Odyssey Contract

Iowa Department of Administrative Services
Contracts Declaration & Execution Page
Title of Contract: Bid Proposal Number Contract Number

Education Savings Account Administration 005-RFP-0317-2023
This Agreement is entered into between the State of Iowa (by and through its agency, the Department of Administrative
Services) and the Contractor named below:
State Agency’s Name:
Iowa Department of Education
Contractor’s Name:
Primary Class, Inc. dba Odyssey
Contract to Begin: Date of Expiration: Annual Extensions:
April 6, 2023 April 5, 2026 3
The parties agree to comply with the terms and conditions and attachments which are by this reference made a part of the Agreement:
Section 1 – Terms & Conditions..…………………………………………………..………………………………………………………………………...……..Page 2
Section 2 – Special Terms……………..………………………………………………………………………………………..…………………………….………Page 31
Section 3 – Scope of Work……………..…………………………………………………………………………………………………………………..…………Page 47
Section 4 – Pricing…………………………………………………………………………………………………………………..…………………………………….Page 55
Section 5 – Contacts ……………………………………………………………………………………………………………..…..………………………………...Page 57
Attachment 1 – Service Levels……………………………………………………………………………..…..……………………………………………….….Page 58
Attachment 2 – Business Associates Agreement……………………………………………………..…..……………………………………………….Page 67
Attachment 3 – Pub. 1075 Exhibit 7 Safeguarding Contract Language Obligations……………………………………………………..…Page 74
IN WITNESS WHEREOF, this Agreement has been executed by the parties hereto
Contractor: Primary Class, Inc. dba Odyssey
By (Authorized Signature) Date Signed
04/05/23
Printed Name and Title of Person Signing

Joseph Connor - Chief Executive Officer
Address
228 Park Ave S, PMB #18249
New York, NY 10003
State of Iowa: Department of Education

04/06/2023

Chad L. Aldis, Director
Address
400 E 14th ST
Des Moines, IA 50319
State of Iowa: Department of Administrative Services – Central Procurement
April 6, 2023
Karl Wendt, Procurement Manager

Address
1305 E Walnut ST
SECTION 1
Terms & Conditions
1.1 Definitions
The following words shall be defined as set forth below:
“Acceptance” means that the Agency has determined that one or more Deliverables satisfy the
Agency’s Acceptance Tests. Final Acceptance means that the Agency has determined that all
Deliverables satisfy the Agency’s Acceptance Tests. Non-acceptance means that the Agency has
determined that one or more Deliverables have not satisfied the Agency’s Acceptance Tests.
“Acceptance Criteria” means the Specifications, goals, performance measures, testing results
and/or other criteria designated by the Agency and against which the Deliverables may be evaluated
for purposes of Acceptance or Non-acceptance thereof.
“Acceptance Tests” or “Acceptance Testing” mean the tests, reviews and other activities that are
performed by or on behalf of Agency to determine whether the Deliverables meet the Acceptance
Criteria or otherwise satisfy the Agency, as determined by the Agency in its sole discretion.
“Application Services” means the hosted applications and related Services as further defined and
described in the RFP, Proposal, and this Agreement, including any Scope of Work of or related to the
implementation or configuration of the Application Services, System(s), or related Deliverables for
the Agency’s specific needs or use.
“Authorized Contractors” means independent contractors, consultants, or other Third Parties

(including other Governmental Entities) who are retained, hired, or utilized by any Governmental
Entity to use, maintain, support, modify, enhance, host, or otherwise assist a Governmental Entity
with any Deliverables provided pursuant to any General Terms.
“Bid Proposal” or “Proposal” means the Contractor’s proposal submitted in response to the RFP.
“Confidential Information” means, subject to any applicable federal, State, or local laws and
regulations, including Iowa Code Chapter 22, any confidential or proprietary information or trade
secrets disclosed by either Party (“Disclosing Party”) to the other Party (“Receiving Party”) that, at
the time of disclosure, is designated as confidential (or like designation), is disclosed in circumstances
of confidence, or would be understood by the Parties, exercising reasonable business judgment, to
be confidential. Confidential Information does not include any information that: (i) was rightfully in
the possession of the Receiving Party from a source other than the Disclosing Party prior to the time
of disclosure of the information by the Disclosing Party to the Receiving Party; (ii) was known to the
Receiving Party prior to the disclosure of the information by the Disclosing Party; (iii) was disclosed
to the Receiving Party without restriction by an independent third party having a legal right to disclose
the information; (iv) is in the public domain or shall have become publicly available other than as a
result of disclosure by the Receiving Party in violation of this Agreement or in breach of any other
agreement with the Disclosing Party; (v) is independently developed by the Receiving Party without
any reliance on Confidential Information disclosed by the Disclosing Party; (vi) is disclosed or is
required or authorized to be disclosed pursuant to law, rule, regulation, subpoena, summons, or the
order of a court, lawful custodian, governmental agency or regulatory authority, or by applicable
2
regulatory or professional standards; or (vii) is disclosed by the Receiving Party with the written
consent of the Disclosing Party.
“Contract” means the collective documentation memorializing the terms of the agreement between
the Agency and the Contractor identified on the Contract Declarations & Execution Page(s) and
includes the signed Contract Declarations & Execution Page(s), the Special Terms, these General
Terms for Services Contracts, any Special Contract Attachments, and all other attachments to the
Contract.
“Contractor Contractor(s)” means any of Contractor’s authorized subcontractors, affiliates,

subsidiaries, or any other Third Party acting on behalf of or at the direction of Contractor, directly or
indirectly, in performing or providing Deliverables under any General Terms.
“Contractor Personnel” means employees, agents, independent contractors, or any other staff or
personnel acting on behalf of or at the direction of Contractor or any Contractor’s Contractor
performing or providing Deliverables under any General Terms.
“Customer Data” means all information, data, materials, or documents (including Confidential
Information of or belonging to any applicable Governmental Entity and Customer PII) originating with,
disclosed by, provided by, made accessible by, or otherwise obtained by or from a Governmental
Entity making purchases pursuant to any General Terms, including Authorized Contractors of the
foregoing, but in including all information, data, materials, or documents developed by or created by
Contractor, Contractor’s subcontractors, or Contractor Personnel in connection with any Deliverables
provided pursuant to any General Terms.
“Customer PII” means all Customer Data that constitutes “personal information”, “personally
identifying-information”, and/or “protected health information”, as those terms are defined by
applicable law.
“Customer Property” means any property of or belonging to a Governmental Entity making

purchases pursuant to a General Terms, including Customer Data, software, hardware, programs or
other property possessed, owned, or otherwise controlled or maintained by a Governmental Entity.
“Customer-Owned Deliverables” means (if any) those Deliverables discovered, created, or

developed by Contractor, Contractor’s subcontractors, or Contractor Personnel at the direction of
the applicable Governmental Entity or for a Governmental Entity or for a specific project pursuant
to any General Terms that are specifically identified as Customer-Owned Deliverables in an
applicable SOW, including all intellectual property rights and proprietary rights arising out of,
embodied in, or related to such Deliverables, including copyrights, patents, trademarks, trade
secrets, trade dress, mask work, utility design, derivative works, and all other rights and interests
therein or related thereto.
“Deficiency” means a defect, flaw, anomaly, failure, omission, interruption of service, or other
problem of any nature whatsoever with respect to a Deliverable, including, without limitation, any
failure of a deliverable to conform to or meet an applicable specification. Deficiency also includes
the lack of something essential or necessary for completeness or proper functioning of a Deliverable.
3
“Deliverables” means all of the goods, products, services, work, work product, items, materials and
property to be created, developed, produced, delivered, performed or provided by or on behalf of,
or made available through, Contractor (or any agent, contractor or subcontractor of Contractor) in
connection with this Contract.
“Documentation” means any and all technical information, commentary, explanations, design
documents, system architecture documents, database layouts, test materials, training materials,
guides, manuals, worksheets, notes, work papers, and all other information, documentation and
materials related to or used in conjunction with the Deliverables, in any medium, including hard
copy, electronic, digital, and magnetically or optically encoded media.
“Governmental Entity” shall mean any Governmental Entity, as defined in Iowa Code Section 8A.101,
or any successor provision thereto. The term Governmental Entity includes without limitation
Participating Agencies, agencies, independent agencies, the Judicial Branch, the Legislative Branch,
courts, boards, authorities, institutions, establishments, divisions, bureaus, commissions,
committees, councils, examining boards, public utilities, offices of elective constitutional or statutory
officers, and other units, branches, or entities of government.
“I.T. Governance Document(s)” or “Governance Document(s)” means any Information Technology

policies, standards, processes, guidelines, or procedures developed by OCIO pursuant to Iowa Code
section 8B, available at: (navigate to policies, standards, rules, respectively), and which are generally
applicable to Participating Agencies, absent a waiver granted pursuant to Iowa Code section 8B.21(5)
or any corresponding implementing rules.
“Office of the Chief Information Officer” or “OCIO” means the Department of Management, Office
of the Chief Information Officer of the State of Iowa created by Iowa Code chapter 8B.
“Non-Appropriation Event” means any of the following:

The legislature or governor fail, in the sole opinion of the applicable Governmental Entity, to
appropriate funds sufficient to allow the Governmental Entity to either meet its obligations under
any General Terms, or to operate as required or to fulfill its obligations under any General Terms.
• If funds are de-appropriated, reduced, not allocated, or receipt of funds is delayed, or if any funds
or revenues needed by a Governmental Entity (regardless of the source of funding or revenues) to
make any payment under any General Terms are insufficient or unavailable for any other reason as
determined by the Governmental Entity in its sole discretion;
• If a Governmental Entity’s authorization to conduct its business or engage in activities or operations
related to the subject matter of any General Terms is withdrawn or materially altered or modified;
• If the applicable Governmental Entity’s duties, programs, or responsibilities are modified or
materially altered; or
• If there is a decision of any court, administrative law judge or an arbitration panel or any law, rule,
regulation, or order is enacted, promulgated. or issued that materially or adversely affects the
applicable Governmental Entity’s ability to fulfill any of its obligations under any General Terms.
“Participating Agency” shall have the same meaning ascribed it under Iowa Code Section 8B,
including any subsequent amendments or successor provisions thereto.
4
“Purchasing Instrument” means documentation issued by a Governmental Entity to Contractor for
the purchase of Deliverables, including a “Purchase Order” or “Statement of Work” executed
pursuant to any General Terms, regardless of form, and which identifies the Deliverables to be
purchased and any other requirements deemed necessary by the applicable Governmental Entity,
such as compensation and delivery dates.
“RFP” means the Request for Proposals or Request for Bids (and any Addenda thereto) that was
issued to solicit the Deliverables that are subject to the Contract.
“Security Breach” means the unauthorized acquisition of or access to Customer Data by an

unauthorized person that compromises the security, confidentiality, or integrity of Customer Data,
including when access occurs through the Deliverables due to a breach of this Contract by
Contractor.
“Services” include without limitation all services performed or provided by or on behalf of, or
otherwise made available through, Contractor, Contractor’s subcontractors, or Contractor Personnel,
directly or indirectly, in connection with any General Terms, including any Software or System or any
corresponding hosting, implementation, migration, or configuration services associated therewith or
related thereto.
“Software” means any and all other software, programs, applications, modules and components, in
object code form, and all related Source Code.
“Source Code” means the human-readable source code, source program, scripts and/or
programming language, including HTML, XML, XHTML, Visual Basic, and JAVA, for or related to the
Software. Source Code includes all source code listings, instructions (including compile instructions),
programmer’s notes, commentary and all related technical information and Documentation,
including all such information and Documentation that is necessary or useful for purposes of
maintaining, repairing, or making modifications or enhancements to the Software and the Source
Code.
“Special Terms” means the Contract attachment entitled “Special Terms” that contains terms
specific to this Contract, including but not limited to the Scope of Work, contract payment terms,
and any amendments to these General Terms and Conditions for Services Contracts. If there is a
conflict between the General Terms for Services Contracts and the Special Terms, the Special Terms
shall prevail.
“Specifications” means all specifications, requirements, technical standards, performance

standards, representations and other criteria related to the Deliverables stated or expressed in this
Contract, the Documentation, the RFP, and the Proposal. Specifications shall include the acceptance
tests Criteria and any specifications, standards or criteria stated or set forth in any applicable state,
federal, foreign and local laws, rules and regulations. The Specifications are incorporated into this
Contract by reference as if fully set forth in this Contract.
“State” means the State of Iowa, the Agency, and all State of Iowa agencies, boards, and
commissions, and when this Contract is available to political subdivisions, any political subdivisions
of the State of Iowa.
5
“System” means any system provided or otherwise made available by or through Contractor,
Contractor’s subcontractors, or Contractor Personnel, directly or indirectly, in connection with any
General Terms, including any Software, programs, or applications associated therewith or included
or incorporated therein, regardless of the method of delivery, including any Internet-enabled, Web-
based or other similar delivery method.
“Third Party” means a person or entity (including, any form of business organization, such as a
corporation, partnership, limited liability corporation, association, etc.) that is not a party to any
General Terms.
1.2 Availability of Contract to Other Entities

All other agencies of the State of Iowa and all political subdivisions of the State of Iowa may make
purchases pursuant to the Contract as permitted by the Competitive Bidding Document.
1.3 Duration of Contract

The term of the Contract shall begin and end on the dates specified on the Contract Declarations &
Execution Page(s), unless extended or terminated earlier in accordance with the termination
provisions of this Contract. Any extensions noted on the Contract Declarations & Execution Page(s)
shall be subject to mutual agreement of the Agency and the Contractor, and absent such mutual
agreement the term of this Contract will end on Date of Expiration specified on the Contract
Declarations & Execution Page(s).
1.4 Scope of Work

The Contractor shall provide Deliverables that comply with and conform to the Specifications.
Additional deliverables and scopes of work may be negotiated during the duration of the Contract
term.
1.5 Compensation
1.5.1 Pricing
The Contractor will be compensated in accordance with the payment terms outlined in
the Contract Payment Terms and Scope of Work described in the Special Terms.
The Contractor shall submit an invoice for Deliverables rendered in accordance with this
Contract. The invoice shall comply with all applicable rules concerning payment of such
claims. The Agency shall verify the Contractor’s performance of the Deliverables outlined
in the invoice before making payment. The Agency shall pay all approved invoices in
arrears and in conformance with Iowa Code 8A.514. The Agency may pay in less than sixty
(60) days, but an election to pay in less than sixty (60) days shall not act as an implied
waiver of Iowa Code § 8A.514.
Unless otherwise agreed in writing by the parties, the Contractor shall not be entitled to
receive any other payment or compensation from the State for any Deliverables provided
by or on behalf of the Contractor under this Contract. The Contractor shall be solely
responsible for paying all costs, expenses and charges it incurs in connection with its
performance under this Contract.
6
1.5.2 Reimbursement Expenses
The State has established rules for limitations on reimbursement expenses. Please
reference Department of Administrative Services - State Accounting Enterprise Procedure
210-245 (accessible on the internet) for limits on travel expenses.
1.5.3 Withholding Payments

In addition to pursuing any other remedy provided herein or by law, the Agency may
withhold compensation or payments to Contractor, in whole or in part, without penalty
to the Agency or work stoppage by Contractor, in the event the Agency determines that:
1.5.3.1 Contractor has failed to perform any of its duties or obligations as set forth in this
Contract; or
1.5.3.2 Any Deliverable has failed to meet or conform to any applicable Specifications or
contains or is experiencing a Deficiency.
1.5.4 No interest shall accrue or be paid to Contractor on any compensation or other amounts
withheld or retained by the Agency under this Contract.
1.5.5 Setoff Against Sums Owed by the Contractor

In the event that Contractor owes the State any sum under the terms of this Contract, any
other contract or agreement, pursuant to a judgment, or pursuant to any law, the State
may, in its sole discretion, set off any such sum against:
1.5.5.1 Any sum invoiced by, or owed to, Contractor under this Contract, or
1.5.5.2 Any sum or amount owed by the State to Contractor, unless otherwise required
by law.
The Contractor agrees that this provision constitutes proper and timely notice under any
applicable laws governing setoff.
1.6 Termination
1.6.1 Immediate Termination by the State

The State may terminate this Contract for any of the following reasons effective
immediately without advance notice:
1.6.1.1 In the event the Contractor is required to be certified or licensed as a

condition precedent to providing goods and services, the revocation or loss of
such license or certification will result in immediate termination of the
Contract effective as of the date on which the license or certification is no
longer in effect;
7
1.6.1.2 The State determines that the actions, or failure to act, of the Contractor, its
agents, employees or subcontractors have caused, or reasonably could cause,
a person’s life, health or safety to be jeopardized;
1.6.1.3 The Contractor fails to comply with confidentiality laws or provisions;
1.6.1.4 The Contractor furnished any statement, representation or certification in

connection with the Contract or the bidding process which is materially false,
deceptive, incorrect or incomplete.
1.6.2 Termination for Cause by the Agency

The Agency may terminate this Contract upon written notice for the breach by Contractor
of any material term, condition or provision of this Contract, if such breach is not cured
within the time period specified in the Agency’s notice of breach or any subsequent notice
or correspondence delivered by the Agency to Contractor, provided that cure is feasible.
In addition, the Agency may terminate this Contract effective immediately without penalty
and without advance notice or opportunity to cure for any of the following reasons:
1.6.2.1 Contractor furnished any statement, representation, warranty or certification

in connection with this Contract, the RFP or the Proposal that is false, deceptive,
or materially incorrect or incomplete;
1.6.2.2 Contractor or any of Contractor’s officers, directors, employees, agents,

subsidiaries, affiliates, contractors or subcontractors has committed or engaged
in fraud, misappropriation, embezzlement, malfeasance, misfeasance, or bad
faith;
1.6.2.3 Contractor or any parent or affiliate of Contractor owning a controlling interest

in Contractor dissolves;
1.6.2.4 Contractor terminates or suspends its business;
1.6.2.5 Contractor’s corporate existence or good standing in Iowa is suspended,

terminated, revoked or forfeited, or any license or certification held by
Contractor related to Contractor’s performance under this Contract is
suspended, terminated, revoked, or forfeited;
1.6.2.6 Contractor has failed to comply with any applicable international, federal, state
(including, but not limited to Iowa Code chapter 8F), or local laws, rules,
ordinances, regulations or orders when performing within the scope of this
Contract;
1.6.2.7 The Agency determines or believes the Contractor has engaged in conduct that:
(a) has or may expose the Agency or the State to material liability, or (b) has
caused or may cause a person’s life, health or safety to be jeopardized;
8
1.6.2.8 Contractor infringes or allegedly infringes or violates any patent, trademark,
copyright, trade dress or any other intellectual property right or proprietary
right, or Contractor misappropriates or allegedly misappropriates a trade
secret;
1.6.2.9 Contractor fails to comply with any applicable confidentiality laws, privacy laws,
or any provisions of this Contract pertaining to confidentiality or privacy; or
1.6.2.10 Any of the following has been engaged in by or occurred with respect to
Contractor or any corporation, shareholder or entity having or owning a
controlling interest in Contractor:
1.6.2.10.1 Commencing or permitting a filing against it which is not discharged

within ninety (90) days, of a case or other proceeding seeking
liquidation, reorganization, or other relief with respect to itself or
its debts under any bankruptcy, insolvency, or other similar law now
or hereafter in effect; or filing an answer admitting the material
allegations of a petition filed against it in any involuntary case or
other proceeding commenced against it seeking liquidation,
reorganization, or other relief under any bankruptcy, insolvency, or
other similar law now or hereafter in effect with respect to it or its
debts; or consenting to any such relief or to the appointment of or
taking possession by any such official in any voluntary case or other
proceeding commenced against it seeking liquidation,
reorganization, or other relief under any bankruptcy, insolvency, or
other similar law now or hereafter in effect with respect to it or its
debts;
1.6.2.10.2 Seeking or suffering the appointment of a trustee, receiver,

liquidator, custodian or other similar official of it or any substantial
part of its assets;
1.6.2.10.3 Making an assignment for the benefit of creditors;
1.6.2.10.4 Failing, being unable, or admitting in writing the inability generally

to pay its debts or obligations as they become due or failing to
maintain a positive net worth and such additional capital and
liquidity as is reasonably adequate or necessary in connection with
Contractor’s performance of its obligations under this Contract; or
1.6.2.10.5 Taking any action to authorize any of the foregoing. The Agency’s
right to terminate this Contract shall be in addition to and not
exclusive of other remedies available to the Agency, and the Agency
shall be entitled to exercise any other rights and pursue any
remedies, in law, at equity, or otherwise.
9
1.6.3 Termination upon Notice
Following thirty (30) days written notice, the Agency may terminate this Contract in whole
or in part without penalty and without incurring any further obligation to Contractor.
Termination can be for any reason or no reason at all.
1.6.4 Termination Due to Lack of Funds or Change in Law

