Corporation (“Licensor” or “Contractor”) and the State of
Oregon, acting through its [agency]
(“Licensee” or “Agency”), dated [date],
a copy of which is attached as Part 2 of this Exhibit X,
amends and supersedes any provision to the contrary in the Terms of
entire agreement (collectively “Agreement”) between the parties
and merge all prior and contemporaneous communications with respect
to the matters described in this Agreement.
Agency agree as follows:
and describe service]
Service, the Application Services described in the Contract.
Date and Term.
This Agreement is
effective on [date]
or when it is fully executed and approved according to applicable
laws, rules and regulations, whichever date is later (“Effective
Date”). This Agreement
continues in effect until the Contract is terminated or expires.
in Section 1 of the Contract]
means information created and information stored by Agency through
the Services, and information
created and collected by Contractor regarding Agency and its
clients during the course of providing the Services[,
including Personal Information].
specified in the Contract, Agency owns all
Data provided to or collected by Contractor pursuant to this
a non-exclusive, royalty-free, world-wide license to use, copy,
display, distribute, transmit and prepare derivative works of
Data only to fulfill the purposes of this Agreement. Agency’s
license to Contractor
is limited by the term of the Agreement and the confidentiality
obligations of this Agreement.
on Data Mining. As specified in the Contract, Contractor shall not
capture, maintain, scan, index, share or use Agency Data stored or
transmitted by the Services, or otherwise use any data-mining
technology, for any non-authorized activity and shall not permit
its agents or subcontractors to do so. For purposes of this
requirement, “non-authorized activity” means the data mining or
processing of data, stored or transmitted through the Services, for
unrelated commercial purposes, advertising or advertising-related
purposes, or for any other purpose other than security analysis
that is not explicitly authorized in this Agreement.
Agreement termination, Contractor shall comply with Contract
Section 16.6, Return of Property, and ensure Agency will have
access to Agency Data in accordance with the Transition Plan agreed
upon under Contract Section 3.9.3.
obligation of Agency to maintain the confidentiality of
Contractor’s proprietary information provided
to Agency is conditioned by and
subject to Agency’s obligations under the Oregon Public Records
Law, Oregon Revised Statutes (ORS) 192.311 to 192.478, which may
require disclosure of proprietary information as a “public
record” unless exempt under ORS 192.501 or ORS 192.502,
as described in Contract Section 10, Contractor’s Proprietary
Information; Oregon Public Records Laws.
information Contractor or its employees, subcontractors, or agents
receive or acquire relating to Agency or Agency’s clients under
Duties of Confidentiality and Non-Disclosure, and other federal and
Oregon laws governing [Personal
Information and other forms of]
shall comply with the Oregon Consumer Identity Theft Protection
Act, ORS 646A.600 through 606A.628, to the extent applicable to
and Data Privacy
security measures, including as described in Section ##
of the Terms of Service, will meet [specify
security standard, including Contract Hosting and Security Exhibit
K] criteria throughout
the term of this Agreement.
and Security Training.
Licensor shall ensure its employees, agents, and contractors
receive periodic training on privacy and security obligations
relating to this Agreement.
Purposes. Contractor shall
limit the use or disclosure of Agency Data to persons directly
connected with the administration of this Agreement.
Overseas Access, Storage, or Transmission.
Agency Data will not be accessed from, transmitted, or stored
outside of the United States or its territories, including for any
maintenance, support, disaster recovery, or data backup.
on Data Mining.
Contractor shall not capture, maintain, scan, index, share or use
Agency Data, or otherwise use any data-mining technology, for any
non-authorized activity, and shall not permit its agents or
subcontractors to do so. For purposes of this requirement,
“non-authorized activity” means data mining or processing of
data, stored or transmitted by the service, for unrelated
commercial purposes, advertising or advertising-related purposes,
or for any other purpose other than security analysis that is not
explicitly authorized in this Agreement.
information exchanged between the parties may include Agency Data
subject to specific confidentiality protections under state or
federal law, and the implementing regulations of those laws.
Contractor, its employees, agents, and contractors shall comply
with laws and regulations applicable to the information, including
as those laws and regulations may be updated from time to time.
Contractor shall maintain protections required by law or this
Agreement for any retained Agency Data for so long as Contractor
(including through any third party) retains Agency Data.
