Notice of Contract Purchase Agreement

Notice of Contract Purchase Agreement

State Of Rhode Island and Providence PlantationsDepartment of AdministrationDivision of PurchasesOne Capitol HillProvidence, RI 02908-5860

INVOICE TO The State of Rhode Island accepts electronic invoices via its supplier portal. To register and submit electronic invoices, visit the supplier portal at http://controller.admin.ri.gov/iSupplier/isup/index.php

To submit paper invoices, mail to: Department of Administration Controller, One Capitol Hill, 4th Floor, Providence 02908.

of 6

V E N D O R

CARAHSOFT TECHNOLOGY CORPORATION11493 SUNSET HILLS RDRESTON, VA 20190United States

CLOUD SOLUTION SERVICES Award Number 3673594

Revision Number 0 Effective Period -

Approved PO Date 04-APR-2020 Vendor Number 45132

S H I P T O

DOA - ENTERPRISE OPERATIONS CENTER50 SERVICE AVENUEWARWICK, RI 02886United States

Type of Requisition SINGLE / SOLE SOURCE

Requisition Number 1655437 Change Order

Requisition Number

Solicitation Number

Freight Paid Payment Terms NET 30

Buyer

- - Vittorioso,

Dawn Requester Name

Work Telephone

This Purchase Order is issued pursuant to and in accordance with the terms and conditions of the solicitation and applicable federal, state, and local law, including the State of Rhode Island's purchasing regulations, available at www.purchasing.ri.gov.

CLOUD SOLUTION SERVICES AS DESCRIBED IN ATTACHED ADDENDUM F AND STATEMENT OF WORK THIS IS A NO COST CONTRACT FOR THE PERIOD OF 4/3/2020 - 9/30/2020 WITH AN OPTION TO RENEW FOR THE PERIOD OF 10/1/2020 - 12/31/2020

AWARD BASED ON NASPO CLOUD SERVICES MASTER PRICE AGREEMENT CONTRACT #2472

VENDOR CONTACT: BETHANY BLACKWELL 703-230-7435TYLER MILLER 703-673-3551 [email protected]

AGENCY CONTACT: AKSHAR PATEL 401-222-5960

Reference Documents: Carahsoft - RIDOH - Addendum

State of Rhode Island Contract Purchase Agreement 3673594, 0

INVOICE TO The State of Rhode Island accepts electronic invoices via its supplier portal. To register and submit electronic invoices, visit the supplier portal at http://controller.admin.ri.gov/iSupplier/isup/index.php

To submit paper invoices, mail to: Department of Administration Controller, One Capitol Hill, 4th Floor, Providence 02908.

of 6

F_422020 FINAL (1).pdfAddendum E - Carahsoft-SFDC BAA (RI as Customer) 442020 APR 4 - SIGNED.pdf

State of Rhode Island Contract Purchase Agreement 3673594,0

of 6

Contract Terms and Conditions

Table of Contents

Terms and Conditions......................................................................................................................................................4PURCHASE ORDER STANDARD TERMS AND CONDITIONS ....................................................................4

TERMS AND CONDITIONS FOR THIS PURCHASE ORDER .................................................................4TERMS AND CONDITIONS OF PRICING AGREEMENT .......................................................................4CAMPAIGN FINANCE COMPLIANCE ......................................................................................................5FISCAL YEAR - AWARD EXTENDING PAST FISCAL YR END ...........................................................5INSURANCE REQUIREMENTS ..................................................................................................................6


of 6

Terms and Conditions

PURCHASE ORDER STANDARD TERMS AND CONDITIONS

TERMS AND CONDITIONS FOR THIS PURCHASE ORDER

TERMS AND CONDITIONS OF PRICING AGREEMENT

SCOPE AND LIMITATIONS - This Agreement covers requirements as described herein, ordered by Stateagencies during the Agreement Period. No additional or alternative requirements are covered, unless addedto the Agreement by formal amendment by the State Purchasing Agent or his designee.

Under State Purchasing Law, 37-2-54, no purchase or contract shall be binding on the state or any agency thereofunless approved by the department [of administration] or made under general regulations which the chief purchasingofficer may prescribe. Under State Purchasing Regulation 8.2.1.1.2, any alleged oral agreement or arrangementsmade by a bidder or contractor with any agency or an employee of the Office of Purchases may be disregarded andshall not be binding on the state.

PRODUCT ACCEPTANCE - All merchandise offered or otherwise provided shall be new, of prime manufacture,and of first quality unless otherwise specified by the State. The State reserves the right to reject all nonconforminggoods, and to cause their return for credit or replacement, at the State's option.

a) Failure by the state to discover latent defect(s) or concealed damage or non-conformance shall not foreclosethe State's right to subsequently reject the goods in question.

b) Formal or informal acceptance by the State of non-conforming goods shall not constitute a precedent forsuccessive receipts or procurements.

Where the vendor fails to cure the defect promptly or replace the goods, the State reserves the right to cancel theRelease, contract with a different vendor, and to invoice the original vendor for any differential in price over theoriginal contract price.

ORDER AUTHORIZATION AND RELEASE AGAINST PRICING AGREEMENT

In no event shall the Vendor deliver goods or provide service until such time as a duly authorized releasedocument is certified by the ordering Agency.

