Banking RFP 070120181
Park City Municipal Corporation
REQUEST FOR PROPOSALS (NON-BID) FOR
Banking Services
NOTICE
REQUEST FOR PROPOSALS (NON-BID)
Banking Services
PROPOSALS DUE: April 13, 2018, by 4:00pm MST
RFP AVAILABLE: March 12, 2018
PROJECT LOCATION: 445 Marsac Avenue, Park City, UT 84060
PROJECT DESCRIPTION (brief): Full, integrated banking services for Park City Municipal
Corporation
PROJECT DEADLINE: July 1, 2018
OWNER: Park City Municipal Corporation
P.O. Box 1480
Park City, UT 84060
CONTACT: Rebecca Gillis, Finance Manager
Rebecca.gillis@parkcity.org
All questions shall be submitted in writing via email no later than
March 30, 2018.
Park City reserves the right to reject any or all proposals received. Furthermore, the City
shall have the right to waive any informality or technicality in proposals received when in
the best interest of the City.
I. Introduction
Park City Municipal Corporation (the City) is currently seeking proposals from local qualified
financial institutions to provide full, integrated banking services to the City. The City intends to
maintain all banking services with one financial institution to maximize cash flow and minimize
administrative costs. As such, banking services proposals must include services for the account
system outlined. Zions Bank currently provides banking services to the City. The City is
requesting proposals to periodically test the market to assure that the City is receiving the
optimum level of service at a competitive price.
The City will make every effort to administer the proposal process in accordance with the terms
and dates outlined in this Request For Proposal (RFP). However, the City reserves the right to
cancel or modify the terms of this RFP and/or the project at any time and for any reason
preceding contract award and reserves the right to accept or reject any or all proposals submitted
pursuant to this request for proposals. Park City will provide respondents written notice of any
cancellation and/or modification. By requesting proposals, the City is in no way obligated to
award a contract or pay the expenses of proposing institutions in connection with the preparation
or submission of a proposal. The awarding of a contract shall be contingent on the availability of
funds and the requisite staff and City Council approvals.
MANDATORY CONDITIONS QUALIFYING A FINANCIAL INSTITUTION TO
PROPOSE
Proposers must meet the qualifications described in this section.
1. Location within the City limits: The proposing financial institution must be a Federal or
State of Utah chartered financial institution. The financial institution must have a full-
service branch located within the City limits of Park City for the full term of the banking
contract. This branch must be able to offer the full range of banking services required by
this RFP. Any question as to whether a proposing institution meets this qualifying
condition may be submitted to the Park City Finance Manager in writing via email prior to
submission of a proposal.
2. Qualified Public Depository: The proposing financial institution must be a qualified
depository for public funds pursuant to the Utah State Money Management Act Section
51-7-11. The financial institution must be a member of the Federal Reserve System and
must have access to all Federal Reserve services (e.g., check processing, electronic funds
transfer, etc.). The financial institution must be insured by the Federal Deposit Insurance
Corporation (FDIC).
3. Strength and Stability: The proposing financial institution shall have on file with the
City an affidavit with the amount of its capital stock and surplus. The financial institution
selected to perform banking services shall maintain a capital structure equal to or greater
than the amount the City has on deposit with them at any time during the term of the
agreement. This calculation shall include both demand deposits and term deposits such as
certificates of deposit and savings accounts. Each proposing institution shall submit with
their proposal one (1) copy of their annual financial report for the past two years. The
successful proposer shall, for the duration of this contract, continue to furnish to the City
annual financial reports in a timely manner.
4. Community Presence: The financial institution shall have a rating of “Outstanding” or
“Satisfactory” on its most recent Community Reinvestment Act review.
5. Legal Compliance: By submitting a proposal, the financial institution represents and
warrants that it is familiar with the local laws and ordinances, and will conform to all
local, state and federal laws, including but not limited to workers’ compensation and all
anti-discrimination laws.
6. Technology: The financial institution shall have the ability to supply web-based
information reporting systems and allow multiple users with different security level
access, provide electronic images of cleared checks front and back, direct deposit services,
wire transfers, cashier’s checks, electronic funds and automatic clearinghouse transfers.
II. Scope of Project
Demand Deposit Accounts: Park City Municipal Corporation currently has one operating
checking account. Daily balances and activity are obtained online through the internet for each
account. Disbursements from the operating account are currently made by computer-generated
checks by the Finance Department on Thursday of each week. City employees are paid using
ADP Payroll Services either on a bi-weekly or monthly basis. All City checks require the
signatures of both the City Manager and the Treasurer, done by a facsimile or actual signature.
See Exhibit A for the average monthly banking activity for calendar year 2017.
The City’s operating account receives all revenues. The City currently uses a courier service for
daily deposit pick-ups at the following locations: Finance Department, Library, Public Works
Parking Services, Golf Course (open May through October), Ice Rink and Recreation
Department. The courier service is contracted and paid for directly by the City. The courier
service only delivers to a branch in the City limits. Each City department or division has a unique
identifier number printed on its deposit slip. Deposits occur during the day or occasionally
through night drop. Checks processed at the Finance Department location only are remotely
deposited through a Check 21 solution. Scanned checks are not delivered to the institution and
are destroyed by Finance Department staff after thirty (30) days of deposit processing. All other
locations send the paper checks for deposit.
III. Content of Proposal
Interested institutions shall provide a PDF electronic version of their proposal. A proposing bank
must follow the instructions for preparing the proposal in the prescribed format as outlined in
this section. Each question in the RFP shall be repeated with the bank’s response following. Do
not include any extraneous or marketing information. If a service requirement or section of the
proposal cannot be met by a proposing bank, then “No Proposal” should be indicated on the bid
form and in the relevant section of the proposal. An alternative equivalent service may be
offered. Proposals should be 25 pages or less (not including the cover page and appendix
items) and include the following information:
A. Cover Page: Name, address, email, and website of the institution.
B. Table of Contents: Table of Contents should follow the RFP format.
C. Institution Profile: Please provide the following information:
Institution Overview - General overview of the institution, certification of meeting
required qualifications to propose as outlined in Section II, customer service philosophy
and identification of the primary office or branch that the City will be assigned to and
where the City will conduct its banking business.
Experience – Institution’s direct experience in servicing public sector clients. Please
include: the number of public agency clients and the dollar amount of public funds on
deposit.
Relationship Management – Identify officers responsible for the City’s accounts, what
each person’s role and responsibilities will be, and the relevant credentials and
experience of each person on the relationship management team.
D. References: Please provide three (3) references (preferably public agencies) for whom the
institution has provided banking services similar to those required by the City. Include the
following information for each reference: Contact name, title, name of customer, address,
telephone number and number of years as customer.
