Odyssey Contract
Address
228 Park Ave S, PMB #18249
New York, NY 10003
Address
400 E 14th ST
Des Moines, IA 50319
State of Iowa: Department of Administrative Services – Central Procurement
By (Authorized Signature) Date Signed
April 6, 2023
Printed Name and Title of Person Signing
1.1 Definitions
The following words shall be defined as set forth below:
“Acceptance” means that the Agency has determined that one or more Deliverables satisfy the
Agency’s Acceptance Tests. Final Acceptance means that the Agency has determined that all
Deliverables satisfy the Agency’s Acceptance Tests. Non-acceptance means that the Agency has
determined that one or more Deliverables have not satisfied the Agency’s Acceptance Tests.
“Acceptance Criteria” means the Specifications, goals, performance measures, testing results
and/or other criteria designated by the Agency and against which the Deliverables may be evaluated
for purposes of Acceptance or Non-acceptance thereof.
“Acceptance Tests” or “Acceptance Testing” mean the tests, reviews and other activities that are
performed by or on behalf of Agency to determine whether the Deliverables meet the Acceptance
Criteria or otherwise satisfy the Agency, as determined by the Agency in its sole discretion.
“Application Services” means the hosted applications and related Services as further defined and
described in the RFP, Proposal, and this Agreement, including any Scope of Work of or related to the
implementation or configuration of the Application Services, System(s), or related Deliverables for
the Agency’s specific needs or use.
“Bid Proposal” or “Proposal” means the Contractor’s proposal submitted in response to the RFP.
“Confidential Information” means, subject to any applicable federal, State, or local laws and
regulations, including Iowa Code Chapter 22, any confidential or proprietary information or trade
secrets disclosed by either Party (“Disclosing Party”) to the other Party (“Receiving Party”) that, at
the time of disclosure, is designated as confidential (or like designation), is disclosed in circumstances
of confidence, or would be understood by the Parties, exercising reasonable business judgment, to
be confidential. Confidential Information does not include any information that: (i) was rightfully in
the possession of the Receiving Party from a source other than the Disclosing Party prior to the time
of disclosure of the information by the Disclosing Party to the Receiving Party; (ii) was known to the
Receiving Party prior to the disclosure of the information by the Disclosing Party; (iii) was disclosed
to the Receiving Party without restriction by an independent third party having a legal right to disclose
the information; (iv) is in the public domain or shall have become publicly available other than as a
result of disclosure by the Receiving Party in violation of this Agreement or in breach of any other
agreement with the Disclosing Party; (v) is independently developed by the Receiving Party without
any reliance on Confidential Information disclosed by the Disclosing Party; (vi) is disclosed or is
required or authorized to be disclosed pursuant to law, rule, regulation, subpoena, summons, or the
order of a court, lawful custodian, governmental agency or regulatory authority, or by applicable
regulatory or professional standards; or (vii) is disclosed by the Receiving Party with the written
consent of the Disclosing Party.
“Contract” means the collective documentation memorializing the terms of the agreement between
the Agency and the Contractor identified on the Contract Declarations & Execution Page(s) and
includes the signed Contract Declarations & Execution Page(s), the Special Terms, these General
Terms for Services Contracts, any Special Contract Attachments, and all other attachments to the
Contract.
“Contractor Personnel” means employees, agents, independent contractors, or any other staff or
personnel acting on behalf of or at the direction of Contractor or any Contractor’s Contractor
performing or providing Deliverables under any General Terms.
“Customer Data” means all information, data, materials, or documents (including Confidential
Information of or belonging to any applicable Governmental Entity and Customer PII) originating with,
disclosed by, provided by, made accessible by, or otherwise obtained by or from a Governmental
Entity making purchases pursuant to any General Terms, including Authorized Contractors of the
foregoing, but in including all information, data, materials, or documents developed by or created by
Contractor, Contractor’s subcontractors, or Contractor Personnel in connection with any Deliverables
provided pursuant to any General Terms.
“Customer PII” means all Customer Data that constitutes “personal information”, “personally
identifying-information”, and/or “protected health information”, as those terms are defined by
applicable law.
“Deficiency” means a defect, flaw, anomaly, failure, omission, interruption of service, or other
problem of any nature whatsoever with respect to a Deliverable, including, without limitation, any
failure of a deliverable to conform to or meet an applicable specification. Deficiency also includes
the lack of something essential or necessary for completeness or proper functioning of a Deliverable.
“Deliverables” means all of the goods, products, services, work, work product, items, materials and
property to be created, developed, produced, delivered, performed or provided by or on behalf of,
or made available through, Contractor (or any agent, contractor or subcontractor of Contractor) in
connection with this Contract.
“Documentation” means any and all technical information, commentary, explanations, design
documents, system architecture documents, database layouts, test materials, training materials,
guides, manuals, worksheets, notes, work papers, and all other information, documentation and
materials related to or used in conjunction with the Deliverables, in any medium, including hard
copy, electronic, digital, and magnetically or optically encoded media.
“Governmental Entity” shall mean any Governmental Entity, as defined in Iowa Code Section 8A.101,
or any successor provision thereto. The term Governmental Entity includes without limitation
Participating Agencies, agencies, independent agencies, the Judicial Branch, the Legislative Branch,
courts, boards, authorities, institutions, establishments, divisions, bureaus, commissions,
committees, councils, examining boards, public utilities, offices of elective constitutional or statutory
officers, and other units, branches, or entities of government.
“Office of the Chief Information Officer” or “OCIO” means the Department of Management, Office
of the Chief Information Officer of the State of Iowa created by Iowa Code chapter 8B.
“Participating Agency” shall have the same meaning ascribed it under Iowa Code Section 8B,
including any subsequent amendments or successor provisions thereto.
“Purchasing Instrument” means documentation issued by a Governmental Entity to Contractor for
the purchase of Deliverables, including a “Purchase Order” or “Statement of Work” executed
pursuant to any General Terms, regardless of form, and which identifies the Deliverables to be
purchased and any other requirements deemed necessary by the applicable Governmental Entity,
such as compensation and delivery dates.
“RFP” means the Request for Proposals or Request for Bids (and any Addenda thereto) that was
issued to solicit the Deliverables that are subject to the Contract.
“Services” include without limitation all services performed or provided by or on behalf of, or
otherwise made available through, Contractor, Contractor’s subcontractors, or Contractor Personnel,
directly or indirectly, in connection with any General Terms, including any Software or System or any
corresponding hosting, implementation, migration, or configuration services associated therewith or
related thereto.
“Software” means any and all other software, programs, applications, modules and components, in
object code form, and all related Source Code.
“Source Code” means the human-readable source code, source program, scripts and/or
programming language, including HTML, XML, XHTML, Visual Basic, and JAVA, for or related to the
Software. Source Code includes all source code listings, instructions (including compile instructions),
programmer’s notes, commentary and all related technical information and Documentation,
including all such information and Documentation that is necessary or useful for purposes of
maintaining, repairing, or making modifications or enhancements to the Software and the Source
Code.
“Special Terms” means the Contract attachment entitled “Special Terms” that contains terms
specific to this Contract, including but not limited to the Scope of Work, contract payment terms,
and any amendments to these General Terms and Conditions for Services Contracts. If there is a
conflict between the General Terms for Services Contracts and the Special Terms, the Special Terms
shall prevail.
“State” means the State of Iowa, the Agency, and all State of Iowa agencies, boards, and
commissions, and when this Contract is available to political subdivisions, any political subdivisions
of the State of Iowa.
“System” means any system provided or otherwise made available by or through Contractor,
Contractor’s subcontractors, or Contractor Personnel, directly or indirectly, in connection with any
General Terms, including any Software, programs, or applications associated therewith or included
or incorporated therein, regardless of the method of delivery, including any Internet-enabled, Web-
based or other similar delivery method.
“Third Party” means a person or entity (including, any form of business organization, such as a
corporation, partnership, limited liability corporation, association, etc.) that is not a party to any
General Terms.
1.5 Compensation
1.5.1 Pricing
The Contractor will be compensated in accordance with the payment terms outlined in
the Contract Payment Terms and Scope of Work described in the Special Terms.
The Contractor shall submit an invoice for Deliverables rendered in accordance with this
Contract. The invoice shall comply with all applicable rules concerning payment of such
claims. The Agency shall verify the Contractor’s performance of the Deliverables outlined
in the invoice before making payment. The Agency shall pay all approved invoices in
arrears and in conformance with Iowa Code 8A.514. The Agency may pay in less than sixty
(60) days, but an election to pay in less than sixty (60) days shall not act as an implied
waiver of Iowa Code § 8A.514.
Unless otherwise agreed in writing by the parties, the Contractor shall not be entitled to
receive any other payment or compensation from the State for any Deliverables provided
by or on behalf of the Contractor under this Contract. The Contractor shall be solely
responsible for paying all costs, expenses and charges it incurs in connection with its
performance under this Contract.
1.5.2 Reimbursement Expenses
The State has established rules for limitations on reimbursement expenses. Please
reference Department of Administrative Services - State Accounting Enterprise Procedure
210-245 (accessible on the internet) for limits on travel expenses.
1.5.3.1 Contractor has failed to perform any of its duties or obligations as set forth in this
Contract; or
1.5.3.2 Any Deliverable has failed to meet or conform to any applicable Specifications or
contains or is experiencing a Deficiency.
1.5.4 No interest shall accrue or be paid to Contractor on any compensation or other amounts
withheld or retained by the Agency under this Contract.
1.5.5.1 Any sum invoiced by, or owed to, Contractor under this Contract, or
1.5.5.2 Any sum or amount owed by the State to Contractor, unless otherwise required
by law.
The Contractor agrees that this provision constitutes proper and timely notice under any
applicable laws governing setoff.
1.6 Termination
1.6.1.2 The State determines that the actions, or failure to act, of the Contractor, its
agents, employees or subcontractors have caused, or reasonably could cause,
a person’s life, health or safety to be jeopardized;
1.6.2.6 Contractor has failed to comply with any applicable international, federal, state
(including, but not limited to Iowa Code chapter 8F), or local laws, rules,
ordinances, regulations or orders when performing within the scope of this
Contract;
1.6.2.7 The Agency determines or believes the Contractor has engaged in conduct that:
(a) has or may expose the Agency or the State to material liability, or (b) has
caused or may cause a person’s life, health or safety to be jeopardized;
1.6.2.8 Contractor infringes or allegedly infringes or violates any patent, trademark,
copyright, trade dress or any other intellectual property right or proprietary
right, or Contractor misappropriates or allegedly misappropriates a trade
secret;
1.6.2.9 Contractor fails to comply with any applicable confidentiality laws, privacy laws,
or any provisions of this Contract pertaining to confidentiality or privacy; or
1.6.2.10 Any of the following has been engaged in by or occurred with respect to
Contractor or any corporation, shareholder or entity having or owning a
controlling interest in Contractor:
1.6.2.10.5 Taking any action to authorize any of the foregoing. The Agency’s
right to terminate this Contract shall be in addition to and not
exclusive of other remedies available to the Agency, and the Agency
shall be entitled to exercise any other rights and pursue any
remedies, in law, at equity, or otherwise.
