21-015 - Brycer, LLC - Compliance Engine
City of Tukwila
6200 Southcenter Boulevard, Tukwila WA 98188
21-015
Council Approval N/A
CONTRACT FOR SERVICES
CONTRACT NO. 21-015
This Agreement is entered into by and between the City of Tukwila, Washington, a non-charter optional
municipal code city hereinafter referred to as "the City," and Brycer, LLC, a Delaware limited liability company,
hereinafter referred to as "the Contractor," whose principal office is located at 4355 Weaver Parkway, Suite 230,
Warrenville, IL 60555, individually a "party," and collectively the "parties".
WHEREAS, the City has determined the need to have certain services performed for its citizens but
does not have the manpower or expertise to perform such services; and
WHEREAS, the City desires to have the Contractor perform such services pursuant to certain
terms and conditions; now, therefore,
IN CONSIDERATION OF the mutual benefits and conditions hereinafter contained, the parties
hereto agree as follows:
1. The Contractor shall perform
those services described on Exhibit A, attached hereto and incorporated herein by this reference as if fully
set forth. In performing such services, the Contractor shall at all times comply with all Federal, State, and
local statutes, rules and ordinances applicable to the performance of such services and the handling of any
funds used in connection therewith. The Contractor shall request and obtain prior written approval from
the City if the scope or schedule is to be modified in any way.
2. Compensation and Method of Payment. The total fees in connection with activities relating to the Solution
are described in Exhibit B.
3.
This Agreement shall be in full force and effect commencing February 1,
2021 (the "Initial Term") and continuing until January 31, 2024. Thereafter, the Term shall
automatically renew for successive three year periods unless terminated by Brycer or Client in
writing at least 90 days prior to the expiration of the then current Term (each, a "Renewal Term" and
together with the Initial Term, the "Term"). Client shall have the right to terminate this agreement
for any reason upon giving 90 days written notice to Brycer.
4. Independent Contractor. Contractor and City agree that Contractor is an independent contractor with
respect to the services provided pursuant to this Agreement. Nothing in this Agreement shall be considered
to create the relationship of employer and employee between the parties hereto. Neither Contractor nor any
employee of Contractor shall be entitled to any benefits accorded City employees by virtue of the services
provided under this Agreement. The City shall not be responsible for withholding or otherwise deducting
federal income tax or social security or contributing to the State Industrial Insurance Program, or otherwise
assuming the duties of an employer with respect to the Contractor, or any employee of the Contractor.
City of Tukwila - Brycer IT Services Contract
Page 1 of 7
5. Indemnification.
A. Mutual Indemnification. To the extent permitted under applicable law, each Party shall defend,
indemnify, and hold harmless the other Party, its affiliates, and their elected officials, officers, directors,
employees, and agents (the "indemnified parties") against and from any and all losses, liabilities,
damages, actions, claims, demands, settlements, judgments, and any other expenses (including reasonable
attorneys' fees), but only to the extent caused by (i) violation of law in the performance of its obligations
under this Agreement by the indemnifying Party, its affiliates, or the elected officials, officers, directors,
employees, or agents of such Party (the "indemnifying parties"); (ii) the gross negligence or willful
misconduct of the indemnifying Parties during the term of this Agreement; (iii) with respect to Brycer, a
breach of Client Data or violation, infringement or misappropriation of any U.S. patent, copyright, trade
secret or other intellectual property right; and (iv) with respect to the City, a breach by the City of its
obligations under Sections 1, 2 and 6 of Exhibit F. The indemnities in this section are subject to the
indemnified Parties promptly notifying the indemnifying Parties in writing of any claims or suits;
provided that an indemnified party's failure to so notify and request indemnification shall not relieve the
indemnifying party of any liability that the indemnifying party might have, except to the extent that such
failure prejudices the indemnifying party's ability to defend such claim or suit. City acknowledges that
Brycer does not create any of the Client Data input into the Solution and is not responsible for and does
not assess or make any suggestions or recommendations with respect to any Client Data.
B. RCW 4.24.115. However, should a court of competent jurisdiction determine that this Agreement is
subject to RCW 4.24.115, then, in the event of liability for damages arising out of bodily injury to persons
or damages to property caused by or resulting from the concurrent negligence of Contractor and City, its
officers, officials, employees, and volunteers, Contractor's liability, including the duty and cost to defend,
hereunder shall be only to the extent of Contractor's negligence. It is further specifically and expressly
understood that the indemnification provided herein constitutes Contractor's waiver of immunity under
Industrial Insurance, Title 51 RCW, solely for the purposes of this indemnification. This waiver has been
mutually negotiated by the parties. The provisions of this section shall survive the expiration or
termination of this Agreement.
C. Infringement Indemnification. In addition to Contractor's obligations under Section 6(a), Contractor shall
indemnify, defend, and hold harmless City and its directors, officers, employees, agents and other
representatives against any losses in connection with claims made or alleged against City by a third party
that the services, software or deliverables infringes a U.S. patent, copyright or other intellectual property
rights of any third party. The foregoing indemnification obligation does not apply to any claims or losses
arising out of or relating to any: (a) access to or use of the software in combination with any hardware,
system, software, network or other materials or service not provided or authorized by this Agreement or
otherwise in writing by Contractor; or (b) modification of the software other than: (i) by or on behalf of
Contractor; or (ii) with Contractor's written approval or in accordance with Contractor's written
specifications.
D. Mitigation. If any of the services, software or deliverables are, or in Contractor's opinion are likely to be,
claimed to infringe, misappropriate or otherwise violate any third-party intellectual property right, or if
City's or any Authorized User's use of the services, software or deliverables is enjoined or threatened to
be enjoined, Contractor may, at its option and sole cost and expense:
i. obtain the right for City to continue to use the services, software and deliverables materially as
contemplated by this Agreement;
ii. modify or replace the services, software and deliverables, in whole or in part, to seek to make the
services, software and deliverables (as so modified or replaced) non-infringing, while providing
materially equivalent features and functionality; or
iii. by written notice to City, terminate this Agreement with respect to all or part of the services,
software and deliverables, and require City to immediately cease any use of the services, software
and deliverables or any specified part or feature thereof, provided that if such termination occurs,
Contractor shall refund any prepaid fees to City and provide transition services free of charge.
E. LIMITATION OF LIABILITY.
i. IN NO EVENT WILL EITHER PARTY BE LIABLE UNDER OR IN CONNECTION WITH
THIS AGREEMENT OR ITS SUBJECT MATTER UNDER ANY LEGAL OR EQUITABLE
THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE),
STRICT LIABILITY AND OTHERWISE, FOR ANY: (a) LOSS OF REVENUE OR PROFIT;
OR (b) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, OR
PUNITIVE DAMAGES, REGARDLESS OF WHETHER SUCH PERSONS WERE ADVISED
OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR
DAMAGES WERE OTHERWISE FORESEEABLE, AND NOTWITHSTANDING THE
FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE.
ii. CONTRACTOR'S LIABILITY FOR ITS LOSS OF CLIENT DATA SHALL NOT EXCEED
THE REPLACEMENT COST OF THE MEDIA ON WHICH THE DATA WAS STORED.
iii. THE LIMITATION OF LIABILITY SET FORTH IN THIS SECTION SHALL NOT APPLY TO:
(i) CONTRACTOR'S INDEMNIFICATION OBLIGATIONS FOR INFRINGEMENT CLAIMS
MADE OR BROUGHT AGAINST CITY BY A THIRD PARTY AS DESCRIBED HEREIN, OR
(ii) DAMAGES RELATED TO CLAIMS BROUGHT AGAINST CITY DUE TO
CONTRACTOR'S BREACH OF CITY'S DATA, INCLUDING BUT NOT LIMITED TO
DAMAGES, PENALTIES OR OTHER LIABILITIES ARISING FROM GOVERNMENT
ENFORCEMENT ACTIONS OR BREACH NOTIFICATION REQUIREMENTS OR (iii) THE
CITY'S BREACH OF SECTIONS 1, 2 OR 6 OF EXHIBIT F. THE PROVISIONS OF THIS
SECTION SHALL SURVIVE THE EXPIRATION OR TERMINATION OF THIS
AGREEMENT.
