FIN 2024-07-22 Item 1A - Contract - Tax and License Software with HdL Companies
City of Tukwila
Thomas McLeod, Mayor
INFORMATIONAL MEMORANDUM
TO: Finance and Governance Committee
FROM: Tony Cullerton, Deputy Finance Director
BY: Adam Schierenbeck, Senior Fiscal Coordinator
CC: Mayor McLeod
DATE: July 16, 2024
SUBJECT: Tax & License Software Budget Approval
ISSUE
Staff are requesting approval to enter into a contract for the set-up and use of tax and licensing
software with HdL Companies. The software solution will enable the City to maintain a database
of businesses operating in the City, improve the business license application approval process,
aid the City in administering its business taxes, and allow businesses to file and pay business
tax returns online.
BACKGROUND
The City's business and occupation (B&O) tax took effect on January 1, 2024. The B&O tax
generally applies to every business activity engaged in within the City (unless specifically
exempt), thereby significantly increasing the number of businesses that are subject to City
taxes.
Prior to the effective date of the B&O tax, staff consulted with other local taxing jurisdictions and
met with numerous software vendors to find a solution that will provide the City with an internal
system of record to aid in administering the tax while allowing businesses to file and pay tax
returns online. This solution was sought not only for B&O tax but also to administer the
City's other business taxes on admissions, gambling, parking, and utilities.
At this time, businesses must send tax returns by mail with payment made by check or money
order. Finance Department staff must manually process each individual tax return and use
Microsoft Excel to record and maintain the tax return information and business details. Thus, the
processes required by both City staff and businesses are manual and labor-intensive. Excel is
also used to route business license applications through multiple departments for approval.
On January 31, 2024, the City published a request for proposals (RFP) for a tax administration
and online filing system. On March 29, 2024, HdL Companies provided a response and cost
proposal. Through subsequent discussions and software demonstrations, HdL Companies has
established that its software solution will meet the City's desired requirements within budgetary
constraints.
DISCUSSION
Approximately 3,400 B&O tax returns are expected to be received by the City annually, in
addition to 1,600 returns for taxes due on admissions, gambling, parking and utilities.
To properly administer and enforce the City's business taxes, staff must maintain a list of
businesses that are subject to the tax; identify whether required tax returns have been filed and
whether they were paid timely; and identify whether the correct amount of tax has been paid.
Administering B&O tax is especially challenging compared to the City's other business taxes
due to the larger number of tax filers and the additional complexities related to B&O tax —
including an annual taxable threshold, multiple tax rates, and multiple calculation schedules.
While Microsoft Excel has been used as a means to track tax return data and maintain a list of
businesses in the City, this method is time-consuming to maintain and prone to errors and
omissions. The alternative software solution offered by HdL Companies provides an internal
system of record that will allow a streamlined method for viewing, sorting, and analyzing tax
return and business information. Staff anticipate that such software will lead to efficiency for
routine tasks while improving the ability to monitor and enforce tax compliance.
Importantly, HdL Companies' software solutions will allow businesses to file and pay City tax
returns online, thereby providing a more efficient means for businesses to comply with the City's
requirements. This also will reduce the staff time needed for manually processing payments.
Finally, the solution offered by HdL Companies provides functionality related to business license
application approvals, allowing applications to be routed through the various departments
involved in the approval process. This task is currently being handled in Microsoft Excel,
whereas the proposed solution would provide greater efficiency, accuracy, and timeliness.
While the City did not receive a formal response to the RFP from other software vendors, a
preliminary estimate provided by another vendor, Tyler Technologies, showed a first-year cost
of $167,665 and recurring annual fees of over $28,000. An alternative option is to pursue an
interlocal agreement with FileLocal, pending a vote of other member cities. FileLocal is a
municipal subdivision of the State of Washington that was created to provide an online filing
option for municipal B&O tax (and municipal business licensing). FileLocal does not, however,
provide an internal system of record and therefore would provide only part of the solution. Staff
recommend entering into an agreement with HdL Companies because the solution meets both
the needs of staff and those of external customers at a similar cost to FileLocal.
Staff conducted reference checks with the City of Bellingham and with Henry County, GA, both
of which use HdL Companies' software solution to administer their taxes and/or license fees.
Positive feedback was received from these references, with an emphasis on ease of use and
timely responsiveness by the vendor.
The draft contract and associated schedules have been reviewed and approved by the City
Attorney's Office.
FINANCIAL IMPACT
The proposed software solution from HdL Companies will cost $84,500 in the first year, which
includes a one-time startup cost of $65,000 and an annual recurring fee of $19,500. The total
contract amount for two years — the length of time sought by the City for the initial agreement —
is $104,000 (plus a CPI increase for the second year). This does not include additional training
time beyond the amount specified in the contract (i.e. one day), and it does not include
customization to the software. Should the City find that additional costs are needed as the
project progresses, a contract amendment would be sought at that time.
RECOMMENDATION
Review and respond to the proposed budgetary approval. The Council is being asked to
approve the budget for this contract at the Regular Meeting on August 5, 2024.
ATTACHMENTS
A. HdL Company Profile and Project Approach
B. Draft contract and exhibits
A. COVER LETTER AND COMPANY OVERVIEW
March 29, 2024
Vicky Carlsen, Finance Director
City of Tukwila
Dear Ms. Carlsen,
HdL Companies (HdL) is pleased to submit our proposal for Tax Administration and Online Filing System.
With 40 years of experience, HdL provides revenue enhancement and consulting services to local
governments. Our firm serves over 700 cities, counties and special districts across the nation and has
recovered more than $3 billion in revenue. We use our expertise to analyze tax data to provide relevant
insights to support your financial strategies. Our commitment to innovative solutions and quality customer
service is valued by our clients, proven by our 99.6% client retention rate and the over 60 municipalities
who have switched to HdL from other service providers.
Our contact information is:
Robert Gray, Director of Tax and Fee Administration/CIO
HdL Companies
120 S. State College Blvd., Suite 200
Brea, CA 92821
Company Overview
Hinderliter, de Llamas and Associates (HdL) was established in 1983 to maximize local government
revenues by providing allocation audits, analytical services, and software products to local governments.
The firm, which is a 100% employee-owned company, provides audit and consulting services for sales, use
and transaction taxes, and other locally administered taxes. HdL Software was formed in 1996 to provide
innovative software processing tools for business licensing, hospitality taxes, and other locally
administered revenues. HdL's systematic and coordinated approach to revenue management, tax
administration, and economic data analysis is currently being utilized by over 700 agencies nationwide.
Currently partnering with over 700 cities and counties for services including business license
tax/registration, hospitality tax, and short-term rentals, HdL processes hundreds of millions in revenue
annually from locally collected taxes. To date, HdL has recovered more than $3 billion in revenue for client
agencies.
[Infographic: $3B recovered revenue; 700+ local government clients; >99% client retention]
HdL employs over 250 employees. The firm will not be using any subcontractors or consultants for this
project.
HdL Companies
Proposal for Tax Administration and Online Filing System 3
HdL offers the following advantages:
• Relevant, timely and ongoing staff support by a team with decades of direct experience in municipal
finance and budgeting, economic development, and maximization of revenues.
• Technology-driven resources for data analysis and reporting capabilities, providing immediate and
convenient access to the most up-to-date tax and fee information.
• Expertise, analysis, recaptured revenues, and precise budget forecasts to maximize your revenue
streams.
• Reliable continuity of service by a firm with stable employee ownership and a low staff turnover rate.
HdL is uniquely suited to delivering high quality and full-service solutions to the City and its business
community in the areas outlined in this proposal. HdL will provide unparalleled service, reporting, and
analytics as requested by the City.
HdL is committed to providing the City with the dedication time, personnel and resources needed for this
project. We look forward to reviewing the proposal with you in more detail and demonstrating how HdL can
enhance the City's bottom line. Please call if you have questions or need additional information. I can be
reached at 714.879.5000 or by email at rgray@hdlcompanies.com.
Sincerely,
Robert Gray
Director of Tax and Fee Administration
HdL Companies
B. EXECUTIVE SUMMARY
Firm Profile
HdL was established in 1983 to maximize local government revenues by providing allocation audits,
analytical services, and software solutions to local governments. The firm provides municipal revenue and
software solutions for business license tax, lodging tax, sales, use and transaction tax, and various other
locally administered taxes. In 1996, HdL introduced innovative software and revenue solutions for business
license, transient occupancy tax and other locally administered revenues. HdL is an S-corporation and 100%
employee owned.
Qualifications
HdL is uniquely suited to delivering high quality, full-service software solutions to the City and its business
community. HdL will provide unparalleled service, reporting, and analytics. As local tax experts, the firm offers
comprehensive software and services which assist municipalities with Business License Administration and
Compliance, Hospitality Administration and Audits, Short Term Rentals Discovery and Administration, Rental
Unit Registration, Operations Support, Fee and Ordinance Analysis and other analytical services that allow
cities and counties to expand the effectiveness of related internal operations.
HdL has grown from one employee to over 250 and is proud to be 100% employee owned. HdL empowers
each employee-owner to fulfill our mission of helping local government agencies increase revenues, gain
actionable insights, maintain regulatory compliance, and operate more efficiently. This approach has led to
steady long-term growth and financial stability, making HdL an ideal partner.
HdL acknowledges the City's request to assist with Business Licensing Software and is proposing HdL's Prime
solution to meet the City's desire for a business license solution. HdL's Best-of-Breed local tax software
solution is utilized by hundreds of municipalities. Our team of professionals has the capacity to meet and
exceed the expectations set forth in the City's RFP, as related to local tax software.
Unlike ERP software providers, HdL has a dedicated local tax team which spends 100% of its time on local
tax solutions and support for our municipal clients. As a direct result, HdL's best of breed business license
solution is preferred by a variety of municipalities throughout the nation, while maintaining an over 99.6%
customer retention rate. Our staff brings hundreds of years of combined local government experience,
including Certified Revenue Officers (CRO), business tax supervisors, finance directors and city managers. We
have a broad and intimate understanding of the complex needs of local government. As former government
professionals ourselves, our dedication to local government is second to none. Guided by this experience and
our client relationships, HdL's Prime local tax solution continually improves in ease of use and functionality.
HdL's Prime solution will support the City's identified core activities including business license fee collection,
additional taxes/assessments, monitoring current activity, auditing license activity, and improving operations
efficiency. Whether business license tax, hospitality tax/STR, UUT, parking facilities tax, rental unit
registration, or other similar locally administered programs, HdL Prime will provide an efficient platform for
both City staff and the City's business community. HdL also goes above and beyond in our service,
proactively monitoring local and state legislation for potential impacts on locally administered revenue programs,
both to ensure our systems are ready when legislation goes into effect, and also to shape potential legislation,
when possible, to benefit local governments.
HdL's best of breed solution supports integrating with the City's other systems, allowing the City to benefit
from the best available local tax solution for business license tax without requiring compromise by other
departments. HdL Prime can be integrated with the City's finance, cashiering, permitting, GIS, and other
systems as may be desired.
The HdL Prime solution is built, continually enhanced, and supported by tax experts for local agencies.
Equipment
HdL's local tax software solution is offered as Software as a Service (SaaS). The City only needs to provide its
users with reliable internet access and a computing device supporting a standard internet browser. The
solution is hosted in the highly secure Microsoft Azure Government cloud, which adheres to security controls
for the most rigorous security and compliance standards including ISO 27001, ISO 27018, SOC 1, SOC 2,
SOC 3, FedRAMP and HITRUST.
[Diagram: Azure Gov Cloud Environment, showing Azure SQL, Prime Cloud Application Service, Prime Web Application Service, Azure Firewall, Security Services, and Client Session]
C. KEY PERSONNEL
Tax & Fee Administration Services Team
HdL's key staff has extensive local government experience, having previously held positions in city
management, finance, planning, economic development, and revenue collection. The HdL team includes
several experienced business license tax department supervisors and certified revenue officers (CROs). The
firm has the staffing and capacity to provide the services requested by the City. HdL's intimate understanding
of local government needs coupled with our extensive databases and advanced methodology provides for the
most relevant, productive, and responsive revenue solutions, software systems and customer service. The firm
is properly staffed to provide these services to the City.
Robert Gray - Chief Information Officer, Director of Tax and Fee Administration
Mr. Gray serves as Chief Information Officer and Director of Tax and Fee Administration and
has been with the firm since 1996. He has extensive experience in the design, development,
implementation and operation of revenue management solutions for local government. He
introduced HdL's local tax services, which provide tax administration and consulting services to an increasing
number of municipalities. While leading HdL's Tax and Fee Division through a period of significant growth, he
has ensured that HdL maintains its commitment to providing excellent customer service. He earned a Bachelor
of Science degree in Computer Science and an MBA from Azusa Pacific University.