Notwithstanding anything in this Contract to the contrary, and subject to the limitations
set forth below, the Agency shall have the right to terminate this Contract without penalty
and without any advance notice as a result of any of the following:
1.6.4.1 The legislature or governor fail in the sole opinion of the Agency to appropriate
funds sufficient to allow the Agency to either meet its obligations under this
Contract or to operate as required and to fulfill its obligations under this
Contract; or
1.6.4.2 If funds are de-appropriated, reduced, not allocated, or receipt of funds is

delayed, or if any funds or revenues needed by the Agency to make any
payment hereunder are insufficient or unavailable for any other reason as
determined by the Agency in its sole discretion; or
1.6.4.3 If the Agency’s authorization to conduct its business or engage in activities or

operations related to the subject matter of this Contract is withdrawn or
materially altered or modified; or
1.6.4.4 If the Agency’s duties, programs or responsibilities are modified or materially

altered; or
1.6.4.5 If there is a decision of any court, administrative law judge or an arbitration

panel or any law, rule, regulation or order is enacted, promulgated or issued
that materially or adversely affects the Agency’s ability to fulfill any of its
obligations under this Contract. The Agency shall provide Contractor with
written notice of termination pursuant to this section.
1.6.5 Limitation of the State’s Payment Obligations

In the event of termination of this Contract for any reason by either party (except for
termination by the Agency pursuant to Section 1.6.2), the Agency shall pay only those
amounts, if any, due and owing to Contractor hereunder for Deliverables actually and
satisfactorily provided in accordance with the provisions of this Contract up to and
including the date of termination of this Contract and for which the Agency is obligated to
pay pursuant to this Contract; provided however, that in the event the Agency terminates
this Contract pursuant to Section 1.6.4, the Agency’s obligation to pay Contractor such
amounts and other compensation shall be limited by, and subject to, legally available
funds. Payment will be made only upon submission of invoices and proper proof of
Contractor’s claim. Notwithstanding the foregoing, this Section 1.6.5 in no way limits the
rights or remedies available to the Agency and shall not be construed to require the
Agency to pay any compensation or other amounts hereunder in the event of Contractor’s
breach of this Contract or any amounts withheld by the Agency in accordance with the
10
terms of this Contract. The Agency shall not be liable, under any circumstances, for any of
the following:
1.6.5.1 The payment of unemployment compensation to Contractor’s employees;
1.6.5.2 The payment of workers’ compensation claims, which occur during the Contract
or extend beyond the date on which the Contract terminates;
1.6.5.3 Any costs incurred by Contractor in its performance of the Contract, including,
but not limited to, startup costs, overhead or other costs associated with the
performance of the Contract;
1.6.5.4 Any damages or other amounts associated with the loss of prospective profits,
anticipated sales, goodwill, or for expenditures, investments or commitments
made in connection with this Contract;
1.6.5.5 Any taxes Contractor may owe in connection with the performance of this
Contract, including, but not limited to, sales taxes, excise taxes, use taxes,
income taxes or property taxes.
1.6.6 Contractor’s Termination Duties

Upon receipt of notice of termination or upon request of the Agency, Contractor shall:
1.6.6.1 Cease work under this Contract and take all necessary or appropriate steps to
limit disbursements and minimize costs, and furnish a report within thirty (30)
days of the date of notice of termination, describing the status of all work
performed under the Contract and such other matters as the Agency may
require.
1.6.6.2 Immediately cease using and return to the Agency any property or materials,
whether tangible or intangible, provided by the Agency to Contractor.
1.6.6.3 Cooperate in good faith with the Agency and its employees, agents and
independent contractors during the transition period between the notification
of termination and the substitution of any replacement service provider.
1.6.6.4 Immediately return to the Agency any payments made by the Agency for
Deliverables that were not rendered or provided by Contractor.
1.6.6.5 Immediately deliver to the Agency any and all Deliverables for which the Agency
has made payment (in whole or in part) that are in the possession or under the
control of the Contractor or its agents or subcontractors in whatever stage of
development and form of recordation such property is expressed or embodied
as that time.
1.6.7 Termination for Cause by Contractor
11
Contractor may only terminate this Contract for the breach by the Agency of any material
term, condition or provision of this Contract, if such breach is not cured within sixty (60)
days of the Agency’s receipt of Contractor’s written notice of breach.
1.7 Confidential Information
1.7.1 Access to Confidential Information

The Contractor’s employees, agents and subcontractors may have access to confidential
information maintained by the Agency to the extent necessary to carry out its
responsibilities under the Contract. The Contractor shall presume that all information
received pursuant to this Contract is confidential unless otherwise designated by the
Agency. The Contractor shall provide to the Agency a written description of its policies and
procedures to safeguard confidential information. Policies of confidentiality shall address,
as appropriate, information conveyed in verbal, written, and electronic formats. The
Contractor must designate one individual who shall remain the responsible authority in
charge of all data collected, used, or disseminated by the Contractor in connection with
the performance of the Contract. The Contractor shall provide adequate supervision and
training to its agents, employees and subcontractors to ensure compliance with the terms
of this Contract. The private or confidential information shall remain the property of the
Agency at all times.
1.7.2 No Dissemination of Confidential information

No confidential information collected, maintained, or used in the course of performance
of the Contract shall be disseminated by Contractor except as authorized by law and only
with the prior written consent of the Agency, either during the period of the Contract or
thereafter. Any data supplied by the Agency to the Contractor or created by the Contractor
in the course of the performance of this Contract shall be considered the property of the
Agency. The Contractor must return any and all data collected, maintained, created or
used in the course of the performance of the Contract in whatever form it is maintained
promptly at the request of the Agency. The Contractor may be held civilly or criminally
liable for improper disclosure of confidential information.
1.7.3 Subpoena
In the event that a subpoena or other legal process is served upon the Contractor for
records containing confidential information, the Contractor shall promptly notify the
Agency and cooperate with the Agency in any lawful effort to protect the confidential
information.
1.7.4 Reporting of Unauthorized Disclosure

The Contractor shall immediately, within 2 hours of the discovery of unauthorized
disclosure, report to the Agency any unauthorized disclosure of confidential information.
1.7.5 If Contractor requests confidential treatment with respect to any information or material
contained within its Bid Proposal and if a judicial or administrative proceeding is initiated
to compel the release of such material, Contractor shall, at its sole expense, appear in the
proceeding or otherwise obtain an order restraining the release of such material from a
court of competent jurisdiction. Agency may release the information or material with or
12
without advance notice to Contractor if no judicial or administrative proceeding is initiated
and Agency determines the information or material is not confidential under Iowa or other
applicable law, or if Contractor failed to properly request confidential treatment under the
RFP, or if Contractor rescinds its request for confidential treatment.
1.7.6 Survives Termination

The Contractor’s obligations under this section shall survive termination or expiration of
this Contract.
1.8 Indemnification; Limitation of Liability
1.8.1 By the Contractor

The Contractor agrees to indemnify and hold harmless the State and its officers, appointed
and elected officials, board and commission members, employees, volunteers and agents
(collectively the “Indemnified Parties”), from any and all costs, expenses, losses, claims,
damages, liabilities, settlements and judgments (including, without limitation, the
reasonable value of the time spent by the Attorney General’s Office, and the costs,
expenses and attorneys’ fees of other counsel retained by the Indemnified Parties directly
or indirectly related to, resulting from, or arising out of this Contract, including but not
limited to any claims related to, resulting from, or arising out of:
1.8.1.1 Any breach of this Contract;
1.8.1.2 Any negligent, intentional or wrongful act or omission of the Contractor or any
agent or subcontractor utilized or employed by the Contractor;
1.8.1.3 The Contractor’s performance or attempted performance of this Contract,

including any agent or subcontractor utilized or employed by the Contractor;
1.8.1.4 Any failure by the Contractor to make all reports, payments and withholdings
required by federal and state law with respect to social security, employee
income and other taxes, fees or costs required by the Contractor to conduct
business in the State of Iowa;
1.8.1.5 Any claim of misappropriation of a trade secret or infringement or violation of

any intellectual property rights, proprietary rights or personal rights of any third
party, including any claim that any Deliverable or any use thereof (or the
exercise of any rights with respect thereto) infringes, violates or
misappropriates any patent, copyright, trade secret, trademark, trade dress,
mask work, utility design, or other intellectual property right or proprietary right
of any third party.
1.8.2 Limitation of Liability

Solely to the extent permitted by applicable laws, rules and regulations: (a) the maximum
liability of either Party under this Agreement for direct damages shall be two times the
Contract Value (“Contract Value” is defined as the aggregate total compensation to be
paid by a Governmental Entity under the entire term of the Agreement, including all
13
renewals and extensions), and (b) neither party will be liable for consequential, incidental,
indirect, special, or punitive damages; provided, however, under no circumstances shall
the foregoing limitation or any other provision in this Contract that either limits
Contractor’s liability or provides for sole or exclusive remedies apply to any losses,
damages, expenses, costs, settlement amounts, legal fees, judgments, actions, claims, or
any other liability arising out of or relating to:
a. Intentional torts, criminal acts, fraudulent conduct, intentional or willful misconduct,

or gross negligence;
b. Death, bodily injury, or damage to real or personal property;
c. Any contractual obligations of Contractor pertaining to indemnification; intellectual

property; liquidated damages; compliance with applicable laws; confidential
information; and/or Security Breach;
Claims arising under this Agreement calling for indemnification of the State or for third-
party claims against the State for bodily injury to persons or for damage to real or tangible
personal property caused by Contractor’s negligence or willful conduct.

Contractor’s duties and obligations under this section shall survive the termination of this
Contract and shall apply to all acts or omissions taken or made in connection with the
performance of this Contract regardless of the date any potential claim is made or
discovered by the Agency or any other Indemnified Party.
1.9 Insurance
1.9.1 Insurance Requirements

The Contractor shall maintain in full force and effect, with insurance companies licensed
by the State of Iowa, at the Contractor’s expense, insurance covering its work during the
entire term of this Contract and any extensions or renewals thereof. The Contractor’s
insurance shall, among other things, be occurrence based and shall insure against any loss
or damage resulting from or related to the Contractor’s performance of this Contract
regardless of the date the claim is filed or expiration of the policy. The State of Iowa and
the Agency shall be named as additional insureds or loss payees, or the Contractor shall
obtain an endorsement to the same effect, as applicable.
1.9.2 Types and Amounts of Insurance Required

Unless otherwise requested by the Agency in writing, the Contractor shall cause to be
issued insurance coverages insuring the Contractor and/or subcontractors against all
general liabilities, product liability, personal injury, property damage, and (where
applicable) professional liability. In addition, the Contractor shall ensure it has any
necessary workers’ compensation and employer liability insurance as required by Iowa
law.
14
Type of Insurance Limit Amount
General Liability (including General Aggregate $2 million
contractual liability) written on an Products –
occurrence basis Comp/Op Aggregate $1 Million
Personal injury $1 Million
Each Occurrence $1 Million
Automobile Liability (including Combined single limit $1 Million
contractual liability) written on an
occurrence basis
Excess Liability, umbrella form Each Occurrence $1 Million
Aggregate $1 Million
Errors and Omissions Insurance Each Occurrence $1 Million
Property Damage Each Occurrence $1 Million
Aggregate $1 Million
Workers Compensation and As Required by Iowa law As required
Employer Liability by Iowa law
1.9.3 Certificates of Coverage

Contractor shall maintain all insurance policies required by this Contract in full force and
effect during the entire term of this Contract and any extensions or renewals thereof, and
shall not permit such policies to be canceled or amended except with the advance written
approval of the Agency. The Contractor shall submit certificates of the insurance, which
indicate coverage and notice provisions as required by this Contract, to the Agency within
thirty (30) days after the parties’ mutual execution of this Contract. The insurer shall state
in the certificate that no cancellation of the insurance will be made without at least thirty
(30) days’ prior written notice to the Agency. Approval of the insurance certificates by the
Agency shall not relieve the Contractor of any obligation under this Contract.
1.9.4 Waiver of Subrogation Rights

The Contractor shall obtain a waiver of any subrogation rights that any of its insurance
carriers might have against the State. The waiver of subrogation rights shall be indicated
on the certificates of insurance coverage supplied to the State.
1.10 Project Management & Reporting
1.10.1 Project Manager

At the time of execution of this Contract, each party shall designate, in writing, a Project
Manager to serve until the expiration of this Contract or the designation of a substitute
Project Manager. During the term of this Contract, each Project Manager shall be available
to meet monthly, unless otherwise mutually agreed, to review and plan the Deliverables
being provided under this Contract.
1.10.2 Review Meetings

During the review meetings the Project Managers shall discuss progress made by the
Contractor in the performance of this Contract. Each party shall provide a status report,
as desired by a Project Manager, listing any problem or concern encountered since the last
15
meeting. Records of such reports and other communications issued in writing during the
course of Contract performance shall be maintained by each party.
1.10.3 Reports
At the next scheduled meeting after which any party has identified in writing a problem,
the party responsible for resolving the problem shall provide a report setting forth
activities undertaken, or to be undertaken, to resolve the problem, together with the
anticipated completion dates of such activities. Any party may recommend alternative
courses of action or changes that will facilitate problem resolution. For as long as a
problem remains unresolved, written reports shall identify:
1.10.3.1 Any event not within the control of the Contractor or the Agency that accounts
for the problem;
1.10.3.2 Modifications to the Contract agreed to by the parties in order to remedy or

solve the identified problem;
1.10.3.3 Damages allegedly incurred (which in no event shall constitute an admission or

legally-binding determination with respect to damages) as a result of any party's
failure to perform its obligations under this Contract; and
1.10.3.4 Any request or demand by one party that another party believes is not included
within the terms of this Contract.
1.10.4 Problem Reporting Omissions

The Agency’s acceptance of a problem report shall not relieve the Contractor of any
obligation under this Contract or waive any other remedy under this Contract or at law or
equity that the Agency may have. The Agency’s failure to identify the extent of a problem
or the extent of damages incurred as a result of a problem shall not act as a waiver of
performance or damages under this Contract. Where other provisions of this Contract
require notification of an event in writing, the written report shall be considered a valid
notice under this Contract provided the parties required to receive notice are notified.
1.10.5 Change Order Procedure

The Agency may at any time request a modification to the Scope of Work using a change
order. The following procedures for a change order shall be followed:
1.10.5.1 Written Request: The Agency shall specify in writing the desired modifications
to the same degree of specificity as in the original Scope of Work.
1.10.5.2 The Contractor’s Response: The Contractor shall submit to the Agency a firm
cost proposal for the requested change order within five (5) business days of
receiving the change order request.
1.10.5.3 Acceptance of the Contractor Estimate: If the Agency accepts the cost proposal
presented by the Contractor, the Contractor shall provide the modified
Deliverable subject to the cost proposal included in the Contractor response.
16
The Contractor’s provision of the modified deliverables shall be governed by the
terms and conditions of this Contract.
1.10.5.4 Adjustment to Compensation: The parties acknowledge that a change order for
this Contract may or may not entitle the Contractor to an equitable adjustment
in the Contractor’s compensation or the performance deadlines under this
Contract.
1.11 Legislative Changes

The Contractor expressly acknowledges that the contracted Deliverables are subject to legislative
change by either the federal or state government. Should either legislative body enact measures
which alter the project, the Contractor shall not hold the Agency liable in any manner for the
resulting changes. The Agency shall use best efforts to provide thirty (30) days’ written notice to
the Contractor of any legislative change. During the thirty (30)-day period, the parties shall meet
and make a good faith effort to agree upon changes to the Contract to address the legislative
change. Nothing in this Subsection shall affect or impair the Agency’s right to terminate the
Contract pursuant to the termination provisions.
1.12 Intellectual Property
1.12.1 State Intellectual Property

The State shall retain all right, title and interest in and to (i) all content and all property,
data and information furnished by or on behalf of the State or any agency, and to all
information that is created under this Contract, including, but not limited to, all data that
is generated under this Contract as a result of the use by Contractor, the State or any third
party of any technology systems or knowledge bases that are developed for the State and
used by Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State
trademarks, trade names, logos and other State identifiers, Internet uniform resource
locators, State user name or names, Internet addresses and e-mail addresses obtained or
developed pursuant to this Contract (collectively, “State Intellectual Property”).
Contractor may not collect, access or use State Intellectual Property for any purpose other
than as specified in this Contract. Upon expiration or termination of this Contract,
Contractor shall return or destroy all State Intellectual Property and all copies thereof, and
Contractor shall have no further right or license to such State Intellectual Property.
Contractor acquires no rights or licenses, including, without limitation, intellectual property

rights or licenses, to use State Intellectual Property for its own purposes. In no event shall
the Contractor claim any security interest in State Intellectual Property.
1.12.2 Waiver
To the extent any of Contractor’s rights in any Customer-Owned Deliverables are not
subject to assignment or transfer hereunder, including any moral rights and any rights of
attribution and of integrity, Contractor hereby irrevocably and unconditionally waives all
such rights and enforcement thereof and agrees not to challenge the State’s rights in and
to the Customer-Owned Deliverables.
17
1.12.3 Contractor Intellectual Property
As between the parties hereto, Contractor and its third-party suppliers are and shall remain
the sole owners of all intellectual property rights in the System, the Application Services,
all intellectual property underlying the System and Application Services, and all intellectual
property used to produce the other Deliverables pursuant to this Contract (but provided
that the State will still own the ultimate Customer-Owned Deliverables, if any, and
Customer Property that are produced pursuant to this Contract). The State’s rights in the
Application Services are limited to the license set forth in Section 2.10.2 of this Contract.
The State and Agency shall not assert any right in Contractor’s intellectual property other
than the license expressly granted in this Contract and shall not use or attempt to use the
Application Services in excess of the scope of license granted by this Contract. The State
and Agency shall not acquire any other rights in any intellectual property or Deliverables
arising out of this Contract or the performance thereof, except that Customer-Owned
Deliverables, including certain reports and the like that are created by Contractor and are
specific to the Services under this Contract, shall be the property of the Agency or the State.
In any event, Agency’s or the State’s ownership of such reports shall not transfer any
ownership rights in the System, the Application Services, or related intellectual property.
1.12.4 Further Assurances