6. Insurance. Contractor will maintain at its sole cost and expense at least the following insurance covering its
obligations under this Agreement.
A. Insurance Policies.
i. Commercial General Liability: With coverage of not less than Two Million Dollars ($1,000,000)
per occurrence, and Two Million Dollars ($2,000,000) general aggregate, which shall cover
liability arising from premises, operations, independent contractors, products-completed
operations, stop gap liability, personal injury and advertising injury, and liability assumed under
an insured contract.
ii. Cyber Liability Insurance: With coverage of not less than One Million Dollars ($1,000,000) per
occurrence and Five Million Dollars ($3,000,000) in the annual aggregate which shall include,
but not be limited to, coverage, including defense, for the following losses or services:
1. Breach of City's Data, including but not limited to liability arising from theft, dissemination,
and/or use of City's confidential and personally identifiable information, including but not
limited to, any information about an individual maintained by City, including (i) any
information that can be used to distinguish or trace an individual's identity, such as name,
social security number, date and place of birth, mother's maiden name, or biometric records;
and (ii) any other information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information regardless of how or where the
information is stored or transmitted;
2. Network security liability arising from (i) the unauthorized access to, use of, or tampering with
computer systems, by an outside party, including hacker attacks or a virus introduced by a
third party; or (ii) the inability of an authorized third party to gain access to supplier systems
and/or City Data, including denial of service, unless caused by a mechanical or electrical
failure; (iii) introduction of any unauthorized software computer code or virus causing damage
to City Data or any other third party data;
3. Event management services and first-party loss expenses for a data breach response including
crisis management services, credit monitoring for individuals, public relations, legal service
advice, notification of affected parties, independent information security forensics firm, and
costs to re-secure, re-create and restore data or systems.
iii. Workers' Compensation coverage as required by the Industrial Insurance laws of the State of
Washington.
iv. Automobile Liability Insurance of a minimum combined single limit for per occurrence for
bodily injury and property damage of $1,000,000 per accident, covering all owned, non-owned,
hired and leased vehicles; and
v. Professional Liability/Errors and Omissions Insurance (including Technology Errors and
Omissions) of at least ,000,000 per occurrence and $2,000,000 in the annual aggregate.
B. Additional Insurance Requirements.
i. The insurance required in Section 6 shall be in a form and on terms and written by insurers with
a current A.M. Best rating of not less than A: VII. The Commercial General Liability, Cyber
Liability Insurance and Automobile Liability Insurance shall name City as an additional insured,
and shall contain, or be endorsed to contain, that they shall be primary insurance as respect to
City. Any insurance, self-insurance, or self-insured pool coverage maintained by City shall be
excess of Contractor's insurance and shall not contribute with it.
ii. Contractor shall provide City with written notice of any policy cancellation within five (5)
business days of the receipt of such notice. Contractor shall obtain replacement insurance
policies meeting the requirements of this Section 6.
iii. Failure of Contractor to maintain the insurance as required shall constitute a material breach of
this Agreement, upon which City may, after giving five (5) business days' notice to Contractor to
correct such breach, immediately terminate this Agreement.
iv. Contractor's maintenance of insurance, its scope of coverage and limits as required herein shall
not be construed to limit the liability of Contractor to the coverage provided by such insurance,
or otherwise limit City's recourse to any remedy available at law or in equity.
v. Subcontractor's Insurance. Contractor shall cause each and every subcontract utilized by
Contractor in connection with the provision of Services ("Subcontractors"), to provide insurance
coverage that complies with all applicable requirements of the Contractor-provided insurance as
set forth herein, except the Contractor shall have sole responsibility for determining the limits of
coverage required to be obtained by Subcontractors. Contractor shall ensure that City is an
additional insured on each and every Subcontractor's Commercial General liability insurance
policy. The Contractor shall cause each and every Subcontractor to provide insurance coverage
that complies with all applicable requirements of the Contractor-provided insurance as set forth
herein, except the Contractor shall have sole responsibility for determining the limits of coverage
required to be obtained by Subcontractors. The Contractor shall ensure that the City is an
additional insured on each and every Subcontractor's Commercial General liability insurance
policy.
vi. Contractor shall furnish City with original certificates and a copy of the amendatory
endorsements, including but not necessarily limited to the additional insured endorsements,
evidencing the insurance requirements of Contractor before commencement of the work. Upon
request by City, Contractor shall furnish certified copies of all required insurance policies,
including endorsements, required in this Agreement and evidence of all subcontractors' coverage.
7.
A. The Contractor shall maintain accounts and records, including personnel, property, financial and
programmatic records which sufficiently and properly reflect all direct and indirect costs of any nature
expended and services performed in the performance of this Agreement and other such records as may
be deemed necessary by the City to ensure the performance of this Agreement.
B. These records shall be maintained as described in Exhibit A.
8. Breach Notification.
A. Contractor shall maintain a data breach plan and shall implement the procedures required under such data
breach plan on the occurrence of a data breach, in compliance with the requirements of Washington's data
breach notification law codified at RCW 42.56.590. Contractor shall report, in writing, to City any data
breach involving data maintained by Contractor on behalf of the City ("City Data") including any
reasonable belief that an unauthorized individual has accessed City Data. The report shall identify the
nature of the event, a list of the affected individuals and the types of data, and the mitigation and
investigation efforts of Contractor. Contractor shall make the report to City immediately upon discovery
of the data breach, but in no event more than five (5) business days after discovery of the data breach.
Contractor shall provide investigation updates to City.
B. Contractor shall promptly reimburse City in full for all costs incurred by City in any investigation,
remediation or litigation resulting from any data breach. Contractor's duty to reimburse City includes but
is not limited to, reimbursing to City its cost incurred in doing the following:
i. Notification to third parties whose information may have been or were compromised and to
regulatory bodies, law enforcement agencies or other entities as may be required by law or
contract; and
ii. Payment of legal fees and expenses, audit costs, fines and penalties, and other fees imposed upon
City by a regulatory agency, court of law, or contracting partner as a result of the data breach.
C. Upon a data breach, Contractor is not permitted to notify affected individuals without the express written
consent of City. Unless Contractor is required by law to provide notification to third parties or the affected
individuals in a particular manner, City shall control the time, place, and manner of such notification.
9. Termination. This Agreement may at any time be terminated by the City giving to the Contractor thirty
(30) days written notice of the City's intention to terminate the same. Failure to provide products on schedule
may result in contract termination. If the Contractor's insurance coverage is canceled for any reason, the City
shall have the right to terminate this Agreement immediately.
