACTOR SHALL EXPRESSLY REPRESENT AND WARRANT to the State of Arkansas through the procurement process by submission of a Voluntary Product Accessibility Template (“VPAT”) or similar documentation to demonstrate compliance with 36 C.F.R. § 1194.21, as it existed on January 1, 2019 (software applications and operating systems) and 36 C.F.R. § 1194.22, as it existed on January 1, 2019 (webbased intranet and internet information and applications) that the technology provided to the State for purchase is capable, either by virtue of features included within the technology, or because it is readily adaptable by use with other technology, of: Providing, to the extent required by Arkansas Code Annotated § 2526201 et seq., as amended by Act 308 of 2013, equivalent access for effective use by both visual and nonvisual means; Presenting information, including prompts used for interactive communications, in formats intended for nonvisual use; After being made accessible, integrating into networks for obtaining, retrieving, and disseminating information used by individuals who are not blind or visually impaired; Providing effective, interactive control and use of the technology, including without limitation the operating system, software applications, and format of the data presented is readily achievable by nonvisual means; Being compatible with information technology used by other individuals with whom the blind or visually impaired individuals interact; Integrating into networks used to share communications among employees, program 8 participants, and the public; and Providing the capability of equivalent access by nonvisual means to telecommunications or other interconnected network services used by persons who are not blind or visually impaired. If the information technology product or system being offered does not completely meet these standards, the Respondent must provide an explanation within the VPAT detailing the deviation from these standards. State agencies cannot claim a product as a whole is not reasonably available because no product in the marketplace meets all the standards. If products are reasonably available that meet some but not all of the standards, the agency must procure the product that best meets the standards or provide written documentation supporting selection of a different product, including any required reasonable accommodations. For purposes of this section, the phrase “equivalent access” means a substantially similar ability to communicate with, or make use of, the technology, either directly, by features incorporated within the technology, or by other reasonable means such as assistive devices or services which would constitute reasonable accommodations under the Americans with Disabilities Act or similar state and federal laws. Examples of methods by which equivalent access may be provided include, but are not limited to, keyboard alternatives to mouse commands or other means of navigating graphical displays, and customizable display appearance. As provided in Arkansas Code Annotated § 25-26-201 et seq., as amended by Act 308 of 2013, if equivalent access is not reasonably available, then individuals who are blind or visually impaired shall be provided a reasonable accommodation as defined in 42 U.S.C. § 12111(9), as it existed on January 1, 2019. If the information manipulated or presented by the product is inherently visual in nature, so that its meaning cannot be conveyed non-visually, these specifications do not prohibit the purchase or use of an information technology product that does not meet these standards. 9.6 Contract Information Respondents should note the following regarding the State’s contracting authority and amend any documents accordingly. Failure to conform to these standards may result in rejection of Respondent’s bid: A. The State of Arkansas may not contract with another party to perform any of the following: 1. Pay any penalties or charges for late payment or any penalties or charges which in fact are penalties for any reason. 2. Indemnify or defend that party for liability or damages. Under Arkansas law UA may not enter into a covenant or agreement to hold a party harmless or to indemnify a party from prospective damages. 3. Pay all sums that become due under a contract upon default. 4. Pay damages, legal expenses, attorneys’ fees or other costs or expenses of any party. 5. Conduct litigation in a place other than the State of Arkansas. 6.Agree to be subject to or bound by governing law, jurisdiction, or venue of any state, country or province other than the State of Arkansas. 7.Agree to any provision of a contract that violates the laws or constitution of the State of Arkansas. B. A party wishing to contract with UA should: 1. Remove any language from its contract which grants to it any remedies other than: • The right to possession. • The right to accrued payment. • The right to expenses of de-installation. 2.Include in its contract that the laws of the State of Arkansas govern the contract and that the State of Arkansas is the exclusive jurisdiction and venue for any and all claims, disputes, actions or suits between the parties or related to the Contract. 3.Include in its Contract that the UA is an instrumentality of the State of Arkansas entitled to sovereign immunity from suit and that all claims, demands, suits, or actions for loss, expense, damage, liability or other relief, either at law or in equity, against UA or its trustees, officers, employees, volunteers, students, agents or designated representatives acting within the official scope of their position, must be brought before the Claims Commission of the State of Arkansas. 4.Include in its Contract all other terms and conditions stated in this RFP. 9 5. Acknowledge in its contract that contracts become effective when awarded by UA Purchasing Official. 9.7 Reservation This RFP does not commit UA to award a contract, to pay costs incurred in the preparation of a Proposal to this request, or to procure or contract for services or supplies. UA reserves the right to accept or reject (in its entirety), any Proposal received as a result of this RFP, if it is in the best interest of UA to do so. In responding to this RFP, respondents recognize that UA may make an award to a primary Respondent; however, UA reserves the right to purchase like and similar services from other agencies as necessary to meet operation requirements. 9.8 Qualifications of Respondent UA may make such investigations as deems necessary to determine the ability of Respondents to meet all requirements as stated within this RFP, and Respondent shall furnish to UA all such information and data for this purpose that UA may request. UA reserves the right to reject any bid if the evidence submitted by, or investigations of, such Respondent fails to satisfy UA that such Respondent is properly qualified to carry out the obligations of the Contract. 