
Commonwealth of Massachusetts – Request for Information

Issued by the Executive Office for Administration and Finance - Massachusetts Office of Information Technology

November 19, 2015

RFI 16-31 End User Computing Services

Respondents to this Request for Information (RFI) are invited to respond to any or all of the questions in this document. Responses to this RFI shall serve solely to assist the Commonwealth in understanding the current state of the marketplace with regards to the solicited information or to inform the development of a possible solicitation for a Request for Responses (RFR) or Request for Quotes (RFQ) in the future. This RFI does not in any way obligate the Commonwealth to issue or amend a solicitation or to include any of the RFI provisions or responses in any solicitation. Responding to this RFI is entirely voluntary, and will in no way affect the Commonwealth’s consideration of any proposal submitted in response to any subsequent solicitation, nor will it serve as an advantage or disadvantage to the respondent in the course of any RFR or RFQ that may be subsequently issued or amended.

1. Introduction

The purpose of this RFI is to elicit the advice and best analysis of knowledgeable persons in the vendor community to enable the Massachusetts Office of Information Technology (MassIT) to craft a potential future solicitation for Massachusetts End-User Computing (EUC) Services. Responses to this RFI should include information that will be useful to MassIT in subsequently drafting more detailed procurement solicitation(s) related to Massachusetts EUC Services. For purposes of this RFI, the terms “End-User Computing” and “EUC” are used in their broadest sense, to encompass the full spectrum from traditional desktops through various forms of cloud-based Desktop-as-a-Service (DaaS)1, Software-as-a-Service (SaaS), application and desktop virtualization, as well as combinations or hybrids. MassIT looks forward to exploring the benefits and risks of different EUC models as a result of this RFI.

2. Agency

The Massachusetts Office of Information Technology is responsible for overseeing information technology investments for the Commonwealth of Massachusetts. MassIT provides the processing and application programming services for many Commonwealth entities using some of the most advanced hardware and software available today.

The MassIT Operations Group, acting on behalf of the Office of the Commonwealth Chief Information Officer, is contemplating the release of one or more procurements for Commonwealth of Massachusetts EUC services. This RFI specifically seeks information on products and/or services that will enable the Commonwealth of Massachusetts to contract with one or more vendors for the design and delivery of End-User Computing services for one or more Secretariats within the Executive Branch of the Commonwealth. Currently, such services are primarily provided by either MassIT or the IT organizations within each Secretariat.

1 “Desktop-as-a-Service” (DaaS) means the capability provided to the consumer to provision processing, storage, networks and other fundamental computing resources for virtual desktops where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed application; and possibly limited control of select networking components (e.g., host firewalls).

3. Purpose of RFI

The purpose of the EUC Services Strategy project is to ensure that the Commonwealth is using the most cost effective, efficient, flexible, secure and transparent end-user computing services for the Commonwealth. This RFI solicitation seeks responses from vendors who can offer information about alternatives to MassIT’s current end-user computing services model. It also seeks advice on what information such vendors would need to see in a Request for Responses for the End-User Computing services (an “EUC Services RFR”) in order to ensure that responding bidders could submit a comprehensive bid.

End-user computing is a broad category with a wide range of products, solutions, services and technologies. As a result, we recognize that not every question is relevant for all responders. We are looking for insight from responders with a wide range of knowledge and expertise in the End-User Computing space to help the Commonwealth arrive at the best future EUC strategy and procurement approach.

4. Information Solicited

Background

The Commonwealth currently has approximately 90,000 frequent, regular end users and an unknown number of sporadic or irregular end users. Regular users are provided with a traditional desktop or laptop, with hardware and software customized according to their organization, job function and individual requirements. The hardware is acquired and refreshed on a 3 year lease cycle. Select users can be provided secure external access to the internal network using VPN. In some cases, regular users are allowed to connect their own computing devices, including personal computers, tablets and smart phones, to a “dirty LAN” to access e-mail and web-based applications as well as accessing a subset of web-based applications and e-mail via the WAN. Irregular users are also provided access to e-mail and select other web-based applications and are required to provide their own computing devices to conduct their work. Use cases for end users range from requirements for using a productivity suite and e-mail and web-based applications to traditional computing (e.g. laptop or physical desktop) for heavy computer use, such as graphics-intensive or latency-intolerant applications.

A new EUC strategy must include the flexibility to meet diverse end-user requirements, address varied and sometimes strict security requirements, and provide the ability to reduce the high capital and operational costs inherent in a traditional end-user computing model. The new strategy must also be capable of flexing to accommodate the expansion and contraction of irregular users and adaptable to future directions such as Bring Your Own Device (BYOD) and Bring Your Own PC (BYOPC).

