COVER PAGE
CITY OF WHEAT RIDGE
Microsoft 3-Year Renewal 23-0142

Participation Agreement between Insight Public Sector, State of Arizona (Master Agreement No. CTR060025), State of Colorado (Contract No. 178266), and the City of Wheat Ridge

This agreement has been reviewed by:
IT Manager: Jesse Dubin _____________________________
Procurement Manager: Whitney Mugford-Smith _____________________________
Deputy City Manager: Allison Scheck _____________________________
City Manager: Patrick Goff _____________________________
City of Wheat Ridge Mayor: Bud Starker _____________________________

DocuSign Envelope ID: 06B86F5F-AFE2-4528-95F7-2C70CDC55A12
CMS # 178266 Contract Number: Page 1 of 30 Version 07.2022

PARTICIPATING ADDENDUM to NASPO ValuePoint Software Value Added Reseller
Administered by the State of Arizona with Insight Public Sector, Inc.
Master Agreement No. CTR060025
And The State of Colorado Contract # 178266

1. PARTIES AND SCOPE
This Participating Addendum, including all of its attached exhibits and other documents incorporated by reference (the “Participating Addendum”), is entered into by and between Insight Public Sector, Inc. (the “Contractor”), and the State of Colorado (the “State”). This Participating Addendum covers participation in the Software Value Added Reseller Master Agreement CTR060025 led by the State of Arizona (the “Master Agreement”), for use by State agencies and other entities located in Colorado which are authorized by law to utilize State contracts with the prior approval of the State Purchasing Director. The specific Goods and Services provided under the Master Agreement are listed in Exhibit C Products and Price List (includes General Software and Microsoft Software) of this agreement.

2. PARTICIPATION
Agencies, political subdivisions and other entities (including cooperatives) authorized by the State’s statutes to use State contracts may make purchases under this Participating Addendum as of its Effective Date. Issues of interpretation and eligibility for participation are solely within the authority of the Chief Procurement Officer.

3. STATE MODIFICATIONS TO MASTER AGREEMENT AND APPLICABILITY
To the extent not modified by this Participating Addendum and all its exhibits, the Master Agreement and all its terms and conditions shall apply to this Participating Addendum. If any term of this Participating Addendum conflicts with the Master Agreement, then this Participating Addendum shall control for all transactions between the State and the Contractor under this Participating Addendum. All terms defined in the Master Agreement shall have the meaning given to them in the Master Agreement, except for those terms specifically defined differently in this PARTICIPATING ADDENDUM.

4. RESERVED

5. PRIMARY CONTACTS AND PERSONNEL RESPONSIBILITIES
The primary contacts for this Participating Addendum are the individuals named in this section. Either Party may change its primary contacts or primary contacts contact information by notice submitted to the other party in writing no later than 5 days following the date on which the change occurs, without a formal amendment to this Participating Addendum. The Contractor’s primary contact shall be ultimately responsible for ensuring that all Goods are delivered and all Services are completed in accordance with this Participating Addendum.

Primary Contact for the State:
Greg Draughon
Colorado State Purchasing & Contracts Office
1525 Sherman Street, 3rd Floor
Denver, CO 80203
303-866-4552
Gregory.Draughon@state.co.us

Primary Contact for the Contractor:
Brittany Dunaway
Insight Public Sector, Inc
2701 E. Insight Way
Chandler, AZ 85286
480.366.7029
SLEDcontracts@insight.com

Each individual identified in this §5 of the Participating Addendum shall be the primary contact of the designating Party. All notices required or permitted to be given under this Participating Addendum shall be in writing and shall be delivered (A) by hand with receipt required, (B) by certified or registered mail to such Party’s primary contact at the address set forth above or (C) as an email with read receipt requested to the primary contact at the email address, if any, set forth above. If a Party delivers a notice to another through email and the email is undeliverable then, unless the Party has been provided with an alternate email contact, the Party delivering the notice shall deliver the notice by hand with receipt required or by certified or registered mail to such Party’s primary contact at the address set forth above. Unless otherwise provided in this Participating Addendum, notices shall be effective upon delivery of the written notice.

In addition to the primary contact in this section, the Contractor shall also provide an individual who is ultimately responsible for the creation and submission of the quarterly volume report described in Exhibit A of this Participating Addendum. This individual, as named in this section, shall ensure that all required quarterly volume reports are accurate and delivered by the appropriate due date for that quarterly volume report. The Contractor may change this individual or their contact information by notice submitted to the other party in writing no later than 5 days following the date on which the change occurs, without a formal amendment to this Participating Addendum.

Individual Responsible for Quarterly Volume Report Creation and Submission:
Virginia Mace
Insight Public Sector, Inc.
2701 E. Insight Way
Chandler, AZ 85286
480.333.3068
SLEDreporting@insight.com

6. SUBCONTRACTORS
The Contractor may only use Subcontractors, as defined in Exhibit A. §4, under this Participating Addendum if the State has provided written approval for the Contractor to use that Subcontractor. All such approved Subcontractors authorized in the State of Colorado, as shown on the dedicated Contractor website, are approved to provide sales and service support to the State and any Purchasing Entity in the State. The Contractor’s Subcontractor’s participation shall be in accordance with the terms and conditions set forth in the Master Agreement and this Participating Addendum, as appropriate.

7. ORDERS
Any Order placed by a Purchasing Entity in the State of Colorado for a Good or Service available under this Participating Addendum shall be deemed to be a sale (and governed by the prices and other terms and conditions) under the Master Agreement and this Participating Addendum unless the parties to the Order agree in writing that another contract or agreement applies to such Order or the terms of that Order control to the extent that they conflict with the terms of the Master Agreement or this Participating Addendum.

8. ORDER OF PRECEDENCE AND ATTACHED EXHIBITS
All of the exhibits listed in this section are attached to this Participating Addendum and are incorporated herein by reference.
In the event of a conflict or inconsistency between this Participating Addendum and any exhibits or attachment such conflict or inconsistency shall be resolved by reference to the documents in the following order of priority:
A. Colorado Special Provisions in §20 of Exhibit A, State Specific Terms
B. Exhibit E, Safeguarding Requirements for Federal Tax Information, as applicable
C. Exhibit D, HIPAA Business Associate Agreement, as applicable
D. Exhibit F, Information Technology Provisions
E. The provisions of this Participating Addendum
F. All other sections of Exhibit A, State Specific Terms
G. Exhibit B Statement of Work
H. Exhibit C Products and Price List

Notwithstanding anything to the contrary herein, the State and Purchasing Entities shall not be subject to any provision incorporated in any terms and conditions appearing on Contractor’s or Subcontractor’s website, any provision incorporated into any click-through or online agreements, or any provisions incorporated into any other document or agreement between the Parties that (i) requires the State to indemnify or hold harmless Contractor or any other party, (ii) is in violation of State law as, regulations, rules, fiscal rules, policies, or other State requirements as deemed solely by the State or (iii) is contrary to any of the provisions incorporated into Exhibit A, §19 or the main body of this Participating Addendum.

THE PARTIES HERETO HAVE EXECUTED THIS AMENDMENT

CONTRACTOR
Insight Public Sector, Inc.
By:
Title:
By:______________________________________________
*Signature
Date: _________________________

STATE OF COLORADO
Jared S. Polis, Governor
Department of Personnel & Administration
State Purchasing and Contracts Office
Tony Gherardini, Executive Director
By:______________________________________________
Sherri Maxwell, Chief Procurement Officer, or John Chapman, State Purchasing Manager
Date: _________________________

STATE OF COLORADO
Governor’s Office of Information Technology
In accordance with §24-30-202, C.R.S., if this Contract is for a Major Information Technology Project, this Contract is not valid until signed and dated below by the Chief Information Officer or an authorized delegate.
STATE CHIEF INFORMATION OFFICER
Anthony Neal-Graves, Chief Information Officer and Executive Director
Signed: ___________________________________________
Printed Name: _____________________________________
Title: _____________________________________________
Date: _________________________

ALL CONTRACTS REQUIRE APPROVAL BY THE STATE CONTROLLER
§24-30-202 C.R.S. requires the State Controller to approve all State Contracts. This Participating Addendum is not valid until signed and dated below by the State Controller or an authorized delegate.
STATE CONTROLLER
Robert Jaros, CPA, MBA, JD
By:___________________________________________
Name: __________________________________________
Date:_____________________

DocuSign Envelope ID: 77A69468-2CAF-44A2-842B-63A1F4C7B655 10/10/2022 10/11/2022 10/12/2022 10/12/2022

PARTICIPATING ADDENDUM
EXHIBIT A
STATE SPECIFIC TERMS

1. PARTIES AND SCOPE
2. PARTICIPATION
3. STATE MODIFICATIONS TO MASTER AGREEMENT AND APPLICABILITY
4. RESERVED
5. PRIMARY CONTACTS AND PERSONNEL RESPONSIBILITIES
6. SUBCONTRACTORS
7. ORDERS
8. ORDER OF PRECEDENCE AND ATTACHED EXHIBITS
9. AUTHORITY
10. PURPOSE
11. TERM
12. DEFINITIONS
13. STATEMENT OF WORK
14. PAYMENTS TO CONTRACTOR
15. PAYMENTS TO STATE
16. REPORTING – NOTIFICATION
17. CONTRACTOR RECORDS
18. CONFIDENTIAL INFORMATION-STATE RECORDS
19. CONFLICTS OF INTEREST
20. INSURANCE
21. BREACH OF CONTRACT
22. REMEDIES
23. DISPUTE RESOLUTION
24. RIGHTS IN WORK PRODUCT AND OTHER INFORMATION
25. OBLIGATIONS AND RIGHTS IN THE EVENT OF TERMINATION OF ORDER OR CONTRACT
26. STATEWIDE CONTRACT MANAGEMENT SYSTEM
27. GENERAL PROVISIONS
28. COLORADO SPECIAL PROVISIONS (COLORADO FISCAL RULE 3-3)
EXHIBIT B STATEMENT OF WORK
EXHIBIT C PRODUCTS AND PRICE LIST
EXHIBIT D HIPAA BUSINESS ASSOCIATE AGREEMENT
EXHIBIT E SAFEGUARDING REQUIREMENTS FOR FEDERAL TAX INFO
EXHIBIT F INFORMATION AND TECHNOLOGY SPECIAL PROVISIONS

1. AUTHORITY
Authority to enter into this Participating Addendum exists in the Colorado Procurement Code, §24-102-202, C.R.S. and 1 CCR 101-9 R-24-102-202-01., and its associated rules.

2. PURPOSE
The Parties are entering into this Participating Addendum for the Contractor to provide Software Value Added Reseller to Purchasing Entities. The Contractor was selected as a result of State Price Agreement.

3. TERM
A. Initial Term - Work Commencement
The Parties’ respective performances under this Participating Addendum shall commence on the Effective Date and shall be co-terminus with NASPO ValuePoint Master Agreement CTR060025. Unless this Participating Addendum is terminated earlier, as described herein, or the State cancels its participation as described in the Master Agreement (the “Term”), the term of the Participating Addendum shall follow the Master Agreement initial term and will be automatically extended beyond the initial term if the Master Agreement term is extended (See Section 3.B.).
B. Extension of Term
If the term of NASPO ValuePoint Master Agreement is extended for any reason, the Term of this Participating Addendum shall be automatically modified to account for that extension, so long as such extension complies with the Colorado Procurement Code.
C. End of Term Extension
If this Participating Addendum approaches the end of its Initial Term, or any Extension Term then in place, the State, at its discretion, upon written notice to Contractor’s primary contact listed in §5 of the Participating Addendum and in accordance with §5 of this Participating Addendum, may unilaterally extend such Initial Term or Extension Term for a period not to exceed 2 months (an “End of Term Extension”), regardless of whether additional Extension Terms are available or not. The provisions of this Participating Addendum in effect when such notice is given shall remain in effect during the End of Term Extension.
The End of Term Extension shall automatically terminate upon execution of a replacement contract or modification extending the total term of this Participating Addendum.
D. Order Term
Orders may only be placed prior to the expiration or earlier termination of this Participating Addendum, but may have a delivery date or performance period that extends no longer than 120 calendar days following that expiration or earlier termination date. Regardless of whether this Participating Addendum has expired or has been terminated, the Contractor shall comply with all Orders that extend past the expiration or termination, as described in this section, and all requirements of this Participating Addendum necessary to complete outstanding Orders shall survive the expiration or termination of this Participating Addendum until all Orders are complete.
E. Early Termination in the Public Interest
The State is entering into this Participating Addendum to serve the public interest of the State of Colorado as determined by its Governor, General Assembly, or Courts. A determination that this Contract should be terminated in the public interest shall not be equivalent to a State right to terminate for convenience. This subsection shall not apply to a termination of this Participating Addendum by the State for breach by Contractor, which shall be governed by §14.A.i.
i. Method and Content
The State shall notify Contractor of such termination in accordance with §5 of this Participating Addendum. The notice shall specify the effective date of the termination and whether it affects all or a portion of this Participating Addendum, and shall include, to the extent practicable, the public interest justification for the termination.
ii. Obligations and Rights
Upon receipt of notice for termination in the public interest, Contractor shall be subject to the rights and obligations set forth in §14.A.i.a.
iii. Payments
If the State terminates this Participating Addendum in the public interest, the Purchasing Entities shall pay Contractor according to their orders with the Contractor. The sum of any and all payments shall not exceed the maximum amount payable to Contractor under each order.