At the Agency’s request, Contractor will execute and deliver such instruments and take
such other action as may be requested by the Agency to establish, perfect or protect the
State’s rights in and to the Deliverables and to carry out the assignments, transfers and
conveyances set forth in this Contract.
1.13 Warranties
1.13.1 Construction of Warranties Expressed IN THIS Contract with Warranties Implied by Law
Warranties made by the CONTRACTOR in this Contract, whether: (1) this Contract
specifically denominates the Contractor's promise as a warranty; or (2) the warranty is
created by the Contractor's affirmation or promise, by a description of the Deliverables to
be provided, or by provision of samples to the Agency, shall not be construed as limiting
or negating any warranty provided by law, including without limitation, WARRANTIES that
arise through course of dealing or usage of trade. The WARRANTIES expressed in this
Contract are intended to modify the warranties implied by law only to the extent that they
expand the warranties applicable to the Deliverables provided by the Contractor. The
provisions of this section apply during the term of this Contract and ANY extensions or
renewals thereof.
1.13.2 Contractor represents and warrants that: (1) all Deliverables shall be wholly original with
and prepared solely by Contractor; or it owns, possesses, holds, and has received or
secured all rights, permits, permissions, licenses and authority necessary to provide the
Deliverables to the Agency hereunder and to assign, grant and convey the rights, benefits,
licenses and other rights assigned, granted or conveyed to the Agency hereunder or under
any license agreement related hereto without violating any rights of any third party; (2)
Contractor has not previously and will not grant any rights in any Deliverables to any third
party that are inconsistent with the rights granted to the Agency herein; and (3) the
Agency shall peacefully and quietly have, hold, possess, use and enjoy the Deliverables
18
without suit, disruption or interruption.
1.13.3 Contractor represents and warrants that: (1) the Deliverables (and all intellectual
property rights and proprietary rights arising out of, embodied in, or related to such
Deliverables); and (2) the Agency’s use of, and exercise of any rights with respect to, the
Deliverables (and all intellectual property rights and proprietary rights arising out of,
embodied in, or related to such Deliverables), do not and will not, under any
circumstances, misappropriate a trade secret or infringe upon or violate any copyright,
patent, trademark, trade dress or other intellectual property right, proprietary right or
personal right of any third party. Contractor further represents and warrants there is no
pending or threatened claim, litigation or action that is based on a claim of infringement
or violation of an intellectual property right, proprietary right or personal right or
misappropriation of a trade secret related to the Deliverables. Contractor shall inform the
Agency in writing immediately upon becoming aware of any actual, potential or
threatened claim of or cause of action for infringement or violation or an intellectual
property right, proprietary right, or personal right or misappropriation of a trade secret. If
such a claim or cause of action arises or is likely to arise, then Contractor shall, at the
Agency’s request and at the Contractor’s sole expense: (1) procure for the Agency the right
or license to continue to use the Deliverable at issue; (2) replace such Deliverable with a
functionally equivalent or superior Deliverable free of any such infringement, violation or
misappropriation; (3) modify or replace the affected portion of the Deliverable with a
functionally equivalent or superior Deliverable free of any such infringement, violation or
misappropriation; or (4) accept the return of the Deliverable at issue and refund to the
Agency all fees, charges and any other amounts paid by the Agency with respect to such
Deliverable. In addition, Contractor agrees to indemnify, defend, protect and hold
harmless the State and its officers, directors, employees, officials and agents as provided
in the Indemnification section of this Contract, including for any breach of the
representations and warranties made by Contractor in this section. The foregoing
remedies shall be in addition to and not exclusive of other remedies available to the
Agency and shall survive termination of this Contract.
1.13.4 Contractor represents and warrants that the Deliverables (in whole and in part) shall:
(1) be free from material Deficiencies; and (2) meet, conform to and operate in accordance
with all Specifications and in accordance with this Contract during the Warranty Period, as
defined in the Special Terms. During the Warranty Period Contractor shall, at its expense,
repair, correct or replace any Deliverable that contains or experiences material
Deficiencies or fails to meet, conform to or operate in accordance with Specifications
within five business days of receiving notice of such Deficiencies or failures from the
Agency or within such other period as the Agency specifies in the notice. In the event
Contractor is unable to repair, correct or replace such Deliverable to the Agency’s
satisfaction, Contractor shall refund the fees or other amounts paid for the Deliverables
and for any services related thereto. The foregoing shall not constitute an exclusive
remedy under this Contract, and the Agency shall be entitled to pursue any other available
contractual, legal or equitable remedies. Contractor shall be available at all reasonable
times to assist the Agency with questions, problems and concerns about the Deliverables,
to inform the Agency promptly of any known Deficiencies in any Deliverables, repair and
correct any Deliverables not performing in accordance with the warranties contained in
19
this Contract, notwithstanding that such Deliverable may have been accepted by the
Agency, and provide the Agency with all necessary materials with respect to such repaired
or corrected Deliverable.
1.13.5 Contractor represents, warrants and covenants that all services to be performed under
this Contract shall be performed in a professional, competent, diligent and workmanlike
manner by knowledgeable, trained and qualified personnel, all in accordance with the
terms and Specifications of this Contract and the standards of performance considered
generally acceptable in the industry for similar tasks and projects. In the absence of a
Specification for the performance of any portion of this Contract, the parties agree that
the applicable specification shall be the generally accepted industry standard. So long as
the Agency notifies Contractor of any services performed in violation of this standard,
Contractor shall re-perform the services at no cost to the Agency, such that the services
are rendered in the above-specified manner, or if the Contractor is unable to perform the
services as warranted, Contractor shall reimburse the Agency any fees or compensation
paid to Contractor for the unsatisfactory services.
1.13.6 Contractor represents and warrants that the Deliverables will comply with any applicable
federal, state, foreign and local laws, rules, regulations, codes, and ordinances in effect
during the term of this Contract, including applicable provisions of Section 508 of the
Rehabilitation Act of 1973, as amended, and all standards and requirements established
by the Architectural and Transportation Barriers Access Board, the Iowa Department of
Administrative Services, and Iowa Office of the Chief Information Officer.
1.13.7 Obligations Owed to Third Parties

The Contractor represents and warrants that all obligations owed to third parties with
respect to the activities contemplated to be undertaken by the Contractor pursuant to
this Contract are or will be fully satisfied by the Contractor so that the Agency will not have
any obligations with respect thereto.
1.14 Acceptance Testing

Except as otherwise specified in the Scope of Work, all Deliverables shall be subject to the Agency’s
Acceptance Testing and Acceptance, unless otherwise specified in the Statement of Work. Upon
completion of all work to be performed by Contractor with respect to any Deliverable, Contractor
shall deliver a written notice to the Agency certifying that the Deliverable meets and conforms to
applicable Specifications and is ready for the Agency to conduct Acceptance Tests; provided,
however, that Contractor shall pretest the Deliverable to determine that it meets and operates in
accordance with applicable Specifications prior to delivering such notice to the Agency. At the
Agency’s request, Contractor shall assist the Agency in performing Acceptance Tests at no
additional cost to the Agency. Within a reasonable period of time after the Agency has completed
its Acceptance Testing, the Agency shall provide Contractor with written notice of Acceptance or
Non-acceptance with respect to each Deliverable that was evaluated during such Acceptance
Testing. If the Agency determines that a Deliverable satisfies its Acceptance Tests, the Agency shall
provide Contractor with notice of Acceptance with respect to such Deliverable. If the Agency
determines that a Deliverable fails to satisfy its Acceptance Tests, the Agency shall provide
Contractor with notice of Non-acceptance with respect to such Deliverable. In the event the
Agency provides notice of Non-acceptance to Contractor with respect to any Deliverable,
20
Contractor shall correct and repair such Deliverable and submit it to the Agency within ten (10)
days of Contractor’s receipt of notice of Non-acceptance so that the Agency may re-conduct its
Acceptance Tests with respect to such Deliverable. In the event the Agency determines, after re-
conducting its Acceptance Tests with respect to any Deliverable that Contractor has attempted to
correct or repair pursuant to this section, that such Deliverable fails to satisfy its Acceptance Tests,
then the Agency shall have the continuing right, at its sole option, to:
1.14.1 Require Contractor to correct and repair such Deliverable within such period of time as the
Agency may specify in a written notice to Contractor;
1.14.2 Refuse to accept such Deliverable without penalty and without any obligation to pay any
fees or other amounts associated with such Deliverable (or receive a refund of any fees or
amounts already paid with respect to such Deliverable);
1.14.3 Accept such Deliverable on the condition that any fees or other amounts payable with
respect thereto shall be reduced or discounted to reflect, to the Agency’s satisfaction, the
Deficiencies present therein and any reduced value or functionality of such Deliverable or
the costs likely to be incurred by the Agency to correct such Deficiencies; or
1.14.4 Terminate this Contract and/or seek any and all available remedies, including damages.
Notwithstanding the provisions of Section 1.6.1 of this Contract, the Agency may terminate
this Contract pursuant to this section without providing Contractor with any notice or
opportunity to cure provided for in Section 1.6.1. The Agency’s right to exercise the
foregoing rights and remedies, including termination of this Contract, shall remain in effect
until Acceptance Tests are successfully completed to the Agency’s satisfaction and the
Agency has provided Contractor with written notice of Final Acceptance. If the Agency
determines that all Deliverables satisfy its Acceptance Tests, the Agency shall provide
Contractor with notice of Final Acceptance with respect to such Deliverables. Contractor’s
receipt of any notice of Acceptance, including Final Acceptance, with respect to any
Deliverable(s) shall not be construed as a waiver of any of the Agency’s rights to enforce the
terms of this Contract or require performance in the event Contractor breaches this Contract
or any Deficiency is later discovered with respect to such Deliverable(s).
1.15 Contract Administration
1.15.1 Independent Contractor

The status of the Contractor shall be that of an independent contractor. The Contractor,
its employees, agents and any subcontractors performing under this Contract are not
employees or agents of the State or any agency, division or department of the State simply
by virtue of work performed pursuant to this Contract. Neither the Contractor nor its
employees shall be considered employees of the Agency or the State for federal or state
tax purposes simply by virtue of work performed pursuant to this Contract. The Agency
will not withhold taxes on behalf of the Contractor (unless required by law).
1.15.2 Incorporation of Documents

To the extent this Contract arises out of an RFP, the parties acknowledge that the Contract
consists of these contract terms and conditions as well as the RFP and the Bid Proposal.
21
The RFP and the Bid Proposal are incorporated into the Contract by reference, except that
no objection or amendment by the Contractor to the provisions of the RFP shall be
incorporated by reference into the Contract unless the Agency has explicitly accepted the
Contractor’s objection or amendment in writing. If there is a conflict between the
Contract, the RFP and the Bid Proposal, the conflict shall be resolved according to the
following priority, ranked in descending order: (1) the Contract; (2) the RFP; (3) the Bid
Proposal.
1.15.3 Intent of References to Bid Documents

The references to the parties' obligations, which are contained in this Contract, are
intended to supplement or clarify the obligations as stated in the RFP and the Bid Proposal.
The failure of the parties to make reference to the terms of the RFP or the Bid Proposal in
this Contract shall not be construed as creating a conflict and will not relieve the
Contractor of the contractual obligations imposed by the terms of the RFP and the
Contractor’s Bid Proposal. The contractual obligations of the Agency cannot be implied
from the Bid Proposal.
1.15.4 Compliance with the Law; Nondiscrimination in Employment

The Contractor, its employees, agents, and subcontractors shall not engage in
discriminatory employment practices which are forbidden by federal or state law,
executive orders, and rules of the Iowa Department of Administrative Services. The
Contractor, its employees, agents, and subcontractors shall comply with all applicable
federal, state, and local laws, rules, ordinances, regulations, orders when performing
under the Contract, including without limitation, all laws applicable to the prevention of
discrimination in employment (e.g., Iowa Code chapter 216 and section 19B.7) and the
use of targeted small businesses as subcontractors and suppliers. Upon the State’s written
request, the Contractor shall submit to the State a copy of its affirmative action plan,
containing goals and time specifications, and accessibility plans and policies as required
under Iowa Administrative Code chapter 11—121.
The Contractor, its employees, agents and subcontractors shall also comply with all
federal, state, and local laws, including any permitting and licensure requirements, in
carrying out the work performed under this Contract.
In the event Contractor contracts with third parties for the performance of any of the
Contractor obligations under this Contract as set forth in section 1.15.11, Contractor shall
take such steps as necessary to ensure such third parties are bound by the terms and
conditions contained in this section.
This funding for this Contract is not being provided through a grant from the Federal
Government.
1.15.5 Procurement
Contractor shall use procurement procedures that comply with all applicable federal,
state, and local laws and regulations.
22
1.15.6 Non-Exclusive Rights
This Contract is not exclusive. The Agency reserves the right to select other contractors to
provide Deliverables similar or identical to those described in the Scope of Work during
the term of this Contract.
1.15.7 Non-Supplanting Requirement

To the extent required by state or federal law, federal and state funds made available
under this Contract shall be used to supplement and increase the level of state, local and
other non-federal funds that would in the absence of such federal and state funds be
made available for the programs and activities for which funds are provided and will in no
event take the place of state, local and other non-federal funds.
1.15.8 Compliance with Iowa Code chapter 8F

If the Contract is subject to the provisions of Iowa Code chapter 8F, the Contractor shall
comply with Iowa Code chapter 8F with respect to any subcontracts it enters into pursuant
to this Contract. Any compliance documentation, including but not limited to
certifications, received from subcontractors by the Contractor shall be forwarded to the
Agency.
1.15.9 Amendments
This Contract may be amended in writing from time to time by mutual consent of the
parties. Amendments to the General Terms for Services Contracts may appear in the
Special Terms.
1.15.10 Third Party Beneficiaries

There are no third-party beneficiaries to this Contract. This Contract is intended only to
benefit the State and the Contractor.
1.15.11 Use of Third Parties

The Agency acknowledges that the Contractor may contract with third parties for the
performance of any of the Contractor’s obligations under this Contract. The Contractor
shall notify the Agency in writing of all subcontracts relating to Deliverables to be provided
under this Contract prior to the time the subcontract(s) become effective. The Agency
reserves the right to review and approve all subcontracts. The Contractor may enter into
these contracts to complete the project provided that the Contractor remains responsible
for all Deliverables provided under this Contract. All restrictions, obligations and
responsibilities of the Contractor under this Contract shall also apply to the subcontractors
and the Contractor shall include in all of its subcontracts a clause that so states. The
Agency shall have the right to request the removal of a subcontractor from the Contract
for good cause.
1.15.12 Choice of Law and Forum

The laws of the State of Iowa shall govern and determine all matters arising out of or in
connection with this Contract without regard to the conflict of law provisions of Iowa law.
Any and all litigation commenced in connection with this Contract shall be brought and
maintained solely in Polk County District Court for the State of Iowa, Des Moines, Iowa, or
in the United States District Court for the Southern District of Iowa, Central Division, Des
23
Moines, Iowa, wherever jurisdiction is appropriate. This provision shall not be construed
as waiving any immunity to suit or liability including without limitation sovereign
immunity in State or Federal court, which may be available to the Agency or the State of
Iowa.
1.15.13 Assignment and Delegation

Contractor may not assign, transfer or convey in whole or in part this Contract without the
prior written consent of the Agency. For the purpose of construing this clause, a transfer
of a controlling interest in the Contractor shall be considered an assignment. The
Contractor may not delegate any of its obligations or duties under this Contract without
the prior written consent of the Agency. The Contractor may not assign, pledge as
collateral, grant a security interest in, create a lien against, or otherwise encumber any
payments that may or will be made to the Contractor under this Contract.
1.15.14 Integration
This Contract represents the entire Contract between the parties. The parties shall not rely
on any representation that may have been made which is not included in this Contract.
1.15.15 Headings or Captions

The paragraph headings or captions used in this Contract are for identification purposes
only and do not limit or construe the contents of the paragraphs.
1.15.16 Not a Joint Venture

Nothing in this Contract shall be construed as creating or constituting the relationship of
a partnership, joint venture, (or other association of any kind or agent and principal
relationship) between the parties hereto. Each party shall be deemed to be an
independent contractor contracting for services and acting toward the mutual benefits
expected to be derived herefrom. No party, unless otherwise specifically provided for
herein, has the authority to enter into any contract or create an obligation or liability on
behalf of, in the name of, or binding upon another party to this Contract.
1.15.17 Joint and Several Liability

If the Contractor is a joint entity, consisting of more than one individual, partnership,
corporation or other business organization, all such entities shall be jointly and severally
liable for carrying out the activities and obligations of this Contract, and for any default of
activities and obligations.
1.15.18 Supersedes Former Contracts or Agreements

This Contract supersedes all prior contracts or agreements between the Agency and the
Contractor for the Deliverables to be provided in connection with this Contract.
1.15.19 Waiver
Except as specifically provided for in a waiver signed by duly authorized representatives
of the Agency and the Contractor, failure by either party at any time to require
performance by the other party or to claim a breach of any provision of the Contract shall
not be construed as affecting any subsequent right to require performance or to claim a
breach.
24
1.15.20 Notice
Any and all notices, designations, consents, offers, acceptances or any other
communication provided for herein shall be given in writing by a reliable carrier which
shall be addressed to the person who signed the Contract on behalf of the party at the
address identified in the Contract Declarations & Execution Page(s) at the address
specified on the forms. Each such notice shall be deemed to have been provided:
1.15.20.1 At the time it is actually received; or,
1.15.20.2 Within one day in the case of overnight hand delivery, courier or services such
as Federal Express with guaranteed next day delivery; or,
1.15.20.3 Within five (5) days after it is deposited in the U.S. Mail in the case of registered
U.S. Mail. From time to time, the parties may change the name and address of
a party designated to receive notice. Such change of the designated person shall
be in writing to the other party and as provided herein.
1.15.21 Cumulative Rights

The various rights, powers, options, elections and remedies of any party provided in this
Contract, shall be construed as cumulative and not one of them is exclusive of the others
or exclusive of any rights, remedies or priorities allowed either party by law, and shall in
no way affect or impair the right of any party to pursue any other equitable or legal
remedy to which any party may be entitled.
1.15.22 Severability
If any provision of this Contract is determined by a court of competent jurisdiction to be
invalid or unenforceable, such determination shall not affect the validity or enforceability
of any other part or provision of this Contract.
1.15.23 Time is of the Essence

Time is of the essence with respect to the Contractor’s performance of the terms of this
Contract. Contractor shall ensure that all personnel providing Deliverables to the Agency
are responsive to the Agency’s requirements and requests in all respects.
1.15.24 Authorization
Contractor represents and warrants that:
1.15.24.1 It has the right, power and authority to enter into and perform its obligations
under this Contract.
1.15.24.2 It has taken all requisite action (corporate, statutory or otherwise) to approve
execution, delivery and performance of this Contract, and this Contract
constitutes a legal, valid and binding obligation upon itself in accordance with
its terms.
1.15.25 Successors in Interest
25
All the terms, provisions, and conditions of the Contract shall be binding upon and inure
to the benefit of the parties hereto and their respective successors, assigns and legal
representatives.
1.15.26 Records Retention and Access

The Contractor shall maintain accurate, current, and complete records of the financial
activity of this Contract which sufficiently and properly document and calculate all charges
billed to the Agency throughout the term of this Contract and for a period of at least five
(5) years following the date of final payment or completion of any required audit
(whichever is later). If any litigation, claim, negotiation, audit or other action involving the
records has been started before the expiration of the five (5) year period, the records must
be retained until completion of the action and resolution of all issues which arise from it,
or until the end of the regular five (5) year period, whichever is later. The Contractor shall
permit the Agency, the Auditor of the State or any other authorized representative of the
State and where federal funds are involved, the Comptroller General of the United States
or any other authorized representative of the United States government, to access and
examine, audit, excerpt and transcribe any directly pertinent books, documents, papers,
electronic or optically stored and created records or other records of the Contractor
relating to orders, invoices or payments or any other documentation or materials
pertaining to this Contract, wherever such records may be located. The Contractor shall
not impose a charge for audit or examination of the Contractor’s books and records. Based
on the audit findings, the Agency reserves the right to address the Contractor’s board or
other managing entity regarding performance and expenditures.
1.15.26.1 Records of financial activity shall include records that adequately identify the
source and application of funds. When the terms of this Contract require
matching funds, cash contributions made by the Contractor and third party in-
kind (property or service) contributions must be verifiable from the Contractor’s
records. These records must contain information pertaining to contract amount,
obligations, unobligated balances, assets, liabilities, expenditures, income, and
third-party reimbursements.
1.15.26.2 The Contractor shall maintain accounting records supported by source

documentation that may include but are not limited to cancelled checks, paid
bills, payroll, time and attendance records, and contract award documents.
1.15.26.3 The Contractor, in maintaining project expenditure accounts, records and

reports, shall make any necessary adjustments to reflect refunds, credits,
underpayments or overpayments, as well as any adjustments resulting from
administrative or compliance reviews and audits. Such adjustments shall be set
forth in the financial reports filed with the Agency.
1.15.26.4 The Contractor shall maintain a sufficient record keeping system to provide the
necessary data for the purposes of planning, monitoring and evaluating its
program.
1.15.26.5 The Contractor shall retain all medical records for a period of six (6) years from
26
the last date of service for each patient; or in the case of a minor patient or
client, for a period consistent with that established by Iowa Code section
614.1(9). Client records, which are non-medical, must be maintained for a
period of five (5) years.
1.15.27 Audits or Examination of Records
1.15.27.1 Contractors that expend $750,000 or more in a fiscal year in federal awards
(from all sources) shall have a single audit conducted for that year in accordance
with the provisions of OMB Uniform Administrative Requirements, Cost
Principles, and Audit Requirements. Single audits must be completed and the
data collection form and reporting package must be submitted electronically to
the Federal Audit Clearinghouse within the earlier of thirty (30) calendar days
after Contractor’s receipt of the auditor’s report(s), or nine months after the
end of the audit period. The Contractor shall submit to the Agency one (1) copy
of the separate letter to management addressing non-material findings, if
provided by the auditor, promptly following receipt by Contractor. Contractor
shall also submit one (1) copy of the final audit report to the Agency within thirty
(30) days after Contractor’s receipt thereof, if either the schedule of findings
and questioned costs or the summary schedule of prior audit findings includes
any audit findings related to federal awards provided by the Agency. The
requirements of this subsection shall apply to the Contractor as well as any
subcontractors.
1.15.27.2 If a Contractor is independently audited but is not required to submit the audit
report per the criteria in subsection 1.15.27.1 above, the Contractor shall
submit to the Agency one (1) copy of the separate letter to management
addressing non-material findings, if provided by the auditor, promptly following
receipt by Contractor. Within fifteen (15) days following Agency’s request, the
Contractor shall also submit one (1) copy of the final audit report to the Agency.
1.15.27.3 The Agency may require, at any time and at its sole discretion, that recipients of
non-federal and/or federal funds have an audit performed. The Contractor shall
submit one (1) copy of the audit report to the Agency within thirty (30) days of
its issuance, unless specific exemption is granted in writing by the Agency. The
Contractor shall submit with the audit report a copy of the separate letter to
management addressing non-material findings, if provided by the auditor. The
Contractor may be required to comply with other prescribed compliance and
review procedures.
1.15.27.4 The Contractor shall be solely responsible for the cost of any required audit
unless otherwise agreed in writing by the Agency.
1.15.28 Qualifications of Staff