9.9 Non Waiver of Defaults Any failure of UA at any time, to enforce or require the strict keeping and performance of any of the terms and conditions of the Contract shall not constitute a waiver of such terms, conditions, or rights, and shall not affect or impair same, or the right of UA at any time to avail itself of same. 9.10 Independent Parties Contractor acknowledges that under the Contract it is an independent contractor and is not operating in any fashion as the agent of UA. The relationship of Contractor and UA is that of independent contractors, and nothing in this contract should be construed to create any agency, joint venture, or partnership relationship between the parties. 9.11 Governing Law This RFP, any resulting Contract and all performance thereunder, transactions and subsequent amendments thereto between Respondent(s) or Contractor(s) and UA shall be governed and construed in all aspects in accordance with the laws of the State of Arkansas without regard to its choice of law principles (including without limitation any and all disputes, claims, counterclaims, causes of action, suits, rights, remedies, promises, obligations, demands, and/or defenses related thereto that may be asserted by either party). The parties agree that the State of Arkansas shall be the sole and exclusive venue and jurisdiction for any litigation or proceeding that may arise out of or in connection with this RFP or any Contract with UA. The parties waive any objection to the laying of jurisdiction and venue of any claim, action, suit or proceeding arising out of the Contract or any transaction contemplated hereby, in the State of Arkansas, and hereby further waive and agree not to plead or assert that any claim, action, suit or proceeding has been brought in an inconvenient forum. Nothing contained herein shall be deemed or construed as a waiver of any immunities to suit available to UA or its trustees, officials, employees and representatives. In no event shall UA or any of its current and former trustees, officials, representatives and employees (in their official or individual capacities) be liable to Respondent(s) or Contractor(s) for special, indirect, punitive, or consequential damages, attorneys’ fees or costs or any damages constituting lost profits or lost business opportunities. 9.12 Proprietary Information Proprietary information submitted in response to this bid will be processed in accordance with applicable UA procurement procedures. All material submitted in response to this RFP becomes the public property of the State of Arkansas and will be a matter of public record and open to public inspection subsequent to bid opening as defined by the Arkansas Freedom of Information Act. Respondent is hereby cautioned that any part of its bid that is considered confidential, proprietary, or trade secret, must be labeled as such and submitted in a separate envelope along with the bid, and can only be protected to the extent permitted by Arkansas law. Note of Caution: Respondents should not attempt to mark the entire Proposal as "proprietary" or submit letterhead or similarly customized paper within the proposal to reference the page(s) as "Confidential" unless the information is sealed separately and identified as proprietary. Acceptable proprietary items 10 may include references, resumes, and financials or system/software/hardware manuals. Costs and pricing terms are not considered as proprietary. 9.13 Disclosure A. Contract and Grant Disclosure Disclosure is a condition of the resulting Contract and UA cannot enter into any contract for which disclosure is not made. Arkansas’s Executive Order 98-04 requires all potential contractors disclose whether the individual or anyone who owns or controls the business is a member of the Arkansas General Assembly, constitutional officer, state board or commission member, state employee, or the spouse or family member of any of these. If this applies to Respondent’s business, Respondent must state so in writing. B. Respondent Conflict of Interest Form Only when applicable, for any RFP that requires the disclosure of existing conflict of interest circumstances, Respondent should complete the Bidder Conflict of Interest Form and submit with bid Proposal. It is the responsibility of Respondent desiring to be considered for a bid award to complete and return this form, along with the Contract and Grant Disclosure and Certification Form. The purpose of these forms is to give Respondent an opportunity to disclose any actual or perceived conflicts of interest. The determination of UA regarding any questions of conflict of interest shall be final. 9.14 Proposal Modification Proposals submitted prior to the Proposal opening date may be modified or withdrawn only by written notice to UA. Such notice must be received by the UA Purchasing Official prior to the time designated for opening of the Proposal. Respondent may change or withdraw the Proposal at any time prior to Proposal opening; however, no oral modifications will be allowed. Only letters or other formal written requests for modifications or corrections of a previously submitted Proposal that are addressed in the same manner as the Proposal and that are received prior to the scheduled Proposal opening time will be accepted. The Proposal, when opened, will then be corrected in accordance with such written requests, provided that the written request is contained in a sealed envelope that is clearly marked with the RFP number and “Modification of Proposal”. No modifications of the Proposal will be accepted at any time after the Proposal due date and time. 9.15 Prime Contractor Responsibility Single and joint Respondent bids and multiple bids by Respondents are acceptable. However, the selected Respondent(s) will be required to assume prime contractor responsibility for the Contract and will be the sole point of contact with regard to the award of this RFP. 9.16 Period of Firm Proposal Prices for the proposed services must be kept firm for at least one hundred twenty (120) days after the Proposal Due Date specified on the cover sheet of this RFP. Firm Proposals for periods of less than this number of days may be considered non-responsive. The Respondent may specify a longer period of firm price than indicated here. If no period is indicated by the Respondent in the Proposal, the price will be firm for one hundred twenty (120) days or until written notice to the contrary is received from the Respondent, whichever is longer. 