Josh Davis - Director of Professional Services
Mr. Davis has over 25 years of experience with local tax administration, discovery, and audit, and
oversees a skilled team which provides the most sophisticated local tax administration services
available to municipalities. Trained in revenue audit and discovery techniques, he is skilled in
navigating the complex scenarios and needs often encountered during such services. He also possesses strong
technical and business process capabilities which he employs to aid HdL clients in meeting their strategic
objectives. His reputation amongst municipalities is that of a very capable local taxation expert who will help the
municipality achieve their objectives while providing excellent customer service throughout the engagement.
Bret Harmon - Director of Client Experience
Mr. Harmon serves as the Director of Client Experience. With over 20 years of experience
leading and consulting local governments, Mr. Harmon understands firsthand the opportunities
and struggles facing HdL clients. He leads the Client Experience division, which is dedicated to the success of
each client. His team supports clients through implementation, going live, and ongoing needs. He is
well-known for building strong relationships with his clients, mentoring his staff, and lifting organizations to new
levels of success. Mr. Harmon earned a Master of Public Administration degree from Brigham Young
University.
Connor Duckworth - Client Advisor
Mr. Duckworth has over ten years of experience working for both State and local municipalities
and providing political consulting to candidates on a number of races and referendums. As a
project manager, he is responsible for the development and implementation of business license,
tax, and revenue related products and services. He has served as a lecturer and mentor to municipalities
nationwide and served as a Vice-President on both Division and State Boards for the CMRTA. He has won the
CMRTA Lighthouse Award of Excellence for creating the top business license and revenue program in the State.
Additionally, Mr. Duckworth also previously served on a countywide office which serves the needs of over
200,000 residents.
D. PROJECT APPROACH AND SCOPE OF WORK
Project Approach
HdL's Prime Cloud tax software solution has the built-in capabilities to meet the City's needs for business
licensing tax. HdL's solution is a unique combination of technology, expertise, and service. We have a broad,
deep and intimate understanding of the complex needs of local government. As former government
professionals ourselves, our dedication to local government is second to none. Guided by this experience and
our client relationships, HdL's Prime local tax solution continually improves in ease of use and functionality.
HdL's Prime solution will support the City's identified core activities including business license fee collection,
additional taxes/assessments, monitoring current activity, auditing license activity, and improving operations
efficiency. Whether business license tax, hospitality tax/STR, UUT, parking facilities tax, rental unit
registration, or other similar locally administered programs, HdL Prime will provide an efficient platform for
both City staff and the City's business community.
HdL's solution can print QR codes on applications and renewal forms which can then be scanned to pull up
accounts for payments or batch processing. Each account has a comments section for staff to enter
information where their information is timestamped in the system. This also applies to HdL's approvals portal,
which allows multiple departments to review and approve new applications through a workflow with the
ability to attach photos, documents, and notes, see location history, and much more. There are two types of
activity logs to track activity: the individual account log and the system event log. HdL's cloud software
solution is accessible from anywhere via an internet connection. Each user's access is secured through
permissions assigned allowing for only specific activities to be performed. Permissions can be updated at any
time by the named system administrators.
HdL's solution offers robust inquiry and reporting capabilities, allowing users to create various reports from
data collected in the system and generated into a pdf, xls, or csv file. Additionally, the system comes with
dozens of helpful built-in reports. Ad-hoc lists can be easily generated through a sophisticated query system
which allows powerful and immediate access to the City's valuable business data. All reports and emails can
be saved for future use in the system.
HdL's solution can be integrated with the City's other systems as may be desired, including cashiering, finance,
permitting, GIS, and more. Daily journal entry files can automatically be generated, data can be pushed to
other software platforms, and an available API can facilitate enhanced access or exchange of information.
HdL also offers optional supporting services in partnership with our software solution, such as business license
discovery and compliance or hospitality tax audits. HdL's business license discovery and compliance program
will scour City provided and HdL proprietary data sources to identify businesses conducting activity within
the City but not currently registered with the City. Upon confirmation of these leads, HdL can work with the
business to get them registered and current on any applicable City taxes/fees.
Description of Work Plan
HdL's Prime local tax software solution has the built-in capabilities to meet the City's needs for business
licensing software solutions. HdL's solution is a unique combination of technology, expertise, and service. We
have a broad, deep and intimate understanding of the complex needs of local government. As former
government professionals ourselves, our dedication to local government is second to none. Guided by this
experience and our client relationships, HdL's Prime local tax solution continually improves in ease of use and
functionality. HdL's Prime solution will support the City's identified core activities including business license
fee collection, additional taxes/assessments, monitoring current activity, auditing license activity, and
improving operations efficiency. Whether business license tax, HVT/STR, UUT, parking facilities tax, rental
unit registration, or other similar locally administered programs, HdL Prime will provide an efficient platform
for both City staff and the City's business community.
HdL's solution has the ability to print QR codes on applications and renewal forms which can then be scanned
to pull up accounts for payments or batch processing. Each account has a comments section for staff to enter
information where their information is timestamped in the system. This also applies to HdL's approvals portal,
which allows multiple departments to review and approve new applications through a workflow with the
ability to attach photos, documents and notes, see location history, and much more. There are two types of
activity logs to track activity; the individual account log and the system event log. HdL's cloud software
solution is accessible from anywhere via an internet connection. Each user's access is secured through
permissions assigned allowing for only specific activities to be performed. Permissions can be updated at any
time by the named system administrators.
HdL's solution offers robust inquiry and reporting capabilities, allowing users to create various reports from
data collected in the system and generated into a pdf, xls, or csv file. Additionally, the system comes with
dozens of helpful built-in reports. Ad-hoc lists can be easily generated through a sophisticated query system
which allows powerful and immediate access to the City's valuable business data. All reports and emails can
be saved for future use in the system.
HdL's solution can be integrated with the City's other systems as may be desired, including cashiering, finance,
permitting, GIS, and more. Daily journal entry files can automatically be generated, data can be pushed to
other software platforms, and an available API can facilitate enhanced access or exchange of information.
Scope of Work
Technology Environment
HdL's local tax software solution is offered as Software as a Service (SaaS). The City only need provide its
users with reliable internet access and a computing device supporting a standard Internet browser. The
solution is hosted in the highly secure Microsoft Azure Government cloud, which adheres to security controls
for the most rigorous security and compliance standards including ISO 27001, ISO 27018, SOC 1, SOC 2,
SOC 3, FedRAMP and HITRUST. HdL's solution includes PCI compliant online payment processing powered
via Nuvei's payments platform. Integrations with alternative payment processors can be built at the request
of the City.
Software Hosting Services
As a Software as a Service (SaaS) solution, the majority of IT concerns are offloaded to HdL's hosting team;
including system upgrades, hardware and software maintenance, database management, disaster recovery,
and security updates and monitoring. The City will be responsible for maintaining its workstations and
providing a high speed, reliable internet connection. HdL will handle the rest. Website functionality will be
hosted using a City-specific sub-domain on HdL's special purpose hdlgov.com domain.
1. Workstation Specifications - Workstations will access the software through HdL's cloud hosting
service. All workstations require 8+GB Memory, 1280x1024 screen resolution, and a modern internet
web browser.
2. Network Specifications - HdL's hosted service requires reliable, high speed internet
connectivity. High-speed internet connections are always helpful, but the service will also run over
slower WAN connections such as mobile broadband.
3. Printer Specifications - The software is designed to work with laser printers. A PCL compliant laser
printer is recommended. Each make and model of printer has different drivers and therefore has
slightly different results when printing. We design forms/reports using HP LaserJet printers.
Please find the following documents for the City's review:
✓ SLA - Prime Hosted Services
✓ Disaster Recovery Plan
Implementation Plan for Prime Business License Software and Web Module
HdL's Responsibilities
1. Project Manager - HdL will provide a project manager (PM) to guide the software implementation
process. The primary responsibility for the PM is to ensure successful and timely completion of each
step of the software implementation schedule. The PM will work closely with the City's designated
project manager to define the software implementation schedule, identify the City's needs and
configure the software accordingly, validate the data conversion, and provide user training.
2. IT Support - HdL will provide a dedicated IT staff member to provide IT support during the software
implementation process.
3. Management Support - HdL will assist the City in evaluating current policies and procedures in order
to enhance operational efficiency. This may include suggestions to redesign forms/reports, implement
new processes, or adopt new strategies for improving communication with the business community
and other City departments.
4. Training - HdL will provide software training for the City's users as defined in the fees schedule. The
timing, size and participants of each training session will be determined by HdL and the City's PMs.
Client's Responsibilities
1. Project Manager - The City will designate a staff member to serve as the City's project manager
(PM). This individual must be intimately involved in the daily business processes which the software
will automate, and be empowered to make, or quickly secure from management, decisions required
for the configuration and implementation of the software. The primary responsibility for the City PM
is to ensure that all City responsibilities during the software implementation process are met according
to the agreed upon software implementation schedule.
The City's PM will be instrumental in the successful implementation of the software; working closely
with HdL's PM to verify data conversion, review and approve reports, establish business rules, and
confirm configuration and behavior of the software.
2. IT Support - The City will designate an IT staff member to work with HdL staff throughout the
software implementation process. This individual must be knowledgeable about the City's computing
environment and be authorized to access any equipment or services required for proper access to and
operation of the software.
Data Conversion
HdL will convert the City's existing data as provided. The City agrees to provide its current data in a format
agreed upon by HdL and the City. Acceptable formats include Microsoft SQL Server backup file, Excel,
Access, and ASCII delimited text file. The City will provide all available documentation to assist with identifying
the contents of the data files, including but not limited to file layout documentation, database schema, and
screenshots from five (5) sample accounts. The City will provide the data a minimum of two times during the
conversion process. The City understands that the second (and any subsequent) data must be provided in the
same format and layout as the first data set. Any inconsistencies between the first and final data sets will
result in a delayed installation date and additional charges for conversion.
Schedule
The timeline for software implementation (including "Go Live") will be determined in discussions with the City,
considering resource availability, and final project scope and constraints. HdL estimates that implementation
for the City will require between 10 and 16 weeks from receipt of initial discovery materials and data.
Implementations which have multiple customizations and integrations are subject to an updated timeline as
agreed upon by both parties. When the Agreement is signed by all parties, HdL will immediately work with
the City to establish a concrete implementation schedule which is agreeable to both the City and HdL.
Company Approach to Project Management
HdL's approach to assisting the City of Tukwila includes:
• Local Tax Solution Provider of Choice by Local Governments - HdL has been partnering with local
governments for 40 years and is the preferred provider of local tax solutions, having been selected by
more agencies than any other provider while maintaining an over 99% customer retention rate. Our
broad and informed customer base and unmatched dedication to serving local governments have
helped us to deliver local tax solutions of the highest quality.
• Exceptional Customer Support - Our staff represents hundreds of years of local government
experience, including CROs, business tax supervisors, finance directors and city managers. We have a
broad, deep and intimate understanding of the complex needs of local government. As former
government professionals ourselves, our dedication to local government is second to none.
• Full-Service Provider - HdL is the only firm which provides software as well as tightly integrated local
tax services as needed, including modernizing your municipal code and tax structure, discovery and
audit services, and consulting services which encompass any circumstance which may be encountered
in the realm of local government licensing and taxes.
• Integrations - HdL offers a best of breed local tax solution without compromise, as Prime can be
integrated with the City's other systems, such as finance, cashiering, permit tracking, lockbox
processing, sales tax data, property tax data, and more.
HdL has built a track record of successful implementations by listening to our clients' needs and tailoring our
process as needed. We understand that the City of Tukwila has unique business processes and requirements,
so our methodology is a combination of structure and flexibility. The result is a process that predictably moves
the project towards completion while allowing for the unique requirements of the project. The HdL
Implementation Methodology consists of three phases as pictured here below, each with a planning, delivery,
and closure stage. Our goal is to keep the process structure as simple as possible, which minimizes disruption
of City operations and keeps the project burden on City staff as small as possible. The HdL Project Manager
works with the City Project Manager at every phase and stage to ensure a successful project.
The first project deliverable will be a detailed project plan, determined through coordination between HdL
and the City, pending further project requirements discovery and documentation of project specifications.
[Figure: HdL Software Implementation Methodology, showing the Prepare, Implement, and Deploy phases.]
Client Support
HdL will provide the City with no charge support by telephone and email during the term of the
agreement. Support is available as follows: For customer support between the hours of 8:00 am and 5:00 pm
Pacific time, Monday through Friday, email support@hdlcompanies.com or call (909) 861-4335 and ask for
software support. For urgent off hours support before 8:00 am or after 5:00 pm Pacific time, Monday through
Friday (or anytime Saturday), email 911@hdlcompanies.com and HdL's on call support personnel will be
notified. Please only include your name, agency and contact phone number in emails to
911@hdlcompanies.com. HdL will contact you as soon as possible.
Response Time
In the event that the City encounters an error and/or malfunction whereby the software does not conform
to expected behavior in accordance with the software design, HdL will assign one of the following severity
levels and render support services in a timely manner consistent with the urgency of the situation.
• Severity Level 1 - a critical problem has been encountered such that the software is essentially
inoperable and without a reasonable workaround. HdL will respond within one (1) business hour to
diagnose the problem. A response is defined as an email or call to the City's designated support
contact. HdL and the City will work diligently and continuously to correct the problem as quickly as
possible.