The Contractor shall be responsible for assuring that all persons, whether they are
employees, agents, subcontractors or anyone acting for or on behalf of the Contractor,
are properly licensed, certified or accredited as required under applicable state law and
27
the Iowa Administrative Code. The Contractor shall provide standards for service providers
who are not otherwise licensed, certified or accredited under state law or the Iowa
Administrative Code.
1.15.29 Solicitation
The Contractor represents and warrants that no person or selling agency has been
employed or retained to solicit and secure this Contract upon an agreement or
understanding for commission, percentage, brokerage or contingency excepting bona fide
employees or selling agents maintained for the purpose of securing business.
1.15.30 Obligations Beyond Contract Term

This Contract shall remain in full force and effect to the end of the specified term or until
terminated pursuant to this Contract. All obligations of the Agency and the Contractor
incurred or existing under this Contract as of the date of expiration or termination will
survive the termination or expiration of this Contract.
1.15.31 Counterparts
The parties agree that this Contract has been or may be executed in several counterparts,
each of which shall be deemed an original and all such counterparts shall together
constitute one and the same instrument.
1.15.32 Delays or Impossibility of Performance

Neither party shall be in default under the Contract if performance is prevented, delayed
or made impossible to the extent that such prevention, delay, or impossibility is caused
by a “force majeure.” The term “force majeure” as used in this Contract includes an event
that no human foresight could anticipate or which if anticipated, is incapable of being
avoided. Circumstances must be abnormal and unforeseeable, so that the consequences
could not have been avoided through the exercise of all due care, such as acts of God, war,
civil disturbance and other similar causes. The delay or impossibility of performance must
be beyond the control and without the fault or negligence of the parties. “Force majeure”
does not include: financial difficulties of the Contractor or any parent, subsidiary, affiliated
or associated company of Contractor; claims or court orders that restrict Contractor’s
ability to deliver the Deliverables contemplated by this Contract; strikes; labor unrest; or
supply chain disruptions. If delay results from a subcontractor’s conduct, negligence or
failure to perform, the Contractor shall not be excused from compliance with the terms
and obligations of the Contract unless the subcontractor or supplier is prevented from
timely performance by a “force majeure” as defined in this Contract. If a “force majeure”
delays or prevents the Contractor’s performance, the Contractor shall immediately use its
best efforts to directly provide alternate, and to the extent possible, comparable
performance. Comparability of performance and the possibility of comparable
performance shall be determined solely by the Agency. The party seeking to exercise this
provision and not perform or delay performance pursuant to a “force majeure” shall
immediately notify the other party of the occurrence and reason for the delay. The parties
shall make every effort to minimize the time of nonperformance and the scope of work
not being performed due to the unforeseen events. Dates by which performance
obligations are scheduled to be met will be extended only for a period of time equal to
the time lost due to any delay so caused.
28
1.15.33 Suspensions and Debarment
The Contractor certifies pursuant to 48 CFR Part 9 that neither it nor its principles are
presently debarred, suspended, proposed for debarment, declared ineligible, or
voluntarily excluded from participation in this Contract by any federal Agency or State
Agency. The Contractor certifies that it is not presently debarred, suspended, proposed
for debarment, declared ineligible, or voluntarily excluded from participation in any
contracts with the State of Iowa.
1.15.34 Conflict of Interest

Contractor represents, warrants, and covenants that no relationship exists or will exist
during the Contract period between the Contractor and the Agency that is a conflict of
interest. No employee, officer or agent of the Contractor or subcontractor shall participate
in the selection or in the award or administration of a subcontract if a conflict of interest,
real or apparent, exists. The provisions of Iowa Code ch. 68B shall apply to this Contract.
If a conflict of interest is proven to the Agency, the Agency may terminate this Contract,
and the Contractor shall be liable for any excess costs to the Agency as a result of the
conflict of interest. The Contractor shall establish safeguards to prevent employees,
consultants, or members of governing bodies from using their positions for purposes that
are, or give the appearance of being, motivated by the desire for private gain for
themselves or others with whom they have family, business, or other ties. The Contractor
shall report any potential, real, or apparent conflict of interest to the Agency.
1.15.35 Certification Regarding Sales and Use Tax

By executing this Contract, the Contractor certifies it is either (a) registered with the Iowa
Department of Revenue, collects, and remits Iowa sales and use taxes as required by Iowa
Code chapter 423; or (b) not a “retailer” or a “retailer maintaining a place of business in
this state” as those terms are defined in Iowa Code subsections 423.1(47) & (48). The
Contractor also acknowledges that the Agency may declare the Contract void if the above
certification is false. The Contractor also understands that fraudulent certification may
result in the Agency or its representative filing for damages for breach of contract.
1.15.36 Right to Address the Board of Directors or Other Managing Entity

The Agency reserves the right to address the Contractor’s board of directors or other
managing entity of the Contractor regarding performance, expenditures and any other
issue as appropriate. The Agency determines appropriateness.
1.15.37 Repayment Obligation

In the event that any State and/or federal funds are deferred and/or disallowed as a result
of any audits or expended in violation of the laws applicable to the expenditure of such
funds, the Contractor shall be liable to the Agency for the full amount of any claim
disallowed and for all related penalties incurred. The requirements of this paragraph shall
apply to the Contractor as well as any subcontractors.
1.15.38 Further Assurances and Corrective Instruments

The parties agree that they will, from time to time, execute, acknowledge and deliver, or
cause to be executed, acknowledged and delivered, such amendments hereto and such
29
further instruments as may reasonably be required for carrying out the expressed
intention of this Contract.
1.15.39 Reporting Requirements

If this Contract permits other State agencies and political subdivisions to make purchases
off of the Contract, the Contractor shall keep a record of the purchases made pursuant to
the Contract and shall submit a report to the Agency on a quarterly basis. The report shall
identify all of the State agencies and political subdivisions making purchases off of this
Contract and the quantities purchased pursuant to the Contract during the reporting
period.
1.15.40 Immunity from Liability

Every person who is a party to the Contract is hereby notified and agrees that the State,
the Agency, and all of their employees, agents, successors, and assigns are immune from
liability and suit for or from Contractor’s and/or subcontractors’ activities involving third
parties and arising from the Contract.
1.15.41 Public Records

The laws of the State require procurement records to be made public unless otherwise
provided by law.
1.15.42 Use of Name or Intellectual Property

Contractor agrees it will not use the Agency and/or State’s name or any of their intellectual
property, including but not limited to, any State, state agency, board or commission
trademarks or logos in any manner, including commercial advertising or as a business
reference, without the expressed prior written consent of the Agency and/or the State.
1.15.43 Taxes
The State is exempt from Federal excise taxes, and no payment will be made for any taxes
levied on Contractor’s employee’s wages. The State is exempt from State and local sales
and use taxes on the Deliverables.
1.15.44 No Minimums Guaranteed

does not guarantee any minimum level of purchases or any minimum amount of
compensation.
30
SECTION 2
Special Terms
2.1 [RESERVED]
2.2 Compliance with Law

Contractor represents, warrants, covenants, and promises that Contractor, Contractor
subcontractors, and Contractor Personnel have complied with, and shall continue to comply with,
and, to the extent applicable, the Deliverables will comply with all applicable federal, state, foreign,
and local laws, rules, regulations, codes, standards, ordinances, and orders, both generally and in
connection with the performance of any General Terms, including, to the extent applicable to
Contractor by their terms, the following:
2.2.1 Those prohibiting discriminatory employment practices or related to equal opportunity in

employment or affirmative action under federal or state law, rules, regulations, or orders,
including Iowa Code chapter 216 and section 19B.7 and the rules of the Iowa Department
of Administrative Services and the Iowa Civil Rights Commission. Upon the applicable
Governmental Entity’s or its designee’s written request, Contractor shall submit a copy of
its affirmative action plan, containing goals, time specifications, accessibility plans, and
policies as required by Iowa Administrative Code chapter 11—121.
2.2.2 Those requiring the use of targeted small businesses as subcontractors and suppliers in
connection with government contracts.
2.2.3 Those pertaining to any permitting and licensure requirements in carrying out the work
performed under any General Terms.
2.2.4 Those relating to prevailing wages, occupational safety and health standards, payment of
taxes, gift laws, and lobbying laws.
2.2.5 Applicable provisions of Section 508 of the Rehabilitation Act of 1973, as amended, including
Web Content Accessibility Guidelines (WCAG) 2.0, including any amendments thereto or any
subsequent versions thereof, and all standards and requirements established by the
Architectural and Transportation Barriers Access Board.
2.2.6 All applicable I.T. Governance Document(s).
2.2.7 To the extent a portion of the funding used to pay for the Deliverables is being provided
through a grant from the Federal Government, any applicable federal requirements,
including those found at 2 CFR 200.
Contractor shall take such steps as necessary to ensure Contractor’s subcontractors and
Contractor Personnel are bound by the terms and conditions contained in this Section.
Notwithstanding anything in this Amendment or any General Terms to the contrary,
Contractor, Contractor subcontractors, and Contractor Personnel’s failure to fulfill any
requirement set forth in this Section shall be regarded as a material breach and the
applicable Governmental Entity may cancel, terminate, or suspend, in whole or in part any
31
General Terms, in whole or in part. In addition, Contractor may be declared ineligible for
future State contracts in accordance with authorized procedures or Contractor may be
subject to other sanctions as provided by law or rule.
2.3 Confidential Information
2.3.1 Contractor’s Treatment of Confidential Information
2.3.1.1 Limited Access

Customer Data shall at all times remain the property of the applicable
Governmental Entity, and the applicable Governmental Entity shall retain
exclusive rights thereto and ownership thereof. Contractor, Contractor’s
subcontractors, and Contractor Personnel may have access to Customer Data
solely to the extent necessary to carry out their duties under any General Terms.
Contractor, Contractor’s subcontractors, or Contractor Personnel shall presume
all Customer Data is considered confidential, hold all Customer Data in the
strictest confidence, and use and permit use of Customer Data solely for the
purposes of providing Deliverables under any General Terms, subject to any
restrictions set forth herein or in any state and federal laws, rules, regulations,
standards, and orders applicable either during the Term or thereafter. Contractor,
Contractor’s subcontractors, and Contractor Personnel shall not gather, store, log,
archive, use, or otherwise retain Customer Data in any manner other than as
expressly authorized by any General Terms, and will not disclose, distribute, sell,
commercially or politically exploit, share, rent, assign, lease, or otherwise transfer
or disseminate Customer Data to any Third Party, except as expressly permitted
hereunder or as Contractor may be expressly directed in advance in writing by the
applicable Governmental Entity. Contractor, Contractor’s subcontractors, and
Contractor Personnel shall not remove from any Governmental Entity’s facilities
or retain a copy of any Customer Data unless such removal or retention is
necessary to provide or perform Deliverables, to fulfill their obligations under any
General Terms, or is otherwise approved in writing by the applicable
Governmental Entity. Contractor will immediately report the unauthorized
disclosure of Customer Data to the applicable Governmental Entity.
2.3.1.2 Destruction or Return of Customer Data

On the applicable Governmental Entity’s written request or upon expiration or
termination of any General Terms for any reason, Contractor will promptly:
2.3.1.2.1 After providing notice to the applicable Governmental Entity and

subject to its prior written approval, return or destroy, at the
applicable Governmental Entity’s option, all Customer Data; and
2.3.1.2.2 Provide a notarized written statement to the applicable

Governmental Entity certifying all Customer Data has been returned
or destroyed to the Governmental Entity, whichever is applicable.
32
To the extent Contractor is required to destroy Customer Data pursuant to this
Section, Customer Data shall be permanently deleted and shall not be
recoverable, in accordance with National Institute of Standards and Technology
(“NIST”)-approved methods.
2.3.1.3 Compelled Disclosures

To the extent required by applicable law or by lawful order or requirement of a
court or governmental authority of competent jurisdiction over Contractor,
Contractor may disclose Customer Data to a Third Party in accordance with such
law, order, or requirement, subject to the following conditions:
2.3.1.3.1 As soon as becoming aware of such law, order, or requirement, and

no-less-than five (5) business days prior to disclosing Customer Data
pursuant thereto, Contractor will (unless prohibited by law) notify the
applicable Governmental Entity in writing, specifying the nature of
and circumstances surrounding the contemplated disclosure, and
forward any applicable process, including a subpoena, to the
appropriate Governmental Entity for its review.
2.3.1.3.2 Contractor will consult with the applicable Governmental Entity on

the advisability of taking legally-available steps to resist or narrow any
required response or disclosure.
2.3.1.3.3 Contractor will use best efforts not to release Customer Data pending
the outcome of any measures taken by the applicable Governmental
Entity to contest, oppose, or otherwise seek to limit such disclosure
by Contractor or any Third Party ultimately obtaining such Customer
Data. Contractor will cooperate with and provide assistance to the
applicable Governmental Entity regarding such measures.
2.3.1.3.4 Solely the extent Contractor is required to disclose Customer Data to

a Third Party, Contractor will furnish only such portion of Customer
Data as it is required to disclose and will exercise best efforts to obtain
an order or other reliable assurances that Customer Data will be held
in confidence by any Third Party to which it is disclosed.
2.3.1.3.5 Notwithstanding any such compelled disclosure by Contractor, such

compelled disclosure will not otherwise affect Contractor’s
obligations hereunder with respect to Customer Data so disclosed.
2.3.2 Treatment of Contractor’s Confidential Information
2.3.2.1 Safeguarding Obligation

Except as otherwise provided or contemplated herein, and subject to applicable
state, federal, and/or international laws, rules, regulations, or orders (including
Iowa Code Chapter 22 and any corresponding implementing rules, regulations, or
orders), Governmental Entities shall not disclose Contractor’s Confidential
33
Information to a Third Party (excluding other Governmental Entities and
Authorized Contractors) without the prior written consent of Contractor.
2.3.2.2 Destruction or Return of Contractor’s Confidential Information

On termination or expiration of any General Terms, the applicable Governmental
Entity shall, except to the extent otherwise required by applicable laws rules,
records retention schedules or regulations with the force of law, return or
destroy, at Contractor’s option, all of Contractor’s Confidential Information
(excluding items subject to any continuing licenses inuring to the benefit of the
applicable Governmental Entity hereunder or that are required for use of any
Deliverables).
2.3.2.3 Compelled Disclosures

Notwithstanding and in addition to the foregoing, Governmental Entities may
disclose Contractor’s Confidential Information:
2.3.2.3.1 To the extent required by any legal, judicial, regulatory, or

administrative proceedings, subpoena, summons, deposition,
interrogatory, requests for documents, order, ruling, civil
investigative demand, or other legal, administrative or regulatory
processes;
2.3.2.3.2 To the extent required by any applicable laws, rules, or regulations;
2.3.2.3.3 If the applicable Governmental Entity reasonably determines such

information is not a confidential record pursuant to Iowa Code
Section 22.7 or other applicable laws, rules, and regulations; or
2.3.2.3.4 If the applicable Governmental Entity, in the Governmental Entity’s

sole discretion, determines Contractor has not provided or is
unwilling to provide facts sufficient to enable the Governmental
Entity to make a determination as to whether such information
constitutes a confidential record under Iowa Code Section 22.7 or
other applicable laws, rule, and regulations.
Prior to disclosing any of Contractor’s Confidential Information as

permitted above, a Governmental Entity shall provide reasonable
notice to Contractor of the circumstances giving rise to such
disclosure. Contractor may, in its discretion, seek an appropriate
protective order, or otherwise defend any right it may have to
maintain the confidentiality of such information under applicable
State law within three business days of the State’s receipt of any such
request. Contractor agrees to indemnify and hold harmless the State
for any costs or expenses incurred by the State, including, but not
limited to attorneys’ fees awarded in accordance with Iowa Code
Chapter 22, in connection with any action brought in connection with
Contractor’s attempts to prevent or unreasonably delay public
34
disclosure of Contractor’s information if a final decision of a court of
competent jurisdiction determines that the State improperly
withheld such information and that the improper withholding was
based on Contractor’s attempts to prevent public disclosure of
Contractor’s information.
2.3.3 Ancillary Agreements and Non-Disclosure Agreements

Contractor or Contractor’s subcontractors will execute any applicable agreements to
address any compliance, legal, confidentiality, or privacy concerns relevant to this Contract,
including, but not limited to, applicable) Business Associate Agreement (“BAA”) or Criminal
Justice Information System (“CJIS”) Security Addendum.
2.3.4 Non-Exclusive Equitable Remedy

Each Party acknowledges and agrees that due to the unique nature of Confidential
Information there can be no adequate remedy at law for any breach of its obligations
hereunder, that any such breach or threatened breach may allow a Party or Third Parties to
unfairly compete with the other Party resulting in irreparable harm to such Party, and
therefore, that upon any such breach or any threat thereof, each Party, including any
Governmental Entity, will be entitled to appropriate equitable remedies, and may seek
injunctive relief from a court of competent jurisdiction without the necessity of proving
actual loss, in addition to whatever remedies either of them might have at law or equity.

Each party’s duties as set forth in this Section shall survive termination of this Agreement
and shall apply to all acts or omissions taken or made in connection with such party’s, or
such party’s personnel (including employees, sub-contractors, sub-sub-contractors, etc.)
performance of this Contract regardless of the date any potential claim is made or
discovered by a party.
2.4 Security
2.4.1 Compliance
Contractor and Contractor’s subcontractors shall comply with applicable state and federal
data security and privacy statutes, regulations, rules, and other applicable laws relating to
data security and privacy. Contractor further represents, warrants, and covenants that
Contractor and its personnel and subcontractors will ensure that the Services (including the
System and Application Services), will at all times comply with all applicable state and federal
IT standards, policies and guidelines, including, but not limited to those relating to security,
internet and the web, data backup, and the most current versions of standards and controls
provided at:
● NIST 800-53
● ISO/IEC 27001:2013
Annually throughout the Term of this Agreement, Contractor shall obtain and provide the
State with the following, at no additional cost to the State of Iowa: a) an independent, third-
party certificate of audit certifying that the Services comply with NIST 800-53, most current
version controls; b) ISO/IEC 27001: most current version of Certification; c) test or
35
assessment results of an independent, third party assessment of application scans using the
Open Web Application Security Project (OWASP) Top Ten List; d) test results of a penetration
test conducted by an independent, third-party firm; e) a copy of Contractor’s annual SOC 2
type 2 report (for all Trust Services Principles); and f) a Contractor produced remediation
plan resulting from items a through e, inclusive.
Upon the State’s request, Contractor shall also provide the State with a copy of a system
security plan (SSP), or other comparable report, for inspection by the State. The State shall
bear any and all costs incurred in connection with its inspection of the SSP. The State may,
in its sole discretion, utilize a third-party contractor to inspect the SSP; provided, however,
that the State shall be responsible for all costs associated with such inspection. The
inspection of the SSP shall be completed according to mutually agreeable terms and
timelines, but no less frequently than annually, unless agreed to by both parties in writing.
Contractor acknowledges and agrees that it will be subject to and bound by all of the terms
and provisions set forth in this Section and shall require and, to the extent applicable, cause
any subcontractor used by Contractor in connection with this Agreement to agree to be
subject to and bound by all of the foregoing. In addition, Contractor and its personnel and
subcontractors will ensure that all networks, servers, computer systems, hardware, IT
infrastructure and other hardware on which the Services are hosted, installed, operated,
processed, stored or otherwise located, comply with all such State of Iowa and federal IT
laws, rules, regulations, standards, policies and guidelines, and all of the other standards
and controls noted above.
2.4.2 Reporting
Contractor will notify the State of Iowa Security Operations Center at soc@iowa.gov and call
1.855.442.4357 within twenty-four (24) hours of Contractor’s discovery of any actual or
suspected breach of confidentiality, privacy or security (or any unauthorized access) with
regard to any Customer Data. Contractor shall provide such other information, including a
written report, as reasonably requested by the State.
2.4.3 Investigations and Remedies

In addition to Contractor’s other obligations under this Agreement, or under any law or
regulation, Contractor agrees, at its sole expense, to take all steps necessary to promptly
remedy any Security Breach and to fully cooperate with the State of Iowa in resolving such
Security Breach and mitigating any damage from such breach, contain the incident by
stopping the unauthorized practice, recover records, shut down the system that was
breached, revoke access and/or correct weaknesses in physical security. Contractor will
reasonably cooperate with the State of Iowa in investigating a Security Breach, including,
but not limited to, providing reasonable assistance to the State and reasonably assisting the
State in reviewing system, application, and access logs, conducting forensic audits of
relevant systems, imaging relevant media, and making personnel available for interview. On
notice of any confirmed Security Breach, Contractor will immediately institute appropriate
controls to maintain and preserve all electronic evidence relating to the breach in
accordance with industry best practices. Contractor will deliver to the State of Iowa a root
cause assessment and future incident mitigation plan with regard to any Security Breach.
Contractor will deliver a preliminary assessment and plan as soon as practical, and regularly
36
maintain and update such assessment and plan throughout the course of any investigation
based on any findings. Contractor agrees that, unless otherwise required by law, it will not
notify any regulatory authority or any User relating to any such Security Breach on behalf of
the State of Iowa unless the State of Iowa specifically requests in writing that Contractor do
so. Contractor and the State of Iowa will work together to formulate a plan to rectify all
Security Breaches.
2.4.4 Additional Procedures in the Event of Security Breach