Please answer any or all of the questions that follow, keeping in mind that only some of the questions or information requested may be applicable to your product and service portfolio.

A) Introductory Questions

1. What kind of information does MassIT need to include in an RFR in order to enable EUC vendors to provide a suitable response?

2. In your view, how has End-User Computing changed in the last 3-5 years? How do you see it changing in the next 5 years and how is that reflected in the direction your organization takes toward End-User Computing for you and your customers?

3. What are the biggest challenges you foresee as a result of the recent and future changes in End-User Computing?

B) Applicable Capabilities, Services and Experience

1. Regarding relevant capabilities, services, solutions and experience:

a. What is the extent of your experience delivering EUC services, solutions or products to federal, state and local government customers?

b. Describe the largest environment you have designed, delivered and/or supported in the government segment.

c. Do you offer cloud-based EUC services such as Desktop-as-a-Service? (please describe in detail, including whether it is a private, multi-tenant, or government multi-tenant cloud and what EUC services are included)

d. Please provide at least two detailed examples of solutions provided to particular federal, state or local customers (with or without identification of the customer).

2. What are typical criteria used by customers to determine and measure the success of transitioning to a new EUC model? What are typical success criteria from the end-user perspective?

3. Describe any services or solutions you use to provide secure, integrated file storage and sharing for end users and customer organizations.

4. Describe the capabilities and methods you recommend or use for backup, restore and disaster recovery of EUC data, services and solutions.

C) Solution Architecture and Service Delivery Model Options

1. What EUC platforms and technologies do you design, implement and support? Please categorize as follows:

a. Traditional desktop model (image deployment, image management)

b. Desktop virtualization (DaaS, on-premises, hybrid)

c. Application virtualization/delivery

d. User Environment Management

e. Content Collaboration

f. PaaS/SaaS

2. Does your portfolio include a method for providing a secure desktop across multiple platforms without requiring a constant network connection? If so, please describe.

3. Does your portfolio include a means for backing up and securing user data on traditional and hosted desktops as well as laptops which may not always be connected to the internal network? If so, please describe.

4. If your portfolio includes an application virtualization/delivery solution, does it provide the following? Please elaborate.

a. Application delivery to both virtual and physical desktops

b. Application delivery without the user being required to log into a desktop or terminal server

c. User installed/provisioned applications

d. Streaming delivery

e. Delivery of multiple versions of a single application

f. Packaging and delivery of an application that has underlying requirements (e.g. application + Java)

g. Integration with User Environment Management capability allowing user customization of a delivered application

h. Secure sharing of files between individuals and groups of users

5. Given your current understanding of the Commonwealth’s requirements, user diversity, demand patterns and security concerns, what solution or combination of solutions in your service portfolio would you recommend as best suited and most cost-effective?

6. Where typically do you establish the solution and responsibility boundaries between infrastructure, application and user tiers, and what is your advice for maintaining a clear delineation between service providers at each level of the stack while delivering seamless end-to-end service to the customer?

7. What restrictions do you have on the type or number of end-user applications, desktops or OS’s you can host and support?

8. If the Commonwealth decides to adopt a hybrid solution that includes both cloud/hosted and on-premises components, possibly supplied by different service providers,

a. How are you equipped to support such a hybrid arrangement?

b. Are you able to provide support for both hosted/cloud and on-premises EUC solutions?

c. In particular, how would you handle data management in a cross-provider coordinated manner?

d. What are the greatest concerns and risks of such an arrangement, and what measures would you recommend in order to mitigate their effect?

9. How does any recommended service or solution provide for disaster recovery and high availability?

10. How is backup and recovery of end-user data provided as part of the recommended solutions?

11. How do your EUC solutions provide for preservation and archiving of data and information necessary to comply with regulatory and/or legal requirements?

12. If you were to recommend a cloud-based service as part of the solution, how easy is it to change providers at the end of a term? Please describe a typical process for transitioning from one provider to another.

13. For a completely integrated EUC solution (Cloud, On-Premises, and traditional EUC components), how easy is it to change providers at the end of a term? Please describe a typical process for transitioning from one provider to another.

D) Performance and SLAs

1. Describe the industry-standard SLAs, if any, that are relevant to hosted or cloud-based service offerings for end-user computing.

2. For your standard SLAs:

a. What target service levels are associated with your service offerings?

b. Do you provide differentiated service levels (i.e., “gold/silver/bronze”)?