• Severity Level 2 - a problem has been encountered that does not prevent use of the software, but
the software is not operating correctly. HdL will diagnose the problem within 48 hours and advise
the City of any available workaround. Upon HdL's confirmation that the software is not operating
correctly, HdL will provide a software update to repair the defect and confirm with the City that the
update resolved the issue.
• Severity Level 3 - a minor problem has been encountered. The software is usable but could be
improved by correction of a minor defect or addition of a usability enhancement. HdL will assess
the request within fifteen (15) business days and, depending on priorities, schedule a software
update for a future release, advise City that the request will not be implemented, or offer the option
of implementing the request as a custom software enhancement at additional cost.
Support Policy Regarding Reports
HdL will assist with modifications to reports as needed during the term of the agreement with the City. Typical
report modifications require 7 to 10 business days to complete. Very complex reports or reports required in
a very short time frame may incur development costs, in which case an estimate will be provided for approval
before the work is begun.
Software Upgrades
Except to the extent that upgrades of the software include new modules or features not previously offered
as part of the software as of the date hereof, the City is entitled to upgrades of the software within the terms
of the agreement with the City. Though rare, additional costs may apply depending on the extent of the
upgrade. Potential additional costs include training, configuration, or other consulting services.
Online Payment Processing
HdL's software is bundled with PCI compliant payment gateway services powered by Nuvei, which supports
both credit card and eCheck transactions. If a different payment gateway is required there will be a
programming cost to establish the custom payment gateway integration.
Payment Processing
HdL will provide its services to support payments remitted to the City. HdL will transmit transactions for
authorization and settlement through HdL's certified payment processor. Funds for transactions processed
by HdL will be submitted to the City's designated bank account as follows:
(i) no more than two (2) business banking days after all Transactions (other than electronic Check
Transactions) that are successfully processed prior to 5:00 p.m. ET on each business banking day (e.g.,
a Transaction authorized at 2:00 p.m. ET on Monday will be submitted on Wednesday; a Transaction
successfully processed at 8:00 p.m. ET on Monday will be submitted on Thursday); and
(ii) no more than five (5) business banking days for all electronic Check Transactions that are successfully
processed prior to 5:00 p.m. ET on each business banking day. HdL makes no representation or
warranty as to when funds will be made available by the City's bank.
Electronic Check Authorization
If the City elects to accept electronic Checks as a form of payment, the following subsections apply. For the
purpose of this section, "checks" means checks drawn on accounts held in the U.S. ("Check(s)").
1. As part of the implementation plan, the City will select risk management controls governing Check
acceptance and assumes sole responsibility for the choice of controls.
2. HdL will provide confirmation on a submitted ABA number as part of the Service to assist the City
with the decision whether to accept a Check and shall route accepted Checks.
3. The City authorizes HdL to debit the City's financial institution account in the amount of any returned
item that is received by HdL.
Client Responsibilities
1. As a condition to its receipt of the Service, the City shall execute and deliver any and all applications,
agreements, certifications or other documents required by Networks or other third parties whose
consent or approval is necessary for the processing of Transactions. "Network" is an entity or
association that operates, under a common service mark, a system which permits participants to
authorize, route, and settle Transactions among themselves, including, for example, networks
operated by VISA USA and Mastercard, Inc., NYCE Corporation, American Express, and Discover.
2. The City agrees that it will comply with applicable laws and regulations and network rules, regulations
or operating guidelines. We request that the City notify HdL in writing as soon as possible in the event
a claim is either threatened or filed against the City by any governmental organization having
jurisdiction over the City or a Customer related to the Service. We also ask that the City notify HdL
in writing as soon as possible in the event a claim is either threatened or filed against the City relating
to Transactions or the Services or a fine or other penalty is assessed or threatened relating to
Transactions or the Services.
3. The City agrees that it will continue to be in full compliance with all applicable requirements of the
City's Information Security Program of VISA, the Site Data Protection Program of MasterCard, and
similar programs of other Networks, and any modifications to such programs that may occur from time
to time. Upon the request of HdL, the City shall provide HdL with documentation verifying compliance
with this Section.
4. We request that the City grant HdL the full right, power and authority to request, receive and review
any Data or records reflected in a Transaction report.
City of Tukwila
6200 Southcenter Boulevard, Tukwila WA 98188
Contract Number:
CONTRACT FOR SERVICES
This Agreement is entered into by and between the City of Tukwila, Washington, a non-charter
optional municipal code city hereinafter referred to as "the City," and HdL Companies hereinafter
referred to as "the Contractor," whose principal office is located at 120 S State College Blvd Ste 200,
Brea, CA 92821. The City and the Contractor are each individually a "Party" and collectively the
"Parties."
WHEREAS, the City has determined the need to have certain services performed for its citizens
but does not have the manpower or expertise to perform such services; and
WHEREAS, the City desires to have the Contractor perform such services pursuant to certain terms
and conditions; now, therefore,
IN CONSIDERATION OF the mutual benefits and conditions hereinafter contained, the parties
hereto agree as follows:
1. Scope and Schedule of Services to be Performed by Contractor. The Contractor shall perform
those services described on Exhibit A attached hereto and incorporated herein by this reference
as if fully set forth. In performing such services, the Contractor shall at all times comply with all
Federal, State, and local statutes, rules and ordinances applicable to the performance of such
services and the handling of any funds used in connection therewith. The Contractor shall request
and obtain prior written approval from the City if the scope or schedule is to be modified in any way.
2. Compensation and Method of Payment. The City shall pay the Contractor for services rendered
according to the rate and method set forth on Exhibit B attached hereto and incorporated herein
by this reference. The total amount to be paid shall not exceed a one-time cost of $65,000 and an
annual software user fee of $19,500 plus CPI adjustment as set forth on Exhibit B.
3. Contractor Budget. The Contractor shall apply the funds received under this Agreement within
the maximum limits set forth in this Agreement. The Contractor shall request prior approval from
the City whenever the Contractor desires to amend its budget in any way.
4. Duration of Agreement. This Agreement shall be in full force and effect for a period commencing
August 10, 2024, and ending August 9, 2026, unless sooner terminated under the provisions
hereinafter specified.
5. Independent Contractor. The Contractor and the City agree that the Contractor is an independent
contractor with respect to the services provided pursuant to this Agreement. Nothing in this
Agreement shall be considered to create the relationship of employer and employee between the
parties hereto. Neither the Contractor nor any employee of Contractor shall be entitled to any
benefits accorded City employees by virtue of the services provided under this Agreement. The
City shall not be responsible for withholding or otherwise deducting federal income tax or social
security or contributing to the State Industrial Insurance Program, or otherwise assuming the duties
of an employer with respect to the Contractor, or any employee of the Contractor.
TIS Contract for Svcs Template 02-2021 Page 1 of 10
{0 E R4877-7680-5839; 2/13175.000001/}
6. Indemnification.
A. Contractor Indemnification. The Contractor shall indemnify, defend and hold harmless the City
its officers, officials, employees, volunteers and permitted successors and assigns harmless
from any and all claims, injuries, damages, losses or suits including attorney fees (collectively,
"Losses"), in connection with any claims, demands, suits or proceedings (collectively, "Claims")
made or alleged against the City by a third party arising out of or resulting from the acts, errors
or omissions, or the intentional or negligent performance of the Contractor in performance of
this Agreement, except for injuries and damages caused by the sole negligence of the City.
B. RCW 4.24.115. However, should a court of competent jurisdiction determine that this
Agreement is subject to RCW 4.24.115, then, in the event of liability for damages arising out of
bodily injury to persons or damages to property caused by or resulting from the concurrent
negligence of the Contractor and the City, its officers, officials, employees, and volunteers,
Contractor's liability, including the duty and cost to defend, hereunder shall be only to the extent
of Contractor's negligence. It is further specifically and expressly understood that the
indemnification provided herein constitutes Contractor's waiver of immunity under Industrial
Insurance, Title 51 RCW, solely for the purposes of this indemnification. This waiver has been
mutually negotiated by the parties. The provisions of this section shall survive the expiration
or termination of this Agreement.
C. Infringement Indemnification. In addition to Contractor's obligations under Section 6.A., the
Contractor shall indemnify, defend, and hold harmless the City and its directors, officers,
employees, agents and other representatives against any Losses in connection with Claims
made or alleged against the City by a third party that the services, software or deliverables
infringes a U.S. patent, copyright or other intellectual property rights of any third party. The
foregoing indemnification obligation does not apply to any Claims or Losses arising out of or
relating to any: (a) access to or use of the software in combination with any hardware, system,
software, network or other materials or service not provided or authorized by this Agreement or
otherwise in writing by the Contractor; or (b) modification of the software other than: (i) by or
on behalf of the Contractor; or (ii) with the Contractor's written approval or in accordance with
Contractor's written specifications.
D. Mitigation. If any of the services, software or deliverables are, or in Contractor's opinion are
likely to be, claimed to infringe, misappropriate or otherwise violate any third-party intellectual
property right, or if the City's or any Authorized User's use of the services, software or
deliverables is enjoined or threatened to be enjoined, the Contractor may, at its option and sole
cost and expense:
i. obtain the right for the City to continue to use the Services, Software and Deliverables
materially as contemplated by this Agreement;
ii. modify or replace the services, software and deliverables, in whole or in part, to seek to
make the services, software and deliverables (as so modified or replaced) non-infringing,
while providing materially equivalent features and functionality; or
iii. by written notice to the City, terminate this Agreement with respect to all or part of the
Services, Software and Deliverables, and require the City to immediately cease any use of
the Services, Software and Deliverables or any specified part or feature thereof, provided
that if such termination occurs, the Contractor shall refund any prepaid fees to the City and
provide transition services free of charge.
E. Limitation of Liability. In no event will either party be liable under or in connection with this
agreement or its subject matter under any legal or equitable theory, including breach of
contract, tort (including negligence), strict liability and otherwise, for any: (i) loss of revenue or
profit; or (ii) consequential, incidental, indirect, exemplary, special, or punitive damages,
regardless of whether such persons were advised of the possibility of such losses or damages
or such losses or damages were otherwise foreseeable, and notwithstanding the failure of any
agreed or other remedy of its essential purpose. In no event shall the aggregate liability of
either party arising out of or related to this agreement exceed the greater of two times the fees
paid under the agreement or $1,000,000; provided however, the limitation of liability set forth in
this section shall not apply to: (i) Contractor's indemnification obligations for infringement
claims made or brought against the City by a third party as described herein, or (ii) damages
related to claims brought against the City due to Contractor's breach of City's data, including
but not limited to damages, penalties or other liabilities arising from government enforcement
actions or breach notification requirements. The provisions of this section shall survive the
expiration or termination of this agreement.
7. Insurance. Prior to commencing the Services, the Contractor shall procure and maintain at its sole
cost and expense at least the following insurance, covering its obligations under this Agreement.
A. Insurance Policies.
i. Commercial General Liability: With coverage of not less than $2,000,000 per
occurrence, $2,000,000 general aggregate, and $2,000,000 products-completed
operations aggregate limit, which shall cover liability arising from premises, operations,
independent contractors, products-completed operations, stop gap liability, personal injury
and advertising injury, and liability assumed under an insured contract. Commercial
General Liability insurance shall be at least as broad as ISO occurrence form CG 00 01
and shall cover liability arising from premises, operations, independent contractors,
products-completed operations, stop gap liability, personal injury and advertising injury,
and liability assumed under an insured contract. The Commercial General Liability
insurance shall be endorsed to provide a per project general aggregate limit using ISO
form CG 25 03 05 09 or an equivalent endorsement. There shall be no exclusion for
liability arising from explosion, collapse or underground property damage. The City shall
be named as an additional insured under the Contractor's Commercial General Liability
insurance policy with respect to the work performed for the City using ISO Additional
Insured endorsement CG 20 10 10 01 and Additional Insured-Completed Operations
endorsement CG 20 37 10 01 or substitute endorsements providing at least as broad
coverage.
ii. Cyber Liability Insurance: With coverage of not less than $1,000,000 per occurrence
and $5,000,000 in the annual aggregate which shall include, but not be limited to,
coverage, including defense, for the following losses or services:
(1) Breach of City's Data, including but not limited to liability arising from theft,
dissemination, and/or use of City's confidential and Personal Information as defined
by RCW 42.56.590, including but not limited to, any information about an individual
maintained by City, including: (a) any information that can be used to distinguish or
trace an individual's identity, such as name, social security number, date and place
of birth, mother's maiden name, or biometric records; and (b) any other information
that is linked or linkable to an individual, such as medical, educational, financial, and
employment information regardless of how or where the information is stored or
transmitted.
(2) Network security liability arising from: (a) the unauthorized access to, use of, or
tampering with computer systems, by an outside party, including hacker attacks or a
virus introduced by a third party; or (b) the inability of an authorized third party to gain
access to supplier systems and/or City Data, including denial of service, unless
caused by a mechanical or electrical failure; (c) introduction of any unauthorized
software computer code or virus causing damage to City Data or any other third party
data.