Upon the State of Iowa’s determination that a breach of security (including but not limited
to any Breach of Security as defined in Iowa Code Chapter 715C and any other breach of
security as defined by any applicable law, rule, or regulation) involving or relating to any
State of Iowa Confidential Information has occurred or is reasonably possible, Contractor
shall fully cooperate with the State of Iowa in rectifying any breach or misuse, including
notifying all of the State of Iowa’s affected Users. The State of Iowa shall determine, in its
sole discretion, the content and means of delivery of the User notice. Notwithstanding any
provision in this Agreement to the contrary, Contractor will be solely responsible and liable
for all costs, expenses, damages, fines, penalties, taxes, assessments, legal fees, claims,
service fees and any and all other amounts of any kind or nature whatsoever (including,
without limitation, the reasonable value of time of the Iowa Attorney General’s Office and
the costs, expenses and attorney fees of other counsel retained by any Indemnitee) related
to, arising out of or incurred by or on behalf of the State of Iowa as a result of, any security
breach caused directly or indirectly, in whole or in part, by Contractor, its affiliates,
employees, or subcontractors, including, but not limited to, the costs of notifications of
affected individuals and businesses and any applicable regulators or governmental entities
(including, preparation, printing, mailing and delivery); the cost of opening and closing
accounts, printing new checks, embossing new cards; the costs of forensic and other audits,
investigations, public relations services, call center services, websites and toll-free numbers
for affected individuals; the costs of obtaining credit monitoring services and identity theft
insurance for any person or entity whose Personal Data has or may have been acquired or
compromised; and all other costs associated with corrective or other actions that are taken
to mitigate or address the security breach. Contractor will reimburse or pay to the State of
Iowa all such expenses, fees, damages and all other amounts within fifteen (15) business
days of the date of any written demand or request delivered by the State of Iowa to
Contractor.
2.4.5 Security Audits by the State of Iowa

During the Term, the State of Iowa or its third-party designee may, but is not obligated to,
perform audits of Contractor’s environment, including unannounced penetration and
security tests, as it relates to the receipt, maintenance, use or retention of the State of
Iowa’s Confidential Information. Any of the State of Iowa’s regulators (and any federal
agencies providing grant funds used to pay for Services, in whole or in part) shall have the
same right upon request. Contractor agrees to comply with all reasonable recommendations
that result from such inspections, tests, and audits within reasonable timeframes.
2.4.6 Security Testing; Compliance Audits

Contractor will periodically test its systems for potential areas where security could be
breached. During the Term, to the extent Contractor engages a third-party auditor to
37
perform an SSAE 16 of Contractor’s operations, information security program, and/or
disaster recovery/business continuity plan, Contractor shall promptly furnish a copy of the
test report or audit report to the State of Iowa. In addition, Contractor shall disclose its non-
proprietary security processes and technical limitations to the State of Iowa, such that
adequate protection and flexibility can be attained between the State of Iowa and
Contractor. For example, Contractor shall disclose its security processes with respect to
virus checking and port sniffing to the State of Iowa such that the State of Iowa is capable of
identifying necessary compensating controls to adequately safeguard and protect its data,
information, and systems. Required testing shall also include:
• Web application scanning:
• Before website goes to production;
• Annually; and
• When the system is updated.
• Vulnerability scanning\pen testing at least annually.
2.4.7 Data Ownership

All Customer Data shall be and remain the sole and exclusive property of the State of Iowa
including without limitation all data in any way provided, submitted, modified, processed,
abstracted, adapted, compiled, reproduced, utilized or altered by or on behalf of the State
of Iowa or any User (including but not limited to by or through Contractor on behalf of the
State of Iowa or any User, or in any way related to the State of Iowa’s or any User’s use of
the System or Application Services).
2.4.8 Data Protection

Protection of personal privacy and data shall be an integral part of the business activities of
Contractor to ensure there is no inappropriate or unauthorized use of the State of Iowa’s
Confidential Information at any time. To this end, Contractor shall safeguard the
confidentiality, integrity and availability of the State of Iowa’s Confidential Information. In
so doing, Contractor shall comply with the following conditions:
• Contractor shall implement and maintain appropriate administrative, technical and
organizational security measures to safeguard against unauthorized access, disclosure or
theft of State of Iowa Confidential Information. Such security measures shall be in
accordance with recognized industry practice (including the most current versions of NIST
800-53 and ISO27001 standards and controls) and not less stringent than the measures
the Contractor applies to its own personal data and non-public data of similar kind.
Additionally, such securities measures, to the extent applicable, shall comply with, and
shall enable the State to at all time comply fully with, all applicable federal, state, and local
laws, rules, ordinances, codes, regulations and orders related to such security measures
or other date security or safeguarding requirements, including but not limited to IRS
Publication 1075.
• All State of Iowa Confidential Information shall be encrypted at rest and in transit with
controlled access and shall utilize the most up to date version of TLS. Unless otherwise
expressly provided herein or otherwise agreed to by the Parties in writing, Contractor is
responsible for encryption of all State of Iowa Confidential Information. Additionally,
Contractor shall ensure hard drive encryption consistent with validated cryptography
standards as referenced in Federal Information Processing Standards (FIPS) 140-2,
38
Security Requirements for Cryptographic Modules for all Personal Data, unless the State
of Iowa approves in writing the storage of Personal Data on a Contractor portable device.
• At no time shall any State of Iowa Confidential Information be copied, disclosed or
retained by Contractor, any subcontractor, or any party related to Contractor for
subsequent use in any transaction that does not include the State of Iowa.
Contractor shall not use any State of Iowa Confidential Information collected, processed,
stored or transmitted in connection with the Services provided under this Agreement for
any purpose other than fulfilling Contractor’s express obligations and duties under this
Agreement.
2.4.9 [RESERVED]
2.4.10 Data Location

Contractor shall provide Services to the State of Iowa, Governmental Entities, and Users
solely from data centers located in the continental United States of America. Storage of
State of Iowa Confidential Information at data centers rest and all backups shall be located
solely in data centers located in the continental United States of America.
2.4.11 Background Checks

Contractor shall conduct nationwide criminal background checks and not utilize any staff,
including subcontractors, to fulfill the obligations of this Agreement who have been
convicted of any crime of dishonesty, including but not limited to criminal fraud, or
otherwise convicted of any felony or misdemeanor offense for which incarceration for up to
1 year is an authorized penalty. Contractor shall promote and maintain an awareness of the
importance of securing the State of Iowa Confidential Information among the Contractor’s
employees, affiliates, subcontractors, and agents.
2.4.12 [RESERVED]
2.4.13 [RESERVED]
2.4.14 [RESERVED]
2.4.15 [RESERVED]
2.4.16 This section, and Contractor’s duties, obligations and liability shall survive termination or
expiration of this Agreement.
2.5 Disaster Recovery/Business Continuity/Data Backup/Loss of Data
2.5.1 Creation, Maintenance and Testing

Contractor shall maintain a Business Continuity and Disaster Recovery Plan for the Services
(the “Plan”), and implement such plan in the event of any unplanned interruption of the
Services. On or before the Effective Date, Contractor shall provide the State of Iowa with a
copy of Contractor’s current Plan, revision history, and any reports or summaries relating to
past testing of the Plan. Contractor shall actively test, review, and update the Plan on at
least an annual basis using American Institute of Certified Public Accountants standards and
39
other industry best practices as guidance. Contractor shall promptly provide the State of
Iowa with copies of all reports and/or summaries resulting from any testing of the Plan and
with copies of all such updates to the Plan. All updates shall be subject to the requirements
of this Contract. Any future updates or revisions to the Plan shall be no less protective than
the plan in effect as of the Effective Date. Throughout the Term, Contractor shall maintain
disaster avoidance procedures designed to safeguard the State of Iowa's Confidential
Information and the data processing capability and availability of the Services.
2.5.2 Activation of Plan

Contractor shall immediately notify the State of Iowa Security Operations Center at and call
1.855.442.4357 of any disaster or other event in which the Plan is activated. If Contractor
fails to reinstate the Services within the periods of time set forth in the Plan, the State of
Iowa may in addition to any other remedies available hereunder, in its sole discretion,
immediately terminate this Agreement as a non-curable default. Without limiting
Contractor’s obligations under this Agreement, whenever a disaster causes Contractor to
allocate limited resources between or among Contractor’s customers, the State of Iowa shall
receive at least the same treatment as comparable Contractor customers with respect to
such limited resources.
2.5.3 Backup and Recovery

Contractor is responsible for maintaining a backup of State of Iowa Confidential Information.
Unless stated otherwise in this Contract, Contractor shall maintain a contemporaneous
backup of State of Iowa Confidential Information that may be recovered within two (2) hours
at any point in time. Contractor shall store a backup of State of Iowa Confidential
Information in an off-site “hardened” facility no less than daily, maintaining the security of
State of Iowa Confidential Information, and consistent with the security requirements set
forth in this Contract. To the extent applicable, any backups of State of Iowa Confidential
Information shall not be considered in calculating storage used by the State of Iowa.
2.5.4 Loss of Data

In the event of any act, error or omission, negligence, or misconduct that compromises or is
suspected to compromise the security, confidentiality, or integrity of State of Iowa
Confidential Information or the physical, technical, administrative, or organizational
safeguards put in place by Contractor or any of its Subcontractors related to the protection
of the security, confidentiality, or integrity of State of Iowa Confidential Information,
Contractor shall, in addition to any other remedies available pursuant to this Agreement, or
otherwise available at law or in equity, to the extent applicable: (a) notify the State of Iowa
Security Operations Center at and call 1.855.442.4357 as soon as practicable but no later
than two (2) hours of becoming aware of such occurrence; (b) send the State of Iowa written
confirmation within forty-eight (48) hours of discovery or notification of the occurrence; (c)
cooperate with the State of Iowa in investigating the occurrence, including, but not limited
to providing to the State and assisting the State in reviewing system, application, and access
logs, conducting forensic audits of relevant systems, imaging relevant media, and making
personnel available for interview; (d) indemnify and hold harmless the State of Iowa, State
Users, Governmental Entities, and their employees, officers, board members, agents,
representatives, and officials from and against any and all claims, actions, suits, liabilities,
damages, losses, settlements, demands, deficiencies, judgments, fines, penalties, taxes,
40
costs and expenses (including, without limitation, the reasonable value of time of the Iowa
Attorney General’s Office and the costs, expenses and attorney fees of other counsel
retained by any Indemnitee) directly or indirectly related to, resulting from, or arising out of
such occurrence; (e) be responsible for recreating lost State of Iowa Confidential
Information in the manner and on the schedule specified by the State of Iowa without
charge to the State of Iowa; and, (f) provide to the State of Iowa a detailed plan within ten
(10) calendar days of the occurrence describing the measures Contractor will undertake to
prevent a future occurrence.
2.5.5 This section, and Contractor’s duties, obligations and liability under this Section, shall survive
termination or expiration of this Agreement.
2.6 Industry Standards

Contractor shall render and perform services pursuant to this Contract in a professional and
workmanlike manner in accordance with the terms of this Contract and applicable professional
standards for similar tasks and projects. In the absence of a detailed specification for the
performance of any portion of this Contract, the parties agree the applicable specification shall be
the generally accepted industry standard.
2.7 Personnel to Perform the Services

As part of the consideration for this Contract, Agency is relying upon the personal skills of the key
individuals identified in the Contractor's proposal to perform the services described in the scope of
work. Except in the event of disability, illness, grave personal circumstances, or separation from
service, the Contractor must receive the Agency's written approval prior to making any substitutions
of key personnel who are identified herein as such by the Contractor during the term of this Contract
or any extensions thereof.
2.8 Nature of Services

It is understood and agreed the Contractor's services may include advice and recommendations, but
all decisions in connection with the implementation of such advice and recommendations shall be
the responsibility of, and made by, the Agency. In connection with its services hereunder, the
Contractor shall be entitled to rely upon all decisions and approvals of the Agency.
2.9 Cooperation
The Agency shall cooperate with the Contractor in the Contractor's performance of its services
hereunder, including, without limitation, providing the Contractor with reasonable facilities and
timely access to data, information and personnel of the Agency. The Agency shall be responsible for
the performance of its personnel and agents and for the accuracy and completeness of all data and
information provided by the Agency.
2.10 Services
2.10.1 Services Defined

In connection with this Agreement, Contractor will provide the State of Iowa, State Users,
and, to the extent applicable, Users, with access to and use of the Application Services and
perform and provide the Services, all as more particularly described herein and in the Scope
of Work.
41
2.10.2 Application Services
Subject to the terms and conditions of this Agreement, Contractor grants to the State of
Iowa, State Users and their Authorized Contractors for the State of Iowa’s business activities,
including without limitation the provision of information and services to State Users, Users
(to the extent applicable), and the federal government during the Term a non-exclusive
license to: (i) access, use and, to the extent applicable, maintain and support, the Application
Services solely for the functional purposes contemplated by the Scope of Work set forth in
Section 3 hereof; and (ii) access, use, reproduce and distribute Documentation solely in
connection with the use of the Application Services pursuant to the foregoing subclause (i).
2.10.3 Support Services

Contractor will provide Support Services as set forth in 2.10.9.
2.10.4 Software
To the extent Contractor provides or delivers any software to the State of Iowa in connection
with this Agreement for installation on the State of Iowa servers or personal computers or
laptops, the State of Iowa will have a non-exclusive license to use, maintain, modify, copy,
distribute and support the software solely in connection with its use of the Services as
contemplated hereunder. The State of Iowa shall not disassemble, decompile, or reverse
engineer the software or remove any proprietary notices thereon. The software will be
deemed part of and included in the definition of the Services.
2.10.5 Third-Party Intellectual Property

Any Third-Party Intellectual Property shall be deemed part of and included in the definition
of “Services” and subject to all terms and conditions of this Agreement relating to the
Services. The State of Iowa shall not be bound by any terms and conditions relating to the
Third-Party Intellectual Property unless such terms and conditions are expressly identified
by Contractor in, and attached to, Attachment 1 and agreed to by the State in writing.
2.10.6 Import and Export of Data

The State of Iowa shall have the ability to import or export data and information (including
but not limited to State of Iowa Confidential Information) in whole or in part from the
System at its discretion, at no charge to the State, and in such formats as may be acceptable
to the State or any State User, without interference from Contractor. This includes the ability
for the State of Iowa to import or export such information and data to/from other
contractors (including Authorized Contractors). In the event the State of Iowa is unable to
successfully import or export data and information in whole or in part from the System,
Contractor shall assist the State of Iowa in doing so upon the State of Iowa’s reasonable
request, at no additional cost.
2.10.7 [RESERVED]
2.10.8 Documentation
At no additional charge to the State of Iowa, Contractor shall provide the State of Iowa with
all Documentation relating to the Services. If the Documentation for the Services is revised
or supplemented at any time, Contractor shall promptly deliver a copy of such revised or
42
supplemental Documentation to the State of Iowa, at no additional cost. The State of Iowa
and State Users may, at any time, reproduce copies of all Documentation and other
materials provided by Contractor, distribute such copies to the State of Iowa personnel and
Authorized Contractors, and incorporate such copies into its own technical manuals,
provided that such reproduction relates to the State of Iowa’s and its personnel’s use of the
Services as permitted in this Agreement, and all copyright and trademark notices, if any, are
reproduced thereon. To the maximum extent available, Contractor shall deliver the
Documentation in electronic form to the State of Iowa, unless otherwise requested by the
State.
2.10.9 Support Services

Contractor shall provide the Support Services as follows:
2.10.9.1 Support Responsibilities

In addition to any warranty obligations of Contractor under this Agreement,
Contractor shall provide the Support Services described in Attachment 1,
including:
• Promptly correct any Error or any failure of the Services to perform in
accordance with the Specifications, including without limitation, defect repair,
programming corrections, and remedial programming, and provide such
services and repairs required to ensure that the Services operate properly and
conform to the Specifications on an ongoing basis during the Term of this
Agreement. If a request cannot be resolved within the Response Time,
Contractor shall escalate the request in accordance with the terms of
Attachment 1 – Service Level Agreement;
• Provide telephone support to State Users relating to the use and operation of
the Services and Error Correction. Such telephone support shall be available
twenty-four (24) hours a day, seven (7) days a week. All telephone support shall
be accessible to State Users through a toll-free phone number and shall be
provided by Contractor from within the continental United States;
• Provide online access to technical support bulletins and other user support
information and forums;
• Contractor may not provide technical user support on a 24/7 basis using a
Follow the Sun model.
2.10.9.2 Contractor’s Changes and Upgrades

Contractor may from time to time during the Term make available new
enhancements, upgrades, updates, versions, or releases of the Application
Services (collectively, “Changes”). Contractor shall provide the Changes to the
State of Iowa at no additional charge, cost, or expense. In the event of such
Changes, the new version of the Services will include at least the functionality,
level and quality of services that the State of Iowa previously received and shall
continue to comply with all of the requirements of this Agreement.
43
2.10.9.3 Support Not to be Withheld
Contractor will not under any circumstances withhold Support Services under this
Agreement even if there is a dispute (including but not limited to a payment
dispute) between the Parties under this Agreement.
2.11 Management and Control; Reporting
2.11.1 Contractor Manager

Contractor shall assign a manager (“Contractor Manager”) to manage Contractor’s
performance of the Services. The Contractor Manager shall be responsible for Contractor’s
day-to-day activities under this Agreement and for providing the State of Iowa reports. The
Contractor Manager shall also serve as Contractor’s liaison with the State of Iowa, assign
and schedule Contractor Personnel to perform all of the Services required by Contractor
under this Agreement, and act as Contractor’s initial representative for dispute resolution.
Any change of the Contractor Manager (other than death, disability or Contractor Manager’s
voluntary departure from Contractor) shall be subject to the State of Iowa’s (State of Iowa
Manager) prior approval, which approval shall not be unreasonably withheld or delayed.
2.11.2 Reports
The Contractor Manager and the State of Iowa Manager shall communicate at least once
every two (2) weeks (the “Status Report”). The communications shall include a conference
call or an in-person meeting (the “Status Meeting”) and a report from the appropriate
Contractor Personnel regarding:
• Overview of the Services occurring during the reporting period;
• Issues to be resolved;
• Issues resolved;
• Any other information that the State of Iowa or Contractor may, from time-to-time,
reasonably request in writing that Contractor or the State of Iowa, as the case may be,
may deem appropriate.
2.11.3 Problem Reporting Omissions

The State of Iowa’s receipt of a report that identifies any problems shall not relieve
Contractor of any obligation under this Agreement or waive any other remedy under this
Agreement or at law or equity that the State of Iowa may have. The State of Iowa’s failure
to identify the extent of a problem or discrepancy with Specifications, or the extent of
damages incurred as a result of a problem or discrepancy with Specifications, shall not act
as a waiver of performance under this Agreement.
2.11.4 State of Iowa Manager

The State of Iowa shall assign a manager (“State of Iowa Manager”) who will be responsible
for the State of Iowa’s day-to-day activities with respect to such project under this
Agreement. The State of Iowa Manager shall serve as the State of Iowa’s initial
representative for dispute resolution. The State of Iowa Manager shall respond to the
Contractor Manager’s reports to the extent that a response is appropriate as determined by
the State of Iowa Manager. All Services provided by Contractor hereunder shall be subject
to approval by the State of Iowa Manager. Any change of the State of Iowa Manager shall
be in the State of Iowa’s sole discretion; provided the State of Iowa shall notify Contractor
44
in writing of any change. The State of Iowa Manager shall be the only individual authorized
to approve changes or additional fees or charges under this Agreement on behalf of the
State of Iowa, which approval must be in writing.
2.11.5 Semi Annual Review Meetings

Contractor and the State of Iowa shall, at semiannual intervals, hold a review meeting at the
State of Iowa’s offices, or at such other place as is mutually agreed to by the Parties, to
review the performance of the Services, discuss fee and expense issues, and address such
other issues as may be relevant at the time. The Contractor Manager (and any other
Contractor Personnel who attend) will attend at the sole cost of Contractor.
2.11.6 Alert Reports

The Contractor shall promptly notify the State of Iowa both in writing (i.e., facsimile
transmission or courier) and by phone on becoming aware of any change or problem that
would negatively impact completion or performance of the Services and/or Deliverables,
the progress of tasks assigned under a Statement of Work, or any schedule in a Statement
of Work. Both the written notice and phone notice shall include a detailed description or
explanation, respectively, of the relevant change or problem. The Contractor shall provide
the State of Iowa Manager with additional details and updates on a frequent basis by secure
email regarding the status of any such change or problem.
2.12 Captions and Terms