4. DEFINITIONS
The following terms shall be construed and interpreted as follows:
A. “Administration Fee” means the fee that is due to the State for the administration of this Participating Addendum, as described in §7. A. of this Exhibit A.
B. “Breach of Contract” means the failure of a Party to perform any of its obligations in accordance with this Contract, in whole or in part or in a timely or satisfactory manner. The institution of proceedings under any bankruptcy, insolvency, reorganization or similar law, by or against Contractor, or the appointment of a receiver or similar officer for Contractor or any of its property, which is not vacated or fully stayed within thirty (30) days after the institution of such proceeding, shall also constitute a breach. If Contractor is debarred or suspended under §24-109-105, C.R.S. at any time during the term of this Contract, then such debarment or suspension shall constitute a breach.
C. “Business Day” means any day in which the State is open and conducting business, but shall not include Saturday, Sunday or any day on which the State observes one of the holidays listed in §24-11-101(1), C.R.S.
D. “Ceiling Price” means the maximum price a Contractor or a Subcontractor may charge for a Good or Service under this Participating Addendum.
E. “Chief Procurement Officer” means the individual to whom the Executive Director of the Department of Personnel & Administration has delegated his or her authority pursuant to §24-102-202, C.R.S. to procure or supervise the procurement of all supplies and services needed by the state.
F. “CJI” means criminal justice information collected by criminal justice agencies needed for the performance of their authorized functions, including, without limitation, all information defined as criminal justice information by the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy, as amended, and all Criminal Justice Records as defined under §24-72-302, C.R.S.
G. “Confidential Information” means any and all information that is normally considered confidential in nature, and includes, but is not limited to, all State Records not subject to disclosure under the Colorado Open Records Act, §§24-72-200.1, et seq., C.R.S. (“CORA”).
H. “Contract” means this Participating Addendum, including all attached Exhibits, all documents incorporated by reference, all referenced statutes, rules and cited authorities, and any future modifications thereto.
I. “Contract Funds” means the funds that have been appropriated, designated, encumbered, or otherwise made available for payment by a Purchasing Entity for Orders placed under this Participating Addendum.
J. “CORA” means the Colorado Open Records Act, §§24-72-200.1, et. seq., C.R.S.
K. “Effective Date” means the date Contract is signed by the State Controller or their designee.
L. “End of Term Extension” means the time period defined in §3. C. of this Exhibit A.
M. “Environmentally Preferable Products” means products that have a lesser or reduced adverse effect on human health and the environment when compared with competing products that serve the same purpose, as defined in §24-103-904, C.R.S.
N. “Effective Date” means the date on which this Participating Addendum is approved and signed by the Colorado State Controller or designee, as shown on the Signature Page for this Participating Addendum. If this Contract is for a Major Information Technology Project, as defined in §24-37.5-102(2.6), C.R.S., then the Effective Date of this Contract shall be the later of the date on which this Contract is approved and signed by the State’s Chief Information Officer or authorized delegate or the date on which this Contract is approved and signed by the State Controller or authorized delegate, as shown on the Signature Page for this Contract.
O. “Exhibits” means the following exhibits attached to this Contract:
i. Exhibit A, State Specific Terms.
ii. Exhibit B, Statement of Work.
iii. Exhibit C, Products and Price List
iv. Exhibit D, HIPAA Business Associate Agreement
v. Exhibit E, Safeguarding Federal Tax Information
vi. Exhibit F, Information Technology Provisions
P. “Extension Term” means the time period defined in §3. B.
Q. “Goods” means any movable material acquired, produced, or delivered by Contractor as set forth in this Participating Addendum and shall include any movable material acquired, produced, or delivered by Contractor in connection with the Services.
R. “Incident” means any accidental or deliberate event that results in or constitutes an imminent threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of any communications or information resources of the State, which are included as part of the Work, as described in §§24-37.5-401, et. seq., C.R.S.
Incidents include, without limitation (i) successful attempts to gain unauthorized access to a State system or State Information regardless of where such information is located; (ii) unwanted disruption or denial of service; (iii) the unauthorized use of a State system for the processing or storage of data; or (iv) changes to State system hardware, firmware, or software characteristics without the State’s knowledge, instruction, or consent.
S. “Initial Term” means the time period defined in §3.A of this Exhibit A.
T. “Order” means any delivery order, purchase order, contract, agreement or other binding document used by a Purchasing Entity to order the Goods and Services described in this Participating Addendum from the Contractor, and shall include any modification to such a document.
U. “Party” means the State or Contractor, and “Parties” means both the State and Contractor.
V. “Purchasing Entity” means any entity or organization that has been authorized by the State to place Orders with the Contractor, and may include, without limitation, agencies of the State, government supported institution of higher education within the State, political subdivisions of the State, authorized non-profit organizations and other authorized entities.
W. “PCI” means payment card information including any data related to credit card holders’ names, credit card numbers, or the other credit card information as may be protected by state or federal law.
X. “PII” means personally identifiable information including, without limitation, any information maintained by the State about an individual that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. PII includes, but is not limited to, all information defined as personally identifiable information in §§24-72-501 and 24-73-101, C.R.S.
Y. “PHI” means any protected health information, including, without limitation any information whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes, but is not limited to, any information defined as Individually Identifiable Health Information by the federal Health Insurance Portability and Accountability Act.
Z. “Services” means the services to be performed by Contractor as set forth in this Participating Addendum, and shall include any services to be rendered by Contractor in connection with the Goods.
AA. “State Confidential Information” means any and all State Records not subject to disclosure under CORA. State Confidential Information shall include, but is not limited to, PII, PCI, and State personnel records not subject to disclosure under CORA.
State Confidential Information shall not include information or data concerning individuals that is not deemed confidential but nevertheless belongs to the State, which has been communicated, furnished, or disclosed by the State to Contractor which (i) is subject to disclosure pursuant to CORA; (ii) is already known to Contractor without restrictions at the time of its disclosure to Contractor; (iii) is or subsequently becomes publicly available without breach of any obligation owed by Contractor to the State; (iv) is disclosed to Contractor, without confidentiality obligations, by a third party who has the right to disclose such information; or (v) was independently developed without reliance on any State Confidential Information. BB. “State Fiscal Rules” means that fiscal rules promulgated by the Colorado State Controller pursuant to §24-30-202(13) (a), C.R.S. CC. “State Fiscal Year” means a 12-month period beginning on July 1 of each calendar year and ending on June 30 of the following calendar year. If a single calendar year follows the term, then it means the State Fiscal Year ending in that calendar year. DocuSign Envelope ID: 77A69468-2CAF-44A2-842B-63A1F4C7B655DocuSign Envelope ID: 06B86F5F-AFE2-4528-95F7-2C70CDC55A12 CMS # 178266 Contract Number: Page 10 of 30 Version 07.2022 DD. “State Records” means any and all State data, information, and records, regardless of physical form, including, but not limited to, information subject to disclosure under CORA. EE. “Subcontractor” means third-parties, if any, engaged by Contractor pursuant to §18.B. to aid in performance of the Work. The term “Subcontractor” includes, without limitation, any dealers, distributors, partners or resellers engaged by the Contractor to perform the Work. FF. 
“Tax Information” means federal and State of Colorado tax information including, without limitation, federal and State tax returns, return information, and such other tax-related information as may be protected by federal and State law and regulation. Tax Information includes, but is not limited to all information defined as federal tax information in Internal Revenue Service Publication 1075. GG. “Work” means the Goods delivered and Services performed pursuant to this Contract. HH. “Work Product” means the tangible and intangible results of the Work, whether finished or unfinished, including drafts. Work Product includes, but is not limited to, documents, text, software (including source code), research, reports, proposals, specifications, plans, notes, studies, data, images, photographs, negatives, pictures, drawings, designs, models, surveys, maps, materials, ideas, concepts, know-how, and any other results of the Work. “Work Product” does not include any material that was developed prior to the Effective Date that is used, without modification, in the performance of the Work. Any other term used in this Participating Addendum that is defined in an Exhibit shall be construed and interpreted as defined in that Exhibit. 5. STATEMENT OF WORK Contractor shall complete the Work as described in this Participating Addendum and in accordance with the provisions of Exhibits A, B, C and D, and with any Purchasing Entity’s Order. Contractor personnel shall work cooperatively with State and Purchasing Entity staff to ensure the completion of the Work. A. Ordering and Order Fulfillment i. Ordering a. Contractor shall provide a complete and accurate Internal Revenue Service form W9 to the State prior to accepting an Order from any Purchasing Entity. Upon a request by a Purchasing Entity, Contractor shall provide a complete and accurate Internal Revenue Service form W9 to that Purchasing Entity. b. 
Each Purchasing Entity may complete an Order in accordance with its own rules and policies, as available to Contractor, using the appropriate documentation for that organization to issue an Order. c. Contractor shall communicate directly with each Purchasing Entity related to that Purchasing Entity’s Orders. d. Contractor shall ensure that all Orders it accepts have the proper information contained in them for Contractor to be able to comply with all reporting requirements of this Exhibit A. e. If Contractor provides for Ordering through an internet-based portal or electronic catalog, Contractor shall maintain all of Contractor’s necessary hardware, DocuSign Envelope ID: 77A69468-2CAF-44A2-842B-63A1F4C7B655DocuSign Envelope ID: 06B86F5F-AFE2-4528-95F7-2C70CDC55A12 CMS # 178266 Contract Number: Page 11 of 30 Version 07.2022 software, backup-capacity and network connections required to operate that internet-based portal or electronic catalog. f. Contractor’s internet-based portal and electronic catalogs shall clearly designate that they are part of this Participating Addendum and shall have a link to the State’s designated web location, as determined by the State. Contractor shall ensure that all Environmentally Preferable Products are clearly listed on internet-based portal and electronic catalogs. g. If Contractor provides an internet-based portal or electronic catalog, Contractor shall also provide paper catalogs or catalogs on other digital media upon request by a Purchasing Entity. h. If Contractor’s catalog will be either hosted on or accessed through the State’s eCommerce system, when available, then Contractor shall comply with all policies, procedures and directions from the State in relation to hosting its catalog on or making its catalog accessible through that system. Contractor shall ensure that all information made available through the State’s eCommerce system is accurate and complies with this Participating Addendum. 6. PAYMENTS TO CONTRACTOR A. 
Payments Under Orders i. Contractor shall allow the State and Purchasing Entities to use a procurement card or other credit card to make payments under any Order, in addition to any other payment procedure available to the State or Purchasing Entity. ii. The State shall not pay any amount to Contractor under this Participating Addendum unless the State issues an Order, at which time it shall pay Contractor in accordance with that Order. The State shall not be responsible for payment under any Order that is issued by a Purchasing Entity that is not the State, and the Contractor shall seek no payment or other compensation from the State for any Work performed under any Order issued by a Purchasing Entity that is not the State. B. Payment Procedures i. Invoices Contractor shall invoice each Purchasing Entity in accordance with that Purchasing Entity’s Order. Contractor shall not invoice the State under any Order unless the State issued that Order. Contractor shall allow 45 days for the State and Purchasing Entities to pay an invoice following the receipt of the invoice, unless the State or a Purchasing Entity specifically agrees to a shorter time in an Order. State law and regulations provide that State payments made within 45 days are not considered delinquent, and unless otherwise agreed, State Purchasing Entities will pay interest on any unpaid balance beginning on the 45th day at the rate of 1% per month until paid in full; provided, however, that interest shall not accrue on unpaid amounts that are the subject of a good faith dispute regarding the obligation to pay all or a portion of the liability. Contractor shall invoice State Ordering Entities separately for accrued interest on delinquent amounts due. The billing shall reference the delinquent payment, the number of days’ interest to be paid, and the applicable interest rate. (§ 24-30-202(24), C.R.S., as amended.) ii. 
Payment Disputes Unless different procedures are specified in an Order, if Contractor disputes any calculation, determination or amount of any payment, Contractor shall notify the Purchasing Entity issuing the Order in writing of its dispute within 30 days following the earlier to occur of Contractor’s receipt of the payment or notification of the determination or calculation of the payment by that Purchasing Entity. The Purchasing Entity will review the information presented by Contractor and may make changes to its determination based on this review. The calculation, determination or payment amount that results from the Purchasing Entity’s review shall not be subject to additional dispute under this subsection. No payment subject to a dispute under this subsection shall be due until after the Purchasing Entity has concluded its review, and the Purchasing Entity shall not pay any interest on any amount during the period it is subject to dispute under this subsection. iii. Available Funds-Contingency-Termination of Order Purchasing Entities, except for authorized non-profit entities, are prohibited by law from making commitments beyond the term of the current Purchasing Entity’s Fiscal Year. Payment to Contractor beyond the current Purchasing Entity’s Fiscal Year is contingent on the appropriation and continuing availability of Contract Funds in any subsequent year (See Colorado Special Provision). If federal funds, non-State funds or funds from any other source constitute all or some of the Contract Funds, the Purchasing Entity’s obligation to pay Contractor shall be contingent upon such funding continuing to be made available for payment. 
Orders under this Participating Addendum shall be made only from Contract Funds, and the Purchasing Entity’s liability for such payments shall be limited to the amount remaining of such Contract Funds. If State, federal or other Purchasing Entity funds are not appropriated, or otherwise become unavailable to fund an Order under this Participating Addendum, the Purchasing Entity may, upon written notice, terminate the Order, in whole or in part, without incurring further liability. The Purchasing Entity shall, however, remain obligated to pay for Services and Goods that are delivered and accepted prior to the effective date of notice of termination of Order. A State Purchasing Entity Order termination shall otherwise be treated as if the Order was terminated in the public interest as described in §3. E. of this Exhibit A. The Purchasing Entity may effect such termination by giving Contractor a written notice of termination, to the Contractor’s primary contact in accordance with §5 of the Participating Addendum, and by paying to Contractor any amounts which are due and have not been paid through the last day of the Fiscal Year for which appropriated funds are available. The Purchasing Entity shall endeavor to give notice of such termination not less than 30 days prior to the day of non-availability of funds, and shall notify Contractor of any anticipated termination. iv. Discount and Delinquency Period Any applicable cash discount period or delinquency period for the amounts shown on an invoice shall begin on the date the Purchasing Entity approves of the invoice, or from the date of receipt of acceptable Goods or Services at the specified destination by an authorized Purchasing Entity representative, whichever is later. 7. PAYMENTS TO STATE Administrative Fees A. 
Each State Fiscal Year quarter, Contractor shall, using a form as directed by the State, calculate an Administrative Fee equal to 1% of the total sales made under Orders during that State Fiscal Year quarter. Contractor shall pay the State the Administrative Fee for each State Fiscal Year quarter within 45 days following the end of that State Fiscal Year quarter. B. Contractor shall remit all administrative fees to the State’s primary contact identified in §5 of the Participating Addendum and with the payee as “State of Colorado”. 8. REPORTING – NOTIFICATION A. Volume Reporting The State will use a centralized method of tracking volume. Contractor shall provide a quarterly volume report to the State’s primary contact identified in §5 of this Participating Addendum within 30 calendar days following the end of the State Fiscal Year quarter that the report covers. The quarterly volume report shall be submitted in a form as directed by the State, which may be modified by the State from time to time. The quarterly volume report shall contain, at a minimum, all of the following: i. A summary volume report that includes, but is not limited to, all of the following for the quarter that the report covers: a. The total spent by each type of Purchasing Entity under this Participating Addendum. b. The total of the list price of all items purchased by each type of Purchasing Entity under this Participating Addendum. c. The total estimated price savings for each type of Purchasing Entity under this Participating Addendum, calculated as the total list price of all items purchased by each type of Purchasing Entity minus the total spent for that type of Purchasing Entity. d. The total paid through the use of a procurement card or credit card for each Purchasing Entity under this Participating Addendum. e. 
The total sales of environmentally preferable products, as defined in the State’s Environmentally Preferable Purchasing Policy, for each Purchasing Entity under this Participating Addendum. f. The amount of the total administrative fee due to the State. g. Any additional summary information as requested by the State. ii. A detail report that includes, but is not limited to, all of the following for each sale that occurred during the quarter that the report covers: a. The name of the Purchasing Entity who the sale was made to. b. The date of the sale. c. A listing of each item purchased in the sale, including the name of the item, the quantity of the item, the unit price for the item, the extended price for the item calculated by multiplying the unit price by the quantity, the list price per unit for the item, the extended list price for the item calculated by multiplying the quantity by the list price, and the savings on the item calculated by subtracting the extended cost from the extended list price. d. Any other detail information as requested by the State. B. Additional Operational Reporting Upon request by the State, the Contractor shall provide operational reporting that includes all detailed and summary transaction, historical or payment information related to the State or any of the Participating Entities as requested by the State. The Contractor shall provide all such additional reports within 10 Business Days following the State’s request for that information, unless the State agrees to a longer period of time in writing. C. 
Environmentally Preferable Product Reporting Upon request by the State, the Contractor shall provide detailed reporting on environmentally preferable products, as defined in the State’s Environmentally Preferable Purchasing Policy, that are purchased or made available under this Participating Addendum. The scope and detail of such reports shall be agreed upon by the State and the Contractor. The Contractor shall provide all such additional reports within 10 Business Days following the State’s request for that information, unless the State agrees to a longer period of time in writing. D. Litigation Reporting If Contractor is served with a pleading or other document in connection with an action before a court or other administrative decision making body, and such pleading or document relates to this Participating Addendum or may affect Contractor’s ability to perform its obligations under this Participating Addendum, Contractor shall, within 10 days after being served, notify the State of such action and deliver copies of such pleading or document to the State’s primary contact identified in §5 of the Participating Addendum. E. Performance Outside the State of Colorado or the United States, §24-102-206, C.R.S. To the extent not previously disclosed in accordance with §24-102-206, C.R.S., Contractor shall provide written notice to the State’s primary contact in accordance with §5 of the Participating Addendum and in a form designated by the State, within 20 days following the earlier to occur of Contractor’s decision to perform Services outside of the State of Colorado or the United States, or its execution of an agreement with a Subcontractor to perform Services outside the State of Colorado or the United States. 
Such notice shall specify the type of Services to be performed outside the State of Colorado or the United States and the reason why it is necessary or advantageous to perform such Services at such location or locations, and such notice shall be a public record. Knowing failure by Contractor to provide notice to the State under this section shall constitute a breach of this Participating Addendum. This section shall not apply if the Participating Addendum Funds include any federal funds. 9. CONTRACTOR RECORDS A. Maintenance Contractor shall maintain a file of all documents, records, communications, notes and other materials relating to the Work (the “Contractor Records”) performed by the Contractor and any Subcontractors, that are required to ensure proper performance of that Work. Contractor shall maintain Contractor Records until the last to occur of: (i) the date 3 years after the date this Participating Addendum expires or is terminated, (ii) final payment under this Participating Addendum is made, (iii) the resolution of any pending Contract matters, or (iv) if an audit is occurring, or Contractor has received notice that an audit is pending, the date such audit is completed and its findings have been resolved (the “Record Retention Period”). B. Inspection Contractor shall permit the State to audit, inspect, examine, excerpt, copy and transcribe Contractor Records during the Record Retention Period. Contractor shall make Contractor Records available during normal business hours at Contractor’s office or place of business, or at other mutually agreed upon times or locations, upon no fewer than 2 Business Days’ notice from the State, unless the State determines that a shorter period of notice, or no notice, is necessary to protect the interests of the State. C. 
Monitoring The State, in its discretion, may monitor Contractor’s performance of its obligations under this Participating Addendum using procedures as determined by the State. The State shall monitor Contractor’s performance in a manner that does not unduly interfere with Contractor’s performance of the Work. D. Final Audit Report Contractor shall promptly submit to the State a copy of any final audit report of an audit performed on Contractor’s records that relates to or affects this Participating Addendum or the Work, whether the audit is conducted by Contractor or a third party. E. Periodic Business Reviews i. The State may schedule periodic business reviews to review Contractor’s performance under this Participating Addendum. ii. Contractor shall ensure personnel assigned to the Participating Addendum are available for these meetings with the State as scheduled by the State. iii. Contractor’s primary contact designated in §5 of this Participating Addendum shall be available for all regularly scheduled meetings between Contractor and the State, unless the State has granted prior, written approval otherwise. 10. CONFIDENTIAL INFORMATION-STATE RECORDS A. Confidentiality Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Contractor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Participating Addendum, permitted by law or approved in Writing by the State. Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines. 
If Contractor or any of its Subcontractors will or may receive the following types of data, Contractor or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax Information and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Contract as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Agreement attached to this Contract, if applicable. Contractor shall immediately forward any request or demand for State Records to the State’s primary contact as identified in §5 of the Participating Addendum. B. Other Entity Access and Nondisclosure Agreements Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Participating Addendum. Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Participating Addendum, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. 
Contractor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions. C. Use, Security, and Retention Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Contractor shall provide the State with access, subject to Contractor’s reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Participating Addendum, Contractor shall return State Records provided to Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information. D. Incident Notice and Remediation If Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Contractor can establish that neither Contractor nor any of Contractor’s agents, employees, assigns or Subcontractors are the cause or source of the Incident, Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. 
After an Incident, Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may, in its sole discretion and at Contractor’s sole expense, require Contractor to engage the services of an independent, qualified, State-approved third party to conduct a security audit. Contractor shall provide the State with the results of such audit and evidence of Contractor’s planned remediation in response to any negative findings. E. Data Protection and Handling Contractor shall ensure that all State Records and Work Product in the possession of Contractor or any Subcontractors are protected and handled in accordance with the requirements of this Contract, including the requirements of any Exhibits hereto, at all times. F. Safeguarding PII If Contractor or any of its Subcontractors will or may receive PII under this Contract, Contractor shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Contractor shall be a “Third-Party Service Provider” as defined in §24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with §§24-73-101 et seq., C.R.S. 11. CONFLICTS OF INTEREST A. 
Actual Conflicts of Interest Contractor shall not engage in any business or activities, or maintain any relationships that conflict in any way with the full performance of the obligations of Contractor under this Participating Addendum. Such a conflict of interest would arise when a Contractor or Subcontractor’s employee, officer or agent were to offer or provide any tangible personal benefit to an employee of the State, or any member of his or her immediate family or his or her partner, related to the award of, entry into or management or oversight of this Participating Addendum. B. Apparent Conflicts of Interest Contractor acknowledges that, with respect to this Participating Addendum, even the appearance of a conflict of interest shall be harmful to the State’s interests. Absent the State’s prior written approval, Contractor shall refrain from any practices, activities or relationships that reasonably appear to be in conflict with the full performance of Contractor’s obligations under this Participating Addendum. C. Disclosure to the State If a conflict or the appearance of a conflict arises, or if Contractor is uncertain whether a conflict or the appearance of a conflict has arisen, Contractor shall submit to the State a disclosure statement setting forth the relevant details for the State’s consideration. Failure to promptly submit a disclosure statement or to follow the State’s direction in regard to the actual or apparent conflict constitutes a breach of this Participating Addendum. 12. INSURANCE Contractor shall obtain and maintain, and ensure that each Subcontractor shall obtain and maintain, insurance as specified in this section at all times during the term of this Participating Addendum and until all orders for goods or Services or both have been delivered and accepted, regardless of whether this Participating Addendum has expired or has been terminated. 
All insurance policies required by this Participating Addendum shall be issued by insurance companies as approved by the State. A. Workers’ Compensation Workers’ Compensation insurance as required by state statute, and employers’ liability insurance covering all Contractor or Subcontractor employees acting within the course and scope of their employment. Insurance must stay in place and in effect even if the contract term expires, until all product or terms of the contract are completed and satisfied up to 120 days after contract term expires. B. General Liability Commercial general liability insurance covering premises operations, fire damage, independent contractors, products and completed operations, blanket contractual liability, personal injury, and advertising liability with minimum limits as follows: i. $1,000,000 each occurrence; ii. $2,000,000 general aggregate; iii. $1,000,000 products and completed operations aggregate; and iv. $50,000 any 1 fire. C. Automobile Liability Automobile liability insurance covering any auto (including owned, hired and non-owned autos) with a minimum limit of $1,000,000 each accident combined single limit. D. Cyber/Network Security and Privacy Liability Liability insurance covering civil, regulatory, and statutory damages, contractual damages, data breach management exposure, and any loss of income or extra expense as a result of actual or alleged breach, violation or infringement of right to privacy, consumer data protection law, confidentiality or other legal protection for personal information, as well as State Confidential Information with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $2,000,000 general aggregate. E. 
Protected Information Liability insurance covering all loss of State Confidential Information, such as PII, PCI, PHI, Tax Information, and CJI, and claims based on alleged violations of privacy rights through improper use or disclosure of protected information with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $2,000,000 general aggregate. F. Professional Liability Insurance Professional liability insurance covering any damages caused by an error, omission or any negligent act with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $1,000,000 general aggregate. G. Crime Insurance Crime insurance including employee dishonesty coverage with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $1,000,000 general aggregate. H. Additional Insured The State shall be named as additional insured on all commercial general liability policies (leases and construction contracts require additional insured coverage for completed operations) required of Contractor and Subcontractors. I. Primacy of Coverage Coverage required of Contractor and each Subcontractor shall be primary and noncontributory over any insurance or self-insurance program carried by Contractor or the State. J. Cancellation The above insurance policies shall include provisions preventing cancellation or non-renewal, except for cancellation based on non-payment of premiums, without at least 30 days prior notice to Contractor and Contractor shall forward such notice to the State in accordance with §5 of the Participating Addendum within 7 days of Contractor’s receipt of such notice. K. 
Subrogation Waiver All insurance policies secured or maintained by Contractor or its Subcontractors in relation to this Participating Addendum shall include clauses stating that each carrier shall waive all rights of recovery under subrogation or otherwise against Contractor or the State, its agencies, institutions, organizations, officers, agents, employees, and volunteers. L. Public Entities If Contractor is a "public entity" within the meaning of the Colorado Governmental Immunity Act, §§24-10-101, et seq., C.R.S. (the “GIA”), Contractor shall maintain, in lieu of the liability insurance requirements stated above, at all times during the term of this Participating Addendum such liability insurance, by commercial policy or self-insurance, as is necessary to meet its liabilities under the GIA. If a Subcontractor is a public entity within the meaning of the GIA, Contractor shall ensure that the Subcontractor maintain at all times during the terms of this Participating Addendum, in lieu of the liability insurance requirements stated above, such liability insurance, by commercial policy or self-insurance, as is necessary to meet the Subcontractor’s obligations under the GIA. M. Certificates Contractor shall provide to the State certificates evidencing Contractor’s insurance coverage required in this Participating Addendum within 7 Business Days following the Effective Date. Contractor shall provide to the State certificates evidencing Subcontractor insurance coverage required under this Participating Addendum within 7 Business Days following the Effective Date, except that, if Contractor’s subcontract is not in effect as of the Effective Date, Contractor shall provide to the State certificates showing Subcontractor insurance coverage required under this Participating Addendum within 7 Business Days following Contractor’s execution of the subcontract. 
No later than 15 days before the expiration date of Contractor’s or any Subcontractor’s coverage, Contractor shall deliver to the State certificates of insurance evidencing renewals of coverage. At any other time during the term of this Participating Addendum, upon request by the State, Contractor shall, within 7 Business Days following the request by the State, supply to the State evidence satisfactory to the State of compliance with the provisions of this §12. 13. BREACH OF CONTRACT In the event of a Breach of Contract, the aggrieved Party shall give written notice of breach to the other Party. If the notified Party does not cure the Breach of Contract, at its sole expense, within 30 days after the delivery of written notice, the Party may exercise any of the remedies as described in §14 for that Party. Notwithstanding any provision of this Participating Addendum to the contrary, the State, in its discretion in order to protect the public interest of the State, need not provide notice or a cure period and may immediately terminate this Participating Addendum in whole or in part or institute any other remedy in this Participating Addendum; or if Contractor is debarred or suspended under §24-109-105, C.R.S., the State, in its discretion, need not provide notice or cure period and may terminate this Contract in whole or in part or institute any other remedy in this Contract as of the date that the debarment or suspension takes effect. 14. REMEDIES A. State’s Remedies If Contractor is in breach under any provision of this Participating Addendum and fails to cure such breach, the State, following the notice and cure period set forth in §13, shall have all of the remedies listed in this section in addition to all other remedies set forth in this Participating Addendum or at law. 
The State may exercise any or all of the remedies available to it, in its discretion, concurrently or consecutively. i. Termination for Breach In the event of Contractor’s uncured breach, the State may terminate this entire Participating Addendum or any part of this Participating Addendum. Contractor shall continue performance of this Participating Addendum to the extent not terminated, if any. If after termination by the State, the State agrees that Contractor was not in breach or that Contractor's action or inaction was excusable, such termination shall be treated as a termination in the public interest, and the rights and obligations of the Parties shall be as if this Participating Addendum had been terminated in the public interest under §3. E. ii. Remedies Not Involving Termination The State, in its discretion, may exercise one or more of the following additional remedies: a. Suspend Performance Suspend Contractor’s performance with respect to all or any portion of the Work pending corrective action as specified by the State without entitling Contractor to an adjustment in price or cost or an adjustment in the performance schedule. Contractor shall promptly cease performing Work and incurring costs in accordance with the State’s directive, and neither the State nor any Purchasing Entity shall be liable for costs incurred by Contractor after the suspension of performance. b. Removal Demand immediate removal of any of Contractor’s employees, agents, or Subcontractors from the Work whom the State deems incompetent, careless, insubordinate, unsuitable, or otherwise unacceptable or whose continued relation to this Participating Addendum is deemed by the State to be contrary to the public interest or the State’s best interest. c. 
Intellectual Property If any Work infringes, or if the State in its sole discretion determines that any Work is likely to infringe, a patent, copyright, trademark, trade secret or other intellectual property right, Contractor shall, at the option of and as approved by the State or Purchasing Entity (i) secure that right to use such Work for the State, Purchasing Entity and Contractor; (ii) replace the Work with noninfringing Work or modify the Work so that it becomes noninfringing; or, (iii) remove any infringing Work and refund the amount paid for such Work to the Purchasing Entity. B. Contractor’s Remedies If the State is in breach of any provision of this Participating Addendum and does not cure such breach, Contractor, following the notice and cure period in §13 and the dispute resolution process in §15 shall have all remedies available at law and equity. If a Purchasing Entity is in breach of a provision of an Order, Contractor shall have all remedies available to it under that Order and available at law and equity. C. Purchasing Entity’s Remedies i. If Contractor is in breach under any provision of an Order by a Purchasing Entity, the Purchasing Entity shall have all of the remedies listed in that Order, all remedies listed in §14. A. ii above, all remedies listed here in §14.C and all other remedies available by law or equity. The Purchasing Entity may exercise any or all of the remedies available to it, in its discretion, concurrently or consecutively. ii. If a Purchasing Entity gives Contractor notice of breach or terminates an Order because of Contractor’s breach of that Order, Contractor shall provide notice to the State of that breach or termination within 5 Business Days following Contractor’s receipt of that notice of breach or termination. iii. Payments and Damages a. 
Notwithstanding anything to the contrary, Purchasing Entities shall only pay Contractor for accepted Work received as of the date of termination. A Purchasing Entity may withhold any amount that may be due Contractor as the Purchasing Entity deems necessary until Contractor corrects its Work or to protect itself against loss including, without limitation, loss as a result of outstanding liens and costs incurred by the Purchasing Entity in procuring from third parties replacement Work as cover. b. Notwithstanding any other remedial action by the State, Contractor shall remain liable to the State or appropriate Purchasing Entity for any damages sustained by the State or Purchasing Entity in connection with any breach by Contractor, and the Purchasing Entity may withhold payment to Contractor for the purpose of mitigating the Purchasing Entity’s damages. A Purchasing Entity may deny payment to Contractor for Work not performed, or that due to Contractor’s actions or inactions, cannot be performed or if they were performed are reasonably of no value to the state; provided, that any denial of payment shall be equal to the value of the obligations not performed. 15. DISPUTE RESOLUTION A. Order Disputes, Termination and Resolution i. If a dispute related to an Order arises between Contractor and a Purchasing Entity, Contractor shall meet with the Purchasing Entity to attempt to resolve the issue. If Contractor is unable to resolve the issue with the Purchasing Entity, then Contractor may request assistance from the State by submitting a request in writing, which includes the pertinent information about the dispute and the assistance sought by Contractor, in accordance with §5 of the Participating Addendum. 
Nothing in this section shall be interpreted as limiting the rights or obligations of Contractor, the State or any Purchasing Entity under this Contract of any Order. ii. A Purchasing Entity may terminate an Order if it determines that Contractor was in breach of that Order. Termination of an Order shall not terminate any other Order or this Participating Addendum. iii. If a Purchasing Entity gives Contractor notice of breach or terminates an Order because of Contractor’s breach of that Order, Contractor shall provide notice to the State of that breach or termination within 5 Business Days following Contractor’s receipt of that notice of breach or termination. B. Initial Resolution Except as herein specifically provided otherwise, disputes concerning the performance of this Participating Addendum which cannot be resolved by the designated Participating Addendum primary contacts, as identified in §5 of the Participating Addendum, or through a dispute on an Order shall be referred in writing to a senior departmental management staff member designated by the State and a senior manager designated by Contractor for resolution. C. Resolution of Controversies arising under this Participating Addendum If the initial resolution described in §15.B. fails to resolve the dispute within ten (10) Business Days, Contractor shall submit any alleged breach of this Participating Addendum by the State to the Procurement Official of the State Purchasing and Contracts Office as described in §24-102-202(3), C.R.S. for resolution in accordance with the provisions of §§24-109-101.1 through 24-109-505, C.R.S., (the “Resolution Statutes”), except that if Contractor wishes to challenge any decision rendered by the Procurement Official, Contractor’s challenge shall be an appeal to the Executive Director of the Department of Personnel and Administration, or their delegate, under the Resolution Statutes before Contractor pursues any further action as permitted by such statutes. 
Except as otherwise stated in this Section, all requirements of the Resolution Statutes shall apply including, without limitation, time limitations. 16. RIGHTS IN WORK PRODUCT AND OTHER INFORMATION A. Work Product Contractor assigns to the Purchasing Entity and its successors and assigns, the entire right, title, and interest in and to all causes of action, either in law or in equity, for past, present, or future infringement of intellectual property rights related to the Work Product and all works based on, derived from, or incorporating the Work Product under an Order. Whether or not Contractor is under contract with the State at the time, Contractor shall execute applications, assignments, and other documents, and shall render all other reasonable assistance requested by the State, to enable the Purchasing Entity to secure patents, copyrights, licenses and other intellectual property rights related to the Work Product. To the extent that Work Product would fall under the definition of “works made for hire” under 17 U.S.C.S. §101, the parties intend the Work Product to be a work made for hire. i. Copyrights To the extent that the Work Product (or any portion of the Work Product) would not be considered works made for hire under applicable law, Contractor hereby assigns to the Purchasing Entity, the entire right, title, and interest in and to copyrights in all Work Product and all works based upon, derived from, or incorporating the Work Product; all copyright applications, registrations, extensions, or renewals relating to all Work Product and all works based upon, derived from, or incorporating the Work Product; and all moral rights or similar rights with respect to the Work Product throughout the world. 
To the extent that Contractor cannot make any of the assignments required by this section, Contractor hereby grants to the Purchasing Entity a perpetual, irrevocable, royalty-free license to use, modify, copy, publish, display, perform, transfer, distribute, sell, and create derivative works of the Work Product created under that Purchasing Entity’s Order and all works based upon, derived from, or incorporating the Work Product by all means and methods and in any format now known or invented in the future. The Purchasing Entity may assign and license its rights under this license. ii. Patents In addition, Contractor grants to the Purchasing Entity (and to recipients of Work Product distributed by or on behalf of the State) a perpetual, worldwide, no-charge, royalty-free, irrevocable patent license to make, have made, use, distribute, sell, offer for sale, import, transfer, and otherwise utilize, operate, modify and propagate the contents of the Work Product created under an Order. Such license applies only to those patent claims licensable by Contractor that are necessarily infringed by the Work Product alone, or by the combination of the Work Product with anything else used by the Purchasing Entity. B. Exclusive Property of the State Except to the extent specifically provided elsewhere in this Participating Addendum, any pre-existing State Records, State software, research, reports, studies, photographs, negatives or other documents, drawings, models, materials, data and information shall be the exclusive property of the State (collectively, “State Materials”). Contractor shall not use, willingly allow, cause or permit Work Product or State Materials to be used for any purpose other than the performance of Contractor’s obligations in this Participating Addendum without the prior written consent of the State. 
Upon termination of this Participating Addendum for any reason, Contractor shall provide all Work Product and State Materials to the State in a form and manner as directed by the State. C. Exclusive Property of Contractor Contractor retains the exclusive rights, title, and ownership to any and all pre-existing materials owned or licensed to Contractor including, but not limited to, all pre-existing software, licensed products, associated source code, machine code, text images, audio and/or video, and third-party materials, delivered by Contractor under the Contract, whether incorporated in a Deliverable or necessary to use a Deliverable (collectively, “Contractor Property”). Contractor Property shall be licensed to the State as set forth in this Contract or a State approved license agreement: (i) entered into as exhibits to this Contract; (ii) obtained by the State from the applicable third-party vendor; or (iii) in the case of open source software, the license terms set forth in the applicable open source license agreement. 17. OBLIGATIONS AND RIGHTS IN THE EVENT OF TERMINATION OF ORDER OR CONTRACT To the extent specified in any termination notice, Contractor shall not incur further obligations or render further performance past the effective date of such notice, and shall terminate outstanding orders and subcontracts with third parties. However, Contractor shall complete and deliver to Purchasing Entities all Work not cancelled by the termination notice, and may incur obligations as necessary to do so within this Participating Addendum’s terms. At the request of the State, Contractor shall assign to the appropriate Purchasing Entity all of Contractor's rights, title, and interest in and to such terminated orders or subcontracts. 
Upon termination, Contractor shall take timely, reasonable and necessary action to protect and preserve property in the possession of Contractor in which the appropriate Purchasing Entity has an interest. At the State or Purchasing Entity’s request, Contractor shall return materials owned by the Purchasing Entity that Contractor possesses at the time of any termination. Contractor shall deliver all completed Work Product to the appropriate Purchasing Entity at the State or Purchasing Entity’s request. 18. STATEWIDE CONTRACT MANAGEMENT SYSTEM If the maximum amount payable to Contractor under this Contract is $100,000 or greater, either on the Effective Date or at any time thereafter, this section shall apply. Contractor agrees to be governed by and comply with the provisions of §§24-102-206, 24-106-103, 24-106-106, and 24-106-107, C.R.S. regarding the monitoring of vendor performance and the reporting of contract information in the State’s contract management system (“Contract Management System” or “CMS”). Contractor’s performance shall be subject to evaluation and review in accordance with the terms and conditions of this Contract, Colorado statutes governing CMS, and State Fiscal Rules and State Controller policies. 19. GENERAL PROVISIONS A. Assignment Contractor’s rights and obligations under this Participating Addendum are personal and may not be transferred or assigned without the prior, written consent of the State. Any attempt at assignment or transfer without such consent shall be void. Any assignment or transfer of Contractor’s rights and obligations approved by the State shall be subject to the provisions of this Participating Addendum. B. Subcontracts Contractor shall not enter into any subcontract in connection with its obligations under this Contract without the prior, written approval of the State. Contractor shall submit to the State a copy of each subcontract upon request by the State. 
All subcontracts entered into by Contractor in connection with this Participating Addendum shall comply with all applicable federal and state laws and regulations, shall provide that they are governed by the laws of the State of Colorado, and shall be subject to all provisions of this Participating Addendum. C. Binding Effect Except as otherwise provided in §19.A., all provisions of this Participating Addendum, including the benefits and burdens, shall extend to and be binding upon the Parties’ respective successors and assigns. D. Authority Each Party represents and warrants to the other that the execution and delivery of this Participating Addendum and the performance of such Party’s obligations have been duly authorized. E. Captions and References The captions and headings in this Participating Addendum are for convenience of reference only, and shall not be used to interpret, define, or limit its provisions. All references in this Participating Addendum to sections (whether spelled out or using the § symbol), subsections, exhibits or other attachments, are references to sections, subsections, exhibits or other attachments contained herein or incorporated as a part hereof, unless otherwise noted. F. Counterparts This Participating Addendum may be executed in multiple, identical, original counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. G. Entire Understanding This Participating Addendum represents the complete integration of all understandings between the Parties related to the Work, and all prior representations and understandings related to the Work, oral or written, are merged into this Participating Addendum. 
Prior or contemporaneous additions, deletions, or other changes to this Participating Addendum shall not have any force or effect whatsoever, unless embodied herein. H. Digital Signatures If any signatory signs this agreement using a digital signature in accordance with the Colorado State Controller Contract, Grant and Purchase Order Policies regarding the use of digital signatures issued under the State Fiscal Rules, then any agreement or consent to use digital signatures within the electronic system through which that signatory signed shall be incorporated into this Contract by reference. I. Modification Except as otherwise provided in this Participating Addendum, any modification to this Participating Addendum shall only be effective if agreed to in a formal amendment to this Participating Addendum, properly executed and approved in accordance with applicable Colorado State law and State Fiscal Rules. Modifications permitted under this Participating Addendum, other than contract amendments, shall conform to the policies issued by the Colorado State Controller. J. Statutes, Regulations, Fiscal Rules, and Other Authority. Any reference in this Participating Addendum to a statute, regulation, State Fiscal Rule, fiscal policy or other authority shall be interpreted to refer to such authority then current, as may have been changed or amended since the Effective Date of this Participating Addendum. K. 
Severability The invalidity or unenforceability of any provision of this Participating Addendum shall not affect the validity or enforceability of any other provision of this Participating Addendum, which shall remain in full force and effect, provided that the Parties can continue to perform their obligations under this Participating Addendum in accordance with the intent of this Participating Addendum. L. Survival of Certain Contract Terms Any provision of this Participating Addendum that imposes an obligation on the Contractor or a Purchasing Entity after termination or expiration of this Participating Addendum shall survive the termination or expiration of this Participating Addendum and shall be enforceable by the other Party. M. Taxes The State is exempt from federal excise taxes under I.R.C. Chapter 32 (26 U.S.C., Subtitle D, Ch. 32) (Federal Excise Tax Exemption Certificate of Registry No. 84-730123K) and from State and local government sales and use taxes under §§39-26-704(1), et seq., C.R.S. (Colorado Sales Tax Exemption Identification Number 98-02565). The State shall not be liable for the payment of any excise, sales, or use taxes, regardless of whether any political subdivision of the State imposes such taxes on Contractor. Contractor shall be solely responsible for any exemptions from the collection of excise, sales or use taxes that Contractor may wish to have in place in connection with this Participating Addendum. Contractor shall honor any tax exemption that any Purchasing Entity has, and shall not charge any Purchasing Entity any excise, sales, or use taxes from which that Purchasing Entity is exempt. N. 
Third Party Beneficiaries Except for a Purchasing Entity and/or the Parties’ respective successors and assigns described in §19.A, this Participating Addendum does not and is not intended to confer any rights or remedies upon any person or entity other than the Parties. Enforcement of this Participating Addendum and all rights and obligations hereunder are reserved solely to the Parties. Any services or benefits which third parties receive as a result of this Participating Addendum are incidental to this Participating Addendum, and do not create any rights for such third parties. O. Waiver A Party’s failure or delay in exercising any right, power, or privilege under this Participating Addendum, whether explicit or by lack of enforcement, shall not operate as a waiver, nor shall any single or partial exercise of any right, power, or privilege preclude any other or further exercise of such right, power, or privilege. P. CORA Disclosure To the extent not prohibited by federal law, this Participating Addendum and the performance measures and standards required under §24-106-107, C.R.S., if any, are subject to public release through the CORA. Q. Standard and Manner of Performance Contractor shall perform its obligations under this Participating Addendum in accordance with the highest standards of care, skill and diligence in Contractor’s industry, trade, or profession. R. Licenses, Permits, and Other Authorizations. 
Contractor shall secure, prior to the Effective Date, and maintain at all times during the term of this Participating Addendum, at its sole expense, all licenses, certifications, permits, and other authorizations required to perform its obligations under this Participating Addendum, and shall ensure that all employees, agents and Subcontractors secure and maintain at all times during the term of their employment, agency or subcontract, all license, certifications, permits and other authorizations required to perform their obligations in relation to this Participating Addendum. S. Indemnification i. General Indemnification Contractor shall indemnify, save, and hold harmless the State, its employees, agents and assignees (the “Indemnified Parties”), against any and all costs, expenses, claims, damages, liabilities, court awards and other amounts (including attorneys’ fees and related costs) incurred by any of the Indemnified Parties in relation to any act or omission by Contractor, or its employees, agents, Subcontractors, or assignees in connection with this Participating Addendum. ii. Confidential Information Indemnification Disclosure or use of State Confidential Information by Contractor in violation of §10 may be cause for legal action by third parties against Contractor, the State, or their respective agents. Contractor shall indemnify, save, and hold harmless the Indemnified Parties, against any and all claims, damages, liabilities, losses, costs, expenses (including attorneys’ fees and costs) incurred by the State in relation to any act or omission by Contractor, or its employees, agents, assigns, or Subcontractors in violation of §10. iii. 
Intellectual Property Indemnification Contractor shall indemnify, save, and hold harmless the Indemnified Parties, against any and all costs, expenses, claims, damages, liabilities, and other amounts (including attorneys’ fees and costs) incurred by the Indemnified Parties in relation to any claim that any Work infringes a patent, copyright, trademark, trade secret, or any other intellectual property right. 20. COLORADO SPECIAL PROVISIONS (COLORADO FISCAL RULE 3-3) These Special Provisions apply to all contracts except where noted in italics. A. STATUTORY APPROVAL. §24-30-202(1), C.R.S. This Contract shall not be valid until it has been approved by the Colorado State Controller or designee. If this Contract is for a Major Information Technology Project, as defined in §24-37.5-102(2.6), then this Contract shall not be valid until it has been approved by the State’s Chief Information Officer or designee. B. FUND AVAILABILITY. §24-30-202(5.5), C.R.S. Financial obligations of the State payable after the current State Fiscal Year are contingent upon funds for that purpose being appropriated, budgeted, and otherwise made available. C. GOVERNMENTAL IMMUNITY. Liability for claims for injuries to persons or property arising from the negligence of the State, its departments, boards, commissions committees, bureaus, offices, employees and officials shall be controlled and limited by the provisions of the Colorado Governmental Immunity Act, §24-10-101, et seq., C.R.S.; the Federal Tort Claims Act, 28 U.S.C. Pt. VI, Ch. 171 and 28 U.S.C. 1346(b), and the State’s risk management statutes, §§24-30-1501, et seq. C.R.S. 
No term or condition of this Contract shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protections, or other provisions, contained in these statutes. D. INDEPENDENT CONTRACTOR Contractor shall perform its duties hereunder as an independent contractor and not as an employee. Neither Contractor nor any agent or employee of Contractor shall be deemed to be an agent or employee of the State. Contractor shall not have authorization, express or implied, to bind the State to any agreement, liability or understanding, except as expressly set forth herein. Contractor and its employees and agents are not entitled to unemployment insurance or workers compensation benefits through the State and the State shall not pay for or otherwise provide such coverage for Contractor or any of its agents or employees. Contractor shall pay when due all applicable employment taxes, income taxes and local head taxes incurred pursuant to this Contract. Contractor shall (i) provide and keep in force workers' compensation and unemployment compensation insurance in the amounts required by law, (ii) provide proof thereof when requested by the State, and (iii) be solely responsible for its acts and those of its employees and agents. E. COMPLIANCE WITH LAW. Contractor shall comply with all applicable federal and State laws, rules, and regulations in effect or hereafter established, including, without limitation, laws applicable to discrimination and unfair employment practices. F. CHOICE OF LAW, JURISDICTION, AND VENUE. Colorado law, and rules and regulations issued pursuant thereto, shall be applied in the interpretation, execution, and enforcement of this Contract. Any provision included or incorporated herein by reference which conflicts with said laws, rules, and regulations shall be null and void. 
All suits or actions related to this Contract shall be filed and proceedings held in the State of Colorado and exclusive venue shall be in the City and County of Denver. G. PROHIBITED TERMS. Any term included in this Contract that requires the State to indemnify or hold Contractor harmless; requires the State to agree to binding arbitration; limits Contractor’s liability for damages resulting from death, bodily injury, or damage to tangible property; or that conflicts with this provision in any way shall be void ab initio. Nothing in this Contract shall be construed as a waiver of any provision of §24-106-109 C.R.S. Any term included in this Contract that limits Contractor’s liability that is not void under this section shall apply only in excess of any insurance to be maintained under this Contract, and no insurance policy shall be interpreted as being subject to any limitations of liability of this Contract. H. SOFTWARE PIRACY PROHIBITION. State or other public funds payable under this Contract shall not be used for the acquisition, operation, or maintenance of computer software in violation of federal copyright laws or applicable licensing restrictions. Contractor hereby certifies and warrants that, during the term of this Contract and any extensions, Contractor has and shall maintain in place appropriate systems and controls to prevent such improper use of public funds. If the State determines that Contractor is in violation of this provision, the State may exercise any remedy available at law or in equity or under this Contract, including, without limitation, immediate termination of this Contract and any remedy consistent with federal copyright laws or applicable licensing restrictions. I. EMPLOYEE FINANCIAL INTEREST/CONFLICT OF INTEREST. §§24-18-201 and 24-50-507, C.R.S. 
The signatories aver that to their knowledge, no employee of the State has any personal or beneficial interest whatsoever in the service or property described in this Contract. Contractor has no interest and shall not acquire any interest, direct or indirect, that would conflict in any manner or degree with the performance of Contractor’s services and Contractor shall not employ any person having such known interests. J. VENDOR OFFSET AND ERRONEOUS PAYMENTS. §§24-30-202(1) and 24-30-202.4, C.R.S. [Not applicable to intergovernmental agreements] Subject to §24-30-202.4(3.5), C.R.S., the State Controller may withhold payment under the State’s vendor offset intercept system for debts owed to State agencies for: (i) unpaid child support debts or child support arrearages; (ii) unpaid balances of tax, accrued interest, or other charges specified in §§39-21-101, et seq., C.R.S.; (iii) unpaid loans due to the Student Loan Division of the Department of Higher Education; (iv) amounts required to be paid to the Unemployment Compensation Fund; and (v) other unpaid debts owing to the State as a result of final agency determination or judicial action. The State may also recover, at the State’s discretion, payments made to Contractor in error for any reason, including, but not limited to, overpayments or improper payments, and unexpended or excess funds received by Contractor by deduction from subsequent payments under this Contract, deduction from any payment due under any other contracts, grants or agreements between the State and Contractor, or by any other appropriate method for collecting debts owed to the State. K. PUBLIC CONTRACTS FOR SERVICES. §§8-17.5-101, et seq., C.R.S. 
[Not applicable to agreements relating to the offer, issuance, or sale of securities, investment advisory services or fund management services, sponsored projects, intergovernmental agreements, or information technology services or products and services] Contractor certifies, warrants, and agrees that it does not knowingly employ or contract with an illegal alien who will perform work under this Contract and will confirm the employment eligibility of all employees who are newly hired for employment in the United States to perform work under this Contract, through participation in the E-Verify Program or the State verification program established pursuant to §8-17.5-102(5)(c), C.R.S., Contractor shall not knowingly employ or contract with an illegal alien to perform work under this Contract or enter into a contract with a Subcontractor that fails to certify to Contractor that the Subcontractor shall not knowingly employ or contract with an illegal alien to perform work under this Contract. Contractor (i) shall not use E-Verify Program or the program procedures of the Colorado Department of Labor and Employment (“Department Program”) to undertake pre-employment screening of job applicants while this Contract is being performed, (ii) shall notify the Subcontractor and the contracting State agency or institution of higher education within 3 days if Contractor has actual knowledge that a Subcontractor is employing or contracting with an illegal alien for work under this Contract, (iii) shall terminate the subcontract if a Subcontractor does not stop employing or contracting with the illegal alien within 3 days of receiving the notice, and (iv) shall comply with reasonable requests made in the course of an investigation, undertaken pursuant to §8-17.5-102(5), C.R.S., by the Colorado Department of Labor and Employment. 
If Contractor participates in the Department program, Contractor shall deliver to the contracting State agency, Institution of Higher Education or political subdivision, a written, notarized affirmation, affirming that Contractor has examined the legal work status of such employee, and shall comply with all of the other requirements of the Department program. If Contractor fails to comply with any requirement of this provision or §§8-17.5-101, et seq., C.R.S., the contracting State agency, institution of higher education or political subdivision may terminate this Contract for breach and, if so terminated, Contractor shall be liable for damages. L. PUBLIC CONTRACTS WITH NATURAL PERSONS. §§24-76.5-101, et seq., C.R.S. Contractor, if a natural person eighteen (18) years of age or older, hereby swears and affirms under penalty of perjury that Contractor (i) is a citizen or otherwise lawfully present in the United States pursuant to federal law, (ii) shall comply with the provisions of §§24-76.5-101, et seq., C.R.S., and (iii) has produced one form of identification required by §24-76.5-103, C.R.S. prior to the Effective Date of this Contract. EXHIBIT B STATEMENT OF WORK 1. GOODS AND/OR SERVICES For a description of what the Participating Addendum will provide please reference Exhibit C pricing list. This agreement is only for items within the General Software Category and the Microsoft Category. Oracle items are excluded from this agreement. A. Delivery of Goods and Performance of Services i. Contractor shall provide all Goods and perform all Services described in each Order. ii. 
Unless specifically agreed to otherwise in an Order, Contractor shall deliver all Goods under an Order in good, working and undamaged condition. All Goods shall be free on board (“F.O.B.”) destination to the location specified in the Order. iii. If a good in an Order is out of stock, Contractor may only provide a substitute good if it has notified the Purchasing Entity for that Order, in writing, that the good is out of stock and has received the Purchasing Entity’s approval to provide the substitute good. Purchasing Entities may request additional information comparing the substitute good with the original good in the Purchasing Entity’s sole discretion. B. Additional Terms Any additional terms and conditions on any invoice, statement, Contractor time sheet, website, electronic license or use agreement or any other form, including, without limitation, terms regarding indemnification, limitation of liability, cancellation fees, choice of law and binding arbitration shall be void and unenforceable except to the extent that they are specifically included in this Participating Addendum or an Order. The signature of any employee of a Purchasing Entity on any such form shall be effective to establish receipt of Goods or completion of Services and shall not make any term of that form enforceable. EXHIBIT C PRODUCTS AND PRICE LIST 1. Contractor has been awarded the following categories: • SOFTWARE VALUE ADDED RESELLER 2. The products and price list is located on the Contractor’s dedicated State website, hosted and maintained by the Contractor, and is incorporated into this Participating Addendum by reference. Changes in product and pricing must be approved by the lead state and shall be effective when published on the dedicated state website. HTTPS://WWW.IPS.INSIGHT.COM/NASPOSVAR2022 3. Pricing A. 
Price Lists The State may publish any pricing information under this Participating Addendum, including, without limitation the pricing information shown in this Exhibit C, Products and Price List, on the State’s website and any other website as the State determines is necessary or efficient to facilitate the use of this Participating Addendum by Purchasing Entities. B. Price Decreases and Ceiling Prices The prices listed in this Exhibit C are Ceiling Prices, and Contractor may offer lower prices to Purchasing Entities, and Purchasing Entities may negotiate lower prices with Contractor, without the review or approval of the State. Contractor shall not allow a Subcontractor to charge an amount greater than the Ceiling Price for any Order. C. Environmentally Preferable Purchasing i. Contractor shall provide training regarding the environmentally preferable products, as defined in the State’s Environmentally Preferable Purchasing Policy, that are purchased or made available under this Participating Addendum. This training shall be provided at no additional cost, unless otherwise agreed upon by the Parties, and shall be presented at a time and in a manner as agreed upon by the Parties. ii. The State reserves the right to request additional provisions and requirements to ensure this Participating Addendum is in compliance with all State regulations and policies, including all sustainable purchasing and environmentally preferable purchasing policies or executive orders. 
PUBLISHERS
Tier I Publishers (Key Itemized Publishers): ADOBE, CA TECHNOLOGIES (acquired by Broadcom), CISCO, COMMVAULT, IBM, RED HAT, SPLUNK, TABLEAU, VEEAM, VMWARE
Tier II Publishers (Other Itemized Publishers): AUTODESK, BARRACUDA NETWORKS, BMC SOFTWARE, CHECK POINT SOFTWARE, CHERWELL, CITRIX, CHATSWORTH PRODUCTS (CPI), CROWDSTRIKE, DELL, DELPHIX, DOCUSIGN, DYNATRACE, FORCEPOINT, FORTINET, GOOGLE, INFORMATICA, IVANTI, KNOWBE4, MCAFEE, MICRO FOCUS, MULESOFT, NETMOTION, OKTA, OPENTEXT, PROGRESS SOFTWARE, PROOFPOINT, QUEST SOFTWARE, RAPID7, RSA SECURITY, SALESFORCE, SAP, SOLARWINDS, SOPHOS, SPILLMAN (acquired by Motorola Solutions), SYMANTEC (acquired by Broadcom), TENABLE, TREND MICRO, VARONIS, VERITAS, ZOHO
Non-itemized Publishers: All other publishers
2.50% 2.50% 2.25% 2.50% 4.75% 2.50% 2.50% 2.25% 2.50% 2.50% 2.50% 2.50% 2.50% 2.50% 2.50% 2.25% 2.50% 2.50% 2.50% 2.25% 2.25% 2.50% 2.50% 2.50% 2.25% 2.50% 2.25% 2.50% 2.25% 2.50% 2.50% 2.50% 2.25% 2.50% 2.25% 2.25% 2.25% 2.25% 2.25% 2.25% 2.50% 1.95%
INSIGHT PUBLIC SECTOR NASPO VALUEPOINT SOFTWARE VALUE-ADDED RESELLER (SVAR) STATE OF COLORADO CONTRACT #178266 ALL PUBLISHERS EXCEPT MICROSOFT AND ORACLE
MAXIMUM MARKUP ON RESELLER'S INVOICED COST
2.00% 2.00% 1.95% 1.95% 2.00% 1.95% 2.00% 2.00% 1.95%