3. In what ways would you as the cloud/hosting or on-premises provider be prepared to collaborate with other service providers responsible for components of an overall EUC solution (e.g., application-layer provider, other infrastructure/connectivity providers) to support end-to-end “outcome-based” SLAs (i.e., as experienced by the end user), such as for availability/uptime and incident response and resolution times? Can you provide an example of how you have dealt with this requirement in the past?

4. When implementing EUC services for a customer that is transitioning from a traditional model, describe areas where the biggest performance and cost improvements are seen.

a. Are there any areas where some costs increase over traditional EUC strategy? If so, how and where are these offset by decreases in cost or performance improvements in other areas?

b. Please describe how you are able to quantify performance improvements to justify possible increases in costs (e.g., hardware costs increase 2x, but are offset by a 3x decrease in support costs and 25% decrease in time to resolve an incident).

E) Operational Support

1. For any hosted or cloud-provided components of a solution provided to the Commonwealth, what type of access would you be prepared to provide to the Commonwealth for purposes of:

a. Performance/utilization monitoring?

b. SLA compliance monitoring?

c. Log and log analytics?

d. Capacity management?

e. Resource/capacity provisioning?

f. Incident response ticketing and problem management?

g. Change management ticketing?

2. What ticketing system do you currently employ?

3. Describe your approach and experience integrating your ticketing system and processes with those of the customer and/or additional service providers (e.g., the User Operations and Maintenance Services (UOMS) provider) to enable a seamless unified support experience from the user and administrators’ perspective.

4. What additional toolsets do you use or recommend to manage your hosting services and underlying infrastructure?

5. Describe your IT Service Management (ITSM) process and capability framework, as well as your level of compliance with standards such as ITIL, and the overall process maturity and level of automation.

6. In what ways can you support customers wanting to periodically evaluate capacity utilization and assist them with balancing and cost-optimizing both their cloud/hosting and on-premises configuration?

7. Considering the significant change in technologies, products and services that could be used to deliver EUC for the Commonwealth in the future, what do you see as the most significant impacts the changes will have on the support organizations and functions?

a. What are the most significant risks inherent in these changes?

b. What recommendations would you make to minimize the disruptive effect these changes might have?

8. Considering the significant change in technologies, products and services that could be used to deliver EUC for the Commonwealth in the future, what do you see as the most significant impacts the changes will have on end users?

a. What are the most significant risks inherent in these changes?

b. What recommendations would you make to minimize the disruptive effect these changes might have?

F) Service Consumption Models and Pricing

1. What EUC hosting service/resource consumption models do you offer? For each model, please answer the following:

a. What discrete service parameters and/or resource components go into determining the cost of hosting services?

b. Are these elements priced separately or bundled into aggregate consumption units for pricing purposes? If the latter, please describe how the aggregate units are derived from their constituent elements.

c. What specific factors affect the price of a desktop or hosted application?

2. Given your current understanding of the Commonwealth’s environment and requirements, which EUC service/consumption model(s) would you recommend as most suitable?

3. How do EUC solution(s) provide for chargeback to departments within a larger organization?

4. Describe models and methods for licensing of the hardware and software, including Operating System(s), for the EUC solution(s). How is customer owned software provided for in each model that you described?

5. What customer inputs do you require in order to arrive at an optimized EUC service configuration and price?

6. Please provide standard/list unit pricing for your EUC services (it is understood that this information in no way represents a formal bid or price commitment).

7. What special pricing, if any, is available to government customers?

8. Are you on GSA IT Schedule 70? If so, which services relevant to this inquiry do you offer on that schedule?

9. What refunds and/or charges may apply in the event of service termination, distinguishing between termination at contractual expiration date or prior to such date?

10. In what ways can you enable the customer to benefit from declining infrastructure unit cost trends during the course of a multi-year contract?

G) Solution Implementation and Transition from Current to New EUC Arrangement

1. A chosen service provider might be expected to provide some EUC services in place of those provided by MassIT and other Commonwealth IT organizations, which will continue to provide the on-premises and associated UOMS. What are the greatest challenges and risks that you foresee for the implementation and transition of a new EUC solution, and what measures would you propose to overcome them?

2. Please describe the methodology, standardized processes and tools that you use to facilitate a timely and risk-minimized customer systems and data transition into an on-premises or cloud-hosted solution.

3. Please describe similar projects that have been successfully completed and describe the critical success factors for such projects.

4. What types of specialist staff (SMEs) and what approximate level of involvement and time commitment would you need from the Commonwealth team to design and execute a transition to a new EUC environment?