Unless the context otherwise clearly requires, references to the plural include the singular,
references to the singular include the plural, and the word “or” has the inclusive meaning
represented by the phrase “and/or.” The words “include” and “including” shall be deemed to be
followed by the phrase “without limitation.”
2.13 Performance Security

Agency shall retain ten percent (10%) of each payment due under the Contract. Agency shall pay the
retained amount only after all Deliverables have been completed by Contractor and accepted by the
Agency.
2.14 Quarterly Report

The Contractor shall provide an electronic detailed quarterly report on all sales made under this
agreement within the State of Iowa via E-Mail to the Iowa Department of Administrative Services,
Central Procurement, Attn: Karl Wendt, karl.wendt@iowa.gov. The report file format shall be
Microsoft Excel compatible format. The report at minimum shall include the date of sale, customer
name and address, full product description, SKU Numbers, quantity, invoice number, unit and
extended invoice prices. Respondent proposals must include a sample report and a description of
the reporting that will be provided. The State reserves the right to request more detailed
information (ad-hoc reporting) at any time and on an individual or specific basis for a specific
product, department, time frame, or for a range of products, departments or time frames.
2.15 Administrative Fee

Without affecting the approved Service prices or discounts specified in the Master Agreement, the
State of Iowa shall be entitled to receive a one percent (1.00%) administrative fee on all sales made
within the State of Iowa against this agreement. The administration fee due to the State of Iowa
45
shall be paid quarterly by Contractor directly to the State, made payable to the "Iowa Department
of Administrative Services – Central Procurement."
46
SECTION 3
Scope of Work
3.1 Contractor Requirements
3.1.1 Contractor must administer funds for all Qualified Educational Expenses.
3.1.2 Contractor must comply with the applicable aspects of the following requirements regarding
pupil’s personally identifying information, including but not limited to:
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Iowa laws, rules, and regulations applicable to State’s current and published privacy and
security policies and procedures
3.1.3 Contractor must be liable and bear all the responsibility of and resolve any complaints or
issues a student’s representative may have towards the conduct of the evaluation and/or
any privacy or data breaches under state or federal law.
3.2 Service Requirements
3.2.1 Services shall comply with 2023 Iowa Act (90th G.A.), HF68 (January 24, 2023).
3.2.2 Contractor shall cooperate with the State of Iowa to reach compliance with Iowa Code
Chapter 12C within 1 year from Contract execution.
3.2.3 Contractor must acquire a surety bond or other means of protection, prior to accepting
public funds and in a form acceptable to the State of Iowa, of public funds allocated under
this Contract and under control of Contractor, or any third party, until compliance with Iowa
Code Chapter 12C is accomplished.
3.2.4 Services must be operational to allow a minimum of 30 days, and preferably 60 days or
more, for parents or guardians of eligible pupils to submit an application to meet the June
30 deadline for the 2023-2024 school year. Services will continue for school years remaining
through duration of contract period.
3.2.5 Families are to be notified of acceptance or denial within 30 days of submitting an

application.
3.2.6 Contractor must allocate funds from each pupil’s account for the payment of Qualified
Educational Expenses incurred by the pupil’s parent or guardian.
3.2.7 Contractor must have procedures in place and at all times comply with the procedures to
prevent waste, fraud, and abuse. Such procedures to be reviewed by the Agency for
approval.
3.2.8 Upon determination of a false claim for an ESA, or improper payment from an ESA, as
determined by either the Agency or the Department pursuant to 2023 Iowa Acts, House File
47
68, contractor shall close the pupil’s ESA. If improperly obtained amounts have been
disbursed, contractor shall immediately notify state officials and cooperate with all future
efforts and legal proceedings to recover such amounts from the parent or guardian, if
necessary.
3.2.9 Contractor must establish an individual account for that pupil in the education savings
account fund. The amount of the pupil’s education savings account payment shall be
deposited into the pupil’s individual account on July 15 or thirty days following submission
of the application, whichever is later, and such amount shall be immediately available for
the payment of Qualified Educational Expenses incurred by the parent or guardian for the
pupil during that school budget year.
3.2.10 Contractor must hold funds remaining in a pupil’s individual account upon conclusion of the
school budget year, and funds shall remain in the pupil’s individual account for the payment
of qualified educational expenses in future fiscal years during which the pupil participates
in the program until the pupil becomes ineligible under the program or until the remaining
amounts are transferred to the state general fund.
3.2.11 Offshore performance of work is prohibited. Any services that directly serve the State or its
clients and involve access to secure or sensitive data or personal client data shall be
performed within the United States. This provision applies to work performed by
subcontractors at all tiers.
3.2.12 Contractor shall provide platform user interface services, application services, customer
service, and outreach materials in both English and Spanish at a minimum, with options for
these same services in other languages as needed and requested by the state of Iowa.
3.2.13 Contractor shall coordinate with the Iowa Department of Revenue for joint application
development and/or integrations as appropriate for the purposes of income verification and
program eligibility.
3.3 System Requirements

Contractor’s systems must:
3.3.1 Keep data secure. Any technology platform used for the program meets the State’s highest
security requirements, including compliance.
3.3.1.1 When Contractor evaluates their organization and produce a System and
Organization Controls 1 (SOC-1) and System and Organization Controls 2 (SOC-2)
report or similar, the Contractor shall provide this annually to the State of Iowa.
3.3.1.2 The Contractor shall immediately report within five (5) business days to the
Department of Education (contact listed in Section 5) any use or disclosure of
Confidential Information not provided for by this Contract, of which it becomes
aware. Contractor shall cooperate with the State of Iowa’s investigation, analysis,
notification and mitigation activities, and shall be responsible for all costs incurred
by the Department of Education for those activities.
48
3.3.1.3 Ensure that Contractor or its employees and subcontractors will not reuse, sell,
make available, or make use in any format the data researched or compiled for
this Contract for any venture, profitable or not, outside this Contract.
3.3.1.4 The Contractor shall encrypt all data at rest and in transit at minimum at 256 AES.
3.3.1.5 Storage of data at rest shall be located solely in data centers in the continental
United States.
3.3.2 Must provide the Department of Education the capability of automated clearinghouse
transactions, electronic commerce transactions, reimbursement transactions, and debit
card payments in order to meet the diverse needs of participating parents and guardians to
pay for Qualified Educational Expenses.
3.3.3 Application system must:
3.3.3.1 Allow for secure transmission of applications, to include any required supporting
documents, such as tax returns, applicable nontaxable income documents, and
documents verifying school enrollment.
3.3.3.2 Have the ability for applicants to input personal information for multiple students
in household on same application.
3.3.3.3 Provide review based on income data inputted by the applicant and identify any
need for additional document submissions from the applicants.
3.3.3.4 Compare Applicant reported income to income thresholds defined by the Client
to determine whether Applicant meets Client’s eligibility requirements.
3.3.3.5 Allow electronic verification and acknowledgment by the Applicant of required

assurances and rules.
3.3.3.6 Allow Applicant to start and stop an application mid-stream and save information
to be able to resume later.
3.3.3.7 Provide status of application within application reporting. This may include:
Submitted, Documents in Process, Does Not File, and Verified.
3.3.3.8 Allow a Client administrator to view application data, including reporting fields
related to eligibility criteria.
3.3.3.9 Generate an acceptance or denial e-mail or letter to Applicants.
3.3.3.10 Bundle siblings into the same Applicant user account.
49
3.3.3.11 Provide a two-week document processing turn-around once all required
documentation is received from applicant(s).
3.3.3.12 Provide Client access to perform student level eligible school verification and
existing ESA program participation status.
3.3.3.13 Data Segregation

Contractor must provide an architecture diagram and application diagram
demonstrating segregation of Iowa data, utilizing a separate database, from other
vendor customers.
3.3.3.14 Authentication
Contractor must provide a multi-factor authentication for system administrator
and service/resource accounts.
3.3.3.15 PCI-DSS
Contractor must provide attestation ongoing compliance with PCI-DSS
requirements at least annually.
3.3.3.16 Web Application Firewall

Contractor must provide the ESA web application(s) be protected by a layer 7 web
application firewall (WAF).
3.3.3.17 Parent-Facing Portal

Contractor shall include the following language as part of the login screen to the
parent-facing portal:
“I understand that [Vendor] needs to gather and share information about each
child for which I seek [an ESA] and for each claim I make against that child’s [ESA].
I give my consent to [Vendor] to gather and share information necessary to
implement my child’s participation in [the Students First ESA program], including
with the Iowa Department of Education and with the private schools and
providers serving my child. I understand my child will not be able to participate
in [the Students First ESA program] if I refuse to grant my consent to [Vendor] to
gather and share necessary information.”
3.4 Training
Contractor shall provide live training, recorded video training, and training documents.
3.4.1 Iowa Department of Education
3.4.1.1 Duration and Frequency:

Contractor will provide one training session per week over a four-week period
for the Department of Education, unless otherwise determined by the
Department of Education. The training will last, at a minimum, two hours each
unless otherwise determined by the Department of Education.
3.4.1.2 Content: The training will include an overview of the following topics:
50
• Features for the administrator portal.
• User journey for parents and parent features.
• User journey for vendors and vendor features.
• Best practices for fraud prevention.
• Best practices for record keeping and retention.
3.4.1.3 Format: Contractor will provide these trainings over Zoom or in person. A
recording and any other associated training documents (slides, handouts, etc.) will
be provided to the State of Iowa Manager.
3.4.2 Nonpublic Schools
3.4.2.1 Duration and Frequency: Contractor will provide two training sessions per week
over an eight-week period for nonpublic schools unless otherwise determined by
the Department of Education. Each training session will last, at a minimum, one
hour each unless otherwise determined by the Department of Education.
3.4.2.2 Content: The training will include an overview of the following topics and be
followed by a Q&A:
• Features for the vendor portal.
• User journey for parents and parent features, including applications.
• Best practices for fraud prevention.
• Best practices for record keeping and retention.
3.4.2.3 Format: Contractor will provide these trainings over Zoom to make them as
accessible as possible. A recording will be made accessible to new nonpublic
schools to watch as needed after the eight-week initial period.
3.4.3 Families of Pupils
3.4.3.1 Duration and Frequency: Contractor will provide two training sessions per week
over an eight-week period for families of pupils unless otherwise determined by
the department. Each training session will last one hour unless otherwise
determined by the department. Additionally, we will create 5 training videos for
our family users. Each video will be released publicly and will be approximately 4
minutes in length.
3.4.3.2 Content: The training will include an overview of the following topics and be
followed by a Q&A:
• Features for the parent portal.
• User journey for parents and parent features, including applications.
• Best practices for using your funds.
3.4.3.3 Format: Contractor will provide these trainings over Zoom to make them as
accessible as possible, and the videos will be hosted publicly and on YouTube.
51
3.5 Deliverables
Contractor shall provide all documents, services, and information required for ESA compliance
including, but not limited to:
• ESA system run as independent instance.
• Reports
• Filings
• Training
3.6 Implementation
3.6.1 Upon execution of a Contract for services, the Contractor and Agency will cooperatively
initiate implementation in accordance with the agreed upon implementation plan.
3.6.2 Throughout the implementation process, Contractor shall provide a dedicated

implementation team consisting of:
• The implementation lead serves as the project leader for the overall ESA implementation,
collaborating with the Agency on key decisions that impact the specific data requirements
and establishing dates for key implementation milestones.
• The admin/support team member helps with project agendas, meeting notes and work
plan updates, assisting the implementation lead in keeping the project on task.
• The data specialist will review the ESA file specifications with the Agency’s data team and
work through the necessary testing, validation and file transmission method.
• The ESA subject matter professional is a knowledgeable resource on ESA regulations who
will draw from specialized knowledge and recommend leading practices for a smooth
implementation.
3.6.3 Milestones
Milestone 1 - Fully functional ability to accept and process applications to include

notification of acceptance or denial. This Milestone deadline is May 31, 2023.
Milestone 2 - Fully functional ability to accept and process nonpublic schools. This Milestone
deadline is May 31, 2023.
Milestone 3 - Fully functional ability to complete transactions to approved nonpublic

schools. This Milestone deadline is July 1, 2023.
Achievement of milestone 3 shall be considered go live date for the purpose of payments
addressed in 4.3.1 below.
3.6.4 Initial Implementation Tasks

Iowa Responsibilities Contractor Responsibilities
Contracting Process and Kickoff Meeting Major stakeholders attend the Schedule and lead kickoff meeting
kickoff meeting.
Confirm timelines and agreed-upon

requirements for the ESA program.
52
Marketing and Outreach N/A Implement marketing and outreach
programs for families and vendors.
Verification Verify Enrollment Forms Guide Iowa through Enrollment and

Acceptance criteria.
Verify Acceptance Criteria.

Training and Staff Access Identify employees needing Import admins into the system with
administrative access appropriate access.
Attend training. Train admins on the features and

capabilities of the Contractor program.
User / Help Guides and Troubleshooting Work with Contractor to create Create Iowa help desk documents.
Materials Iowa-specific help desk
guidelines.
Admin / Vendor/ Family Portal Delivery Test Iowa Family Portal Continual development and testing
and Beta Testing
Provide feedback Respond to Iowa feedback.
Final Admin / Vendor / Family Portal Final signoff on User Acceptance Launch Contractor site.
Delivery Testing.
Admin Portal Open For State N/A N/A

Administrators
Vendor Enrollment Applications Open N/A Contractor imports pre-approved Iowa

vendor list.
Approval begins immediately.

Family Enrollment Applications Open N/A Contractor begins processing approvals.
Marketplace Opens N/A Contractor launches marketplace.

Families and vendors can access it.
First Families Funded Sign off on family approval. Review families for eligibility and
approval.
Full Launch of Contractor Platform N/A N/A
System Monitoring, Usability Testing, Monitor usage and collect Continually monitor usage.
Feedback, and Additional Development qualitative and quantitative
(As Needed) feedback from users.
Share issues and feedback to Design and develop enhancements to

improve the platform. improve the experience.
3.6.5 Call Center Services
3.6.5.1 Contractor shall provide support for inquiries from covered individuals regarding
information provided pursuant to this contract.
3.6.5.2 Contractor shall provide administrative and technical support to Agency.
53
3.6.5.3 Call center with toll free phone number shall be located within the continental
United States.
3.6.5.4 Contractor call centers must verify customer identity for callers requesting
assistance in accordance with state of Iowa Program Manager approved
procedures.
3.6.5.5 Contractor’s staff must complete annual security awareness training including
training on social engineering.
54
SECTION 4
Pricing
4.1 Fixed Fee Services
Year 1
Application Platform $237,910.00
Fiscal Management & Payment System $154,475.00
Customer Service $189,948.75
Standalone System Fee* $100,000.00
TOTAL FEE YEAR 1 $682,333.75
Year 2
Year 3
Years 4-6 (Extension Periods)

TOTAL ANNUAL FEE YEARS 4-6 $729,550.00
*Standalone System Fee reflects additional fee agreed upon by the Parties subsequent to
submission of the Bid Proposal. Contractor will provide the State with a stand-alone instance of the
System separate from Contractor’s other clients.
Fees for extension periods of this Contract are subject to mutual agreement of the Parties and will
be discussed by the Parties in connection with the Parties’ evaluation of whether to mutually extend
this Contract (such discussion to commence reasonably in advance of the end of the then-current
term of this Contract).
4.2 Surety Bond

Contractor will invoice the State for the cost of the surety bond, or other means of protection of
funds.
55
4.3 Frequency of Payments
4.3.1 Year 1
4.3.1.1 Contractor will issue an invoice for the Year 1 Application System fee
($237,910.00) upon Contractor achieving go live for the Application Platform
available to Agency.
4.3.1.2 Contractor will issue an invoice for the Year 1 Fiscal Management & Payment
System fee ($154,475.00) upon Contractor achieving go live for the Fiscal
Management and Payment System available to Agency.
4.3.1.3 Contractor will issue an invoice for the Year 1 Standalone System fee
($100,000.00) at such time as both the Application Platform and Fiscal
Management & Payment System have been made available to Agency.
4.3.1.4 Contractor will issue invoices quarterly, in arrears, for the Year 1 Customer Service
fee ($47,487.18); however, no invoice for services is due to the Contractor until
accomplishment of milestone 3, as identified in 3.6.3 above. Contractor
understands services provided prior to go live date are at risk, and only become
payable upon delivery of a fully functional system.
4.3.2 Years 2 and 3
4.3.2.1 Contractor will issue invoice for Application Platform, Fiscal Management &
Payment System, and Standalone System Fee on the anniversary date of Year 1
system acceptance.
4.3.2.2 Contractor will issue invoices quarterly, in arrears, for the Year 1 Customer Service
fee ($51,337.50).
In all cases, the State shall pay Contractor’s invoices pursuant to the terms set forth above in this
Contract.
56
SECTION 5
Contacts
5.1 Project Manager - Contractor

Meaghan Barber
801.369.3444
meaghan@withodyssey.com
5.2 State of Iowa Manager - Department of Education

Mark Ford
515.669.1157
mark.ford@iowa.gov
5.3 DOM – OCIO Contact

Shane Dwyer
Phone: 515.321.2825
Email: shane.dwyer@iowa.gov
5.4 State of Iowa – DAS/Procurement Contact

Karl Wendt
515.281.7073
karl.wendt@iowa.gov
57
ATTACHMENT 1
Service Levels
The following describes the performance standards and service levels to be achieved by Contractor in
providing the Services:
1.1 Definitions
Except as provided in this Attachment, capitalized terms shall have the meanings set forth in the
Agreement. The following terms, when used in this Attachment, shall have the following meanings:
“Available” means the Services shall: (a) be available for access and use over the Internet by State
of Iowa, Government Entities, State Users, and Users; and (b) provide the functionality required
under the Agreement and applicable Statement(s) of Work.
“Critical Hours” means 6:00 a.m. to 11:00 p.m. CST, Monday through Friday.
“Server” shall mean the server(s) on which the Services will be hosted.
1.2 General Hosting Obligations

In addition to the other obligations set forth in the Agreement and this Attachment, Contractor shall
do the following:
1.2.1 Operate the Services on a Server owned and maintained by Contractor.
1.2.2 Allow access to the Services over the Internet and provide secure and confidential storage
of all information transmitted to and from the Services.
1.2.3 Supply hardware, security protocols, software and communications support structure to
facilitate connection to the Internet in accordance with the requirements set forth herein.
1.2.4 Maintain a back-up server, at a geographically different site (e.g., different flood plain and
power grid) from where the Server is located, to ensure continuous service in the event of
disaster.
1.2.5 Review security notifications and alerts relevant to the hosting platform (e.g., Contractor
notifications of bugs, attacks, patches), and apply any compensating controls and remedial
measures to maintain the highest level of defense.
1.2.6 Contractor shall utilize state-of-the-art and up-to-date anti-virus and anti-malware
software, and properly configured intrusion prevention systems and firewall protection
devices in order to secure State of Iowa Confidential Information from unauthorized access
by third parties.
1.3 Service Monitoring & Management

This Section may need to be revised if Contractor will provide hosting services through a third-party
hosting provider. Contractor will perform continuous monitoring and management of the Services
to optimize availability of Services. Included within the scope of this section is the proactive
monitoring of the Server and all service components of Contractor’s firewall for trouble on a 7 day
by 24-hour basis, and the expedient restoration of components when failures occur within the time
58
period set forth in this contract. Contractor shall maintain redundancy in all key components such
that service outages are less likely to occur due to individual component failures.
Contractor will monitor “heartbeat” signals of all servers, routers and leased lines, and HTTP
availability of the Server, by proactive probing at 30-second intervals 24 hours a day using an
automated tool. If a facility does not respond to a ping-like stimulus, it shall be immediately checked
again. When Contractor receives a “down” signal, or otherwise has knowledge of a failure in the
Server or the application software and/or hardware, Contractor personnel will:
1.3.1 Confirm (or disconfirm) the outage by a direct check of the facility;
1.3.2 If confirmed, take such action as may restore the service in one hour or less, or, if
determined to be a telephone company problem, open a trouble ticket with the telephone
company carrier;
1.3.3 Notify the State of Iowa by telephone or pager according to mutually agreed upon
procedures that an outage has occurred, providing such details as may be available,
including the Contractor trouble ticket number, if appropriate, and time of outage;
1.3.4 Work through the problems until resolution, escalating to appropriate management or to
engineering as required;
1.3.5 Notify the State of Iowa of final resolution, along with any pertinent findings or action taken,
and request concurrence by the State of Iowa prior to closing the applicable trouble ticket.
1.4 Backups
Contractor shall provide for both the regular back-up of standard file systems relating to the Server
and Services, and the timely restoral of such data on request by the State of Iowa due to a site failure.
In particular, Contractor shall:
1.4.1 Perform weekly full back-ups;
1.4.2 Perform daily incremental back-ups;
1.4.3 Send back-up media to secured, off-site storage facilities with a thirty (30) day rotation of
media;
1.4.4 Retain one back-up tape per month for one year;
1.4.5 Fulfill restoral requests as directed by the State of Iowa due to site failures. Such restoral
will be performed within the interval of twelve (12) to twenty-four (24) hours depending on
the urgency of the request, and the agreed upon location of the desired backup media; and
1.4.6 If the Server or hosting location is expected to be down for more than twenty-four (24)
hours, Contractor shall immediately transfer appropriate back-up data and re-establish all
hosting operations in an appropriately functioning secondary server or location. Such
59
secondary server and/or location shall be subject to the State of Iowa’s approval and
consent, which shall not be unreasonably withheld.
1.5 Service Levels
1.5.1 Support Request Service Levels