10. The Consultant, with regard to the work performed by it under this
Agreement, will not discriminate on the grounds of race, religion, creed, color, national origin, age,
veteran status, sex, sexual orientation, gender identity, marital status, political affiliation, the presence
of any disability, or any other protected class status under state or federal law, in the selection and
retention of employees or procurement of materials or supplies.
11. Assignment and Subcontract. The Contractor shall not assign or subcontract any portion of the services
contemplated by this Agreement without the written consent of the City; provided, however, that consent
shall not be required in the event of the sale of all or substantially all of the Contractor's assets or equity
interests.
12. Additional Terms. Attached to this Agreement are Exhibits A-F which are incorporated by reference and
included in this Agreement as if set forth herein.
13. Entire Agreement; Modification. This Agreement, together with attachments or addenda, represents the
entire and integrated Agreement between the City and the Contractor and supersedes all prior negotiations,
representations, or agreements written or oral. No amendment or modification of this Agreement shall be of
any force or effect unless it is in writing and signed by the parties.
14.
If any term, condition or provision of this Agreement is declared void or
unenforceable or limited in its application or effect, such event shall not affect any other provisions hereof
and all other provisions shall remain fully enforceable. The provisions of this Agreement, which by their
sense and context are reasonably intended to survive the completion, expiration or cancellation of this
Agreement, shall survive termination of this Agreement.
15. Notices. Notices to the City of Tukwila shall be sent to the following address:
City Clerk, City of Tukwila
6200 Southcenter Blvd.
Tukwila, Washington 98188
Notices to the Contractor shall be sent to the address provided by the Contractor upon the signature
line below.
16. Applicable Law; Venue; Attorney's Fees. This Agreement shall be governed by and construed in
accordance with the laws of the State of Washington without reference to the choice-of-law principles of the
State. In the event any suit, arbitration, or other proceeding is instituted to enforce any term of this
Agreement, the parties specifically understand and agree that venue shall be properly laid in King County,
Washington. The prevailing party in any such action shall be entitled to its attorney's fees and costs of suit.
17. Conflict in Terms. In the event of a conflict between the terms of this Agreement and the terms in any other
document, including but not limited to all Exhibits hereto, the terms of the applicable Exhibit shall prevail.
Exhibit A: Scope of Services
Exhibit B: Rates and Fees
Exhibit C: Service Level Agreement
Exhibit D: City of Tukwila Security Requirements
Exhibit E: Data Protection and Security Exhibit
Exhibit F: BRYCER Terms and Conditions
[signatures on following page]
DATED this 22nd day of January
CITY OF TUKWILA
Allan Ekberg, Mayor
01/22/2021
ATTEST/AUTHENTICATED:
City Clerk, Christy O'Flaherty
APPROVED AS TO FORM:
Office of City Attorney
Exhibit A
Scope of Services
BRYCER, LLC
4355 Weaver Parkway
Suite 230
Warrenville, IL 60555
City of Tukwila
444 Andover Park E
Tukwila, WA 98188
Re: "The Compliance Engine"
Dear Tukwila Fire Department:
We look forward to providing you with "The Compliance Engine" (the "Solution"). This proposal
letter provides the basic terms by which Brycer, LLC ("Brycer") will provide you, Tukwila Fire Department
("Client"), with the Solution. The basic terms, in addition to the completed terms and conditions established
in Agreement, as well as Exhibit F, are as follows:
1. Term: Brycer will provide Client with the Solution in accordance with Section 3 of the Agreement.
Following the expiration or termination of the Term, Client shall stop using the Solution; provided,
however, Brycer shall make available, and Client shall have the right to download Client Data pursuant
to Section 4(c) and 4(e) below.
2. Definitions.
a. "Authorized User" means Client's employees, consultants, contractors, and agents who are
authorized by Client to access and use the Solution under the rights granted to Client pursuant
to this Agreement.
b. "Client Data" means information, data, and content, collected, downloaded, or input, directly
or indirectly from Client, an Authorized User into the Solution, provided the data is not
personally identifiable and not identifiable to Client.
c. "Solution" means The Compliance Engine, documentation, modifications, development work,
and any and all other information, data, documents, materials, works, and other content,
devices, methods, processes, hardware, software, technologies and inventions, including any
deliverables, technical or functional descriptions, requirements, plans, or reports, provided or
used by Brycer or any subcontractor of Brycer in connection with the performance under this
Agreement.
3. Fees: Brycer shall provide the Solution at no cost to Client; provided that Brycer will charge a
processing fee equal to 6.5% of the fee Brycer charges to third party inspectors to use of the Solution
(Inspector Fee). See Exhibit B for additional pricing information.
4. Brycer Responsibilities: During the Term, Brycer shall be responsible for the following in connection
with Client's use of the Solution:
a. Availability. Brycer shall make the Solution available to Client as set forth in Exhibit C.
The maintenance schedule for the Solution is also set forth in Exhibit C.
b. Service Level. Brycer shall provide commercially reasonable levels of customer service
with respect to the Solution to all third parties who transact business with Client and access
the Solution.
c. Backup. Brycer shall backup the database used in connection with the Solution to a
separate server located within the same web hosting firm which the Solution is being hosted
on a real time basis. Upon request by Client (which can be no more than once a month) or
made prior to or within 60 days after the effective date of termination of the Term, Brycer
will make available to Client a complete and secure (i.e. encrypted and appropriately
authenticated) download file of all Client Data in a form reasonably approved by Client
including all schema and attachments in their native format.
d. Security. Brycer shall maintain commercially reasonable administrative, physical and
technical safeguards for protection of the security, confidentiality and integrity of Client
Data. Brycer shall not (a) modify Client Data or (b) disclose Client Data except as required
by law.
e. Retention of Information. Brycer shall maintain all Client Data entered into the database
by third party inspectors for at least seven years from the time such Client Data is entered
into the database. Prior to Brycer removing or otherwise purging any Client Data entered
into the database, Brycer shall first provide Client with a notice that all Client Data
will be purged so that Client may request a complete and secure file of all Client Data
pursuant to Section 4(c) above.
f. Notices. Brycer shall be responsible for generating and delivering the following notices,
in accordance with Section 5(c) below, to third parties in connection with the Solution: (a)
reminders of upcoming inspections that are due, (b) notices that an inspection is past due;
and (c) notices of completed inspection reports which contain one or more deficiencies.
Center. Phone calls by Brycer on behalf of the Client to the property for EACH
life -safety system overdue for service based on dates automatically tracked within the
Solution. Brycer is not an agent of the Client and all scripts for the overdue calls will be
approved by the Client.
h. Updates and Enhancements. In the event Brycer releases any updates, corrections, or
enhancements to the Solution during the Term, Brycer shall promptly provide such updates
or corrections to Client free of any charge or fee.