E. Cost Proposal (see Exhibit A and Exhibit B)
Proposals will be evaluated by a committee of Finance Department staff. Evaluations will be
based on criteria outlined herein, which may be weighted by the City in a manner it deems
appropriate. All proposals will be evaluated using the same criteria and weighting. Price is not
the sole deciding factor. Criteria for evaluation of proposals include the following:
1. legal and other qualifications have been met by the financial institution,
2. proper submission and responsiveness to RFP,
3. verification that a proposing institution is qualified under Section 51-7-11 of the Utah
State Money Management Act as a designated depository,
4. location(s) in the Park City Municipal city limits,
5. experience, resources, and qualifications of the financial institution and individuals
assigned to this account and relevant experience managing similar account relationships
with public agency clients,
6. scope of services offered including internet-based services,
7. financial strength and capacity of proposing institution based upon annual financial
reports and other related information,
8. references,
9. fees,
10. agreement to the terms of the City’s Service Provider/Professional Services Agreement
attached as Exhibit D,
11. employee banking services package, and
12. the value of any new product or service suggestions or other new ideas and
enhancements.
If there are any services not listed in Exhibit A for which an institution intends to charge, please
list each item separately in Exhibit B. Any services for which a proposing institution intends to
charge must be listed along with the price per item on the proposal form. Any services not listed
thereon will be assumed free of charge. If there is a conflict between the written and numerical
amount, the written amount shall supersede. Proposals lacking required information will not be
considered.
All submittals shall be public records in accordance with government records regulations
(“GRAMA”) unless otherwise designated by the applicant pursuant to UCA §63G-2-309, as
amended. The award of contract is subject to approval by City Council.
A proposing institution may submit written questions via email to the Finance Manager in order
to clarify any matters relating to this RFP no later than March 30, 2018 at 4:00pm MST. The
proposer’s question and the City’s answer will become public record and will be shared with all
proposing institutions to which the RFP has been sent.
F. Please provide answers to the following:
1. Please describe the institution’s cash deposit requirements. How should the coin and
currency deposits be bundled? Is there a fee for depositing loose or rolled coin?
2. Please provide examples of the reports for account analysis statement and the monthly
statement.
3. Please describe in detail the procedures for handling deposit adjustments. What
documentation on discrepancies is provided? Is the documentation different for cash
deposits and check deposits? What is the minimum adjustment amount? How soon would
support documentation of a deposit discrepancy be provided to the City?
4. What are the cut-off times for deposits at the local branch? If the institution has more
than one branch, identify the time and branch(es) where the daily deposit(s) will be
accepted. Is pricing different for night drop services? How are deposit adjustments and
the related notification and support documentation handled for night drop deposits?
5. Please describe the returned item handling and notification procedures. How long does it
take returned items to be sent to the City? Can returned items be automatically re-
deposited? If so, how many times?
6. Can change orders for $500 or less be made available to City departments without
advance notice?
7. The institution will be required to provide certain transaction confirmations and respond
to other requests for data as needed from the City’s auditors. Will the bank be able to
comply with such requests?
8. The City has not been in an overdraft position for years; however, what is the institution’s
policy regarding daylight (intra-day) overdrafts? Is there a charge for DOD’s and if so,
how is it calculated? Is there a daily cap on fees? Will the institution guarantee payment
of all items even if it results in the account being overdrawn temporarily for the day?
What is the institution’s policy regarding Interday Overdrafts? Is interest assessed on
overdrafts and if so, how is that rate calculated?
9. How does the institution determine and calculate availability of deposited items? Does
the institution give immediate availability for on-us items? Does the institution calculate
availability by item or formula? Please provide a copy of the funds availability schedule
the institution proposes to use for the City. Describe one day, two day availability and
wire requirements.
Online Banking: Do the financial institution’s online banking services include, at a minimum,
the following capabilities:
secure, dual administration (separation of duties) for initiating and approving user access,
permissions, wire transfers, ACH transfers, template setups, etc.,
wire transfers and ACH transfers,
ability to download electronic monthly statements in an electronic file that can be
exported to Excel,
ability to identify via online reporting, by numeric code, the originating location of
deposits made by City departments,
daily detailed account reporting showing beginning and ending ledger balances, collected
balances and available balances. Please provide a sample of prior day and intra-day
reports that would be the best example of the system’s capabilities,
image viewing of deposit tickets,
image viewing of canceled checks,
stop payments,
funds transfers between accounts, and
viewing of float information on all deposited items.
ACH Debit Services and Direct Deposit of Payroll: The City processes a direct debit batch
once a month for the payment of both residential and commercial utility bills. The City also
processes payroll up to five (5) times a month. Payroll will be an ACH transaction to ADP for
paydays that occur every other Friday for staff. City Council and Boards are paid monthly. Other
miscellaneous ACH transactions such as retirement fund transfers, sales tax transfers and federal
tax payments flow through the account each month. Please provide answers to the following:
1. Please describe the institution’s ACH and Direct Deposit online banking service.
What are the different ACH file transmission options available to the City?
What are the transmission deadlines for ACH files? When (day and time) does the
institution need the file from the City?
What are the hours of operation of the ACH unit?
2. Please detail the institution’s back-up plans for data transmissions. The City requires
immediate notification of any changes or problems and the ability to re-send a file or to
delete a file.
3. What screening measures does the institution use to minimize errors on files?
4. How does the institution handle file, batch and item reversals and deletions?
Banking Supplies: Currently, at no additional charge, the City is provided triplicate carbonless
deposit slips encoded with each depositing department’s code number and plastic deposit bags.
Does the institution charge for this service?
Positive Pay/Reverse Positive Pay Services: Describe the institution’s ability to provide
Positive Pay or Reverse Positive Pay services on checks and ACH debits. What type of data
transmission can the institution accept? What is the deadline for the transmission of check
issuance files to the institution? How much time will the City have to review discrepancies and
notify the institution to reject?
Safekeeping Services: Occasionally, the City maintains a fixed-income portfolio with assets of
approximately $5 million. Describe the institution’s safekeeping services including an example
of monthly reports that would be provided to the City. Please provide a schedule of fees for this
service.
Employee Banking: Describe in detail the package of employee banking services that the
institution proposes to provide to City employees that use direct deposit for their payroll.
Currently our employees are offered a free checking account that includes the following: No
monthly service charge, unlimited check writing, no minimum balance requirement, free bill pay
for twelve (12) months, debit card and free online banking.
Conversion: The City requires a smooth and low-cost transition to a new institution.
1. Please describe the institution’s plan to implement the proposed services and to ensure a
smooth, error-free conversion. Please detail all costs and the responsible party (institution
or City) associated with the conversion of all the new services.