9.17 Intentionally Omitted 9.18 Errors and Omissions The Respondent is expected to comply with the true intent of this RFP taken as a whole and shall not avail itself of any errors or omissions to the detriment of the services. Should the Respondent suspect any error, omission, or discrepancy in the specifications or instructions, the Respondent shall immediately notify the UA Purchasing Official, in writing, and UA shall issue written instructions to be followed. The Respondent is responsible for the contents of its Proposal and for satisfying the requirements set forth in the RFP. 9.19 Award Responsibility The UA Purchasing Official will be responsible for award and administration of any resulting Contract(s). UA reserves the right to reject any or all bids, or any portion thereof, to re-advertise if deemed necessary, and to investigate any or all bids and request additional information as necessary in order to substantiate the professional, financial and/or technical qualifications of the Respondent(s). 11 Contract(s) will be awarded to the Respondent(s) whose Proposal adheres to the conditions set forth in the RFP, and in the sole judgment of UA, best meets the overall goals and financial objectives of UA. A resultant Contract will not be assignable without prior written consent of both parties. 9.20 Confidentiality and Publicity From the date of issuance of the RFP until the opening date, the Respondent must not make available or discuss its Proposal, or any part thereof, with any trustee, official, employee or agent of UA. The Respondent is hereby warned that any part of its Proposal or any other material marked as confidential, proprietary, or trade secret, can only be protected to the extent permitted by law. All material submitted in response to this RFP becomes the property of UA. News release(s) by a Respondent pertaining to this RFP or any portion of the project shall not be made without prior written approval of the UA Purchasing Official. Failure to comply with this requirement is deemed to be a valid reason for disqualification of the Respondent’s bid. The UA Purchasing Official will not initiate any publicity relating to this procurement action before the Contract award is completed. Employees of the Contractor may have access to records and information about UA processes, employees, including proprietary information, trade secrets, and intellectual property to which UA holds rights. Contractor agrees to keep all such information strictly confidential and to refrain from discussing this information with anyone else without written authorization from an authorized official of UA. 9.21 Respondent Presentations UA reserves the right to, but is not obligated to, request and require that final contenders determined by the Evaluation Committee provide a formal presentation of their Proposal at a date and time to be determined by the Evaluation Committee. Respondents are required to participate in such a request if the UA chooses to engage such opportunity. 9.22 Excused Performance Notwithstanding any other provisions in this RFP or any resultant Contract, in the event that the performance of any terms or provisions of this RFP or any resultant Contract shall be delayed or prevented because of compliance with any law, decree, or order of any governmental agency or authority, either local, state, or federal, or because of riots, war, acts of terrorism, public disturbances, unavailability of materials meeting the required standards, strikes, lockouts, differences with workmen, fires, floods, Acts of God, or any other reason whatsoever which is not within the control of the party whose performance is interfered with and which, by the exercise of reasonable diligence, such party is unable to prevent (the foregoing collectively referred to as “Excused Performance”), the party so interfered with may at its option suspend, without liability, the performance of its obligations during the period such cause continues, and extend any due date or deadline for performance by the period of such delay, but in no event shall such delay exceed six (6) months. 9.23 Funding Out Clause If, in the sole discretion of UA, funds are not allocated to continue any resultant Contract, or any activities related herewith, in any future period, then UA will not be obligated to pay any further charges for services, beyond the end of the then current period. Contractor will be notified of such non-allocation at the earliest possible time. No penalty shall accrue in the event this section is exercised. This section shall not be construed so as to permit UA to terminate any Contract awarded in order to acquire similar service from a third party. 9.24 Indicia The Respondents and the Contractor acknowledge and agree that UA owns the rights to its name and its other names, symbols, designs, and colors, including without limitation, the trademarks, service marks, designs, team names, facilities images, uniforms, nicknames, abbreviations, city/state names in the appropriate context, slogans, logo graphics, mascots, seals, color schemes, trade dress, and other symbols associated with or referring to UA that are adopted and used or approved for use by UA (collectively the “Indicia”) and that each of the Indicia is valid. Neither any Respondent nor Contractor shall have any right to use any of the Indicia, derivative, or any similar mark as, or a part of, a trademark, service mark, trade name, fictitious name, domain name, company or corporate name, a commercial or business activity, or advertising or endorsements anywhere in the world without the express prior written consent of an authorized representative of UA. Any domain name, trademark or service mark registration obtained or applied for that contains the Indicia or any similar mark upon request shall be assigned or transferred to UA or its Board of Trustees without compensation. 12 9.25 RFP Interpretation Interpretation of the wording of this document shall be the responsibility of UA and that interpretation shall be final. 9.26 Time is of the Essence Respondent and UA agree that time is of the essence in all respects concerning this RFP and any Contract and performance therein. 