(3) Event management services and first-party loss expenses for a data breach response
including crisis management services, credit monitoring for individuals, public
relations, legal service advice, notification of affected parties, independent information
security forensics firm, and costs to re-secure, re-create and restore data or systems.
iii. Workers' Compensation coverage as required by the Industrial Insurance laws of the State
of Washington.
iv. Automobile Liability Insurance of a minimum combined single limit for per occurrence for
bodily injury and property damage of $1,000,000 per accident, covering all owned,
non-owned, hired and leased vehicles. Coverage shall be written on Insurance Services Office
(ISO) form CA 00 01 or a substitute form providing equivalent liability coverage. If
necessary, the policy shall be endorsed to provide contractual liability coverage.
v. Professional Liability/Errors and Omissions Insurance (including Technology Errors and
Omissions) of at least $1,000,000 per occurrence and $2,000,000 in the annual aggregate.
B. Additional Insurance Requirements.
i. If the Contractor maintains higher insurance limits than the minimums shown above, the
City shall be insured for the full available limits of Commercial General and Excess or
Umbrella liability maintained by the Contractor, irrespective of whether such limits
maintained by the Contractor are greater than those required by this Agreement or whether
any certificate of insurance furnished to the City evidences limits of liability lower than
those maintained by the Contractor.
ii. The insurance required in Section 7 shall be in a form and on terms and written by insurers
with a current A.M. Best rating of not less than A: VII. The Commercial General Liability,
Cyber Liability Insurance and Automobile Liability Insurance shall name the City as an
additional insured, and shall contain, or be endorsed to contain, that they shall be primary
insurance as respect to the City. Any insurance, self-insurance, or self-insured pool
coverage maintained by the City shall be excess of the Contractor's insurance and shall
not contribute with it.
iii. The Contractor shall provide the City with written notice of any policy cancellation within
two business days of the receipt of such notice. Contractor shall obtain replacement
insurance policies meeting the requirements of this Section 7.
iv. Failure of the Contractor to maintain the insurance as required shall constitute a material
breach of this Agreement, upon which the City may, after giving five business days' notice
to the Contractor to correct such breach, immediately terminate this Agreement.
v. The Contractor's maintenance of insurance, its scope of coverage and limits as required
herein shall not be construed to limit the liability of the Contractor to the coverage provided
by such insurance, or otherwise limit the City's recourse to any remedy available at law or
in equity.
vi. Subcontractor's Insurance. The Contractor shall cause each and every subcontractor
utilized by the Contractor in connection with the provision of Services ("Subcontractors"),
to provide insurance coverage that complies with all applicable requirements of the
Contractor-provided insurance as set forth herein, except the Contractor shall have sole
responsibility for determining the limits of coverage required to be obtained by
Subcontractors. The Contractor shall ensure the City is an additional insured on each and
every Subcontractor's Commercial General liability insurance policy, using an
endorsement at least as broad as ISO CG 20 10 10 01 for ongoing operations and CG 20
37 10 01 for completed operations.
vii. The Contractor shall furnish the City with original certificates and a copy of the amendatory
endorsements, including but not necessarily limited to the additional insured
endorsements, evidencing the insurance requirements of the Contractor before
commencement of the work. Upon request by the City, the Contractor shall furnish
certified copies of all required insurance policies, including endorsements, required in this
Agreement and evidence of all subcontractors' coverage.
8. Record Keeping and Reporting.
A. Records Maintenance. The Contractor shall maintain accounts and records, including
personnel, property, financial and programmatic records which sufficiently and properly reflect
all direct and indirect costs of any nature expended and services performed in the performance
of this Agreement and other such records as may be deemed necessary by the City to ensure
the performance of this Agreement.
B. Retention Period. These records shall be maintained for a period of seven years after
termination hereof unless permission to destroy them is granted by the office of the archivist
in accordance with RCW Chapter 40.14 and by the City.
C. Public Records Requests. The Contractor acknowledges that the City is a public entity and is
subject to the Public Records Act under Chapter 42.56 RCW. To the extent permitted by law,
the City shall treat as exempt from treatment as a public record, and shall not disclose in
response to a request made pursuant to any applicable public records law, any of the
Contractor's Confidential Information. If a request is received for records the Contractor has
submitted to the City and has identified as Confidential Information, the City will use its best
efforts to provide the Contractor with notice of the request in accordance with RCW 42.56.540
and a reasonable time within which the Contractor may seek an injunction to prohibit the City's
disclosure of the requested record. The City shall comply with any injunction or court order
requested by the Contractor which prohibits the disclosure of any such Confidential
Information; however, in the event a higher court overturns such injunction or court order, the
Contractor shall reimburse the City for any fines or penalties imposed for failure to disclose
such records. Nothing in this section prohibits the City from complying with RCW 42.56, or
any other applicable law or court order requiring the release of public records, and the City
shall not be liable to the Contractor for compliance with any law or court order requiring the
release of public records.
D. Compelled Disclosures. If either the Party or any of its Representatives is compelled by
applicable law to disclose any Confidential Information then, to the extent permitted by law,
that Party shall: (a) promptly, and prior to such disclosure, notify the other Party in writing of
such requirement so that they can seek a protective order or other remedy or waive its rights
under Section 3; and (b) provide reasonable assistance, at the Disclosing Party's cost, to the
Disclosing Party in opposing such disclosure or seeking a protective order or other limitations
on disclosure. If the Disclosing Party waives compliance or, after providing the notice and
assistance required under this section, the Receiving Party remains required by law to disclose
any Confidential Information, the Receiving Party shall disclose only that portion of the
Confidential Information that the Receiving Party is legally required to disclose. This Section
8.2 shall not apply to Subscriber's response to a request made under the Public Records Act,
Chapter 42.56 RCW.
9. Breach Notification.
A. The Contractor shall maintain a data breach plan and shall implement the procedures required
under such data breach plan on the occurrence of a data breach, in compliance with the
requirements of Washington's data breach notification law codified at RCW 42.56.590. The
Contractor shall report, in writing, to the City any data breach involving data maintained by the
Contractor on behalf of the City ("City Data") including any reasonable belief that an
unauthorized individual has accessed City Data. The report shall identify the nature of the
event, a list of the affected individuals and the types of data, and the mitigation and
investigation efforts of the Contractor. The Contractor shall make the report to the City
immediately upon discovery of the data breach, but in no event more than five business days
after discovery of the data breach. The Contractor shall provide investigation updates to the
City.
B. The Contractor shall promptly reimburse the City in full for all costs incurred by the City in any
investigation, remediation or litigation resulting from any data breach. The Contractor's duty
to reimburse the City includes but is not limited to, reimbursing to the City its cost incurred in
doing the following:
i. Notification to third parties whose information may have been or were compromised and
to regulatory bodies, law enforcement agencies or other entities as may be required by
law or contract;
ii. Establishing and monitoring call center(s) and credit monitoring and/or identity
restoration services to assist each person impacted by a data breach of a nature that, in
the City's sole discretion, could lead to identity theft; and
iii. Payment of legal fees and expenses, audit costs, fines and penalties, and other fees
imposed upon the City by a regulatory agency, court of law, or contracting partner as a
result of the data breach.
C. Upon a data breach, the Contractor is not permitted to notify affected individuals without the
express written consent of the City. Unless the Contractor is required by law to provide
notification to third parties or the affected individuals in a particular manner, the City shall
control the time, place, and manner of such notification.
10. City Data. The Contractor does not claim ownership of, and assumes no responsibility with respect
to any City Data defined as information, data, and content, in any form or medium, collected,
downloaded, or otherwise received, directly or indirectly from the City, an Authorized Personnel or
end-users by or through the Contractor's Services.
11. Audits and Inspections. The records and documents with respect to all matters covered by this
Agreement shall be subject at all times to inspection, review or audit by law during the performance
of this Agreement.
12. Termination. This Agreement may at any time be terminated by the City giving to the Contractor
30 days written notice of the City's intention to terminate the same. Failure to provide products on
schedule may result in contract termination. If the Contractor's insurance coverage is canceled for
any reason, the City shall have the right to terminate this Agreement immediately.
13. Effect of Termination or Expiration. On the expiration or earlier termination of this Agreement:
A. Each Party shall continue to hold such Confidential Information in confidence pursuant to Section
8; and
B. Each Party shall pay to the other all undisputed amounts accrued prior to and through the date
of termination of this Agreement; and
C. The provisions set forth in the following sections, and any other right or obligation of the parties
in this Agreement that, by its nature should survive termination or expiration of this Agreement,
will survive any expiration or termination of this Agreement.
D. Within 60 days following such expiration or termination, the Contractor shall deliver to the City,
in a format as requested by the City, the then most recent version of City Data maintained by
the Contractor, provided that the City has at that time paid all undisputed fees then outstanding
and any amounts payable after or as a result of such expiration or termination.
E. In the event of (i) expiration or earlier termination of this Agreement, or (ii) the City no longer
purchasing certain Services from the Contractor, if the City requests assistance in the transfer
of City Data to a different vendor's applications ("Deconversion"), the Contractor will provide
reasonable assistance. The Parties will negotiate in good faith to establish the relative roles and
responsibilities of the Parties in effecting Deconversion, as well as the appropriate date for
completion.
14. Taxes. The Contractor shall be solely responsible for the payment of any and all applicable taxes
related to the Services provided under this Agreement; if such taxes are required to be passed
through to the City by law, the same shall be duly itemized on timely billings submitted to the City
by the Contractor.
15. Waiver. A waiver of any breach by either Party shall not constitute a waiver of any subsequent
breach.
16. Third Party Beneficiaries. This Agreement is solely for the conveniences of the Parties and there
are no third party beneficiaries to this Agreement.
17. Compliance with Laws. The Consultant shall comply with all applicable federal, state, and local
laws and regulations in performing this Agreement.
18. Discrimination Prohibited. The Consultant, with regard to the work performed by it under this
Agreement, will not discriminate on the grounds of race, religion, creed, color, national origin, age,
veteran status, sex, sexual orientation, gender identity, marital status, political affiliation, the
presence of any disability, or any other protected class status under state or federal law, in the
selection and retention of employees or procurement of materials or supplies.
19. Assignment and Subcontract. The Contractor shall not assign or subcontract any portion of the
services contemplated by this Agreement without the written consent of the City.
20. Entire Agreement: Modification. This Agreement, together with attachments or addenda,
represents the entire and integrated Agreement between the City and the Contractor and
supersedes all prior negotiations, representations, or agreements written or oral. No amendment
or modification of this Agreement shall be of any force or effect unless it is in writing and signed by
the parties.
21. Severability and Survival. If any term, condition or provision of this Agreement is declared void
or unenforceable or limited in its application or effect, such event shall not affect any other
provisions hereof and all other provisions shall remain fully enforceable. The provisions of this
Agreement, which by their sense and context are reasonably intended to survive the completion,
expiration or cancellation of this Agreement, shall survive termination of this Agreement.
22. Notices. Notices to the City of Tukwila shall be sent to the following address:
City Clerk
City of Tukwila
6200 Southcenter Blvd.
Tukwila, Washington 98188
Notices to the Contractor shall be sent to the address provided by the Contractor upon the
signature line below.
23. Applicable Law: Venue: Attorney's Fees. This Agreement shall be governed by and construed
in accordance with the laws of the State of Washington. In the event any suit, arbitration, or other
proceeding is instituted to enforce any term of this Agreement, the parties specifically understand
and agree that venue shall be properly laid in King County, Washington. The prevailing party in
any such action shall be entitled to its attorney's fees and costs of suit.
24. Force Majeure. Neither Party shall be responsible for failure to fulfill its obligations hereunder or
liable for damages resulting from delay in performance as a result of war, fire, strike, pandemic, riot
or insurrection, natural disaster, delay of carriers, governmental order or regulation, complete or
partial shutdown of plant, unavailability of equipment, software, or services from suppliers, default
of a subcontractor or vendor to the Party if such default arises out of causes beyond the reasonable
control of such subcontractor or vendor, the acts or omissions of the other Party, or its officers,
directors, employees, agents, contractors, or elected officials, and/or other occurrences beyond the
Party's reasonable control ("Excusable Delay" hereunder). In the event of such Excusable Delay,
performance shall be extended on a day for day basis or as otherwise reasonably necessary to
compensate for such delay.
25. Counterparts. This Agreement may be executed in several counterparts, each of which when so
executed shall be deemed to be an original, and such counterparts shall constitute one and the
same instrument. This Amendment shall be considered properly executed by a Party if executed
by that Party and transmitted by facsimile or other electronic means including, without limitation,
SeamlessDocs or other City-approved program, Tagged Image Format Files (TIFF), or Portable
Document Format (PDF).
26. Conflict in Terms. In the event of a conflict between the terms of this Agreement and the terms
in any other document, including but not limited to all Exhibits hereto, the terms of this Agreement
shall prevail.