State Agencies shall request release as follows: All releases shall reference the Price Agreement number, theContract Issue number, the item(s) covered, and the unit pricing in the same format as described herein.

A Department Purchase Order (DPO) listing the items ordered shall be created by the agency. The agency maymail or fax a copy of the order to the Vendor. In some cases the agency may request delivery by telephone, but mustprovide the Vendor with a DPO Order Number reference for billing purposes. Vendors are encouraged to requirewritten orders to assure payments are processed accurately and promptly.

DELIVERY If this is an MPA, Vendor will obtain "ship to" information from each participating agency. Thisinformation will be contained in the DPO. APA delivery information will be contained in the Notice of Award.

PRICING - All pricing shall be as described herein, and is considered to be fixed and firm for the term of theAgreement, unless specifically noted to the contrary herein. All prices include prepaid freight. Freight, taxes,surcharges, or other additional charges will not be honored unless reflected herein.


of 6

INVOICING All invoices shall reference the DPO Order Number(s), Price Agreement number, the ContractIssue number, the item(s) covered, and the unit pricing in the same format as described herein. If this is an MPA,Vendor will obtain "bill to" information from each participating agency. This information will be contained in theDPO. APA billing information will be contained in the Notice of Award.

PAYMENT - Invoices for items not received, not priced according to contract or for work not yet performed willnot be honored. No payment will be processed to any vendor for whom there is no IRS W-9 on file with the StateController.

CAMPAIGN FINANCE COMPLIANCE

CAMPAIGN FINANCE: In accordance with RI General Law 17-27-2, Every person or business entity providinggoods or services of $5,000 or more, and has in the preceding 24 months, contributed an aggregate amount in excessof $250 within a calendar year to any general officer, or candidate for general office, any member, or candidate forgeneral assembly, or political party, is required to electronically file an affidavit regarding political contributions at: https://secure.ricampaignfinance.com/RhodeIslandCF/Public/VendorAffidavit.aspx

ARRA SUPPLEMENTAL TERMS AND CONDITIONS

For contracts and sub-awards funded in whole or in part by the American Recovery and Reinvestment Act of 2009.Pub.L.No. 111-5 and any amendments thereto, such contracts and sub-awards shall be subject to the SupplementalTerms and Conditions For Contracts and Sub-awards Funded in Whole or in Part by the American Recovery andReinvestment Act of 2009. Pub.L.No. 111-5 and any amendments thereto located on the Division of Purchaseswebsite at www.purchasing.ri.gov.

DIVESTITURE OF INVESTMENTS IN IRAN REQUIREMENT:

No vendor engaged in investment activities in Iran as described in R.I. Gen. Laws §37-2.5-2(b) may submit a bidproposal to, or renew a contract with, the Division of Purchases. Each vendor submitting a bid proposal or enteringinto a renewal of a contract is required to certify that the vendor does not appear on the list maintained by theGeneral Treasurer pursuant to R.I. Gen. Laws §37-2.5-3.

For all Purchase Orders issued on behalf of the University of Rhode Island, Community College of Rhode Island,and Rhode Island College, vendors will receive a confirming order from the respective entity prior to proceeding.

MASTER PRICE AGREEMENT CONTRACT ADMINISTRATIVE FEE

In 2017 the General Assembly amended the "State Purchases Act", R. I. Gen. Laws § 37-2-12 (b) to authorize theChief Purchasing Officer to establish, charge and collect from vendors listed on master price agreements ("MPA") acontract administrative fee not to exceed one percent (1%) of the total value of the annual spend against their MPAcontracts. All contract administrative fees collected from MPA vendors shall be deposited into a restricted receiptaccount which shall be used for the purposes of implementing and maintaining an online eProcurement system andother costs related to State procurement. In accordance with this legislative initiative the Division of Purchases isupgrading the State procurement system through the purchase and installation of an eProcurement system.

The contract administrative fee shall be applicable to all purchase orders issued relative to State MPA contracts.Therefore, effective January 1, 2020 all MPA contracts shall be assessed the 1% contract administrative fee.

FISCAL YEAR - AWARD EXTENDING PAST FISCAL YR END


of 6

AWARDS EXTENDING BEYOND JUNE 30TH ARE SUBJECT TO AVAILABILITY OF FUNDS.CONTINUATION OF THE CONTRACT BEYOND THE INITIAL FISCAL YEAR WILL BE AT THEDISCRETION OF THE STATE. TERMINATION MAY BE EFFECTED BY THE STATE BASED UPONDETERMINING FACTORS SUCH AS UNSATISFACTORY PERFORMANCE OR THE DETERMINATIONBY THE STATE TO DISCONTINUE THE GOODS/SERVICES, OR TO REVISE THE SCOPE AND NEED FORTHE TYPE OF GOODS/SERVICES; ALSO MANAGEMENT OWNER DETERMINATIONS THAT MAYPRECLUDE THE NEED FOR GOODS/SERVICES.