2. Indicate the plans for educating and training City employees in the use of the institution’s
systems.
3. Describe in detail how the institution handles problem resolution, customer service, day-
to-day contact and ongoing maintenance for governmental clients. Please be specific
about exactly whom the City will be calling and working with for the above described
situations.
Compensation: Compensation shall be provided either in the form of a compensating balance or
direct fees basis. The City currently uses the direct fees basis. The City shall, at the beginning of
the contract period, specify which method of compensation will be used.
1. What is the institution’s Earnings Credit Rate (ECR) based on, and how is it calculated?
List the institution’s actual ECR for the months of November and December 2017 and
January 2018. Is the account analysis settlement period monthly?
2. Please detail exactly what types of items and services can be applied against the City’s
account analysis in addition to standard banking services. Is there a mark-up for any of
the items? If so, how much?
3. What procedure is used to make any adjustments to account analysis statements and how
long does it take adjustments to take effect? How are adjustments handled if the analysis
period has already ended?
Data Equipment Compatibility: The City heavily relies on online transactions and wishes to
ensure equipment and data compatibility and therefore requests the specifications needed for an
automated wire transfer, ACH debit and credit, balance reporting and any other automated
systems be included in this proposal. Any costs associated with automated data and equipment
should be identified in Exhibit B if not already listed in Exhibit A.
Disaster Recovery:
1. Describe the institution’s formal disaster recovery plan.
2. How quickly will back-up facilities be activated?
Exhibits for Banking Services Proposal
The following exhibits must be included with the proposal:
Exhibit A: Please complete and submit the form entitled “Banking Services Bid Form” which is
included with the RFP. This is a list of services the City now uses as well as the average monthly
unit counts experienced in calendar year 2017.
Exhibit B: Please complete and submit the form entitled “Banking Services Proposal –
Additional Services and Costs” which is included with the RFP. If the institution requires certain
elements or services not already listed in Exhibit A, please add them in Exhibit B.
Exhibit A and Exhibit B will be considered all-inclusive and the prices shown on the list shall be
incorporated into the agreement and be effective through June 30, 2025.
IV. Selection Process
Proposals will be evaluated on the factors listed in Section III, Content of Proposal, above. The
City will evaluate proposals based on completeness, qualifications, experience, and ability to
comply with requirements mentioned herein. The City may request additional information on the
proposal if insufficient or unclear details are provided. All proposals shall be good for up to 180
days after receipt.
The selection process will proceed on the following schedule:
A. Proposals will be received by Park City prior to 4:00pm MST on April 13, 2018
to Rebecca.gillis@parkcity.org (if 8MB or less) or via Dropbox as a read-only
shared link.
B. A selection committee comprised of Finance Manager, Treasurer, Accounting
Manager, Accountant and/or City Staff will review all submitted RFPs within 21
days after the submission deadline. Initial proposals will be evaluated for price
and content. Finalist institutions will have 10 business days to fill out any
additional information and schedule a demo of their online banking and other
services.
C. The selection committee may conduct additional research such as site visits,
customer interviews (at the City’s expense), etc. before selecting a finalist.
D. It is anticipated that City Council will vote on the contract award before May 31,
2018.
Park City Municipal Corporation reserves the right to change any dates or deadlines related to
the bid submittal process.
V. Park City Municipal Standard Service Provider Agreement
The successful proposal will be required to enter into Park City’s Professional Service
Agreement, in its current form, with the City. A draft of the Agreement is attached to this RFP.
Proposals should either agree to the standard contract “as is” or request changes to the form as
part of the proposal; however, RFP responders should understand that the City is not required to
make adjustments to the standard contract. The nature and extent of any requested changes to the
standard contract will be considered as part of the evaluation process.
Any service provider who contracts with Park City is required to have a valid Park City business
license.
ANY INQUIRIES RELATED TO INDEMNIFICATION OR INSURANCE PROVISIONS
CONTAINED IN PARK CITY MUNICIPAL CORPORATION’S STANDARD
AGREEMENT MUST BE SUBMITTED TO PARK CITY MUNICIPAL
CORPORATION NO LATER THAN THE PROPOSAL/SUBMITTAL DEADLINE.
PARK CITY MAY, IN ITS SOLE DISCRETION, CONSIDER SUCH INQUIRIES. ANY
CHANGES TO PARK CITY’S STANDARD INSURANCE AND INDEMNIFICATION
PROVISIONS SHALL BE APPROVED IN PARK CITY’S SOLE DISCRETION.
Contract Period: The selected institution shall be designated as the City’s depository for an
initial three-year term commencing July 1, 2018. At the City’s option, two (2), two-year
extensions will be permitted with the same terms and conditions of the original contract or as
amended, thereby providing for seven (7) years of depository and banking services. The prices
submitted on Exhibit A and Exhibit B will be considered all-inclusive and shall be incorporated
into the agreement and be effective through June 30, 2025. The prices may be re-negotiated at
that time. The City Finance and Legal Departments must approve additional related contracts,
such as Wire Transfer Agreements, as to both form and content.
VI. Information to be submitted
To be considered, one electronic copy of the proposal must be received by email,
Rebecca.gillis@parkcity.org or via Dropbox as a read-only shared link no later than April 13,
2018 at 4:00pm MST.
VII. Preparation of Proposals
A. Failure to Read. Failure to read the Request for Proposal and these instructions
will be at the offeror's own risk.
B. Cost of Developing Proposals. All costs related to the preparation of the
proposals and any related activities are the sole responsibility of the offeror. The
City assumes no liability for any costs incurred by offerors throughout the entire
selection process.
VIII. Proposal Information
A. Equal Opportunity. The City will make every effort to ensure that all offerors
are treated fairly and equally throughout the entire advertisement, review and
selection process. The procedures established herein are designed to give all
parties reasonable access to the same basic information.
B. Proposal Ownership. All proposals, including attachments, supplementary
materials, addenda, etc., shall become the property of the City and will not be
returned to the offeror.
C. Rejection of Proposals. The City reserves the right to reject any or all proposals
received. Furthermore, the City shall have the right to waive any informality or
technicality in proposals received when in the best interest of the City.
D. No proposal shall be accepted from, or contract awarded to, any person, firm or
corporation that is in arrears to the City, upon debt or contract, or that is a
defaulter, as surety or otherwise, upon any obligation to the City, or that may be
deemed irresponsible or unreliable by the City. Offerors may be required to
submit satisfactory evidence that they have the necessary financial resources to
perform and complete the work outlined in this RFP.
E. Park City Municipal Corporation’s policy is, subject to Federal, State and local
procurement laws, to make reasonable attempts to support Park City businesses
by purchasing goods and services through local vendors and service providers.