INSIGHT PUBLIC SECTOR NASPO VALUEPOINT SOFTWARE VALUE-ADDED RESELLER (SVAR) STATE OF COLORADO CONTRACT #178266 ALL PUBLISHERS EXCEPT MICROSOFT AND ORACLE
RESELLER SERVICES: Asset management, Solutions architect, Senior solutions architect, Program engagement manager, Project leader, Project manager, Senior project manager, All other in-scope reseller services (Connected Workforce / Cloud + Data Center Transformation)
OPTIONAL SERVICES
Digital Innovation: UX/Visual/Product: Creative Director, Principal Designer, Associate Creative Director, Design Manager, Product Manager, Senior Designer, Senior Business Analyst, Designer, Business Analyst, Associate Designer, Associate Business Analyst
Digital Innovation: PM Services: Manager, Program Manager, Project Manager, Project Coordinator
Digital Innovation: Technology: Principal/Chief Architect, Senior Architect, Managing Architect, Architect, Senior Software Engineer, Software Engineer, Associate Software Engineer
$300.00 $275.00 $250.00 $225.00 $190.00 $300.00 $250.00 $250.00 $225.00 $225.00 $190.00 $190.00 $325.00 $250.00 $225.00 $190.00 $325.00 $275.00
HOURLY RATE $209.00 $220.00 $284.00 $325.00 $300.00 $300.00 $275.00 $127.00
HOURLY RATE $200.00 $209.00 $265.00 $232.00