INSURANCE REQUIREMENTS

AN INSURANCE CERTIFICATE IN COMPLIANCE WITH PROVISIONS OF ITEM 31 (INSURANCE) OFTHE GENERAL CONDITIONS OF PURCHASE IS REQUIRED FOR COMPREHENSIVE GENERALLIABILITY, AUTOMOBILE LIABILITY, AND WORKERS' COMPENSATION AND MUST BE SUBMITTEDBY THE SUCCESSFUL BIDDER(S) TO THE DIVISION OF PURCHASES PRIOR TO AWARD. THEINSURANCE CERTIFICATE MUST NAME THE STATE OF RHODE ISLAND AS CERTIFICATE HOLDERAND AS AN ADDITIONAL INSURED. FAILURE TO COMPLY WITH THESE PROVISIONS MAY RESULTIN REJECTION OF THE OFFEROR'S BID. ANNUAL RENEWAL CERTIFICATES MUST BE SUBMITTEDTO THE AGENCY IDENTIFIED ON THE PURCHASE ORDER. FAILURE TO DO SO MAY BE GROUNDSFOR CANCELLATION OF CONTRACT.

NOTE: IF THIS BID COVERS CONSTRUCTION, SCHOOL BUSING, HAZARDOUS WASTE, OR VESSELOPERATION, APPLICABLE COVERAGES FROM THE FOLLOWING LIST MUST ALSO BE SUBMITTEDTO THE DIVISION OF PURCHASES PRIOR TO AWARD: * PROFESSIONAL LIABILITY INSURANCE(AKA ERRORS & OMISSIONS) - $1 MILLION OR 5% OF ESTIMATED PROJECT COST, WHICHEVER ISGREATER. * BUILDER'S RISK INSURANCE - COVERAGE EQUAL TO FACE AMOUNT OF CONTRACTFOR CONSTRUCTION. * SCHOOL BUSING - AUTO LIABILITY COVERAGE IN THE AMOUNT OF $5MILLION. * ENVIRONMENTAL IMPAIRMENT (AKA POLLUTION CONTROL) - $1 MILLION OR 5% OFFACE AMOUNT OF CONTRACT, WHICHEVER IS GREATER. * VESSEL OPERATION - (MARINE ORAIRCRAFT) - PROTECTION & INDEMNITY COVERAGE REQUIRED IN THE AMOUNT OF $1 MILLION.

1

GC Addendum F – Supplemental Terms and Conditions

Name of Contractor: CARAHSOFT TECHNOLOGY CORP.

Title of Agreement: State of RI COVID Response Management Project Implementation and Support

Basis for Contract: Sole Source Contract

Contract Award: $0

Performance Period: [4/3/20] through [9/30/20] (the "Period"). An extension may be granted for [10/1/20] through [12/31/20]

2

This Addendum to the State’s General Conditions of Purchase (220-RICR-30-00-13 available at https://rules.sos.ri.gov/regulations/part/220-30-00-13), supplements and serves as additional terms and conditions to the General Conditions of Purchase (“General Conditions”). The General Conditions, along with the items incorporated by reference in 220-RICR-30-00-13.4, including this Addendum, serves as the “Agreement” between the parties. Under the General Conditions of Purchase, 220-RICR-30-00-13.34, this Agreement serves as GC Addendum F. The Contractor further agrees as follows:

WHEREAS, on March 31, 2020, Rhode Island executed a Third Addendum to its Participating Addendum with the National Association of State Procurement Officials (NASPO) ValuePoint Cloud contractors for contracting services under Master Agreement No. 2472; and

WHEREAS, this Agreement is executed between the Rhode Island Department of Health (the “State”) and Carahsoft Technology Corp. (the “Contractor” ) (collectively the “Parties”) to provide Cloud Solution Services to support a statewide system for ubiquitous testing, contact tracing, and effective quarantining with respect to C)ovid-19; and

WHEREAS, the Contractor shall provide the Cloud Solution Services as described above for a term commencing on [4/3/20] and ending on [9/30/20]. An extension may be granted for [10/1/20] through [12/31/20] and is further described herein; and

WHEREAS, the Contractor shall perform all duties and responsibilities contained in the Scope of Work (Exhibit A) and adhere to the agreed upon budget (Exhibit B).

NOW THEREFORE, the Parties to the Agreement, for good and valuable consideration, the receipt of which is hereby acknowledged, agree as follows:

PAR. 1. GOVERNING LAW AND GENERAL TERMS AND CONDITIONS

The State’s Purchasing Law (Chapter 37-2 of the Rhode Island General Laws) and Rhode Island Department of Administration, Division of Purchases, Purchasing Rules, Regulations, and General Conditions of Purchase apply as the governing terms and conditions of this Agreement, which can be obtained at https://rules.sos.ri.gov/regulations/part/220-30-00-13. In addition, the provisions of Federal Laws, Regulations and Procedures governing the implementation of federal funds apply to this Agreement.

PAR. 2. PERFORMANCE

In addition to the obligations stated in 220-RICR-30-00-13.22, the Contractor shall perform all obligations, duties, and work for the performance period under this Agreement. Said duties and responsibilities are contained in the Scope of Work in Exhibit A and Budget in Exhibit B. The State shall have the right at all times, to review the work being performed and to that end, the State shall be given reasonable access to all

https://rules.sos.ri.gov/regulations/part/220-30-00-13

https://rules.sos.ri.gov/regulations/part/220-30-00-13

3

activities related to this Agreement.