5. Client Responsibilities: During the Term, Client shall be responsible for the following in connection
with Client's use of the Solution:
a. Operating System. Client shall be solely responsible for providing a proper operating
environment, including computer hardware or other equipment and software, for any portion
of the Solution installed on the Client's equipment (the "Client Access Software") and for the
installation of network connections to the Internet. In addition to any other Client Access
Software requirements, Client must use version Internet Explorer 11.0, Edge, Firefox version
37, Chrome 40 or Safari 7.1 (or more recent versions), in addition to having a .pdf reader
installed on machines to view attachments.
b. Training. Client shall allow Brycer to conduct trainings for all necessary personnel of Client
at Client's facilities if such meetings are coordinated with Client and approved in writing in
advance.
c. Information. Client shall promptly provide Brycer with all appropriate information necessary
for Brycer to create the database for the Solution, including without limitation: (a) all
commercial building addresses within the City of Tukwila for Brycer's initial upload, (b)
schedule for notices issued pursuant to Section 4(f) above; and (c) quarterly updates to in a
format acceptable to Brycer in its discretion.
d. Enforcement. Client shall take all actions necessary to require (e.g. resolution, ordinance, fire
policy, code amendment) the use of the Solution by third party inspection companies.
e. Reports. Client will require all compliant and deficient test results to be submitted.
6. Ownership of Data. Client owns all Client Data input into The Compliance Engine with respect to
Client or properties located in Client's jurisdiction. Brycer shall maintain commercially reasonable
administrative, physical and technical safeguards for protection of the security, confidentiality and
integrity of Client Data.
Exhibit B
Rates and Fees
REVENUE SHARE WITH BRYCER
BRYCER will collect the fees due and payable by third party inspectors pursuant to this
Exhibit B in connection with activities relating to the Solution plus any additional fees
charged by the Tukwila Fire Department.
BRYCER will charge the Tukwila Fire Department with a processing fee equal to 6.5% of
all fees.
BRYCER will remit to Tukwila Fire Department, on a quarterly basis, the amount by
which the Tukwila Fire Department Fees exceed the amount of fees due and payable to
BRYCER in connection with third party inspectors' use of the Solution.
The amount of the fees due and payable to BRYCER in connection with third party
inspectors' use of the Solution may be changed from time to time by mutual written
agreement of the Parties.
Tukwila Fire Department Pricing Schedule with Revenue Share
BRYCER FEE: $15
BRYCER PROCESSING FEE FOR REVENUE SHARE: $1.95 ($30 x 6.5%)
TOTAL CHARGE: $30
BRYCER will receive 05
Tukwila Revenue Share ($
.9
6.95
.05
EXHIBIT C
SERVICE LEVEL AGREEMENT (SLA)
Service Level Agreement: The Services, in a production environment, are provided with the service levels
described in this Exhibit A. SLAs are only applicable to production environments. SLAs will be available upon
Customer's signature of Company's Go Live Acceptance Form for Customer's production environment.
Maintenance Schedule and Minimum Service Levels
1. Uptime and Maintenance.
The Solution shall be available 24 hours per day during the term of this Agreement. The
Solution shall be fully functional, timely and accessible by Client at least 99.5% of the time
or better and Brycer shall use reasonable efforts to provide Client with advance notice of
any unscheduled downtime.
2. Response Time.
Brycer shall respond to telephone calls from Client within two hours of the call and/or
message and all emails from Client within two hours of the receipt of the email.
3. Customer Support
Customer support hours are 24/7/365. The toll free number is 1-855-279-2371.
Brycer will assign client a dedicated customer representative with direct access to their
email and work number.
Rev 08132018
Exhibit D
City of Tukwila Security Requirements
Introduction
During the term of this agreement, the Company shall operate an information security program designed
to meet the confidentiality, integrity, and availability requirements of the service or product being
supplied. The program shall include at a minimum the following security measures.
Governance
1. Information Security Policy: Company shall develop, implement, and maintain an information
security policy and shall communicate the policy to all staff and contractors.
2. Information Security Accountability: Company shall appoint an employee of at least manager
level who shall be accountable for the overall information security program.
3. Risk Management: Company shall employ a formal risk assessment process to identify security
risks which may impact the products or services being supplied, and mitigate risks in a timely
manner commensurate with the risk.
Asset Management
4. Asset Inventory: Company shall maintain an inventory of all hardware and software assets,
including asset ownership.
5. Data Classification: Company shall develop, implement, and maintain a data classification
scheme and process designed to ensure that data is protected according to its confidentiality
requirements.
Supply Chain Risk Management
6. Supplier Security Assessments: Company shall engage in appropriate due diligence
assessments of potential suppliers which may impact the security of the services or products
being supplied.
7. Security in Supplier Agreements: Company shall ensure that agreements with suppliers who
may impact the security of the services or products being supplied contain appropriate security
requirements.
Human Resource Security
{EFM2343746 DOCX;1/13175 D00001/ }
8. Information Security Awareness: Company shall develop and implement an information
security awareness program designed to ensure that all employees and contractors receive
security education as relevant to their job function.
9. Background Checks: Company shall conduct appropriate background checks on all new
employees based on the sensitivity of the role that they are being hired for.
Identity Management, Authentication and Access Control
10. Authentication: Company shall ensure that all access, by employees or contractors, to its
information systems used to provide services or products being supplied shall require appropriate
authentication controls that at a minimum will include:
a. Strong passwords or multi-factor authentication for users
b. Multi-factor authentication for all remote access
11. Authorization: Company shall ensure that all access to its information systems used to provide
services or products being supplied shall be approved by management.
12. Privileged Account Management: Company shall appropriately manage and control privileged
accounts on its information systems that at a minimum will include:
a. Use of dedicated accounts for privileged activity
b. Maintaining an inventory of privileged accounts
13. Access Termination: Company shall develop and maintain a process designed to ensure
user access is revoked upon termination of employment, or contract for contractors.
Data Security
14. Encryption: Company shall ensure that all laptops, mobile devices, and removable media,
including those that are owned by Company employees or contractors, which may be used to
store, process, or transport organizational data are encrypted at all times. [Scoping guideline: this
requirement may be removed if the Company is not expected to possess any confidential or
sensitive organizational data]
15. Secure Disposal: Company shall ensure that all media which may be used to store, process, or
transport organizational data is disposed of in a secure manner. [Scoping guideline: this
requirement may be removed if the Company is not expected to possess any confidential or
sensitive organizational data]
System Acquisition, Development and Maintenance
16. Security Requirements: Company shall ensure that information security requirements are
defined for all new information systems, whether acquired or developed.
17. Separation of Environments: Company shall ensure that development and testing environments
are separate from their production environment.
18. Data Anonymization: Company shall ensure that [Company's name]'s data will not be used in
the development or testing of new systems unless the data is appropriately anonymized.
19. Secure Coding: Company shall ensure that all applications are developed with secure coding
practices, including OWASP Top 10 Most Critical Web Application Security Risks.
Physical and Environmental Security
20. Risk Assessment: Company shall use a formal risk assessment methodology to identify physical
and environmental threats and shall implement controls to minimize the risks.
Information Protection Processes and Procedure
21. Hardening: Company shall develop and implement security configuration baselines for all
endpoint and network device types.
22. Network Segregation: Company shall segregate its network into zones based on trust levels,
and control the flow of traffic between zones.
23. Anti-Malware: Company shall ensure that all information systems that are susceptible to
malware are protected by up-to-date anti-malware software.
24. Wireless Access Control: Company shall ensure that wireless network access is protected,
including at a minimum:
a. All wireless network access should be encrypted
b. All wireless network access to the production network should be authenticated using
multi-factor authentication such as machine certificates
c. Wireless network access for personal devices and guest access should be segregated from
the production network
25. Patching: Company shall evaluate, test, and apply information system patches in a timely
fashion according to their risk.