9.27 Formation of the Contract At its option, UA may take either one of the following actions in order to create a Contract between the UA and the selected Respondent: A. Accept a Proposal as written by issuing a written notice to the selected Respondent, which refers to the Request for Proposal and accept the Proposal submitted in response to it. B. Enter negotiations with one or more Respondents in an effort to reach a mutually satisfactory written agreement, which will be executed by all parties and will be based upon this Request for Proposal, the Proposal submitted by one or more Respondents and any negotiations concerning these documents. Because UA may use alternative (A) above, each Respondent shall accept the contents of this RFP which will be incorporated into any final Contract documents and will include standard UA terms and conditions. If the Respondent submits standard terms and conditions with the bid, and if any section of those terms is in conflict with the laws of the State of Arkansas, the State laws shall govern. Standard terms and conditions submitted may need to be altered to adequately reflect all the conditions of this RFP, the Respondent’s Proposals and Arkansas State law. Notwithstanding any terms or conditions to the contrary, nothing within the Contractor’s proposal shall constitute a waiver of any immunities to suit legally available to UA, its trustees, officers, employees or agents, including, but not limited state and federal constitutional and statutory sovereign immunity of the State of Arkansas and its officials. NOTE: The successful bidder may be required to enter into a Professional Services or Technical/General Services Contract that will require approval prior to any work conducted. See the following link for reference: http://procurement.uark.edu/_resources/documents/TGSForm.pdf. (Additional processing time must be allotted if subsequent contract is subject to this requirement). 9.28 Permits/Licenses and Compliance Contractor covenants and agrees that it shall, at its sole expense, procure and keep in effect all necessary permits and licenses required for its performance of obligations under this RFP, and shall post or display in a prominent place such permits and/or notices as required by law. Contractor is responsible for compliance with all applicable laws and regulations, including but not limited to, OSHA requirements as well as any Fair Labor Standards Act requirements pertaining to compensation of Contractors employees or subcontractor (if any) working on the project; further, upon request, Contractor shall provide copies of all such permits or licenses to UA. 9.29 Web Site Accessibility Respondent represents that web-based services substantially comply with the accessibility guidelines of Section 508 of the Rehabilitation Act of 1973 and with Web Content Accessibility Guidelines (“WCAG”) Version 2.0 Level AA, and agrees to promptly respond to and resolve any accessibility complaints received from UA. 9.30 Prohibition Against Boycotting Israel In accordance with Ark. Code Ann. § 25-1-503, Respondent hereby certifies to UA that Respondent: (a) is not currently engaged in a boycott of Israel; and (b) agrees for the duration of any Contract not to engage in any boycott of Israel. A breach of this certification will be considered a material breach of contract. In the event that Respondent breaches this certification, UA may immediately terminate any Contract without penalty or further obligation and exercise any rights and remedies available to it by law or in equity. http://procurement.uark.edu/_resources/documents/TGSForm.pdf 13 9.31 Campus Restrictions Contractor shall not permit tobacco, electronic cigarettes, alcohol, or illegal drugs to be used by any of its officers, agents, representatives, employees, subcontractors, licensees, partner organizations, guests or invitees while on the campus of UA. Respondents further agrees that it will not permit any of its officers, directors, agents, employees, contractors, subcontractors, licensees, partner organizations, guests or invitees to bring any explosives, firearms or other weapons onto the campus of UA, except to the extent expressly permitted by UA policies and the Arkansas enhanced concealed carry laws. Respondent shall not allow any of its officers, directors, agents, employees, contractors, subcontractors, licensees, partner organizations, guests or invitees that are registered sex offenders to enter the campus of the University. Respondent agrees that it will not permit any of its officers, directors, agents, employees, contractors, subcontractors, licensees, partner organizations, guests or invitees who have been convicted of a felony involving force, violence, or possession or use of illegal drugs to work on this campus. Respondent will fully comply with all applicable UA policies, and federal, state and local laws, ordinances, and regulations. 9.32 Performance Standards Contractor acknowledges that the use of performance-based standards on any resultant Contract by UA are required pursuant to Arkansas Code Annotated § 19-11-267. Contractor shall provide prompt, responsive, courteous, and high-quality products, services and customer service in the performance of its obligations under this RFP and any resulting Contract with UA. Contractor shall warrant that the equipment placed on the UA campus shall be of good quality, safe and suitable for their intended use by customers and properly installed. Contractor acknowledges that all products and services provided to UA or tailgate customers on the UA campus are to be of high quality and rendered in a timely and professional manner. Contractor represents and warrants that it will provide all products and services related to any resulting Contract in a manner consistent with industry standards. In addition, Contractor shall respond to all production, service, maintenance and customer service and support requests by in a polite and timely manner. Further, Contractor recognizes that failure to perform hereunder may cause UA financial or reputational harm or damages or require it to acquire replacement services on short notice. Therefore, any failure to provide the agreed upon products or services to UA or customers at the quality, times or in the manner specified, or for the duration required hereunder shall constitute a breach of any Contract between Contractor and UA subject to termination. 