CDN 2019-11-26 Item 2B - Contract - Permit Tracking System with Superion

City of Tukwila
Allan Ekberg, Mayor

INFORMATIONAL MEMORANDUM

TO: Community Development and Neighborhood Committee
FROM: Joseph Todd (TIS), Joel Bush (TIS), Jack Pace (DCD)
BY: Tami Eberle-Harris (TIS) / Rachelle Ripley (DCD)
CC: Mayor Ekberg
DATE: November 26, 2019
SUBJECT: Permit system update / Trakit transition to Cloud / New contract

ISSUE

Permitting software upgrade - Trakit system stabilization to support One Stop Permitting

BACKGROUND

The City's current permit tracking system is Trakit. We have used this system since 2013. It is currently used by the City's Building Division, Planning, Public Works, Code Enforcement and Rental Housing. The Fire Department is transitioning the permits it issues into Trakit. Online services are limited to scheduling inspections or checking the status of a permit. The city desires to provide more robust online permitting services.

The City purchased the online permitting module eTrakit in 2013, but was unable to implement it due to lack of technical support from the company. The company was sold multiple times. Many of the vendor's long-term knowledgeable staff members quit. Upgrades were notoriously buggy, which made the risk to upgrade outweigh the potential benefits. Improvements to the system could be realized with an upgrade from Trakit9 to newer releases, but vendor instability resulted in upgrade efforts stalling as the vendor was not able to support customization and bug fixes that were required to get online permitting (eTrakit) fully functioning. Prevalent concerns with the stability of the vendor prompted TIS and DCD to publish an RFQ for a new permitting system. This resulted in only five vendor responses.

DISCUSSION

In 2018, Trakit's vendor Superion was involved in a merger that formed Central Square Technologies. Improvements in areas of support and road map are being observed with the merger.
Contracting with Superion to move Trakit to Central Square's hosted cloud environment is recommended to stabilize the system. This move will align with the City's strategic goals to move to cloud and will include an update to a supported version of Trakit called Community Development, on newer infrastructure with updated software. The new environment will include a replacement for eTrakit with an online portal called Citizen Engagement. This will provide the capability for integrated online permitting, from the application submittal, fee payment, through permit issuance.

During contract negotiations, Superion agreed to waive the 2017 & 2018 maintenance fees ($70,143) and apply 2019 maintenance fees ($39,000) towards the new 2020 contract. There are stipulations in the contract for availability targets; customer service and incident response targets; and data and security requirements, along with recourse for non-performance.

The implementation will take 6-8 months to complete. In the interim, we have been working to develop forms using Seamless docs to provide online acceptance of permit applications. Seamless docs will be a temporary stopgap measure to mitigate challenges with acceptance of online documents. The forms will not be integrated directly into Trakit, which is why the long-term goal is to complete the transition of Trakit to Central Square's cloud, and include the integrated Citizen Engagement functionality. This will significantly improve service to the public.

FINANCIAL IMPACT

Due to the substandard performance of the vendor, the city did not pay maintenance costs for 2017 and 2018. The vendor is willing to waive these charges, and credit the 2019/20 maintenance fees towards a transition to their hosted environment.
Back-fees Maintenance 2017 & 2018, waived: $70,143 (waived)
2019/20 Maintenance fees: $38,838
Additional funds required to complete transition: $18,744
Total cost of move to Cloud and 1st year hosting fees: $57,582

The cost of this project is below the current allocated 2019/2020 budget in the Department of Community Development for the Permitting system. The city currently charges a technology fee in the amount of 5% of the permit fee for all permits that are processed through Trakit. This fee was instituted in 2013 to recover implementation cost and annual expenses associated with Trakit. The technology fee will recover ongoing fees associated with the current upgrade.

Ongoing budget impacts:
Annual Access Fees Year 2 (2021) - $57,750.00
Annual Access Fees Year 3 (2022) - $60,637.50
Beginning in Year 4, Annual Access Fees shall be limited to a 3% escalation per year.

RECOMMENDATION

In order to mitigate risks, improve and stabilize the Trakit Permitting system in support of the One Stop Permitting efforts throughout the City, the committee is being asked to approve the contract with Superion to move Trakit to Central Square's hosted cloud environment, and to forward to the Regular Meeting of 12/02/2019 Consent Agenda.

ATTACHMENTS

Contract - Superion Tukwila WA Host Q-00012021

Superion Solutions Agreement

This Superion Solutions Agreement (the "Agreement"), effective as of the latest date shown on the signature block below (the "Effective Date"), is entered into between Superion, a Delaware Limited Liability Company with its principal place of business in Lake Mary, FL ("Superion") and the City of Tukwila, WA ("Customer"), together with Superion, the "Parties", and each, a "Party".
WHEREAS, Superion licenses and gives access to certain software applications ("Superion Solutions") to its customers and also provides maintenance, support, migration, installation and other professional services; and

WHEREAS, Customer desires to license and/or gain access to certain Superion Solutions and receive professional services described herein, and Superion desires to grant and provide Customer license and access to such offerings as well as to support them with professional services, subject to the terms and conditions set forth in this Agreement.

NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, by the signatures of their duly authorized representative below, the Parties intending to be legally bound, agree to all of the following provisions and exhibits of this Agreement:

Superion, 1000 Business Center Dr., Lake Mary, FL 32746
By:
Print Name:
Print Title:
Date Signed:

Customer, 6300 Southcenter Blvd., Suite 100, Tukwila, WA 98188
By:
Print Name:
Print Title:
Date Signed:

1. Superion Solution: Public Administration (Q-00012021)

2. Term.

2.1. Initial Term. The Initial Term of this Agreement commences as of the Effective Date and will continue in effect for three (3) years from such date unless terminated earlier pursuant to any of the Agreement's express provisions (the "Initial Term").

2.2. Renewal Term. This Agreement will automatically renew for additional successive one (1) year terms at the then-current rates unless earlier terminated pursuant to any of the Agreement's provisions (a "Renewal Term" and, collectively, with the Initial Term, the "Term").

2.3. Non-Renewal. Either Party may elect to end renewal of the contract by issuing a notice of non-renewal, in writing, to the other party at least sixty (60) days prior to the expiration of the current contract term.

3. Fees.
In consideration of the rights and services granted by Superion to Customer under this Agreement, Customer shall make payments to Superion pursuant to the amounts and milestone-based payment schedule and terms outlined in Exhibit 1 (the "Project Cost Summary").

4. Definitions. Capitalized terms not otherwise defined in this Agreement have the meanings set forth below:

4.1. "Action" means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory or other, whether at law, in equity, or otherwise.

4.2. "Affiliate" of a Person means any other Person that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such Person.

4.3. "Authorized User" means Customer's employees, consultants, contractors, and agents who are authorized by Customer to access and use the Superion Solutions under the rights granted to Customer pursuant to this Agreement, and for whom access to the Superion Solutions has been purchased.

4.4. "Baseline" means the version of a Superion Solution updated to the particular time in question through Superion's warranty services and maintenance, but without any other modification whatsoever.

4.5. "Component System" means any one of the Superion Solutions identified in Exhibit 1, including all copies of Source Code, Object Code and all related specifications, Documentation, technical information, and all corrections, modifications, additions, development work, improvements and enhancements to and all Intellectual Property Rights for such Component System.

4.6. "Customer Data" means information, data, and content, in any form or medium, collected, downloaded, or otherwise received, directly or indirectly from Customer, an Authorized User or end-users by or through the Superion Solutions, provided the data is not personally identifiable and not identifiable to Customer.

4.7. "Custom Modification" means a change that Superion has made at Customer's request to any Component System in accordance with a Superion-generated specification, but without any other changes whatsoever by any Person.

4.8. "Customer Systems" means the Customer's information technology infrastructure, including computers, software, hardware, databases, electronic systems (including database management systems), and networks, whether operated by Customer or through the use of third-party services.

4.9. "Defect" means a material deviation between the Baseline Superion Solution and its Documentation, for which Defect Customer has given Superion enough information to enable Superion to replicate the deviation on a computer configuration that is both comparable to the Customer Systems and that is under Superion's control. Further, with regard to each Custom Modification, Defect means a material deviation between the Custom Modification and the Superion-generated specification and documentation for such Custom Modification, and for which Defect Customer has given Superion enough information to enable Superion to replicate the deviation on a computer configuration that is both comparable to the Customer Systems and that is under Superion's control.

4.10. "Documentation" means any manuals, instructions, or other documents or materials that Superion provides or makes available to Customer publicly on a website or in any form or medium and which describe the functionality, components, features, or requirements of the Superion Solutions, including any aspect of the installation, configuration, integration, operation, use, support, or maintenance thereof.

4.11. "Enhancements" means general release (as opposed to custom) changes to a Baseline Component System or Custom Modification which increase the functionality of the Baseline Component System or Custom Modification in question.

4.12. "Go Live Date" means the date the Customer certifies, in writing, that (a) Superion provided the current version of Superion Solution(s) to Customer and (b) said Solution(s) is fully functioning, including being free from any viruses or Harmful Code.

4.13. "Harmful Code" means any software, hardware, device or other technology, including any virus, worm, malware, or other malicious computer code, the purpose or effect of which is to (a) permit unauthorized access to, or to destroy, disrupt, disable, distort, or otherwise harm or impede any (i) computer, software, firmware, hardware, system, or network; or (ii) any application or function of any of the foregoing or the security, integrity, confidentiality, or use of any data Processed thereby; or (b) prevent Customer or any Authorized User from accessing or using the Superion Solutions as intended by this Agreement.

4.14. "Intellectual Property Rights" means any and all registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.

4.15. "Maintenance" means optimization, error correction, modifications, and updates to Superion Systems to correct any known Defects and improve performance. Maintenance will be provided for each Component System, the hours and details of which are described in Exhibit 2 ("Support Standards").

4.16. "New Releases" means new editions of a Baseline Component System or Custom Modification.

4.17. "Person" means an individual, corporation, partnership, joint venture, limited liability entity, governmental authority, unincorporated organization, trust, association, or other entity.

4.18. "Personal Information" means any information that does or can identify a specific individual or by or from which a specific individual may be identified, contacted, or located. Personal Information includes all "nonpublic personal information" as defined under the Gramm-Leach-Bliley Act, "protected health information" as defined under the Health and Insurance Portability and Accountability Act of 1996, "Personal Data" as defined in the EU General Data Protection Regulation (GDPR 2018), "Personal Information" as defined under the Children's Online Privacy Protection Act of 1998, and all rules and regulations issued under any of the foregoing.

4.19. "Professional Services" means installation, implementation, development work, training or consulting services including custom modification programming, support relating to custom modifications, on-site support services, assistance with data transfers, system restarts and reinstallations provided by Superion.

4.20. "Representatives" means, with respect to a party, that party's employees, officers, directors, agents, subcontractors, and legal advisors.

4.21. "Superion Personnel" means all individuals involved in the performance of Support Services and Professional Services as employees, agents, Subcontractors or independent contractors of Superion.

4.22. "Superion Solution(s)" means the Component Systems, Documentation, Custom Modifications, development work, Superion Systems and any and all other information, data, documents, materials, works, and other content, devices, methods, processes, hardware, software, technologies and inventions, including any deliverables, technical or functional descriptions, requirements, plans, or reports, provided or used by Superion or any Subcontractor in connection with Professional Services or Support Services rendered under this Agreement.

4.23. "Superion Systems" means the information technology infrastructure used by or on behalf of Superion to deliver Superion Solutions, including all computers, software, hardware, databases, electronic systems (including database management systems), and networks, whether operated directly by Superion or through the use of third-party services.

4.24. "Support Services" means Maintenance, Enhancements, implementation of New Releases, and general support efforts to respond to incidents reported by Customer in accordance with the detailed Support Standards outlined in Exhibit 2.

4.25. "Third-Party Materials" means materials and information, in any form or medium, including any software, documents, data, content, specifications, products, related services, equipment, or components of or relating to the Superion Solutions that are not proprietary to Superion.

5. License, Access & Services.

5.1. License Grant. Subject to and conditioned on the payment of Fees and compliance with all other terms and conditions of this Agreement, Superion hereby grants to Customer a non-exclusive, non-sublicenseable, and non-transferable license to the current version of the Superion Solution(s) outlined in Exhibit 1 at the time of this Agreement's execution.

5.2. Access and Scope of Use.
Subject to and conditioned on Customer and their Authorized Users' compliance with the terms and conditions of this Agreement, Superion hereby grants Customer a non-exclusive, non-transferable right to access and use the Solutions, solely by Authorized Users. Such use is limited to Customer's internal use. Superion shall deliver to Customer the initial copies of the Superion Solution(s) outlined in Exhibit 1 by (a) electronic delivery, by posting it on Superion's network for downloading, or similar suitable electronic file transfer method, or (b) physical shipment, such as on a disc or other suitable media transfer method. Physical shipment is on FOB-Superion's shipping point, and electronic delivery is deemed effective at the time Superion provides Customer with access to download the Superion Solutions. The date of such delivery shall be referred to as the "Delivery Date."

5.3. Documentation License. Superion hereby grants to Customer a non-exclusive, non-sublicenseable, non-transferable license to use and reproduce the Documentation during the Term solely for Customer's internal business purposes in connection with its use of the Superion Solutions.