SUBCATEGORY
Itemized Microsoft Offerings: EMS E5, G1, G2, G3, G5, Govt E4, Advanced Threat Protection, Power BI, Exchange Online, Kiosk F3 Now, Dynamics, PowerApps, Project Online, Azure
All Other Microsoft Offerings: SaaS, On-Premise
Resold In-scope Professional Services: Ongoing maintenance & support services not included in software license agreement, Deployment services, Architectural design services, Training deployment services, All other resold in-scope professional services
IN-SCOPE RESELLER SERVICES: Asset management, Solutions architect, Senior solutions architect, Program engagement manager, Project leader, Project manager, Senior project manager, All other in-scope reseller services (Connected Workforce / Cloud + Data Center Transformation)
OPTIONAL SERVICES: Cloud Solution Provider (CSP) Program
OPTIONAL SERVICES
Digital Innovation: UX/Visual/Product: Creative Director, Principal Designer, Associate Creative Director, Design Manager, Product Manager, Senior Designer, Senior Business Analyst, Designer, Business Analyst, Associate Designer, Associate Business Analyst
Digital Innovation: PM Services: Manager, Program Manager, Project Manager, Project Coordinator
Digital Innovation: Technology: Principal/Chief Architect, Senior Architect, Managing Architect, Architect, Senior Software Engineer, Software Engineer, Associate Software Engineer
$300.00 $275.00 $250.00 $225.00 $190.00 $300.00 $250.00 $250.00 $225.00 $225.00 $190.00 $190.00 $325.00 $250.00 $225.00 $190.00 $325.00 $275.00
MAXIMUM MARKUP ON 16.00%
HOURLY RATE $325.00 $300.00 $300.00 $275.00 $209.00 $220.00 $284.00 $200.00 $209.00 $265.00 $232.00 $127.00
INSIGHT PUBLIC SECTOR NASPO VALUEPOINT SOFTWARE VALUE-ADDED RESELLER (SVAR) STATE OF COLORADO CONTRACT #178266 MICROSOFT
MAXIMUM MARKUP ON RESELLER'S INVOICED COST 1.65%
HOURLY RATE 1.65% 1.65% 1.65% 1.65% 1.65% 1.65% 1.65%