9.33 Background Checks Contractor shall be responsible to obtain and to pay for background checks (including, but not limited to, checks for registered sex offenders) for all individuals performing any services related to this RFP on the UA campus, whether on a paid or volunteer basis, in a manner requested by UA and consistent with procedures established by UA for its background checks. No person may perform any duties or services for Contractor on the UA campus under any circumstances whatsoever until a satisfactory background check has been completed for each individual and copies furnished to UA. 9.34 Service Expectations Contractor and its officers, employees, agents, volunteers, subcontractors and invitees understand that they are working at an institution of higher learning and are required to conduct themselves in a manner that is commensurate with that environment. Contractor, its officers, employees, agents, volunteers, subcontractors and invitees shall do all things reasonably necessary or required by UA to maintain the high standard of quality and management for the products and services outlined in this RFP and any resulting Contract. Contractor agrees that it shall hire, train, supervise and regulate all persons employed by it in the conduct of the related services so that they are aware of, and practice, standards of cleanliness, courtesy and service required and customarily followed in the conduct of similar operations. Contractor shall not employ any current student-athletes. Contractor shall be responsible for the conduct of its officers, employees, agents, volunteers, subcontractors, vendors, guests and other representatives including, without limitation, training and informing them that violations of UA policy, theft, violence, profanity, unlawful discrimination, boisterous or rude conduct, intoxication, mishandling funds, and offensive or disrespectful behavior toward spectators, customers and UA trustees, officials, employees, agents, licensees, contractors, subcontractors, vendors, students, alumni and guests is impermissible, will not be tolerated and could result in their removal from UA’s campus. 9.35 No Assignment and Sublicensing Respondents may not assign or sublicense any resulting Contract without the prior written consent of an authorized representative of UA as provided by UA’s Board of Trustee Policy. 9.36 PCI DSS Compliance Any third-party service provider utilized by the Contactor that engages in electronic commerce on behalf of the UA or other services contemplated under this RFP or any resulting Contract with UA, shall protect 14 all card holder data (“CHD”) and sensitive authentication data (“SAD”) in accordance with the Payment Card Industry Data Security Standard (“PCI DSS”), if applicable, or using secure standard financial industry practices, if PCI DSS standards are not applicable. UA reserves the right at any time to request either proof of PCI DSS compliance or a certification (from a recognized third-party security auditing firm) verifying that the Contactor (and/or any third party service provider utilized by the Contactor) uses secure standard financial industry practices in its financial transactions, and maintains ongoing compliance under PCI DSS standards and/or secure financial industry practices as they change over time. The Contactor will comply with all laws, rules and regulations relating to the access, transfer, storage, processing, collection, use, protection and breach of all CHD and SAD. The Contactor shall not share with the University or grant the University access to any CHD or SAD accessed, transferred, stored, processed, collected, used or transacted by the Contactor or any third party provider utilized by the Contactor related to the purchase, sale, resale, offer to resell, return, credit, or reserving the rights to any services contemplated under the RFP or any resulting Contract with UA. The Contactor further acknowledges that neither it nor any third-party service provider utilized by the Contactor shall be granted access to UA’s system in connection with any financial transaction under the Contract, and will not access, transfer, store, process, collect, use or otherwise transmit CHD or SAD using UA’s systems. The Contactor will provide their Attestation of PCI DSS Compliance and network scans to UA on an annual basis. The Contactor will give immediate notice to UA of any actual or suspected unauthorized disclosure of, access to or other breach of the CHD or SAD. The Contactor will indemnify UA for any third-party claim brought against UA arising from a breach by the Contactor of the representations or obligations of this section. This section and its indemnity will survive the termination of this RFP and any resulting Contract between Contractor and UA. 9.37 NCAA AND SEC The Contractor shall at all times comply with all NCAA and SEC rules and regulations, and the rules of any other conference or association to which UA’s athletic teams may belong. Any resulting Contract may be terminated for any such violations by the Contractor, its official, employees, representatives, agents, subcontractors or guests. This provision applies to those engagements involving the function of athletics and/or athletics activities and affairs. 10. INSTRUCTION TO RESPONDENTS 10.1 Respondents must comply with all articles of the Standard Terms and Conditions documents posted on our Hogbid website as counterpart to the RFP document, and any associated appendices, as well as all articles within the RFP document. UA is not responsible for any misinterpretation or misunderstanding of these instructions on the part of the Respondents. 10.2 Respondents must address each section of the RFP. A Word version of the RFP document will be posted on our Hogbid website. Respondents can insert Proposals into the document provided or create their own Proposal document making sure to remain consistent with the numbering and chronological order as listed in our RFP document. Ultimately, Respondents must “acknowledge” each section of our document in their bid Proposal. In the event that a detailed Proposal is not necessary, the Respondent shall state ACKNOWLEDGED as the response to indicate that the Respondent acknowledges, understands, and fully complies with the specification. If a description is requested, please insert detailed response accordingly. Respondent’s required Proposal should contain sufficient information and detail for UA to further evaluate the merit of the Respondent’s Proposal. Failure to respond in this format may result in bid disqualification. 10.3 Any exceptions to any of the terms, conditions, specifications, protocols, and/or other requirements listed in this RFP must be clearly noted by reference to the page number, section, or other identifying reference in this RFP. All information regarding such exceptions to content or requirements must be noted in the same sequence as its appearance in this RFP. 10.4 Proposals will be publicly opened in the Purchasing Office, located at UPTW Room 101, 1001 East Sain St., Fayetteville, AR 72703, at the date and time as listed on the coversheet of this RFP (bid opening event). All Proposals must be submitted in a sealed envelope with the Proposal number clearly visible on the OUTSIDE of the envelope/package. No responsibility will be attached to any person for the premature opening of a Proposal not properly identified. REQUIRED Respondents must submit one (1) signed original hard copy and two (2) soft copies of their Proposal (i.e. USB Flash drive). USB’s must match hard copy completely. 