5.4. Service and System Control. Except as otherwise expressly provided in this Agreement:

5.4.1. Superion has and will retain sole control over the operation, provision, maintenance, and management of the Superion Solutions; and

5.4.2. Customer has and will retain sole control over the operation, maintenance, and management of, and all access to and use of, the Customer Systems, and sole responsibility for access to and use of the Superion Solutions by any Person by or through the Customer Systems or other means controlled by Customer or any Authorized User, including any reports or results obtained from any use of the Superion Solutions, and conclusions, decisions, or actions based on such use.

5.5. Limitations.
Customer must provide Superion with such facilities, equipment and support as are reasonably necessary for Superion to perform its obligations under this Agreement, including, if required by Superion, remote access to the Customer Systems. Superion is not responsible or liable for any delay or failure of performance caused in whole or in part by any Customer delay or Customer's failure to perform any obligations under this Agreement.

5.6. Exceptions. Superion has no obligation to provide Support Services relating to any Defect with the Superion Solutions that, in whole or in part, arise out of or result from any of the following:

5.6.1. software, or media on which provided, that is modified or damaged by Customer or unauthorized third party;

5.6.2. any operation or use of, or other activity relating to, the Superion Solutions other than as specified in the Documentation, including any incorporation, or combination, operation or use of the Superion Solutions in or with, any technology (software, hardware, firmware, system, or network) or service not specified for Customer's use in the Documentation;

5.6.3. any negligence, abuse, misapplication, or misuse of the Superion Solution other than by Superion personnel, including any Customer use of the Superion Solution other than as specified in the Documentation or expressly authorized in writing by Superion;

5.6.4. any Customer's failure to promptly install any New Releases that Superion has previously made available to Customer;

5.6.5. the operation of, or access to, Customer's or a third party's system, materials or network;

5.6.6. any relocation of the Superion Solution other than by Superion personnel;

5.6.7. any beta software, software that Superion makes available for testing or demonstration purposes, temporary software modules, or software for which Superion does not receive a fee;

5.6.8.
any breach of or noncompliance with any provision of this Agreement by Customer or any of its Representatives or any Force Majeure Event (including abnormal physical or electrical stress).

5.7. Reservation of Rights. Except for the specified rights outlined in this Section, nothing in this Agreement grants any right, title, or interest in or to any Intellectual Property Rights in or relating to the Support Services, Professional Services, Superion Solutions, or Third-Party Materials, whether expressly, by implication, estoppel, or otherwise. All right, title, and interest in the Superion Solutions, and the Third-Party Materials are and will remain with Superion and the respective rights holders.

5.8. Changes. Superion reserves the right, in its sole discretion, to make any changes to the Support Services and Superion Solutions that it deems necessary or useful to: (a) maintain or enhance the quality or delivery of Superion's services to its customers, the competitive strength of or market for Superion's services, or the Support Services' cost efficiency or performance; or (b) to comply with applicable law. Without limiting the foregoing, either party may, at any time during the Term, request in writing at least sixty (60) days in advance of changes to particular Support Services, Professional Services or their product suite of Superion Solutions. The parties shall evaluate and, if agreed, implement all such requested changes. No requested changes will be effective unless and until memorialized in either a Superion issued Add-On Quote signed by the Customer, or a written change order or amendment to this agreement signed by both parties.

5.9. Subcontractors. Superion may from time to time in its discretion engage third parties to perform Professional Services or Support Services (each, a "Subcontractor") in accordance with the terms and conditions of this Agreement.

5.10. Security Measures.
The Superion Solution may contain technological measures designed to prevent unauthorized or illegal use of the Superion Solution. Customer acknowledges and agrees that: (a) Superion may use these and other lawful measures to verify compliance with the terms of this Agreement and enforce Superion's rights, including all Intellectual Property Rights, in and to the Superion Solution; (b) Superion may deny any individual access to and/or use of the Superion Solution if Superion, in its reasonable discretion, believes that person's use of the Superion Solution would violate any provision of this Agreement, regardless of whether Customer designated that person as an Authorized User; and (c) Superion may collect, maintain, process, use and disclose technical, diagnostic and related non-identifiable data gathered periodically which may lead to improvements in the performance and security of the Superion Solutions.

6. Use Restrictions. Customer shall not, and shall not permit any other Person to, access or use the Superion Solutions except as expressly permitted by this Agreement. For purposes of clarity and without limiting the generality of the foregoing, Customer shall not, except as this Agreement expressly permits:

6.1. copy, modify, or create derivative works or improvements of the Superion Solutions, or rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available any Superion Solutions to any Person, including on or in connection with the internet or any time-sharing, service bureau, software as a service, cloud, or other technology or service;

6.2. reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to the source code of the Superion Solutions, in whole or in part;

6.3.
bypass or breach any security device or protection used by Superion Solutions or access or use the Superion Solutions other than by an Authorized User through the use of his or her own then valid access;

6.4. input, upload, transmit, or otherwise provide to or through the Superion Systems, any information or materials that are unlawful or injurious, or contain, transmit, or activate any Harmful Code;

6.5. damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Superion Systems, or Superion's provision of services to any third party, in whole or in part;

6.6. remove, delete, alter, or obscure any trademarks, Specifications, Documentation, warranties, or disclaimers, or any copyright, trademark, patent, or other intellectual property or proprietary rights notices from any Documentation or Superion Solutions, including any copy thereof;

6.7. access or use the Superion Solutions in any manner or for any purpose that infringes, misappropriates, or otherwise violates any Intellectual Property Right or other right of any third party, or that violates any applicable law;

6.8. access or use the Superion Solutions for purposes of competitive analysis of the Superion Solutions, the development, provision, or use of a competing software service or product or any other purpose that is to Superion's detriment or commercial disadvantage or otherwise access or use the Superion Solutions beyond the scope of the authorization granted under this Section.

7. Customer Obligations.

7.1. Customer Systems and Cooperation.
Customer shall at all times during the Term: (a) set up, maintain, and operate in good repair all Customer Systems on or through which the Superion Solutions are accessed or used; (b) provide Superion Personnel with such access to Customer's premises and Customer Systems as is necessary for Superion to perform the Support Services in accordance with the Support Standards and Specifications; and (c) provide all cooperation as Superion may reasonably request to enable Superion to exercise its rights and perform its obligations under and in connection with this Agreement.

7.2. Effect of Customer Failure or Delay. Superion is not responsible or liable for any delay or failure of performance caused in whole or in part by Customer's delay in performing, or failure to perform, any of its obligations under this Agreement.

7.3. Corrective Action and Notice. If Customer becomes aware of any actual or threatened activity prohibited by Section 6, Customer shall, and shall cause its Authorized Users to, immediately: (a) take all reasonable and lawful measures within their respective control that are necessary to stop the activity or threatened activity and to mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the Superion Solutions and permanently erasing from their systems and destroying any data to which any of them gained unauthorized access); and (b) notify Superion of any such actual or threatened activity.

8. Professional Services.

8.1. Compliance with Customer Policies. While Superion Personnel are performing services at Customer's site, Superion will ensure that such personnel comply with Customer's reasonable security procedures and site policies that are generally applicable to Customer's other suppliers providing similar services and that have been provided to Superion in writing or in advance.
Customer shall promptly reimburse Superion for any pre-approved out-of-pocket costs incurred in complying with such procedures and policies.

8.2. Contributed Material. In the process of Superion's performing Professional Services, Customer may, from time to time, provide Superion with designs, plans, or specifications, improvements, works or other material for inclusion in, or making modifications to, the Superion Solutions, the Documentation or any other deliverables ("Contributed Material"). Customer grants to Superion a nonexclusive, irrevocable, perpetual, transferable right, without the payment of any royalties or other compensation of any kind and without the right of attribution, for Superion, Superion's Affiliates and Superion's licensees to make, use, sell and create derivative works of the Contributed Material.

9. Confidentiality.

9.1. Confidential Information. "Confidential Information" means information in any form or medium (whether oral, written, electronic, or other) that the Disclosing Party considers confidential or proprietary, including information consisting of or relating to the Disclosing Party's technology, trade secrets, know-how, business operations, plans, strategies, customers, and pricing, and information with respect to which the Disclosing Party has contractual or other confidentiality obligations. Without limiting the foregoing, Confidential Information of Superion includes the Superion Solutions, all software provided with the Superion Solutions, and algorithms, methods, techniques and processes revealed by the Source Code of the Superion Solutions and any software provided with the Superion Solutions. In connection with this Agreement each party (as the "Disclosing Party") may disclose or make available Confidential Information to the other party (as the "Receiving Party").
It shall be the Disclosing Party's responsibility to identify Confidential Information as such to the extent commercially reasonable and practical to do so for purposes of facilitating compliance by the Receiving Party.

9.2. Exclusions. Confidential Information does not include information that: (a) was rightfully known to the Receiving Party without restriction on use or disclosure prior to being disclosed or made available to the Receiving Party in connection with this Agreement; (b) was or becomes generally known by the public other than by the Receiving Party or any of its Representatives' noncompliance with this Agreement; (c) was or is received by the Receiving Party on a non-confidential basis from a third party that was or is independently developed by the Receiving Party without reference or use of any Confidential Information.

9.3. Protection of Confidential Information. As a condition to being provided with any disclosure of or access to Confidential Information, the Receiving Party shall:

9.3.1. not access or use Confidential Information other than as necessary to exercise its rights or perform its obligations under and in accordance with this Agreement;

9.3.2. not disclose or permit access to Confidential Information other than to its Representatives who: (i) need to know such Confidential Information for purposes of the Receiving Party's exercise of its rights or performance of its obligations under and in accordance with this Agreement; (ii) have been informed of the confidential nature of the Confidential Information and the Receiving Party's obligations under this Section; and (iii) are bound by written confidentiality or restricted use obligations at least as protective of the Confidential Information as the terms in this Section;

9.3.3.
safeguard the Confidential Information from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its sensitive information and in no event less than a reasonable degree of care;

9.3.4. ensure its Representatives' compliance with, and be responsible and liable for any of its Representatives' non-compliance with, the terms of this Section.

9.4. Compelled Disclosures. If either Party or any of its Representatives is compelled by applicable law to disclose any Confidential Information then, to the extent permitted by law, that Party shall: (a) promptly, and prior to such disclosure, notify the other Party in writing of such requirement so that they can seek a protective order or other remedy or waive its rights under Section .3; and (b) provide reasonable assistance to the Disclosing Party in opposing such disclosure or seeking a protective order or other limitations on disclosure. If the Disclosing Party waives compliance or, after providing the notice and assistance required under this Section, the Receiving Party remains required by law to disclose any Confidential Information, the Receiving Party shall disclose only that portion of the Confidential Information that the Receiving Party is legally required to disclose.

9.5. Trade Secrets. Notwithstanding any other provisions of this Agreement, the Receiving Party's obligations under this Section with respect to any Confidential Information that constitutes a trade secret under any applicable law will continue until such time, if ever, as such Confidential Information ceases to qualify for trade secret protection under one or more such applicable laws other than as a result of any act or omission of the Receiving Party or any of its Representatives.

10. Security.

10.1.
Superion will implement commercially reasonable administrative, technical and physical safeguards designed to ensure the security and confidentiality of Customer Data, protect against any anticipated threats or hazards to the security or integrity of Customer Data, and protect against unauthorized access or use of Customer Data. Superion will review and test such safeguards on no less than an annual basis.

10.2. Customer shall maintain, in connection with the operation or use of the Superion Solutions, adequate technical and procedural access controls and system security requirements and devices, necessary for data privacy, confidentiality, integrity, authorization, authentication and non-repudiation and virus detection and eradication.

10.3. To the extent that Authorized Users are permitted to have access to the Superion Solutions, Customer shall maintain agreements with such Authorized Users that adequately protect the confidentiality and Intellectual Property Rights of Superion in the Superion Solutions and Documentation, and disclaim any liability or responsibility of Superion with respect to such Authorized Users.

11. Personal Data. If Superion processes or otherwise has access to any personal data or personal information on Customer's behalf when performing Superion's obligations under this Agreement, then:

11.1. Customer shall be the data controller (where "data controller" means an entity which alone or jointly with others determines purposes for which and the manner in which any personal data are, or are to be, processed) and Superion shall be a data processor (where "data processor" means an entity which processes the data only on behalf of the data controller and not for any purposes of its own);

11.2.
Customer shall ensure that it has obtained all necessary consents and it is entitled to transfer the relevant personal data or personal information to Superion so that Superion may lawfully use, process and transfer the personal data and personal information in accordance with this Agreement on Customer's behalf, which may include Superion processing and transferring the relevant personal data or personal information outside the country where Customer and the Authorized Users are located in order for Superion to provide the Superion Solutions and perform its other obligations under this Agreement; and

11.3. Superion shall process personal data and information only in accordance with lawful and reasonable instructions given by Customer and as set out in and in accordance with the terms of this Agreement; and

11.4. Each party shall take appropriate technical and organizational measures against unauthorized or unlawful processing of the personal data and personal information or its accidental loss, destruction or damage so that, having regard to the state of technological development and the cost of implementing any measures, the measures taken ensure a level of security appropriate to the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage in relation to the personal data and personal information and the nature of the personal data and personal information being protected. If necessary, the parties will cooperate to document these measures taken.

12. Representations and Warranties.

12.1. Software Warranty. Superion warrants to Customer that for a period of twelve (12) months from the Go-Live Date, the Superion Solutions (as delivered to Customer by Superion and when properly used for the purpose and in the manner specifically authorized by this Agreement), will perform as described in the Documentation in all material respects, including being free from any viruses or Harmful Code.