27. Additional Exhibits and Documents Incorporated by Reference. Exhibit C (Service Level
Agreement), Exhibit D (City of Tukwila Security Requirements), and Exhibit E (Data Protection and
Information Security Exhibit) are all attached hereto and incorporated herein by this reference. In
addition, the City of Tukwila RFP for Tax Administration Software Solution and Online Tax Filing
Software Solution, (issue date January 31, 2024), including exhibits, and the HdL Companies RFP
Response "City of Tukwila Proposal for Tax Administration and Online Filing System" dated March
29, 2024, including exhibits, are incorporated herein by this reference.
Exhibit A: Scope of Services
Exhibit B: Compensation Schedule
Exhibit C: Service Level Agreement (SLA)
Exhibit D: City of Tukwila Security Requirements
Exhibit E: Data Protection and Information Security Exhibit
** City signatures to be obtained by City Clerk's Staff ONLY. **
** Contractor signature to be obtained by sponsor staff. **
CITY OF TUKWILA
Thomas McLeod, Mayor
Date
ATTEST/AUTHENTICATED:
Andy Youn, City Clerk
APPROVED AS TO FORM:
Office of the City Attorney
CONTRACTOR:
By:
Printed Name:
Title:
Address:
Date:
Hinderliter, de Llamas & Associates
HdL Prime Software
City of Tukwila, WA
EXHIBIT A - SCOPE OF SERVICES
Consultant will provide the following Services relative to Consultant's local tax software solution.
1. Software Implementation
1.1. Consultant's responsibilities
1.1.1. Project manager - Consultant will provide a project manager (PM) to guide the software
implementation process. The primary responsibility for the Consultant PM is to ensure
successful and timely completion of each step of the software implementation schedule. The
Consultant PM will work closely with the Client's designated project manager to define the
software implementation schedule, identify Client needs and configure the software accordingly,
validate the data conversion, and provide user training.
1.1.2. IT support - Consultant will provide a dedicated IT staff member to provide IT support during
the software implementation process.
1.1.3. Management support - Consultant will assist the Client in evaluating current policies and
procedures in order to enhance operational efficiency. This may include suggestions to redesign
forms/reports, implement new processes, or adopt new strategies for improving communication
with the business community and other Client departments.
1.1.4. Training - Consultant will provide software training for Client users as defined in the fees
schedule. The timing, size and participants of each training session will be determined by the
Consultant's and Client's PMs.
1.2. Client's responsibilities
1.2.1. Project manager - Client will designate a staff member to serve as the Client's project manager
(PM). This individual must be intimately involved in the daily business processes which the
software will automate, and be empowered to make, or quickly secure from management,
decisions required for the configuration and implementation of the software. The primary
responsibility for the Client PM is to ensure that all Client responsibilities during the software
implementation process are met according to the agreed upon software implementation schedule.
The Client PM will be instrumental in the successful implementation of the software; working
closely with the Consultant PM to verify data conversion, review and approve reports, establish
business rules, and confirm configuration and behavior of the software.
1.2.2. IT support - Client will designate an IT staff member to work with Consultant staff throughout
the software implementation process. This individual must be knowledgeable about the Client's
computing environment and be authorized to access any equipment or services required for
proper access to and operation of the software.
1.3. Data Conversion - Consultant will convert the Client's existing data as provided by Client. Client
agrees to provide its current data in a format agreed upon by Consultant and Client. Acceptable
formats include Microsoft SQL Server backup file, Excel, Access, and ASCII delimited text file.
Client will provide all available documentation to assist with identifying the contents of the data files,
including but not limited to file layout documentation, database schema, and screenshots from five
(5) sample accounts. Client will provide the data a minimum of two times during the conversion
process. Client understands that the second (and any subsequent) data must be provided in the same
format and layout as the first data set. Any inconsistencies between the first and final data sets will
result in a delayed installation date and additional charges for conversion.
1.4. Schedule — The default timeline for software implementation (including "Go Live") is approximately
60 days from receipt of initial discovery materials. When the Agreement is signed by all parties,
Consultant will immediately work with the Client to establish a defined implementation schedule
which is agreeable to both Client and Consultant.
1211802. Page 1 of 4
2. Software Hosting Services — Consultant's hosting services offload the majority of IT concerns to
Consultant's hosting team; including system upgrades, hardware and software maintenance, database
management, and disaster recovery. Client will be responsible for maintaining its workstations and a
reliable internet connection. Consultant will handle the rest. Website functionality will be hosted using a
Client specific sub-domain on Consultant's special purpose hdlgov.com domain.
2.1. Workstation Specifications — Workstations will access the software through a remote application
session with Consultant's hosting service. All workstations require 4+GB Memory, 1280x1024
screen resolution, and MS Windows 10/11 operating system.
2.2. Network Specifications — Consultant's hosted service requires reliable, high speed internet
connectivity. High-speed local area network connections are always helpful, but the service will also
run without difficulty over slower WAN connections such as T1 or mobile broadband.
2.3. Printer Specifications - The software is designed to work with laser printers. A PCL compliant laser
printer is recommended. Each make and model of printer has different drivers and therefore has
slightly different results when printing. We design forms/reports using HP LaserJet printers.
3. Software Support
3.1. Client Support - Consultant will provide Client's users no charge support by telephone, email and
the web during the term of this Agreement. In the United States support is available as follows: For
customer support between the hours of 8:00 am and 5:00 pm Pacific time, Monday through Friday,
email support@hdlcompanies.com or call (909) 861-4335 and ask for software support. For urgent
off hours support before 8:00 am or after 5:00 pm Pacific time, Monday through Friday (or anytime
Saturday), email 911@hdlcompanies.com and Consultant's on call support personnel will be notified.
Please only include your name, agency and contact # in emails to 911@hdlcompanies.com. You will
be contacted as soon as possible.
3.2. Response Time — In the event that Client encounters an error and/or malfunction whereby the
software does not conform to expected behavior in accordance with the software design, Consultant
will assign one of the following severity levels and render support services in a timely manner
consistent with the urgency of the situation.
3.2.1. Severity Level 1 - a critical problem has been encountered such that the software is essentially
inoperable and without a reasonable workaround. Consultant will respond within one (1)
business hour to diagnose the problem. A response is defined as an email or call to the Client's
designated support contact. Consultant and Client will work diligently and continuously to
correct the problem as quickly as possible.
3.2.2. Severity Level 2 — a problem has been encountered that does not prevent use of the software,
but the software is not operating correctly. Consultant will diagnose the problem within 48 hours
and advise Client of any available workaround. Upon Consultant's confirmation that the
software is not operating correctly, Consultant will provide a software update to repair the defect
and confirm with Client that the update resolved the issue.
3.2.3. Severity Level 3 — a minor problem has been encountered. The software is usable but could be
improved by correction of a minor defect or addition of a usability enhancement. HdL will assess
the request within fifteen (15) business days and, depending on priorities, schedule a software
update for a future release, advise Client that the request will not be implemented, or offer the
option of implementing the request as a custom software enhancement at additional cost.
3.3. Support Policy Regarding Reports - Consultant will assist with modifications to reports as needed
during the term of this agreement. Typical report modifications require 7 to 10 business days to
complete. Very complex reports or reports required in a very short time frame may incur development
costs, in which case an estimate will be provided for approval before the work is begun.
3.4. Software Upgrades - Except to the extent that upgrades of the software include new modules or
features not previously offered as part of the software as of the date hereof, Client is entitled to
upgrades of the software within the terms of this Agreement. Additional costs may apply depending
on the extent of the upgrade. Potential additional costs include training, consulting, configuration, or
other requested services.
3.5. Out of Scope Support — Client agrees to pay additional hourly fees according to Consultant's then
current hourly rates if the Client desires Consultant's assistance for matters which are not caused by
any defects in Consultant's software.
4. Online Payment Processing
4.1. Standard Payment Processing Solution - Consultant's software includes PCI compliant payment
processing services, supporting both credit card and eCheck transactions. Consultant guarantees
continued support of the Standard Payment Processing Solution across all releases of Consultant's
software and the Standard Payment Processing Solution, at no cost to Client.
4.1.1. Payment Processing - Consultant shall provide its Services to support payments remitted to
Client. Consultant shall transmit transactions for authorization and settlement through
Consultant's certified payment processor. Funds for transactions processed by Consultant
hereunder shall be submitted to Client's designated bank account as follows: (i) no more than
two (2) business banking days after all Transactions (other than electronic Check Transactions)
that are successfully processed prior to 5:00 p.m. ET on each business banking day (e.g., a
Transaction authorized at 2:00 p.m. ET on Monday will be submitted on Wednesday; a
Transaction successfully processed at 8:00 p.m. ET on Monday will be submitted on Thursday);
and (ii) no more than five (5) business banking days for all electronic Check Transactions that
are successfully processed prior to 5:00 p.m. ET on each business banking day. Consultant makes
no representation or warranty as to when funds will be made available by Client's bank.
4.1.2. Support - Consultant shall provide Client with payment processing related customer service as
needed. Client shall timely report any problems encountered with the service. Consultant shall
promptly respond to each reported problem based on its severity, the impact on Client's operations
and the effect on the service. Consultant shall either resolve the problem or provide Client with
the information needed to enable the Client to resolve it.
4.1.3. Transaction Errors - Consultant's sole responsibility for any Transaction error or reversed
Transaction is to determine whether the result indicates a problem with Consultant's service and,
if necessary, reprocess and resubmit the Transaction without additional charge. In the event that
a Transaction is reversed or refunded to any Customer of Client, for any reason, Consultant may
offset such amount against funds remitted to Client, or invoice Client for such amount, at
Consultant's discretion. Client shall pay any such invoice within 30 days of receipt.
4.1.4. Electronic Check Authorization - If Client elects to accept electronic Checks as a form of
payment, the following subsections apply. For the purpose of this section, "checks" means
checks drawn on accounts held in the U.S. ("Check(s)").
4.1.4.1. As part of the implementation plan, Client shall select risk management controls governing
Check acceptance and assumes sole responsibility for the choice of controls.
4.1.4.2. Consultant shall provide confirmation on a submitted ABA number as part of the Service
to assist Client with the decision whether to accept a Check and shall route accepted
Checks.
4.1.4.3. Client hereby authorizes Consultant to debit the Client's financial institution account in the
amount of any returned item that is received by Consultant.
4.1.5. Client Responsibilities
4.1.5.1. As a condition to its receipt of Consultant's Standard Payment Processing Solution, Client
shall execute and deliver a payments services/merchant application with Consultant's
Standard Payment Processing Solution vendor to establish Client's merchant account for
payments processing, and any and all applications, agreements, certifications or other
documents required by Networks or other third parties whose consent or approval is
necessary for the processing of Transactions. This includes "Network" is an entity or
association that operates, under a common service mark, a system which permits
participants to authorize, route, and settle Transactions among themselves, including,
for example, networks operated by VISA USA and Mastercard, Inc., NYCE
Corporation, American Express, and Discover.
4.1.5.2. Client represents, warrants, and agrees that it does and will comply with applicable
Laws and regulations and Network rules, regulations or operating guidelines. Client
shall notify Consultant in writing as soon as possible in the event a claim is either
threatened or filed against Client by any governmental organization having
jurisdiction over Client or a Customer related to the Service. Client shall also notify
Consultant in writing as soon as possible in the event a claim is either threatened or
filed against Client relating to Transactions or the Services or a fine or other penalty
is assessed or threatened relating to Transactions or the Services.
4.1.5.3. Client represents, warrants and agrees that it is and will continue to be in full
compliance with all applicable requirements of the Client Information Security
Program of VISA, the Site Data Protection Program of MasterCard, and similar
programs of other Networks, and any modifications to such programs that may occur
from time to time. Upon the request of Consultant, Client shall provide Consultant
with documentation reasonably satisfactory to Consultant verifying compliance with
this Section.
4.1.5.4. Client hereby grants Consultant the full right, power and authority to request, receive
and review any Data or records reflected in a Transaction report. Client represents and
warrants that it has the full right and authority to grant these rights.
4.2. Custom Payment Processing Solution - Should Client require a different payment processing
solution than Consultant's designated standard solution, Client will pay an initial custom
development fee to establish the integration as well as an increase to the annual use fee to
maintain the integration across regular maintenance releases of Consultant's software and
Client's custom payment processing solution. The annual use fee does not include significant
redevelopment of the integration as may be required for major updates to Consultant's software
or Client's custom payment processing solution. Before commencing any work Consultant will
provide a statement of work (SOW) defining the scope of work to be performed, timeline for
development, and all associated costs.
EXHIBIT B — COMPENSATION SCHEDULE
1. Pricing Adjustments — All pricing listed in this Schedule will be honored during the first twelve months
of software services. Any additional/optional services needed after this period will be provided using
Consultant's current pricing schedule at the time the service is requested.