26. Backup and Recovery: Company shall implement a backup and recovery process designed to
ensure that data can be recovered in the event of unexpected loss.
Protective Technology
27. Logging: Company shall ensure that security event logging requirements have been defined, and that
all information systems are configured to meet logging requirements.
28. Intrusion Detection: Company shall deploy intrusion detection or prevention systems at the
network perimeter.
29. URL Filtering: Company shall deploy tools to limit web browsing activity based on URL
categories.
30. Denial of Service Protection: Company shall deploy controls to detect and mitigate denial of
service attacks.
Security Continuous Monitoring
31. Security Monitoring: Company shall deploy automated tools to collect, correlate, and analyze
security event logs from multiple sources, and monitor them for suspected security incidents.
32. Vulnerability Assessments: Company shall conduct vulnerability assessments against all
Internet-facing information systems on a regular basis, no less often than quarterly.
33. Penetration Testing: Company shall perform penetration tests on all web applications and
services, in accordance with standard penetration testing methodologies, on a regular basis, no
less often than annually.
Information Security Incident Management
34. Incident Response: Company shall develop, implement, and maintain an information security
incident response process, and will test the process on a regular basis, no less often than
annually.
Exhibit E
Data Protection and Information Security
This Data Protection and Information Security Exhibit ("Exhibit") is an attachment to the Agreement and sets forth
the data protection and information security requirements of City of Tukwila. This Exhibit includes by reference the
terms and conditions of the Agreement. In the event of any inconsistencies between this Exhibit and the
Agreement, the parties agree that the terms and conditions of the Exhibit will prevail. Throughout the term of the
Agreement and for as long as Vendor controls, possesses, stores, transmits, or processes Confidential
Information as part of the Services provided to City of Tukwila, Vendor will comply with the requirements set forth
in this Exhibit. Any breach of this Exhibit will be deemed a material breach under the Agreement.
1. Definitions
"Authorized Personnel" for the purposes of this Exhibit, means Vendor's employees or subcontractors who: (i)
have a need to receive or access Confidential Information or Personal Information to enable Vendor to perform its
obligations under the Agreement; and (ii) are bound in writing with Vendor by confidentiality obligations sufficient
for the protection of Confidential Information and Personal Information in accordance with the terms and
conditions set forth in the Agreement and this Exhibit.
"Common Software Vulnerabilities" (CSV) are application defects and errors that are commonly exploited in
software. This includes but is not limited to:
(i) The CWE/SANS Top 25 Programming Errors - see http://cwe.mitre.org/top25/ and
http://www.sans.org/top25-software-errors/
(ii) The Open Web Application Security Project's (OWASP) "Top Ten Project" - see
http://www.owasp.org
"Confidential Information" is as defined in the Schedule F of the Agreement, and includes Personal Information;
provided that, Personal Information shall remain Confidential Information even if at the time of disclosure or
collection, or later, it is or becomes known to the public.
"Industry Standards" mean generally recognized industry standards, best practices, and benchmarks including but
not limited to:
(i) Payment Card Industry Data Security Standards ("PCI DSS") - see
http://www.pcisecuritystandards.org/
(ii) National Institute for Standards and Technology - see http://csrc.nist.gov/
(iii) ISO / IEC 27000-series - see http://www.iso27001security.com/
(iv) Other standards applicable to the services provided by Vendor to City of Tukwila
"Information Protection Laws" mean all local, state, federal and international laws, standards, guidelines, policies,
regulations and procedures applicable to Vendor or City of Tukwila pertaining to data security, confidentiality,
privacy, and breach notification.
"Personal Information" also known as Personally Identifiable Information (PII), is information of City of Tukwila
customers, employees and subcontractors or their devices gathered or used by Vendor that can be used on its
own or combined with other information to identify, contact, or locate a person, or to identify an individual or his or
her device in context. Examples of Personal Information include name, social security number or national
identifier, biometric records, driver's license number, device identifier, IP address, MAC address, either alone or
when combined with other personal or identifying information which is linked or linkable to a specific individual or
device, such as date and place of birth, mother's maiden name, etc. Personal Information might also be defined
under applicable state or federal law in the event of a Security Incident.
"Security Incident" is any actual or suspected occurrence of:
(i) Unauthorized access, use, alteration, disclosure, loss, theft of, or destruction of Confidential
Information or the systems / storage media containing Confidential Information
(ii) Illicit or malicious code, phishing, spamming, spoofing
(iii) Unauthorized use of, or unauthorized access to, Vendor's systems
(iv) Inability to access Confidential Information or Vendor systems as a result of a Denial of
Service (DOS) or Distributed Denial of Service (DDOS) attack
(v) Loss of Confidential Information due to a breach of security
{ FM 2329400. DOCX; 2/13175.000001/ )
5579092/3 13399000
"Security Vulnerability" is an application, operating system, or system flaw (including but not limited to associated
process, computer, device, network, or software weakness) that can be exploited resulting in a Security Incident.
2. Roles of the Parties and Compliance with Information Protection Laws
The Parties shall comply with their respective obligations as the principal (e.g., data owner/controller/covered
entity) and agent (e.g., data processor/business associate/trading partner) under all Information Protection Laws.
The Parties acknowledge that, with respect to all Confidential Information processed by Vendor for the purpose of
providing the Services under this Agreement:
a) City of Tukwila shall determine the scope, purpose, and manner in which such Confidential Information
may be accessed or processed by Vendor, and Vendor shall limit its access to or use of Confidential
Information to that which is necessary to provide the Services, comply with applicable laws, or as
otherwise directed by City of Tukwila;
b) Each party shall be responsible for compliance with Information Protection Laws in accordance with their
respective roles; and
c) Vendor and City of Tukwila shall implement the technical and organizational measures specified in this
Exhibit and any additional procedures agreed upon pursuant to a Statement of Work ("SOW") to protect
Confidential Information against unauthorized use, destruction or loss, alteration, disclosure or access.
3. General Security Requirements
Vendor will have an information security program that has been developed, implemented and maintained in
accordance with Industry Standards. At a minimum, Vendor's information security program will include, but not
be limited to, the following elements:
3.1 Information Security Program Management. Vendor will have or assign a qualified member of its workforce
or commission a reputable third-party service provider to be responsible for the development, implementation
and maintenance of Vendor's enterprise information security program.
3.2 Policies and Standards. To protect City of Tukwila Confidential Information, Vendor will implement and
maintain reasonable security that complies with Information Protection Laws and meets data security
Industry Standards.
a) Security Policies and Standards. Vendor will maintain formal written information security policies and
standards that:
(i) Define the administrative, physical, and technological controls to protect the confidentiality,
integrity, and availability of Confidential Information, City of Tukwila systems, and Vendor
systems (including mobile devices) used in providing Services to City of Tukwila
(ii) Encompass secure access, retention, and transport of Confidential Information
(iii) Provide for disciplinary or legal action in the event of violation of policy by employees or Vendor
subcontractors and vendors
(iv) Prevent unauthorized access to City of Tukwila data, City of Tukwila systems, and Vendor
systems, including access by Vendor's terminated employees and subcontractors
(v) Employ the requirements for assessment, monitoring and auditing procedures to ensure Vendor
is compliant with the policies
(vi) Conduct an annual assessment of the policies, and upon City of Tukwila written request, provide
attestation of compliance.
b) In the SOW or other document, Vendor will cause all third-party vendors (including those providing
subcontractors to Vendor) involved in the provision of the Services to City of Tukwila, to comply with the
requirements of this Exhibit.