12.2.
Professional Services Representation and Warranty. Superion represents, warrants, and covenants to Customer that during the Term, Superion will perform Professional Services using personnel of required skill, experience, and qualifications and in a professional and workmanlike manner in accordance with generally recognized industry standards for similar services and will devote adequate resources to meet its obligations under this Agreement. If Customer reasonably believes that any Professional Services were performed in violation of this warranty, it will notify Superion within thirty (30) days of service performance describing the issue, together with adequate supporting documentation and data. Upon receipt of such notice, Superion's obligation will be to re-perform the particular Professional Services affected as soon as commercially reasonable at no additional charge.

12.3. Support Services Representation and Warranty. Superion represents, warrants, and covenants to Customer that during the Term, Superion will perform the Support Services using personnel of required skill, experience, and qualifications and in a professional and workmanlike manner in accordance with both generally recognized industry standards including applicable local authority, laws or codes specified by Customer for similar services, and the specific guidance for support found in Exhibit 2, and will devote adequate resources to meet its obligations under this Agreement. If Customer reasonably believes that any Support Services failed to meet this warranty, they will follow their preferred escalation path outlined in the Support Standards below, including receipt of service credit.

12.4. DISCLAIMER OF WARRANTIES.
EXCEPT FOR THE EXPRESS LIMITED WARRANTIES SET FORTH ABOVE, SUPERION MAKES NO WARRANTIES WHATSOEVER, EXPRESSED OR IMPLIED, WITH REGARD TO THE SUPERION SOLUTIONS, PROFESSIONAL SERVICES, SUPPORT SERVICES, AND/OR ANY OTHER MATTER RELATING TO THIS AGREEMENT, AND THAT SUPERION DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, OR OTHER, INCLUDING ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. FURTHER, SUPERION EXPRESSLY DOES NOT WARRANT THAT A SUPERION SOLUTION, ANY CUSTOM MODIFICATION OR ANY IMPROVEMENTS WILL BE USABLE BY CUSTOMER IF THE SUPERION SOLUTION OR CUSTOM MODIFICATION HAS BEEN MODIFIED BY ANYONE OTHER THAN SUPERION PERSONNEL, OR WILL BE ERROR FREE, WILL OPERATE WITHOUT INTERRUPTION OR WILL BE COMPATIBLE WITH ANY HARDWARE OR SOFTWARE TO THE EXTENT EXPRESSLY SET FORTH IN THE DOCUMENTATION. ALL THIRD-PARTY MATERIALS ARE PROVIDED "AS-IS" AND ANY REPRESENTATION OR WARRANTY OF OR CONCERNING ANY OF THEM IS STRICTLY BETWEEN CUSTOMER AND THE THIRD-PARTY OWNER. THIS AGREEMENT DOES NOT AMEND, OR MODIFY SUPERION'S WARRANTIES UNDER ANY AGREEMENT OR ANY CONDITIONS, LIMITATIONS, OR RESTRICTIONS THEREOF.

13. Notices. All notices and other communications required or permitted under this Agreement must be in writing and will be deemed given when delivered personally, sent by United States registered or certified mail, return receipt requested; transmitted by facsimile or email confirmed by United States first class mail, or sent by overnight courier. Notices must be sent to a Party at its address shown below, or to such other place as the Party may subsequently designate for its receipt of notices in writing by the other Party.

If to Superion:
Superion
1000 Business Center Dr.
Lake Mary, FL.
Phone: 407-304-3235
email: info@superion.com
Attention: Senior Counsel / Contracts Department

If to Customer:
City of Tukwila
6300 Southcenter Blvd., Suite 100
Tukwila, WA 98188
Phone:
email:
Attention:

14. Force Majeure.

14.1. No Breach or Default. Neither Party will be liable to the other for any failure or delay in fulfilling or performing any term of this Agreement (except for any payment obligation) when and to the extent such failure or delay is caused by any circumstances beyond such Party's reasonable control (a "Force Majeure Event"), including Acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, national or regional emergency, riot or other civil unrest, acts and omissions of third parties, governmental and judicial action (including embargoes, export or import restrictions) not the fault of the Party failing or delaying in performance.

14.2. Affected Party Obligations. In the event of any failure or delay caused by a Force Majeure Event, the affected Party shall give prompt written notice to the other Party stating the period of time the occurrence is expected to continue and use commercially reasonable efforts to end the failure or delay and minimize the effects of such Force Majeure Event.

15. Mutual Indemnification.

15.1. Superion Indemnification. Superion shall indemnify, defend, and hold harmless Customer and Customer's officers, elected officials, directors, employees, agents, successors, and assigns from and against any and all losses incurred by or resulting from any Action by a third party (other than an Affiliate of Customer) that Customer's use of the Superion Solutions in accordance with this Agreement infringes or misappropriates such third party's US Intellectual Property Rights, US patents, copyrights, or trade secrets. The foregoing obligation does not apply to the extent that the alleged infringement arises from:
15.1.1. Third-Party Materials or Customer Data;
15.1.2.
access to or use of the Superion Solutions in combination with any hardware, system, software, network, or other materials or service not provided by Superion or specified for Customer's use in the Documentation;
15.1.3. modification of the Superion Solutions other than: by or on behalf of Superion or with Superion's written approval in accordance with Superion's written specification;
15.1.4. failure to timely implement any modifications, upgrades, replacements, or enhancements made available to Customer by or on behalf of Superion; or
15.1.5. act, omission, or other matter described in Section 15.2 below, whether or not the same results in any Action against or losses by any Superion Indemnitee.

15.2. Customer Indemnification. Customer shall indemnify, defend, and hold harmless Superion and its officers, directors, employees, agents, successors, and assigns from and against any and all losses incurred by Superion resulting from any Action by a third party (other than an Affiliate of Superion) that arise out of or result from, or are alleged to arise out of or result from:
15.2.1. Customer Data, including any Processing of Customer Data by or on behalf of Superion in accordance with this Agreement;
15.2.2. Gross negligence or more culpable act or omission (including recklessness or willful misconduct) by Customer, any Authorized User, or any third party on behalf of Customer or any Authorized User, in connection with this Agreement.

15.3. Procedure. Each party shall promptly notify the other party in writing of any Action for which such party believes it is entitled to be indemnified. The party seeking indemnification shall cooperate with the other party at that party's sole cost and expense. The indemnitor shall promptly assume control of the defense and shall employ counsel of its choice that is reasonably acceptable to the indemnitee to handle and defend the same.

15.4. Sole Remedy.
THIS SECTION SETS FORTH CUSTOMER'S SOLE REMEDIES AND SUPERION'S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES AND SUPERION SOLUTIONS OR ANY SUBJECT MATTER OF THIS AGREEMENT INFRINGES, MISAPPROPRIATES, OR OTHERWISE VIOLATES ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.

16. Termination. This Agreement may be terminated:

16.1. For cause by either Party, effective on written notice to the other Party, if the other Party materially breaches this Agreement and: (i) is incapable of cure; or (ii) being capable of cure, remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach.

16.2. For lack of payment by written notice to Customer, if Customer's failure to pay amounts due under this Agreement has continued more than ninety (90) days after delivery of written notice of non-payment.

17. Effect of Termination or Expiration. On the expiration or earlier termination of this Agreement:

17.1. all rights, licenses, and authorizations granted to Customer hereunder will immediately terminate and Customer shall immediately cease all use of and other activities with respect to Superion's Confidential Information relating to the Superion Solutions, and within thirty (30) days deliver to Superion, or at Superion's request destroy and erase Superion's Confidential Information from all systems Customer directly or indirectly controls; and

17.2. all licenses, access or subscription fees, services rendered but unpaid, and any amounts due by Customer to Superion of any kind are immediately payable and due no later than thirty (30) days after the effective date of the termination or expiration, including anything that accrues within those thirty days.

17.3.
The provisions set forth in the following sections, and any other right or obligation of the parties in this Agreement that, by its nature (including but not limited to: Use Restrictions, Confidential Information, Warranty Disclaimers, Mutual Indemnifications & Limitations of Liability), should survive termination or expiration of this Agreement, will survive any expiration or termination of this Agreement.

17.4. Return of Customer Data. Superion shall within 60 days following such expiration or termination, deliver to Customer in a format as requested by Customer the then most recent version of Customer Data maintained by Superion, provided that Customer has at that time paid all Fees then outstanding and any amounts payable after or as a result of such expiration or termination.

17.5. Deconversion. In the event of (i) expiration or earlier termination of this Agreement, or (ii) Customer no longer purchasing certain Superion Solutions (including those indicated to be Third-Party Materials), if Customer requests assistance in the transfer of Customer Data to a different vendor's applications ("Deconversion"), Superion will provide reasonable assistance. Superion and Customer will negotiate in good faith to establish the relative roles and responsibilities of Superion and Customer in effecting Deconversion, as well as the appropriate date for completion. Superion shall be entitled to receive compensation for any additional consultation, software and documentation required for Deconversion on a time and materials basis at Superion's then standard rates.

18. Assignment. Customer shall not assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance, under this Agreement, in each case whether voluntarily, involuntarily, by operation of law, or otherwise, without Superion's prior written consent, which consent shall not be unreasonably withheld or delayed.
For purposes of the preceding sentence, and without limiting its generality, any merger, consolidation, or reorganization involving Customer (regardless of whether Customer is a surviving or disappearing entity) will be deemed to be a transfer of rights, obligations, or performance under this Agreement for which Superion's prior written consent is required. No delegation or other transfer by a Party will relieve the transferring Party of any of its obligations or performance under this Agreement. Any purported assignment, delegation or transfer in violation of this Section is void. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

19. No Waiver. A Party's failure to enforce its rights with respect to any single or continuing breach of this Agreement will not act as a waiver of the right of that Party to later enforce any such rights or to enforce any other or any subsequent breach.

20. Arbitration of Disputes. Intentionally Omitted

21. Jurisdiction and Governing Law. This Agreement and any dispute or claim arising, directly or indirectly, out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by, and shall be construed and enforced in accordance with, the laws of the State of Washington excluding choice of law.
Each party irrevocably (i) agrees that a County or Circuit Court in and for King County, Washington, or the United States District for the King County, Washington, shall have exclusive jurisdiction to settle any dispute, controversy or claim arising, directly or indirectly, out of or in connection with this Agreement, or the breach, termination or validity thereof (including non-contractual disputes or claims) and that such court shall be the proper venue therefor and (ii) agrees that the prevailing party shall be entitled to recover its reasonable attorney's fees, court costs and other legal expenses from the other party.

22. Severability. If any provision of this Agreement is illegal or unenforceable, it will be deemed stricken from the Agreement and the remaining provisions of the Agreement will remain in full force and effect.

23. LIMITATIONS OF LIABILITY.

23.1. LIMITED LIABILITY OF SUPERION. SUPERION'S LIABILITY IN CONNECTION WITH THE SERVICES, IMPROVEMENTS OR ANY OTHER MATTER RELATING TO THIS AGREEMENT WILL NOT EXCEED THREE TIMES THE FEES THAT CUSTOMER ACTUALLY PAID TO SUPERION IN CONNECTION WITH THIS AGREEMENT FOR THE INITIAL TERM OR RENEWAL TERM WHEN THE RELEVANT ACTIONS LEADING TO SUCH LIABILITY AROSE. IN ANY EVENT, SUPERION SHALL NOT BE LIABLE FOR ANY LOSSES RESULTING FROM THE CRIMINAL ACTS OF THIRD PARTIES.

23.2. EXCLUSION OF DAMAGES.
REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL SUPERION, SUPERION PERSONNEL, SUBCONTRACTORS OR SUPPLIERS BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT FOR ANY (I) LOSS OF DATA, BUSINESS, REVENUE, PROFIT, GOODWILL, OR REPUTATION, (II) BUSINESS INTERRUPTION, INCREASED COSTS, OR DIMINUTION IN VALUE, OR SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE; AND WHETHER OR NOT SUPERION, SUPERION PERSONNEL, SUBCONTRACTORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE.

23.3. BASIS OF THE BARGAIN. CUSTOMER ACKNOWLEDGES THAT SUPERION HAS SET ITS FEES AND ENTERED INTO THIS AGREEMENT IN RELIANCE UPON THE LIMITATIONS OF LIABILITY AND THE DISCLAIMERS OF WARRANTIES AND DAMAGES SET FORTH IN THIS AGREEMENT, AND THAT THE SAME FORM AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES.

24. Third-Party Materials. Customer is hereby advised that Superion provides front-line support services for third parties, but these third parties assume all responsibility for and liability in connection with the Third-Party Materials. Superion is not authorized to make any representations or warranties that are binding upon the third party or to engage in any other acts that are binding upon the third party, excepting specifically that Superion is authorized to represent the fees for the Third-Party Materials as the same is provided for in the Agreement and to accept payment of such amounts from Customer on behalf of the third party for as long as such third party authorizes Superion to do so. As a condition precedent to installing or accessing any Third-Party Materials, Customer may be required to execute a click-through, shrink-wrap EULA or similar agreement provided by the Third-Party Materials provider.
25. Entire Agreement; Amendment and Modification. This Agreement contains the entire understanding of the parties with respect to its subject matter, and supersedes and extinguishes all prior oral and written communications between the parties about its subject matter. Any purchase order, agreement, or other ordering document issued by Customer at any time for any reason, will not modify or affect this Agreement nor have any other legal effect notwithstanding the inclusion of any additional or different terms or conditions in any such ordering document and shall serve only the purpose of identifying the products or services ordered. No modification of this Agreement will be effective unless it is in writing, is signed by each Party, and expressly provides that it amends this Agreement.