2. Software Services
2.1. One Time Costs
| Item | Price | Comments |
|---|---|---|
| Software License Fee | $37,500.00 | 5 Named users |
| WA Department of Revenue Business License Integration | $5,000.00 | Custom Integration |
| Implementation | $10,500.00 | Project management, installation, configuration, report design, training, etc. |
| Data conversion | $12,000.00 | |
| Travel Expenses | TBD | At cost |
| Training - 1 Day | Included | Additional days available at $2,000/day |
| TOTAL | $65,000 | Total one-time costs |
2.1.1. Software License Fee — Fee includes use of the software by the specified number of users and
all standard forms and reports. Additional user licenses are available for $1,500.00 license fee
plus $450 annual software use fee.
2.1.2. Data Conversion - Fee includes two (2) conversions of Client data. The first for the pre-install
environment used for testing and training, and the second at go-live. Additional conversions can
be performed, upon request, at a cost of $2,500 per conversion. Includes up to 30 hours of
developer time. Unusually complex conversions or poor data quality may require additional
effort beyond the 30 hours, which will be charged at the developer hourly rate.
2.1.3. Travel Expenses — Travel and lodging expenses are billed at cost and apply to all meetings;
including process, pre-installation, installation, training, and support. Consultant is dedicated to
conserving public funds, and ensures any travel costs are required and reasonable.
2.1.4. Customizing Services — Consultant's software is a customizable off the shelf system (COTS),
and has been designed to meet all common needs of municipalities. Should the need occur,
Consultant is available to provide custom enhancements to the software on a time and material
basis. No work shall be performed without prior written approval of Client.
2.2. Recurring Costs
| Item | Price | Comments |
|---|---|---|
| Software User Fee | $19,500 | Due at Prime Cloud core system "Go Live", and annually thereafter + CPI. Includes HdL cloud-hosted database with 5 named users. |
2.2.1. Software Use Fee — Software Use Fee is billed annually, and provides for ongoing customer
support and updates to the software.
2.2.2. Hosting Services — The fee for software hosting services is billed annually in advance, along
with the software use fee.
2.2.3. CPI — Recurring costs will be increased as of January 1st of each calendar year with reference
to the 12-month percent change in the most recently published annual Consumer Price Index for
All Urban Consumers (CPI-U), West Region, as reported by the U.S. Bureau of Labor Statistics
(the "CPI Change"). Each annual increase in the Fees will be equal to the greater of two percent
(2%) or the actual CPI Change and the lesser of ten percent (10%) or the actual CPI Change. For
example, if the actual CPI Change is 1.5%, then the annual increase will be 2%, if the actual CPI
Change is 3.5%, then the annual increase will be 3.5%, and if the actual CPI Change is 12%,
then the annual increase will be 10%.
3. Payment Processing — Consultant's Standard Payment Processing Solution will configure payment
processing services to utilize either a taxpayer funded model (service/convenience fee) or Agency funded
model, as directed by Client. Client may switch between these models upon written request to Consultant.
Fees for each of these payment processing models are detailed here.
3.1. Taxpayer funded model — Client authorizes Consultant to collect each convenience fee from the
taxpayer at time of payment.
3.1.1. Credit and debit card processing — 2.9% of transaction amount, minimum of $2.00
3.1.2. ACH/eCheck processing - $2.50 per transaction
3.1.3. ACH/eCheck returns - $0.00 per return
3.1.4. Chargebacks - $0.00 per chargeback
3.1.5. Payment Account Hosting and Maintenance - $35.00 per month
3.2. Agency funded interchange passthrough model
3.2.1. Credit and debit card processing — 2.9% of transaction amount, + $0.30 per transaction
3.2.2. ACH/eCheck processing - $0.75 per transaction
3.2.3. ACH/eCheck returns - $10.00 per return
3.2.4. Chargebacks - $25.00 per chargeback
3.2.5. Payment Account Hosting and Maintenance - $35.00 per month
3.3. Consultant reserves the right to review and adjust pricing related to payment processing services on
an annual basis. Consultant will communicate any such adjustment to Client in writing, with 60 days
advance notice. Items that will be considered in the review of fees may include, but are not limited
to: regulatory changes, card association rate adjustments, card association category changes,
bank/processor dues and assessments, average consumer payment amounts, card type utilization, and
costs of service.
3.4. Fees do not include expenses, late fees or charges, or taxes, all of which shall be the responsibility of
Client. In addition to the charges specified, Client shall be responsible for (a) all interchange and
network provider fees, (b) all dues, fees, fines and assessments established and owed by Client to Visa
and/or Mastercard, (c) for all costs and fees associated with changes to ATM protocol caused by
Client's conversion to the Services, and (d) any increase in postage charges, provided that any increase
in charges resulting from (a) through (d) shall not exceed the actual increase incurred by Consultant.
4. Payment Schedule
4.1. All one-time project costs and the first year service fees shall be paid as follows:
4.1.1. 60% shall be due within 30 days of the effective date of the Agreement.
4.1.2. 30% shall be due within 60 days of the effective date of the Agreement.
4.1.3. The final 10% shall be due within 30 days of full system delivery or first production use of the
software, whichever comes first.
4.2. Any travel and lodging expenses are billed at cost as they are incurred. Such expenses shall be due
within 30 days of the billing date.
4.3. Recurring software service fees will be invoiced each year on the anniversary of the effective date of
the Agreement, and shall be due within 30 days of the invoice date.
4.4. Payment processing service fees are invoiced monthly for the prior month's activity, and shall be due
within 30 days of the invoice date.
EXHIBIT C
SERVICE LEVEL AGREEMENT (SLA)
Service Level Agreement: The Services, in a production environment, are provided with the
service levels described in this Exhibit C. SLAs are only applicable to production environments.
SLAs will be available upon Customer's signature of Contractor's Go Live Acceptance Form for
Customer's production environment.
"Contractor" means HdL Companies.
99.9% Application Availability
Actual Application Availability % = ((Monthly Minutes (MM) minus Total Minutes Not Available
(TM)) multiplied by 100) and divided by Monthly Minutes (MM), but not including Excluded Events
Service Credit Calculation: An Outage will be deemed to commence when the Applications are
unavailable to Customer in Customer's production environment hosted by Contractor and end
when Contractor has restored availability of the Applications. Failure to meet the 99.9%
Application Availability SLA, other than for reasons due to an Excluded Event, will entitle
Customer to a credit as follows:
| Actual Application Availability % (as measured in a calendar month) | Service Credit to be applied to Customer's monthly invoice for the affected month |
|---|---|
| <99.9% to 99.75% | 10% |
| <99.75% to 98.25% | 15% |
| <98.25% to 97.75% | 25% |
| <97.75% to 96.75% | 35% |
| <96.75% | 50% |
"Outage" means the accumulated time, measured in minutes, during which Customer is unable
to access the Applications for reasons other than an Excluded Event.
"Excluded Event" means any event that results in an Outage and is caused by: (a) the acts or
omissions of Customer, its employees, customers, contractors or agents; (b) the failure or
malfunction of equipment, applications or systems not owned or controlled by Contractor,
including without limitation Customer Content, failures or malfunctions resulting from circuits
provided by Customer, any inconsistencies or changes in Customer's source environment,
including either intentional or accidental connections or disconnections to the environment; (c)
Force Majeure events; (d) expected downtime during the Maintenance Periods described below;
(e) any suspension of the Services in accordance with the terms of the Agreement to which this
Exhibit C is attached; (f) the unavailability of required Customer personnel, including as a result of
failure to provide Contractor with accurate, current contact information; or (g) using an Application
in a manner inconsistent with the Documentation for such Application.
"Maintenance Period" means scheduled maintenance periods established by Contractor to
maintain and update the Services, when downtime may be necessary, as further described below.
The Maintenance Period is used for purposes of the Service Credit Calculation; Contractor
continuously maintains the production environment on a 24x7 basis to reduce disruptions.
TIS EXH—Service Level Agreement 02-2021 Page 1 of 3
Customer Specific Maintenance Period
1. Customer will choose one of the following time zones for their Maintenance Period:
a. United States Eastern Standard Time,
b. GMT/UTC,
c. Central European Time (CET) or
d. Australian Eastern Standard Time (AEST).
2. Customer will choose one of the following days of the week for their Maintenance Period:
Saturday, Sunday, Wednesday or Thursday.
3. Contractor will use up to 6 hours in any two consecutive rolling months (specifically:
January and February; March and April; May and June; July and August; September and
October; November and December) to perform Customer Specific Maintenance,
excluding any customer requested Application updates. Downtime in excess of these six
hours will be deemed to be an Outage.
4. Customer Specific Maintenance will occur between 12 am - 6 am during Customer's
selected time zone.
5. Excluding any customer requested Application updates, Contractor will provide notice for
planned downtime via an email notice to the primary Customer contact at least seven days
in advance of any known downtime so planning can be facilitated by Customer.
6. Customer Specific Maintenance Windows also include additional maintenance windows
mutually agreed upon by Customer and Contractor.
7. In absence of instruction from Customer, Contractor will by default perform Maintenance
in the time zone where the Data Center is located.
Non-Customer Specific Maintenance Period
Contractor anticipates non-Customer Specific Maintenance to be performed with no or little (less
than three hours per month) Customer downtime. If for any reason non-Customer Specific
Maintenance requires downtime, Contractor will provide as much notice as reasonably possible
of the expected window in which this will occur. Downtime in excess of three hours per month for
Non-Customer Specific Maintenance will be deemed to be an Outage.
"Monthly Minutes (MM)" means the total time, measured in minutes, of a calendar month
commencing at 12:00 am of the first day of such calendar month and ending at 11:59 pm of the
last day of such calendar month.
"Total Minutes Not Available (TM)" means the total number of minutes during the calendar
month that the Services are unavailable as the result of an Outage.
Reporting and Claims Process: Service Credits will not be provided if: (a) Customer is in breach
or default under the Agreement at the time the Outage occurred; or (b) the Outage results from
an Excluded Event.
Contractor will provide Customer with an Application Availability report on a monthly basis for
each prior calendar month. Within 60 days of receipt of such report, Customer must request the
applicable Service Credit by written notice to Contractor. Customer waives any right to Service
Credits not requested within this time period. All performance calculations and applicable Service
Credits are based on Contractor records and data unless Customer can provide Contractor with
clear and convincing evidence to the contrary.
The Service Level Agreements in this Exhibit, and the related Service Credits, apply on a per
production environment basis. For the avoidance of doubt, Outages in one production
environment may not be added to Outages in any other production environment for purposes of
calculating Service Credits.
Customer acknowledges that Contractor manages its network traffic in part on the basis of
Customer's utilization of the Services and that changes in such utilization may impact Contractor's
ability to manage network traffic. Therefore, notwithstanding anything else to the contrary, if
Customer significantly changes its utilization of the Services from what is contracted with
Contractor and such change creates a material and adverse impact on the traffic balance of the
Contractor network, as reasonably determined by Contractor, the parties agree to cooperate, in
good faith, to resolve the issue.
Exhibit D
City of Tukwila Security Requirements
Introduction
During the term of this agreement, Contractor shall operate an information security program
designed to meet the confidentiality, integrity, and availability requirements of the service or
product being supplied. The program shall include at a minimum the following security measures.
Governance
1. Information Security Policy: Contractor shall develop, implement, and maintain an
information security policy and shall communicate the policy to all staff and contractors.
2. Information Security Accountability: Contractor shall appoint an employee of at least
manager level who shall be accountable for the overall information security program.
3. Risk Management: Contractor shall employ a formal risk assessment process to identify
security risks which may impact the products or services being supplied, and mitigate risks
in a timely manner commensurate with the risk.
Asset Management
4. Asset Inventory: Contractor shall maintain an inventory of all hardware and software
assets, including asset ownership.
5. Data Classification: Contractor shall develop, implement, and maintain a data
classification scheme and process designed to ensure that data is protected according to
its confidentiality requirements.
Supply Chain Risk Management
6. Supplier Security Assessments: Contractor shall engage in appropriate due diligence
assessments of potential suppliers which may impact the security of the services or
products being supplied.
7. Security in Supplier Agreements: Contractor shall ensure that agreements with
suppliers who may impact the security of the services or products being supplied contain
appropriate security requirements.
Human Resource Security
8. Information Security Awareness: Contractor shall develop and implement an
information security awareness program designed to ensure that all employees and
contractors receive security education as relevant to their job function.
9. Background Checks: Contractor shall conduct appropriate background checks on all
new employees based on the sensitivity of the role that they are being hired for.
Identity Management, Authentication and Access Control
10. Authentication: Contractor shall ensure that all access, by employees or contractors, to
its information systems used to provide services or products being supplied shall require
appropriate authentication controls that at a minimum will include:
TIS EXH—Security Requirements 02-2021 Page 1 of 3
a. Strong passwords or multi-factor authentication for users
b. Multi-factor authentication for all remote access
11. Authorization: Contractor shall ensure that all access to its information systems used to
provide services or products being supplied shall be approved by management.
12. Privileged Account Management: Contractor shall appropriately manage and control
privileged accounts on its information systems that at a minimum will include:
a. Use of dedicated accounts for privileged activity
b. Maintaining an inventory of privileged accounts
13. Access Termination: Contractor shall develop and maintain a process designed to
ensure that user access is revoked upon termination of employment, or contract for
contractors.