Contractor shall Respond to and Resolve Support Requests as set forth below.
1.5.2 Support Requests

The State of Iowa shall classify its requests for Error Corrections consistent with the
descriptions below. Each such request shall be referred to herein as a “Support Request.”
The State of Iowa shall notify Contractor of Support Requests via a Contractor-specified
telephone number, email address, or other Contractor-provided mechanisms. All Contractor
technical support personnel providing telephone support must do so in a manner such that
the communication does not diminish the State of Iowa’s ability to effectively utilize the
Application Services or negatively impact the satisfaction of the users with the Application
Services. Such impacts could arise from technology issues such as delays or jitter in
telecommunication lines, or the failure of the Contractor technical support personnel to
provide support in standard American English with understandable accents or otherwise
demonstrate sufficient language skills as reasonably determined by the State of Iowa.
Support Request Description

Classification
Critical ▪ Issue affecting entire system;
▪ Issue affecting single critical production function;
▪ System down or operating in materially degraded state;
▪ Potential services to Users affected;
▪ Data security or integrity at risk;
▪ Material financial impact;
▪ Declared a Critical Support Request by the State of Iowa CIO or
designee; and/or
▪ Widespread access interruptions.
High ▪ Primary workflow module failure that materially impairs its
performance; and/or
▪ Data entry or access is materially impaired on a limited basis.
Medium ▪ System is operating with minor issues that can be addressed with a
work around.
Low ▪ Request for assistance, information, or services that are routine in
nature.
1.5.3 Support Response Time Service Level

“Response Time” shall be measured from the time when Contractor receives the Support
Request until the time Contractor has Responded to the Support Request. “Respond” means
that Contractor has engaged on the Support Request; is working continuously to diagnose
the corresponding Errors, formulate a plan to address any such Errors, and execute that
plan; and has notified the State of Iowa user originating the Support Request that such
support has begun, in the manner requested by the user originating the Support Request
60
(e.g., e-mail, phone) or, if a specific means of communication is not requested, using direct
interactive (person to person) method of communication to achieve contact with such user
(e.g., no email or automated voicemail).
Support Service Level Metric Service Level Credits

Request (Response Time)
Classification
Critical 100% (15) minutes 0.5% of monthly Application Service fees for the
initial service level failure and .05% of monthly
Application Service fees for each additional fifteen
(15) minute increment that begins after the initial
service level failure
High 100% (30) minutes 0.1% of monthly Application Service fees for the
initial service level failure and 0.01% of monthly
Application Service fees for each additional fifteen
(15) minute increment that begins after the initial
service level failure
1.5.4 Resolution Time Service Level

Resolution time shall be measured from the time when Contractor receives the Support
Request until the time Contractor has Resolved the Support Request. “Resolve” means that,
as to Errors, Contractor has provided the State of Iowa the corresponding Error Correction
and the State of Iowa has confirmed such Error Correction.
Support Service Level Metric Service Level Credits

Request (Resolution Time)
Classification
Critical 100% (4) hours 5% of monthly fees for the initial service level failure
and 0.5% of monthly fees for first additional one (1)
hour increment that begins after the initial service
level failure and doubling for each additional (1) hour
High 100% (8) hours 2.5% of monthly fees for the initial service level failure
and 0.25% of monthly fees for each additional one (1)
hour increment that begins after the initial service
level failure
Medium 100% (2) days 1% of monthly fees for the initial service level failure
day increment that begins after the initial service level
failure
Low 100% (5) days 0.5% of monthly fees for the initial service level failure
day increment that begins after the initial service level
failure
1.5.5 Escalation
With respect to any Critical Support Request, until Resolved, Contractor shall escalate that
Support Request within sixty (60) minutes of Receipt to the appropriate Contractor support
personnel (as designated by Contractor), including, as applicable, Contractor’s SVP of Client
Operations.
61
1.6 Availability Service Level
The Application Services shall be Available for the percentage of the time each month of the Term
of the Agreement as set forth below.
1.6.1 Availability during Critical Hours
Service Level Metric Service Level Credits

At a minimum, 99.9% Availability for the Application In the event 99.9% Availability during Critical Hours
Services in each calendar month of the term of the for the Application Services is not achieved, but at
Agreement during Critical Hours. least 98.0% Availability for the Application Services
during Critical Hours is achieved, then the credits
“Availability” means the number of hours the shall be incurred as follows:
Application Services are Available For Use during 10% of monthly Application Services fees for the
Critical Hours in a given calendar month expressed first month,
as a percentage of Critical Hours during a calendar 15% of monthly Application Services fees for the
month (i.e., Availability % = ((Number of Critical second consecutive month, and
Hours – Downtime during Critical Hours)/(Number 20% of monthly Application Services fees for the
of Critical Hours)) x 100%). third consecutive month and each consecutive
month thereafter.
“Downtime” means the aggregate duration of
Outages for the Application Services during the In the event at least 98% Availability for the
applicable Scheduled Uptime during a calendar Application Services during Critical Hours is not
month. achieved, but at least 95.0% Availability during
Critical Hours for the Application Services is
“Outage” means any time during which the achieved then the credits shall be incurred as
Application Services (or any portion thereof) is not follows:
Available For Use during a calendar month, 20% of monthly Application Services fees for the
measured from the earliest point in time that such first month,
Outage is or reasonably should be detected by 25% of monthly Application Services fees for the
Contractor, but in any event no later than the time second consecutive month, and
the Outage actually occurred. An Outage is an Error. 30% of monthly Application Services fees for the
An Outage also constitutes a Critical Support third consecutive month and each consecutive
Request. month thereafter.
“Scheduled Downtime” shall have the meaning In the event at least 95% Availability during Critical
ascribed to it in Section 8.1 of this Attachment. Hours for the Application Services is not achieved,
then the credits shall be incurred as follows:
“Unscheduled Downtime” shall mean an Outage 20% of monthly Application Services fees for the
that is not Schedule Downtime. first month, and
25% of monthly Application Services fees for the
“Scheduled Uptime” shall mean any time during a second consecutive month,
Calendar month that is not Scheduled Downtime. 30% of monthly Application Services fees for the
third consecutive month and each consecutive
“Available for Use” shall mean the ability of the month thereafter.
Application Services to be utilized or accessed as
contemplated under the Agreement(s), including
conformance to the Specifications, and without
material degradation of performance, but excluding
Scheduled Downtime.
62
1.6.2 Availability during non-Critical Hours
At a minimum, 97% Availability for the In the event 97% Availability for the
Application Services in each calendar month of Application Services is not achieved, but at
the term of the Agreement. least 93% Availability for the Application
Services is achieved, then the credits shall be
“Downtime,” “Outage,” “Unscheduled incurred as follows:
Downtime,” “Scheduled Downtime” 20% of monthly Application Services fees for
“Scheduled Uptime” and “Available for Use” the first month, and
shall each of the meaning defined above. 25% of monthly Application Services fees for
the second consecutive month, and
“Availability”, for purposes of this paragraph 30% of monthly Application Services fees for
5.2.2, means the actual number of hours the the third consecutive month and each
Application Services are Available For Use consecutive month thereafter.
during Scheduled Uptime in a given calendar
month expressed as a percentage of Scheduled In the event at least 93%% Availability for the
Uptime during a calendar month (i.e., Application Services is not achieved, then the
Availability % = ((Number of hours the credits shall be incurred as follows:
Application Services are actually Available For 40% of monthly Application Services fees for
Use during Scheduled Uptime – Downtime the first month, and
during Scheduled Uptime)/(Number of hours 45% of monthly Application Services fees for
the Application Services are actually Available the second consecutive month, and
For Use during Scheduled Uptime)) x 100%). 50% of monthly Application Services fees for
the third consecutive month and each
consecutive month thereafter.
1.7 Unscheduled Downtime Reporting

Contractor shall track and report monthly to the State of Iowa each Unscheduled Downtime.
1.8 Application Services Download Times

Contractor represents, warrants, and covenants that the download time for a page of the Services
during Critical Hours shall be:
During Critical Hours: In the event these average Download Times
At a maximum, the lesser of (a) 0.5 seconds above the are not achieved, 3% of the monthly fees.
KB40, or (b) three (3) seconds.
During non-Critical Hours: In the event these average Download Times
At a maximum, the lesser of (a) 0.8 seconds above the are not achieved, 3% of the monthly fees.
KB40, or (b) four (4) seconds.
“Download Time” means the average time to download any page related to the Services, including
all content contained therein. Download time shall be measured using a Contractor-supplied
program, and by clock, and shall be measured to the nearest one-tenth of a second for each page,
commencing from the operative input from the user, whether by keyboard, mouse click, or any
other input device.
63
“KB40” means the Keynote Business 40 Internet Performance Index. In the event KB40 is
discontinued, a successor index (such as average download times for all other customers of the
Contractor) may be mutually agreed upon by the parties.
Tests of Download Times shall be conducted by Contractor over any two (2) hour period during
Critical Hours every ten (10) business day(s) using a representative number of logged-on computers
or terminals for the selected two (2) hour period, and running a representative sampling of
applications then installed. Contractor shall supply the State of Iowa with the results of these tests
on a monthly basis. Contractor further agrees to provide, at no cost to the State of Iowa,
measurement tools capable of directly making all measurements necessary to apply the Application
Services Response Time warranty in this Section.
1.9 Service Level Audits

The State of Iowa or its designee will have the right to audit Contractor’s measurement, monitoring,
and reporting on all service levels herein, including providing the State of Iowa with access to the
data used by Contractor to calculate its performance against the service levels and the measurement
and monitoring tools and procedures utilized by Contractor to generate such data for purposes of
audit and verification.
1.10 Meetings
Contractor and the State of Iowa shall meet at least once a week to review the status of open
Support Requests, and discuss trends and issues relating to Support Requests and approaches to
reducing the number of Support Requests as well as improving both the State of Iowa and Contractor
responses to such Support Requests.
1.11 Additions, Deletions, and Modifications of Service Levels

After the initial six (6) months following the Effective Date, the State of Iowa may add, modify, or
delete service levels specified herein by sending written notice to Contractor at least ninety (90)
days in advance; provided that, the total number of such notices (which notices may contain multiple
changes) sent by the State of Iowa shall not exceed twenty (20) in any contract year.
1.12 Service Levels Added

Service Levels shall be added in accordance with the following:
1.12.1 Where data exists for at least six (6) months from which measurements can be derived, the
State of Iowa and Contractor shall review the measurement trends and the levels of quality
that were attained during the measurement period and shall work together in good faith to
mutually agree, and to establish the service level standard that Contractor will be required
to meet; or
1.12.2 Where no such data exists, the Parties shall attempt in good faith to mutually agree during
a thirty (30) day period on a service level standard using industry standard measures or
third-party contractor advisory services.
1.13 Service Level Failures and Service Level Credits
1.13.1 Service Level Failures
64
Failure to achieve any of the service levels described in Section 1.5 (Service Levels) of this
Attachment shall constitute a “Service Level Failure” and Contractor shall be liable for the
Service Level Credits in the amounts set forth in Section 1.5 (Service Levels). Contractor shall
not be responsible for any Service Level Failure caused by the State of Iowa or its agents.
Contractor shall promptly notify the State of Iowa of any Service Level Failure.
1.13.2 Service Level Credits

Upon the occurrence of any Service Level Failure, Contractor shall issue to the State of Iowa
a credit in the amount set forth in Section 1.5 (Service Levels) (“Service Level Credit”). If
more than one (1) Service Level Failure has occurred in a single month, the sum of the
corresponding Service Level Credits shall be credited to the State of Iowa. In no event will
the aggregate of all Service Level Credits arising as a result of failures by Contractor to
perform its Support Services obligations in any month exceed 25% of the amount of the
Support Services fees otherwise payable for the most recent three (3) month period except
for instances of Service Level Credits associated failures on “Critical” and “High” Resolution
Time service levels which will not exceed 100% of the amount of the said Support Services
fees. Contractor shall notify the State of Iowa in writing if the State of Iowa becomes entitled
to a Service Level Credit, which notice shall be included in the monthly performance reports
as described in this Attachment.
The total amount of Service Level Credits that Contractor will be obligated to pay to the
State of Iowa, with respect to Service Level Failure(s) occurring each month shall be reflected
on the invoice issued in the second month following the month during which the Service
Level Failure(s) giving rise to such Service Level Credit(s) occurred. Notwithstanding the
foregoing, the calculation of such Service Level Credit(s) shall be based on the credit
amounts in effect, and the Support Services fees for, the month during which the Service
Level Failure occurred. For example, the amount of Service Level Credits payable with
respect to Service Level Failures occurring in August shall be set forth in the invoice issued
in October, but shall be calculated using August data. In the event the State of Iowa prepays
for any Services more than one month in advance, Contractor will issue refunds or credits
to the State of Iowa at the State’s sole discretion, within 5 days of the end of the month in
which the Service Level Failure occurred.
1.13.3 Termination for Chronic Service Level Failures

In addition to its termination rights under the Agreement, the State of Iowa may, in its sole
discretion, terminate the Agreement without further obligation to Contractor in the event
Contractor fails to achieve any of the required Service Levels for (a) three (3) months
consecutively, or (b) any three (3) months during a consecutive six (6) month period.
1.14 Corrective Action Plan

In the event two (2) or more Critical Support Requests occur in any thirty (30) calendar day period
during the Term of the Agreement, or in the event of any Service Level Failure, Contractor shall
promptly investigate the root causes of such support issues and shall provide to the State of Iowa
within five (5) business days of the occurrence of the second Critical Support Request or the
occurrence of the Service Level Failure an analysis of such root causes and a proposed corrective
action plan for the State of Iowa’s review, comment, and approval (the “Corrective Action Plan”).
The Corrective Action Plan shall include, at a minimum: (a) a commitment by Contractor to devote
65
the appropriate time, skilled Contractor personnel, systems support and equipment, and/or
resources to remedy, and prevent any further occurrences of Critical Support Request issues; and
(b) time frames for implementation of the Corrective Action Plan. There shall be no additional charge
(other than those fees set forth in this Agreement(s)) for Contractor’s implementation of such
Corrective Action Plan in the time frames and manner set forth in the Corrective Action Plan.
1.15 Service Outages

Contractor shall notify the State of Iowa of scheduled outages at least twenty-four (24) hours in
advance, and such outages shall last no longer than one hour. Such outages shall be scheduled
between the hours of 1:00 a.m. and 5:00 a.m., CST on Saturday nights (“Scheduled Downtime”).
Contractor may request extensions of scheduled down time above one (1) hour and such approval
by the State of Iowa, which may not be unreasonably withheld or delayed. Unscheduled outages are
not excluded from the Availability service levels set forth above (i.e., an Unscheduled outage, except
due to the actions of the State of Iowa and its agents, shall not relieve Contractor of its obligation to
achieve the service levels set forth herein).
1.16 Security Breaches

In the event of an attack or threatened or suspected breach of security against the Services and/or
Server, Contractor will take whatever reasonable steps that are necessary to halt such action,
including taking the Services down. Down time due to external attacks shall not count against
Availability requirement set forth above. Contractor will immediately contact the person designated
by the State of Iowa to discuss what measure to take. However, if time is critical, action may be
required before the contact can be reached. Contractor’s actions will include, as appropriate:
1.16.1 Confirm the threat;
1.16.2 Deny access from the source of the attack;
1.16.3 Investigate the extent of the damage, if any;
1.16.4 Back-up the affected systems and those suspected to be affected;
1.16.5 Strengthen defenses everywhere, not just the suspected path that the attacker used;
1.16.6 Contact the ISP where the threat or attack originated and/or law enforcement to work with
Contractor’s security team; and
1.16.7 Produce an Incident Report within 24 hours detailing Contractor’s findings.
1.16.8 Re-instate the denial of access after a set time period, but continue to monitor traffic from
that source until risk of further attacks is deemed to be minimized.
66
ATTACHMENT 2
IT Business Associate Agreement
To the extent that this Business Associate Agreement is incorporated into the Contract by reference, the
Vendor acts as the Business Associate of the agency or agencies designated in Attachment 2 to this
Business Associate Agreement as Covered Entities under the Family Education Rights and Privacy Act
(FERPA), as amended, and the federal regulations published at 45 CFR part 160 and 164.
For purposes of this IT Business Associate Agreement, the Vendor (the “Business Associate”) agrees to
comply with this IT Business Associate Agreement (BAA). This Business Associate Agreement (“BAA”)
supplements and is made a part of the Contract (hereinafter, the “Underlying Agreement”) between the
Covered Entities and the Business Associate.
1.1 Purpose
The Business Associate performs certain services on behalf of or for the Agency pursuant to the
Underlying Agreement that may include the exchange of information that is protected by the
Family Education Rights and Privacy Act (FERPA), as amended, and the FERPA Rules (collectively
“FERPA”). The parties to the Underlying Agreement are entering into this BAA to establish the
responsibilities of both parties regarding Protected Health Information and to bring the Underlying
Agreement into compliance with HIPAA.
1.2 Definitions
The following terms used in this BAA shall have the same meaning as those terms in the HIPAA
Rules: Breach, Designated Record Set, Disclosure, Individual, Minimum Necessary, Notice of
Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident,
Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
Business Associate. “Business Associate” shall generally have the same meaning as the term
“Business Associate” at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean
the Vendor.
Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered
entity” at 45 C.F.R. § 160.103. For the Iowa Veterans Home, in reference to the party to this BAA
shall mean the Agency. For the Department of Human Services, in reference to the party to this
BAA shall mean the portions of the Agency which is a “hybrid” entity under HIPAA that fall under
the purview of HIPAA.
HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement
Rules at 45 C.F.R. Part 160 and Part 164.
1.3 Obligations and Activities of Business Associate

The Business Associate agrees to:
1.3.1 Not Use or Disclose Protected Health Information other than as permitted or required by
this BAA or as Required By Law;
1.3.2 Use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect
to Protected Health Information, to prevent Use or Disclosure of Protected Health
67
Information other than as provided for by this BAA;
1.3.3 Report to the Covered Entity any Use or Disclosure of Protected Health Information not
provided for by this BAA of which it becomes aware, including Breaches of Unsecured
Protected Health Information as required at 45 C.F.R. § 164.410, and any Security Incident
of which it becomes aware in accordance with subsection 7, below;
1.3.4 In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), if applicable,

ensure that any Subcontractors that create, receive, maintain, or transmit Protected
Health Information on behalf of the Business Associate agree to the same restrictions,
conditions, and requirements that apply to the Business Associate with respect to such
information;
1.3.5 Make available Protected Health Information in a Designated Record Set to the Covered
Entity as necessary to satisfy the Covered Entity’s obligations under 45 C.F.R. §164.524;
1.3.6 Make any amendment(s) to Protected Health Information in a Designated Record Set as
directed or agreed to by the Covered Entity pursuant to 45 C.F.R. §164.526, or take other
measures as necessary to satisfy the Covered Entity’s obligations under 45 C.F.R. § 164.526;
1.3.7 Maintain and promptly make available, as directed by the Covered Entity, the information
required to provide an accounting of Disclosures to the Covered Entity as necessary to
satisfy the Cover Entity’s obligations under 45 C.F.R. § 164.528;
1.3.8 Within 5 business days forward any request that the Business Associate receives directly
from an Individual who (1) seeks access to Protected Health Information held by the
Business Associate pursuant to this BAA, (2) requests amendment of Protected Health
Information held by the Business Associate pursuant to this BAA, or (3) requests an
accounting of Disclosures, so that the Covered Entity can coordinate the response;
1.3.9 To the extent the Business Associate is to carry out one or more of the Covered Entity’s
obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of
Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
1.3.10 Make its internal practices, books, and records available to the Secretary for purposes of
determining compliance with the HIPAA Rules.
1.4 Permitted Uses and Disclosures by the Business Associate
1.4.1 The Business Associate may Use or Disclose Protected Health Information received in
relation to the Underlying Agreement as necessary to perform the services set forth in the
Underlying Agreement.
1.4.2 The Business Associate may use or disclose Protected Health Information as is required by
law.
1.4.3 The Business Associate is not authorized to de-identify Protected Health Information in
accordance with 45 C.F.R. § 164.514(a)-(c) unless expressly authorized to do so in writing
68
by the Covered Entity’s Security and Privacy Officer.
1.4.4 The Business Associate agrees to make Uses and Disclosures and Requests for Protected
Health Information consistent with the Covered Entity’s Minimum Necessary policies and
procedures.
1.4.5 The Business Associate may not Use or Disclose Protected Health Information in a manner
that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
1.4.6 The Business Associate may Use or Disclose the Protected Health Information for the
proper management and administration of the Business Associate or to carry out the legal
responsibilities of the Business Associate, provided the Disclosures are Required By Law,
or the Business Associate obtains reasonable assurances from the person to who the
information is Disclosed that the information will remain confidential and used or further
Disclosed only as Required By Law or for the purposes for which it was Disclosed to the
person, and the person notifies the Business Associate of any instances of which it is aware
in which the confidentiality of the Protected Health Information has been Breached.
1.5 Obligations of the Covered Entity
1.5.1 The Covered Entity will notify the Business Associate of any limitation(s) in the Notice of
Privacy Practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such
Limitation may affect the Business Associate’s Use or Disclosure of Protected Health
Information.
1.5.2 The Covered Entity will notify the Business Associate of any changes in, or revocation of,
the permission by an Individual to Use or Disclose his or her Protected Health Information,
to the extent that such changes may affect the Business Associate’s Use or Disclosure of
Protected Health Information.
1.5.3 The Covered Entity shall notify the Business Associate of any restriction on the Use or
Disclosure of Protected Health Information that the Covered Entity has agreed to or is
required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may
affect the Business Associate’s Use or Disclosure of Protected Health Information.
1.6 Permissible Requests by the Covered Entity