26. No Third-Party Beneficiaries. This Agreement is for the sole benefit of the Parties and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or shall confer on any other person any legal or equitable right, benefit, or remedy of any nature under or by reason of this Agreement.

27. Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. A signed copy of this Agreement delivered by facsimile, e-mail, or other means of electronic transmission is deemed to have the same legal effect as delivery of an original signed copy of this Agreement.

28. Cooperative Purchases. This Contract may be used by other government agencies. Superion has agreed to offer similar services to other agencies under the same terms and conditions as stated herein except that the compensation may be negotiated between Superion and other agencies based on the specific revenue expectations, agency reimbursed costs, and other agency requirements.
The Customer will in no way whatsoever incur any liability in relation to specifications, delivery, payment, or any other aspect of purchases by such agencies.

29. Incorporated Exhibits to this Agreement:
29.1. Exhibit 1 - Project Cost Summary
29.2. Exhibit 2 - Maintenance & Support Standards
29.3. Exhibit 3 - Travel Expense Guidelines
29.4. Exhibit 4 - Statement of Work
29.5. Exhibit 5 - Vendor Security Requirements
29.6. Exhibit 6 - Data Protection and Information Security

EXHIBIT 1
Project Cost Summary

Cloud/Hosted Fees
Product Name                                                  Quantity   Amount
Community Development SaaS Standard - Contract Startup Fee    1          10,000.00
Community Development SaaS Standard                           30         38,262.10
Citizen Engagement SaaS                                       1          7,500.00
Fusion Subscription SaaS                                      1          3,500.00
Total                                                                    59,162.10

Professional Services

Installation & Configuration
Product Name                                  Amount
Community Development Installation            2,800.00
Internet Installation                         2,200.00
Fusion Subscription Services                  1,440.00
Total                                         6,340.00

Development & Conversion
Product Name                                  Amount
Fusion Subscription Services                  2,700.00
Total                                         2,700.00

Training
Product Name                                  Amount
Internet Training                             1,280.00
Fusion Subscription Services                  3,240.00
Total                                         4,520.00

Project Management
Product Name                                  Amount
Community Development Project Management      320.00
Internet Project Management                   1,920.00
Fusion Subscription Services                  1,440.00
Total                                         3,690.00

Total Professional Services                   17,240.00

Summary
Product/Service                               Amount
Cloud/Hosted Annual Access Fees               49,162.10
Contract Startup Fees                         10,000.00
Professional Services                         17,240.00
Subtotal                                      76,402.10 USD
Services Discounts                            8,820.00 USD
Hosted/Cloud Fees Discount                    10,000.00 USD
Total                                         57,582.10 USD

Note: Pricing for Professional Services is a good faith estimate based on the information available to Superion at the time of execution of this Agreement. The total amount that Customer may pay for these services can vary based on the actual number of hours required to complete the services.
If required, additional services will be provided on a time and materials basis at mutually agreed upon price rates for the services at issue.

Annual Access Fees Year 2 - $57,750.00
Annual Access Fees Year 3 - $60,637.50
Beginning in Year 4, Annual Access Fees shall be limited to a 3% escalation per year.

PAYMENT TERMS:

ONE TIME FEES
a. Start-Up Fees are due 30 calendar days after mutual execution of this Agreement.
b. Superion Professional Services Fees are due as follows: Specific Milestone Payments are due upon completion of the respective deliverables associated with each individual Milestone Payment. Non-Milestone Project Planning, Project Management, Consulting, Technical Services and Conversion are due on the Execution Date. Training Fees, Travel & Living expenses and all other Professional Services are due as incurred monthly. During the Initial Term, the applicable rates for Professional Services shall be the same as the rates quoted hereunder for the same categories of Professional Services, for onshore resources, as follows:
Training                 $160
Project Management       $160
Basic Consulting         $160
High Level Consulting    $225
Development              $200
Technical Services       $200
Installation             $175
Analytics                $22
If offshore resources are used for Professional Services, Superion will notify the Customer of the rates in advance for approval.

RECURRING FEES
c. The Annual Access Fee is due: on the Execution Date, and annually thereafter on the anniversary of the Go Live Date per the fees listed above.

ANCILLARY FEES
d. Reimbursement of travel and living expenses will be governed by Exhibit 3 ("Travel Expense Guidelines") attached hereto and will be invoiced monthly in arrears and due within forty-five (45) days from date of invoice.
e. Customer is responsible for paying all taxes relating to this Agreement. Applicable tax amounts (if any) are not included in the fees set forth in this Agreement.
If Customer is exempt from the payment of any such taxes, Customer must provide Superion valid proof of exemption; otherwise, Superion will invoice Customer and Customer will pay to Superion all such tax amounts.
f. If Customer fails to make any payment when due, then Superion may charge interest on the past due amount at the rate of one-half percent (0.5%) per month calculated daily and compounded monthly, or, if lower, the highest rate permitted under applicable law; and if such failure continues for 90 days following written notice thereof, Superion may suspend performance or access until past due amounts have been paid.

EXHIBIT 2
Support Standards (CLOUD/ASP)

1. Superion Cloud Security Program

1.1. Access & Continuity. Logical access restrictions include VLAN data segregation, extensive deny-by-default access control lists, and Multi-Factor authentication required for System Administration. Business continuity is prioritized via daily encrypted backup stored offsite, virtual tape backup technology to counter loss of physical media, and full replication to disaster recovery site, with redundancy and availability through multiple carriers.

1.2. Security & Monitoring. SSL and IPSEC VPN with 256 bit encryption, web application firewalls, multi-layered infrastructure model with recorded internal and external CCTV, card access control, best of breed HVAC/fire suppression/physical security, and backed by 24-7 x 365 monitoring by a staffed operations facility for: Intrusion detection & prevention, DDOS mitigation, and automated network incident creation and escalation.

1.3. Testing Audits & Compliance. 3rd party internal, external, perimeter vulnerability and penetration testing. Centrally managed patching, OS hardening program, and endpoint protection on all servers.
Industry standard compliance includes annual completion of: SSAE18/ISAE Data Center Audit, SSAE18 Operations Audit, PCI-DSS Compliance Audit, Vulnerability Testing & CVSS Audit, and Control Self-Assessment Audit.

2. Service Level Commitments

2.1. Target. In each Service Period, the target for availability of the Superion Solutions is 99.99% ("Availability Target"). "Service Period" means 24 hours per day Monday through Sunday each calendar month that Customer receives the Superion Solutions, excluding Sundays between 12:00 AM and 12:00 PM Eastern Time for scheduled maintenance. During this time, Customers may experience intermittent interruptions. Superion will make commercially reasonable efforts to minimize the frequency and duration of these interruptions and Superion will notify the Customer if the entire maintenance window will be required.

2.2. Support Terms. Beginning on the Execution Date and continuing for twelve (12) months thereafter ("Initial Support Term"), Superion shall provide the ongoing Support Services described herein for the corresponding Fees outlined in Exhibit 1. Upon expiration of the Initial Support Term, ongoing Support Services shall automatically renew, with customer paying for additional annual support periods, each a ("Renewal Support Term"). This renewal will continue until termination of this Agreement provided that, Superion shall not give notice of termination if it would be effective prior to a period equal to two times the Agreement's Initial Term.

2.3. Measurement. Service availability is measured as the total time that the Superion Solutions are available during each Service Period for access by Customer ("Service Availability"). Service Availability measurement shall be applied to the production environment, and the points of measurement for all monitoring shall be the servers and the Internet connections at Superion's hosted environment.
Superion has technology monitoring, measuring, and recording Service Availability. The Customer, at their discretion, may also employ monitoring tools, not to override Superion's measurements for the purposes of calculating Service Availability. Additionally, the use must be:
2.3.1.1. mutually agreed upon by Superion and the Customer.
2.3.1.2. paid, installed and maintained by the Customer.
2.3.1.3. non-invasive and may not reside on Superion's systems.

2.4. Calculation. Service Availability for a given month shall be calculated using the following calculation:
2.4.1. The total number of minutes which the service was NOT available in a given month shall be subtracted from the total number of minutes available in the given month. The resulting figure is divided by the total number of minutes available in the given month.
2.4.2. Service Availability Targets are subject to change due to the variance of the number of days in a month.
2.4.3. The total number of minutes which the service was NOT available in a given month shall exclude minutes associated with Sunday outage window or for security patches that require emergency maintenance.

2.5. Remedy. If the Service Period target measurement is not met then the Customer shall be entitled to a credit calculated as follows:

Service Availability in the relevant Service Period      Percentage Reduction in Monthly Fee for the Subsequent Service Period
Less than 99.9% but greater than or equal to 99.0%       5%
Less than 99.0% but greater than or equal to 95.0%       25%
Less than 95%                                            50%

2.6. If not directly reported by Superion, credit entitlement must be requested by the Customer within sixty (60) days of the failed Target. Customer shall not be entitled to offset any monthly Superion Solutions fee payments, nor withhold fee payments, on account of a pending credit. Customer shall not be eligible for credits for any period where Customer is more than thirty (30) days past due on their account.
Superion will provide reporting, showing performance and service levels. Credits will be calculated and offset from Customer's monthly or annual Solutions fee payment, and Superion will separately provide a record of credits to the Customer.

2.7. Chronic Outage. Subject to the exclusions set forth in Section 8 herein, in the event the Customer experiences Service Availability that is below 95.0% for any four (4) or more months in a rolling twelve (12) month period, Customer shall have the right to claim that Superion is in material breach of the Agreement and may terminate this Agreement in accordance with Section 16.1, excluding the rights and opportunity to cure provided under Section 16.1(ii).

3. Server Performance & Capacity.

3.1. Superion shall provide sufficient server capacity for the duration of this hosting Agreement to meet the reasonable performance requirements for the number of concurrent system users provided for in this Agreement. If the Customer requests, at some later date, to add additional Superion Solutions, increase user licenses, increase storage or processing requirements, and/or request additional environments, these requests will be evaluated and if additional resources are required to support modifications, additional fees may apply. In the event Service Availability is below 99.9% for any three (3) or more months in a rolling twelve (12) month period, Superion shall deploy additional server and network capacity to meet the performance requirements of this Agreement at no additional expense to the Customer.

3.2. "In-network" is defined as any point between which the data packet enters the Superion environment and subsequently departs the Superion environment. Any point of communications outside of the Superion protected network environment shall be deemed as "out-of-network." Superion is not responsible for Internet connectivity and/or performance out-of-network.

4. System Maintenance.

4.1.
Superion Solutions maintenance and upgrades. Superion will provide all hosted systems and network maintenance as deemed appropriate and necessary by Superion. Maintenance and upgrades will be scheduled 10 days in advance with the Customer's primary contact if they fall outside of the designated hours set aside for this function of Sundays from 12:00 AM to 12:00 PM.

4.2. Hardware maintenance and upgrades. Hardware maintenance and upgrades will be performed outside of the Customer's standard business hours of operation and the Customer will be notified prior to the upgrade.

4.3. Emergency maintenance. Emergency situations will be handled on a case-by-case basis in such a manner as to cause the least possible disruption to overall system operations and availability without negatively affecting system stability and integrity. Superion will attempt to notify the Customer promptly, however if no contact can be made, Superion management may deem it necessary to move forward with the emergency maintenance.

5. Incident Response. Incidents are defined as interruptions to existing service and can range in priority from urgent to low depending on the impact to the Customer. Superion will make commercially reasonable efforts to respond to Superion Solutions incidents for live production systems using the following guidelines:

Priority | Impact Level | Description | Performance Target | Minimum Performance Goal
1 | Urgent | An Incident that results in loss of Customer connectivity to all of the Superion Solutions or results in loss, corruption or damage to Customer's Data. | Superion will respond via a Support Service Representative within 1 hour of the issue being reported with an initial assessment for rectification, with a progress report twice per day. | 95%
2 | Critical | An Incident that has an adverse material impact on the performance of the Superion Solutions or materially restricts Customer's day-to-day operations. | Superion will respond via a Support Service Representative within 2 hours of the issue being reported with an initial assessment for rectification, with a progress report once per day. | 95%
3 | Non-Critical | An Incident that does not result in a failure of the Superion Solutions but a fault exists that restricts the Customer's use of the Superion Solutions. | Superion will respond via a Support Service Representative within 4 hours of the issue being reported with an initial assessment for rectification, with a progress report every 3 business days. | 95%
4 | Minor | An Incident that does not affect or which has minimal adverse impact on the use of the Superion Solutions. | Superion will respond via a Support Service Representative within 24 hours of the issue being reported. | 95%

5.1. Restoration Times. Superion shall track and report on responses from a Support Services representative and resolution time for application and hosting support issues identified by the Customer, as follows: Priority 1 = 4 hours; Priority 2 = 1 business day; Priority 3 = 5 days; and Priority 4 = 10 days.