In connection with the duties and responsibilities set forth in Exhibits A and B, the parties further agree that they shall work cooperatively to ensure the most reasonable and efficient means for the Contractor to fulfill the duties and requirements pursuant to this Agreement.

PAR. 3. TIME OF PERFORMANCE

Subject to the provisions of 220-RICR-30-00-13.7, the Contractor shall commence performance of this Agreement on 4/3/2020 and shall complete performance no later than September 30, 2020, unless terminated prior to that day by other provisions of this Agreement. The Parties may elect to extend the Agreement for an optional six (6) month term at the discretion of the State.

PAR. 4. CONTRACT MANAGER - STATE

The State shall appoint a Contract Manager to manage this Agreement. The Contractor agrees to maintain close and continuing communication with the Contract Manager throughout the performance of work and services undertaken under the terms of this Agreement. The Contract Manager is responsible for seeking authorization of all payments made by the State to the Contractor under this Agreement. No work shall be commenced on the part of the Contractor without a valid Purchase Order issued by the Department of Administration, Division of Purchases.

PAR. 5. CONTRACTOR

The Contractor shall be responsible for coordinating and reporting work performed pursuant to this Agreement subject to and in accordance with the Scope of Work in Exhibit A and within the Budget in Exhibit B.. The Contractor shall notify the State in writing immediately and seek approval from the State, should a change to this Agreement be necessary in the opinion of the Contractor. Under no circumstances will a change be undertaken without the prior written approval of the State.

PAR. 6. WORK REVIEWS

The Contractor recognizes the responsibilities of the State to provide financial oversight of its contractors and consultants and agrees that the scope of all work performed under this Agreement may be reviewed by the State and/or its designee and/or by any third party designated by the State, for the purpose of verifying hours, costs, and expenses, and to ensure that they are in conformance with state and federal laws, regulations and policies or for any other reason in the sole discretion of the State.

PAR. 7. BUDGET

4

The Budget is contained in Exhibit B.

PAR. 8. METHOD OF PAYMENT AND REPORTS

The Contractor shall submit written detailed invoices to the State monthly within 15 days of the last day of the month of service. Contractor's bills shall delineate for which state department or agency the work was associated and the hours spent on said work and shall include all appropriate documentation, receipts and any other relevant information. The Contractor will work with the State to develop a mutually agreeable approach for reporting activities, work product, deliverables and/or outcomes resulting from execution of the Scope of Work in Exhibit A. The State shall make timely payments to the Contractor in accordance with the provisions of R. I. Gen. Laws § 42- 11.1-1 et. seq and in accordance with provisions of 220-RICR-30-00-13.13. Payments to the Contractor are to be made within thirty ( 30) working days of receipt of any invoice by the Contractor pursuant to R. I. Gen. Laws § 42-l 1.1-3(a).

PAR. 9. RESPONSIBILITIES UPON TERMINATION AND/OR DEFAULT OF AGREEMENT

Upon termination and/or default in accordance with 220-RICR-30-00-13.20 and the delivery to the Contractor of a notice of termination, specifying the nature of the termination, the extent to which performance of work under this contract is terminated, and the date upon which such termination becomes effective, the Contractor shall:

1. Stop work under this Agreement on the date and to the extent specified in the notice oftermination.

2. Take such action as may be necessary, or as the State's Contract Manager may reasonably direct, for the protection and preservation of the property related to this Agreement, which is in the possession of the Contractor and in which the State has or may acquire an interest.

3. Terminate all orders to the extent that they relate to the performance of work terminated by the notice of termination.

4. Subject to the provisions of this paragraph, assign to the State in the manner and to the extent directed by the State's Contract Manager all of the rights, title, and interest of the Contractor under the orders so terminated, in which case the Executive Office shall have the right, at its discretion, to settle or pay any or all claims arising out of the termination of such orders, however, notwithstanding this provision, the Contractor will not be obligated to assign any such rights, title or interest in the absence of payment therefore by the State.

5. With the approval or ratification of the State's Contract Manager, initiate

5

settlement of all outstanding liabilities and all claims, arising out of such termination of orders, the cost of which would be reimbursable in whole or in part, in accordance with the provisions of this contract. Prior to a final settlement of said outstanding liabilities and claims arising out of such termination, final written approval of the State's project manager must be obtained. Final approval by the State shall not be unreasonably withheld.

6. Subject to the provisions of this paragraph, transfer title, or if the Contractor does not have title, then transfer their rights to the State (to the extent that title has not already been transferred) and deliver in the manner, at reasonable times, and to the extent reasonably directed by the State's project manager all files, processing systems, data manuals, or other documentation, in any form, that relate to all the work completed or in progress prior to the notice of termination.

7. If instructed, complete the performance of such part of the work as shall not have been terminated by the notice of termination. The Contractor shall proceed immediately with the performance of the above obligations notwithstanding any delay in determining or adjusting the amount of any item of reimbursable price under thisclause.