F. If bidder utilizes third parties for completing RFP requirements, list what portion
of the RFP will be completed by third parties and the name, if known, of the third
party.
Attachment 1
PARK CITY MUNICIPAL CORPORATION
SERVICE PROVIDER/PROFESSIONAL SERVICES AGREEMENT
THIS AGREEMENT is made and entered into as of this ____ day of
_____________, 20__, by and between PARK CITY MUNICIPAL CORPORATION, a
Utah municipal corporation, (“City”), and ____________________________________,
a Financial Institution (“Service Provider”), collectively, the City and the Service Provider
are referred to as (the “Parties”).
WITNESSETH:
WHEREAS, the City desires to have certain services and tasks performed as set
forth below requiring specialized skills and other supportive capabilities;
WHEREAS, sufficient City resources are not available to provide such services;
and
WHEREAS, the Service Provider represents that the Service Provider is qualified
and possesses sufficient skills and the necessary capabilities, including technical
and professional expertise, where required, to perform the services and/or tasks
set forth in this Agreement.
NOW, THEREFORE, in consideration of the terms, conditions, covenants, and
performance contained herein, the Parties hereto agree as follows:
1. SCOPE OF SERVICES.
The Service Provider shall perform such services and accomplish such tasks,
including the furnishing of all materials and equipment necessary for full
performance thereof, as are identified and designated as Service Provider
responsibilities throughout this Agreement and as set forth in the “Scope of
Services” attached hereto as “Exhibit A” and incorporated herein (the “Project”).
The total fee for the Project shall not exceed __________________ Dollars
($_____________).
Service Provider shall abide by the requirements in Exhibit “B” “Technology
Support, Infrastructure & Security” which is attached hereto and incorporated
herein.
The City has designated __________, or his/her designee as City’s
Representative, who shall have authority to act in the City’s behalf with respect to
this Agreement consistent with the budget contract policy.
2. TERM.
No work shall occur prior to the issuance of a Notice to Proceed which cannot
occur until execution of this Agreement, which execution date shall be
commencement of the term and the term shall terminate on
________________________ or earlier, unless extended by mutual written
agreement of the Parties.
3. COMPENSATION AND METHOD OF PAYMENT.
A. Payments for services provided hereunder shall be made monthly
following the performance of such services.
B. No payment shall be made for any service rendered by the Service
Provider except for services identified and set forth in this Agreement.
C. For all “extra” work the City requires, the City shall pay the Service
Provider for work performed under this Agreement according to the
schedule attached hereto as “Exhibit C,” or if none is attached, as
subsequently agreed to by both Parties in writing.
D. The Service Provider shall submit to the City Manager or her designee on
forms approved by the City Manager, an invoice for services rendered
during the pay period. The City shall make payment to the Service
Provider within thirty (30) days thereafter. Requests for more rapid
payment will be considered if a discount is offered for early payment.
Interest shall accrue at a rate of six percent (6%) per annum for services
remaining unpaid for sixty (60) days or more.
E. The Service Provider reserves the right to suspend or terminate work and
this Agreement if any unpaid account exceeds sixty (60) days.
F. Service Provider acknowledges that the continuation of this Agreement
after the end of the City’s fiscal year is specifically subject to the City
Council’s approval of the annual budget.
4. RECORDS AND INSPECTIONS.
A. The Service Provider shall maintain books, records, documents,
statements, reports, data, information, and other material with respect to
matters covered, directly or indirectly, by this Agreement, including (but
not limited to) that which is necessary to sufficiently and properly reflect all direct and
indirect costs related to the performance of this Agreement, and shall
maintain such accounting procedures and practices as may be necessary
to assure proper accounting of all funds paid pursuant to this Agreement.
B. The Service Provider shall retain all such books, records, documents,
statements, reports, data, information, and other material with respect to
matters covered, directly or indirectly, by this Agreement for six (6) years
after expiration of the Agreement.
C. The Service Provider shall, at such times and in such form as the City may
require, make available for examination by the City, its authorized
representatives, the State Auditor, or other governmental officials
authorized by law to monitor this Agreement all such books, records,
documents, statements, reports, data, information, and other material with
respect to matters covered, directly or indirectly, by this Agreement. The
Service Provider shall permit the City or its designated authorized
representative to audit and inspect other data relating to all matters
covered by this Agreement. The City may, at its discretion, conduct an
audit at its expense, using its own or outside auditors, of the Service
Provider’s activities, which relate directly or indirectly to this Agreement.
D. The City is subject to the requirements of the Government Records
Access and Management Act, Chapter 2, Title 63G, Utah Code
Annotated, 1953, as amended and Park City Municipal Code Title 5
(“GRAMA”). All materials submitted by Service Provider pursuant to this
Agreement are subject to disclosure unless such materials are exempt
from disclosure pursuant to GRAMA. The burden of claiming an
exemption from disclosure rests solely with Service Provider. Any
materials for which Service Provider claims a privilege from disclosure
based on business confidentiality shall be submitted marked as
“confidential - business confidentiality” and accompanied by a concise
statement from Service Provider of reasons supporting its claim of
business confidentiality. Generally, GRAMA only protects against the
disclosure of trade secrets or commercial information that could
reasonably be expected to result in unfair competitive injury. The City will
make reasonable efforts to notify Service Provider of any requests made
for disclosure of documents submitted under a claim of confidentiality.
Service Provider specifically waives any claims against the City related to
any disclosure of materials pursuant to GRAMA.
5. INDEPENDENT CONTRACTOR RELATIONSHIP.
A. The Parties intend that an independent Service Provider/City relationship
will be created by this Agreement. No agent, employee, or representative
of the Service Provider shall be deemed to be an employee, agent, or
representative of the City for any purpose, and the employees of the
Service Provider are not entitled to any of the benefits the City provides for
its employees. The Service Provider will be solely and entirely
responsible for its acts and for the acts of its agents, employees,
subcontractors or representatives during the performance of this
Agreement.
B. In the performance of the services herein contemplated the Service
Provider is an independent contractor with the authority to control and
direct the performance of the details of the work, however, the results of
the work contemplated herein must meet the approval of the City and shall
be subject to the City’s general rights of inspection and review to secure
the satisfactory completion thereof.
6. SERVICE PROVIDER EMPLOYEE/AGENTS.
The City may at its sole discretion require the Service Provider to remove an
employee(s), agent(s), or representative(s) from employment on this Project.
The Service Provider may, however, employ that (those) individual(s) on other
non-City related projects.