6. Disaster Recovery. Superion provides disaster recovery services for Superion Solutions. The costs for these disaster recovery services are included in the monthly fees. In the event that a disaster renders the Customer's data center inaccessible or non-functional, Superion will provide the ability to connect to the appropriate data center using software provided by Superion. This will allow the Customer to connect to their systems from a remote site to the previously identified critical functions, however functionality may be diminished due to lack of access to hardware and/or software located in the Customer's facilities.

7. Exceptions.
Superion shall not be responsible for failure to carry out its service and maintenance obligations under this Agreement if the failure is caused by adverse impact due to:
7.1. defectiveness of the Customer's environment, Customer's systems, or due to Customer corrupt, incomplete, or inaccurate data reported to the Superion Solutions, or documented Defect.
7.2. denial of reasonable access to Customer's system or premises preventing Superion from addressing the issue.
7.3. material changes made to the usage of the Superion Solutions by Customer where Superion has not agreed to such changes in advance and in writing or the modification or alteration, in any way, by Customer or its subcontractors, of communications links necessary to the proper performance of the Superion Solutions.
7.4. a force majeure event, or the negligence, intentional acts, or omissions of Customer or its agents.

8. Incident Resolution. Actual response times and resolutions may vary due to issue complexity and priority. For critical impact level and above, Superion provides a continuous resolution effort until the issue is resolved.

9. Service Requests. Service requests are new requests that will take less than 8 hours to accomplish. For new requests that require additional time, Superion will prioritize these requests, and determine if extra time is needed to order equipment or software. Superion will respond via a Support Service Representative within 3 business days to service requests.

10. Non-Production Environments. Superion will make commercially reasonable efforts to provide non-production environment(s) during Customer business hours. Non-production environments are not included under the metrics or service credit schedules discussed in this Exhibit.

10.1. Maintenance. All forms of maintenance to be performed on non-production environments will follow the exact structure and schedules outlined above in Section 3 for regular System Maintenance.
10.2. Incidents and service requests. Non-production environment incidents are considered priority 3 or 4, dictated by circumstances and will be prioritized and scheduled similar to production service requests.

11. Responsibility Summary Matrix.

Responsibility Summary Matrix
Columns: Description / Superion Responsibility / Customer Responsibility
ASP Server Hardware management X
ASP Server File system management X
ASP Server OS upgrades and maintenance X
ASP Database product upgrades and maintenance X
ASP 3rd Party product upgrades and maintenance X
Application Update Installation
Request to install application updates X
Installation of application updates X
ASP Backup Management X
Data and or File restoration
Request to restore data and or files X
Restoration of data and or files X
Network
ASP Network up to and including the router at Superion's location X
ASP Router at Customer's location X
Customer's network up to the router at Customer's location X
Customer Workstations X
System Performance X X
Add/Change users
User add/change requests X
User add/change implementation for System Access X
User add/change implementation for Superion Solutions X
Add/Change Printers
Printer add/change requests X
Printer add/change implementation on ASP network X
Printer add/change implementation for Superion Solutions X
Disaster Recovery X
Password Management X X
Application Management
Application Configuration X
Application Security Management X
Accuracy and Control of Data X
Security Intrusion and Penetration Testing X

12. Virtual Private Network (VPN) Concentrator. If Customer's desired system configuration requires the use of a VPN concentrator, including router, this will be provided by Superion. It will reside at Customer's location but is, and shall remain the property of Superion.

13. Customer Cooperation. Customer may be asked to perform problem determination activities as suggested by Superion.
Problem determination activities may include capturing error messages, documenting steps taken and collecting configuration information. Customer may also be requested to perform resolution activities including, for example, modification of processes. Customer agrees to cooperate with such requests, if reasonable.

14. Training. Outside the scope of training services purchased, if any, Customer is responsible for the training and organization of its staff in the operation of the Superion Solutions.

15. Development Work. The Support Standards do not include development work either (i) on software not licensed from Superion or (ii) development work for enhancements or features that are outside the documented functionality of the Superion Solutions, except such work as may be specifically purchased and outlined in Exhibit 1. Superion retains all Intellectual Property Rights in development work performed and Customer may request consulting and development work from Superion as a separate billable service.

16. Telephone Support & Support Portal

16.1. Hours. Superion shall provide to Customer, Monday through Friday, 8:00 A.M. to 5:00 P.M. Eastern Time, excluding holidays, at 800-695-6915, option 141, to answer or respond to calls and web portal inquiries. Superion shall provide to Customer, during the Support Hours, commercially reasonable efforts in solving errors reported by the Customer as well as making available an online support portal. Customer shall provide to Superion reasonably detailed documentation and explanation, together with underlying data, to substantiate errors and to assist Superion in its efforts to diagnose, reproduce and correct the error. This support shall be provided by Superion at Customer location(s) if and when Superion and Customer agree that on-site services are necessary to diagnose or resolve the problem.
Customer must provide Superion with such facilities, equipment and support as are reasonably necessary for Superion to perform its obligations under this Agreement, including remote access to the Specified Configuration.

16.2. Releases. Customer shall promptly install and/or use any Release provided by Superion to avoid or mitigate a performance problem or infringement claim. All modifications, revisions and updates to the Superion Solutions shall be furnished by means of new Releases of the Superion Solutions and shall be accompanied by updates to the Documentation whenever Superion determines, in its sole discretion, that such updates are necessary.

16.3. Case Number and Escalation. Measured from the moment a Case number is created. As used herein a "Case number" is created when a) a Superion support representative has been directly contacted by Customer either by phone, in person, or through Superion's online support portal, and b) when Superion's support representative assigns a case number and conveys that case number to the Customer. An incident must be reported and recorded in Superion's support system, and any associated escalation for resolution of the Case Number will proceed as follows:
a. Support Manager
b. Support Director or Director of Cloud
c. Assigned CSM (Customer Success Manager)
d. Support VP
e. Public Administration General Manager
f. COO of Company
g. CTO of Company
h. CEO of Company

EXHIBIT 3
Travel Expense Guidelines

Superion will adhere to the following guidelines when incurring travel expenses: All arrangements for travel are to be made through the Superion Corporate Travel Agent unless other arrangements have been made with the Customer and are documented in writing.

AIR TRAVEL — Superion will use the least expensive class of service available with a minimum of seven (7) day, maximum of thirty (30) day, advance purchase.
Upon request, Superion shall provide the travel itinerary as the receipt for reimbursement of the airfare and any fees. Fees not listed on the itinerary will require a receipt for reimbursement. Trips fewer than 250 miles round are considered local. Unless a flight has been otherwise approved by the Customer, Customer will reimburse the current IRS approved mileage rate for all local trips.

LODGING — Superion will use the most reasonable accommodations possible, dependent on the city. All movies, and phone/internet charges are not reimbursable.

RENTAL CAR — Compact or Intermediate cars will be required unless there are three or more Superion employees sharing the car in which case the use of a full size car is authorized. Gas is reimbursable; however, pre-paid gas purchases will not be authorized and all rental cars are to be returned with a full tank of gas. Upon request, receipts for car rental and gas purchases will be submitted to Customer. Superion shall decline all rental car insurance offered by the car rental agency as staff members will be covered under the Superion auto insurance policy. Fines for traffic violations are not reimbursable expenses.

OTHER TRANSPORTATION — Superion staff members are expected to use the most economical means for traveling to and from the airport (Airport bus, hotel shuttle service). Airport taxi or mileage for the employee's personal vehicle (per IRS mileage guidelines) are reimbursable if necessary. Upon request, receipt(s) for the taxi will be submitted to Customer. Proof of mileage may be required and may be documented by a readily available electronic mapping service. The mileage rate will be the then-current IRS mileage guideline rate (subject to change with any change in IRS guidelines).

OTHER BUSINESS EXPENSES — Parking at the airport is reimbursable. Tolls to and from the airport and while traveling at the Customer site are reimbursable. Tipping on cab fare exceeding 15% is not reimbursable.
Porter tips are reimbursable, not exceeding $1.00 per bag. Laundry is reimbursable when travel includes a weekend day or Company Holiday and the hotel stay is four nights or more. Laundry charges must be incurred during the trip and the limit is one shirt and one pair of pants/skirt per day. With the exception of tips, receipts shall be provided to Customer upon request for all of the aforementioned items.

MEALS — Standard per Diem. Subject to change due to cost of living.

EXHIBIT 4
Statement of Work

This document is the Statement of Work (SOW) and contains the approach for the implementation of CentralSquare Technologies' ("CentralSquare") Public Administration Community Development migration (Community Development Solution). This upgrade is solely related to the services expressly identified in the Solutions Agreement (the "Agreement") for the City of Tukwila, Washington (the "Customer"). CentralSquare will provide implementation services identified in the Agreement and as further described in this SOW to assist the Customer in implementing the software solution. The SOW is an attachment incorporated as part of the Agreement signed by CentralSquare and the Customer, and all actions directed herein shall be performed in accordance with the aforementioned Agreement. This SOW is intended to be a planning and control document, not the detailed requirements or design of the Community Development Solution.

The purpose of this project is to migrate the Customer's current TRAKiT9 software to CentralSquare's Community Development software. The project scope is comprised of the Community Development Solution applications and services identified in the Agreement and further described throughout this SOW. Anything not specifically designated in the Agreement or SOW should be considered out of scope and not part of this project.
Covered software does not include hardware, hardware vendor operating systems and/or other system software, Customer developed software, or third-party software. CentralSquare will deliver computer software and database structure for SQL/Server database.

The following list depicts the Community Development Solution modular applications and number of licensed users associated with the Agreement.

Community Development
• Permitting
• Projects and Planning
• Code Compliance
• Land Management (includes Basic GIS)
• Citizen Response Management
• Mobiles
• Fusion
• Citizen Engagement
• Integrated Voice Response (IVR)

The following outlines the proposed services for the project management, installation, configuration, training, testing, and other services work necessary for the implementation of the Community Development Solution and represents a good-faith estimate based on our knowledge at time of the Agreement.

Service Description
Columns: Engagement / High Level Tasks / Key Deliverables

Engagement: Planning/Project Initiation/Analysis
High Level Tasks: Completion of the following tasks is accomplished through a combination of onsite and remote visits:
• Kick-Off meeting
• Formal discovery sessions at start of project
• Detailed scope and contract review
  o Discovery/design and workflow review
  o Conversion scope review
• Assignment of project team and identify key team members
• Identify improvement opportunities through a workflow analysis
• Collaboratively develop a project schedule that drives implementation
Key Deliverables:
1. Project Management Plan
2. Integrated Project Schedule
3. Communication Plan
4. Decision Workbook

Engagement: Monitoring and Control/Configuration
High Level Tasks: Remote installation tasks consisting of the following:
• Software installation
• Application installation
• Network architecture review
Comprehension design and configuration task for the software solution:
• Creation of workflow
• Report development
• System configuration
• Data converted
• Third-party software Integration, where applicable
Key Deliverables:
5. Monthly Status Report
6. Issues Log
7. Risk Register

Engagement: Testing
High Level Tasks: Shared responsibilities for the following tasks:
• System validation
• Application tests
• Integration testing
• Parallel testing
Key Deliverables:
8. Test Workbook

Completion of the following tasks is accomplished through a combination of onsite and distance learning sessions:
• End user training
• System administration training

Engagement: Deployment/Project Closeout
High Level Tasks: Tasks to be completed at or near the end of the implementation project:
• Mock Go Live/Go Live Readiness review
• Go Live activities
• Complete project documentation
• Transition to support team
• Transition to customer success manager
Key Deliverables:
9. Go Live Plan
10. Services to Support/CSM Closeout Report

Service Assumptions

CentralSquare is implementing a Commercially Available Off-the-Shelf solution. Customer and CentralSquare expect that this SOW may be modified from time to time as mutually agreed, given that CentralSquare may be provided or may obtain a more thorough understanding of Customer's existing policies, practices, and operations through the post-contract planning and discovery process. Customer and CentralSquare will jointly develop the detailed and fully integrated project plan and schedule. Any significant or material changes to the project, once the project plan is finalized, may result in the need for a change order. Customer may obtain the services of an additional consultant to provide project review, advice, and consultation at their own cost. CentralSquare will make every attempt to cooperate with the efforts of this consultant within the context of Customer's participation, deliverable review, and approval timeframes identified within this SOW and the Agreement.
Both the Customer and CentralSquare will furnish resources with appropriate skills and experience to handle the roles and responsibility described in this SOW. CentralSquare is not responsible for quality of Customer's legacy data or for the correction or resolution of data quality issues unless previously agreed upon. Customer's existing reports (SSRS and/or Word) will be upgraded and migrated to the Community Development Solution. Customer's Python and SQL scripts will be updated and revised.