1.6.3 Termination upon Notice
Following thirty (30) days written notice, the Agency may terminate this Contract in whole
or in part without penalty and without incurring any further obligation to Contractor.
Termination can be for any reason or no reason at all.
1.6.4.1 The legislature or governor fail in the sole opinion of the Agency to appropriate
funds sufficient to allow the Agency to either meet its obligations under this
Contract or to operate as required and to fulfill its obligations under this
Contract; or
terms of this Contract. The Agency shall not be liable, under any circumstances, for any of
the following:
1.6.5.2 The payment of workers’ compensation claims, which occur during the Contract
or extend beyond the date on which the Contract terminates;
1.6.5.3 Any costs incurred by Contractor in its performance of the Contract, including,
but not limited to, startup costs, overhead or other costs associated with the
performance of the Contract;
1.6.5.4 Any damages or other amounts associated with the loss of prospective profits,
anticipated sales, goodwill, or for expenditures, investments or commitments
made in connection with this Contract;
1.6.5.5 Any taxes Contractor may owe in connection with the performance of this
Contract, including, but not limited to, sales taxes, excise taxes, use taxes,
income taxes or property taxes.
1.6.6.1 Cease work under this Contract and take all necessary or appropriate steps to
limit disbursements and minimize costs, and furnish a report within thirty (30)
days of the date of notice of termination, describing the status of all work
performed under the Contract and such other matters as the Agency may
require.
1.6.6.2 Immediately cease using and return to the Agency any property or materials,
whether tangible or intangible, provided by the Agency to Contractor.
1.6.6.3 Cooperate in good faith with the Agency and its employees, agents and
independent contractors during the transition period between the notification
of termination and the substitution of any replacement service provider.
1.6.6.4 Immediately return to the Agency any payments made by the Agency for
Deliverables that were not rendered or provided by Contractor.
1.6.6.5 Immediately deliver to the Agency any and all Deliverables for which the Agency
has made payment (in whole or in part) that are in the possession or under the
control of the Contractor or its agents or subcontractors in whatever stage of
development and form of recordation such property is expressed or embodied
at that time.
Contractor may only terminate this Contract for the breach by the Agency of any material
term, condition or provision of this Contract, if such breach is not cured within sixty (60)
days of the Agency’s receipt of Contractor’s written notice of breach.
1.7.3 Subpoena
In the event that a subpoena or other legal process is served upon the Contractor for
records containing confidential information, the Contractor shall promptly notify the
Agency and cooperate with the Agency in any lawful effort to protect the confidential
information.
1.7.5 If Contractor requests confidential treatment with respect to any information or material
contained within its Bid Proposal and if a judicial or administrative proceeding is initiated
to compel the release of such material, Contractor shall, at its sole expense, appear in the
proceeding or otherwise obtain an order restraining the release of such material from a
court of competent jurisdiction. Agency may release the information or material with or
without advance notice to Contractor if no judicial or administrative proceeding is initiated
and Agency determines the information or material is not confidential under Iowa or other
applicable law, or if Contractor failed to properly request confidential treatment under the
RFP, or if Contractor rescinds its request for confidential treatment.
1.8.1.2 Any negligent, intentional or wrongful act or omission of the Contractor or any
agent or subcontractor utilized or employed by the Contractor;
1.8.1.4 Any failure by the Contractor to make all reports, payments and withholdings
required by federal and state law with respect to social security, employee
income and other taxes, fees or costs required by the Contractor to conduct
business in the State of Iowa;
renewals and extensions), and (b) neither party will be liable for consequential, incidental,
indirect, special, or punitive damages; provided, however, under no circumstances shall
the foregoing limitation or any other provision in this Contract that either limits
Contractor’s liability or provides for sole or exclusive remedies apply to any losses,
damages, expenses, costs, settlement amounts, legal fees, judgments, actions, claims, or
any other liability arising out of or relating to:
Claims arising under this Agreement calling for indemnification of the State or for third-
party claims against the State for bodily injury to persons or for damage to real or tangible
personal property caused by Contractor’s negligence or willful conduct.
1.9 Insurance
Type of Insurance | Limit | Amount
General Liability (including contractual liability) written on an occurrence basis | General Aggregate | $2 million
 | Products – Comp/Op Aggregate | $1 Million
 | Personal injury | $1 Million
 | Each Occurrence | $1 Million
Automobile Liability (including contractual liability) written on an occurrence basis | Combined single limit | $1 Million
Excess Liability, umbrella form | Each Occurrence | $1 Million
 | Aggregate | $1 Million
Errors and Omissions Insurance | Each Occurrence | $1 Million
Property Damage | Each Occurrence | $1 Million
 | Aggregate | $1 Million
Workers Compensation and Employer Liability | As Required by Iowa law | As required by Iowa law
meeting. Records of such reports and other communications issued in writing during the
course of Contract performance shall be maintained by each party.
1.10.3 Reports
At the next scheduled meeting after which any party has identified in writing a problem,
the party responsible for resolving the problem shall provide a report setting forth
activities undertaken, or to be undertaken, to resolve the problem, together with the
anticipated completion dates of such activities. Any party may recommend alternative
courses of action or changes that will facilitate problem resolution. For as long as a
problem remains unresolved, written reports shall identify:
1.10.3.1 Any event not within the control of the Contractor or the Agency that accounts
for the problem;
1.10.3.4 Any request or demand by one party that another party believes is not included
within the terms of this Contract.
1.10.5.1 Written Request: The Agency shall specify in writing the desired modifications
to the same degree of specificity as in the original Scope of Work.
1.10.5.2 The Contractor’s Response: The Contractor shall submit to the Agency a firm
cost proposal for the requested change order within five (5) business days of
receiving the change order request.
1.10.5.3 Acceptance of the Contractor Estimate: If the Agency accepts the cost proposal
presented by the Contractor, the Contractor shall provide the modified
Deliverable subject to the cost proposal included in the Contractor response.
The Contractor’s provision of the modified deliverables shall be governed by the
terms and conditions of this Contract.
1.10.5.4 Adjustment to Compensation: The parties acknowledge that a change order for
this Contract may or may not entitle the Contractor to an equitable adjustment
in the Contractor’s compensation or the performance deadlines under this
Contract.
Contractor may not collect, access or use State Intellectual Property for any purpose other
than as specified in this Contract. Upon expiration or termination of this Contract,
Contractor shall return or destroy all State Intellectual Property and all copies thereof, and
Contractor shall have no further right or license to such State Intellectual Property.
1.12.2 Waiver
To the extent any of Contractor’s rights in any Customer-Owned Deliverables are not
subject to assignment or transfer hereunder, including any moral rights and any rights of
attribution and of integrity, Contractor hereby irrevocably and unconditionally waives all
such rights and enforcement thereof and agrees not to challenge the State’s rights in and
to the Customer-Owned Deliverables.
1.12.3 Contractor Intellectual Property
As between the parties hereto, Contractor and its third-party suppliers are and shall remain
the sole owners of all intellectual property rights in the System, the Application Services,
all intellectual property underlying the System and Application Services, and all intellectual
property used to produce the other Deliverables pursuant to this Contract (but provided
that the State will still own the ultimate Customer-Owned Deliverables, if any, and
Customer Property that are produced pursuant to this Contract). The State’s rights in the
Application Services are limited to the license set forth in Section 2.10.2 of this Contract.
The State and Agency shall not assert any right in Contractor’s intellectual property other
than the license expressly granted in this Contract and shall not use or attempt to use the
Application Services in excess of the scope of license granted by this Contract. The State
and Agency shall not acquire any other rights in any intellectual property or Deliverables
arising out of this Contract or the performance thereof, except that Customer-Owned
Deliverables, including certain reports and the like that are created by Contractor and are
specific to the Services under this Contract, shall be the property of the Agency or the State.
In any event, Agency’s or the State’s ownership of such reports shall not transfer any
ownership rights in the System, the Application Services, or related intellectual property.
1.13 Warranties
1.13.1 Construction of Warranties Expressed in this Contract with Warranties Implied by Law
Warranties made by the Contractor in this Contract, whether: (1) this Contract
specifically denominates the Contractor's promise as a warranty; or (2) the warranty is
created by the Contractor's affirmation or promise, by a description of the Deliverables to
be provided, or by provision of samples to the Agency, shall not be construed as limiting
or negating any warranty provided by law, including without limitation, warranties that
arise through course of dealing or usage of trade. The warranties expressed in this
Contract are intended to modify the warranties implied by law only to the extent that they
expand the warranties applicable to the Deliverables provided by the Contractor. The
provisions of this section apply during the term of this Contract and any extensions or
renewals thereof.
1.13.2 Contractor represents and warrants that: (1) all Deliverables shall be wholly original with
and prepared solely by Contractor; or it owns, possesses, holds, and has received or
secured all rights, permits, permissions, licenses and authority necessary to provide the
Deliverables to the Agency hereunder and to assign, grant and convey the rights, benefits,
licenses and other rights assigned, granted or conveyed to the Agency hereunder or under
any license agreement related hereto without violating any rights of any third party; (2)
Contractor has not previously and will not grant any rights in any Deliverables to any third
party that are inconsistent with the rights granted to the Agency herein; and (3) the
Agency shall peacefully and quietly have, hold, possess, use and enjoy the Deliverables
without suit, disruption or interruption.
1.13.3 Contractor represents and warrants that: (1) the Deliverables (and all intellectual
property rights and proprietary rights arising out of, embodied in, or related to such
Deliverables); and (2) the Agency’s use of, and exercise of any rights with respect to, the
Deliverables (and all intellectual property rights and proprietary rights arising out of,
embodied in, or related to such Deliverables), do not and will not, under any
circumstances, misappropriate a trade secret or infringe upon or violate any copyright,
patent, trademark, trade dress or other intellectual property right, proprietary right or
personal right of any third party. Contractor further represents and warrants there is no
pending or threatened claim, litigation or action that is based on a claim of infringement
or violation of an intellectual property right, proprietary right or personal right or
misappropriation of a trade secret related to the Deliverables. Contractor shall inform the
Agency in writing immediately upon becoming aware of any actual, potential or
threatened claim of or cause of action for infringement or violation of an intellectual
property right, proprietary right, or personal right or misappropriation of a trade secret. If
such a claim or cause of action arises or is likely to arise, then Contractor shall, at the
Agency’s request and at the Contractor’s sole expense: (1) procure for the Agency the right
or license to continue to use the Deliverable at issue; (2) replace such Deliverable with a
functionally equivalent or superior Deliverable free of any such infringement, violation or
misappropriation; (3) modify or replace the affected portion of the Deliverable with a
functionally equivalent or superior Deliverable free of any such infringement, violation or
misappropriation; or (4) accept the return of the Deliverable at issue and refund to the
Agency all fees, charges and any other amounts paid by the Agency with respect to such
Deliverable. In addition, Contractor agrees to indemnify, defend, protect and hold
harmless the State and its officers, directors, employees, officials and agents as provided
in the Indemnification section of this Contract, including for any breach of the
representations and warranties made by Contractor in this section. The foregoing
remedies shall be in addition to and not exclusive of other remedies available to the
Agency and shall survive termination of this Contract.