8. Upon termination, Contractor agrees to an orderly transition in accordance with 220-RICR-30-00-13.30. Prior to the end of the Termination and up to sixty (60) days thereafter, the Contractor agrees to make an orderly transition of contract and/or deliverables hereunder and to perform any and all tasks in good faith that are necessary to preserve the integrity of the work performed by the Contractor on behalf of the State. Upon termination or expiration of the Agreement, the Contractor, shall, if requested by the State at least thirty (30) days prior to such termination or expiration, provide reasonable training for the successor entity and/or continued performance of services. For providing such training or continued performance after the Term of the Agreement, the State shall pay the Contractor at mutually agreed rates for personnel used in providing such training and/or services unless services delivered are already defined herein and rates established then such rates shall apply for such period. Should any missing data, materials, documents, etc., be discovered after expiration or termination, a grace period of one hundred and twenty (120) days shall be in effect during which the data, materials, documents, etc., is to be provided at a predetermined cost or at no additional cost if the Contractor caused the loss. Lost data shall be provided to the State in form acceptable to the State.

PAR. 10. ACCESSIBILITY AND RETENTION OFRECORDS

The Contractor agrees to make accessible and to maintain all records and supporting documentation that directly pertain to the performance of this Agreement (whether paper, electronic, or other media) for a minimum of ten (10) years after final payment, unless a longer period of records retention is stipulated (45 CFR § 155.1210). This accessibility requirement shall include the right to review and copy such records upon request. This requirement is also intended to include but is not limited to any auditing, monitoring, and evaluation procedures, including on-site visits, performed

6

individually or jointly, by State or federal officials or their agents necessary to verify the accuracy of Contractor’s invoices or compliance with this Agreement (in accordance with 45 CFR § 75.361 and 45 CFR § 155.1210). If such records are maintained outside of the State of Rhode Island, such records shall be made accessible by the Contractor at a Rhode Island location. Additionally, if any litigation, claim, or audit commences before the expiration of the ten (10) year period, the records must be retained until all litigation, claims, or audit findings involving the records have been resolved and final action taken in accordance with 45 CFR § 75.386. If audit findings have not been resolved at the end of the ten (10) years, the records shall be retained for an additional three (3) years after the resolution of the audit findings are made or as otherwise required by law.

The Contractor and its subcontractors, if subcontractors are permitted within the scope of this Agreement, will provide and maintain a quality assurance system acceptable to the State covering deliverables and services under this Agreement and will tender to the State only those deliverables that have been inspected and found to conform to this Agreement’s requirements. The Contractor will keep records evidencing inspections and their result and will make these records available to the State during Agreement performance and for ten (10) years after final payment. The Contractor shall permit the State to review procedures, practices, processes, and related documents to determine the acceptability of Contractor’s quality assurance system or other similar business practices related to performance of the Agreement.

Further, the Contractor agrees to include a similar right of the State, federal officials and their agents, to audit records and interview staff in any subcontract related to performance of this Agreement.

PAR. 11. SECURITY AND CONFIDENTIALITY

11. 1 Definitions

The following definitions shall apply:

1. “Breach” as defined pursuant to HIPAA guidelines as well as those found in the Health Information Technology for Economic and Clinical Health Act (HITECH) means an acquisition, access, use or disclosure or suspected acquisition, access, use or disclosure of Protected Health Information (PHI) in violation of HIPAA privacy rules that compromise PHI security or privacy. Additionally, a Breach or suspected Breach means an acquisition, access, use or disclosure or suspected acquisition, access, use or disclosure of PII or SI.

2. “Incident” is defined by OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017), as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation

7

of law, security policies, security procedures, or acceptable use policies.

3. “Confidential Information” means information that Contractor receives or has access to under this Agreement, including but not limited to; Personally Identifiable Information (PII); Sensitive Information (SI); PHI; Return Information; other information (including electronically stored information) or records sufficient to identify an applicant for or recipient of government benefits; preliminary draft, notes, impressions, memoranda, working papers and work product of State employees; any other records, reports, opinions, information, and statements required to be kept confidential by State or federal law or regulation, or rule of court; any statistical, personal, technical and other data and information relating to the State’s data; or other such data protected by State and federal laws, regulations.

4. “Personally Identifiable Information” or “PII” is means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc. (As defined in 45 CFR § 75.2 and as defined in OMB Memorandum M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments”). PII shall also include individual's first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical and financial records, educational transcripts (as defined in 45 CFR § 75.2 Protected Personally Identifiable Information).

5. “Protected Health Information” or “PHI” means individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information. PHI relates to physical records, while ePHI is any PHI that is created, stored, transmitted, or received electronically. PHI does not include information contained in educational and employment records, that includes health information maintained by a HIPAA covered entity in its capacity as an employer.

6. “Return Information” is defined under 26 USC § 6103(b)(2) and has the

8

same meaning as “Federal Tax Information” or “FTI” as used in IRS Publication 1075.