EXHIBIT D – HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement (“Agreement”) between the State and Contractor is agreed to in connection with, and as an exhibit to, the Contract. For purposes of this Agreement, the State is referred to as “Covered Entity” and the Contractor is referred to as “Business Associate”. Unless the context clearly requires a distinction between the Contract and this Agreement, all references to “Contract” shall include this Agreement. 1. PURPOSE Covered Entity wishes to disclose information to Business Associate, which may include Protected Health Information ("PHI"). The Parties intend to protect the privacy and security of the disclosed PHI in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191 (1996) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) enacted under the American Recovery and Reinvestment Act of 2009 (“ARRA”) Pub. L. No. 111–5 (2009), implementing regulations promulgated by the U.S. Department of Health and Human Services at 45 C.F.R. Parts 160, 162 and 164 (the “HIPAA Rules”) and other applicable laws, as amended. 
Prior to the disclosure of PHI, Covered Entity is required to enter into an agreement with Business Associate containing specific requirements as set forth in, but not limited to, Title 45, Sections 160.103, 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”) and all other applicable laws and regulations, all as may be amended. 2. DEFINITIONS The following terms used in this Agreement shall have the same meanings as in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. The following terms used in this Agreement shall have the meanings set forth below: a. Business Associate. “Business Associate” shall have the same meaning as the term “business associate” at 45 C.F.R. 160.103, and shall refer to Contractor. b. Covered Entity. “Covered Entity” shall have the same meaning as the term “covered entity” at 45 C.F.R. 160.103, and shall refer to the State. c. Information Technology and Information Security. “Information Technology” and “Information Security” shall have the same meanings as the terms “information technology” and “information security”, respectively, in §24-37.5-102, C.R.S. Capitalized terms used herein and not otherwise defined herein or in the HIPAA Rules shall have the meanings ascribed to them in the Contract. 3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE d. Permitted Uses and Disclosures. i. Business Associate shall use and disclose PHI only to accomplish Business Associate’s obligations under the Contract. ii. To the extent Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. 
Part 164, Business Associate shall comply with any and all requirements of Subpart E that apply to Covered Entity in the performance of such obligation. iii. Business Associate may disclose PHI to carry out the legal responsibilities of Business Associate, provided, that the disclosure is Required by Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that: A. the information will remain confidential and will be used or disclosed only as Required by Law or for the purpose for which Business Associate originally disclosed the information to that person, and; B. the person notifies Business Associate of any Breach involving PHI of which it is aware. iv. Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity. Business Associate may de-identify any or all PHI created or received by Business Associate under this Agreement, provided the de-identification conforms to the requirements of the HIPAA Rules. e. Minimum Necessary. Business Associate, its Subcontractors and agents, shall access, use, and disclose only the minimum amount of PHI necessary to accomplish the objectives of the Contract, in accordance with the Minimum Necessary Requirements of the HIPAA Rules including, but not limited to, 45 C.F.R. 164.502(b) and 164.514(d). f. Impermissible Uses and Disclosures. i. Business Associate shall not disclose the PHI of Covered Entity to another covered entity without the written authorization of Covered Entity. ii. Business Associate shall not share, use, disclose or make available any Covered Entity PHI in any form via any medium with or to any person or entity beyond the boundaries or jurisdiction of the United States without express written authorization from Covered Entity. g. Business Associate's Subcontractors. i. Business Associate shall, in accordance with 45 C.F.R. 
164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to safeguarding PHI. ii. Business Associate shall provide to Covered Entity, on Covered Entity’s request, a list of Subcontractors who have entered into any such agreement with Business Associate. iii. Business Associate shall provide to Covered Entity, on Covered Entity’s request, copies of any such agreements Business Associate has entered into with Subcontractors. h. Access to System. If Business Associate needs access to a Covered Entity Information Technology system to comply with its obligations under the Contract or this Agreement, Business Associate shall request, review, and comply with any and all policies applicable to Covered Entity regarding such system including, but not limited to, any policies promulgated by the Office of Information Technology and available at http://oit.state.co.us/about/policies. i. Access to PHI. Business Associate shall, within ten days of receiving a written request from Covered Entity, make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. j. Amendment of PHI. i. Business Associate shall within ten days of receiving a written request from Covered Entity make any amendment to PHI in a Designated Record Set as directed by or agreed to by Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. ii. Business Associate shall promptly forward to Covered Entity any request for amendment of PHI that Business Associate receives directly from an Individual. k. 
Accounting Rights. Business Associate shall, within ten days of receiving a written request from Covered Entity, maintain and make available to Covered Entity the information necessary for Covered Entity to satisfy its obligations to provide an accounting of Disclosure under 45 C.F.R. 164.528. l. Restrictions and Confidential Communications. i. Business Associate shall restrict the Use or Disclosure of an Individual’s PHI within ten days of notice from Covered Entity of: (1) a restriction on Use or Disclosure of PHI pursuant to 45 C.F.R. 164.522; or (2) a request for confidential communication of PHI pursuant to 45 C.F.R. 164.522. ii. Business Associate shall not respond directly to an Individual’s requests to restrict the Use or Disclosure of PHI or to send all communication of PHI to an alternate address. iii. Business Associate shall refer such requests to Covered Entity so that Covered Entity can coordinate and prepare a timely response to the requesting Individual and provide direction to Business Associate. m. Governmental Access to Records. Business Associate shall make its facilities, internal practices, books, records, and other sources of information, including PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules in accordance with 45 C.F.R. 160.310. n. Audit, Inspection and Enforcement. i. Business Associate shall obtain and update at least annually a written assessment performed by an independent third party reasonably acceptable to Covered Entity, which evaluates the Information Security of the applications, infrastructure, and processes that interact with the Covered Entity data Business Associate receives, manipulates, stores and distributes. Upon request by Covered Entity, Business Associate shall provide to Covered Entity the executive summary of the assessment. ii. 
Business Associate, upon the request of Covered Entity, shall fully cooperate with Covered Entity’s efforts to audit Business Associate’s compliance with applicable HIPAA Rules. If, through audit or inspection, Covered Entity determines that Business Associate’s conduct would result in violation of the HIPAA Rules or is in violation of the Contract or this Agreement, Business Associate shall promptly remedy any such violation and shall certify completion of its remedy in writing to Covered Entity. o. Appropriate Safeguards. i. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided in this Agreement. ii. Business Associate shall safeguard the PHI from tampering and unauthorized disclosures. iii. Business Associate shall maintain the confidentiality of passwords and other data required for accessing this information. iv. Business Associate shall extend protection beyond the initial information obtained from Covered Entity to any databases or collections of PHI containing information derived from the PHI. The provisions of this section shall be in force unless PHI is de-identified in conformance to the requirements of the HIPAA Rules. p. Safeguard During Transmission. i. Business Associate shall use reasonable and appropriate safeguards including, without limitation, Information Security measures to ensure that all transmissions of PHI are authorized and to prevent use or disclosure of PHI other than as provided for by this Agreement. ii. Business Associate shall not transmit PHI over the internet or any other insecure or open communication channel unless the PHI is encrypted or otherwise safeguarded with a FIPS-compliant encryption algorithm. q. 
Reporting of Improper Use or Disclosure and Notification of Breach. i. Business Associate shall, as soon as reasonably possible, but immediately after discovery of a Breach, notify Covered Entity of any use or disclosure of PHI not provided for by this Agreement, including a Breach of Unsecured Protected Health Information as such notice is required by 45 C.F.R. 164.410 or a breach for which notice is required under §24-73-103, C.R.S. ii. Such notice shall include the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. iii. Business Associate shall, as soon as reasonably possible, but immediately after discovery of any Security Incident that does not constitute a Breach, notify Covered Entity of such incident. iv. Business Associate shall have the burden of demonstrating that all notifications were made as required, including evidence demonstrating the necessity of any delay. r. Business Associate’s Insurance and Notification Costs. i. Business Associate shall bear all costs of a Breach response including, without limitation, notifications, and shall maintain insurance to cover: (1) loss of PHI data; (2) Breach notification requirements specified in HIPAA Rules and in §24-73-103, C.R.S.; and (3) claims based upon alleged violations of privacy rights through improper use or disclosure of PHI. ii. All such policies shall meet or exceed the minimum insurance requirements of the Contract or otherwise as may be approved by Covered Entity (e.g., occurrence basis, combined single dollar limits, annual aggregate dollar limits, additional insured status, and notice of cancellation). iii. 
Business Associate shall provide Covered Entity a point of contact who possesses relevant Information Security knowledge and is accessible 24 hours per day, 7 days per week to assist with incident handling. iv. Business Associate, to the extent practicable, shall mitigate any harmful effect known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this Agreement. s. Subcontractors and Breaches. i. Business Associate shall enter into a written agreement with each of its Subcontractors and agents, who create, receive, maintain, or transmit PHI on behalf of Business Associate. The agreements shall require such Subcontractors and agents to report to Business Associate any use or disclosure of PHI not provided for by this Agreement, including Security Incidents and Breaches of Unsecured Protected Health Information, on the first day such Subcontractor or agent knows or should have known of the Breach as required by 45 C.F.R. 164.410. ii. Business Associate shall notify Covered Entity of any such report and shall provide copies of any such agreements to Covered Entity on request. t. Data Ownership. i. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI. ii. Upon request by Covered Entity, Business Associate immediately shall provide Covered Entity with any keys to decrypt information that the Business Association has encrypted and maintains in encrypted form, or shall provide such information in unencrypted usable form. u. Retention of PHI. Except upon termination of this Agreement as provided in Section 5, below, Business Associate and its Subcontractors or agents shall retain all PHI throughout the term of this Agreement, and shall continue to maintain the accounting of disclosures required under Section 3.h, above, for a period of six years. 
4. OBLIGATIONS OF COVERED ENTITY a. Safeguards During Transmission. Covered Entity shall be responsible for using appropriate safeguards including encryption of PHI, to maintain and ensure the confidentiality, integrity, and security of PHI transmitted pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Rules. b. Notice of Changes. i. Covered Entity maintains a copy of its Notice of Privacy Practices on its website. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission to use or disclose PHI, to the extent that it may affect Business Associate’s permitted or required uses or disclosures. ii. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that it may affect Business Associate’s permitted use or disclosure of PHI. 5. TERMINATION a. Breach. i. In addition to any Contract provision regarding remedies for breach, Covered Entity shall have the right, in the event of a breach by Business Associate of any provision of this Agreement, to terminate immediately the Contract, or this Agreement, or both. ii. Subject to any directions from Covered Entity, upon termination of the Contract, this Agreement, or both, Business Associate shall take timely, reasonable, and necessary action to protect and preserve property in the possession of Business Associate in which Covered Entity has an interest. b. Effect of Termination. i. Upon termination of this Agreement for any reason, Business Associate, at the option of Covered Entity, shall return or destroy all PHI that Business Associate, its agents, or its Subcontractors maintain in any form, and shall not retain any copies of such PHI. ii. 
If Covered Entity directs Business Associate to destroy the PHI, Business Associate shall certify in writing to Covered Entity that such PHI has been destroyed. iii. If Business Associate believes that returning or destroying the PHI is not feasible, Business Associate shall promptly provide Covered Entity with notice of the conditions making return or destruction infeasible. Business Associate shall continue to extend the protections of Section 3 of this Agreement to such PHI, and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. 6. INJUNCTIVE RELIEF Covered Entity and Business Associate agree that irreparable damage would occur in the event Business Associate or any of its Subcontractors or agents use or disclosure of PHI in violation of this Agreement, the HIPAA Rules or any applicable law. Covered Entity and Business Associate further agree that money damages would not provide an adequate remedy for such Breach. Accordingly, Covered Entity and Business Associate agree that Covered Entity shall be entitled to injunctive relief, specific performance, and other equitable relief to prevent or restrain any Breach or threatened Breach of and to enforce specifically the terms and provisions of this Agreement. 7. LIMITATION OF LIABILITY Any provision in the Contract limiting Contractor’s liability shall not apply to Business Associate’s liability under this Agreement, which shall not be limited. 8. DISCLAIMER Covered Entity makes no warranty or representation that compliance by Business Associate with this Agreement or the HIPAA Rules will be adequate or satisfactory for Business Associate’s own purposes. Business Associate is solely responsible for all decisions made and actions taken by Business Associate regarding the safeguarding of PHI. 9. 
CERTIFICATION Covered Entity has a legal obligation under HIPAA Rules to certify as to Business Associate’s Information Security practices. Covered Entity or its authorized agent or contractor shall have the right to examine Business Associate’s facilities, systems, procedures, and records, at Covered Entity’s expense, if Covered Entity determines that examination is necessary to certify that Business Associate’s Information Security safeguards comply with the HIPAA Rules or this Agreement. 10. AMENDMENT a. Amendment to Comply with Law. The Parties acknowledge that state and federal laws and regulations relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide procedures to ensure compliance with such developments. i. In the event of any change to state or federal laws and regulations relating to data security and privacy affecting this Agreement, the Parties shall take such action as is necessary to implement the changes to the standards and requirements of HIPAA, the HIPAA Rules and other applicable rules relating to the confidentiality, integrity, availability and security of PHI with respect to this Agreement. ii. Business Associate shall provide to Covered Entity written assurance satisfactory to Covered Entity that Business Associate shall adequately safeguard all PHI, and obtain written assurance satisfactory to Covered Entity from Business Associate’s Subcontractors and agents that they shall adequately safeguard all PHI. iii. Upon the request of either Party, the other Party promptly shall negotiate in good faith the terms of an amendment to the Contract embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Rules, or other applicable rules. iv. 
Covered Entity may terminate this Agreement upon 30 days’ prior written notice in the event that: (1) Business Associate does not promptly enter into negotiations to amend the Contract and this Agreement when requested by Covered Entity pursuant to this Section; or (2) Business Associate does not enter into an amendment to the Contract and this Agreement, which provides assurances regarding the safeguarding of PHI sufficient, in Covered Entity’s sole discretion, to satisfy the standards and requirements of the HIPAA, the HIPAA Rules and applicable law. b. Amendment of Appendix. The Appendix to this Agreement may be modified or amended by the mutual written agreement of the Parties, without amendment of this Agreement. Any modified or amended Appendix agreed to in writing by the Parties shall supersede and replace any prior version of the Appendix. 11. ASSISTANCE IN LITIGATION OR ADMINISTRATIVE PROCEEDINGS Covered Entity shall provide written notice to Business Associate if litigation or administrative proceeding is commenced against Covered Entity, its directors, officers, or employees, based on a claimed violation by Business Associate of HIPAA, the HIPAA Rules or other laws relating to security and privacy or PHI. Upon receipt of such notice and to the extent requested by Covered Entity, Business Associate shall, and shall cause its employees, Subcontractors, or agents assisting Business Associate in the performance of its obligations under the Contract to, assist Covered Entity in the defense of such litigation or proceedings. Business Associate shall, and shall cause its employees, Subcontractor’s and agents to, provide assistance, to Covered Entity, which may include testifying as a witness at such proceedings. Business Associate or any of its employees, Subcontractors or agents shall not be required to provide such assistance if Business Associate is a named adverse party. 12. 
INTERPRETATION AND ORDER OF PRECEDENCE Any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with the HIPAA Rules. In the event of an inconsistency between the Contract and this Agreement, this Agreement shall control. This Agreement supersedes and replaces any previous, separately executed HIPAA business associate agreement between the Parties. 13. SURVIVAL Provisions of this Agreement requiring continued performance, compliance, or effect after termination shall survive termination of this contract or this agreement and shall be enforceable by Covered Entity. 14. APPENDIX D.1. TO HIPAA BUSINESS ASSOCIATE AGREEMENT, ATTACHED TO THIS EXHIBIT IS INCORPORATED AND MADE PART HEREOF. APPENDIX D.1 TO HIPAA BUSINESS ASSOCIATE AGREEMENT This Appendix (“Appendix”) to the HIPAA Business Associate Agreement (“Agreement”) is an appendix to the Contract and the Agreement. For the purposes of this Appendix, defined terms shall have the meanings ascribed to them in the Agreement and the Contract. Unless the context clearly requires a distinction between the Contract, the Agreement, and this Appendix, all references to “Contract” or “Agreement” shall include this Appendix. 1. Purpose This Appendix sets forth additional terms to the Agreement. Any sub-section of this Appendix marked as “Reserved” shall be construed as setting forth no additional terms. 2. Additional Terms a. Additional Permitted Uses. In addition to those purposes set forth in the Agreement, Business Associate may use PHI for the following additional purposes: i. Reserved. a. Additional Permitted Disclosures. In addition to those purposes set forth in the Agreement, Business Associate may disclose PHI for the following additional purposes: i. Reserved. c. Approved Subcontractors. 
Covered Entity agrees that the following Subcontractors or agents of Business Associate may receive PHI under the Agreement: i. Reserved. d. Definition of Receipt of PHI. Business Associate’s receipt of PHI under this Contract shall be deemed to occur, and Business Associate’s obligations under the Agreement shall commence, as follows: i. Reserved. e. Additional Restrictions on Business Associate. Business Associate agrees to comply with the following additional restrictions on Business Associate’s use and disclosure of PHI under the Contract: i. Reserved. f. Additional Terms. Business Associate agrees to comply with the following additional terms under the Agreement: i. Reserved. EXHIBIT E SAFEGUARDING REQUIREMENTS FOR FEDERAL TAX INFORMATION This Addendum regarding Safeguarding Requirements for Federal Tax Information (“Addendum”)1 is an essential part of the agreement between the State and Contractor as described in the Contract to which this Addendum is attached. Unless the context clearly requires a distinction between the Contract and this Addendum, all references to “Contract” shall include this Addendum. 1. PERFORMANCE In performance of this Contract, the Contractor agrees to comply with and assume responsibility for compliance by Contractor’s employees with the following requirements: A. All work will be done under the supervision of the Contractor or the Contractor’s employees. B. The Contractor and the Contractor’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075 and Colorado Revised Statutes 24-50-1002. C. Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. 
Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Contract. Disclosure to anyone other than an officer or employee of the Contractor will be prohibited.
D. All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.
E. The Contractor certifies that the data processed during the performance of this Contract will be completely purged from all data storage components of Contractor’s computer facility, and no output will be retained by the Contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the Contractor certifies that any FTI remaining in any storage component will be safeguarded to prevent unauthorized disclosures.
F. Any spoilage or any intermediate hard copy printout that may result during the processing of FTI will be given to the State or the State’s designee. When this is not possible, the Contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the State or the State’s designee with a statement containing the date of destruction, description of material destroyed, and the method used.
G. All computer systems receiving, processing, storing or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls.
All security features must be available and activated to protect against unauthorized use of and access to FTI.
1 The language of this Addendum is derived from IRS Publication 1075, Tax Information Security Guidelines For Federal, State and Local Agencies, Exhibit 7 – Safeguarding Contract Language, “Contract Language for Technology Services.” This Addendum is not exhaustive of all requirements contained in Publication 1075. By agreeing to this Addendum, Contractor agrees to comply with all applicable requirements in Publication 1075 or described on the website of the IRS Safeguards Program, located at www.irs.gov/privacy-disclosure/safeguards-program.
H. No work involving FTI furnished under this Contract will be subcontracted without prior written approval of the State, by and through the contracting agency and the Office of Information Technology, and the IRS.2
I. The Contractor will maintain a list of employees’ authorized access. Such list will be provided to the State and, upon request, to the IRS reviewing office.
J. The Contractor will not use live FTI in a test environment or utilize a cloud computing model that receives, processes, stores, or transmits FTI without express written authorization from the State.3
K. The Contractor will maintain the confidentiality of all taxpayer information provided by the State or learned in the course of Contractor’s duties under this Contract in accordance with safeguards set forth under Colorado Revised Statutes § 39-21-113(4), as amended.
L. The Contractor agrees to comply with the following additional requirements in performance of this Contract: None
M. The State will have the right to void the Contract if the Contractor fails to provide the safeguards described above.
2. CRIMINAL/CIVIL SANCTIONS
A.
Each officer or employee of any person4 to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.
B. Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Contract. Inspection by or disclosure to anyone without an official need to know constitutes a criminal
2 see IRS Publication 1075, Exhibit 6 – Contractor 45-Day Notification Procedures.
3 see IRS Publication 1075, Section 9 and https://www.irs.gov/privacy-disclosure/use-of-live-fti-in-system-testing.
4 The term “person” is used in this Section 2 as it is used in Title 26 of the United States Code and related regulations.
The term “person” means a person or entity, including “an individual, a trust, estate, partnership, association, company or corporation.” 26 U.S.C. § 7701(a)(1).
misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431 and set forth at 26 CFR 301.6103(n)-1.
C. Additionally, Contractor shall inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to Contractor by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a Contractor, who by virtue of his/her employment or official position, has possession of or access to State records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
D. Granting a Contractor access to FTI must be preceded by certifying that each individual understands the State’s security policy and procedures for safeguarding FTI. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the State’s files for review. As part of the certification and at least annually afterwards, Contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches.5 For both the initial certification and the annual certification, the Contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements.
3. INSPECTION
The IRS and the State, with 24-hour notice, shall have the right to send its inspectors into the offices and plants of the Contractor to inspect facilities and operations performing any work with FTI under this Contract for compliance with requirements defined in IRS Publication 1075.
The IRS’s right of inspection shall include the use of manual and/or automated scanning tools to perform compliance and vulnerability assessments of information technology (IT) assets that access, store, process, or transmit FTI. On the basis of such inspection, corrective actions may be required in cases where the Contractor is found to be noncompliant with Contract safeguards.
5 see IRS Publication 1075, Section 10 or www.irs.gov/privacy-disclosure/reporting-improper-inspections-or-disclosures.