1.13.4 Contractor represents and warrants that the Deliverables (in whole and in part) shall:
(1) be free from material Deficiencies; and (2) meet, conform to and operate in accordance
with all Specifications and in accordance with this Contract during the Warranty Period, as
defined in the Special Terms. During the Warranty Period Contractor shall, at its expense,
repair, correct or replace any Deliverable that contains or experiences material
Deficiencies or fails to meet, conform to or operate in accordance with Specifications
within five business days of receiving notice of such Deficiencies or failures from the
Agency or within such other period as the Agency specifies in the notice. In the event
Contractor is unable to repair, correct or replace such Deliverable to the Agency’s
satisfaction, Contractor shall refund the fees or other amounts paid for the Deliverables
and for any services related thereto. The foregoing shall not constitute an exclusive
remedy under this Contract, and the Agency shall be entitled to pursue any other available
contractual, legal or equitable remedies. Contractor shall be available at all reasonable
times to assist the Agency with questions, problems and concerns about the Deliverables,
to inform the Agency promptly of any known Deficiencies in any Deliverables, repair and
correct any Deliverables not performing in accordance with the warranties contained in
this Contract, notwithstanding that such Deliverable may have been accepted by the
Agency, and provide the Agency with all necessary materials with respect to such repaired
or corrected Deliverable.
1.13.5 Contractor represents, warrants and covenants that all services to be performed under
this Contract shall be performed in a professional, competent, diligent and workmanlike
manner by knowledgeable, trained and qualified personnel, all in accordance with the
terms and Specifications of this Contract and the standards of performance considered
generally acceptable in the industry for similar tasks and projects. In the absence of a
Specification for the performance of any portion of this Contract, the parties agree that
the applicable specification shall be the generally accepted industry standard. So long as
the Agency notifies Contractor of any services performed in violation of this standard,
Contractor shall re-perform the services at no cost to the Agency, such that the services
are rendered in the above-specified manner, or if the Contractor is unable to perform the
services as warranted, Contractor shall reimburse the Agency any fees or compensation
paid to Contractor for the unsatisfactory services.
1.13.6 Contractor represents and warrants that the Deliverables will comply with any applicable
federal, state, foreign and local laws, rules, regulations, codes, and ordinances in effect
during the term of this Contract, including applicable provisions of Section 508 of the
Rehabilitation Act of 1973, as amended, and all standards and requirements established
by the Architectural and Transportation Barriers Access Board, the Iowa Department of
Administrative Services, and Iowa Office of the Chief Information Officer.
Contractor shall correct and repair such Deliverable and submit it to the Agency within ten (10)
days of Contractor’s receipt of notice of Non-acceptance so that the Agency may re-conduct its
Acceptance Tests with respect to such Deliverable. In the event the Agency determines, after re-
conducting its Acceptance Tests with respect to any Deliverable that Contractor has attempted to
correct or repair pursuant to this section, that such Deliverable fails to satisfy its Acceptance Tests,
then the Agency shall have the continuing right, at its sole option, to:
1.14.1 Require Contractor to correct and repair such Deliverable within such period of time as the
Agency may specify in a written notice to Contractor;
1.14.2 Refuse to accept such Deliverable without penalty and without any obligation to pay any
fees or other amounts associated with such Deliverable (or receive a refund of any fees or
amounts already paid with respect to such Deliverable);
1.14.3 Accept such Deliverable on the condition that any fees or other amounts payable with
respect thereto shall be reduced or discounted to reflect, to the Agency’s satisfaction, the
Deficiencies present therein and any reduced value or functionality of such Deliverable or
the costs likely to be incurred by the Agency to correct such Deficiencies; or
1.14.4 Terminate this Contract and/or seek any and all available remedies, including damages.
Notwithstanding the provisions of Section 1.6.1 of this Contract, the Agency may terminate
this Contract pursuant to this section without providing Contractor with any notice or
opportunity to cure provided for in Section 1.6.1. The Agency’s right to exercise the
foregoing rights and remedies, including termination of this Contract, shall remain in effect
until Acceptance Tests are successfully completed to the Agency’s satisfaction and the
Agency has provided Contractor with written notice of Final Acceptance. If the Agency
determines that all Deliverables satisfy its Acceptance Tests, the Agency shall provide
Contractor with notice of Final Acceptance with respect to such Deliverables. Contractor’s
receipt of any notice of Acceptance, including Final Acceptance, with respect to any
Deliverable(s) shall not be construed as a waiver of any of the Agency’s rights to enforce the
terms of this Contract or require performance in the event Contractor breaches this Contract
or any Deficiency is later discovered with respect to such Deliverable(s).
The RFP and the Bid Proposal are incorporated into the Contract by reference, except that
no objection or amendment by the Contractor to the provisions of the RFP shall be
incorporated by reference into the Contract unless the Agency has explicitly accepted the
Contractor’s objection or amendment in writing. If there is a conflict between the
Contract, the RFP and the Bid Proposal, the conflict shall be resolved according to the
following priority, ranked in descending order: (1) the Contract; (2) the RFP; (3) the Bid
Proposal.
The Contractor, its employees, agents and subcontractors shall also comply with all
federal, state, and local laws, including any permitting and licensure requirements, in
carrying out the work performed under this Contract.
In the event Contractor contracts with third parties for the performance of any of the
Contractor obligations under this Contract as set forth in section 1.15.11, Contractor shall
take such steps as necessary to ensure such third parties are bound by the terms and
conditions contained in this section.
This funding for this Contract is not being provided through a grant from the Federal
Government.
1.15.5 Procurement
Contractor shall use procurement procedures that comply with all applicable federal,
state, and local laws and regulations.
1.15.6 Non-Exclusive Rights
This Contract is not exclusive. The Agency reserves the right to select other contractors to
provide Deliverables similar or identical to those described in the Scope of Work during
the term of this Contract.
1.15.9 Amendments
This Contract may be amended in writing from time to time by mutual consent of the
parties. Amendments to the General Terms for Services Contracts may appear in the
Special Terms.
Moines, Iowa, wherever jurisdiction is appropriate. This provision shall not be construed
as waiving any immunity to suit or liability including without limitation sovereign
immunity in State or Federal court, which may be available to the Agency or the State of
Iowa.
1.15.14 Integration
This Contract represents the entire Contract between the parties. The parties shall not rely
on any representation that may have been made which is not included in this Contract.
1.15.19 Waiver
Except as specifically provided for in a waiver signed by duly authorized representatives
of the Agency and the Contractor, failure by either party at any time to require
performance by the other party or to claim a breach of any provision of the Contract shall
not be construed as affecting any subsequent right to require performance or to claim a
breach.
1.15.20 Notice
Any and all notices, designations, consents, offers, acceptances or any other
communication provided for herein shall be given in writing by a reliable carrier which
shall be addressed to the person who signed the Contract on behalf of the party at the
address identified in the Contract Declarations & Execution Page(s) at the address
specified on the forms. Each such notice shall be deemed to have been provided:
1.15.20.2 Within one day in the case of overnight hand delivery, courier or services such
as Federal Express with guaranteed next day delivery; or,
1.15.20.3 Within five (5) days after it is deposited in the U.S. Mail in the case of registered
U.S. Mail. From time to time, the parties may change the name and address of
a party designated to receive notice. Such change of the designated person shall
be in writing to the other party and as provided herein.
1.15.22 Severability
If any provision of this Contract is determined by a court of competent jurisdiction to be
invalid or unenforceable, such determination shall not affect the validity or enforceability
of any other part or provision of this Contract.
1.15.24 Authorization
Contractor represents and warrants that:
1.15.24.1 It has the right, power and authority to enter into and perform its obligations
under this Contract.
1.15.24.2 It has taken all requisite action (corporate, statutory or otherwise) to approve
execution, delivery and performance of this Contract, and this Contract
constitutes a legal, valid and binding obligation upon itself in accordance with
its terms.
All the terms, provisions, and conditions of the Contract shall be binding upon and inure
to the benefit of the parties hereto and their respective successors, assigns and legal
representatives.
1.15.26.1 Records of financial activity shall include records that adequately identify the
source and application of funds. When the terms of this Contract require
matching funds, cash contributions made by the Contractor and third party in-
kind (property or service) contributions must be verifiable from the Contractor’s
records. These records must contain information pertaining to contract amount,
obligations, unobligated balances, assets, liabilities, expenditures, income, and
third-party reimbursements.
1.15.26.4 The Contractor shall maintain a sufficient record keeping system to provide the
necessary data for the purposes of planning, monitoring and evaluating its
program.
1.15.26.5 The Contractor shall retain all medical records for a period of six (6) years from
the last date of service for each patient; or in the case of a minor patient or
client, for a period consistent with that established by Iowa Code section
614.1(9). Client records, which are non-medical, must be maintained for a
period of five (5) years.
1.15.27.1 Contractors that expend $750,000 or more in a fiscal year in federal awards
(from all sources) shall have a single audit conducted for that year in accordance
with the provisions of OMB Uniform Administrative Requirements, Cost
Principles, and Audit Requirements. Single audits must be completed and the
data collection form and reporting package must be submitted electronically to
the Federal Audit Clearinghouse within the earlier of thirty (30) calendar days
after Contractor’s receipt of the auditor’s report(s), or nine months after the
end of the audit period. The Contractor shall submit to the Agency one (1) copy
of the separate letter to management addressing non-material findings, if
provided by the auditor, promptly following receipt by Contractor. Contractor
shall also submit one (1) copy of the final audit report to the Agency within thirty
(30) days after Contractor’s receipt thereof, if either the schedule of findings
and questioned costs or the summary schedule of prior audit findings includes
any audit findings related to federal awards provided by the Agency. The
requirements of this subsection shall apply to the Contractor as well as any
subcontractors.
1.15.27.2 If a Contractor is independently audited but is not required to submit the audit
report per the criteria in subsection 1.15.27.1 above, the Contractor shall
submit to the Agency one (1) copy of the separate letter to management
addressing non-material findings, if provided by the auditor, promptly following
receipt by Contractor. Within fifteen (15) days following Agency’s request, the
Contractor shall also submit one (1) copy of the final audit report to the Agency.