7. “Sensitive Information” or “SI” means information that could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals if the confidentiality, integrity, or availability is lost. Further, the loss of Sensitive Information confidentiality, integrity, or availability might: (i) cause a significant or severe degradation in mission capability to an extent and duration that the organization is unable to perform its primary functions; (ii) result in significant or major damage to organizational assets; (iii) result in significant or major financial loss; or (iv) result in significant, severe or catastrophic harm to individuals that may involve loss of life or serious life threatening injuries. (Defined in HHS Memorandum ISP-2007-005, "Departmental Standard for the Definition of Sensitive Information" as amended).

11.2. General

The Contractor shall take security measures to protect against the improper use, loss, access of and disclosure of any Confidential Information it may receive or have access to under this Agreement as required by this Agreement, the RFP and proposal, or which becomes available to the Contractor in carrying out this Agreement and the RFP and the proposal and agrees to comply with State requirements for safeguarding Confidential Information. All such information shall be held in strict confidence and protected by the Contractor from unauthorized use and disclosure utilizing same or more effective procedural requirements as are applicable to the State.

11.3. Privacy and Security Safeguards and Obligations

For all Confidential Information under this Agreement, the Contractor must

comply with the following privacy and security requirements and obligations:

a. Ensure that its employees, contractors, and agents implement the

appropriate administrative, physical and technical safeguards to protect

Confidential Information received by Contractor under this Agreement

from loss, theft or inadvertent disclosure.

i. Administrative Safeguards. Contractor will advise all users who

will have access to the Confidential Information of its confidential nature,

the safeguards required to protect the Confidential Information, and the

civil and criminal sanctions for noncompliance contained in applicable

Federal laws.

ii. Physical Security/Storage: Contractor will store the Confidential

Information in an area that is physically and technologically secure from

access by unauthorized persons during duty hours, as well as non-duty

9

hours or when not in use (e.g., door locks, card keys, biometric identifiers,

etc.). Only authorized personnel will transport the Confidential

Information. Contractor will establish appropriate safeguards for such

Confidential Information, as determined by a risk-based assessment of the

circumstances involved.

iii. Technical Safeguards: Contractor agrees that the Confidential

Information exchanged under this Agreement will be processed under the

immediate supervision and control of authorized personnel to protect the

confidentiality of the Confidential Information in such a way that

unauthorized persons cannot retrieve any such Confidential Information

by means of computer, remote terminal, or other means. Contractor

personnel must enter personal identification information when accessing

Confidential Information on the State’s systems. Contractor will strictly limit authorization to those electronic Confidential Information areas

necessary for authorized persons to perform his or her official duties.

iv. Understand that they are responsible for safeguarding this

information at all times, regardless of whether or not the Contractor

employee, subcontractor, or agent is at his or her regular duty station.

v. Ensure that laptops and other electronic devices/media containing

Confidential Information that constitutes PII are encrypted and/or

password protected.

vi. Send E-mails containing Confidential Information that constitutes

PII only if encrypted and being sent to and received by email addresses of

persons authorized to receive such information. In the case of FTI,

Contractor employees, subcontractors, and agents must comply with

Internal Revenue Service (“IRS”) Publication 1075’s rules and restrictions

on emailing return information.

vii. Restrict access to the Confidential Information only to those

authorized Contractor employees, subcontractors, and agents who need

such Confidential Information to perform their official duties in

connection with purposes identified in this Agreement; such restrictions

shall include, at a minimum, role-based access that limits access to those

individuals who need it to perform their official duties in connection with

the uses of Confidential Information authorized in this Agreement

(“authorized users”). Contractor shall not use or access Confidential Data

for independent projects unrelated to the purposes identified in this

Agreement. Further, the Contractor shall advise all users who will have

access to the Confidential Information provided under this Agreement of

the confidential nature of the Confidential Information, the safeguards

required to protect the Confidential Information, and the civil and criminal

sanctions for noncompliance contained in the applicable Federal laws. The

10

Contractor shall require its contractors, agents, and all employees of such

contractors or agents with authorized access to the Confidential

Information disclosed under this Agreement, to comply with the terms and

conditions set forth in this Agreement, and not to duplicate, disseminate,

or disclose such Confidential Information unless authorized under this

Agreement.

viii. For receipt of FTI, the Contractor agrees to maintain all return

information sourced from the IRS in accordance with IRC section

6103(p)(4) and comply with the safeguards requirements set forth in

Publication 1075, “Tax Information Security Guidelines for Federal, State

and Local Agencies”, which is the IRS published guidance for security guidelines and other safeguards for protecting return information pursuant

to 26 CFR § 301.6103(p)(4)-1. In addition, the Contractor shall:

(1) Establish a central point of control for all requests for

and receipt of Return Information and maintain a log to

account for all subsequent disseminations and products

made with/from that information, and movement of the

information until destroyed, in accordance with

Publication 1075.

(2) Establish procedures for secure storage of return

information consistently maintaining two barriers of

protection to prevent unauthorized access to the

information, including when in transit, in accordance

with Publication 1075.

(3) Consistently label return information obtained under this

Agreement to make it clearly identifiable and to restrict

access by unauthorized individuals. Any duplication or

transcription of return information creates new records

which must also be properly accounted for and

safeguarded. Return information should not be

commingled with other records unless the entire file is

safeguarded in the same manner as required for return

information and the FTI within is clearly labeled in

accordance with Publication 1075.