3.3 Security and Privacy Training. Vendor, at its expense, will train new and existing employees and
subcontractors to comply with the data security and data privacy obligations under this Agreement and this
Exhibit. Ongoing training is to be provided at least annually and more frequently as appropriate.
3.4 Access Control. Vendor will ensure that City of Tukwila Confidential Information will be accessible only by
Authorized Personnel after appropriate user authentication and access controls that satisfy the requirements
of this Exhibit. Each Authorized Personnel shall have unique access credentials and shall receive training,
which includes a prohibition on sharing access credentials with any other person. Vendor should maintain
access logs relevant to City of Tukwila Confidential Information for a minimum of six (6) months or other
mutually agreed upon duration.
3.5 Data Backup. The parties shall agree in an SOW or other document upon the categories of City of Tukwila
Confidential Information that are required to be backed up by Vendor. Unless otherwise agreed to in writing
by City of Tukwila, backups of City of Tukwila Confidential Information shall reside solely in the United
States. For the orderly and timely recovery of Confidential Information in the event of a service interruption:
a) Vendor will store a backup of Confidential Information at a secure offsite facility and maintain a
contemporaneous backup of Confidential Information on-site to meet needed data recovery time
objectives.
b) Vendor will encrypt and isolate all City of Tukwila backup data on portable media from any backup data of
Vendor's other customers.
3.6 Business Continuity Planning (BCP) and Disaster Recovery (DR). Vendor will maintain an appropriate
business continuity and disaster recovery plan to enable Vendor to adequately respond to, and recover from
business interruptions involving City of Tukwila Confidential Information or services provided by Vendor to
City of Tukwila.
a) At a minimum, Vendor will test the BCP & DR plan annually, in accordance with Industry Standards, to
ensure that the business interruption and disaster objectives set forth in this Exhibit have been met and
will promptly remedy any failures. Upon City of Tukwila's request, Vendor will provide City of Tukwila with
a written summary of the annual test results.
b) In the event of a business interruption that activates the BCP & DR plan affecting the Services or
Confidential Information of City of Tukwila, Vendor will notify City of Tukwila's designated Security
Contact as soon as possible.
c) Vendor will allow City of Tukwila or its authorized third party, upon a minimum of thirty (30) days' notice to
Vendor's designated Security Contact, to perform an assessment of Vendor's BCP and DR plans once
annually. Following notice provided by City of Tukwila, the parties will meet to determine the scope and
timing of the assessment.
3.7 Network Security. Vendor agrees to implement and maintain network security controls that conform to
Industry Standards including but not limited to the following:
a) Firewalls. Vendor will utilize firewalls to manage and restrict inbound, outbound and internal network
traffic to only the necessary hosts and network resources.
b) Network Architecture. Vendor will appropriately segment its network to only allow authorized hosts and
users to traverse areas of the network and access resources that are required for their job
responsibilities.
c) Demilitarized Zone (DMZ). Vendor will ensure that publicly accessible servers are placed on a separate,
isolated network segment typically referred to as the DMZ.
d) Wireless Security. Vendor will ensure that its wireless network(s) only utilize strong encryption, such as
WPA2.
e) Intrusion Detection/Intrusion Prevention (IDS/IPS) System — Vendor will have an IDS and/or IPS in place
to detect inappropriate, incorrect, or anomalous activity and determine whether Vendor's computer
network and/or server(s) have experienced an unauthorized intrusion.
3.8 Application and Software Security. Vendor, should it provide software applications or Software as a Service
(SaaS) to City of Tukwila, agrees that its product(s) will remain secure from Software Vulnerabilities and, at a
minimum, incorporate the following:
a) Malicious Code Protection. Vendor's software development processes and environment must protect
against malicious code being introduced into its product(s) future releases and/or updates.
b) Application Level Security. Vendor must use a reputable 3rd party to conduct static/manual application
vulnerability scans on the application(s) software provided to City of Tukwila for each major code release
or at the time of contract renewal. An internally produced static/manual test from the Vendor will not be
accepted. Results of the application testing will be provided to City of Tukwila in a summary report and
vulnerabilities categorized as Very High, High or that have been identified as part of the OWASP top 10
and SANS top 25 within ten (10) weeks of identification.
c) Vulnerability Management. Vendor agrees at all times to provide, maintain and support its software and
subsequent updates, upgrades, and bug fixes such that the software is, and remains secure from
Common Software Vulnerabilities.
d) Logging. Vendor software that controls access to Confidential Information must log and track all access to
the information.
e) Updates and Patches. Vendor agrees to promptly provide updates and patches to remediate Security
Vulnerabilities that are exploitable. Upon City of Tukwila's request, Vendor shall provide information on
remediation efforts of known Security Vulnerabilities.
3.9 Data Security. Vendor agrees to preserve the confidentiality, integrity and accessibility of City of Tukwila
Confidential Information with administrative, technical and physical measures that conform to Industry
Standards that Vendor then applies to its own systems and processing environment. Unless otherwise
agreed to in writing by City of Tukwila, Vendor agrees that any and all City of Tukwila Confidential
Information will be stored, processed, and maintained solely on designated systems located in the
continental United States. Additionally:
a) Encryption. Vendor agrees that all City of Tukwila Confidential Information and Personal Information will
be encrypted with a Federal Information Processing Standard (FIPS) compliant encryption product, also
referred to as 140-2 compliant. Symmetric keys will be encrypted with a minimum of 128-bit key and
asymmetric encryption requires a minimum of 1024 bit key length. Encryption will be utilized in the
following instances:
• City of Tukwila Confidential Information and Personal Information will be stored on any
portable computing device or any portable storage medium.
• City of Tukwila Confidential Information and Personal Information will be transmitted or
exchanged over a public network.
3.10 Data Re-Use. Vendor agrees that any and all data exchanged shall be used expressly and solely for the
purposes enumerated in the Agreement. Data shall not be distributed, repurposed or shared across other
applications, environments, or business units of Vendor. Vendor further agrees that no Confidential
Information of any kind shall be transmitted, exchanged or otherwise passed to other parties except on a
case-by-case basis as specifically agreed to in writing by City of Tukwila.
3.11 Data Destruction and Data Retention. Upon expiration or termination of this Agreement or upon City of
Tukwila's written request, Vendor and its Authorized Personnel will promptly return to City of Tukwila all City
of Tukwila Confidential Information and/or securely destroy City of Tukwila Confidential Information. At a
minimum, destruction of data activity is to be performed according to the standards enumerated by the
National Institute of Standards, Guidelines for Media Sanitization - see http://csrc.nist.gov/. If destroyed, an
officer of Vendor must certify to City of Tukwila in writing within ten (10) business days all destruction of City
of Tukwila Confidential Information. If Vendor is required to retain any City of Tukwila Confidential
Information or metadata to comply with a legal requirement, Vendor shall provide notice to both the general
notice contact in the Agreement as well as City of Tukwila's designated Security Contact.