15 USB’s must be labeled with the Respondent’s name and the Bid Number, readable by UA, with the documents in Microsoft Windows versions of Microsoft Word, Microsoft Excel, Microsoft Visio, Microsoft PowerPoint, or Adobe PDF formats; other formats are acceptable as long as that format’s viewer is also included or a pointer is provided for downloading it from the Internet. Proposals must be received at the following location prior to the time and date specified within the timeline of this RFP: University of Arkansas - Business Services UPTW Room 101 1001 East Sain Street Fayetteville, Arkansas 72703 NOTE: No award will be made at bid opening. Only names of Respondents and a preliminary determination of Proposal responsiveness will be made at this time. If planning to attend a bid opening event, please arrive in the building lobby prior to 2:30pm CST. REQUIRED Additional Redacted Copy Proprietary information submitted in response to this RFP will be processed in accordance with applicable State of Arkansas procurement law. Documents pertaining to the RFP become the property of UA and shall be open to public inspection after a notice of intent to award is formally announced. It is the responsibility of the Respondent to identify all proprietary information included in their bid Proposal. The Respondent shall submit one (1) separate electronic copy of the Proposal from which any proprietary information has been removed, i.e., a redacted copy (marked “REDACTED COPY”). The redacted copy should reflect the same pagination as the original, show the empty space from which information was redacted, and should be submitted on a flash drive, preferably in a PDF format. Except for the redacted information, the redacted copy must be identical to the original hard copy submitted for the bid Proposal to be considered. The Respondent is responsible for ensuring the redacted copy on a flash drive is protected against restoration of redacted data. The redacted copy may be open to public inspection under the Freedom of Information Act (“FOIA”) without further notice to the Respondent after a notice of intent to award is formally announced. If during a subsequent review process the University determines that specific information redacted by the respondent is subject to disclosure under FOIA, the Respondent will be contacted prior to release of the information. Respondents may deliver their responses either by hand or through U.S. Mail or other available courier services to the address shown above. Include the RFP name and number on the outside of each package and/or correspondence related to this RFP. No call-in, emailed, or faxed Proposals will be accepted. The Respondent remains solely responsible for ensuring that its Proposal is received at the time, date, and location specified. UA assumes no responsibility for any proposal not so received, regardless of whether the delay is caused by the U.S. Postal Service, University Postal Delivery System, or some other act or circumstance. Proposals received after the time specified in this RFP will not be considered. All Proposals received after the specified time will be returned unopened. 10.5 For a Proposal to be considered, an official authorized to bind the Respondent to a resultant Contract must include signature in the blank provided on the RFP cover sheet. Failure to sign the Proposal as required will eliminate it from consideration. 10.6 All official documents, including Proposals and any responses to this RFP, and correspondence shall be included as part of any resultant Contract. 10.7 The UA Purchasing Official reserves the right to award a Contract or reject a Proposal for any or all line items of a bid received as a result of this RFP, if it is in the best interest of UA to do so. Bid Proposals may be rejected for one or more reasons not limited to the following: %5. Failure of the Respondent to submit the bid Proposal(s) and bid Proposal copies as required in this RFP on or before the deadline established by UA. %5. Failure of the Respondent to respond to a requirement for oral/written clarification, presentation, or demonstration in the Proposal. %5. Failure to provide the bid security or performance security if required. %5. Failure to supply Respondent references if required. %5. Failure to sign an Official Bid Proposal Document. %5. Failure to complete the Official Bid Price Sheet. 16 %5. Any wording by the Respondent in their Proposal or any response to this RFP, or in subsequent correspondence, which conflicts with or takes exception to a bid requirement in this RFP. If the Respondent submits standard terms and conditions with the bid, and if any section of those terms is in conflict with the laws of the State of Arkansas, the State laws shall govern. Standard terms and conditions submitted may need to be altered to adequately reflect all the conditions of this RFP, the Respondent’s Proposals and Arkansas State law. 10.8According to Ark. Code Ann. § 4-27-1501 and OSP Rule R4:19-11-217, A foreign corporation may not transact business in Arkansas until it obtains a certificate of authority from the Secretary of State. 10.9The University may make any decision or take any action that it, in its sole discretion, deems appropriate in order to comply with Act 1020 of 2021, the Transparency in Foreign Investment Act (Ark. Code Ann. § 6-60-1201 et seq.). 11. INDEMNIFICATION AND INSURANCE The successful Respondent or Contractor shall indemnify, defend, and hold harmless University, its trustees, officers, directors, employees, agents and volunteers from and against any and all losses, costs, expenses, damages, and liabilities resulting from or relating to: (a) any breach by Contractor or Contractor’s members, officers, employees, subcontractors, vendors, and agents of any representation, warranty, or other provision of this RFP, any resulting Contract or any document delivered by Contractor in connection with the products and services contemplated by this RFP; (b) any damage to property or bodily injury, including, but not limited to illness, paralyzation, dismemberment and death, arising from or relating to any products or services provided by the Contractor or uses of the UA campus by Contractor, its officers, employees, agents, volunteers, customers, subcontractors or guests under this RFP or any resulting Contract, or any other activities conducted on the UA campus (whether such activity is authorized or unauthorized by UA); (c) any use of or damage to UA property and any defect in any building and improvement thereon, including, but