Customer Responsibilities
• Customer will change business processes as necessary to maximize efficiencies in the Community Development Solution.
• Customer will make resources available to assist as needed to fulfill the responsibilities herein.
• Customer will form a Project Team and will make their Project Team members available for meetings; consulting and training sessions; discussions and conference calls; and, other related project tasks or events requested by CentralSquare, or as indicated in the project plan.
• Customer Project Team members will respond to information requests from CentralSquare staff in a timely manner as to minimize delays in the project.
• Customer Project Manager, Project Team, Subject Matter Experts, and other key personnel (as determined by Customer) will participate in the Kick-Off Meeting.
• Customer will cooperate with CentralSquare Project Manager to develop a mutually agreeable schedule and agenda for the workflow discovery.
• Customer will review recommendations in the Workflow Analysis Report and attend the scheduled presentation of the findings. Customer will submit written questions or requests for clarification/revision to the CentralSquare Project Manager within five (5) business days of the presentation.
• Customer will participate in planning activities (conference calls, emails) with CentralSquare Application Installation Consultant and Technical Lead.
• Customer will designate a representative as the Project Team's Project Manager. The Project Manager will be the primary point of contact for project coordination throughout the project.
• Customer will provide adequate breakout and conference space, as well as an adequate workspace for each onsite CentralSquare consultant, with access to network, Wi-Fi, telephone, and close proximity to the Customer Project Team.
• Customer will provide adequate training space and computers for the scheduled training throughout the project. The training spaces will include fully functioning networked computers, meeting the required CentralSquare hardware standards. CentralSquare may consider alternative meeting options such as WebEx, video conferencing, remote desktop, and conference calls when appropriate.
• Customer will act as the primary point of contact with non-CentralSquare third parties, including other vendors, state agencies, and local agencies that control products and/or databases with which CentralSquare products are to be interfaced.
• Customer will provide expertise in third-party data, data mapping, and data validation.
• Customer will be responsible for validating all data transferred into the Community Development Solution and data transferred from Community Development Solution into other third-party applications.
• Customer application owners will participate in testing activities.
• Customer will provide verification and validation of the converted data into the designated non-production environment according to the Test Plan.
• Approval to proceed: Customer will provide sign off of the converted data set in a non-production environment, approving the cycle to be completed in a production environment.
• Customer will identify and schedule appropriate personnel to attend training.
• Customer will complete all tasks on the Customer Go Live preparation checklist in the designated timeframes.
• Customer Project Manager and other key personnel (as determined by Customer) provide support and assistance throughout Go Live event.
• Final conversion sign off: Customer will provide sign off of the converted data set into the production environment.

Out of Scope
• Development of ad hoc reports.
• Modifications to baseline reports, forms, web pages.

This project scope includes services to migrate the core solution only. Any additional cost associated with interfaces or integrations between CentralSquare Community Development and other third party solutions are not in scope.

CentralSquare and Customer will conduct the following Installation as part of this project.

Task | Description | Customer Role | CentralSquare Role
1) Installation | Initial Installation of CentralSquare's Community Development Solution software | Attend Discovery Call | Discovery Call; Complete install and data migration
2) Test Account Creation | Test Account Creation is the creation of the test account which is cloned from the pre-production environment. | Validate Account | Create Test Account

Assumptions
• CentralSquare will provide the Community Development Solution software.
• Production Environment may have up to 4 application servers.
• CentralSquare will create one (1) Production Account and one (1) Test Account as part of the Agreement. Additional accounts will require additional hours added under separate quote by mutual written agreement at CentralSquare's prevailing rates.
  o Production Environment may have up to 4 application servers
  o Test, Development, and any Additional Environments will each have (1) application server
• System Administrative training comes standard with all the Community Development Solution installations which will be completed remotely.
CentralSquare will train Customer on doing a data refresh from Production to other environments as part of admin training.

Roles and Responsibilities

CentralSquare:
• Load files and perform initial configuration of all licensed CentralSquare applications, including base and add-on modules, and interfaces to third-party applications. Configuration includes activating appropriate modules, table set up, and selection of mandatory configuration settings based on combination of CentralSquare applications purchased.
• Set up test environment as mirror copy of the production environment.
• Conduct knowledge transfer of installation/set up procedures to Customer IT staff and/or other designated personnel responsible for set up and maintenance of end-user computers (4-6 people maximum).
• Conduct a test to verify that CentralSquare applications have been installed and configured successfully, operating properly, and are ready to begin the implementation and configuration process. Note: Not all CentralSquare components may be ready at this point, for a full test, but a reasonable effort ensures CentralSquare components are ready for the next step in the process. CentralSquare installation services will ensure that all needed components are prepared and ready prior to conducting subsequent activities for the specific application area according to the agreed upon Project Schedule.

Customer:
• Participate in planning activities (conference calls, emails) with CentralSquare Application Installation Consultant and Technical Lead.
• Attend knowledge transfer sessions focusing on how to prepare workstations or mobile computers to run CentralSquare applications.

The purpose of the project governance is to define the resources required to adequately establish the business needs, objectives and priorities of the project, communicate the goals to other Project participants and provide support and guidance to accomplish these goals.
Project governance also defines the structure for issue escalation and resolution, change control review and authority, and organizational change management activities. The preliminary governance structure establishes a clear escalation path when issues and risks require escalation above the Project Manager level. Further refinement to the structure, the process and specific roles and responsibilities may occur throughout the project. Changes to the governance will be mutually agreed upon, properly documented, and communicated to all impacted parties.

Organizational change management plays a vital role in achieving high levels of user adoption and realization of benefits from efficiencies gained during prescriptive process changes throughout the implementation. Managing the organizational change acceptance through the establishment of a formal Change Management Team is a key function that drives project success.

Customer Personnel

Sponsorship Team (ST)
The Customer's ST provides support to the project by allocating resources, providing strategic direction, communicating key issues about the project and the project's overall importance to the organization. When called upon, the ST will also act as the final authority on all escalated project issues. The ST engages in the project, as needed, to provide necessary support, oversight, guidance, and escalation, and may participate in day-to-day activities in their normal job roles. The ST will empower the Product Owner, Project Manager, Change Manager, Project Management Team and the functional team leads to make critical business decisions for the Customer.
Specifically, the ST will:
• Understand and support the cultural change necessary for the project
• Oversee the project team and the project as a whole
• Participate in regular meetings so it is current on all project progress, project decisions, and achievement of project milestones
• Communicate the importance of the project to City departments along with other department directors and the Change Manager.
• Be responsible for making timely decisions on critical project or policy issues.

The Project Management Team (PMT)
This team is made up of the Customer Project Manager and subject matter experts from major departments within the organization. It will meet on a regular basis to monitor that overall project goals are realized. This team will formulate strategy to the execution of the project plan and make decisions and recommendations regarding project activities, changes, resources, issues, and risks. This team will also provide oversight and guidance for Change Management, ensuring project and change management activities are properly aligned with overall objectives. In short, this team will serve as a liaison between the Steering Committee and the day-to-day activities of the project. Meeting frequency between this group and the CentralSquare Project Manager will be defined in the Communications Plan.

Product Owner
The Product Owner (PO) is the management level resource that will be responsible for accurately communicating the requirements, assumptions and constraints of the business unit to the team. The work performed by the PO will include the clarification of business requirements, testing and communication of project status to staff. The PO will work closely with the City's PM and Central Square's PM.
• The Customer's Product Owner will communicate and reinforce the vision
• Collaborate with stakeholders and the team to define and communicate the roadmap
• Collaborate with the Change Management Team
• Clarify requirements and priorities with stakeholders and team
• Manage the Functional Team Leads and SMEs

Project Manager
The Customer's Project Manager will:
• Be the primary contact for the project
• Coordinate Customer's project team members
• Coordinate all CentralSquare activities with the CentralSquare Project Manager
• Coordinate the subject matter experts (SMEs) at the City
• Be responsible for reporting to the ST
• Ensure all deliverables are reviewed on a timely basis by the Customer
• Co-manage the overall implementation schedule with the CentralSquare Project Manager
• Collaborate with the Change Management Team

Functional Team Leads
Customer project team members will work under the direction of the designated Functional Team Leads for each area in the system. The functional leads have detailed subject matter expertise and are empowered to make or obtain from the SC appropriate business process and configuration decisions in their respective areas. The functional leads are tasked, by the Customer Project manager, with carrying out all project tasks described in the SOW including business process analysis, configuration, documentation, testing, training, and all other required Customer tasks. The functional leads will be responsible for and empowered to implement the new system in the best interests of the Customer consistent with the project goals, project vision, and direction from the Project Manager, the PMT and the ST.

Subject Matter Experts (SMEs)
SMEs have special, in-depth knowledge of Customer's current legacy systems and processes. Their opinions will be sought in defining business needs, test requirements, and software functionality.
During the implementation, the Customer's SMEs will dedicate a considerable amount of their time to the project because they may be involved in multiple roles, including participating in training and other workshops, conducting end user training, reviewing project deliverables, performing various testing tasks, etc.

Quality Assurance Team (QAT)
The Customer will form a QAT made up of individual(s) who will participate in the review and acceptance of each CentralSquare deliverable and conduct periodic project health checks to ensure tasks are completed on time, on budget and to the satisfaction of the Customer. Furthermore, the QAT will work closely with the Project Manager to ensure all contractual matters are in compliance and services delivered are in accordance with the terms and conditions of the CentralSquare/Customer agreement as well as with the SOW.

Assumptions:
• The Customer may have multiple staff providing the roles outlined above and the same staff providing multiple roles.

CentralSquare Personnel

Project Sponsor
CentralSquare Project Sponsor will have indirect involvement with the project and is part of the escalation process. The sponsor will offer additional support to the CentralSquare project team and collaborate with other third-party consultants who are involved on this project. Specifically, the Project Sponsor will:
• Provide support to Project Managers in reporting project progress to ST.
• Approve and sign-off on any material changes to project scope or staffing changes.

Project Manager
The CentralSquare Project Manager will coordinate all project activities with the Customer and perform the following:
• Serve as the point person for all project issues (the first escalation point)
• Be responsible for project performance, deliverables as they are outlined in the SOW, and the milestones.
• Provide periodic updates to the Customer's ST and the PMT.
• Fulfill Go Live dates
• Support the Customer Project Manager in monitoring and reporting overall implementation progress
• Monitor and report progress on CentralSquare's responsibilities on a weekly basis
• Immediately notify the Customer Project Manager, the PMT and the ST of any issue that could delay the project
• Ensure Software installation occurs as per the project schedule.
• Schedule CentralSquare Staff according to the project plan.
• Facilitate coordination between all CentralSquare departments.
• Monitor the work plan and schedule and make course corrections as necessary.
• Prepare bi-weekly status reports along with notes from meetings and calls.
• Develop meeting agendas.
• Provide issue resolution status, tracking, and procedures.
• Identify personnel, equipment, facilities and resources that will be required to perform services by CentralSquare.

Functional Leads (Consultants, Developers, and Technical resources)
• Install application in agreed upon environments.
• Work with the Customer functional leads and SMEs to design and configure the functional components of the Community Development Solution software for optimal long-term use.
• Document decisions made during configuration in the weekly site reports.
• Lead the Community Development Solution software configuration with assistance from the Customer's functional leads.
• Check that software operates after configuration as per its documentation.
• Assist with the resolution of issues and tasks.
• Schedule the training of the Customer functional leads and SMEs during the configuration of software.
• Provide and assist with data conversion guides.
• Create and deliver interface programs according to Customer specifications and this SOW.
• Provide training on security and assist with set up.
• Provide training on workflow and assist with set up.
• Provide samples of and training on the creation of forms and reports.

Project Oversight
The CentralSquare Project Management Organization (PMO) will provide Project Oversight throughout the project life cycle. Assuring a project of this type is progressing as outlined in the project management plan and is achieving the goals of the Customer is critical to overall project success and eventual adoption of the system by all stakeholders. Said oversight includes, but is not necessarily limited to:
• Providing assistance with any areas of high risk identified throughout the project.
• Holding a monthly meeting with the Customer PMT to discuss and assess their view of the project progress.
• Communicating any challenges internally to leadership throughout CentralSquare's organization to assist in resolving issues.
• Providing feedback to CentralSquare project staff and CentralSquare PMO on the results of the oversight activities.
• Helping identify lessons learned that can improve performance on future phases.
• Issues that will impact the quality, timeline, and overall goals will be identified, tracked, resolved and documented in the Issues/Tasks Log. These issues will be presented to the PMT and the SC during the regular cadence meetings as required.
The Customer will review, approve and provide written acceptance for all Milestones outlined in the Agreement by following the below process:
• The Customer will identify in writing any required changes, deficiencies, and/or additions necessary, within fifteen (15) business days from the form being delivered to the customer for each completed Deliverable, unless the review timeframe is deemed to be insufficient for a proper review. In such cases, the Customer Project Manager will request an extension in writing to the CentralSquare Project Manager, and the parties will mutually agree to a reasonable alternative to the original deadline.
• CentralSquare will review deliverables which are not approved and create a plan to address the deficiencies. Once the deliverable has been corrected or the milestone achieved, a revised completion form will be submitted. The Customer will then review the deliverable or milestone and provide any additional comments on any required changes, deficiencies, and/or additions necessary within ten (10) business days from the updated completion form being delivered to Customer. Again, if the review timeframe is deemed to be insufficient for a proper review, the Customer Project Manager will request an extension in writing to the CentralSquare Project Manager, and the parties will mutually agree to a reasonable alternative to the original deadline. This process will be repeated until the Customer grants approval and sign-off on the deliverable or milestone. Upon approval of the deliverable or milestone, the Customer Project Manager will sign the completion form and return it to CentralSquare Project Manager.