1.15.27.3 The Agency may require, at any time and at its sole discretion, that recipients of
non-federal and/or federal funds have an audit performed. The Contractor shall
submit one (1) copy of the audit report to the Agency within thirty (30) days of
its issuance, unless specific exemption is granted in writing by the Agency. The
Contractor shall submit with the audit report a copy of the separate letter to
management addressing non-material findings, if provided by the auditor. The
Contractor may be required to comply with other prescribed compliance and
review procedures.
1.15.27.4 The Contractor shall be solely responsible for the cost of any required audit
unless otherwise agreed in writing by the Agency.
the Iowa Administrative Code. The Contractor shall provide standards for service providers
who are not otherwise licensed, certified or accredited under state law or the Iowa
Administrative Code.
1.15.29 Solicitation
The Contractor represents and warrants that no person or selling agency has been
employed or retained to solicit and secure this Contract upon an agreement or
understanding for commission, percentage, brokerage or contingency excepting bona fide
employees or selling agents maintained for the purpose of securing business.
1.15.31 Counterparts
The parties agree that this Contract has been or may be executed in several counterparts,
each of which shall be deemed an original and all such counterparts shall together
constitute one and the same instrument.
1.15.33 Suspensions and Debarment
The Contractor certifies pursuant to 48 CFR Part 9 that neither it nor its principals are
presently debarred, suspended, proposed for debarment, declared ineligible, or
voluntarily excluded from participation in this Contract by any federal Agency or State
Agency. The Contractor certifies that it is not presently debarred, suspended, proposed
for debarment, declared ineligible, or voluntarily excluded from participation in any
contracts with the State of Iowa.
further instruments as may reasonably be required for carrying out the expressed
intention of this Contract.
1.15.43 Taxes
The State is exempt from Federal excise taxes, and no payment will be made for any taxes
levied on Contractor’s employee’s wages. The State is exempt from State and local sales
and use taxes on the Deliverables.
SECTION 2
Special Terms
2.1 [RESERVED]
2.2.2 Those requiring the use of targeted small businesses as subcontractors and suppliers in
connection with government contracts.
2.2.3 Those pertaining to any permitting and licensure requirements in carrying out the work
performed under any General Terms.
2.2.4 Those relating to prevailing wages, occupational safety and health standards, payment of
taxes, gift laws, and lobbying laws.
2.2.5 Applicable provisions of Section 508 of the Rehabilitation Act of 1973, as amended, including
Web Content Accessibility Guidelines (WCAG) 2.0, including any amendments thereto or any
subsequent versions thereof, and all standards and requirements established by the
Architectural and Transportation Barriers Access Board.
2.2.7 To the extent a portion of the funding used to pay for the Deliverables is being provided
through a grant from the Federal Government, any applicable federal requirements,
including those found at 2 CFR 200.
Contractor shall take such steps as necessary to ensure Contractor’s subcontractors and
Contractor Personnel are bound by the terms and conditions contained in this Section.
Notwithstanding anything in this Amendment or any General Terms to the contrary,
Contractor, Contractor subcontractors, and Contractor Personnel’s failure to fulfill any
requirement set forth in this Section shall be regarded as a material breach and the
applicable Governmental Entity may cancel, terminate, or suspend, in whole or in part any
General Terms, in whole or in part. In addition, Contractor may be declared ineligible for
future State contracts in accordance with authorized procedures or Contractor may be
subject to other sanctions as provided by law or rule.
To the extent Contractor is required to destroy Customer Data pursuant to this
Section, Customer Data shall be permanently deleted and shall not be
recoverable, in accordance with National Institute of Standards and Technology
(“NIST”)-approved methods.
2.3.1.3.3 Contractor will use best efforts not to release Customer Data pending
the outcome of any measures taken by the applicable Governmental
Entity to contest, oppose, or otherwise seek to limit such disclosure
by Contractor or any Third Party ultimately obtaining such Customer
Data. Contractor will cooperate with and provide assistance to the
applicable Governmental Entity regarding such measures.
Information to a Third Party (excluding other Governmental Entities and
Authorized Contractors) without the prior written consent of Contractor.
disclosure of Contractor’s information if a final decision of a court of
competent jurisdiction determines that the State improperly
withheld such information and that the improper withholding was
based on Contractor’s attempts to prevent public disclosure of
Contractor’s information.
2.4 Security
2.4.1 Compliance
Contractor and Contractor’s subcontractors shall comply with applicable state and federal
data security and privacy statutes, regulations, rules, and other applicable laws relating to
data security and privacy. Contractor further represents, warrants, and covenants that
Contractor and its personnel and subcontractors will ensure that the Services (including the
System and Application Services), will at all times comply with all applicable state and federal
IT standards, policies and guidelines, including, but not limited to those relating to security,
internet and the web, data backup, and the most current versions of standards and controls
provided at:
● NIST 800-53
● ISO/IEC 27001:2013
Annually throughout the Term of this Agreement, Contractor shall obtain and provide the
State with the following, at no additional cost to the State of Iowa: a) an independent, third-
party certificate of audit certifying that the Services comply with NIST 800-53, most current
version controls; b) ISO/IEC 27001: most current version of Certification; c) test or
assessment results of an independent, third party assessment of application scans using the
Open Web Application Security Project (OWASP) Top Ten List; d) test results of a penetration
test conducted by an independent, third-party firm; e) a copy of Contractor’s annual SOC 2
type 2 report (for all Trust Services Principles); and f) a Contractor produced remediation
plan resulting from items a through e, inclusive.
Upon the State’s request, Contractor shall also provide the State with a copy of a system
security plan (SSP), or other comparable report, for inspection by the State. The State shall
bear any and all costs incurred in connection with its inspection of the SSP. The State may,
in its sole discretion, utilize a third-party contractor to inspect the SSP; provided, however,
that the State shall be responsible for all costs associated with such inspection. The
inspection of the SSP shall be completed according to mutually agreeable terms and
timelines, but no less frequently than annually, unless agreed to by both parties in writing.
Contractor acknowledges and agrees that it will be subject to and bound by all of the terms
and provisions set forth in this Section and shall require and, to the extent applicable, cause
any subcontractor used by Contractor in connection with this Agreement to agree to be
subject to and bound by all of the foregoing. In addition, Contractor and its personnel and
subcontractors will ensure that all networks, servers, computer systems, hardware, IT
infrastructure and other hardware on which the Services are hosted, installed, operated,
processed, stored or otherwise located, comply with all such State of Iowa and federal IT
laws, rules, regulations, standards, policies and guidelines, and all of the other standards
and controls noted above.
2.4.2 Reporting
Contractor will notify the State of Iowa Security Operations Center at soc@iowa.gov and call
1.855.442.4357 within twenty-four (24) hours of Contractor’s discovery of any actual or
suspected breach of confidentiality, privacy or security (or any unauthorized access) with
regard to any Customer Data. Contractor shall provide such other information, including a
written report, as reasonably requested by the State.
maintain and update such assessment and plan throughout the course of any investigation
based on any findings. Contractor agrees that, unless otherwise required by law, it will not
notify any regulatory authority or any User relating to any such Security Breach on behalf of
the State of Iowa unless the State of Iowa specifically requests in writing that Contractor do
so. Contractor and the State of Iowa will work together to formulate a plan to rectify all
Security Breaches.
perform an SSAE 16 of Contractor’s operations, information security program, and/or
disaster recovery/business continuity plan, Contractor shall promptly furnish a copy of the
test report or audit report to the State of Iowa. In addition, Contractor shall disclose its non-
proprietary security processes and technical limitations to the State of Iowa, such that
adequate protection and flexibility can be attained between the State of Iowa and
Contractor. For example, Contractor shall disclose its security processes with respect to
virus checking and port sniffing to the State of Iowa such that the State of Iowa is capable of
identifying necessary compensating controls to adequately safeguard and protect its data,
information, and systems. Required testing shall also include:
• Web application scanning:
    • Before website goes to production;
    • Annually; and
    • When the system is updated.
• Vulnerability scanning/pen testing at least annually.
Security Requirements for Cryptographic Modules for all Personal Data, unless the State
of Iowa approves in writing the storage of Personal Data on a Contractor portable device.
• At no time shall any State of Iowa Confidential Information be copied, disclosed or
retained by Contractor, any subcontractor, or any party related to Contractor for
subsequent use in any transaction that does not include the State of Iowa.
Contractor shall not use any State of Iowa Confidential Information collected, processed,
stored or transmitted in connection with the Services provided under this Agreement for
any purpose other than fulfilling Contractor’s express obligations and duties under this
Agreement.
2.4.9 [RESERVED]
2.4.12 [RESERVED]
2.4.13 [RESERVED]
2.4.14 [RESERVED]
2.4.15 [RESERVED]
2.4.16 This section, and Contractor’s duties, obligations and liability shall survive termination or
expiration of this Agreement.
other industry best practices as guidance. Contractor shall promptly provide the State of
Iowa with copies of all reports and/or summaries resulting from any testing of the Plan and
with copies of all such updates to the Plan. All updates shall be subject to the requirements
of this Contract. Any future updates or revisions to the Plan shall be no less protective than
the plan in effect as of the Effective Date. Throughout the Term, Contractor shall maintain
disaster avoidance procedures designed to safeguard the State of Iowa's Confidential
Information and the data processing capability and availability of the Services.
costs and expenses (including, without limitation, the reasonable value of time of the Iowa
Attorney General’s Office and the costs, expenses and attorney fees of other counsel
retained by any Indemnitee) directly or indirectly related to, resulting from, or arising out of
such occurrence; (e) be responsible for recreating lost State of Iowa Confidential
Information in the manner and on the schedule specified by the State of Iowa without
charge to the State of Iowa; and, (f) provide to the State of Iowa a detailed plan within ten
(10) calendar days of the occurrence describing the measures Contractor will undertake to
prevent a future occurrence.
2.5.5 This section, and Contractor’s duties, obligations and liability under this Section, shall survive
termination or expiration of this Agreement.
2.9 Cooperation
The Agency shall cooperate with the Contractor in the Contractor's performance of its services
hereunder, including, without limitation, providing the Contractor with reasonable facilities and
timely access to data, information and personnel of the Agency. The Agency shall be responsible for
the performance of its personnel and agents and for the accuracy and completeness of all data and
information provided by the Agency.