PARTICIPATING ADDENDUM EXHIBIT F, INFORMATION TECHNOLOGY PROVISIONS
This Exhibit regarding Information Technology Provisions (the “Exhibit”) is an essential part of the agreement between the State and Contractor as described in the Contract to which this Exhibit is attached. Unless the context clearly requires a distinction between the Contract and this Exhibit, all references to “Contract” shall include this Exhibit.
1. PROTECTION OF SYSTEM DATA
A. In addition to the requirements of the main body of this Contract, if Contractor or any Subcontractor is given access to State Information Technology resources or State Records by the State or its agents in connection with Contractor’s performance under the Contract, Contractor shall protect such Information Technology resources and State Records in accordance with this Exhibit. All provisions of this Exhibit that refer to Contractor shall apply equally to any Subcontractor performing work in connection with the Contract.
B. The terms of this Exhibit shall apply to the extent that Contractor’s obligations under this Contract include the provision of Information Technology goods or services to the State. Information Technology is computer-based equipment and related services designed for the storage, manipulation, and retrieval of data, and includes, without limitation: i.
Any technology, equipment, or related services described in §24-37.5-102(2), C.R.S.;
ii. The creation, use, processing, disclosure, transmission, or disposal of State Records, including any data or code, in electronic form; and
iii. Other existing or emerging technology, equipment, or related services that may require knowledge and expertise in Information Technology.
C. Contractor shall, and shall cause its Subcontractors to meet all of the following:
i. Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Contract.
ii. Maintain network, system, and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or enhancements consistent with evolving industry standards.
iii. Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing.
iv. Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments.
v. Promptly report all Incidents, including Incidents that do not result in unauthorized disclosure or loss of data integrity, to a designated representative of the State’s Office of Information Security (“OIS”).
vi. Comply with all rules, policies, procedures, and standards issued by the Governor’s Office of Information Technology (“OIT”), including change management, project lifecycle methodology and governance, technical standards, documentation, and other requirements posted at www.oit.state.co.us/about/policies.
D.
Subject to Contractor’s reasonable access security requirements and upon reasonable prior notice, Contractor shall provide the State with scheduled access for the purpose of inspecting and monitoring access and use of State Records, maintaining State systems, and evaluating physical and logical security control effectiveness.
E. Contractor shall perform current background checks in a form reasonably acceptable to the State on all of its respective employees and agents performing services or having access to State Records provided under this Contract, including any Subcontractors or the employees of Subcontractors. A background check performed within 30 days prior to the date such employee or agent begins performance or obtains access to State Records shall be deemed to be current.
i. Upon request, Contractor shall provide notice to a designated representative for the State indicating that background checks have been performed. Such notice will inform the State of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check.
ii. If Contractor will have access to Federal Tax Information under the Contract, Contractor shall agree to the State’s requirements regarding Safeguarding Requirements for Federal Tax Information and shall comply with the background check requirements defined in IRS Publication 1075 and §24-50-1002, C.R.S.
2. DATA HANDLING
A. Contractor may not maintain or forward these State Records to or from any other facility or location, except for the authorized and approved purposes of backup and disaster recovery purposes, without the prior written consent of the State.
Contractor may not maintain State Records in any data center or other storage location outside the United States for any purpose without the prior express written consent of OIS.
B. Contractor shall not allow remote access to State Records from outside the United States, including access by Contractor’s employees or agents, without the prior express written consent of OIS. Contractor shall communicate any request regarding non-U.S. access to State Records to the Security and Compliance Representative for the State. The State shall have sole discretion to grant or deny any such request.
C. Upon request by the State made any time prior to 60 days following the termination of this Contract for any reason, whether or not the Contract is expiring or terminating, Contractor shall make available to the State a complete download file of all State data.
i. This download file shall be made available to the State within 10 Business Days of the State’s request, shall be encrypted and appropriately authenticated, and shall contain, without limitation, all State Records, Work Product, and system schema and transformation definitions, or delimited text files with documents, detailed schema definitions along with attachments in its native format.
ii. Upon the termination of Contractor’s provision of data processing services, Contractor shall, as directed by the State, return all State Records provided by the State to Contractor, and the copies thereof, to the State or destroy all such State Records and certify to the State that it has done so.
If any legal obligation imposed upon Contractor prevents it from returning or destroying all or part of the State Records provided by the State to Contractor, Contractor shall guarantee the confidentiality of all State Records provided by the State to Contractor and will not actively process such data anymore. Contractor shall not interrupt or obstruct the State’s ability to access and retrieve State Records stored by Contractor.
D. The State retains the right to use the established operational services to access and retrieve State Records stored on Contractor’s infrastructure at its sole discretion and at any time. Upon request of the State or of the supervisory authority, Contractor shall submit its data processing facilities for an audit of the measures referred to in this Exhibit in accordance with the terms of this Contract.
3. DELIVERY AND ACCEPTANCE
A. Contractor shall provide and maintain a quality assurance system acceptable to the State for any Work or Deliverables under this Contract and shall provide to the State only such Work or Deliverables that have been inspected and found to conform to the specifications identified in this Contract and any applicable solicitation, bid, offer, or proposal from which this Contract results.
B. Contractor’s delivery of any Work or Deliverables to the State shall constitute certification that such Work or Deliverable has been determined to conform to the applicable specifications, and Contractor shall make records of such quality assurance available to the State upon request during the term of the Contract or at any time within three years following expiration or termination of the Contract.
C.
For any Work or Deliverables other than the purchase or license of commercially available goods or software, acceptance of the Work or Deliverable shall require affirmative written communication from the State to the Contractor that such Work or Deliverable has been accepted by the State. Such communication shall be provided within a reasonable time period from the delivery of the Work or Deliverable and shall not be unreasonably delayed or withheld. Acceptance by the State shall be final, except in cases of Contractor’s failure to conduct proper quality assurance, latent defects that could not reasonably have been detected upon delivery, or Contractor’s gross negligence or willful misconduct.
4. WARRANTY
A. Notwithstanding the acceptance of any Work or Deliverable, or the payment of any invoice for such Work or Deliverable, Contractor warrants that any Work or Deliverable provided by Contractor under this Contract shall be free from material defects and shall function in material accordance with the applicable specifications. Contractor warrants that any Work or Deliverable shall be, at the time of delivery, free from any harmful or malicious code, including without limitation viruses, malware, spyware, ransomware, or other similar function designed to interfere with or damage the normal operation of Information Technology resources. Contractor’s warranties under this section shall apply to any defects or material nonconformities discovered within 180 days following delivery of any Work or Deliverable.
B.
Upon notice during the warranty term of any defect or material nonconformity, Contractor shall submit to the State in writing within 10 business days of the notice one or more recommendations for corrective action with sufficient documentation for the State to ascertain the feasibility, risks, and impacts of each recommendation. The State’s remedy for such defect or material non-conformity shall be:
i. Contractor shall re-perform, repair, or replace such Work or Deliverable in accordance with any recommendation chosen by the State. Contractor shall deliver, at no additional cost to the State, all documentation required under the Contract as applicable to the corrected Work or Deliverable; or
ii. Contractor shall refund to the State all amounts paid for such Work or Deliverable, as well as pay to the State any additional amounts reasonably necessary for the State to procure alternative goods or services of substantially equivalent capability, function, and performance.
C. Any Work or Deliverable delivered to the State as a remedy under this section shall be subject to the same quality assurance, acceptance, and warranty requirements as the original Work or Deliverable. The duration of the warranty for any replacement or corrected Work or Deliverable shall run from the date of the corrected or replacement Work or Deliverable.
5. COMPLIANCE
A. In addition to the compliance obligations imposed by the main body of the Contract, Contractor shall comply with:
i. All Colorado Office of Information Security (OIS) policies and procedures which OIS has issued pursuant to §§24-37.5-401 through 406, C.R.S. and 8 CCR §1501-5 and posted at http://oit.state.co.us/ois
ii.
All information security and privacy obligations imposed by any federal, state, or local statute or regulation, or by any specifically incorporated industry standards or guidelines, as applicable based on the classification of the data relevant to Contractor’s performance under the Contract. Such obligations may arise from:
a. Health Information Portability and Accountability Act (HIPAA)
b. IRS Publication 1075
c. Payment Card Industry Data Security Standard (PCI-DSS)
d. FBI Criminal Justice Information Service Security Addendum
e. CMS Minimum Acceptable Risk Standards for Exchanges
f. Electronic Information Exchange Security Requirements and Procedures For State and Local Agencies Exchanging Electronic Information With The Social Security Administration
iii. Contractor shall comply with and adhere to Section 508 of the U.S. Rehabilitation Act of 1973, as amended, and §§24-85-101, et seq., C.R.S. Contractor shall comply with all State of Colorado technology standards related to technology accessibility and with Level AA of the most current version of the Web Content Accessibility Guidelines (WCAG), incorporated in the State of Colorado technology standards and available at https://www.w3.org/TR/WCAG21/.
B. Contractor shall implement and maintain all appropriate administrative, physical, technical, and procedural safeguards necessary and appropriate to ensure compliance with the standards and guidelines applicable to Contractor’s performance under the Contract.
C. Contractor shall allow the State reasonable access and shall provide the State with information reasonably required to assess Contractor’s compliance. Such access and information shall include:
i. An annual SOC2 Type II audit including, at a minimum, the Trust Principles of Security, Confidentiality, and Availability, or an alternative audit recommended by OIS; or
ii. The performance of security audit and penetration tests, as requested by OIS.
D.
To the extent Contractor controls or maintains information systems used in connection with State Records, Contractor will provide OIS with the results of all security assessment activities when conducted on such information systems, including any code-level vulnerability scans, application level risk assessments, and other security assessment activities as required by this Contract or reasonably requested by OIS. Contractor will make reasonable efforts to remediate any vulnerabilities or will request a security exception from the State. The State will work with Contractor and OIS to prepare any requests for exceptions from the security requirements described in this Contract and its Exhibits, including mitigating controls and other factors, and OIS will consider such requests in accordance with their policies and procedures referenced herein.
6. TRANSITION OF SERVICES
Upon request by the State prior to expiration or earlier termination of this Contract or any Services provided in this Contract, Contractor shall provide reasonable and necessary assistance to accomplish a complete transition of the Services from Contractor to the State or any replacement provider designated solely by the State without any interruption of or adverse impact on the Services. Contractor shall cooperate fully with the State or any successor provider and shall promptly take all steps required to assist in effecting a complete transition of the Services designated by the State. All services related to such transition shall be performed at no additional cost beyond what would be paid for the Services in this Contract.
7. LICENSE OR USE AUDIT RIGHTS
A.
To the extent that Contractor, through this Contract or otherwise as related to the subject matter of this Contract, has granted to the State any license or otherwise limited permission to use any Contractor Property, the terms of this section shall apply.
B. Contractor shall have the right, at any time during and throughout the Contract Term, but not more than once per Fiscal Year, to request via written notice in accordance with the notice provisions of the Contract that the State audit its use of and certify as to its compliance with any applicable license or use restrictions and limitations contained in this Contract (an “Audit Request”). The Audit Request shall specify the time period to be covered by the audit, which shall not include any time periods covered by a previous audit. The State shall complete the audit and provide certification of its compliance to Contractor (“Audit Certification”) within 120 days following the State’s receipt of the Audit Request.
C. If upon receipt of the State’s Audit Certification, the Parties reasonably determine that: (i) the State’s use of licenses, use of software, use of programs, or any other use during the audit period exceeded the use restrictions and limitations contained in this Contract (“Overuse”) and (ii) the State would have been or is then required to purchase additional maintenance and/or services (“Maintenance”), Contractor shall provide written notice to the State in accordance with the notice provisions of the Contract identifying any Overuse or required Maintenance and request that the State bring its use into compliance with such use restrictions and limitations.