7. HOLD HARMLESS INDEMNIFICATION.
A. The Service Provider shall indemnify and hold the City and its agents,
employees, and officers, harmless from and shall process and defend at
its own expense any and all claims, demands, suits, at law or equity,
actions, penalties, losses, damages, or costs, of whatsoever kind or
nature, brought against the City arising out of, in connection with, or
incident to the execution of this Agreement and/or the Service Provider’s
negligent performance or failure to perform any aspect of this Agreement;
provided, however, that if such claims are caused by or result from the
concurrent negligence of the City, its agents, employees, and officers, this
indemnity provision shall be valid and enforceable only to the extent of the
negligence of the Service Provider; and provided further, that nothing
herein shall require the Service Provider to hold harmless or defend the
City, its agents, employees and/or officers from any claims arising from
the sole negligence of the City, its agents, employees, and/or officers.
The Service Provider expressly agrees that the indemnification provided
herein constitutes the Service Provider’s limited waiver of immunity as an
employer under Utah Code Section 34A-2-105; provided, however, this
waiver shall apply only to the extent an employee of Service Provider
claims or recovers compensation from the City for a loss or injury that
Service Provider would be obligated to indemnify the City for under this
Agreement. This limited waiver has been mutually negotiated by the
Parties, and is expressly made effective only for the purposes of this
Agreement. The provisions of this section shall survive the expiration or
termination of this Agreement.
B. No liability shall attach to the City by reason of entering into this
Agreement except as expressly provided herein.
8. INSURANCE.
The Service Provider shall procure and maintain for the duration of the
Agreement, insurance against claims for injuries to persons or damage to
property which may arise from or in connection with the performance of the work
hereunder by the Service Provider, their agents, representatives, employees, or
subcontractors. The Service Provider shall provide a Certificate of Insurance
evidencing:
A. General Liability insurance written on an occurrence basis with limits no
less than One Million Dollars ($1,000,000) combined single limit per
occurrence and Three Million Dollars ($3,000,000) aggregate for personal
injury, bodily injury and property damage.
The Service Provider shall increase the limits of such insurance to at least
the amount of the Limitation of Judgments described in Section 63G-7-604
of the Governmental Immunity Act of Utah, as calculated by the state risk
manager every two years and stated in Utah Admin. Code R37-4-3.
B. Automobile Liability insurance with limits no less than Two Million Dollars
($2,000,000) combined single limit per accident for bodily injury and
property damage.
C. Professional Liability (Errors and Omissions) insurance with annual limits
no less than One Million Dollars ($1,000,000) per occurrence. If written on
a claims-made basis, the Service Provider warrants that the retroactive
date applicable to coverage precedes the effective date of this agreement;
and that continuous coverage will be maintained for an extended reporting
period and tail coverage will be purchased for a period of at least three (3)
years beginning from the time that work under this agreement is complete.
D. Workers Compensation insurance limits written as follows:
Bodily Injury by Accident Five Hundred Thousand Dollars ($500,000) each
accident; Bodily Injury by Disease Five Hundred Thousand Dollars
($500,000) each employee, Five Hundred Thousand Dollars ($500,000)
policy limit.
E. Data Breach and Privacy / Cyber Liability Insurance including coverage for
failure to protect confidential information and failure of the security of the
Service Provider’s computer systems or the City’s systems due to the
actions of the Service Provider which results in unauthorized access to the
City’s data. The limit applicable to this policy shall be no less than Five
Million Dollars ($5,000,000) per occurrence, and must apply to incidents related
to the Cyber Theft of the City’s property, including but not limited to money and
securities.
F. Technology Errors and Omissions Insurance with a limit of no less than
Five Million Dollars ($5,000,000) for damages arising from computer related
services including but not limited to the following:
Consulting;
Data Processing;
Programming;
System Integration;
Hardware or Software Development;
Installation;
Distribution or Maintenance;
Systems Analysis Or Design;
Training; and
Staffing or Other Support Services.
The policy shall include coverage for third party fidelity including cyber
theft and protect the City as “Additional Insured”. It is acceptable that the
Data Breach and Privacy / Cyber Liability Insurance and Technology
Errors and Omissions insurance be provided on the same policy. The
additional insured protection afforded the City must be on a primary and
non-contributory basis. All policies must include a waiver of subrogation in
favor of the City.
G. The City shall also be named as an additional insured on general liability
and auto liability insurance policies, with respect to work performed by or
on behalf of the Service Provider and a copy of the endorsement naming
the City as an additional insured shall be attached to the Certificate of
Insurance.
Should any of the above described policies be cancelled before the
expiration date thereof, Service Provider shall deliver notice to the City
within thirty (30) days of cancellation. The City reserves the right to
request certified copies of any required policies.
H. The Service Provider’s insurance shall contain a clause stating that
coverage shall apply separately to each insured against whom claim is
made or suit is brought, except with respect to the limits of the insurer’s
liability.
9. TREATMENT OF ASSETS.
Title to all property furnished by the City shall remain in the name of the City and
the City shall become the owner of the work product and other documents, if any,
prepared by the Service Provider pursuant to this Agreement (contingent on
City’s performance hereunder).
10. COMPLIANCE WITH LAWS AND WARRANTIES.
A. The Service Provider, in the performance of this Agreement, shall comply
with all applicable federal, state, and local laws and ordinances, including
regulations for licensing, certification and operation of facilities, programs
and accreditation, and licensing of individuals, and any other standards or
criteria as described in this Agreement to assure quality of services.
B. Unless otherwise exempt, the Service Provider is required to have a valid
Park City business license.
C. The Service Provider specifically agrees to pay any applicable fees or
charges which may be due on account of this Agreement.
D. If this Agreement is entered into for the physical performance of services
within Utah the Service Provider shall register and participate in E-Verify,
or equivalent program. The Service Provider agrees to verify employment
eligibility through E-Verify, or equivalent program, for each new employee
that is employed within Utah, unless exempted by Utah Code Ann. § 63G-12-302.
E. Service Provider shall be solely responsible to the City for the quality of all
services performed by its employees or sub-contractors under this
Agreement. Service Provider hereby warrants that the services
performed by its employees or sub-contractors will be performed
substantially in conformance with the standard of care observed by
similarly situated companies providing services under similar conditions.
11. NONDISCRIMINATION.
A. The City is an equal opportunity employer.
B. In the performance of this Agreement, Service Provider will not
discriminate against any qualified person in matters of compensation
and other terms, privileges, and conditions of employment because
of: race, color, religion, sex (including pregnancy, childbirth,
pregnancy-related conditions, breastfeeding, or medical conditions
related to breastfeeding), national origin, age (40 or older), disability,
genetic information, sexual orientation, gender identity, or protected
expressions. Service Provider shall take such action with respect to this
Agreement as may be required to ensure full compliance with local, State
and federal laws prohibiting discrimination in employment.