5. What is the typical duration (pilot to production) for implementation and transition from a traditional EUC model to a new EUC model as delivered by your organization today? Please provide examples of the process, methodology and milestones where possible.

6. What are typical criteria for determining the success of the transition project?

7. Describe the types of training provided to end users. Is this provided prior to, during or after transition? Based on your experience, in what ways is such training critical to the overall success or failure of the EUC transition and delivery?

8. How is transition to the new EUC solution provided for remote users?

H) Security and Compliance

1. What industry or other certifications do you currently hold (e.g., SSAE 16, HIPAA, PCI, FedRAMP) and comply with, and to what technology tier or component(s) or location(s) do they apply? Are regular internal and/or external audits conducted, and for compliance with what standards?

2. Regarding audit requirements:

a. What type of access will you provide to a cloud-based or hosting customer for purposes of audit and compliance verifications?

b. Do you provide customers with access to audit data?

c. Will you allow the Commonwealth to conduct its own independent audits?

3. Commonwealth systems and applications accessed by end users may contain data that is legally required to remain in the United States, such as Federal Tax Information under IRS Publication 1075.

a. Are you able to guarantee that all systems and data hosted will reside in the continental United States for the duration of any contract?

b. How would you ensure that access to data is only provided to authorized service provider personnel (e.g., personnel who can access the data, including for the case of a follow-the-sun service arrangement, must reside and work in the United States, though citizenship is not a requirement)?

4. Describe privacy and security capabilities and service offerings relevant to this inquiry, including any specific privacy and security laws with which your solution complies. Please indicate whether any add-on services are required for compliance.

I) Other

1. Describe any third-party relationships or dependencies that would be relied upon for the solution described in response to this RFI.

2. Describe the nature of assistance you provide in the event of hosted or cloud-based EUC service termination, including data and server migration support, archiving, certifications, hardware transfer, etc.

3. Note whether your cloud-based EUC services, if any, are inconsistent with any of the requirements set forth in Exhibit A hereto, Commonwealth Cloud Procurement Terms.

5. General Instructions

Please note that this RFI is issued solely for the purpose of obtaining information. Nothing in this RFI shall be interpreted as a commitment on the part of MassIT to enter a contract with any respondent or to make any procurement.

a. This RFI has been posted on November 19, 2015.

b. Respondent Questions: Potential respondents who have questions regarding this RFI may make inquiries and request clarification concerning this RFI either by written questions submitted via e-mail or through the COMMBUYS Bid Q&A process described below.

c. Questions must be submitted or posted by 5:00 p.m. on November 30, 2015. MassIT reserves the right not to respond to questions submitted after this date. It is the Vendor’s responsibility to verify receipt of questions. Responses to inquiries and clarification questions will be provided electronically to all interested parties via a posting on COMMBUYS (the Commonwealth’s state-of-the-art electronic Market Center supporting online commerce between government purchasers and business; additional details below).

Posting questions via the Bid Q&A on COMMBUYS

The “Bid Q&A” provides the opportunity for potential respondents to ask written questions and receive written answers from the PMT regarding this RFI. If choosing this option, Vendors’ questions must be submitted through the Bid Q&A found on COMMBUYS (see below for instructions).

Locating Bid Q&A

Log into COMMBUYS, locate the RFI, acknowledge receipt of the RFI, and scroll down to the bottom of the Bid Header page. The “Bid Q&A” button allows Vendors access to the Bid Q&A page.

Vendors are responsible for entering content suitable for public viewing, since all of the questions are accessible to the public. Vendors must not include any information that could be considered personal, security sensitive, inflammatory, incorrect, collusory, or otherwise objectionable, including information about the Vendor’s company or other companies. The PMT reserves the right to edit or delete any submitted questions that raise any of these issues or that are not in the best interest of the Commonwealth or this information request.

All answers are final when posted. Any subsequent revisions to previously provided answers will be dated.

It is the responsibility of the prospective Vendor to maintain an active registration in COMMBUYS and to keep current the email address of the Vendor’s contact person and prospective contract manager, if awarded a contract, and to monitor that email inbox for communications from the Purchasing Department, including requests for clarification. The Purchasing Department and the Commonwealth assume no responsibility if a Vendor’s designated email address is not current, or if technical problems, including those with the Vendor’s computer, network or internet service provider (ISP) cause email communications sent to/from the Vendor and the Purchasing Department to be lost or rejected by any means including email or spam filtering.

d. Response Submission. All responses to this RFI are due no later than 3:00 p.m. on December 16, 2015. Respondents should submit their response through COMMBUYS. All responses must include on the first page the official name (if any) of the firm or entity submitting the response. Please consecutively number all pages of the response.

