Laserfiche WebLink
REV: 06-24-22 RL <br />contractors have access to the City’s network or City Data while providing Services will <br />be secured using a virtual private network or similar protocol. City Data that is stored by <br />Provider will only be stored on servers, which are located in the United States of America. <br />Provider shall not allow its personnel or contractors to store City Data on portable devices, <br />including personal computers, except for devices that are used and kept only at its U.S. <br />data centers. Provider shall permit its personnel and contractors to access City Data <br />remotely only as required to provide the Services or to provide technical support. <br />c. Provider shall inform the City of any Security Incident or Data Breach in accordance with <br />the following protocols: <br />(i) Provider may need to communicate with outside parties regarding a Security <br />Incident, which may include contacting law enforcement, fielding media inquiries <br />and seeking external expertise as mutually agreed upon, defined by law or <br />contained in this Agreement. Discussing Security Incidents with the City should <br />be handled on an urgent as-needed basis, as part of Provider communication and <br />mitigation processes as mutually agreed upon, defined by law or contained in this <br />Agreement. <br />(ii) Provider shall report a Security Incident to the appropriate City Identified Contact <br />immediately. <br />(iii) If Provider has actual knowledge of a confirmed Data Breach that affects the <br />security of any City Data, Provider shall (1) promptly notify the appropriate City <br />Identified Contact within 24 hours or sooner, unless shorter time is required by <br />applicable law, and (2) take commercially reasonable measures to address the Data <br />Breach in a timely manner. <br />(iv) Provider shall (1) cooperate with the City as reasonably requested by the City to <br />investigate and resolve the Data Breach, (2) promptly implement necessary <br />remedial measures, if necessary, and (3) document responsive actions taken related <br />to the Data Breach, including any post-incident review of events and actions taken <br />to make changes in business practices in providing the Services, if necessary. <br />(v) Unless otherwise stipulated, if a Data Breach is a direct result of Provider’s breach <br />of its contractual obligation to secure City Data in accordance with this Agreement <br />and the Security Policy or otherwise prevent its release, Provider shall bear the <br />costs associated with (1) the investigation and resolution of the Data Breach; (2) <br />notifications to individuals, regulators or others required by state law; (3) a credit <br />monitoring service required by state (or federal) law; (4) a website or a toll-free <br />number and call center for affected individuals required by state law — all not to <br />exceed the average per record per person cost calculated for data breaches in the <br />United States (currently $225 per record/person) in the most recent Cost of Data <br />Breach Study: Global Analysis published by the Ponemon Institute at the time of <br />the Data Breach; and (5) complete all corrective actions as reasonably determined <br />by Provider based on root cause. <br />11. Service Level Requirements. <br />a. Upon completion of the Implementation Services, the City will test the hosted environment <br />to ensure processing in accord with the requirements below, and, based on this testing, <br />Provider will use reasonable efforts to configure and optimize the hosted environment that <br />is used by the services in the event that the City notifies Provider (to include providing <br />Provider with documented testing results) that the testing demonstrates processing not in <br />ATTY/AGR.2022.156/Granicus (Online agenda and meeting hosting and indexing) (Page 5 of 32)