not limited to, any damage to any parking lots arising from or relating to any permitted uses under this RFP or any resulting Contract; (d) any act or omission of Contractor or any of its officers, agents, employees, invitees, or subcontractor’s employees and invitees; and (e) any violation by Contractor of any applicable NCAA or SEC rules or regulations or state, federal or local laws. The obligation to indemnify UA shall include, but shall not be limited to, the obligation to pay any and all losses, costs, expenses, attorneys' fees, damages, and liabilities incurred, as well as any attorneys’ fees and court costs (including, but not limited to, any appellate or appellate-related proceedings). At no cost or expense to UA, UA’s in-house counsel may participate in any proceedings. The indemnification obligations under this RFP or any resulting Contract shall survive the expiration or termination of such RFP or resulting Contract. The successful Respondent or Contractor shall purchase and maintain at Contractor’s expense, the following minimum insurance coverage for the period of any Contract. Certificates evidencing the effective dates and amounts of such insurance must be provided to UA: Workers Compensation: As required by the State of Arkansas. Additionally, the Contractor shall maintain Employer's Liability Insurance with a policy limit of not less than $100,000 each accident, $500,000 disease, and $100,000 disease each employee. Comprehensive General Liability, with no less than $1,000,000 each occurrence/$2,000,000 aggregate for bodily injury, products liability, contractual liability, and property damage liability. Comprehensive Automobile Liability, with no less than combined coverage for bodily injury and property damage of $1,000,000 each occurrence. Policies shall be issued by an insurance company authorized to do business in the State of Arkansas and shall provide that policy may not be canceled except upon thirty (30) days prior written notice to UA. Any policy shall cover any vehicle being used in the management, operation, or delivery deriving from Contractor’s operations on UA’s campus. Contractor shall also be responsible for payment of workers’ compensation insurance for all Contractor’s employees as required by the State of Arkansas. Contractor shall furnish UA with a certificate(s) of insurance effecting coverage required herein. Failure to file certificates or acceptance by UA of certificates which do not indicate the specific required coverages shall in no way relieve the Contractor from any liability under the Contract, nor shall the insurance requirements be construed to conflict with the obligations of Contractor concerning 17 indemnification. Any failure to comply with reporting provisions of the policies shall not affect coverage provided to UA, its trustees, officials, employees, agents or volunteers. Proof of Insurance must be included in bid Proposal. Contractor shall, at their sole expense, procure and keep in effect all necessary permits and licenses required for its performance under the Contract, and shall post or display in a prominent place such permits and/or notices as are required by law. 12. CONTRACTOR OVERVIEW The Contractor shall provide a general overview of its business including the following information: Foundation date Description of core activities Major company and distributor locations Total number of clients Total number of clients in higher education Current financial status and revenues – Overview only 13. BEST AND FINAL OFFER UA reserves the right to request an official “Best and Final Offer” from bid Respondents if it deems such an approach is in the best interest of the institution. In general, the “Best and Final Offer” will consist of an updated cost Proposal in addition to an opportunity for the Respondent to submit clarification response to specific questions or opportunities identified in subsequent discussions related to the original Proposal response submitted to UA. If the UA chooses to invoke a “Best and Final Offer” option, all responses will be re-evaluated by incorporating the information as requested in the official “Best and Final Offer” document, including costs and answers to specific questions presented in the document. The specific format for the official “Best and Final Offer” request will be determined during evaluation discussions. The official request for a “Best and Final Offer” will be issued by the UA Procurement Department. 14. SPECIFICATIONS / GOALS AND DELIVERABLES Each Proposal should contain the following information at a minimum: Company Overview: 1. Provide an overview and general background of your company in the PCI DSS assessment/compliant processing environment. 2. Describe the number of years you have been in business. 3. Describe your experience in performing similar scopes of work in Higher Education within the last 3 years, focusing on those that are similar in size to the University of Arkansas – Fayetteville. Approach and Strategies: 1. Give an overview of your approach to the scope of services outlined in this document. 2. Give examples of your approach where you have been awarded a contract with similar scopes of work in Higher Education. Organizational & Technical Capabilities: 1. Provide your company’s organizational (technical, management and financial) capability to provide services described in this RFP. 2. Demonstrate your company’s project management capabilities to manage the proposed scope of services. 3. Describe your company’s abilities and experiences related to compliance with the PCI DSS requirements 4. Provide information on any utilization of external, third-party relationships and explain how you manage these third-party deliverables. 5. Outline your staffing levels and staffing mix; identify the key personnel who will be assigned and their experiences and qualif ications related to the scope of work. Provide resumes and certif ication/l icenses for each individual. Technological Capabilities: 1. Describe your company’s capabilities in conducting PCI DSS assessments 2. Describe your company’s system requirements to provide secure and sustainable solutions. This includes, but is not limited to: technology, security, and accessibility requirements. 18 Deliverables: 1. Provide sample deliverables such as business cases or based on the scope of work described in this RFP. 2. Describe assessments, protocols and policies that are relevant for the requirements listed for this service. Milestones and Accountability: 1. Describe the typical milestones you would include as checkpoints to ensure the work is being achieved successfully. 2. Provide a sample outline on the overall execution plan to complete this initiative. 