If Respondent has any issues with responding through COMMBUYS, it should contact the COMMBUYS Help Desk at [email protected] or call during normal business hours (8AM – 5PM Monday – Friday) at 1-888-627-8283 or 617-720-3197.

Useful Link:

Job aid on how to submit a response to the RFI (please follow the “quote” process despite the fact that this is an RFI, not a solicitation for a bid, and MassIT is not seeking “quotes”): http://www.mass.gov/anf/docs/osd/commbuys/create-a-quote.pdf

Webcast:  How to Locate and Respond to a Bid in CommBuys, will familiarize bidders with CommBuys terminology, basic navigation, and provide guidance for locating bid opportunities in CommBuys and submitting an online quote.

e. Response Content. Vendors should include a response to each of the questions set forth in section 9 of this RFI, and any or all of the questions set forth in section 4 of this RFI.

f. Response Format. MassIT requests that all responses be submitted in a MS Word document with a point-by-point response to each subsection (“A” through “I”) set forth in Section 4 above and Section 9 below. If a respondent opts not to respond to any item(s) in that subsection, please note and if possible include an explanation for the lack of response.

g. Response Length. Please restrict your response to any individual question (including its sub-questions) to no more than 2 pages. If you wish to provide additional pertinent information, you may submit it as a separate attachment, suitably referenced to the originating question.

h. Additional Information.

i. MassIT retains the right to request additional information from respondents. MassIT may, at its sole discretion, elect to request a face-to-face meeting with two or more respondents to this RFI to discuss their response in more detail. In the event that the number of responses is extensive, MassIT may limit face-to-face meetings to only a few respondents deemed most responsive to the RFI.

ii. MassIT may create an RFR or RFQ which will include the detailed requirements and key success criteria for the procurement and be based, at least in part, on the responses received from this RFI. MassIT may request further explanation or clarification from any and all respondents during the review process.

6. Event Calendar

| CALENDAR EVENT | DAY | DATE | TIME |
|---|---|---|---|
| RFQ Posting and Release | Thursday | November 19 | On or before COB |
| Questions Due | Monday | Nov. 30, 2015 | 5:00 PM |
| Question Responses Posted | Friday | Dec. 4, 2015 | 4:00 PM |
| All Responses to RFI Due | Wednesday | Dec. 16, 2015 | 3:00 PM |

7. Costs.

By submitting a response, respondents agree that any cost incurred in responding to this RFI, or in support of activities associated with this RFI, shall be the sole responsibility of respondent. MassIT shall not be held responsible for any costs incurred by respondents in preparing their respective responses to this RFI.

8. Review Rights.

Responses to this RFI may be reviewed and evaluated by any person(s) at the discretion of MassIT, including independent consultants retained by MassIT now or in the future.

9. Public Record.

All responses to this RFI will be public record under the Commonwealth’s Public Records Law, MGL ch. 66 s. 10, regardless of confidentiality notices set forth on such writings to the contrary.

10. Information Requested.

a. Company Name (please list parent company as well)

b. Company Address

c. Company Website

d. Contact name and information (e-mail address required)

e. Provide a description of your company and the basis of your expertise in offering a response to this RFI.

f. Please provide responses to questions identified in Section 4 of this RFI.

Exhibit A

Commonwealth Cloud Procurement Terms

(MassIT version as of 3/26/15)

The following legal terms apply to subscriptions to cloud offerings (each referred to as the “Service”) by an eligible entity (“Customer”) within the Commonwealth of Massachusetts (“Commonwealth”). These terms shall supplement any terms provided by the service provider (“Service Provider”). Changes to the terms below that adversely affect the Commonwealth must be approved by legal counsel at the Massachusetts Office of Information Technology; however, terms may be removed without approval if Service Provider’s terms contain similar provisions that are no less protective of the Commonwealth than the provisions contained herein. These terms must be attached to and made part of the executed contract.

DEFINITIONS

Cloud offerings include the following:

“Infrastructure-as-a-Service” (IaaS) means the capability provided to the consumer to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed application; and possibly limited control of select networking components (e.g., host firewalls).

“Platform-as-a-Service” (PaaS) means the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or -acquired applications created using programming languages and tools supported by the provider. This capability does not necessarily preclude the use of compatible programming languages, libraries, services and tools from other sources. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations.