The Covered Entity shall not request the Business Associate to Use or Disclose Protected Health
Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if
done by the Covered Entity.
1.7 Breach Notification Obligations of the Business Associate

In the event that the Business Associate discovers a Breach of Unsecured Protected Health
Information, the Business Associate agrees to take the following measures within 5 business days
after the Business Associate first discovers the incident:
1.7.1 To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be
provided without unreasonable delay, except where a law enforcement official determines
69
that a notification would impede a criminal investigation or cause damage to national
security. For purposes of this BAA, the Business Associate is deemed to have discovered
the Breach as of the first day on which such Breach is known to the Business Associate or
by exercising reasonable diligence, would have been known to the Business Associate,
including any person, other than the Individual committing the Breach, that is a workforce
member or agent of the Business Associate;
1.7.2 To include to the extent possible the identification of the Individuals whose Unsecured
Protected Health Information has been, or is reasonably believed to have been, the subject
of a Breach;
1.7.3 To complete and submit the Information Security Data Breach Incident Report form
located on the Agency’s website.
1.7.4 To draft and provide written notification to Individuals that their Unsecured Protected
Health Information has been, or is reasonably believed to have been, the subject of a
Breach. The draft letter must include, to the extent possible:
1.7.5 A brief description of what happened, including the date of the Breach and the date of the
discovery of the Breach, if known;
1.7.6 A description of the types of Unsecured Protected Health Information that were involved
in the Breach (such as full name, Social Security Number, date of birth, home address,
account number, disability code, or other types of information that were involved);
1.7.7 Any steps the Individuals should take to protect themselves from potential harm resulting
from the Breach;
1.7.8 A brief description of what the Covered Entity and the Business Associate are doing to
investigate the Breach, to mitigate harm, and to protect against any further Breaches;
and
1.7.9 Contact procedures for Individuals to ask questions or learn additional information, which
shall include Covered Entity contact information, including a toll-free telephone number,
an e-mail address, web site, or postal address.
1.8 Administration
1.8.1 Term and Termination

This BAA is effective on the date of its incorporation into the Underlying Agreement. The
Covered Entity may terminate this BAA for cause if the Covered Entity determines that the
Business Associate or any of its Subcontractors or agents has breached a material term of
this BAA. The Covered Entity will provide written notice to the Business Associate
requesting that the Business Associate remedy the breach within the time frame provided
in the notice. The remedy time frame provided the Business Associate will be consistent
with the severity of the breach. The Covered Entity reserves the right to terminate the BAA
without notice in the event that the Covered Entity determines, in its sole discretion, that
notice is either infeasible or inappropriate under the circumstances. Expiration or
70
termination of either the Underlying Agreement or this BAA shall constitute expiration or
termination of the corresponding agreement.
1.8.2 Obligation to Return PHI, Destroy PHI, or Extend Protections to Retained PHI
Upon expiration or termination of this BAA for any reason, the Business Associate shall
return to the Covered Entity or destroy all Protected Health Information received from
Covered Entity, or created, maintained, or received by the Business Associate on behalf of
the Covered Entity, that the Business Associate still maintains in any form. Return or
destruction of Protected Health Information shall take place in accordance with the
requirements for such return or destruction as set forth in the Underlying Agreement or
as otherwise directed by the Covered Entity. The Business Associate shall retain no copies
of the Protected Health Information unless such return or destruction is not feasible. If
return or destruction of the Protected Health Information is not feasible, upon expiration
or termination of this BAA, the Business Associate shall:
1.8.2.1 Retain only that Protected Health Information that is necessary for the Business
Associate to continue its proper management and administration or to carry out
its legal responsibilities to the extent Required By Law;
1.8.2.2 Return to the Covered Entity or destroy the remaining Protected Health
Information that the Business Associate still maintains in any form;
1.8.2.3 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R.
Part 164 with respect to Protected Health Information to prevent Use or
Disclosure of the Protected Health Information, other than as provided for in this
Section, for as long as the Business Associate retains the Protected Health
Information;
1.8.2.4 Not Use or Disclose the Protected Health Information retained by the Business
Associate other than for the purposes for which such Protected Health
Information was retained and subject to the same conditions set out in
subsection 4(e) above under “Permitted Uses and Disclosures by the Business
Associate” which applied prior to termination; and
1.8.2.5 Return to the Covered Entity or destroy the Protected Health Information
retained by the Business Associate when it is no longer needed by the Business
Associate for its proper management and administration or to carry out its legal
responsibilities.
1.8.3 Compliance with Confidentiality Laws

The Business Associate acknowledges that it must comply with all applicable laws that may
protect the Protected Health Information or other patient information received and will
comply with all such laws, which include but are not limited to the following:
1.8.3.1 Medicaid applicants and recipients: 42 U.S.C. § 1396a(a)(7); 42 C.F.R. §§ 431.300-

.307; Iowa Code § 217.30;
71
1.8.3.2 Mental health treatment: Iowa Code chapters 228, 229;
1.8.3.3 HIV/AIDS diagnosis and treatment: Iowa Code § 141A.9; and
1.8.3.4 Substance abuse treatment: 42 U.S.C. § 290dd-2; 42 C.F.R. part 2; Iowa Code §§
125.37, 125.93.
1.8.3.5 Consumer personal information: Iowa Code ch. 715C.
1.8.4 Financial Obligations for Breach Notification
1.8.4.1 To the extent that the Business Associate is a governmental agency subject to
the provisions of Iowa Code § 679A.19, any dispute between the Business
Associate and the Agency, including but not limited to the incursion of any costs,
liabilities, damages, or penalties related to the Business Associate’s breach of this
BAA, shall be submitted to a board of arbitration in accordance with Iowa Code
§ 679A.19.
1.8.4.2 To the extent that the Business Associate is not subject to the provisions of Iowa
Code § 679A.19, the Business Associate shall defend, indemnify, and hold
harmless the Covered Entity from costs, liabilities, damages, or penalties
incurred as a result of the Business Associate or any Subcontractor’s breach of
this BAA, the Underlying Agreement, or conduct of the Business Associate or the
Business Associate’s Subcontractor not in compliance with 45 C.F.R. Part 164,
subpart E. Such liability shall not attach to disclosures made at the express
written direction of the Covered Entity.
1.8.4.3 The Business Associate’s obligations under this subsection 8(d) are not limited
to third-party claims but shall also apply to claims by the Covered Entity against
the Business Associate.
1.8.5 Amendment
The Covered Entity may amend the BAA from time to time by posting an updated version
of the BAA on the Agency’s website at:
and providing the Business Associate electronic notice of the amended BAA. The Business
Associate shall be deemed to have accepted the amendment unless the Business Associate
notifies the Covered Entity of its non-acceptance in accordance with the Notice provisions
of the Contract within 30 days of the Covered Entity’s notice referenced herein. Any agreed
alteration not part of the then current Covered Entity BAA shall have no force or effect
until the agreed alteration is reduced to a Contract amendment and signed by the Business
Associate, Agency Director and the Covered Entity or Entities Security and Privacy
Officer(s).
1.8.6 Survival
All obligations of the Agency and the Business Associate incurred or existing under this
BAA as of the date of expiration or termination will survive the expiration or termination
of this BAA.
72
1.8.7 No Third-Party Beneficiaries
There are no third-party beneficiaries to this BAA between the parties. The Underlying
Agreement and this BAA are intended to only benefit the parties to the BAA.
1.8.8 Miscellaneous
1.8.8.1 Regulatory References

A reference in this BAA to a section in the HIPAA Rules means the section as it
may be amended from time to time.
1.8.8.2 Interpretation
Any ambiguity in this BAA shall be interpreted to permit compliance with the
HIPAA Rules.
1.8.8.3 Applicable Law

Except to the extent preempted by federal law, this BAA shall be
governed by and construed in accordance with the same internal laws as that of
the Underlying Agreement.
1.8.8.4 The Parties agree to take such action as is necessary to amend this Agreement
from time to time as is necessary for compliance with the requirement of the
HIPAA Rules and any other applicable law.
1.9 Covered Entities and Corresponding Information
Name of Covered Information Security Address Contact Information

Entity Data Breach Incident
Report for URL
Iowa Department https://ocio.iowa.gov/cyberse Department of Email: soc@iowa.gov

of Education curity Management, Office Phone: 1.855.442.4357
of the Chief
Information Officer
200 East Grand Avenue
73
ATTACHMENT 3
Pub. 1075 Exhibit 7 Safeguarding Contract Language Obligations
To the extent that this Pub. 1075 Exhibit 7 Safeguarding Contract Language Obligations (the “Attachment”)
is incorporated into the Contract by reference, the Vendor agrees to comply with the obligations set forth
in this Attachment. This Contract Attachment supplements and is made a part of the Contract between the
purchasing Agency and the Vendor.
To the extent that Vendor provides notice that it does not accept an amended Attachment, any agreed
alteration not part of the then current Attachment shall have no force or effect until the agreed alteration
is reduced to a Contract amendment and signed by the Vendor and the purchasing Agency. In such a case,
the existing Attachment will continue to remain a part of the Contract until such time as the parties agree
to a newly amended Pub 1075 Exhibit 7 compliance attachment.
1.1 Performance
In performance of this Contract, the Vendor agrees to comply with and assume responsibility for
compliance by officers or employees with the following requirements:
1.1.1 All work will be performed under the supervision of the Vendor.
1.1.2 The Vendor and Vendor’s officers or employees to be authorized access to federal and/or
state tax information (“FTI”) must meet background check requirements defined in IRS
Publication 1075. The Vendor will maintain a list of officers or employees authorized access
to FTI. Such list will be provided to the agency and, upon request, to the IRS.
1.1.3 FTI in hardcopy or electronic format shall be used only for the purpose of carrying out the
provisions of this Contract. FTI in any format shall be treated as confidential and shall not be
divulged or made known in any manner to any person except as may be necessary in the
performance of this Contract. Inspection or disclosure of FTI to anyone other than the
Vendor or the Vendor’s officers or employees authorized is prohibited.
1.1.4 FTI will be accounted for upon receipt and properly stored before, during, and after
processing. In addition, any related output and products require the same level of protection
as required for the source material.
1.1.5 The Vendor will certify that FTI processed during the performance of this Contract will be
completely purged from all physical and electronic data storage with no output to be
retained by the Vendor at the time the work is completed. If immediate purging of physical
and electronic data storage is not possible, the Vendor will certify that any FTI in physical or
electronic storage will remain safeguarded to prevent unauthorized disclosures.
1.1.6 Any spoilage or any intermediate hard copy printout that may result during the processing
of FTI will be given to the agency. When this is not possible, the Vendor will be responsible
for the destruction of the spoilage or any intermediate hard copy printouts and will provide
the agency with a statement containing the date of destruction, description of material
destroyed, and the destruction method.
74
1.1.7 All computer systems receiving, processing, storing, or transmitting FTI must meet the
requirements in IRS Publication 1075. To meet functional and assurance requirements, the
security features of the environment must provide for the managerial, operational, and
technical controls. All security features must be available and activated to protect against
unauthorized use of and access to FTI.
1.1.8 No work involving FTI furnished under this Contract will be subcontracted without the prior
written approval of the IRS.
1.1.9 Vendor will ensure that the terms of FTI safeguards described herein are included, without
modification, in any approved subcontract for work involving FTI.
1.1.10 To the extent the terms, provisions, duties, requirements, and obligations of this Contract
apply to performing services with FTI, the Vendor shall assume toward the subcontractor all
obligations, duties and responsibilities that the agency under this Contract assumes toward
the Vendor, and the subcontractor shall assume toward the Vendor all the same obligations,
duties and responsibilities which the Vendor assumes toward the agency under this
Contract.
1.1.11 In addition to the subcontractor’s obligations and duties under an approved subcontract,
the terms and conditions of this Contract apply to the subcontractor, and the subcontractor
is bound and obligated to the Vendor hereunder by the same terms and conditions by which
the Vendor is bound and obligated to the agency under this Contract.
1.1.12 For purposes of this Contract, the term “Vendor” includes any officer or employee of the
Vendor with access to or who uses FTI, and the term “subcontractor” includes any officer or
employee of the subcontractor with access to or who uses FTI.
1.1.13 The agency will have the right to void the Contract if the Vendor fails to meet the terms of
FTI safeguards described herein.
1.2 Criminal/Civil Sanctions
1.2.1 Each officer or employee of a Vendor to whom FTI is or may be disclosed shall be notified in
writing that FTI disclosed to such officer or employee can be used only for a purpose and to
the extent authorized herein, and that further disclosure of any FTI for a purpose not
authorized herein constitutes a felony punishable upon conviction by a fine of as much as
$5,000 or imprisonment for as long as 5 years, or both, together with the costs of
prosecution.
1.2.2 Each officer or employee of a Vendor to whom FTI is or may be accessible shall be notified
in writing that FTI accessible to such officer or employee may be accessed only for a purpose
and to the extent authorized herein, and that access/inspection of FTI without an official
need-to-know for a purpose not authorized herein constitutes a criminal misdemeanor
punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1
year, or both, together with the costs of prosecution.
75
1.2.3 Each officer or employee of a Vendor to whom FTI is or may be disclosed shall be notified
in writing that any such unauthorized access, inspection or disclosure of FTI may also
result in an award of civil damages against the officer or employee in an amount equal to
the sum of the greater of $1,000 for each unauthorized access, inspection, or disclosure, or
the sum of actual damages sustained as a result of such unauthorized access, inspection,
or disclosure, plus in the case of a willful unauthorized access, inspection, or disclosure or
an unauthorized access/inspection or disclosure which is the result of gross negligence,
punitive damages, plus the cost of the action. These penalties are prescribed by IRC
sections 7213, 7213A and 7431 and set forth at 26 CFR 301.6103(n)-1.
1.2.4 Additionally, it is incumbent upon the Vendor to inform its officers and employees of the
penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a.
Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a Vendor, who by virtue of his/her
employment or official position, has possession of or access to agency records which
contain individually identifiable information, the disclosure of which is prohibited by the
Privacy Act or regulations established thereunder, and who knowing that disclosure of
the specific material is so prohibited, willfully discloses the material in any manner to any
person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not
more than $5,000.
1.2.5 Granting Vendor access to FTI must be preceded by certifying that each officer or
employee understands the agency’s security policy and procedures for safeguarding FTI.
Vendor and each officer or employee must maintain their authorization to access FTI
through annual recertification of their understanding of the agency’s security policy and
procedures for safeguarding FTI. The initial certification and recertifications must be
documented and placed in the agency's files for review. As part of the certification and at
least annually afterwards, Vendor and each officer or employee must be advised of the
provisions of IRC sections 7213, 7213A, and 7431 (see IRS Pub. 1075, Sanctions for
Unauthorized Disclosure, and Civil Damages for Unauthorized Disclosure). The training on
the agency’s security policy and procedures provided before the initial certification and
annually thereafter must also cover the incident response policy and procedure for
reporting unauthorized disclosures and data breaches. For the initial certification and the
annual recertifications, the Vendor and each officer or employee must sign, either with
ink or electronic signature, a confidentiality statement certifying their understanding of
the security requirements.
1.3 Inspection
The IRS and the Agency, with 24-hour notice, shall have the right to send its inspectors into the
offices and plants of the Vendor to inspect facilities and operations performing any work with
FTI under this Contract for compliance with requirements defined in IRS Publication 1075. The
IRS’ right of inspection shall include the use of manual and/or automated scanning tools to
perform compliance and vulnerability assessments of information technology (IT) assets that
access, store, process or transmit FTI. Based on the inspection, corrective actions may be
required in cases where the Vendor is found to be noncompliant with FTI safeguard
requirements.

Odyssey Contract

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Odyssey Contract

Uploaded by

Copyright:

Available Formats

Iowa Department of Administrative Services

Contracts Declaration & Execution Page

Title of Contract: Bid Proposal Number Contract Number

Printed Name and Title of Person Signing

State of Iowa: Department of Education

Printed Name and Title of Person Signing

Karl Wendt, Procurement Manager

“Authorized Contractors” means independent contractors, consultants, or other Third Parties

“Contractor Contractor(s)” means any of Contractor’s authorized subcontractors, affiliates,

“Customer Property” means any property of or belonging to a Governmental Entity making

“Customer-Owned Deliverables” means (if any) those Deliverables discovered, created, or

“I.T. Governance Document(s)” or “Governance Document(s)” means any Information Technology

“Non-Appropriation Event” means any of the following:

“Security Breach” means the unauthorized acquisition of or access to Customer Data by an

“Specifications” means all specifications, requirements, technical standards, performance

1.2 Availability of Contract to Other Entities

1.3 Duration of Contract

1.4 Scope of Work

1.5.3 Withholding Payments

1.5.5 Setoff Against Sums Owed by the Contractor

1.6.1 Immediate Termination by the State

1.6.1.1 In the event the Contractor is required to be certified or licensed as a

1.6.1.3 The Contractor fails to comply with confidentiality laws or provisions;

1.6.1.4 The Contractor furnished any statement, representation or certification in

1.6.2 Termination for Cause by the Agency

1.6.2.1 Contractor furnished any statement, representation, warranty or certification

1.6.2.2 Contractor or any of Contractor’s officers, directors, employees, agents,

1.6.2.3 Contractor or any parent or affiliate of Contractor owning a controlling interest

1.6.2.4 Contractor terminates or suspends its business;

1.6.2.5 Contractor’s corporate existence or good standing in Iowa is suspended,

1.6.2.10.1 Commencing or permitting a filing against it which is not discharged

1.6.2.10.2 Seeking or suffering the appointment of a trustee, receiver,

1.6.2.10.3 Making an assignment for the benefit of creditors;

1.6.2.10.4 Failing, being unable, or admitting in writing the inability generally

1.6.4 Termination Due to Lack of Funds or Change in Law

1.6.4.2 If funds are de-appropriated, reduced, not allocated, or receipt of funds is

1.6.4.3 If the Agency’s authorization to conduct its business or engage in activities or

1.6.4.4 If the Agency’s duties, programs or responsibilities are modified or materially

1.6.4.5 If there is a decision of any court, administrative law judge or an arbitration

1.6.5 Limitation of the State’s Payment Obligations

1.6.5.1 The payment of unemployment compensation to Contractor’s employees;

1.6.6 Contractor’s Termination Duties

1.6.7 Termination for Cause by Contractor

1.7 Confidential Information

1.7.1 Access to Confidential Information

1.7.2 No Dissemination of Confidential information

1.7.4 Reporting of Unauthorized Disclosure

1.7.6 Survives Termination

1.8 Indemnification; Limitation of Liability

1.8.1 By the Contractor

1.8.1.1 Any breach of this Contract;

1.8.1.3 The Contractor’s performance or attempted performance of this Contract,

1.8.1.5 Any claim of misappropriation of a trade secret or infringement or violation of

1.8.2 Limitation of Liability

a. Intentional torts, criminal acts, fraudulent conduct, intentional or willful misconduct,

b. Death, bodily injury, or damage to real or personal property;

c. Any contractual obligations of Contractor pertaining to indemnification; intellectual

1.8.3 Survives Termination

1.9.1 Insurance Requirements

1.9.2 Types and Amounts of Insurance Required

1.9.3 Certificates of Coverage

1.9.4 Waiver of Subrogation Rights

1.10 Project Management & Reporting

1.10.1 Project Manager