Common use of Confidential Information State Records Clause in Contracts

Confidential Information State Records. Confidentiality Grantee shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contract. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines includingguidelines. If Grantee or any of its Subcontractors will or may receive the following types of data, without limitationGrantee or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax InformationInformation and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Agreement as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum Agreement attached to this ContractAgreement, if applicable. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. representative Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this ContractAgreement, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof. Safeguarding PII If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.

Confidential Information State Records. Confidentiality Grantee Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee Contractor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this AgreementContract, permitted by law or approved in Writing by the State. Grantee Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contract. Grantee Contractor shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this AgreementContract. Grantee Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee Contractor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. .” Use, Security, and Retention Grantee Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee Contractor shall provide the State with access, subject to GranteeContractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this AgreementContract, Grantee Contractor shall return State Records provided to Grantee Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Grantee Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee Contractor can establish that none of Grantee Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee shall keep confidentialhold and maintain, and cause all Subcontractors to keep confidentialhold and maintain, any and all State RecordsRecords that the State provides or makes available to Grantee for the sole and exclusive benefit of the State, unless those State Records are publicly availableotherwise publically available at the time of disclosure or. Grantee shall not, without prior written approval of the State, useuse for Grantee’s own benefit, publish, copy, or otherwise disclose to any third party, or permit the use by any third party for its benefit or to the detriment of the State, any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contract. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, and Subcontractors sign nondisclosure agreements containing nondisclosure provisions at least as protective as those in this ContractAgreement, and that the nondisclosure provisions agreements are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions restrictions to the State upon execution of the nondisclosure provisionsrequest. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee Contractor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this AgreementContract, permitted by law or approved in Writing by the State. Grantee Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contract. Grantee Contractor shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this AgreementContract. Grantee Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee Contractor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee Contractor shall provide the State with access, subject to GranteeContractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this AgreementContract, Grantee Contractor shall return State Records provided to Grantee Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Grantee Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee Contractor can establish that none of Grantee Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee shall use its best efforts to keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines includingguidelines. If Grantee or any of its Subgrantees and Subcontractors will or may receive the following types of data, without limitationGrantee or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax InformationInformation and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Agreement as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum Agreement attached to this ContractAgreement, if applicable. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. representative Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns assigns, Subgrantees and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns assigns, Subgrantees and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, Subgrantees and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this ContractAgreement, and that the nondisclosure provisions are in force at all times the agent, employee, assign assign, Subgrantee or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns assigns, Subgrantees or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof. Safeguarding PII If Grantee or any of its Subgrantees or Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S. CONFLICTS OF INTEREST Actual Conflicts of Interest Grantee shall not engage in any business or activities, or maintain any relationships that conflict in any way with the full performance of the obligations of Grantee under this Agreement. Such a conflict of interest would arise when a Grantee, Subgrantee or Subcontractor’s employee, officer or agent were to offer or provide any tangible personal benefit to an employee of the State, or any member of his or her immediate family or his or her partner, related to the award of, entry into or management or oversight of this Agreement. Apparent Conflicts of Interest Xxxxxxx acknowledges that, with respect to this Agreement, even the appearance of a conflict of interest shall be harmful to the State’s interests. Absent the State’s prior written approval, Grantee shall refrain from any practices, activities or relationships that reasonably appear to be in conflict with the full performance of Xxxxxxx’s obligations under this Agreement. Disclosure to the State If a conflict or the appearance of a conflict arises, or if Grantee is uncertain whether a conflict or the appearance of a conflict has arisen, Grantee shall submit to the State a disclosure statement setting forth the relevant details for the State’s consideration. Failure to promptly submit a disclosure statement or to follow the State’s direction in regard to the actual or apparent conflict constitutes a breach of this Agreement.

Confidential Information State Records. Confidentiality Grantee Contractor shall keep confidentialhold and maintain, and cause all Subcontractors to keep confidentialhold and maintain, any and all State RecordsRecords that the State provides or makes available to Contractor for the sole and exclusive benefit of the State, unless those State Records are otherwise publicly availableavailable at the time of disclosure or are subject to disclosure by Contractor under XXXX. Grantee Contractor shall not, without prior written approval of the State, useuse for Contractor’s own benefit, publish, copy, or otherwise disclose to any third party, or permit the use by any third party for its benefit or to the detriment of the State, any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the StateContract. Grantee Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contract. Grantee Contractor shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this AgreementContract. Grantee Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign nondisclosure agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions agreements are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee Contractor shall provide copies of those signed nondisclosure provisions restrictions to the State upon execution of the nondisclosure provisionsrequest. Use, Security, and Retention Grantee Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee Contractor shall provide the State with access, subject to GranteeContractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this AgreementContract, Grantee Contractor shall return State Records provided to Grantee Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Grantee Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee Contractor can establish that none of Grantee Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines includingguidelines. If Grantee or any of its Subcontractors will or may receive the following types of data, without limitationGrantee or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax InformationInformation and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Agreement as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum Agreement attached to this ContractAgreement, if applicable. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. representative Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof. Safeguarding PII If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.