“Software-as-a-Service” (SaaS) means the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a Web browser (e.g., Web-based email) or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

SUBSCRIPTION TERMS

1. Service Provider grants to Customer a license or right to (i) access and use the Service, (ii) for SaaS, use underlying software as embodied or used in the service, and (iii) view, copy, download (if applicable), and use documentation.

2. No terms, including a standard click-through license or website terms of use or privacy policy, shall apply to Customer unless Customer has expressly agreed to such terms by including them in a signed agreement.

SUPPORT AND TRAINING

1. Service Provider must provide technical support via online helpdesk and toll-free phone number, at minimum during Business Hours (Monday through Friday from 8:00 a.m. to 6:00 p.m. Eastern Time), and 24x7x365 if required by Customer and requested prior to contract execution.

2. Service Provider must make training available online to users. Training must be accessible, per the Commonwealth Web Accessibility Standards.

3. All support and training shall be provided at no additional cost to Customer, except for customized support and training expressly requested by Customer.

SERVICE LEVELS

Service Provider must provide a Service Level Agreement (SLA) that contains, at minimum, the following terms:

Uptime; scheduled maintenance

1. SLA must include (1) specified guaranteed annual or monthly uptime percentage, at minimum 99.99%; and (2) definition of uptime and how it is calculated.

2. For purposes of calculating uptime percentage, scheduled maintenance may be excluded up to ten (10) hours per month, but unscheduled maintenance and any scheduled maintenance in excess of ten (10) hours must be included as downtime.

3. Scheduled maintenance must occur: with at least two (2) business days’ advance notice; at agreed-upon times when a minimum number of users will be using the system; and in no event during Business Hours.

Defects; other SLA metrics

4. SLA must include: (1) response and resolution times for defects; (2) at least three levels of defect classifications (severe, medium, low); and (3) any other applicable performance metrics (e.g., latency, transaction time) based on industry standards.

5. While the Service Provider may initially classify defects, Customer determines final classification of defects.

Remedies

6. SLA must include remedies for failure to meet guaranteed uptime percentage, response and resolution times, and other metrics, which may include fee reductions, credits, and extensions in service period at no cost. Such remedies shall be issued by Service Provider with no action required from Customer.

7. Repeated or consistent failures to meet SLA metrics result in (1) a refund of all fees paid by Customer for the period in which the failure occurred; (2) participation by Service Provider in a root cause analysis and corrective action plan at Customer’s request; and (3) a right for Customer to terminate without penalty and without waiver of any rights upon written notice to Service Provider.

Reports

8. Service Provider will provide Customer with a written report (which may be electronic) of performance metrics, including uptime percentage and record of service support requests, classifications, and response and resolution times, at least quarterly or as requested by Customer. Customer may independently audit the report at Customer’s expense.

9. Representatives of Service Provider and Customer shall meet as often as may be reasonably requested by either party to review the performance of the Service and to discuss technical plans, financial matters, system performance, service levels, and any other matters related to this Agreement.

10. Service Provider will provide to Customer regular status reports during unscheduled downtime, at least twice per day or upon request.

11. Service Provider will provide Customer with root cause analysis within thirty (30) days of unscheduled downtime at no additional cost.

Changes to SLA

12. Service Provider may not change the SLA in any manner that adversely affects Customer or degrades the service levels applicable to Customer, without Customer’s written approval.

UPDATES AND UPGRADES

1. Service Provider will make updates and upgrades available to Customer at no additional cost when Service Provider makes such updates and upgrades generally available to its users.

2. No update, upgrade or other change to the Service may decrease the Service’s functionality, adversely affect Customer’s use of or access to the Service, or increase the cost of the Service to Customer.

3. Service Provider will notify Customer at least sixty (60) days in advance prior to any major update or upgrade.

4. Service Provider will notify Customer at least five (5) business days in advance prior to any minor update or upgrade, including hotfixes and installation of service packs, except in the case of an emergency such as a security breach.

CUSTOMER DATA

1. Customer retains full right and title to data provided by Customer and any data derived therefrom, including metadata (collectively, the “Customer Data”).

2. Service Provider shall not collect, access, or use user-specific Customer Data except as strictly necessary to provide Service to Customer. No information regarding Customer’s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall extend beyond the term of the Agreement in perpetuity.

3. Service Provider shall not use any information collected in connection with the Agreement, including the Customer Data, for any purpose other than fulfilling its obligations under the Agreement.

4. At no time may any data or processes which either belong to Customer, or are intended for Customer’s exclusive use, be copied, disclosed, or retained by Service Provider for subsequent use in any transaction that does not include Customer.