ProgramSignForm(MSSign)(NA,LatAm)ExBRA,MLI(ENG)(May2020) Document X20-12883
Program Signature Form
MBA/MBSA number Agreement number 01E73376
Note: Enter the applicable active numbers associated with the documents below. Microsoft requires the associated active number be indicated here, or listed below as new.
For the purposes of this form, “Customer” can mean the signing entity, Enrolled Affiliate, Government Partner, Institution, or other party entering into a volume licensing program agreement.
This signature form and all contract documents identified in the table below are entered into between the Customer and the Microsoft Affiliate signing, as of the effective date identified below.
Contract Document | Number or Code
Online Services Extended Term Option Form | X20-14395
By signing below, Customer and the Microsoft Affiliate agree that both parties (1) have received, read and understand the above contract documents, including any websites or documents incorporated by reference and any amendments and (2) agree to be bound by the terms of all such documents.
Customer
Name of Entity (must be legal entity name)* City of Wheat Ridge, CO
Signature* Printed First and Last Name* Printed Title Signature Date* Tax ID
*indicates required field
Bud Starker City of Wheat Ridge, CO Mayor 10/02/2023 09803515
Microsoft Affiliate
Microsoft Corporation
Signature Printed First and Last Name Printed Title Signature Date (date Microsoft Affiliate countersigns) Agreement Effective Date (may be different than Microsoft’s signature date)
Optional 2nd Customer signature or Outsourcer signature (if applicable)
Customer
Name of Entity (must be legal entity name)* Signature* Printed First and Last Name* Printed Title Signature Date*
*indicates required field
Outsourcer
Name of Entity (must be legal entity name)* Signature* Printed First and Last Name* Printed Title Signature Date*
*indicates required field
If Customer requires additional contacts or is reporting multiple previous Enrollments, include the appropriate form(s) with this signature form.
After this signature form is signed by the Customer, send it and the Contract Documents to Customer’s channel partner or Microsoft account manager, who must submit them to the following address. When the signature form is fully executed by Microsoft, Customer will receive a confirmation copy.
Microsoft Corporation Dept. 551, Volume Licensing 6880 Sierra Center Parkway Reno, Nevada 89511 USA