Data Security
14. Encryption: Contractor shall ensure that all laptops, mobile devices, and removable
media, including those that are owned by Contractor employees or contractors, which may
be used to store, process, or transport organizational data are encrypted at all times.
[Scoping guideline: This requirement may be removed if Contractor is not expected to
possess any confidential or sensitive organizational data]
15. Secure Disposal: Contractor shall ensure that all media which may be used to store,
process, or transport organizational data is disposed of in a secure manner. [Scoping
guideline: This requirement may be removed if Contractor is not expected to possess any
confidential or sensitive organizational data]
System Acquisition, Development and Maintenance
16. Security Requirements: Contractor shall ensure that information security requirements
are defined for all new information systems, whether acquired or developed.
17. Separation of Environments: Contractor shall ensure that development and testing
environments are separate from their production environment.
18. Data Anonymization: Contractor shall ensure that the City of Tukwila's data will not be
used in the development or testing of new systems unless the data is appropriately
anonymized.
19. Secure Coding: Contractor shall ensure that all applications are developed with secure
coding practices, including OWASP Top 10 Most Critical Web Application Security Risks.
Physical and Environmental Security
20. Risk Assessment: Contractor shall use a formal risk assessment methodology to identify
physical and environmental threats and shall implement controls to minimize the risks.
Information Protection Processes and Procedure
21. Hardening: Contractor shall develop and implement security configuration baselines for
all endpoint and network device types.
22. Network Segregation: Contractor shall segregate its network into zones based on trust
levels, and control the flow of traffic between zones.
23. Anti-Malware: Contractor shall ensure that all information systems that are susceptible
to malware are protected by up-to-date anti-malware software.
24. Wireless Access Control: Contractor shall ensure that wireless network access is
protected, including at a minimum:
a. All wireless network access should be encrypted
b. All wireless network access to the production network should be authenticated using
multi-factor authentication such as machine certificates
c. Wireless network access for personal devices and guest access should be segregated
from the production network
25. Patching: Contractor shall evaluate, test, and apply information system patches in a
timely fashion according to their risk.
26. Backup and Recovery: Contractor shall implement a backup and recovery process
designed to ensure that data can be recovered in the event of unexpected loss.
Protective Technology
27. Logging: Contractor shall ensure that security event logging requirements have been
defined, and that all information systems are configured to meet logging requirements.
28. Intrusion Detection: Contractor shall deploy intrusion detection or prevention systems
at the network perimeter.
29. URL Filtering: Contractor shall deploy tools to limit web browsing activity based on URL
categories.
30. Denial of Service Protection: Contractor shall deploy controls to detect and mitigate
denial of service attacks.
Security Continuous Monitoring
31. Security Monitoring: Contractor shall deploy automated tools to collect, correlate, and
analyze security event logs from multiple sources, and monitor them for suspected
security incidents.
32. Vulnerability Assessments: Contractor shall conduct vulnerability assessments against
all Internet-facing information systems on a regular basis, no less often than quarterly.
33. Penetration Testing: Contractor shall perform penetration tests on all web applications
and services, in accordance with standard penetration testing methodologies, on a regular
basis, no less often than annually.
Information Security Incident Management
34. Incident Response: Contractor shall develop, implement, and maintain an information
security incident response process, and will test the process on a regular basis, no less
often than annually.
Exhibit E
Data Protection and Information Security
This Data Protection and Information Security Exhibit ("Exhibit") is an attachment to the
Agreement and sets forth the data protection and information security requirements of City of
Tukwila. This Exhibit includes by reference the terms and conditions of the Agreement. In the
event of any inconsistencies between this Exhibit and the Agreement, the parties agree that the
terms and conditions of the Exhibit will prevail. Throughout the term of the Agreement and for as
long as Contractor controls, possesses, stores, transmits, or processes Confidential Information
as part of the Services provided to City of Tukwila, Contractor will comply with the requirements
set forth in this Exhibit. Any breach of this Exhibit will be deemed a material breach under the
Agreement.
1. Definitions
"Authorized Personnel" for the purposes of this Exhibit, means Contractor's employees or
subcontractors who: (i) have a need to receive or access Confidential Information or Personal
Information to enable Contractor to perform its obligations under the Agreement; and (ii) are
bound in writing with Contractor by confidentiality obligations sufficient for the protection of
Confidential Information and Personal Information in accordance with the terms and conditions
set forth in the Agreement and this Exhibit.
"Common Software Vulnerabilities" (CSV) are application defects and errors that are commonly
exploited in software. This includes but is not limited to:
(i) The CWE/SANS Top 25 Programming Errors — see http://cwe.mitre.org/top25/ and
http://www.sans.org/top25-software-errors/
(ii) The Open Web Application Security Project's (OWASP) "Top Ten Project" — see
http://www.owasp.org
"Confidential Information" means certain non-public proprietary information that has economic
value and is protected with reasonable safeguards to maintain its secrecy. Confidential
Information may include, but is not limited to any financial data, business and other plans,
specifications, equipment designs, electronic configurations, design information, product
architecture algorithms, quality assurance plans, inventions (whether or not the subject of pending
patent applications), ideas, discoveries, formulae, models, requirements, standards, trade and
manufacturing secrets, drawings, samples, devices, demonstrations, technical information, all
Personal Information as defined in RCW 42.56.590 that come within the Contractor's possession
in the course of performance under this Agreement, as well as any and all intellectual and
industrial property rights contained therein or in relation thereto; provided that, Personal
Information shall remain Confidential Information even if at the time of disclosure or collection, or
later, it is or becomes known to the public.
"Industry Standards" mean generally recognized industry standards, best practices, and
benchmarks including but not limited to:
(i) Payment Card Industry Data Security Standards ("PCI DSS") — see
http://www.pcisecuritystandards.org/
(ii) National Institute for Standards and Technology — see http://csrc.nist.gov/
(iii) ISO / IEC 27000-series — see http://www.iso27001security.com/
TIS EXH—Data Protection and Info Security 02-2021 Page 1 of 10
(iv) COBIT 5 — http://www.isaca.org/cobit/
(v) Cyber Security Framework — see http://www.nist.gov/cyberframework/
(vi) Cloud Security Alliance — see https://cloudsecurityalliance.org/
(vii) Other standards applicable to the services provided by Contractor to City of Tukwila
"Information Protection Laws" mean all local, state, federal and international laws, standards,
guidelines, policies, regulations and procedures applicable to Contractor or City of Tukwila
pertaining to data security, confidentiality, privacy, and breach notification.
"Personal Information" also known as Personally Identifiable Information (PII), is defined in RCW
42.56.590 and includes information of City of Tukwila customers, employees and subcontractors
or their devices gathered or used by Contractor that can be used on its own or combined with
other information to identify, contact, or locate a person, or to identify an individual or his or her
device in context. Examples of Personal Information include name, social security number or
national identifier, biometric records, driver's license number, device identifier, IP address, MAC
address, either alone or when combined with other personal or identifying information which is
linked or linkable to a specific individual or device, such as date and place of birth, mother's
maiden name, etc.
"Security Incident" is any actual or suspected occurrence of:
(i) Unauthorized access, use, alteration, disclosure, loss, theft of, or destruction of
Confidential Information or the systems / storage media containing Confidential
Information
(ii) Illicit or malicious code, phishing, spamming, spoofing
(iii) Unauthorized use of, or unauthorized access to, Contractor's systems
(iv) Inability to access Confidential Information or Contractor systems as a result of a
Denial of Service (DOS) or Distributed Denial of Service (DDOS) attack
(v) Loss of Confidential Information due to a breach of security
"Security Vulnerability" is an application, operating system, or system flaw (including but not
limited to associated process, computer, device, network, or software weakness) that can be
exploited resulting in a Security Incident.
2. Roles of the Parties and Compliance with Information Protection Laws
As between City of Tukwila and Contractor, City of Tukwila shall be the principal and Contractor
shall be its agent with respect to the collection, use, processing and disclosure of all Confidential
Information. The Parties shall comply with their respective obligations as the principal (e.g., data
owner/controller/covered entity) and agent (e.g., data processor/business associate/trading
partner) under all Information Protection Laws. The Parties acknowledge that, with respect to all
Confidential Information processed by Contractor for the purpose of providing the Services under
this Agreement:
a. City of Tukwila shall determine the scope, purpose, and manner in which such
Confidential Information may be accessed or processed by Contractor, and Contractor
shall limit its access to or use of Confidential Information to that which is necessary to
provide the Services, comply with applicable laws, or as otherwise directed by City of
Tukwila;
b. Each party shall be responsible for compliance with Information Protection Laws in
accordance with their respective roles; and
c. Contractor and City of Tukwila shall implement the technical and organizational
measures specified in this Exhibit and any additional procedures agreed upon pursuant
to a Statement of Work ("SOW") to protect Confidential Information against unauthorized
use, destruction or loss, alteration, disclosure or access.
3. General Security Requirements
Contractor will have an information security program that has been developed, implemented and
maintained in accordance with Industry Standards. At a minimum, Contractor's information
security program will include, but not be limited to, the following elements:
3.1 Information Security Program Management. Contractor will have or assign a qualified
member of its workforce or commission a reputable third-party service provider to be
responsible for the development, implementation and maintenance of Contractor's
enterprise information security program.
3.2 Policies and Standards. To protect City of Tukwila Confidential Information, Contractor
will implement and maintain reasonable security that complies with Information Protection
Laws and meets data security Industry Standards.
a. Security Policies and Standards. Contractor will maintain formal written information
security policies and standards that:
(i) Define the administrative, physical, and technological controls to protect the
confidentiality, integrity, and availability of Confidential Information, City of Tukwila
systems, and Contractor systems (including mobile devices) used in providing
Services to City of Tukwila
(ii) Encompass secure access, retention, and transport of Confidential Information
(iii) Provide for disciplinary or legal action in the event of violation of policy by
employees or Contractor subcontractors and vendors
(iv) Prevent unauthorized access to City of Tukwila data, City of Tukwila systems, and
Contractor systems, including access by Contractor's terminated employees and
subcontractors
(v) Employ the requirements for assessment, monitoring and auditing procedures to
ensure Contractor is compliant with the policies
(vi) Conduct an annual assessment of the policies, and upon City of Tukwila written
request, provide attestation of compliance.
b. In the SOW or other document, Contractor will identify to City of Tukwila all third-party
vendors (including those providing subcontractors to Contractor) involved in the
provision of the Services to City of Tukwila, and will specify those third-party vendors
that will have access to Confidential Information.
3.3 Security and Privacy Training. Contractor, at its expense, will train new and existing
employees and subcontractors to comply with the data security and data privacy obligations
under this Agreement and this Exhibit. Ongoing training is to be provided at least annually
and more frequently as appropriate or requested by City of Tukwila. City of Tukwila may
provide specific training material to Contractor to include in its employee/subcontractor
training.
3.4 Access Control. Contractor will ensure that City of Tukwila Confidential Information will be
accessible only by Authorized Personnel after appropriate user authentication and access
controls (including but not limited to two-factor authentication) that satisfy the requirements
of this Exhibit. Each Authorized Personnel shall have unique access credentials and shall
receive training which includes a prohibition on sharing access credentials with any other
person. Contractor should maintain access logs relevant to City of Tukwila Confidential
Information for a minimum of six years or other mutually agreed upon duration.
3.5 Data Backup. The parties shall agree in an SOW or other document upon the categories
of City of Tukwila Confidential Information that are required to be backed up by Contractor.
Unless otherwise agreed to in writing by City of Tukwila, backups of City of Tukwila
Confidential Information shall reside solely in the United States. For the orderly and timely
recovery of Confidential Information in the event of a service interruption:
a. Contractor will store a backup of Confidential Information at a secure offsite facility and
maintain a contemporaneous backup of Confidential Information on-site to meet needed
data recovery time objectives.
b. Contractor will encrypt and isolate all City of Tukwila backup data on portable media
from any backup data of Contractor's other customers.
3.6 Business Continuity Planning (BCP) and Disaster Recovery (DR). Contractor will
maintain an appropriate business continuity and disaster recovery plan to enable Contractor
to adequately respond to, and recover from, business interruptions involving City of Tukwila
Confidential Information or services provided by Contractor to City of Tukwila.
a. At a minimum, Contractor will test the BCP and DR plan annually, in accordance with
Industry Standards, to ensure that the business interruption and disaster objectives set
forth in this Exhibit have been met and will promptly remedy any failures. Upon City of
Tukwila's request, Contractor will provide City of Tukwila with a written summary of the
annual test results.
b. In the event of a business interruption that activates the BCP and DR plan affecting the
Services or Confidential Information of City of Tukwila, Contractor will notify City of
Tukwila's designated Security Contact as soon as possible.
c. Contractor will allow City of Tukwila or its authorized third party, upon a minimum of 30
days' notice to Contractor's designated Security Contact, to perform an assessment of
Contractor's BCP and DR plan once annually, or more frequently if agreed to in an SOW
or other document. Following notice provided by City of Tukwila, the parties will meet
to determine the scope and timing of the assessment.