2.10 Services
2.10.2 Application Services
Subject to the terms and conditions of this Agreement, Contractor grants to the State of
Iowa, State Users and their Authorized Contractors for the State of Iowa’s business activities,
including without limitation the provision of information and services to State Users, Users
(to the extent applicable), and the federal government during the Term a non-exclusive
license to: (i) access, use and, to the extent applicable, maintain and support, the Application
Services solely for the functional purposes contemplated by the Scope of Work set forth in
Section 3 hereof; and (ii) access, use, reproduce and distribute Documentation solely in
connection with the use of the Application Services pursuant to the foregoing subclause (i).
2.10.4 Software
To the extent Contractor provides or delivers any software to the State of Iowa in connection
with this Agreement for installation on the State of Iowa servers or personal computers or
laptops, the State of Iowa will have a non-exclusive license to use, maintain, modify, copy,
distribute and support the software solely in connection with its use of the Services as
contemplated hereunder. The State of Iowa shall not disassemble, decompile, or reverse
engineer the software or remove any proprietary notices thereon. The software will be
deemed part of and included in the definition of the Services.
2.10.7 [RESERVED]
2.10.8 Documentation
At no additional charge to the State of Iowa, Contractor shall provide the State of Iowa with
all Documentation relating to the Services. If the Documentation for the Services is revised
or supplemented at any time, Contractor shall promptly deliver a copy of such revised or
supplemental Documentation to the State of Iowa, at no additional cost. The State of Iowa
and State Users may, at any time, reproduce copies of all Documentation and other
materials provided by Contractor, distribute such copies to the State of Iowa personnel and
Authorized Contractors, and incorporate such copies into its own technical manuals,
provided that such reproduction relates to the State of Iowa’s and its personnel’s use of the
Services as permitted in this Agreement, and all copyright and trademark notices, if any, are
reproduced thereon. To the maximum extent available, Contractor shall deliver the
Documentation in electronic form to the State of Iowa, unless otherwise requested by the
State.
2.10.9.3 Support Not to be Withheld
Contractor will not under any circumstances withhold Support Services under this
Agreement even if there is a dispute (including but not limited to a payment
dispute) between the Parties under this Agreement.
2.11.2 Reports
The Contractor Manager and the State of Iowa Manager shall communicate at least once
every two (2) weeks (the “Status Report”). The communications shall include a conference
call or an in-person meeting (the “Status Meeting”) and a report from the appropriate
Contractor Personnel regarding:
• Overview of the Services occurring during the reporting period;
• Issues to be resolved;
• Issues resolved;
• Any other information that the State of Iowa or Contractor may, from time-to-time,
reasonably request in writing that Contractor or the State of Iowa, as the case may be,
may deem appropriate.
in writing of any change. The State of Iowa Manager shall be the only individual authorized
to approve changes or additional fees or charges under this Agreement on behalf of the
State of Iowa, which approval must be in writing.
shall be paid quarterly by Contractor directly to the State, made payable to the "Iowa Department
of Administrative Services – Central Procurement."
SECTION 3
Scope of Work
3.1.1 Contractor must administer funds for all Qualified Educational Expenses.
3.1.2 Contractor must comply with the applicable aspects of the following requirements regarding
pupil’s personally identifying information, including but not limited to:
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Iowa laws, rules, and regulations applicable to State’s current and published privacy and
security policies and procedures
3.1.3 Contractor must be liable and bear all the responsibility of and resolve any complaints or
issues a student’s representative may have towards the conduct of the evaluation and/or
any privacy or data breaches under state or federal law.
3.2.1 Services shall comply with 2023 Iowa Act (90th G.A.), HF68 (January 24, 2023).
3.2.2 Contractor shall cooperate with the State of Iowa to reach compliance with Iowa Code
Chapter 12C within 1 year from Contract execution.
3.2.3 Contractor must acquire a surety bond or other means of protection, prior to accepting
public funds and in a form acceptable to the State of Iowa, of public funds allocated under
this Contract and under control of Contractor, or any third party, until compliance with Iowa
Code Chapter 12C is accomplished.
3.2.4 Services must be operational to allow a minimum of 30 days, and preferably 60 days or
more, for parents or guardians of eligible pupils to submit an application to meet the June
30 deadline for the 2023-2024 school year. Services will continue for school years remaining
through duration of contract period.
3.2.6 Contractor must allocate funds from each pupil’s account for the payment of Qualified
Educational Expenses incurred by the pupil’s parent or guardian.
3.2.7 Contractor must have procedures in place and at all times comply with the procedures to
prevent waste, fraud, and abuse. Such procedures to be reviewed by the Agency for
approval.
3.2.8 Upon determination of a false claim for an ESA, or improper payment from an ESA, as
determined by either the Agency or the Department pursuant to 2023 Iowa Acts, House File
68, contractor shall close the pupil’s ESA. If improperly obtained amounts have been
disbursed, contractor shall immediately notify state officials and cooperate with all future
efforts and legal proceedings to recover such amounts from the parent or guardian, if
necessary.
3.2.9 Contractor must establish an individual account for that pupil in the education savings
account fund. The amount of the pupil’s education savings account payment shall be
deposited into the pupil’s individual account on July 15 or thirty days following submission
of the application, whichever is later, and such amount shall be immediately available for
the payment of Qualified Educational Expenses incurred by the parent or guardian for the
pupil during that school budget year.
3.2.10 Contractor must hold funds remaining in a pupil’s individual account upon conclusion of the
school budget year, and funds shall remain in the pupil’s individual account for the payment
of qualified educational expenses in future fiscal years during which the pupil participates
in the program until the pupil becomes ineligible under the program or until the remaining
amounts are transferred to the state general fund.
3.2.11 Offshore performance of work is prohibited. Any services that directly serve the State or its
clients and involve access to secure or sensitive data or personal client data shall be
performed within the United States. This provision applies to work performed by
subcontractors at all tiers.
3.2.12 Contractor shall provide platform user interface services, application services, customer
service, and outreach materials in both English and Spanish at a minimum, with options for
these same services in other languages as needed and requested by the state of Iowa.
3.2.13 Contractor shall coordinate with the Iowa Department of Revenue for joint application
development and/or integrations as appropriate for the purposes of income verification and
program eligibility.
3.3.1 Keep data secure. Any technology platform used for the program meets the State’s highest
security requirements, including compliance.
3.3.1.1 When Contractor evaluates their organization and produces a System and
Organization Controls 1 (SOC-1) and System and Organization Controls 2 (SOC-2)
report or similar, the Contractor shall provide this annually to the State of Iowa.
3.3.1.2 The Contractor shall immediately report within five (5) business days to the
Department of Education (contact listed in Section 5) any use or disclosure of
Confidential Information not provided for by this Contract, of which it becomes
aware. Contractor shall cooperate with the State of Iowa’s investigation, analysis,
notification and mitigation activities, and shall be responsible for all costs incurred
by the Department of Education for those activities.
3.3.1.3 Ensure that Contractor or its employees and subcontractors will not reuse, sell,
make available, or make use in any format the data researched or compiled for
this Contract for any venture, profitable or not, outside this Contract.
3.3.1.4 The Contractor shall encrypt all data at rest and in transit at minimum at 256 AES.
3.3.1.5 Storage of data at rest shall be located solely in data centers in the continental
United States.
3.3.2 Must provide the Department of Education the capability of automated clearinghouse
transactions, electronic commerce transactions, reimbursement transactions, and debit
card payments in order to meet the diverse needs of participating parents and guardians to
pay for Qualified Educational Expenses.
3.3.3.1 Allow for secure transmission of applications, to include any required supporting
documents, such as tax returns, applicable nontaxable income documents, and
documents verifying school enrollment.
3.3.3.2 Have the ability for applicants to input personal information for multiple students
in household on same application.
3.3.3.3 Provide review based on income data inputted by the applicant and identify any
need for additional document submissions from the applicants.
3.3.3.4 Compare Applicant reported income to income thresholds defined by the Client
to determine whether Applicant meets Client’s eligibility requirements.
3.3.3.6 Allow Applicant to start and stop an application mid-stream and save information
to be able to resume later.
3.3.3.7 Provide status of application within application reporting. This may include:
Submitted, Documents in Process, Does Not File, and Verified.
3.3.3.8 Allow a Client administrator to view application data, including reporting fields
related to eligibility criteria.
3.3.3.11 Provide a two-week document processing turn-around once all required
documentation is received from applicant(s).
3.3.3.12 Provide Client access to perform student level eligible school verification and
existing ESA program participation status.
3.3.3.14 Authentication
Contractor must provide a multi-factor authentication for system administrator
and service/resource accounts.
3.3.3.15 PCI-DSS
Contractor must provide attestation of ongoing compliance with PCI-DSS
requirements at least annually.
3.4 Training
Contractor shall provide live training, recorded video training, and training documents.
3.4.1.2 Content: The training will include an overview of the following topics:
• Features for the administrator portal.
• User journey for parents and parent features.
• User journey for vendors and vendor features.
• Best practices for fraud prevention.
• Best practices for record keeping and retention.
3.4.1.3 Format: Contractor will provide these trainings over Zoom or in person. A
recording and any other associated training documents (slides, handouts, etc.) will
be provided to the State of Iowa Manager.
3.4.2.1 Duration and Frequency: Contractor will provide two training sessions per week
over an eight-week period for nonpublic schools unless otherwise determined by
the Department of Education. Each training session will last, at a minimum, one
hour each unless otherwise determined by the Department of Education.
3.4.2.2 Content: The training will include an overview of the following topics and be
followed by a Q&A:
• Features for the vendor portal.
• User journey for parents and parent features, including applications.
• Best practices for fraud prevention.
• Best practices for record keeping and retention.
3.4.2.3 Format: Contractor will provide these trainings over Zoom to make them as
accessible as possible. A recording will be made accessible to new nonpublic
schools to watch as needed after the eight-week initial period.
3.4.3.1 Duration and Frequency: Contractor will provide two training sessions per week
over an eight-week period for families of pupils unless otherwise determined by
the department. Each training session will last one hour unless otherwise
determined by the department. Additionally, we will create 5 training videos for
our family users. Each video will be released publicly and will be approximately 4
minutes in length.
3.4.3.2 Content: The training will include an overview of the following topics and be
followed by a Q&A:
• Features for the parent portal.
• User journey for parents and parent features, including applications.
• Best practices for using your funds.
3.4.3.3 Format: Contractor will provide these trainings over Zoom to make them as
accessible as possible, and the videos will be hosted publicly and on YouTube.
3.5 Deliverables
Contractor shall provide all documents, services, and information required for ESA compliance
including, but not limited to:
• ESA system run as independent instance.
• Reports
• Filings
• Training
3.6 Implementation
3.6.1 Upon execution of a Contract for services, the Contractor and Agency will cooperatively
initiate implementation in accordance with the agreed upon implementation plan.
3.6.3 Milestones
Milestone 2 - Fully functional ability to accept and process nonpublic schools. This Milestone
deadline is May 31, 2023.