3. Describe how your company will accomplish the goals and scope of work described in this RFP. 15. EVALUATION AND SELECTION PROCESS It is the intent of the UA to award a Contract to the Respondent(s) deemed to be the most qualified and responsible firm(s), who submits the best overall Proposal based on an evaluation of all Proposal responses. Selection shall be based on UA assessment of the Respondent’s ability to provide adequate service, as determined by the evaluation committee elected to evaluate proposals. UA reserves the right to reject any or all Proposals or any part thereof, to waive informalities, and to accept the Proposal or Proposals deemed most favorable to UA. Where Contract negotiations with a Respondent do not proceed to an executed Contract within a time deemed reasonable by UA (for whatever reasons), UA may reconsider the Proposals of other Respondents and, if appropriate, enter into Contract negotiations with one or more of the other Respondents. Proposals shall remain valid and current for the period of one-hundred twenty (120) days after the due date and time for submission of Proposals. Each Proposal will receive a complete evaluation and will be assigned a score of up to 100 points possible based on the following items: A. Complete/Thorough Proposal (40 Points) Respondent with the highest rating shall receive forty (40) points. Points shall be assigned based on factors within this category, to include but are not limited to: • Understanding of the nature of the project • Adherence to University Requirements. • The Respondent’s compliance with all requirements of the RFP specifications. • Detailed proof of all requested qualifications and specified services. • Project timeline (capacity to complete the project within realistic timeframe). • Respondent Presentations B. Respondent Qualification (30 Points) Respondent with highest rating shall receive thirty (30) points. Points shall be assigned based on factors within this category, to include but are not limited to: • Profile of organization (Respondent Overview) • Number of years in business • Description of similar engagements • Higher Education References C. Cost (30 Points) Points shall be assigned for the cost of the specific categories of services, which comprise the overall system, including annual maintenance cost, as follows: • Cost points will be assigned on the specific component basis as reflected on the Official Price Sheet, for comparison and evaluation purposes. • The bid with the lowest estimated cost of the overall system will receive the maximum points possible for this section. • Remaining bids will receive points in accordance with the following formula: (a/b)(c) = d a = lowest cost bid in dollars b = second (third, fourth, etc.) lowest cost bid c = maximum points for Cost category (30) 19 d = number of points allocated to bid Failure of the Respondent to provide in his/her proposal any information requested in this RFP may result in disqualification of his/her proposal and shall be the responsibility of the respondent. 16. SERVICE PERFORMANCE STANDARDS Service Criteria AcceptablePerformance Compensation / Damages Adherence to University Requirements Reference standard terms, conditions and all articles of RFP Termination of Contract: Reference Section 8 of RFP. This termination clause will apply for insufficient performance of services by Contractor at the sole discretion of the University of Arkansas, Fayetteville. Scope of Services Reference Sections 1 & 2 of RFP: Description, Overview and Scope Termination of Contract: Reference Section 8 of RFP. This termination clause will apply for insufficient performance of services by Contractor at the sole discretion of the University of Arkansas, Fayetteville. Specifications, Goals and Deliverables Reference Section 14 of RFP: Specifications/Goals and Deliverables Termination of Contract: Reference Section 8 of RFP. This termination clause will apply for insufficient performance of services by Contractor at the sole discretion of the University of Arkansas, Fayetteville. APPENDIX I: OFFICIAL PRICE SHEET RFP NAME: Payment Card Industry Data Security Standards (PCI DSS) Compliance Services RFP NUMBER: 05222023 PROPOSAL DUE DATE/TIME: June 23, 2023 @ 2:30 PM CST RESPONDENT INFORMATION CONTACT: Ellen Ferguson PHONE/EMAIL: ellenf@uark.edu Reference Section 3-Costs / Pricing for further instruction, and the corresponding Bid Price Sheet provided below. Please complete the Price Sheet as provided and submit within your proposal. If pricing is dependent on any assumptions that are not specifically stated on the Official Price Sheet, please list those assumptions accordingly on a separate spreadsheet and show detailed pricing. Any additional pricing lists should remain attached to the Official Price Sheet for purposes of accurate evaluation. Pricing must be valid for one hundred twenty (120) days following the bid Proposal due date and time. mailto:ellenf@uark.edu 20 UA will not be obligated to pay any costs not identified accordingly. The Respondent must certify that any costs not identified by the Respondent, but subsequently incurred in order to achieve successful operation of the service, will be borne by the Respondent. Failure to do so may result in rejection of the bid. NOTE: Bids must be submitted on this official bid form to be considered. Respondents must use this Official Bid Price Sheet when submitting bids in response to this RFP. Provide pricing and/or discount where applicable next to the item listed below, per minimum specifications as listed within this bid document. Pricing must include shipping and handling charges. Item Description (add rows as needed) Total Price 1. PCI DSS Assessment Services (provide breakdown of services, if necessary, and/or provide annual costs, if applicable) $ 2. Self-Assessment Questionnaire (SAQ) – Validation Services (amount per merchant account) $ 3. Contact or Support Hourly Fee, if applicable 4. Cost related to Training Development $ 5. Other (Please Describe) $ 6. Not-to-exceed budgets for reimbursable expenses such as travel, communications, supplies, printing, etc. $ GRAND TOTAL $ APPENDIX II: RESPONDENT INFORMATION / REFERENCES Respondent must provide the following information as part of this proposal: 1. Respondent Representative Contact Name Telephone Email Address Address 2. References of your current customer(s) as specified in Section 4 of this RFP document: a. Company/Organization Name: Contact Name Telephone Email Address Address b. Company/Organization Name: Contact Name Telephone Email Address Address c. Company/Organization Name: 21 Contact Name Telephone Email Address Address