The Customer and CentralSquare should anticipate challenging issues to arise throughout the implementation process due to the complex magnitude of this project.
In order for these issues to be remedied in a timely fashion, the Customer and CentralSquare will utilize the following Dispute Resolution Procedure: All communication regarding the project should be directed to the respective Project Managers of CentralSquare and the Customer to maintain consistent communication between the parties. Scheduled weekly calls/meetings will be maintained between the two Project Managers and the Customer's PMT. All issues or concerns will be discussed actively and openly between all parties. If issues begin to interfere with the progression of the implementation project, the Customer and/or CentralSquare should escalate issues to CentralSquare management in the sequence below, as needed:
Michael DiOrio, Sr. Director of Professional Services 407-304-3024
George Slyman, Sr. Director of Professional Services 360-303-9362
Aydin Asil, VP Professional Services 604-340-1720

The Customer and CentralSquare may request a change to this scope of work by following the process outlined in the Agreement.

EXHIBIT 5
Vendor Security Requirements

Introduction
During the term of this agreement, the vendor shall operate an information security program designed to meet the confidentiality, integrity, and availability requirements of the service or product being supplied. The program shall include at a minimum the following security measures.
1. Information Security Policy: vendor shall develop, implement, and maintain an information security policy and shall communicate the policy to all staff and contractors.
2. Information Security Accountability: vendor shall appoint an employee of at least manager level who shall be accountable for the overall information security program.
3. Risk Management: vendor shall employ a formal risk assessment process to identify security risks which may impact the products or services being supplied, and mitigate risks in a timely manner commensurate with the risk.
4.
Asset Inventory: vendor shall maintain an inventory of all hardware and software assets, including asset ownership.
5. Data Classification: vendor shall develop, implement, and maintain a data classification scheme and process designed to ensure that data is protected according to its confidentiality requirements.
6. Supplier Security Assessments: vendor shall engage in appropriate due diligence assessments of potential suppliers which may impact the security of the services or products being supplied.
7. Security in Supplier Agreements: vendor shall ensure that agreements with suppliers who may impact the security of the services or products being supplied contain appropriate security requirements.
8. Information Security Awareness: vendor shall develop and implement an information security awareness program designed to ensure that all employees and contractors receive security education as relevant to their job function.
9. Background Checks: vendor shall conduct appropriate background checks on all new employees based on the sensitivity of the role that they are being hired for.
10. Authentication: vendor shall ensure that all access, by employees or contractors, to its information systems used to provide services or products being supplied shall require appropriate authentication controls that at a minimum will include:
a. Strong passwords or multi-factor authentication for users
b. Multi-factor authentication for all remote access
11. Authorization: vendor shall ensure that all access to its information systems used to provide services or products being supplied shall be approved by management.
12. Privileged Account Management: vendor shall appropriately manage and control privileged accounts on its information systems that at a minimum will include:
a.
Use of dedicated accounts for privileged activity
b. Maintaining an inventory of privileged accounts
13. Access Termination: vendor shall develop and maintain a process designed to ensure that user access is revoked upon termination of employment, or contract for contractors.
14. Encryption: vendor shall ensure that all laptops, mobile devices, and removable media, including those that are owned by vendor employees or contractors, which may be used to store, process, or transport organizational data are encrypted at all times. [Scoping guideline: This requirement may be removed if the vendor is not expected to possess any confidential or sensitive organizational data]
15. Secure Disposal: vendor shall ensure that all media which may be used to store, process, or transport organizational data is disposed of in a secure manner. [Scoping guideline: this requirement may be removed if the vendor is not expected to possess any confidential or sensitive organizational data]
16. Security Requirements: vendor shall ensure that information security requirements are defined for all new information systems, whether acquired or developed.
17. Separation of Environments: vendor shall ensure that development and testing environments are separate from their production environment.
18. Data Anonymization: vendor shall ensure that [Company's name]'s data will not be used in the development or testing of new systems unless the data is appropriately anonymized.
19. Secure Coding: vendor shall ensure that all applications are developed with secure coding practices, including OWASP Top 10 Most Critical Web Application Security Risks.
20. Risk Assessment: vendor shall use a formal risk assessment methodology to identify physical and environmental threats and shall implement controls to minimize the risks.
21. Hardening: vendor shall develop and implement security configuration baselines for all endpoint and network devices types.
22.
Network Segregation: vendor shall segregate its network into zones based on trust levels, and control the flow of traffic between zones.
23. Anti-Malware: vendor shall ensure that all information systems that are susceptible to malware are protected by up-to-date anti-malware software.
24. Wireless Access Control: vendor shall ensure that wireless network access is protected, including at a minimum:
a. All wireless network access should be encrypted
b. All wireless network access to the production network should be authenticated using multi-factor authentication such as machine certificates
c. Wireless network access for personal devices and guest access should be segregated from the production network
25. Patching: vendor shall evaluate, test, and apply information system patches in a timely fashion according to their risk.
26. Backup and Recovery: vendor shall implement a backup and recovery process designed to ensure that data can be recovered in the event of unexpected loss.
27. Logging: vendor shall ensure that security event logging requirements have been defined, and that all information systems are configured to meet logging requirements.
28. Intrusion Detection: vendor shall deploy intrusion detection or prevention systems at the network perimeter.
29. URL Filtering: vendor shall deploy tools to limit web browsing activity based on URL categories.
30. Denial of Service Protection: vendor shall deploy control to detect and mitigate denial of service attacks.
31.
Security Monitoring: vendor shall deploy automated tools to collect, correlate, and analyze security event logs from multiple sources, and monitor them for suspected security incidents.
32. Vulnerability Assessments: vendor shall conduct vulnerability assessments against all Internet-facing information systems on a regular basis, no less often than quarterly.
33. Penetration Testing: vendor shall perform penetration tests on all web applications and services, in accordance with standard penetration testing methodologies, on a regular basis, no less often than annually.
34. Incident Response: vendor shall develop, implement, and maintain an information security incident response process, and will test the process on a regular basis, no less often than annually.

EXHIBIT 6
Data Protection and Information Security

This Data Protection and Information Security Exhibit ("Exhibit") is an attachment to the Superion Solutions Agreement and sets forth the data protection and information security requirements of City of Tukwila. This Exhibit includes by reference the terms and conditions of the Agreement. In the event of any inconsistencies between this Exhibit and the Agreement, the parties agree that the terms and conditions of the Exhibit will prevail. Throughout the term of the Agreement and for as long as Superion controls, possesses, stores, transmits, or processes Confidential Information as part of the Services provided to City of Tukwila, Superion will comply with the requirements set forth in this Exhibit. Any breach of this Exhibit will be deemed a material breach under the Agreement.

1.
Definitions

"Authorized Personnel" for the purposes of this Exhibit, means Superion's employees or subcontractors who: (i) have a need to receive or access Confidential Information or Personal Information to enable Superion to perform its obligations under the Agreement; and (ii) are bound in writing with Superion by confidentiality obligations sufficient for the protection of Confidential Information and Personal Information in accordance with the terms and conditions set forth in the Agreement and this Exhibit.

"Common Software Vulnerabilities" (CSV) are application defects and errors that are commonly exploited in software. This includes but is not limited to:
(i) The CWE/SANS Top 25 Programming Errors — see http://cwe.mitre.org/top25/ and http://www.sans.org/top25-software-errors/
(ii) The Open Web Application Security Project's (OWASP) "Top Ten Project" — see http://www.owasp.org

"Confidential Information" is as defined in the Agreement, and includes Personal Information; provided that, Personal Information shall remain Confidential Information even if at the time of disclosure or collection, or later, it is or becomes known to the public.

"Industry Standards" mean generally recognized industry standards, best practices, and benchmarks including but not limited to:
(i) Payment Card Industry Data Security Standards ("PCI DSS") — see http://www.pcisecuritystandards.org/
(ii) National Institute for Standards and Technology — see http://csrc.nist.gov/
(iii) ISO / IEC 27000-series — see http://www.iso27001security.com/
(iv) COBIT 5 — http://www.isaca.org/cobit/
(v) Cyber Security Framework — see http://www.nist.gov/cyberframework/
(vi) Cloud Security Alliance — see https://cloudsecurityalliance.org/
(vii) Other standards applicable to the services provided by Superion to CITY OF TUKWILA

"Information Protection Laws" mean all applicable local, state, federal statutes and regulations applicable to Superion or City of Tukwila pertaining to data security, confidentiality, privacy, and breach notification.

"Personal Information" also known as Personally Identifiable Information (PII), is information of CITY OF TUKWILA customers, employees and subcontractors or their devices gathered or used by Superion that can be used on its own or combined with other information to identify, contact, or locate a person, or to identify an individual in context. Examples of Personal Information include name, social security number or national identifier, biometric records, driver's license number, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. The definition of Personal Information defined under applicable state or federal law in the event of a Security Incident shall govern.

"Security Incident" is any actual or suspected occurrence of:
(i) Unauthorized access, use, alteration, disclosure, loss, theft of, or destruction of Confidential Information or the systems / storage media containing Confidential Information
(ii) Illicit or malicious code, phishing, spamming, spoofing
(iii) Unauthorized use of, or unauthorized access to, Superion's systems
(iv) Inability to access Confidential Information or Superion systems as a result of a Denial of Service (DOS) or Distributed Denial of Service (DDOS) attack
(v) Loss of Confidential Information due to a breach of security

"Security Vulnerability" is an application, operating system, or system flaw (including but not limited to associated process, computer, device, network, or software weakness) that can be exploited resulting in a Security Incident.

2. Roles of the Parties and Compliance with Information Protection Laws
As between THE CITY OF TUKWILA and Superion, THE CITY OF TUKWILA shall be the principal and Superion shall be its agent with respect to the collection, use, processing and disclosure of all Confidential Information. The Parties shall comply with their respective obligations as the principal (e.g., data owner/controller/covered entity) and agent (e.g., data processor/business associate/trading partner) under all Information Protection Laws.
The Parties acknowledge that, with respect to all Confidential Information processed by Superion for the purpose of providing the Services under this Agreement:
a) THE CITY OF TUKWILA shall determine the scope, purpose, and manner in which such Confidential Information may be accessed or processed by Superion, and Superion shall limit its access to or use of Confidential Information to that which is necessary to provide the Services, comply with applicable laws, or as otherwise directed by THE CITY OF TUKWILA;
b) Each party shall be responsible for compliance with Information Protection Laws in accordance with their respective roles; and
c) Superion and THE CITY OF TUKWILA shall implement the technical and organizational measures specified in this Exhibit and any additional procedures agreed upon pursuant to a Statement of Work ("SOW") to protect Confidential Information against unauthorized use, destruction or loss, alteration, disclosure or access.

3. General Security Requirements
Superion will have an information security program that has been developed, implemented and maintained in accordance with Industry Standards. At a minimum, Superion's information security program will include, but not be limited to, the following elements:

3.1 Information Security Program Management. Superion will have or assign a qualified member of its workforce or commission a reputable third-party service provider to be responsible for the development, implementation and maintenance of Superion's enterprise information security program.

3.2 Policies and Standards. To protect THE CITY OF TUKWILA's Confidential Information, Superion will implement and maintain reasonable security that complies with Information Protection Laws and meets data security Industry Standards.
a) Security Policies and Standards.
Superion will maintain formal written information security policies and standards that:
(i) Define the administrative, physical, and technological controls to protect the confidentiality, integrity, and availability of Confidential Information, THE CITY OF TUKWILA systems, and Superion systems (including mobile devices) used in providing Services to THE CITY OF TUKWILA
(ii) Encompass secure access, retention, and transport of Confidential Information
(iii) Provide for disciplinary or legal action in the event of violation of policy by employees or Superion subcontractors and Superions
(iv) Prevent unauthorized access to CITY OF TUKWILA data, CITY OF TUKWILA systems, and Superion systems, including access by Superion's terminated employees and subcontractors
(v) Employ the requirements for assessment, monitoring and auditing procedures to ensure Superion is compliant with the policies
(vi) Conduct an annual assessment of the policies, and upon CITY OF TUKWILA'S written request, provide attestation of compliance.
b) In the SOW or other document, Superion will identify to THE CITY OF TUKWILA all third-party Superions (including those providing subcontractors to Superion) involved in the provision of the Services to THE CITY OF TUKWILA, and will specify those third-party Superions that will have access to Confidential Information.

3.3 Security and Privacy Training. Superion, at its expense, will train new and existing employees and subcontractors to comply with the data security and data privacy obligations under this Agreement and this Exhibit. Ongoing training is to be provided at least annually and more frequently as appropriate or requested by THE CITY OF TUKWILA. THE CITY OF TUKWILA may provide specific training material to Superion to include in its employee/subcontractor training.

3.4 Access Control.
Superion will reasonably ensure that THE CITY OF TUKWILA Confidential Information will be accessible only by Authorized Personnel after appropriate user authentication and access controls (including but not limited to two-factor authentication) that satisfy the requirements of this Exhibit. Each Authorized Personnel shall have unique access credentials and shall receive training which includes a prohibition on sharing access credentials with any other person. Superion should maintain access logs relevant to THE CITY OF TUKWILA Confidential Information for a minimum of six (6) months or other mutually agreed upon duration.

3.5 Data Backup. The parties shall agree in an SOW or other document upon the categories of THE CITY OF TUKWILA Confidential Information that are required to be backed up by Superion. Unless otherwise agreed to in writing by THE CITY OF TUKWILA, backups of CITY OF TUKWILA Confidential Information shall reside solely in the United States. For the orderly and timely recovery of Confidential Information in the event of a service interruption:
a) Superion will store a backup of Confidential Information at a secure offsite facility to meet needed data recovery time objectives.
b) Superion will encrypt and isolate all CITY OF TUKWILA backup data on portable media from any backup data of Superion's other customers.