5. Customer Data must remain at all times within the continental United States. Service Provider must disclose to Customer the identity of any third-party host of Customer Data prior to the signing of this Agreement.

6. Customer may export the Customer Data at any time during the term of the Agreement or for up to three (3) months after the term (so long as the Customer Data remains in the Service Provider’s possession) in an agreed-upon file format and medium.

7. Three (3) months after the termination or expiration of the Agreement or upon Customer’s earlier written request, and in any event after Customer has had an opportunity to export and recover the Customer Data, Service Provider shall at its own expense destroy and erase from all systems it directly or indirectly uses or controls all tangible or intangible forms of the Customer Data and Customer’s Confidential Information, in whole or in part, and all copies thereof except such records as are required by law. To the extent that any applicable law prevents Service Provider from destroying or erasing Customer Data as described in the preceding sentence, Service Provider shall retain, in its then current state, all such Customer Data then within its right of control or possession in accordance with the confidentiality, security and other requirements of this Agreement, and perform its obligations under this section as soon as such law no longer prevents it from doing so. Service Provider shall, upon request, send a written certification to Customer certifying that it has destroyed the Customer Data and Confidential Information in compliance with this section.

DATA PRIVACY AND SECURITY

1. Service Provider must comply with all applicable laws related to data privacy and security.

2. Service Provider shall not access Customer user accounts, or Customer Data, except in the course of data center operations, response to service or technical issues, as required by the express terms of this Agreement, or at Customer’s written request.

3. Service Provider may not share Customer Data with its parent company, other affiliate, or any other third party without Customer’s express written consent.

4. Prior to contract execution, Service Provider and Customer must cooperate and hold a meeting to determine whether:

a. “Personal data,” as defined in Mass. Gen. Laws c. 66A, will be stored or used in the Service. If so, then Service Provider is a “holder” of “personal data”, as such terms are defined in M.G.L. c. 66A, solely to the extent that the obligations of a holder are applicable to Service Provider’s delivery of services under the Agreement. The Customer remains responsible for all other obligations of a holder set forth in M.G.L. c. 66A.

b. Any sensitive or personal information will be stored or used in the Service that is subject to any law, rule or regulation providing for specific compliance obligations (e.g., M.G.L. c. 93H and 201 CMR 17.00, HIPAA, FERPA, IRS Pub. 1075). If so, then Service Provider must document in the Agreement how the Service complies with such law.

If either of the above is true, then Service Provider and Customer must review the Service specifications to determine whether the Service is appropriate for the level of sensitivity of the data to be stored or used in the Service, and how Customer and Service Provider will comply with applicable laws. Service Provider and Customer must document the results of this discussion and attach the document to the Agreement.

5. Service Provider shall provide a secure environment for Customer Data, and any hardware and software, including servers, network and data components provided by Service Provider as part of its performance under this Agreement, in order to protect, and prevent unauthorized access to and use or modification of, the Service and Customer Data.

6. Service Provider will encrypt personal and non-public Customer Data in transit and at rest.

7. Customer Data must be partitioned from other data in such a manner that access to it will not be impacted or forfeited due to e-discovery, search and seizure or other actions by third parties obtaining or attempting to obtain Service Provider’s records, information or data for reasons or activities that are not directly related to Customer’s business.

8. In the event of any breach of the Service’s security that adversely affects Customer Data or Service Provider’s obligations with respect thereto, or any evidence that leads Service Provider to reasonably believe that such a breach is imminent, Service Provider shall immediately (and in no event more than twenty-four hours after discovering such breach) notify Customer. Service Provider shall identify the affected Customer Data and inform Customer of the actions it is taking or will take to reduce the risk of further loss to Customer. Service Provider shall provide Customer the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law.

9. In the event that personally identifiable information is compromised, Service Provider shall be responsible for providing breach notification to data owners in coordination with Customer and the Commonwealth as required by M.G.L. ch. 93H or other applicable law or Commonwealth policy.

10. Service Provider shall indemnify, defend, and hold Customer harmless from and against any and all fines, criminal or civil penalties, judgments, damages and assessments, including reasonable expenses suffered by, accrued against, charged to or recoverable from the Commonwealth, on account of the failure of Service Provider to perform its obligations pursuant to this Section.