OnlineServices(ExtendedTermForm)(WW)(ENG)(Nov2020) Document X20-14395
Online Services Extended Term Option Form
Enrollment Number Reseller or Software Advisor to complete 51618432
Please return this form to the Microsoft Affiliate identified on the signature form.
To be valid, this form must be attached to a signature form and received by Microsoft at least 30 days prior to the expiration of the Enrollment.
For the purposes of this form, “Entity” means the signing entity, Customer, Enrolled Affiliate, Integrator, Institution, or other party entering into a volume licensing program agreement.
Eligible Online Services may be found in the Product Terms.
Choosing an Extended Term: Entity may choose to have an Extended Term (“Opt In”) or not (“Opt Out”) for current and future purchases of Online Services identified as eligible for the Extended Term in the Product Terms by providing information in the table below. Upon renewal of the Enrollment, the Extended Term option will be reset to default settings for the renewal term. If selecting “All current and future eligible Online Services”, Entity agrees that the Extended Term Option will change for all current and future purchases of eligible Online Services during the Enrollment term. Entity cannot Opt In to dependent Online Services without Opting In to the parent Online Service.
For Multi-tenant scenario: When entering the enrollment in the Enrollment Number box above, selections in this form will apply to Lead enrollment and all Tenant enrollments by default.
Check box if selection applies to Lead Enrollment only
When entering a Tenant enrollment in the Enrollment Number box above, selections will apply to Tenant enrollment only (even if check box above is ticked)
OLS Description | Select Extended Term Option
All current and future eligible Online Services, except for Azure Services | Opt Out
Reseller or Software Advisor acknowledgement:
Name of Reseller/Software Advisor Insight Direct USA, Inc.
Printed Name Valerie Saunders
Printed Title Software Contracts Specialist
Date 9-26-23
Reseller/Software Advisor Signature
10/02/2023

City of Wheat Ridge, CO
Quotation: 0623-City of Wheat Ridge1-MSEA-KJE
Agreement Start Date: Date: August 8, 2023 Agreement End Date:
Enrollment: 51618432 Contract: CTR060025 / 1782665
Part Number | Item Name | Level | Purchase Period | Pool | Product Type | Quantity | Unit Price | Extended Price
Additional Products
359-00792 | SQL CAL ALng SA Device CAL | D | Added at Signing | Servers | Software Assurance | 40 | 37.69$ | 1,507.60$
228-04433 | SQL Server Standard ALng SA | D | Added at Signing | Servers | Software Assurance | 2 | 162.11$ | 324.22$
9EA-00278 | Win Server DC Core ALng SA 2L | D | Added at Signing | Servers | Software Assurance | 130 | 126.37$ | 16,428.10$
9EM-00270 | Win Server Standard Core ALng SA 2L | D | Added at Signing | Servers | Software Assurance | 28 | 19.39$ | 542.92$
Annual Total: 18,802.84$
Three Year Total: 56,408.52$
**See Monthly Subscriptions on the next tab
1 Year Grand Total w/ Monthly Subscription: 163,115.02$
3 Year Grand Total w/ Monthly Subscription: 489,345.06$
Microsoft Enterprise Agreement
True-up Guide 10/01/202309/30/2026 Confidential.EA At Signing Thank you for the opportunity to quote. DocuSign Envelope ID: 06B86F5F-AFE2-4528-95F7-2C70CDC55A12 Agreement DetailAgreement SummaryAgreement Number 51618432 Program Enterprise 6Master Agreement Number 01E73376 Updated EA YesAgreement Type Standard Enrollment National Cloud NoBusiness Agreement Number Unknown License Agreement Type GovernmentPrimary Customer Name City of Wheat Ridge, CO (B711A54F)Agreement Status ActiveAgreement Start Date 10/01/2020 Price List Country United StatesAgreement End Date 09/30/2023 Price List Currency US DollarRenewal End Date 09/30/2026 MS Account Manager Unknown Licenses (20 rows)Item Name Pool Product Family Version Language Auto-Renew Default Product Type Usage Country Quantity Ordered Purchase Order TypeAzureprepaymentG ShrdSvr ALNG SubsVL MVL Commit Provision Servers Azure Monetary CommitmentG Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 1.00 New OrderAzureprepaymentG ShrdSvr ALNG SubsVL MVL Commit Provision Servers Azure Monetary CommitmentG Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 1.00 True UpExchange Server Ent ALng SA Servers Exchange Server Enterprise Non-specific All Languages Software Assurance United States 1.00 Basic Enterprise CommitmentM365 G3 Unified FSA GCC Sub Per User Servers M365 G3 Unified FSA GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 415.00 Basic Enterprise CommitmentM365 G3 Unified FUSL GCC Sub Per User Servers M365 G3 Unified FUSL GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 13.00 Basic Enterprise CommitmentPower Automate Premium GCC Sub Per User Servers Power Automate Premium GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 1.00 New OrderPower Automate Premium GCC Sub Per User Servers Power Automate 
Premium GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 0.00 True UpPower BI Pro GCC Sub Per User Servers Power BI Pro GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 5.00 Basic Enterprise CommitmentPower BI Pro GCC Sub Per User Servers Power BI Pro GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 2.00 True UpProject P3 CAO GCC Sub Add-on Project Pro Servers Project P3 CAO GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 5.00 New OrderProject Professional ALng SA 1 Server CAL Applications Project Professional Non-specific All Languages Software Assurance United States 5.00 Basic Enterprise CommitmentSQL CAL ALng SA Device CAL Servers SQL CAL Non-specific All Languages Software Assurance United States 40.00 Basic Enterprise CommitmentSQL Server Standard ALng SA Servers SQL Server Standard Non-specific All Languages Software Assurance United States 2.00 Basic Enterprise CommitmentTeams AC with Dial Out US/CA GCC Sub Add-on Servers Teams AC with Dial Out US/CA GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 428.00 New OrderVisio P2 AO GCC Sub Add-on to Visio Pro Applications Visio P2 AO GCC Non-specific All Languages Non Auto-Renew Monthly Subscriptions-VolumeLicense United States 10.00 New OrderVisio Professional ALng LSA Applications Visio Professional Non-specific All Languages License/Software Assurance Pack United States 1.00 Basic Enterprise CommitmentVisio Professional ALng SA Applications Visio Professional Non-specific All Languages Software Assurance United States 9.00 Basic Enterprise CommitmentWin Server DC Core ALng SA 2L Servers Win Server Datacenter Core Non-specific All Languages Software Assurance United States 104.00 Basic Enterprise CommitmentWin Server DC Core ALng SASU 2L Win Server Std Servers Win Server 
Datacenter Core Non-specific All Languages SA Step Up United States 26.00 New OrderWin Server Standard Core ALng SA 2L Servers Win Server Standard Core Non-specific All Languages Software Assurance United States 250.00 Basic Enterprise Commitment DocuSign Envelope ID: 06B86F5F-AFE2-4528-95F7-2C70CDC55A12