(4) Restrict access to return information solely to officers,

employees, agents, and subcontractors of the Contractor

whose duties require access for the purposes of carrying

out this Agreement. Prior to access, the Contractor must

evaluate which personnel require such access on a need-

to-know basis. Authorized individuals may only access

return information to the extent necessary to perform

11

services related to this Agreement, in accordance with

Publication 1075.

(5) Prior to initial access to FTI and annually thereafter, the

Contractor will ensure that employees, officers agents,

and subcontractors that will have access to return

information receive awareness training regarding the

confidentiality restrictions applicable to the return

information and certify acknowledgement in writing that

they are informed of the criminal penalties and civil

liability provided by sections 7213, 7213A, and 7431 of

the Internal Revenue Code for any willful disclosure or

inspection of return information that is not authorized by

the Internal Revenue Code, in accordance with

Publication 1075.

(6) Contractor must ensure information systems processing

return information are compliant with Section

3544(a)(1)(A)(ii) of the Federal Information Security

Management Act of 2002 (FISMA).

11.4. Ownership of Confidential Information

The Contractor expressly agrees and acknowledges that Confidential Information provided to and/or transferred by the State or to which the Contractor has access to for the performance of this Agreement is the sole property of the State and shall not be disclosed and/or used or misused and/or provided and/or accessed by any other individual(s), entity(ies) and/or party(ies) without the express written consent of the State. Further, the Contractor expressly agrees to forthwith return to the State any and all said Confidential Information and/or information and/or Confidential Information and/or database upon the State’s written request and/or cancellation and/or termination of this Agreement.

11.5. Compliance with Applicable Laws, Regulations, Policies and Standards

The Contractor agrees to abide by all applicable, current and as amended Federal and State laws, regulations, policies, guidance and standards governing the confidentiality of information to which it may have access to under this Agreement, including to but not limited to the Business Associate requirements of HIPAA (WWW.HHS.GOV/OCR/HIPAA) and 45 CFR § 155.260. In addition, the Contractor agrees to comply with the State confidentiality policy recognizing a person's basic right to privacy and confidentiality of personal information.

The Contractor agrees to adhere to any and all applicable State and federal statutes and regulations relating to confidential health care and substance abuse treatment including but not limited to the Federal Regulation 42 CFR, Part 2; Rhode Island Mental Health Law, R.I. General Laws Chapter 40.1-5-26; Confidentiality of Health Care Communications and

http://www.hhs.gov/ocr/hipaa

12

Information Act, R.I. General Laws Chapter 5- 37.3-1 et seq; Identity Theft Protection Act of 2015, R.I. Gen. Laws Chapter 11-49.3 and HIPAA and its implementing regulations. The Contractor acknowledges that failure to comply with the provisions of this Paragraph 23 will result in the termination of this Agreement.

In connection with all PII that Contractor receives or has access to under this Agreement, the Contractor must comply with Minimum Acceptable Risk Standards for Exchanges (MARS-E), version 2.0 dated November 15, 2015 which includes the following suite of documents: Volume I: Harmonized Security and Privacy Framework; Volume II: Minimum Acceptable Risk Standards for Exchanges; Volume III: Catalog of Minimum Acceptable Risk Security and Privacy Controls for Exchanges; and Volume IV: ACA Administering Entity System Security Plan.

Notwithstanding any other requirement set out in this Agreement, the Contractor acknowledges and agrees that the HITECH Act and its implementing regulations impose requirements with respect to privacy, security and Breach notification and contemplates that such requirements shall be implemented by regulations to be adopted by the U.S. State of Health and Human Services. The HITECH requirements, regulations and provisions are hereby incorporated by reference into this Agreement as if set forth in this Agreement in their entirety. Notwithstanding anything to the contrary or any provision that may be more restrictive within this Agreement, all requirements and provisions of HITECH, and its implementing regulations currently in effect and promulgated and/or implemented after the date of this Agreement, are automatically effective and incorporated herein. Where this Agreement requires stricter guidelines, the stricter guidelines must be adhered to.

11.6. Breach/Incident Reporting

Upon notice of a suspected or confirmed Incident or Breach the State and Contractor will meet to jointly develop an Incident investigation and remediation plan. Depending on the nature and severity of the confirmed Breach, the plan may include the use of an independent third-party security firm to perform an objective security audit in accordance with recognized cyber security industry commercially reasonable practices. The Parties will consider the scope, severity and impact of the Incident to determine the scope and duration of the third-partyaudit. If the Parties cannot agree on either the need for or the scope of such audit, then the matter shall be escalated to senior officials of each organization for resolution. The Contractor will pay the costs of all such audits. Depending on the nature and scope of the Incident, remedies may include, among other things, information to individuals on obtaining credit reports and notification to applicable credit card companies, notification to the local office of the Secret Service, and or affected users and other applicable Parties, utilization of a call center and the offering of credit monitoring services on a selected basis.