WARRANTY

At minimum, Service Provider must warrant that:

1. Service Provider has acquired any and all rights, grants, assignments, conveyances, licenses, permissions and authorizations necessary for Service Provider to provide the Service to Customer;

2. The Service will perform materially as described in the Agreement;

3. Service Provider will provide to Customer commercially reasonable continuous and uninterrupted access to the Service, and will not interfere with Customer’s access to and use of the Service during the term of the Agreement;

4. The Service is compatible with and will operate successfully with any environment (including web browser and operating system) specified by Service Provider in its documentation;

5. The Service will be performed in accordance with industry standards, provided however that if a conflicting specific standard is provided in this Agreement or the documentation provided by Service Provider, such specific standard will prevail;

6. Service Provider will maintain adequate and qualified staff and subcontractors to perform its obligations under this Agreement; and

7. Service Provider and its employees, subcontractors, partners and third party providers have taken all necessary and reasonable measures to ensure that all software provided under this Agreement shall be free of Trojan horses, back doors, known security vulnerabilities, malicious code, degradation, or breach of privacy or security.

ACCESSIBILITY

For SaaS and PaaS, Service Provider must comply with the Commonwealth’s established standards for accessibility as described in a separate attachment. If such attachment is not provided, the Service Provider must request the accessibility terms from Customer. The accessibility terms provide, among other things, that Service Provider must (1) give Customer a VPAT or other results of accessibility testing prior to contract execution; (2) provide Customer with access to the Service so that Customer can conduct accessibility testing, and cooperate with Customer or third party accessibility testing of the Service; and (3) make available, both prior to and during the course of the engagement, Service Provider personnel to discuss accessibility and compliance with the Commonwealth’s accessibility standards.

SUBCONTRACTORS

1. Before and during the term of this Agreement, Service Provider must notify Customer prior to any subcontractor providing any services, directly or indirectly, to Customer under this Agreement that materially affect the Service being provided to Customer, including: hosting; data storage; security and data integrity; payment; and disaster recovery. Customer must approve all such subcontractors identified after the effective date of the Agreement.

2. Service Provider is responsible for its subcontractors’ compliance with the Agreement, and shall be fully liable for the actions and omissions of subcontractors as if such actions or omissions were performed by Service Provider.

DISASTER RECOVERY

1. Service Provider agrees to maintain and follow a disaster recovery plan designed to maintain Customer access to the Service, and to prevent the unintended destruction or loss of Customer Data. The disaster recovery plan shall provide for and be followed by Service Provider such that in no event shall the Service be unavailable to Customer for a period in excess of twenty-four (24) hours.

2. If Customer designates the Service as mission-critical, as determined by Customer in its sole discretion: (1) Service Provider shall review and test the disaster recovery plan regularly, at minimum twice annually; (2) Service Provider shall back up Customer Data no less than twice daily in an off-site “hardened” facility located within the continental United States; and (3) in the event of Service failure, Service Provider shall be able to restore the Service, including Customer Data, with loss of no more than twelve (12) hours of Customer Data and transactions prior to failure.

RECORDS AND AUDIT

1. Records. Service Provider shall maintain accurate, reasonably detailed records pertaining to:

(i) The substantiation of claims for payment under this Agreement, and

(ii) Service Levels, including service availability and downtime.

2. Records Retention. Service Provider shall keep such records for a minimum retention period of seven (7) years from the date of creation, and will preserve all such records for five (5) years after termination of this Agreement. No applicable records may be discarded or destroyed during the course of any litigation, claim, negotiation, audit or other inquiry involving this Agreement.

3. Audit of Records. Customer or its designated agent shall have the right, upon reasonable notice to Service Provider, to audit, review and copy, or contract with a third party to audit, any and all records collected by Service Provider pursuant to item (1) above, as well as any other Service Provider records that may reasonably relate to Customer’s use of the Service, no more than twice per calendar year. Such records will be made available to Customer at no cost in a format that can be downloaded or otherwise duplicated.

TRANSITION ASSISTANCE

1. Service Provider shall reasonably cooperate with other parties in connection with all services to be delivered under this Agreement, including without limitation any successor provider to whom Customer Data is to be transferred in connection with termination. Service Provider shall assist Customer in exporting and extracting the Customer Data, in a format usable without the use of the Service and as agreed to by Customer, at no additional cost. Any transition services requested by Customer involving additional knowledge transfer and support may be subject to a separate transition SOW on a time and materials basis either for a fixed fee or at rates to be mutually agreed upon by the parties.

2. If Customer determines in its sole discretion that a documented transition plan is necessary, then no later than sixty (60) days prior to termination, Service Provider and Customer shall jointly create a written Transition Plan Document identifying transition services to be provided and including an SOW if applicable. Both parties shall comply with the Transition Plan Document both prior to and after termination as needed.