3.12 Security Testing. Upon the City's written request, Vendor will provide the City with a copy of the most recent
results of Vendor's security testing.
4. Security Incident Data Breach
4.1 Security Contact. The individuals identified below shall serve as each party's designated Security Contact for
security issues under this Agreement.
City of Tukwila Security Contact:
Bao Trinh - bao.trinh@tukwilawa.gov
Joel Bush —
City of Tukwila
TIS Department
6200 Southcenter Boulevard
Tukwila, WA
Vendor Security Contact:
Name: Jeff Mueller
Address: 4355 Weaver Parkway, Suite 230
Warrenville, IL 60555
Phone: 630-672-4223
4.2 Requirements. Vendor will take commercially reasonable actions to ensure that City of Tukwila is protected
against any and all reasonably anticipated Security Incidents, including but not limited to:
(i) Vendor's systems are continually monitored to detect evidence of a Security Incident
(ii) Vendor has a Security Incident response process to manage and to take corrective action
for any suspected or realized Security Incident
(iii) Upon request Vendor will provide City of Tukwila with a copy of its Security Incident
policies and procedures. If a Security Incident affecting City of Tukwila occurs, Vendor, at
its expense and in accordance with applicable Information Protection Laws, will
immediately take action to prevent the continuation of the Security Incident.
4.3 Notification. Within eight (8) hours of Vendor's initial awareness of a Security Incident or other mutually
agreed upon time period, Vendor will notify City of Tukwila of the Incident by calling by phone the City of
Tukwila Security Contact(s) listed above.
4.4 Investigation and Remediation. Upon Vendor's notification to City of Tukwila of a Security Incident, the
parties will coordinate to investigate the Security Incident. Vendor shall be responsible for leading the
investigation of the Security Incident, but shall cooperate with City of Tukwila to the extent City of Tukwila
requires involvement in the investigation. Vendor shall involve law enforcement in the investigation if
requested by City of Tukwila.
Vendor will cooperate, at its expense, with City of Tukwila in any litigation or investigation deemed
reasonably necessary by City of Tukwila to protect its rights relating to the use, disclosure, protection and
maintenance of Confidential Information. Vendor will reimburse City of Tukwila for actual costs incurred by
City of Tukwila in responding to, and mitigating damages caused by any Security Incident, including all costs
of notice and remediation which City of Tukwila, in its sole discretion, deems necessary to protect such
affected individuals in light of the risks posed by the Security Incident. Vendor will, at Vendor's own
expense, provide City of Tukwila with all information necessary for City of Tukwila to comply with data breach
recordkeeping, reporting and notification requirements pursuant to Information Protection Laws. Vendor will
use reasonable efforts to prevent a recurrence of any such Security Incident. Additionally, Vendor will
provide (or reimburse City of Tukwila) for at least one (1) year of complimentary access for one (1) credit
monitoring service, credit protection service, credit fraud alert and/or similar services, which City of Tukwila
deems necessary to protect affected individuals in light of risks posed by a Security Incident.
4.5 Reporting. Vendor will provide City of Tukwila with a final written incident report within five (5) business days
after resolution of a Security Incident or upon determination that the Security Incident cannot be sufficiently
resolved.
5. Confidential Information or Personal Information
5.1 Authorized Personnel. Vendor will require all Authorized Personnel to meet Vendor's obligations under the
Agreement with respect to Confidential Information or Personal Information. Vendor will screen and evaluate
all Authorized Personnel and will provide appropriate privacy and security training, as set forth above, in
order to meet Vendor's obligations under the Agreement. Upon City of Tukwila's written request, Vendor will
provide City of Tukwila with a list of Authorized Personnel. Vendor will remain fully responsible for any act,
error, or omission of its Authorized Personnel.
5.2 Data and Privacy Protection Laws. Vendor represents and warrants that its collection, access, use, storage,
disposal, and disclosure of Personal Information complies with all applicable federal, state, local and foreign
data and privacy protection laws, as well as all other applicable regulations and directives.
6. Third Party Security
6.1 Vendor will conduct thorough background checks and due diligence on any third and fourth parties which
materially impact Vendor's ability to provide the products and/or Services to City of Tukwila as described in
the Agreement.
6.2 Vendor will not outsource any work related to its products or the Services provided to City of Tukwila in
countries outside the United States of America, which have not been disclosed in the Agreement or without
prior written approval from City of Tukwila Legal and Information Security. If Vendor desires to outsource
certain work during the Term of the Agreement, Vendor shall first notify City of Tukwila so that the parties
can ensure adequate security protections are in place with respect to the Services provided to City of
Tukwila.
7. Payment Cardholder Data
7.1 If Vendor accesses, collects, processes, uses, stores, transmits, discloses, or disposes of City of Tukwila
and/or City of Tukwila customer credit, debit, or other payment cardholder information, Vendor agrees to the
following additional requirements:
a) Vendor, at its sole expense, will comply with the Payment Card Industry Data Security Standard ("PCI
DSS"), as may be amended or changed from time to time, including without limitation, any and all
payment card industry validation actions (e.g., third party assessments, self-assessments, security
vulnerability scans, or any other actions identified by payment card companies for the purpose of
validating Vendor's compliance with the PCI DSS).
b) Vendor will maintain a continuous PCI DSS compliance program. Annually, Vendor agrees to provide
evidence of PCI DSS compliance in the form of a Qualified Security Assessor ("QSA") Assessment
Certificate, a PCI Report on Compliance ("ROC"), or evidence that Vendor is included on the Visa or
MasterCard list of PCI DSS Validated Service Providers.
c) Vendor will ensure that subcontractors approved by City of Tukwila, in accordance with Section 6.2,
comply with and maintain a continuous PCI DSS compliance program if the subcontractor provides any
service on behalf of Vendor that falls within PCI DSS scope. The Subcontractor must provide evidence of
PCI DSS compliance in the form of a Qualified Security Assessor ("QSA") Assessment Certificate, a PCI
Report on Compliance ("ROC"), or evidence that Subcontractor is included on the Visa or MasterCard list
of PCI DSS Validated Service Providers.
d) Vendor will immediately notify City of Tukwila if Vendor is found to be non-compliant with a PCI DSS
requirement or if there is any breach of cardholder data impacting City of Tukwila or its customers.
8. Changes
In the event of any change in City of Tukwila's data protection or privacy obligations due to legislative or
regulatory actions, industry standards, technology advances, or contractual obligations, Vendor will work in
good faith with City of Tukwila to promptly amend this Exhibit accordingly.
Exhibit F
Terms and Conditions
Any capitalized terms not defined in these Terms and Conditions shall have the meaning assigned to it in that certain proposal letter
by and between Brycer, LLC and the City of Tukwila (the "Agreement").
1. Restrictions on Use. Client shall not copy, distribute, create derivative works of or modify the Solution in any way. Client agrees that:
(a) it shall only permit Authorized Users to use the Solution for the benefit of Client; (b) it shall use commercially reasonable efforts to
prevent the unauthorized use or disclosure of the Solution; (c) it shall not sell, resell, rent or lease the Solution; (d) it shall not use the
Solution to store or transmit infringing or otherwise unlawful or tortious material, or to store or transmit material in violation of third party
rights; (e) it shall not interfere with or disrupt the integrity or performance of the Solution or third-party data contained therein; (f) it shall
not reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code which is derived from the Solution;
(g) it shall not permit anyone other than the Authorized Users to view or use the Solution and any screen shots of the Solution; and (h) it
shall not disclose the features of the Solution to anyone other than the Authorized Users. Client is responsible for all actions taken by the
Authorized Users in connection with the Solution.