[Contractor shall not suspend Agency’s access to Agency Data at
any time during the term of this Agreement or the post-termination
Access to Agency Data. Upon
Agreement termination (including by expiration), Contractor shall,
at Agency’s discretion, either return all Agency Data to Agency
(or delegate) in an agreed-upon format, or ensure Agency has access
and the ability to retrieve Agency Data for at least a 90 calendar
day period following termination. This 90 day period will be at no
additional charge to Agency. Contractor shall not retain any copies
of Agency Data following Agency’s written verification that
Agency no longer requires post-termination access, except as
necessary for audit verification purposes.
shall at Agency’s option provide transition services to support a
responsible and secure transition of Services and Agency Data to
another service provider or to Agency.]
to Contractor’s records retention obligations under the Contract,
Contractor shall not retain any copies of Agency Data following the
post-termination access period. Contractor shall not destroy Agency
Data without Agency’s written authorization.]
Contractor shall notify Agency of any conditions that make
returning all Agency Data not feasible. Upon Agency’s written
acknowledgement that returning all Agency Data is not feasible,
Contractor shall purge or destroy retained Agency Data in all its
forms (including copies of returned data) in accordance with the
most current version of NIST SP 800-88 [or
other agreed-upon standard]
and provide Agency with written certification of sanitization.
and Breach Notification.
In the event Contractor or its subcontractor or agents discover or
are notified of a security incident, or a breach or potential
breach of security or privacy, including a failure to comply with
Contractor’s confidentiality obligations, Contractor shall
immediately Agency’s point of contact
of the incident, breach, or potential breach. If Agency determines
that a breach or potential breach requires notification of its
clients, or other notification required by law, Agency will have
sole control over the notification content, timing, and method,
subject to Contractor’s obligations under applicable law.
for Agency Data.
In the event Contractor receives a third party request for Agency
Data, including any electronic discovery, litigation hold, or
discovery searches, Contractor shall first give Agency notice and
provide such information as may reasonably be necessary to enable
Agency to take action to protect its interests.
Each party will provide notice to the other of any change in law,
or any other legal development, which may significantly affect its
ability to perform its obligations.
with Laws, Regulations, and Policies.
and warrants it] and all
Contractor employees, contractors, and agents [shall]
comply with all applicable state and federal laws and regulations,
and State of Oregon policies governing use and disclosure of Agency
access to State of Oregon information assets],
including as those laws, regulations, and policies may be updated
from time to time. Applicable laws, regulations, and policies
include but are not limited to:
Oregon Consumer Identity Theft Protection Act, ORS 646A.600
through 646A.628, to the extent applicable.
and Security Measures.
Contractor represents and warrants it has established and will
maintain privacy and security measures that meet or exceed the
standards set in laws, rules, and regulations applicable to the
safeguarding, security, and privacy of Agency Data. Contractor
shall monitor, periodically assess, and update its physical,
technical, and logical security controls and risk to ensure
continued effectiveness of those controls.
Risk Management Plan.
Contractor shall ensure the level of security and privacy
protection required [by
this Agreement] [for
the Services] is
documented in a security risk management plan. Contractor will make
its plan available to Agency for review upon request.
Agency reserves the right to conduct periodic security testing
reasonable advanced notice to Contractor]
of the Services.
Checks. Contractor has
completed a criminal background check on its employees, agents, and
contractors providing services related to this Agreement [and
who have administrator-level access to Agency Data].
Upon reasonable written request of Agency, Contractor shall
certify in writing that such background checks have been completed,
and the checks revealed no negative findings pertaining to
dishonesty, fraud, or theft on employees, agents, or contractors
providing services related to this Agreement.
Services. Services are
provided via [provide
information on hosting services, including any named vendor and
certification], which are
located within the continental United States. Contractor networks
and systems and Agency Data will not be accessed from, transmitted,
or stored outside of the United States or its territories,
including for any maintenance, support, disaster recovery, or data
Party Audit. All aspects of
the Services must meet the criteria of the American Institute of
Certified Public Accounts for SOC 2 Type II, including access
controls; availability; processing integrity; data confidentiality;
and data privacy, collection, use, retention, disclosure, and
disposal. Contractor shall ensure it and its subservice
organizations undergo periodic examinations from an independent
auditor to verify continued compliance. Contractor shall provide an
exact copy of the most recent examination results report to Agency
Logs and Reports.
Contractor shall allow Agency access to system security logs that
affect the Services, Agency Data, or processes. This includes the
ability for Agency to request a report of the records that a
specific user accessed over a specified period of time.