C. Service Provider will not discriminate against any recipient of any services
or benefits provided for in this Agreement on the grounds of race, color,
religion, sex (including pregnancy, childbirth, pregnancy-related
conditions, breastfeeding, or medical conditions related to
breastfeeding), national origin, age (40 or older), disability, genetic
information, sexual orientation, gender identity, or protected
expressions.
D. If any assignment or subcontracting has been authorized by the City, said
assignment or subcontract shall include appropriate safeguards against
discrimination. The Service Provider shall take such action as may be
required to ensure full compliance with the provisions in the immediately
preceding paragraphs herein.
12. ASSIGNMENTS/SUBCONTRACTING.
A. The Service Provider shall not assign its performance under this
Agreement or any portion of this Agreement without the written consent of
the City, and it is further agreed that said consent must be sought in
writing by the Service Provider not less than thirty (30) days prior to the
date of any proposed assignment. The City reserves the right to reject
without cause any such assignment. Any assignment made without the
prior express consent of the City, as required by this part, shall be deemed
null and void.
B. Any work or services assigned hereunder shall be subject to each
provision of this Agreement and proper bidding procedures where
applicable as set forth in local, state or federal statutes, ordinance and
guidelines.
C. Any technical/professional service subcontract not listed in this
Agreement, must have express advance approval by the City.
D. Each subcontractor that physically performs services within Utah shall
submit an affidavit to the Service Provider stating that the subcontractor
has used E-Verify, or equivalent program, to verify the employment status
of each new employee, unless exempted by Utah Code Ann. § 63G-12-302.
13. CHANGES.
Either party may request changes to the scope of services and performance to
be provided hereunder, however, no change or addition to this Agreement shall
be valid or binding upon either party unless such change or addition be in writing
and signed by both Parties. Such amendments shall be attached to and made
part of this Agreement.
14. PROHIBITED INTEREST, NO THIRD PARTY RIGHTS AND NO GRATUITY TO
CITY EMPLOYEES.
A. No member, officer, or employee of the City shall have any interest, direct or
indirect, in this Agreement or the proceeds thereof.
B. Nothing herein is intended to confer rights of any kind in any third party.
C. No City employee who has procurement decision making authority and
is engaged in the procurement process, or the process of administering a
contract may knowingly receive anything of value including but not limited
to gifts, meals, lodging or travel from anyone that is seeking or has a
contract with the City.
15. MODIFICATIONS TO TASKS AND MISCELLANEOUS PROVISIONS.
A. All work proposed by the Service Provider is based on current government
ordinances and fees in effect as of the date of this Agreement.
B. Any changes to current government ordinances and fees which affect the
scope or cost of the services proposed may be billed as an “extra”
pursuant to Paragraph 3(C), or deleted from the scope, at the option of the
City.
C. The City shall make provision for access to the property and/or project and
adjacent properties, if necessary for performing the services herein.
16. TERMINATION.
A. Either party may terminate this Agreement, in whole or in part, at any time,
by at least thirty (30) days' written notice to the other party. The Service
Provider shall be paid its costs, including contract close-out costs, and
profit on work performed up to the time of termination. The Service
Provider shall promptly submit a termination claim to the City. If the
Service Provider has any property in its possession belonging to the City,
the Service Provider will account for the same, and dispose of it in a
manner directed by the City.
B. If the Service Provider fails to perform in the manner called for in this
Agreement, or if the Service Provider fails to comply with any other
provisions of the Agreement and fails to correct such noncompliance
within three (3) days’ written notice thereof, the City may immediately
terminate this Agreement for cause. Termination shall be effected by
serving a notice of termination on the Service Provider setting forth the
manner in which the Service Provider is in default. The Service Provider
will only be paid for services performed in accordance with the manner of
performance set forth in this Agreement.
17. NOTICE.
Notice provided for in this Agreement shall be sent by certified mail to the
addresses designated for the Parties on the last page of this Agreement. Notice
is effective upon the date it was sent, except that a notice of termination pursuant
to paragraph 16 is effective upon receipt. All reference to “days” in this
Agreement shall mean calendar days.
18. ATTORNEYS FEES AND COSTS.
If any legal proceeding is brought for the enforcement of this Agreement, or
because of a dispute, breach, default, or misrepresentation in connection with
any of the provisions of this Agreement, the prevailing party shall be entitled to
recover from the other party, in addition to any other relief to which such party
may be entitled, reasonable attorney’s fees and other costs incurred in
connection with that action or proceeding.
19. JURISDICTION AND VENUE.
A. This Agreement has been and shall be construed as having been made
and delivered within the State of Utah, and it is agreed by each party
hereto that this Agreement shall be governed by laws of the State of Utah,
both as to interpretation and performance.
B. Any action of law, suit in equity, or judicial proceeding for the enforcement
of this Agreement, or any provisions thereof, shall be instituted and
maintained only in any of the courts of competent jurisdiction in Summit
County, Utah.
20. SEVERABILITY AND NON-WAIVER.
A. If, for any reason, any part, term, or provision of this Agreement is held by
a court of the United States to be illegal, void or unenforceable, the validity
of the remaining provisions shall not be affected, and the rights and
obligations of the Parties shall be construed and enforced as if the
Agreement did not contain the particular provision held to be invalid.
B. If it should appear that any provision hereof is in conflict with any statutory
provision of the State of Utah, said provision which may conflict therewith
shall be deemed inoperative and null and void insofar as it may be in
conflict therewith, and shall be deemed modified to conform to such
statutory provisions.
C. It is agreed by the Parties that the forgiveness of the non-performance of
any provision of this Agreement does not constitute a subsequent waiver
of the provisions of this Agreement. No waiver shall be effective unless it
is in writing and signed by an authorized representative of the waiving
party.
21. ENTIRE AGREEMENT.
The Parties agree that this Agreement is the complete expression of the terms
hereto and any oral representations or understandings not incorporated herein
are excluded. Further, any modification of this Agreement shall be in writing and
signed by both Parties. Failure to comply with any of the provisions stated herein
shall constitute material breach of contract and cause for termination. Both
Parties recognize time is of the essence in the performance of the provisions of
this Agreement.
IN WITNESS WHEREOF the Parties hereto have caused this Agreement to be
executed the day and year first hereinabove written.
PARK CITY MUNICIPAL CORPORATION
445 Marsac Avenue
Post Office Box 1480
Park City, UT 84060-1480
________________________________
Diane Foster, City Manager
Attest:
___________________________
City Recorder’s Office
Approved as to form:
___________________________
City Attorney’s Office
SERVICE PROVIDER NAME
Address:
Address:
City, State, Zip:
Tax ID#: _________________________
PC Business License# BL_____________
__________________________________
Signature
__________________________________
Printed name
__________________________________
Title
STATE OF UTAH )
) ss.