Confidential Information State Records. Confidentiality Grantee shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contractguidelines. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee Contractor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this AgreementContract, permitted by law or approved in Writing by the State. Grantee Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines includingguidelines. If Contractor or any of its Subcontractors will or may receive the following types of data, without limitationContractor or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax InformationInformation and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Contract as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum Agreement attached to this Contract, if applicable. Grantee Contractor shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this AgreementContract. Grantee Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee Contractor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. .” Use, Security, and Retention Grantee Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee Contractor shall provide the State with access, subject to GranteeContractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this AgreementContract, Grantee Contractor shall return State Records provided to Grantee Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Grantee Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee Contractor can establish that none of Grantee Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this planmay, in its sole discretion and Grantee at Contractor’s sole expense, require Contractor to engage the services of an independent, qualified, State-approved third party to conduct a security audit. Contractor shall make provide the State with the results of such audit and evidence of Contractor’s planned remediation in response to any negative findings. Data Protection and Handling Contractor shall ensure that all modifications as directed by State Records and Work Product in the Statepossession of Contractor or any Subcontractors are protected and handled in accordance with the requirements of this Contract, including the requirements of any Exhibits hereto, at all times. Safeguarding PII If Grantee cannot produce Contractor or any of its analysis Subcontractors will or may receive PII under this Contract, Contractor shall provide for the security of such PII, in a manner and plan within the allotted time, form acceptable to the State, in its sole discretionincluding, may perform such analysis and produce a remediation planwithout limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and Grantee audits. Contractor shall reimburse the State for the reasonable costs thereofbe a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.

Confidential Information State Records. Confidentiality Grantee Contractor shall keep confidentialhold and maintain, and cause all Subcontractors to keep confidentialhold and maintain, any and all State RecordsRecords that the State provides or makes available to Contractor for the sole and exclusive benefit of the State, unless those State Records are otherwise publicly availableavailable at the time of disclosure or are subject to disclosure by Contractor under XXXX. Grantee Contractor shall not, without prior written approval of the State, useuse for Contractor’s own benefit, publish, copy, or otherwise disclose to any third party, or permit the use by any third party for its benefit or to the detriment of the State, any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the StateContract. Grantee Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contract. Grantee Contractor shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this AgreementContract. Grantee Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee Contractor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. .” Use, Security, and Retention Grantee Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee Contractor shall provide the State with access, subject to GranteeContractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this AgreementContract, Grantee Contractor shall return State Records provided to Grantee Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Grantee Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee Contractor can establish that none of Grantee Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof.

Confidential Information State Records. Confidentiality Grantee Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee Contractor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this AgreementContract, permitted by law or approved in Writing by the State. Grantee Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines includingguidelines. If Contractor or any of its Subcontractors will or may receive the following types of data, without limitationContractor or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax InformationInformation and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Contract as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum Agreement attached to this Contract, if applicable. Grantee Contractor shall immediately forward any request or demand for State Records to the State’s principal representative. Other Entity Access and Nondisclosure Agreements Grantee Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this AgreementContract. Grantee Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Contract, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee Contractor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee Contractor shall provide the State with access, subject to GranteeContractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this AgreementContract, Grantee Contractor shall return State Records provided to Grantee Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Grantee Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee Contractor can establish that none of Grantee Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this planmay, in its sole discretion and Grantee at Contractor’s sole expense, require Contractor to engage the services of an independent, qualified, State-approved third party to conduct a security audit. Contractor shall make provide the State with the results of such audit and evidence of Contractor’s planned remediation in response to any negative findings. Data Protection and Handling Contractor shall ensure that all modifications as directed by State Records and Work Product in the Statepossession of Contractor or any Subcontractors are protected and handled in accordance with the requirements of this Contract, including the requirements of any Exhibits hereto, at all times. Safeguarding PII If Grantee cannot produce Contractor or any of its analysis Subcontractors will or may receive PII under this Contract, Contractor shall provide for the security of such PII, in a manner and plan within the allotted time, form acceptable to the State, in its sole discretionincluding, may perform such analysis and produce a remediation planwithout limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and Grantee audits. Contractor shall reimburse the State for the reasonable costs thereofbe a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.

Confidential Information State Records. Confidentiality Grantee shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Grantee shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in Writing by the State. Grantee shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Contractguidelines. Grantee shall immediately forward any request or demand for State Records to the State’s principal representative. representative Other Entity Access and Nondisclosure Agreements Grantee may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Grantee shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this ContractAgreement, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Grantee shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. Use, Security, and Retention Grantee shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Grantee shall provide the State with access, subject to Grantee’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Grantee shall return State Records provided to Grantee or destroy such State Records and certify to the State that it has done so, as directed by the State. If Grantee is prevented by law or regulation from returning or destroying State Confidential Information, Grantee warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. Incident Notice and Remediation If Grantee becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Grantee can establish that none of Grantee or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Grantee shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Grantee shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Grantee shall make all modifications as directed by the State. If Grantee cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Grantee shall reimburse the State for the reasonable costs thereof. Safeguarding PII If Grantee or any of its Subcontractors will or may receive PII under this Agreement, Grantee shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Grantee shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§00-00-000 et seq., C.R.S.