3.7 Network Security. Contractor agrees to implement and maintain network security controls
that conform to Industry Standards including but not limited to the following:
a. Firewalls. Contractor will utilize firewalls to manage and restrict inbound, outbound and
internal network traffic to only the necessary hosts and network resources.
b. Network Architecture. Contractor will appropriately segment its network to only allow
authorized hosts and users to traverse areas of the network and access resources that
are required for their job responsibilities.
c. Demilitarized Zone (DMZ). Contractor will ensure that publicly accessible servers are
placed on a separate, isolated network segment typically referred to as the DMZ.
d. Wireless Security. Contractor will ensure that its wireless network(s) only utilize strong
encryption, such as WPA2.
e. Intrusion Detection/Intrusion Prevention (IDS/IPS) System. Contractor will have an IDS
and/or IPS in place to detect inappropriate, incorrect, or anomalous activity and
determine whether Contractor's computer network and/or server(s) have experienced
an unauthorized intrusion.
3.8 Application and Software Security. Contractor, should it provide software applications or
Software as a Service (SaaS) to City of Tukwila, agrees that its product(s) will remain secure
from Software Vulnerabilities and, at a minimum, incorporate the following:
a. Malicious Code Protection. Contractor's software development processes and
environment must protect against malicious code being introduced into its product(s)
future releases and/or updates.
b. Application Level Security. Contractor must use a reputable third party to conduct
static/manual application vulnerability scans on the application(s) software provided to
City of Tukwila for each major code release or at the time of contract renewal. An
internally produced static/manual test from the Contractor will not be accepted. Results
of the application testing will be provided to City of Tukwila in a summary report and
vulnerabilities categorized as Very High, High or that have been identified as part of the
OWASP Top 10 and SANS Top 25 within 10 weeks of identification.
c. Vulnerability Management. Contractor agrees at all times to provide, maintain and
support its software and subsequent updates, upgrades, and bug fixes such that the
software is and remains secure from Common Software Vulnerabilities.
d. Logging. Contractor software that controls access to Confidential Information must log
and track all access to the information.
e. Updates and Patches. Contractor agrees to promptly provide updates and patches to
remediate Security Vulnerabilities that are exploitable. Upon City of Tukwila's request,
Contractor shall provide information on remediation efforts of known Security
Vulnerabilities.
3.9 Data Security. Contractor agrees to preserve the confidentiality, integrity and accessibility
of City of Tukwila Confidential Information with administrative, technical and physical
measures that conform to Industry Standards that Contractor then applies to its own
systems and processing environment. Unless otherwise agreed to in writing by City of
Tukwila, Contractor agrees that any and all City of Tukwila Confidential Information will be
stored, processed, and maintained solely on designated systems located in the continental
United States. Additionally:
a. Encryption. Contractor agrees that all City of Tukwila Confidential Information and
Personal Information will be encrypted with a Federal Information Processing Standard
(FIPS) compliant encryption product, also referred to as 140-2 compliant. Symmetric
keys will be encrypted with a minimum of 128-bit key and asymmetric encryption
requires a minimum of 1024 bit key length. Encryption will be utilized in the following
instances:
• City of Tukwila Confidential Information and Personal Information will be stored on
any portable computing device or any portable storage medium.
• City of Tukwila Confidential Information and Personal Information will be
transmitted or exchanged over a public network.
b. Data Segregation. Contractor will segregate City of Tukwila Confidential Information
and Personal Information from Contractor's data and from the data of Contractor's other
customers or third parties.
3.10 Data Re-Use. Contractor agrees that any and all data exchanged shall be used expressly
and solely for the purposes enumerated in the Agreement. Data shall not be distributed,
repurposed or shared across other applications, environments, or business units of
Contractor. Contractor further agrees that no Confidential Information of any kind shall be
transmitted, exchanged or otherwise passed to other parties except on a case-by-case basis
as specifically agreed to in writing by City of Tukwila.
3.11 Data Destruction and Data Retention. Upon expiration or termination of this Agreement
or upon City of Tukwila's written request, Contractor and its Authorized Personnel will
promptly return to City of Tukwila all City of Tukwila Confidential Information and/or securely
destroy City of Tukwila Confidential Information. At a minimum, destruction of data activity
is to be performed according to the standards enumerated by the National Institute of
Standards, Guidelines for Media Sanitization — see http://csrc.nist.gov/. If destroyed, an
officer of Contractor must certify to City of Tukwila in writing within 10 business days all
destruction of City of Tukwila Confidential Information. If Contractor is required to retain any
City of Tukwila Confidential Information or metadata to comply with a legal requirement,
Contractor shall provide notice to both the general notice contact in the Agreement as well
as City of Tukwila's designated Security Contact.
3.12 Right to Audit. Upon a minimum of 30 days' written notice to Contractor, Contractor agrees
to allow City of Tukwila or a mutually agreed upon independent third party under a
Non-Disclosure Agreement to perform an audit of Contractor's policies, procedures, software,
system(s), and data processing environment at City of Tukwila's expense to confirm
compliance with this Exhibit. Prior to commencement of the audit, the parties will discuss
the scope of the audit and the schedule. Contractor shall provide reasonable support to the
audit team. Upon request Contractor will provide any relevant third party assessment
reports such as SOC 2, PCI DSS Report on Compliance, or ISO 27001 certification. Unless
critical issues are identified during the audit, such audits will be restricted to once in any 12
month period. If issues are identified, Contractor shall provide a remediation plan to City of
Tukwila to remedy such issues at Contractor's expense.
3.13 Security Testing. Contractor, at its expense, will allow City of Tukwila to conduct static,
dynamic, automated, and/or manual security testing on its software products and/or
services, hardware, devices, and systems to identify Security Vulnerabilities on an ongoing
basis. Should any vulnerabilities be discovered, Contractor agrees to notify City of Tukwila
and create a mutually agreed upon remediation plan to resolve all vulnerabilities identified.
City of Tukwila has the right to request or conduct additional reasonable security testing
throughout the Term of the Agreement.
4. Security Incident / Data Breach
4.1 Security Contact. The individuals identified below shall serve as each party's designated
Security Contact for security issues under this Agreement.
City of Tukwila Security Contact:
Name
Address
Phone
Email
Contractor Security Contact:
Name
Address
Phone
Email
4.2 Requirements. Contractor will take commercially reasonable actions to ensure that City of
Tukwila is protected against any and all reasonably anticipated Security Incidents, including
but not limited to:
(i) Contractor's systems are continually monitored to detect evidence of a Security
Incident
(ii) Contractor has a Security Incident response process to manage and to take corrective
action for any suspected or realized Security Incident
(iii) Upon request Contractor will provide City of Tukwila with a copy of its Security Incident
policies and procedures. If a Security Incident affecting City of Tukwila occurs,
Contractor, at its expense and in accordance with applicable Information Protection
Laws, will immediately take action to prevent the continuation of the Security Incident.
4.3 Notification. Within eight hours of Contractor's initial awareness of a Security Incident or
other mutually agreed upon time period, Contractor will notify City of Tukwila of the incident
by calling by phone the City of Tukwila Security Contact(s) listed above.
4.4 Investigation and Remediation. Upon Contractor's notification to City of Tukwila of a
Security Incident, the parties will coordinate to investigate the Security Incident. Contractor
shall be responsible for leading the investigation of the Security Incident, but shall cooperate
with City of Tukwila to the extent City of Tukwila requires involvement in the investigation.
Contractor shall involve law enforcement in the investigation if requested by City of Tukwila.
Depending upon the type and scope of the Security Incident, City of Tukwila personnel may
participate in: (i) interviews with Contractor's employees and subcontractors involved in the
incident; and (ii) review of all relevant records, logs, files, reporting data, systems, Contractor
devices, and other materials as otherwise required by City of Tukwila.
Contractor will cooperate, at its expense, with City of Tukwila in any litigation or investigation
deemed reasonably necessary by City of Tukwila to protect its rights relating to the use,
disclosure, protection and maintenance of Confidential Information. Contractor will
reimburse City of Tukwila for actual costs incurred by City of Tukwila in responding to, and
mitigating damages caused by any Security Incident, including all costs of notice and
remediation which City of Tukwila, in its sole discretion, deems necessary to protect such
affected individuals in light of the risks posed by the Security Incident. Contractor will, at
Contractor's own expense, provide City of Tukwila with all information necessary for City of
Tukwila to comply with data breach recordkeeping, reporting and notification requirements
pursuant to Information Protection Laws. Contractor will use reasonable efforts to prevent
a recurrence of any such Security Incident. Additionally, Contractor will provide (or
reimburse City of Tukwila) for at least one year of complimentary access for one credit
monitoring service, credit protection service, credit fraud alert and/or similar services, which
City of Tukwila deems necessary to protect affected individuals in light of risks posed by a
Security Incident.
4.5 Reporting. Contractor will provide City of Tukwila with a final written incident report within
five business days after resolution of a Security Incident or upon determination that the
Security Incident cannot be sufficiently resolved.
5. Confidential Information or Personal Information
5.1 Authorized Personnel. Contractor will require all Authorized Personnel to meet
Contractor's obligations under the Agreement with respect to Confidential Information or
Personal Information. Contractor will screen and evaluate all Authorized Personnel and will
provide appropriate privacy and security training, as set forth above, in order to meet
Contractor's obligations under the Agreement. Upon City of Tukwila's written request,
Contractor will provide City of Tukwila with a list of Authorized Personnel. Contractor will
remain fully responsible for any act, error, or omission of its Authorized Personnel.
5.2 Handling of Confidential Information or Personal Information. Contractor will:
a. Keep and maintain all Confidential Information and Personal Information in strict
confidence in accordance with the terms of the Agreement
b. Use and disclose Confidential Information and/or Personal Information solely and
exclusively for the purpose for which the Confidential Information or Personal
Information is provided pursuant to the terms and conditions of the Agreement.
Contractor will not disclose Confidential Information or Personal Information to any
person other than to Authorized Personnel without City of Tukwila's prior written
consent, unless and to the extent required by applicable law, in which case, Contractor
will use best efforts to notify City of Tukwila before any such disclosure or as soon
thereafter as reasonably possible. In addition, Contractor will not produce any
Confidential Information or Personal Information in response to a non-legally binding
request for disclosure of such Personal Information.
5.3 Data and Privacy Protection Laws. Contractor represents and warrants that its collection,
access, use, storage, disposal, and disclosure of Personal Information complies with all
applicable federal, state, local and foreign data and privacy protection laws, as well as all
other applicable regulations and directives.
6. Third Party Security
6.1 Contractor will conduct thorough background checks and due diligence on any third and
fourth parties which materially impact Contractor's ability to provide the products and/or
Services to City of Tukwila as described in the Agreement.
6.2 Contractor will not outsource any work related to its products or the Services provided to
City of Tukwila in countries outside the United States of America, which have not been
disclosed in the Agreement or without prior written approval from City of Tukwila Legal and
Information Security. If Contractor desires to outsource certain work during the Term of the
Agreement, Contractor shall first notify City of Tukwila so that the parties can ensure
adequate security protections are in place with respect to the Services provided to City of
Tukwila.
7. Payment Cardholder Data
7.1 If Contractor accesses, collects, processes, uses, stores, transmits, discloses, or disposes
of City of Tukwila and/or City of Tukwila customer credit, debit, or other payment cardholder
information, Contractor agrees to the following additional requirements:
a. Contractor, at its sole expense, will comply with the Payment Card Industry Data
Security Standard ("PCI DSS"), as may be amended or changed from time to time,
including without limitation, any and all payment card industry validation actions (e.g.,
third party assessments, self-assessments, security vulnerability scans, or any other
actions identified by payment card companies for the purpose of validating Contractor's
compliance with the PCI DSS).
b. Contractor will maintain a continuous PCI DSS compliance program. Annually,
Contractor agrees to provide evidence of PCI DSS compliance in the form of a Qualified
Security Assessor ("QSA") Assessment Certificate, a PCI Report on Compliance
("ROC"), or evidence that Contractor is included on the Visa or MasterCard list of PCI
DSS Validated Service Providers.
c. Contractor will ensure that subcontractors approved by City of Tukwila, in accordance
with Section 6.2, comply with and maintain a continuous PCI DSS compliance program
if the subcontractor provides any service on behalf of Contractor that falls within PCI
DSS scope. The Subcontractor must provide evidence of PCI DSS compliance in the
form of a Qualified Security Assessor ("QSA") Assessment Certificate, a PCI Report on
Compliance ("ROC"), or evidence that Subcontractor is included on the Visa or
MasterCard list of PCI DSS Validated Service Providers.
d. Contractor will immediately notify City of Tukwila if Contractor is found to be
non-compliant with a PCI DSS requirement or if there is any breach of cardholder data
impacting City of Tukwila or its customers.
8. Changes
In the event of any change in City of Tukwila's data protection or privacy obligations due to
legislative or regulatory actions, industry standards, technology advances, or contractual
obligations, Contractor will work in good faith with City of Tukwila to promptly amend this
Exhibit accordingly.