COUNTY OF SUMMIT )
On this ____ day of ________________, 20__, personally appeared before me
_____________________________, whose identity is personally known to me/or
proved to me on the basis of satisfactory evidence and who by me duly sworn/affirmed,
did say that he/she is the _________________________ (title or office) of
__________________________________, a ___________________________ corporation (or
limited liability company), by authority of its Bylaws/Resolution of the Board of Directors
(if as to a corporation) or Member Resolution (if as to a limited liability company), and
acknowledged that he/she signed it voluntarily for its stated purpose as
_______________________ (title) for _______________________________, a
_______________ corporation (or limited liability company).
__________________________________
Notary Public
EXHIBIT “A”
SCOPE OF SERVICES
EXHIBIT “B”
Technology Support, Infrastructure & Security
1. Definitions
“City Data” / “information” is any data provided, shared, created or managed by the City.
“Service Provider” is the contract holder that manages employees, contractors or
affiliates having access to PCMC infrastructure or data for specific defined purpose.
“Process, Processed, or Processing” means any operation or set of operations
performed upon City Data, whether or not by automatic means, such as creating,
collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting,
altering, retrieving, consulting, using, disclosing or destroying the data.
"Data Masking" is the process of modifying records to conceal City Data, especially when
such records are copied from a production environment to a non-production
environment.
“The Information Technology Department” is responsible for the administration of this
policy. If you have any questions regarding this policy, please contact the Information
Technology Department 435-615-5123, 5123@parkcity.org.
“Service Provider’s Third Party Security Auditor” is defined as a third party organization
which provides security audits of Service Provider’s Information Processing Systems.
“Provider” is defined as any company supplying a service for Service Provider’s
Information Processing System (such as a Data Center, Managed Service, or Data
Circuit).
“Security Breach” is defined as an unauthorized access to Service Provider’s software
or Data Center facilities, Information Processing Systems or networks used to service,
store, or access City Data.
“Sensitive Information” is defined as any Personally Identifiable Information or any
information not publicly available (i.e. – clients, passwords, financial information,
employee information, schedules, technology infrastructure, closed reports, draft notes,
etc.).
“Written Request of the City” is defined as a request received by Service Provider by a
City on official letterhead signed by an officer of the City.
2. Information Classification
Classification is used to promote proper controls for safeguarding the confidentiality of
information. Regardless of classification the integrity and accuracy of all classifications
of information must be protected. The classification assigned and the related controls
applied are dependent on the sensitivity of the information. Information must be
classified according to the most sensitive detail it includes. Information recorded in
several formats (e.g., source document, electronic record, report) must have the same
classification regardless of format. The following levels are to be used when classifying
information:
3. Internal Information
Internal Information is intended for unrestricted use within PCMC, and in some
cases within affiliated organizations such as Service Provider business partners for
non-sales purposes. This type of information is already widely-distributed within PCMC, or it
could be so distributed within the organization without advance permission from the
information owner. Examples of Internal Information may include: personnel directories,
internal policies and procedures, most internal electronic mail messages.
Any information not explicitly classified as Sensitive Information, PII or Public will, by
default, be classified as Internal Information.
Unauthorized disclosure of this information is not permitted.
4. Public Information
Public Information has been specifically approved for public release by a designated
authority within each entity of Service Provider. Examples of Public Information may
include material posted to approved public internet web pages.
This information may be disclosed outside of Service Provider.
5. Security Policy
Formal Security Policy. Consistent with the requirement of this Document, Service
Provider will create and provide to City an information security policy that is approved by
Service Provider’s management, published and communicated and agreed to be
adhered to by all Service Provider’s employees, contractors and affiliates.
Security Policy Review. Service Provider will review the information security policy at
planned intervals or if significant changes occur to ensure its continuing suitability,
adequacy, and effectiveness and may revise such policy, from time to time. Changes
resulting in a lower standard of security or service must be agreed to by PCMC prior to
adoption.
6. Asset Management.
Acceptable Use. Service Provider will implement policies and procedures for the
acceptable use of information and assets which is no less restrictive than industry best
practice for the classification of such Information and consistent with the requirements
of this Document.
Equipment Use While on City Premises. While on City’s premises, Service Provider will
not connect hardware (physically or via a wireless connection) to City internal systems
or networks unless necessary for Service Provider to perform Processing under this
Document. This hardware is subject to inspection and/or scanning by the PCMC IT
Department, directly or by automated means, before use.
Personally-owned Equipment: Sensitive Information, with the exception of Business
Contact Information, may not be stored on any employee owned equipment.
7. Human Resources Security
Removal of Access Rights. The access rights of all Service Provider employees to
Service Provider Information Processing Systems or media containing Sensitive
Information will be removed immediately upon termination of their employment, contract
or agreement, or adjusted upon change.
8. Physical and Environmental Security.
Secure Areas. Service Provider will secure all areas, including loading docks, holding
areas, telecommunications areas, cabling areas and off-site areas that contain
Information Processing Systems or media containing information by the use of
appropriate security controls in order to ensure that only authorized personnel are
allowed access and to prevent damage and interference. The following controls will be
implemented:
Visitors to secure areas will be supervised.
9. Geographic Data Centers
Service Provider’s data centers are geographically distributed and employ a variety of
physical security measures. The technology and security mechanisms used in these
facilities may vary depending on local conditions such as building location and regional
risks. The standard physical security controls implemented at each Service Provider
data center include the following: custom designed electronic card access control
systems, alarm systems, interior and exterior cameras, and security guards. Areas
where systems, or system components, are installed or stored are segregated
from general office and public areas such as lobbies. The areas are centrally monitored
for suspicious activity, and the facilities are routinely patrolled by security guards.
10. Environmental Security
Service Provider will protect equipment from power failures and other disruptions
caused by failures in supporting utilities. To minimize service interruption due to
hardware failure, natural disaster, or other catastrophe, Service Provider implements a
disaster recovery program at all of its data centers. This program includes multiple
components to minimize the risk of any single point of failure.
11. Role Based Access
Service Provider restricts access to its data centers based on role, not position. As a
result, most senior executives at Service Provider do not have access to Service
Provider data centers.
12. Communications and Operations Management.
Protections Against Malicious Code. Service Provider will implement detection,
prevention, and recovery controls to protect against malicious software, which is no less
than current industry best practice and perform appropriate employee training on the
prevention and detection of malicious software.
Back-ups. Service Provider will perform appropriate back-ups of Service Provider
Information Processing Systems and media containing City Data every business day
with an end-of-month copy stored for 1 year in order to ensure the services and service levels
described in this Document. Service Provider maintains a plan for responding to a
system emergency or other occurrence (for example, fire, vandalism, system failure and
natural disaster) that damages systems that contain Sensitive Information and Internal
Information.