Achievement of milestone 3 shall be considered go live date for the purpose of payments
addressed in 4.3.1 below.
Marketing and Outreach | N/A | Implement marketing and outreach programs for families and vendors.
User / Help Guides and Troubleshooting Materials | Work with Contractor to create Iowa-specific help desk guidelines. | Create Iowa help desk documents.
Admin / Vendor / Family Portal Delivery and Beta Testing | Test Iowa Family Portal. Provide feedback. | Continual development and testing. Respond to Iowa feedback.
Final Admin / Vendor / Family Portal Delivery | Final signoff on User Acceptance Testing. | Launch Contractor site.
System Monitoring, Usability Testing, Feedback, and Additional Development (As Needed) | Monitor usage and collect qualitative and quantitative feedback from users. | Continually monitor usage.
3.6.5.1 Contractor shall provide support for inquiries from covered individuals regarding
information provided pursuant to this contract.
3.6.5.3 Call center with toll free phone number shall be located within the continental
United States.
3.6.5.4 Contractor call centers must verify customer identity for callers requesting
assistance in accordance with state of Iowa Program Manager approved
procedures.
3.6.5.5 Contractor’s staff must complete annual security awareness training including
training on social engineering.
SECTION 4
Pricing
Year 1
Application Platform $237,910.00
Fiscal Management & Payment System $154,475.00
Customer Service $189,948.75
Standalone System Fee* $100,000.00
TOTAL FEE YEAR 1 $682,333.75
Year 2
Application Platform $252,700.00
Fiscal Management & Payment System $167,000.00
Customer Service $205,350.00
Standalone System Fee* $100,000.00
TOTAL FEE YEAR 2 $729,550.00
Year 3
Application Platform $252,700.00
Fiscal Management & Payment System $167,000.00
Customer Service $205,350.00
Standalone System Fee* $100,000.00
TOTAL FEE YEAR 3 $729,550.00
*Standalone System Fee reflects additional fee agreed upon by the Parties subsequent to
submission of the Bid Proposal. Contractor will provide the State with a stand-alone instance of the
System separate from Contractor’s other clients.
Fees for extension periods of this Contract are subject to mutual agreement of the Parties and will
be discussed by the Parties in connection with the Parties’ evaluation of whether to mutually extend
this Contract (such discussion to commence reasonably in advance of the end of the then-current
term of this Contract).
4.3 Frequency of Payments
4.3.1 Year 1
4.3.1.1 Contractor will issue an invoice for the Year 1 Application System fee
($237,910.00) upon Contractor achieving go live for the Application Platform
available to Agency.
4.3.1.2 Contractor will issue an invoice for the Year 1 Fiscal Management & Payment
System fee ($154,475.00) upon Contractor achieving go live for the Fiscal
Management and Payment System available to Agency.
4.3.1.3 Contractor will issue an invoice for the Year 1 Standalone System fee
($100,000.00) at such time as both the Application Platform and Fiscal
Management & Payment System have been made available to Agency.
4.3.1.4 Contractor will issue invoices quarterly, in arrears, for the Year 1 Customer Service
fee ($47,487.18); however, no invoice for services is due to the Contractor until
accomplishment of milestone 3, as identified in 3.6.3 above. Contractor
understands services provided prior to go live date are at risk, and only become
payable upon delivery of a fully functional system.
4.3.2.1 Contractor will issue invoice for Application Platform, Fiscal Management &
Payment System, and Standalone System Fee on the anniversary date of Year 1
system acceptance.
4.3.2.2 Contractor will issue invoices quarterly, in arrears, for the Year 1 Customer Service
fee ($51,337.50).
In all cases, the State shall pay Contractor’s invoices pursuant to the terms set forth above in this
Contract.
SECTION 5
Contacts
ATTACHMENT 1
Service Levels
The following describes the performance standards and service levels to be achieved by Contractor in
providing the Services:
1.1 Definitions
Except as provided in this Attachment, capitalized terms shall have the meanings set forth in the
Agreement. The following terms, when used in this Attachment, shall have the following meanings:
“Available” means the Services shall: (a) be available for access and use over the Internet by State
of Iowa, Government Entities, State Users, and Users; and (b) provide the functionality required
under the Agreement and applicable Statement(s) of Work.
“Critical Hours” means 6:00 a.m. to 11:00 p.m. CST, Monday through Friday.
“Server” shall mean the server(s) on which the Services will be hosted.
1.2.2 Allow access to the Services over the Internet and provide secure and confidential storage
of all information transmitted to and from the Services.
1.2.3 Supply hardware, security protocols, software and communications support structure to
facilitate connection to the Internet in accordance with the requirements set forth herein.
1.2.4 Maintain a back-up server, at a geographically different site (e.g., different flood plain and
power grid) from where the Server is located, to ensure continuous service in the event of
disaster.
1.2.5 Review security notifications and alerts relevant to the hosting platform (e.g., Contractor
notifications of bugs, attacks, patches), and apply any compensating controls and remedial
measures to maintain the highest level of defense.
1.2.6 Contractor shall utilize state-of-the-art and up-to-date anti-virus and anti-malware
software, and properly configured intrusion prevention systems and firewall protection
devices in order to secure State of Iowa Confidential Information from unauthorized access
by third parties.
period set forth in this contract. Contractor shall maintain redundancy in all key components such
that service outages are less likely to occur due to individual component failures.
Contractor will monitor “heartbeat” signals of all servers, routers and leased lines, and HTTP
availability of the Server, by proactive probing at 30-second intervals 24 hours a day using an
automated tool. If a facility does not respond to a ping-like stimulus, it shall be immediately checked
again. When Contractor receives a “down” signal, or otherwise has knowledge of a failure in the
Server or the application software and/or hardware, Contractor personnel will:
1.3.1 Confirm (or disconfirm) the outage by a direct check of the facility;
1.3.2 If confirmed, take such action as may restore the service in one hour or less, or, if
determined to be a telephone company problem, open a trouble ticket with the telephone
company carrier;
1.3.3 Notify the State of Iowa by telephone or pager according to mutually agreed upon
procedures that an outage has occurred, providing such details as may be available,
including the Contractor trouble ticket number, if appropriate, and time of outage;
1.3.4 Work through the problems until resolution, escalating to appropriate management or to
engineering as required;
1.3.5 Notify the State of Iowa of final resolution, along with any pertinent findings or action taken,
and request concurrence by the State of Iowa prior to closing the applicable trouble ticket.
1.4 Backups
Contractor shall provide for both the regular back-up of standard file systems relating to the Server
and Services, and the timely restoral of such data on request by the State of Iowa due to a site failure.
In particular, Contractor shall:
1.4.3 Send back-up media to secured, off-site storage facilities with a thirty (30) day rotation of
media;
1.4.4 Retain one back-up tape per month for one year;
1.4.5 Fulfill restoral requests as directed by the State of Iowa due to site failures. Such restoral
will be performed within the interval of twelve (12) to twenty-four (24) hours depending on
the urgency of the request, and the agreed upon location of the desired backup media; and
1.4.6 If the Server or hosting location is expected to be down for more than twenty-four (24)
hours, Contractor shall immediately transfer appropriate back-up data and re-establish all
hosting operations in an appropriately functioning secondary server or location. Such
secondary server and/or location shall be subject to the State of Iowa’s approval and
consent, which shall not be unreasonably withheld.
(e.g., e-mail, phone) or, if a specific means of communication is not requested, using direct
interactive (person to person) method of communication to achieve contact with such user
(e.g., no email or automated voicemail).
1.5.5 Escalation
With respect to any Critical Support Request, until Resolved, Contractor shall escalate that
Support Request within sixty (60) minutes of Receipt to the appropriate Contractor support
personnel (as designated by Contractor), including, as applicable, Contractor’s SVP of Client
Operations.
1.6 Availability Service Level
The Application Services shall be Available for the percentage of the time each month of the Term
of the Agreement as set forth below.
“Scheduled Downtime” shall have the meaning ascribed to it in Section 8.1 of this Attachment.
“Unscheduled Downtime” shall mean an Outage that is not Scheduled Downtime.
“Scheduled Uptime” shall mean any time during a Calendar month that is not Scheduled Downtime.
“Available for Use” shall mean the ability of the Application Services to be utilized or accessed as
contemplated under the Agreement(s), including conformance to the Specifications, and without
material degradation of performance, but excluding Scheduled Downtime.
In the event at least 95% Availability during Critical Hours for the Application Services is not achieved,
then the credits shall be incurred as follows:
• 20% of monthly Application Services fees for the first month, and
• 25% of monthly Application Services fees for the second consecutive month,
• 30% of monthly Application Services fees for the third consecutive month and each consecutive
month thereafter.
1.6.2 Availability during non-Critical Hours
Service Level Metric
At a minimum, 97% Availability for the Application Services in each calendar month of the term of
the Agreement.
“Downtime,” “Outage,” “Unscheduled Downtime,” “Scheduled Downtime,” “Scheduled Uptime” and
“Available for Use” shall each have the meaning defined above.
“Availability”, for purposes of this paragraph 5.2.2, means the actual number of hours the
Application Services are Available For Use during Scheduled Uptime in a given calendar month
expressed as a percentage of Scheduled Uptime during a calendar month (i.e., Availability % =
((Number of hours the Application Services are actually Available For Use during Scheduled Uptime
– Downtime during Scheduled Uptime)/(Number of hours the Application Services are actually
Available For Use during Scheduled Uptime)) x 100%).
Service Level Credits
In the event 97% Availability for the Application Services is not achieved, but at least 93%
Availability for the Application Services is achieved, then the credits shall be incurred as follows:
• 20% of monthly Application Services fees for the first month, and
• 25% of monthly Application Services fees for the second consecutive month, and
• 30% of monthly Application Services fees for the third consecutive month and each consecutive
month thereafter.
In the event at least 93% Availability for the Application Services is not achieved, then the credits
shall be incurred as follows:
• 40% of monthly Application Services fees for the first month, and
• 45% of monthly Application Services fees for the second consecutive month, and
• 50% of monthly Application Services fees for the third consecutive month and each consecutive
month thereafter.
“Download Time” means the average time to download any page related to the Services, including
all content contained therein. Download time shall be measured using a Contractor-supplied
program, and by clock, and shall be measured to the nearest one-tenth of a second for each page,
commencing from the operative input from the user, whether by keyboard, mouse click, or any
other input device.
“KB40” means the Keynote Business 40 Internet Performance Index. In the event KB40 is
discontinued, a successor index (such as average download times for all other customers of the
Contractor) may be mutually agreed upon by the parties.