3.6 Business Continuity Planning (BCP) and Disaster Recovery (DR). Superion will maintain an appropriate business continuity and disaster recovery plan to enable Superion to adequately respond to, and recover from business interruptions involving CITY OF TUKWILA Confidential Information or services provided by Superion to CITY OF TUKWILA.
a) At a minimum, Superion will test the BCP & DR plan annually, in accordance with Industry Standards, to ensure that the business interruption and disaster objectives set forth in this Exhibit have been met and will promptly remedy any failures.
Upon CITY OF TUKWILA's request, Superion will provide CITY OF TUKWILA with a written summary of the annual test results.
b) In the event of a business interruption that activates the BCP & DR plan affecting the Services or Confidential Information of CITY OF TUKWILA, Superion will notify CITY OF TUKWILA's designated Security Contact as soon as possible.
c) Superion will allow CITY OF TUKWILA or its authorized third party, upon a minimum of thirty (30) days' notice to Superion's designated Security Contact, to perform an assessment of Superion's BCP and DR plans once annually, or more frequently if agreed to in an SOW or other document. Following notice provided by CITY OF TUKWILA, the parties will meet to determine the scope and timing of the assessment.

3.7 Network Security. Superion agrees to implement and maintain network security controls that conform to Industry Standards including but not limited to the following:
a) Firewalls. Superion will utilize firewalls to manage and restrict inbound, outbound and internal network traffic to only the necessary hosts and network resources.
b) Network Architecture. Superion will appropriately segment its network to only allow authorized hosts and users to traverse areas of the network and access resources that are required for their job responsibilities.
c) Demilitarized Zone (DMZ). Superion will ensure that publicly accessible servers are placed on a separate, isolated network segment typically referred to as the DMZ.
d) Wireless Security. Superion will ensure that its wireless network(s) only utilize strong encryption, such as WPA2.
e) Intrusion Detection/Intrusion Prevention (IDS/IPS) System — Superion will have an IDS and/or IPS in place to detect inappropriate, incorrect, or anomalous activity and determine whether Superion's computer network and/or server(s) have experienced an unauthorized intrusion.

3.8 Application and Software Security.
Superion, should it provide software applications or Software as a Service (SaaS) to CITY OF TUKWILA, agrees that its product(s) will remain secure from Software Vulnerabilities and, at a minimum, incorporate the following:
a) Malicious Code Protection. Superion's software development processes and environment must protect against malicious code being introduced into its product(s) future releases and/or updates.
b) Application Level Security. Superion must use a reputable 3rd party to conduct static/manual application vulnerability scans on the application(s) software provided to CITY OF TUKWILA for each major code release or at the time of contract renewal. An internally produced static/manual test from the Superion will not be accepted. Results of the application testing will be provided to CITY OF TUKWILA in a summary report and vulnerabilities categorized as Very High, High or that have been identified as part of the OWASP top 10 and SANS top 25 within ten (10) weeks of identification.
c) Vulnerability Management. Superion agrees at all times to provide, maintain and support its software and subsequent updates, upgrades, and bug fixes such that the software is, and remains secure from Common Software Vulnerabilities.
d) Logging. Superion software that controls access to Confidential Information must log and track all access to the information.
e) Updates and Patches. Superion agrees to promptly provide updates and patches to remediate Security Vulnerabilities that are exploitable. Upon CITY OF TUKWILA's request, Superion shall provide information on remediation efforts of known Security Vulnerabilities.

3.9 Data Security. Superion agrees to preserve the confidentiality, integrity and accessibility of CITY OF TUKWILA Confidential Information with administrative, technical and physical measures that conform to Industry Standards that Superion then applies to its own systems and processing environment.
Unless otherwise agreed to in writing by CITY OF TUKWILA, Superion agrees that any and all CITY OF TUKWILA Confidential Information will be stored, processed, and maintained solely on designated systems located in the continental United States. Additionally:
a) Encryption. Superion agrees that all CITY OF TUKWILA Confidential Information and Personal Information will be encrypted with a Federal Information Processing Standard (FIPS) compliant encryption product, also referred to as 140-2 compliant. Symmetric keys will be encrypted with a minimum of 128-bit key and asymmetric encryption requires a minimum of 1024 bit key length. Encryption will be utilized in the following instances:
• CITY OF TUKWILA Confidential Information and Personal Information will be stored on any portable computing device or any portable storage medium.
• CITY OF TUKWILA Confidential Information and Personal Information will be transmitted or exchanged over a public network.
b) Data Segregation. Superion will segregate CITY OF TUKWILA Confidential Information and Personal Information from Superion's data and from the data of Superion's other customers or third parties.

3.10 Data Re-Use. Superion agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the Agreement. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of Superion. Superion further agrees that no Confidential Information of any kind shall be transmitted, exchanged or otherwise passed to other parties except on a case-by-case basis as specifically agreed to in writing by CITY OF TUKWILA.

3.11 Data Destruction and Data Retention.
Upon expiration or termination of this Agreement or upon CITY OF TUKWILA's written request, Superion and its Authorized Personnel will promptly return to CITY OF TUKWILA all CITY OF TUKWILA Confidential Information and/or securely destroy CITY OF TUKWILA Confidential Information; provided, the CITY OF TUKWILA must agree to any such destruction. At a minimum, destruction of data activity is to be performed according to the standards enumerated by the National Institute of Standards, Guidelines for Media Sanitization - see http://csrc.nist.gov/. If destroyed, an officer of Superion must certify to CITY OF TUKWILA in writing within thirty (30) business days all destruction of CITY OF TUKWILA Confidential Information. If Superion is required to retain any CITY OF TUKWILA Confidential Information or metadata to comply with a legal requirement, Superion shall provide notice to both the general notice contact in the Agreement as well as CITY OF TUKWILA's designated Security Contact. Parties agree AWS meets the destruction/overwrite policies contained within the NIS.

3.12 Audit. Upon a minimum of thirty (30) days' written notice to Superion, Superion agrees to provide a copy of Superion's annual audit.

3.13 Security Testing. Superion will provide CITY OF TUKWILA reports of Superion's Penetration testing and Static/Dynamic code analysis. Should any vulnerabilities be discovered, Superion agrees to notify CITY OF TUKWILA and create a reasonable and mutually agreed upon remediation plan to resolve the vulnerabilities identified. Superion will not permit access to Superion's code.

4. Security Incident / Data Breach

4.1 Security Contact. The individuals identified below shall serve as each party's designated Security Contact for security issues under this Agreement.
CITY OF TUKWILA Security Contacts:
Network & Security Architect: Bao Trinh, Bao.Trinh@TukwilaWA.gov, Mobile: 206-552-1280
Director & CIO: Joseph Todd, Joseph.Todd@TukwilaWA.gov, Mobile: 206-850-9656

Superion Security Contact: Name: Address: Phone:

4.2 Requirements. Superion will take commercially reasonable actions to ensure that CITY OF TUKWILA is protected against any and all reasonably anticipated Security Incidents, including but not limited to:

(i) Superion's systems are continually monitored to detect evidence of a Security Incident
(ii) Superion has a Security Incident response process to manage and to take corrective action for any suspected or realized Security Incident
(iii) Upon reasonable request Superion will provide CITY OF TUKWILA with a copy of its Security Incident policies and procedures once a year.

If a Security Incident affecting CITY OF TUKWILA occurs, Superion, at its expense and in accordance with applicable Information Protection Laws, will immediately take action to prevent the continuation of the Security Incident.

4.3 Notification. Within twenty four (24) hours of Superion's confirmation of an Incident which results in a data breach affecting the clients data awareness of a Security Incident or other mutually agreed upon time period, Superion will notify CITY OF TUKWILA of the incident by calling by phone the CITY OF TUKWILA Security Contact(s) listed above.

Investigation and Remediation. Upon Superion's notification to CITY OF TUKWILA of a Security Incident, the parties will coordinate to investigate the Security Incident. Superion shall be responsible for leading the investigation of the Security Incident, but shall involve CITY OF TUKWILA to the extent CITY OF TUKWILA's involvement is required in the investigation.
Superion will cooperate, at its expense, with CITY OF TUKWILA in any litigation or investigation deemed reasonably necessary by CITY OF TUKWILA to protect its rights relating to the use, disclosure, protection and maintenance of Confidential Information. Superion will reimburse CITY OF TUKWILA for actual costs incurred by CITY OF TUKWILA in responding to, and mitigating damages caused by any Security Incident, including all costs of notice and remediation which CITY OF TUKWILA, in its sole discretion, deems necessary to protect such affected individuals in light of the risks posed by the Security Incident. Superion will, at Superion's own expense, provide CITY OF TUKWILA with all information necessary for CITY OF TUKWILA to comply with data breach recordkeeping, reporting and notification requirements pursuant to Information Protection Laws. Superion will use reasonable efforts to prevent a recurrence of any such Security Incident. Additionally, Superion will provide (or reimburse CITY OF TUKWILA) for at least one (1) year of complimentary access for one (1) credit monitoring service, credit protection service, credit fraud alert and/or similar services, which CITY OF TUKWILA deems necessary to protect affected individuals in light of risks posed by a Security Incident.

4.4 Reporting. Superion will provide CITY OF TUKWILA with a final written incident report within five (5) business days after resolution of a Security Incident or upon determination that the Security Incident cannot be sufficiently resolved.

5. Confidential Information or Personal Information

5.1 Authorized Personnel. Superion will require all Authorized Personnel to meet Superion's obligations under the Agreement with respect to Confidential Information or Personal Information. Superion will screen and evaluate all Authorized Personnel and will provide appropriate privacy and security training, as set forth above, in order to meet Superion's obligations under the Agreement.
Upon CITY OF TUKWILA's written request, Superion will provide CITY OF TUKWILA with a list of Authorized Personnel. Superion will remain fully responsible for any act, error, or omission of its Authorized Personnel.

5.2 Handling of Confidential Information or Personal Information. Superion will:

(i) Keep and maintain all Confidential Information and Personal Information in strict confidence in accordance with the terms of the Agreement
(ii) Use and disclose Confidential Information and/or Personal Information solely and exclusively for the purpose for which the Confidential Information or Personal Information is provided pursuant to the terms and conditions of the Agreement.

Superion will not disclose Confidential Information or Personal Information to any person other than to Authorized Personnel without CITY OF TUKWILA's prior written consent, unless and to the extent required by applicable law, in which case, Superion will use best efforts to notify CITY OF TUKWILA before any such disclosure or as soon thereafter as reasonably possible. In addition, Superion will not produce any Confidential Information or Personal Information in response to a non-legally binding request for disclosure of such Personal Information.

5.3 Data and Privacy Protection Laws. Superion represents and warrants that its collection, access, use, storage, disposal, and disclosure of Personal Information complies with all applicable United States federal, state, and local data and privacy protection laws, as well as all other applicable United States regulations.

6. Third Party Security

6.1 Superion will conduct thorough background checks and due diligence on any third and fourth parties which materially impact Superion's ability to provide the products and/or Services to CITY OF TUKWILA as described in the Agreement.
6.2 Superion will not outsource any work related to its products or the Services provided to CITY OF TUKWILA in countries outside the United States of America, which have not been disclosed in the Agreement or without prior written approval from CITY OF TUKWILA Legal and Information Security. If Superion desires to outsource certain work during the Term of the Agreement, Superion shall first notify CITY OF TUKWILA so that the parties can ensure adequate security protections are in place with respect to the Services provided to CITY OF TUKWILA.

7. Payment Cardholder Data

7.1 If Superion accesses, collects, processes, uses, stores, transmits, discloses, or disposes of CITY OF TUKWILA and/or CITY OF TUKWILA customer credit, debit, or other payment cardholder information, Superion agrees to the following additional requirements:

a) Superion, at its sole expense, will comply with the Payment Card Industry Data Security Standard ("PCI DSS"), as may be amended or changed from time to time, including without limitation, any and all payment card industry validation actions (e.g., third party assessments, self-assessments, security vulnerability scans, or any other actions identified by payment card companies for the purpose of validating Superion's compliance with the PCI DSS).

b) Superion will maintain a continuous PCI DSS compliance program. Annually, Superion agrees to provide evidence of PCI DSS compliance in the form of a Qualified Security Assessor ("QSA") Assessment Certificate, a PCI Report on Compliance ("ROC"), or evidence that Superion is included on the Visa or MasterCard list of PCI DSS Validated Service Providers.

c) Superion will ensure that subcontractors approved by CITY OF TUKWILA, in accordance with Section 6.2, comply with and maintain a continuous PCI DSS compliance program if the subcontractor provides any service on behalf of Superion that falls within PCI DSS scope.
The Subcontractor must provide evidence of PCI DSS compliance in the form of a Qualified Security Assessor ("QSA") Assessment Certificate, a PCI Report on Compliance ("ROC"), or evidence that Subcontractor is included on the Visa or MasterCard list of PCI DSS Validated Service Providers.

d) Superion will immediately notify CITY OF TUKWILA if Superion is found to be non-compliant with a PCI DSS requirement or if there is any breach of cardholder data impacting CITY OF TUKWILA or its customers.

8. Changes

In the event of any change in CITY OF TUKWILA's data protection or privacy obligations due to applicable legislative or regulatory actions, Superion will work in good faith with CITY OF TUKWILA to promptly amend this Exhibit accordingly.