Agency Audit Rights and Access.
Contractor shall maintain records in such a manner as to clearly
document its compliance with and performance under this Agreement,
and provide Agency, the Oregon Secretary of State[,
the federal government,]
and their duly authorized representatives access to Contractor’s
officers, agents, contractors, subcontractors, employees,
facilities and records to:
Contractor’s compliance with this Agreement,
Contractor’s written security risk management plan, or
or verify any additional information Agency may require to meet
any state or federal laws, rules, or orders, including those
regarding Agency Data.
Notice. Except as stated below for
security logs, access to facilities, systems, and records under
this section will be granted following reasonable notice to
Contractor. Records include paper or electronic form, and related
system components and tools (including hardware and software),
required to perform examinations and audits, and to make excerpts
and transcripts, including for data forensics.
Security Logs. Contractor shall provide designated Agency staff
on-demand access to system security logs [in
report form] for the
Services, including user-level access logs for both Agency and
Retention. Contractor shall
retain and keep accessible all records for a minimum of six (6)
years, or such longer period as may be required by applicable law,
following termination of this Agreement, or until conclusion of any
audit, controversy, or litigation arising out of or related to this
Agreement, whichever data is later.
Access and Audit rights.
audit rights in Section [##]
of the TOS are modified to provide:
audit will take place no more than once every 12 months, upon not
fewer than 30 calendar days’ written notice, during normal
business hours and in a manner that does not interfere unreasonably
with Agency’s operations. Agency will provide Contractor or the
independent auditor with information reasonably requested in
furtherance of the verification; however, Contractor has no right
of access to any locations, servers, computers, records, data,
accounts, or other information protected by law from disclosure. As
an alternative, Contractor can request Agency complete a self-audit
the agreed-upon final audit report reveals that Agency does not
have sufficient subscriptions to meet its actual use, Agency will
order sufficient subscriptions at Agency’s then-current prices,
or at prices available to similar-sized government clients in good
standing, whichever is lower. Agency will not pay a penalty. Agency
may at its option purchase additional Services or subscriptions.
party will bear its own costs of any activity conducted pursuant to
Section ## of the TOS.
Application Services warranties are as described in Contract Section
on Agency Indemnification.
To the extent Agency is
harmless against claims brought by third parties against Contractor,
Agency’s obligation to indemnify is subject to the limitations of
Article XI, section 7 of the Oregon Constitution and the Oregon Tort
Claims Act, ORS 30.260 through 30.300.
Limitation of Liability; Indemnification.
aggregate liability is as described in Contract Section 13.
indemnities are described in Contract Section 12.
of Claims. Contractor’s
rights and obligations as to control of defense and settlement under
Law; Jurisdiction; Venue. As
required by Contract Section 19.2, this Agreement is to be construed
and enforced in accordance with the laws of the State of Oregon,
without giving effect to its conflict of law principles, and
applicable federal law. Venue and jurisdiction for any dispute are
as described in Contract Section 19.1.
Fees. Neither party to this
Agreement is entitled to obtain judgment from the other party for
attorneys’ fees incurred in any litigation between the parties.
Except as specifically agreed upon in the Contract, neither party
may obtain judgment from the other party for attorneys’ fees
incurred in the defense of any claim asserted by a third party.
Resolution. Any dispute
through informal discussions may be submitted to mediation upon the
consent of both parties. If informal discussions or mediation are
unsuccessful, either party may initiate litigation to resolve the
dispute. The parties specifically disclaim any right to arbitration
of disputes. Neither party waives its right to a jury trial or right
to participate in class, collective, or representative claims.
Agency’s obligation to pay late charges is subject to ORS
of Oregon Statutes. ORS
279B.220, 279B.230 and 279B.235 are incorporated into this Agreement
for Lack of Funding. Without
limiting Agency’s right to terminate the Contract under Contract
Section 16, nothing in this Agreement may be construed to permit any
violation of Article XI, Section 7 of the Oregon Constitution or any
other law regulating liabilities or monetary obligations of the
State of Oregon. Agency’s payment for services performed or
license fees due after the last Calendar Day of the current biennium
is contingent upon Agency receiving funding, appropriations,
limitations, allotments or other expenditure authority from the
Oregon Legislative Assembly (including its Emergency Board)
sufficient to allow Agency, in the exercise of its reasonable
administrative discretion, to continue to compensate Contractor.