Tests of Download Times shall be conducted by Contractor over any two (2) hour period during
Critical Hours every ten (10) business day(s) using a representative number of logged-on computers
or terminals for the selected two (2) hour period, and running a representative sampling of
applications then installed. Contractor shall supply the State of Iowa with the results of these tests
on a monthly basis. Contractor further agrees to provide, at no cost to the State of Iowa,
measurement tools capable of directly making all measurements necessary to apply the Application
Services Response Time warranty in this Section.
1.10 Meetings
Contractor and the State of Iowa shall meet at least once a week to review the status of open
Support Requests, and discuss trends and issues relating to Support Requests and approaches to
reducing the number of Support Requests as well as improving both the State of Iowa and Contractor
responses to such Support Requests.
1.12.2 Where no such data exists, the Parties shall attempt in good faith to mutually agree during
a thirty (30) day period on a service level standard using industry standard measures or
third-party contractor advisory services.
Failure to achieve any of the service levels described in Section 1.5 (Service Levels) of this
Attachment shall constitute a “Service Level Failure” and Contractor shall be liable for the
Service Level Credits in the amounts set forth in Section 1.5 (Service Levels). Contractor shall
not be responsible for any Service Level Failure caused by the State of Iowa or its agents.
Contractor shall promptly notify the State of Iowa of any Service Level Failure.
The total amount of Service Level Credits that Contractor will be obligated to pay to the
State of Iowa, with respect to Service Level Failure(s) occurring each month shall be reflected
on the invoice issued in the second month following the month during which the Service
Level Failure(s) giving rise to such Service Level Credit(s) occurred. Notwithstanding the
foregoing, the calculation of such Service Level Credit(s) shall be based on the credit
amounts in effect, and the Support Services fees for, the month during which the Service
Level Failure occurred. For example, the amount of Service Level Credits payable with
respect to Service Level Failures occurring in August shall be set forth in the invoice issued
in October, but shall be calculated using August data. In the event the State of Iowa prepays
for any Services more than one month in advance, Contractor will issue refunds or credits
to the State of Iowa at the State’s sole discretion, within 5 days of the end of the month in
which the Service Level Failure occurred.
the appropriate time, skilled Contractor personnel, systems support and equipment, and/or
resources to remedy, and prevent any further occurrences of Critical Support Request issues; and
(b) time frames for implementation of the Corrective Action Plan. There shall be no additional charge
(other than those fees set forth in this Agreement(s)) for Contractor’s implementation of such
Corrective Action Plan in the time frames and manner set forth in the Corrective Action Plan.
1.16.5 Strengthen defenses everywhere, not just the suspected path that the attacker used;
1.16.6 Contact the ISP where the threat or attack originated and/or law enforcement to work with
Contractor’s security team; and
1.16.8 Re-instate the denial of access after a set time period, but continue to monitor traffic from
that source until risk of further attacks is deemed to be minimized.
ATTACHMENT 2
IT Business Associate Agreement
To the extent that this Business Associate Agreement is incorporated into the Contract by reference, the
Vendor acts as the Business Associate of the agency or agencies designated in Attachment 2 to this
Business Associate Agreement as Covered Entities under the Family Education Rights and Privacy Act
(FERPA), as amended, and the federal regulations published at 45 CFR part 160 and 164.
For purposes of this IT Business Associate Agreement, the Vendor (the “Business Associate”) agrees to
comply with this IT Business Associate Agreement (BAA). This Business Associate Agreement (“BAA”)
supplements and is made a part of the Contract (hereinafter, the “Underlying Agreement”) between the
Covered Entities and the Business Associate.
1.1 Purpose
The Business Associate performs certain services on behalf of or for the Agency pursuant to the
Underlying Agreement that may include the exchange of information that is protected by the
Family Education Rights and Privacy Act (FERPA), as amended, and the FERPA Rules (collectively
“FERPA”). The parties to the Underlying Agreement are entering into this BAA to establish the
responsibilities of both parties regarding Protected Health Information and to bring the Underlying
Agreement into compliance with HIPAA.
1.2 Definitions
The following terms used in this BAA shall have the same meaning as those terms in the HIPAA
Rules: Breach, Designated Record Set, Disclosure, Individual, Minimum Necessary, Notice of
Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident,
Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
Business Associate. “Business Associate” shall generally have the same meaning as the term
“Business Associate” at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean
the Vendor.
Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered
entity” at 45 C.F.R. § 160.103. For the Iowa Veterans Home, in reference to the party to this BAA
shall mean the Agency. For the Department of Human Services, in reference to the party to this
BAA shall mean the portions of the Agency which is a “hybrid” entity under HIPAA that fall under
the purview of HIPAA.
HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement
Rules at 45 C.F.R. Part 160 and Part 164.
1.3.1 Not Use or Disclose Protected Health Information other than as permitted or required by
this BAA or as Required By Law;
1.3.2 Use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect
to Protected Health Information, to prevent Use or Disclosure of Protected Health
Information other than as provided for by this BAA;
1.3.3 Report to the Covered Entity any Use or Disclosure of Protected Health Information not
provided for by this BAA of which it becomes aware, including Breaches of Unsecured
Protected Health Information as required at 45 C.F.R. § 164.410, and any Security Incident
of which it becomes aware in accordance with subsection 7, below;
1.3.5 Make available Protected Health Information in a Designated Record Set to the Covered
Entity as necessary to satisfy the Covered Entity’s obligations under 45 C.F.R. §164.524;
1.3.6 Make any amendment(s) to Protected Health Information in a Designated Record Set as
directed or agreed to by the Covered Entity pursuant to 45 C.F.R. §164.526, or take other
measures as necessary to satisfy the Covered Entity’s obligations under 45 C.F.R. § 164.526;
1.3.7 Maintain and promptly make available, as directed by the Covered Entity, the information
required to provide an accounting of Disclosures to the Covered Entity as necessary to
satisfy the Covered Entity’s obligations under 45 C.F.R. § 164.528;
1.3.8 Within 5 business days forward any request that the Business Associate receives directly
from an Individual who (1) seeks access to Protected Health Information held by the
Business Associate pursuant to this BAA, (2) requests amendment of Protected Health
Information held by the Business Associate pursuant to this BAA, or (3) requests an
accounting of Disclosures, so that the Covered Entity can coordinate the response;
1.3.9 To the extent the Business Associate is to carry out one or more of the Covered Entity’s
obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of
Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
1.3.10 Make its internal practices, books, and records available to the Secretary for purposes of
determining compliance with the HIPAA Rules.
1.4.1 The Business Associate may Use or Disclose Protected Health Information received in
relation to the Underlying Agreement as necessary to perform the services set forth in the
Underlying Agreement.
1.4.2 The Business Associate may use or disclose Protected Health Information as is required by
law.
1.4.3 The Business Associate is not authorized to de-identify Protected Health Information in
accordance with 45 C.F.R. § 164.514(a)-(c) unless expressly authorized to do so in writing
by the Covered Entity’s Security and Privacy Officer.
1.4.4 The Business Associate agrees to make Uses and Disclosures and Requests for Protected
Health Information consistent with the Covered Entity’s Minimum Necessary policies and
procedures.
1.4.5 The Business Associate may not Use or Disclose Protected Health Information in a manner
that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
1.4.6 The Business Associate may Use or Disclose the Protected Health Information for the
proper management and administration of the Business Associate or to carry out the legal
responsibilities of the Business Associate, provided the Disclosures are Required By Law,
or the Business Associate obtains reasonable assurances from the person to whom the
information is Disclosed that the information will remain confidential and used or further
Disclosed only as Required By Law or for the purposes for which it was Disclosed to the
person, and the person notifies the Business Associate of any instances of which it is aware
in which the confidentiality of the Protected Health Information has been Breached.
1.5.1 The Covered Entity will notify the Business Associate of any limitation(s) in the Notice of
Privacy Practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such
Limitation may affect the Business Associate’s Use or Disclosure of Protected Health
Information.
1.5.2 The Covered Entity will notify the Business Associate of any changes in, or revocation of,
the permission by an Individual to Use or Disclose his or her Protected Health Information,
to the extent that such changes may affect the Business Associate’s Use or Disclosure of
Protected Health Information.
1.5.3 The Covered Entity shall notify the Business Associate of any restriction on the Use or
Disclosure of Protected Health Information that the Covered Entity has agreed to or is
required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may
affect the Business Associate’s Use or Disclosure of Protected Health Information.
1.7.1 To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be
provided without unreasonable delay, except where a law enforcement official determines
that a notification would impede a criminal investigation or cause damage to national
security. For purposes of this BAA, the Business Associate is deemed to have discovered
the Breach as of the first day on which such Breach is known to the Business Associate or
by exercising reasonable diligence, would have been known to the Business Associate,
including any person, other than the Individual committing the Breach, that is a workforce
member or agent of the Business Associate;
1.7.2 To include to the extent possible the identification of the Individuals whose Unsecured
Protected Health Information has been, or is reasonably believed to have been, the subject
of a Breach;
1.7.3 To complete and submit the Information Security Data Breach Incident Report form
located on the Agency’s website.
1.7.4 To draft and provide written notification to Individuals that their Unsecured Protected
Health Information has been, or is reasonably believed to have been, the subject of a
Breach. The draft letter must include, to the extent possible:
1.7.5 A brief description of what happened, including the date of the Breach and the date of the
discovery of the Breach, if known;
1.7.6 A description of the types of Unsecured Protected Health Information that were involved
in the Breach (such as full name, Social Security Number, date of birth, home address,
account number, disability code, or other types of information that were involved);
1.7.7 Any steps the Individuals should take to protect themselves from potential harm resulting
from the Breach;
1.7.8 A brief description of what the Covered Entity and the Business Associate are doing to
investigate the Breach, to mitigate harm, and to protect against any further Breaches;
and
1.7.9 Contact procedures for Individuals to ask questions or learn additional information, which
shall include Covered Entity contact information, including a toll-free telephone number,
an e-mail address, web site, or postal address.
1.8 Administration
1.8.2 Obligation to Return PHI, Destroy PHI, or Extend Protections to Retained PHI
Upon expiration or termination of this BAA for any reason, the Business Associate shall
return to the Covered Entity or destroy all Protected Health Information received from
Covered Entity, or created, maintained, or received by the Business Associate on behalf of
the Covered Entity, that the Business Associate still maintains in any form. Return or
destruction of Protected Health Information shall take place in accordance with the
requirements for such return or destruction as set forth in the Underlying Agreement or
as otherwise directed by the Covered Entity. The Business Associate shall retain no copies
of the Protected Health Information unless such return or destruction is not feasible. If
return or destruction of the Protected Health Information is not feasible, upon expiration
or termination of this BAA, the Business Associate shall:
1.8.2.1 Retain only that Protected Health Information that is necessary for the Business
Associate to continue its proper management and administration or to carry out
its legal responsibilities to the extent Required By Law;
1.8.2.2 Return to the Covered Entity or destroy the remaining Protected Health
Information that the Business Associate still maintains in any form;
1.8.2.3 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R.