2. Proprietary Rights. All right, title and interest in and to the Solution, the features of the Solution and images of the Solution as well as any and
all derivative works or modifications thereof (the "Derivative Works"), and any accompanying documentation, manuals or other materials
used or supplied under this Agreement or with respect to the Solution or Derivative Works (the "Documentation"), and any reproductions
works made thereof, remain with Brycer. Client shall not remove any product identification or notices of such proprietary rights from the
Solution. Client acknowledges and agrees that, except for the limited use rights established hereunder, Client has no right, title or interest
on the Solution, the Derivative Works or the Documentation.
3. Independent Contractor. Nothing in the Agreement may be construed or interpreted as constituting either party hereto as the agent,
principal, employee or joint venturer of the other. Each of Client and Brycer is an independent contractor. Neither may assume, either
directly or indirectly, any liability of or for the other party. Neither party has the authority to bind or obligate the other party and neither
party may represent that it has such authority.
4. Reservation of Rights. Brycer reserves the right in its sole discretion and with prior notice to Client, to discontinue, add, adapt, or otherwise
modify any design or specification of the Solution and/or Brycer's policies, procedures, and requirements specified or related hereto. All
rights not expressly granted to Client are reserved to Brycer, including the right to provide all or any part of the Solution to other parties.
5. Use of Logos. During the term of this Agreement, Brycer shall have the right to use Client's logos for the purpose of providing the Solution
to Client.
6. Confidential Information. Brycer and Client acknowledge and agree that in providing the Solution, Brycer and Client, as the case may be,
may disclose to the other party certain confidential, proprietary trade secret information ("Confidential Information"). Confidential
Information shall include, but is not limited to, the Solution, computer programs, screen shots, flowcharts, diagrams, manuals, schematics,
development tools, specifications, design documents, marketing information, security testing results, penetration testing results, financial
information or business plans.
a. Each party agrees that it will not, without the express prior written consent of the other party, disclose any Confidential Information or any
part thereof to any third party. Notwithstanding the foregoing, the parties acknowledge that Client and Brycer shall be permitted to comply
with any and all federal and state laws concerning disclosure provided that the City shall endeavor to ensure that any such required
disclosure will not include any of Brycer's screen shots. The disclosing party shall provide reasonable prior written notice of any required
disclosure of the nondisclosing party's Confidential Information to the nondisclosing party and shall disclose only the information that is
required to be disclosed by law. The nondisclosing party shall have the right to seek a protective order or other relief with respect to such
disclosure. In the event that Client requests from Brycer any reports or other information for purposes of complying with federal and state
disclosure laws, Brycer shall provide such information within five business days following such request. Confidential Information excludes
information: (a) that is or becomes generally available to the public through no fault of the receiving party; (b) that is rightfully received by
the receiving party from a third party without limitation as to its use; or (c) that is independently developed by receiving party without use
of any Confidential Information. At the termination of this Agreement, each party will return to the other party all Confidential Information
of the other party. Each party also agrees that it shall not duplicate, translate, modify, copy, printout, disassemble, decompile or otherwise
tamper with any Confidential Information of the other party or any firmware, circuit board or software provided therewith.
7. Brycer Warranty. Brycer represents and warrants to Client that Brycer has all rights necessary in and to any patent, copyright, trademark,
service mark or other intellectual property right used in, or associated with, the Solution, and that Brycer is duly authorized to enter into
this Agreement and provide the Solution to Client pursuant to this Agreement.
8. Disclaimer. All information entered into Brycer's database is produced by third party inspectors and their agents. THEREFORE, BRYCER
SPECIFICALLY DISCLAIMS ANY REPRESENTATION OR WARRANTY AS TO THE ACCURACY OR COMPLETENESS OF ANY INFORMATION
ENTERED INTO BRYCER'S DATABASE BY EITHER CLIENT OR THIRD PARTY INSPECTORS. EXCEPT AS SET FORTH IN SECTION 6, BRYCER
MAKES NO OTHER WARRANTY, EXPRESS OR IMPLIED, WITH RESPECT TO THE SOLUTION OR ANY OTHER INFORMATION AND ALL OTHER
WARRANTIES, WHETHER EXPRESS OR IMPLIED, ARE HEREBY DISCLAIMED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. BRYCER'S SOLE LIABILITY FOR BREACH OF THE
REPRESENTATION AND WARRANTY SET FORTH IN SECTION 6, AND CLIENT'S SOLE REMEDY, SHALL BE THAT BRYCER SHALL INDEMNIFY
AND HOLD CLIENT HARMLESS FROM AND AGAINST ANY LOSS, SUIT, DAMAGE, CLAIM OR DEFENSE ARISING OUT OF BREACH OF THE
REPRESENTATION AND WARRANTY.
9. Risks Inherent to Internet. Client acknowledges that (a) the Internet is a worldwide network of computers, (b) communication on the
Internet may not be secure, (c) the Internet is beyond the control of Brycer, and (d) Brycer does not own, operate or manage the Internet.
Client also acknowledges that there are inherent risks associated with using the Solution, including but not limited to the risk of breach of
security, the risk of exposure to computer viruses and the risk of interception, distortion, or loss of communications. Client assumes these
risks knowingly and voluntarily. Not in limitation of the foregoing, Client hereby assumes the risk, and Brycer shall have no responsibility or
liability of any kind hereunder, for: (1) errors in the Solution resulting from misuse, negligence, revision, modification, or improper use of
all or any part of the Solution by any entity other than Brycer or its authorized representatives; (2) any version of the Solution other than
the then-current unmodified version provided to Client; (3) Client's failure to timely or correctly install any updates to the Client Access
Software; (4) problems caused by connecting or failure to connect to the Internet; (5) failure to provide and maintain the technical and
connectivity configurations for the use and operation of the Solution that meet Brycer's recommended requirements; (6) nonconformities
resulting from or problems to or caused by non-Brycer products or services; or (7) data or data input, output, accuracy, and suitability, which
shall be deemed under Client's exclusive control.
10. Breach. Either Party shall have the right to terminate or suspend this Agreement immediately upon delivering written notice to the other
Party detailing that Party's breach of any provision of this Agreement and providing five (5) days to cure the breach. If that Party fails to
cure such breach within 5 days of receiving written notice thereof, the Agreement may be terminated.
11. Illegal Payments. Client acknowledges and agrees that it has not received or been offered any illegal or improper bribe, kickback, payment,
gift or anything of value from any employee or agent of Brycer in connection with the Agreement.
12. Beneficiaries. There are no third party beneficiaries to the Agreement.
13. Force Majeure. Neither party shall be responsible for any failure to perform due to unforeseen, non-commercial circumstances beyond its
reasonable control, including but not limited to acts of God, war, riot, embargoes, acts of civil or military authorities, fire, floods,
earthquakes, blackouts, accidents, or strikes. In the event of any such delay, any applicable period of time for action by said party may be
deferred for a period of time equal to the time of such delay, except that a party's failure to make any payment when due hereunder shall
not be so excused.