Media Handling. Service Provider will protect against unauthorized access or misuse of
City Data contained on media.
Media and Information Disposal. Service Provider will securely and safely dispose of
media containing Sensitive Information:
Maintaining a secured disposal log that provides an audit trail of disposal activities.
13. Exchange of Information
To protect confidentiality and integrity of Sensitive Information in transit, Service
Provider will:
Perform an inventory, analysis, and risk assessment of all data exchange channels
(including, but not limited to, SFTP, HTTP, HTTPS, SMTP, modem and fax) to identify
and mitigate risks to Sensitive Information from these channels.
Monitor and inspect all data exchange channels to detect unauthorized information
releases.
Ensure that appropriate security controls using approved data exchange channels are
employed when exchanging Sensitive Information.
14. Monitoring
To protect against unauthorized access or misuse of Sensitive Information residing on
Service Provider Information Processing Systems, Service Provider will:
Employ current industry best practice security controls and tools to monitor Information
Processing Systems and log user activities, exceptions, unauthorized information
processing activities, suspicious activities and information security events. Logging
facilities and log information will be protected against tampering and unauthorized
access. Logs will be kept for at least 180 days.
Perform frequent reviews of logs and take necessary actions to protect against
unauthorized access and implement policy and infrastructure as needed.
At Written Request of the City, make logs available to City to assist in investigations.
Ensure that the time clocks of all relevant Information Processing Systems are
synchronized using a national or international time source.
Ensure common configuration and patch management information is maintained.
Based on the periodic assessment, measures will be implemented that reduce the
impact of the threats by reducing the amount and scope of the vulnerabilities.
15. Access Control
User Access Management. To protect against unauthorized access or misuse of
Sensitive Information, Service Provider will:
Employ a formal user registration and de-registration procedure for
granting and revoking access and access rights to all Service Provider Information
Processing Systems.
Employ a formal password management process using authentication and
authorization controls that are designed to protect against unauthorized access.
Perform recurring reviews of Service Provider employees’ access and access rights to
ensure that they are appropriate for the users’ role.
16. User Responsibilities
To protect against unauthorized access or misuse of Sensitive Information residing on
Service Provider Information Processing Systems, Service Provider will:
Ensure that Service Provider Information Processing Systems users follow current
security practices in the selection and use of sufficiently strong passwords.
Ensure that unattended equipment has appropriate protection to prohibit access and
use by unauthorized individuals.
Ensure that Sensitive Information contained at employee workstations, including but not
limited to paper and media display screens, is protected from unauthorized access
and/or utilizes Data Masking.
17. Network Access Control
Access to internal, external and public network services that allow access to Service
Provider Information Processing Systems shall be controlled. Service Provider will:
Ensure that current industry best practice standard authentication mechanisms for
network users and equipment are in place and updated as necessary.
Ensure electronic perimeter controls are in place to protect Service Provider Information
Processing Systems from unauthorized access.
Ensure sufficient authentication methods are used to control access by remote users.
Ensure physical and logical access to diagnostic and configuration ports is controlled.
18. Operating System Access Control
To protect against unauthorized access or misuse of Sensitive Information residing on
Service Provider Information Processing Systems, Service Provider will:
Ensure that access to operating systems is controlled by a secure log-on
procedure and limited to role based necessity.
Ensure that Service Provider Information Processing System users have a unique
identifier (user ID). This account is used to identify each person’s activity on Service
Provider’s Information Processing Systems network, including any access to employee
or City data.
Ensure that the use of utility programs that are capable of overriding system and
application controls is highly restricted and tightly controlled, with access limited to
those employees whose specific job function requires such access.
Ensure that inactive sessions are automatically terminated when technically possible
after a defined period of inactivity.
Employ idle time-based restrictions on connection times when technically
possible to provide additional security for high risk applications.
Ensure that current industry best practice standard authentication mechanisms for
wireless network users and equipment are in place and updated as necessary.
Ensure authentication methods are used to control access by remote users, with unique
User Identifiers.
19. Information Systems Acquisition, Development and Maintenance
Security of System Files. To protect City Information Processing Systems and system
files containing information, Service Provider will ensure that access to source code is
restricted to authorized users whose specific job function necessitates such access.
Security in Development and Support Processes. To protect City Information
Processing Systems and system files containing Sensitive Information, Service Provider
will:
Employ industry best practice security controls to minimize information dissemination.
Employ oversight quality controls and security management of outsourced software
development.
Employ regular code reviews covering security vulnerabilities, including but not limited
to buffer overflow, SQL injection, input validation, and commonly used vector attacks.
20. Information Security Incident Management
Reporting Information Security Events and Weaknesses. To protect City Information
Processing Systems and system files containing information, Service Provider will:
Implement a process to ensure that Information Security Events and Security Breaches
are reported through appropriate management channels as quickly as possible.
Train all employees, contractors, users of information systems and services regarding
the report of any observed or suspected Information Security Events and Security
Breaches.
Notify City by email or phone as soon as possible of all Information Security Events and
Security Breaches. Following any such event or breach, Service Provider will promptly
notify City whether or not Sensitive Information was compromised or released to
unauthorized parties, the data affected and/or the details of the event or breach.
21. Business Continuity Management
Business Continuity Management Program. To ensure services and service levels
described in this Document, Service Provider will:
Develop and maintain a process for business continuity throughout the organization that
addresses the information security requirements needed for Service Provider’s and its
Providers’ business continuity so that the provision of products and/or services provided
is uninterrupted.
Maintain efforts to identify events that may cause interruptions to business processes,
along with the probability and impact of such interruptions and the consequences for
information security.
Develop and implement plans to maintain or restore operations and ensure availability
of information at the required level and in the required time scales following interruption
to, or failure of, critical business processes and provide City a copy of the same upon
Written Request of the City.
Disaster Recovery. Service Provider has appropriate and reasonable disaster recovery
measures in place designed to prevent any interruptions in Service to the City. Service
Provider has established disaster contingency plans governing processes following a
breach incident, which in particular address the following issues: (i) safety of personnel
and third parties, (ii) losses of communications capability (e.g., voice, fax, data), (iii) loss
of computer processing capabilities, and (iv) loss of access to physical office facilities.
22. Security Assessments
Initial and Recurring Security Assessments. Service Provider’s Third-Party Security
Auditor shall perform weekly static scans, monthly dynamic scans, and annual
penetration testing. The results of these audits are available to Service Provider and the
City with execution of a Confidentiality Agreement with Service Provider.
EXHIBIT “C”
PAYMENT SCHEDULE FOR “EXTRA” WORK