Part 164 with respect to Protected Health Information to prevent Use or
Disclosure of the Protected Health Information, other than as provided for in this
Section, for as long as the Business Associate retains the Protected Health
Information;
1.8.2.4 Not Use or Disclose the Protected Health Information retained by the Business
Associate other than for the purposes for which such Protected Health
Information was retained and subject to the same conditions set out in
subsection 4(e) above under “Permitted Uses and Disclosures by the Business
Associate” which applied prior to termination; and
1.8.2.5 Return to the Covered Entity or destroy the Protected Health Information
retained by the Business Associate when it is no longer needed by the Business
Associate for its proper management and administration or to carry out its legal
responsibilities.
1.8.3.2 Mental health treatment: Iowa Code chapters 228, 229;
1.8.3.4 Substance abuse treatment: 42 U.S.C. § 290dd-2; 42 C.F.R. part 2; Iowa Code §§
125.37, 125.93.
1.8.4.1 To the extent that the Business Associate is a governmental agency subject to
the provisions of Iowa Code § 679A.19, any dispute between the Business
Associate and the Agency, including but not limited to the incursion of any costs,
liabilities, damages, or penalties related to the Business Associate’s breach of this
BAA, shall be submitted to a board of arbitration in accordance with Iowa Code
§ 679A.19.
1.8.4.2 To the extent that the Business Associate is not subject to the provisions of Iowa
Code § 679A.19, the Business Associate shall defend, indemnify, and hold
harmless the Covered Entity from costs, liabilities, damages, or penalties
incurred as a result of the Business Associate or any Subcontractor’s breach of
this BAA, the Underlying Agreement, or conduct of the Business Associate or the
Business Associate’s Subcontractor not in compliance with 45 C.F.R. Part 164,
subpart E. Such liability shall not attach to disclosures made at the express
written direction of the Covered Entity.
1.8.4.3 The Business Associate’s obligations under this subsection 8(d) are not limited
to third-party claims but shall also apply to claims by the Covered Entity against
the Business Associate.
1.8.5 Amendment
The Covered Entity may amend the BAA from time to time by posting an updated version
of the BAA on the Agency’s website at:
and providing the Business Associate electronic notice of the amended BAA. The Business
Associate shall be deemed to have accepted the amendment unless the Business Associate
notifies the Covered Entity of its non-acceptance in accordance with the Notice provisions
of the Contract within 30 days of the Covered Entity’s notice referenced herein. Any agreed
alteration not part of the then current Covered Entity BAA shall have no force or effect
until the agreed alteration is reduced to a Contract amendment and signed by the Business
Associate, Agency Director and the Covered Entity or Entities Security and Privacy
Officer(s).
1.8.6 Survival
All obligations of the Agency and the Business Associate incurred or existing under this
BAA as of the date of expiration or termination will survive the expiration or termination
of this BAA.
1.8.7 No Third-Party Beneficiaries
There are no third-party beneficiaries to this BAA between the parties. The Underlying
Agreement and this BAA are intended to only benefit the parties to the BAA.
1.8.8 Miscellaneous
1.8.8.2 Interpretation
Any ambiguity in this BAA shall be interpreted to permit compliance with the
HIPAA Rules.
1.8.8.4 The Parties agree to take such action as is necessary to amend this Agreement
from time to time as is necessary for compliance with the requirement of the
HIPAA Rules and any other applicable law.
ATTACHMENT 3
Pub. 1075 Exhibit 7 Safeguarding Contract Language Obligations
To the extent that this Pub. 1075 Exhibit 7 Safeguarding Contract Language Obligations (the “Attachment”)
is incorporated into the Contract by reference, the Vendor agrees to comply with the obligations set forth
in this Attachment. This Contract Attachment supplements and is made a part of the Contract between the
purchasing Agency and the Vendor.
To the extent that Vendor provides notice that it does not accept an amended Attachment, any agreed
alteration not part of the then current Attachment shall have no force or effect until the agreed alteration
is reduced to a Contract amendment and signed by the Vendor and the purchasing Agency. In such a case,
the existing Attachment will continue to remain a part of the Contract until such time as the parties agree
to a newly amended Pub 1075 Exhibit 7 compliance attachment.
1.1 Performance
In performance of this Contract, the Vendor agrees to comply with and assume responsibility for
compliance by officers or employees with the following requirements:
1.1.1 All work will be performed under the supervision of the Vendor.
1.1.2 The Vendor and Vendor’s officers or employees to be authorized access to federal and/or
state tax information (“FTI”) must meet background check requirements defined in IRS
Publication 1075. The Vendor will maintain a list of officers or employees authorized access
to FTI. Such list will be provided to the agency and, upon request, to the IRS.
1.1.3 FTI in hardcopy or electronic format shall be used only for the purpose of carrying out the
provisions of this Contract. FTI in any format shall be treated as confidential and shall not be
divulged or made known in any manner to any person except as may be necessary in the
performance of this Contract. Inspection or disclosure of FTI to anyone other than the
Vendor or the Vendor’s officers or employees authorized is prohibited.
1.1.4 FTI will be accounted for upon receipt and properly stored before, during, and after
processing. In addition, any related output and products require the same level of protection
as required for the source material.
1.1.5 The Vendor will certify that FTI processed during the performance of this Contract will be
completely purged from all physical and electronic data storage with no output to be
retained by the Vendor at the time the work is completed. If immediate purging of physical
and electronic data storage is not possible, the Vendor will certify that any FTI in physical or
electronic storage will remain safeguarded to prevent unauthorized disclosures.
1.1.6 Any spoilage or any intermediate hard copy printout that may result during the processing
of FTI will be given to the agency. When this is not possible, the Vendor will be responsible
for the destruction of the spoilage or any intermediate hard copy printouts and will provide
the agency with a statement containing the date of destruction, description of material
destroyed, and the destruction method.
1.1.7 All computer systems receiving, processing, storing, or transmitting FTI must meet the
requirements in IRS Publication 1075. To meet functional and assurance requirements, the
security features of the environment must provide for the managerial, operational, and
technical controls. All security features must be available and activated to protect against
unauthorized use of and access to FTI.
1.1.8 No work involving FTI furnished under this Contract will be subcontracted without the prior
written approval of the IRS.
1.1.9 Vendor will ensure that the terms of FTI safeguards described herein are included, without
modification, in any approved subcontract for work involving FTI.
1.1.10 To the extent the terms, provisions, duties, requirements, and obligations of this Contract
apply to performing services with FTI, the Vendor shall assume toward the subcontractor all
obligations, duties and responsibilities that the agency under this Contract assumes toward
the Vendor, and the subcontractor shall assume toward the Vendor all the same obligations,
duties and responsibilities which the Vendor assumes toward the agency under this
Contract.
1.1.11 In addition to the subcontractor’s obligations and duties under an approved subcontract,
the terms and conditions of this Contract apply to the subcontractor, and the subcontractor
is bound and obligated to the Vendor hereunder by the same terms and conditions by which
the Vendor is bound and obligated to the agency under this Contract.
1.1.12 For purposes of this Contract, the term “Vendor” includes any officer or employee of the
Vendor with access to or who uses FTI, and the term “subcontractor” includes any officer or
employee of the subcontractor with access to or who uses FTI.
1.1.13 The agency will have the right to void the Contract if the Vendor fails to meet the terms of
FTI safeguards described herein.
1.2.1 Each officer or employee of a Vendor to whom FTI is or may be disclosed shall be notified in
writing that FTI disclosed to such officer or employee can be used only for a purpose and to
the extent authorized herein, and that further disclosure of any FTI for a purpose not
authorized herein constitutes a felony punishable upon conviction by a fine of as much as
$5,000 or imprisonment for as long as 5 years, or both, together with the costs of
prosecution.
1.2.2 Each officer or employee of a Vendor to whom FTI is or may be accessible shall be notified
in writing that FTI accessible to such officer or employee may be accessed only for a purpose
and to the extent authorized herein, and that access/inspection of FTI without an official
need-to-know for a purpose not authorized herein constitutes a criminal misdemeanor
punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1
year, or both, together with the costs of prosecution.
1.2.3 Each officer or employee of a Vendor to whom FTI is or may be disclosed shall be notified
in writing that any such unauthorized access, inspection or disclosure of FTI may also
result in an award of civil damages against the officer or employee in an amount equal to
the sum of the greater of $1,000 for each unauthorized access, inspection, or disclosure, or
the sum of actual damages sustained as a result of such unauthorized access, inspection,
or disclosure, plus in the case of a willful unauthorized access, inspection, or disclosure or
an unauthorized access/inspection or disclosure which is the result of gross negligence,
punitive damages, plus the cost of the action. These penalties are prescribed by IRC
sections 7213, 7213A and 7431 and set forth at 26 CFR 301.6103(n)-1.
1.2.4 Additionally, it is incumbent upon the Vendor to inform its officers and employees of the
penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a.
Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a Vendor, who by virtue of his/her
employment or official position, has possession of or access to agency records which
contain individually identifiable information, the disclosure of which is prohibited by the
Privacy Act or regulations established thereunder, and who knowing that disclosure of
the specific material is so prohibited, willfully discloses the material in any manner to any
person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not
more than $5,000.
1.2.5 Granting Vendor access to FTI must be preceded by certifying that each officer or
employee understands the agency’s security policy and procedures for safeguarding FTI.
Vendor and each officer or employee must maintain their authorization to access FTI
through annual recertification of their understanding of the agency’s security policy and
procedures for safeguarding FTI. The initial certification and recertifications must be
documented and placed in the agency's files for review. As part of the certification and at
least annually afterwards, Vendor and each officer or employee must be advised of the
provisions of IRC sections 7213, 7213A, and 7431 (see IRS Pub. 1075, Sanctions for
Unauthorized Disclosure, and Civil Damages for Unauthorized Disclosure). The training on
the agency’s security policy and procedures provided before the initial certification and
annually thereafter must also cover the incident response policy and procedure for
reporting unauthorized disclosures and data breaches. For the initial certification and the
annual recertifications, the Vendor and each officer or employee must sign, either with
ink or electronic signature, a confidentiality statement certifying their understanding of
the security requirements.
1.3 Inspection
The IRS and the Agency, with 24-hour notice, shall have the right to send its inspectors into the
offices and plants of the Vendor to inspect facilities and operations performing any work with
FTI under this Contract for compliance with requirements defined in IRS Publication 1075. The
IRS’ right of inspection shall include the use of manual and/or automated scanning tools to
perform compliance and vulnerability assessments of information technology (IT) assets that
access, store, process or transmit FTI. Based on the inspection, corrective actions may be
required in cases where the Vendor is found to be noncompliant with FTI safeguard
requirements.