Agency may immediately terminate this Agreement upon written notice
if Agency fails to receive funding, appropriations, limitations,
allotments, or other expenditure authority as contemplated by
Agency’s budget or spending plan and Agency determines, in its
assessment and ranking of the policy objectives explicit or implicit
in its budget or spending plan, that it is necessary to terminate
Contractor. As described in
Contract Section 5, Contractor shall act at all times as an
independent contractor and not as an agent or employee of Agency.
Contractor has no right or authority to incur or create any
obligation for or legally bind Agency in any way. Although Agency
reserves the right to evaluate the quality of Contractor’s
completed performance, Agency cannot and will not control the means
or manner by which Contractor performs its obligations under this
Agreement, except to the extent the means and manner in which these
obligations are to be performed is specifically set forth in this
Agreement. Contractor shall determine the appropriate means and
manner of performing its obligations. Contractor is not an
"officer," "employee" or "agent" of
Agency or any other agency, office, or department of the State of
Oregon, as those terms are used in ORS 30.265, and Contractor shall
make no representations to third parties to the contrary. Neither
party shall make any statements, representations, or commitments of
any kind or to take any action binding on the other except as
provided for in the Contract or authorized in writing by the party
to be bound.
of Precedence. In
the event of any conflict between the Contract, Rider, the Terms of
Use, and any terms and conditions published by Contractor on or
after the Effective Date of this Agreement and any terms presented
to an end user in a ‘click wrap’ or end user agreement, the
conflict will be resolved in that order.
As stated in Contract Section 9.9, Contractor
may disclose the form and existence of this Agreement in
advertising, press releases or other materials distributed to
prospective customers, but shall not otherwise attempt to obtain
publicity from its association with Agency or the State of Oregon,
whether or not such disclosure, publicity or association implies an
endorsement by Agency or the State of Oregon of Contractor’s
Application Services, without the prior written consent of Agency.
Maintenance and Access.
maintain all records in accordance with Contract Section 21.
This Rider may be executed in two or more counterparts, by
facsimile or otherwise, each of which is an original, and all of
which together constitute one and the same instrument,
notwithstanding that all parties are not signatories to the same
If the anticipated total value
of the Services to be provided under this Agreement is $150,000 or
more, Contractor certifies that it has a written policy and practice
that meets the requirements described in House
Bill 3060 (2017 Oregon Laws, chapter 212, codified at ORS
279A.212) for preventing sexual harassment,
sexual assault, and discrimination against employees who are members
of a protected class. Contractor agrees, as a material condition, to
maintain such policy and practice in force during the term of this
failure to maintain such policy and practice constitutes a breach
entitling Agency to terminate this Agreement for cause.
As required by
ORS 279B.235,Contractor shall comply with ORS 652.220 and not
unlawfully discriminate against any of its employees in the payment
of wages or other compensation for work of comparable character on
the basis of an employee’s membership in a protected class.
“Protected class” means a group of persons distinguished by
race, color, religion, sex, sexual orientation, national origin,
marital status, veteran status, disability, or age. Contractor’s
compliance with this section is a material term of this Agreement,
and Contractor’s failure to comply constitutes a breach entitling
Agency to terminate this Agreement for cause.
required by ORS 279B.235, Contractor may not prohibit any of its
employees from discussing the employee’s rate of wage, salary,
benefits, or other compensation with another employee or another
person. Contractor shall not retaliate against an employee who
discusses the employee’s rate of wage, salary, benefits, or other
compensation with another employee or another person.
Compliance Certificate. By
executing this Rider, the undersigned certifies under penalty of
perjury that the undersigned is authorized to act on behalf of
Contractor and that, to the best of the undersigned’s knowledge,
Contractor is not in violation of any Oregon Tax Laws. For purposes
of this certification, “Oregon Tax Laws” means a state tax
imposed by ORS 305.620 and ORS chapters 316, 317, and 318; (ii) Any
tax provisions imposed by a political subdivision of this state that
apply to Contractor, to Contractor’s property, operations,
receipts, or income, or to Contractor’s performance of or
compensation for any work performed by Contractor; (iii) Any tax
provisions imposed by a political subdivision of this state that
apply to Contractor, or to goods, services, or property, whether
tangible or intangible, provided by Contractor; and (iv) Any rules,
regulations, charter provisions, or ordinances that implemented or
enforced any of the foregoing tax laws or provisions.
State of Oregon, acting through
Procurement Services, Version 5.1 — February 2019 Page 1