11.7 Other

Failure to abide by the State's confidentiality policy or the required signed Business

13

Associate Agreement (BAA) will result in termination remedies, including but not limited to, termination of this Agreement. A BAA shall be signed by the Contractor, simultaneously or as soon thereafter as possible, from the signing of this Agreement, as required by the State. The Contractor agrees that no findings, listing, or information derived from information obtained through performance of this Agreement may be released or publicly disclosed in any form for any purpose if such findings, listing, or information contains any combination of data elements that might allow an individual to determine a beneficiary’s identification without first obtaining written authorization from the State’s Contract Manager. Examples of such data elements include, but are not limited to geographic indicators, age, sex, diagnosis, procedure, date of birth, or admission/discharge date(s). The Contractor agrees further that the State shall be the sole judge as to whether any finding, listing, information, or any combination of data extracted or derived from the State’s files identify or would, with reasonable effort, permit one to identify an individual, or to deduce the identifying of an individual to a reasonable degree of certainty. The Contractor agrees that the conditions set forth herein apply to any materials presented or submitted review and/or publication that contain individual identifying elements in the information obtained, as stated above, unless such information is presented in the aggregate. Under no circumstance, shall the Contractor publicly disclose or present or submit any materials for review and/or publication that contains an individual’s social security number, in part or in whole. The Contractor is hereby notified that all initial data received from DHS is considered confidential by the State.

Contractor will inform the State of any change in its administrative, technical, or

operational environment that would impact compliance with the terms of this Agreement,

including but not limited to compliance with 45 CFR § 155.260.

The Contractor shall monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls in accordance with 45 CFR § 155.260(a)(5).

The Contractor shall not be required under the provisions of this Paragraph 23 to keep confidential any Confidential Information or information, which is or becomes legitimately publicly available or is rightfully obtained from third Parties under no obligation of confidentiality.

Contractor shall establish and maintain, throughout the term of this Agreement, policies and procedures to ensure the safekeeping of Confidential Information and prevent unauthorized access to or use of such Confidential Information in compliance with ISO 27001 and ISO 27002 (or any replacement standard relating to information security), applicable regulatory requirements, and consistent with industry standards. In addition to its other obligations set forth in this Agreement, whenever Contractor possesses, stores, processes or has access to the State’s Confidential Information, Contractor shall comply with those information security policies and procedures reasonably required by the State from time to time.

14

Nothing herein shall limit the State’s ability to seek injunctive relief or any and all damages resulting from the Contractor’s negligent or intentional disclosure of Confidential Information.

PAR. 12. NONDISCRIMINATION INEMPLOYMENT AND SERVICES

By signing this Agreement, the Contractor agrees to comply with the requirements of Title VI of the Civil Rights Act of 1964 (42 USC 2000d et seq.); Section 504 of the Rehabilitation Act of 1973, as amended (29 USC 794); Americans with Disabilities Act of 1990 (42 USC 12101 et. seq.); Title IX of the Education Amendments of 1972 (20 USC 1681 et. seq.); The Age Discrimination Act of 1975, The United States Department of Health and Human Services (hereinafter DHHS) Regulations found in 45 CFR, Parts 80 and 84; the United States Department of Education Implementing regulations (34 CFR, Parts 104 and 106); and U.S. Department of Veterans Affairs, Veterans Health Administration (VHA), Directive 1124, which prohibit discrimination on the basis of race, color, national origin (limited English proficiency persons), age, sex (including gender identity, transgender status, sexual orientation, and pregnancy),

disability, genetic information, marital/parental status, religion, political beliefs, or retaliation for opposing discriminatory practices or for participating in the discrimination- complaint process. in acceptance for or provision of services, employment, or treatment in educational or other programs or activities, or as any of the Acts are amended from time to time.

The Contractor must submit, within thirty-five (35) days of the date of a request by DHHS, VHA or R. I. Office of Veterans Services full and complete information on Title VI and/or Section 504 compliance and/or self-assessments, as referenced above, by the Contractor and/or any subcontractor or vendor of the Contractor.

The Contractor further agrees to comply with all other provisions applicable to law, including the Americans with Disabilities Act of 1990; the Governor's Executive Order No. 05-01, Promotion of Equal Opportunity and the Prevention of Sexual Harassment in State Government.

The Contractor also agrees to comply with the requirements of the State for safeguarding of client information as such requirements are made known to the Contractor at the time of this contract. Changes to any of the requirements contained herein shall constitute a change and be handled in accordance with 220-RICR-30-00- 13.4(C)(1)(c).

Failure to comply with this Paragraph may be the basis for cancellation of this Agreement.

PAR. 13. MODIFICATION OFAGREEMENT

All modifications to the Agreement are subject to 220-RICR-30-00-13.4(C)(1)(c).

15

PAR. 14. INTEREST OFCONTRACTOR

The Contractor covenants that it presently has no pecuniary interest and shall not acquire any such interest, direct or indirect, without first disclosing to the State in writing and then subsequently obtaining approval, in writing, from the State, that would conflict in any manner or degree with the performance of services required under this Agreement. The Contractor further covenants that no person having any such interest shall be employed by the Contractor for the performance of any work associated with this Agreement.

PAR. 15. OWNERSHIP

Any and all data, technical information, information systems, materials gathered, originated, developed, prepared, modified, used or obtained by the Contractor in performance of the Agreement, including but not limited to, all hardware, software computer programs, data files, application programs, intellectual property, source code, documentation and manuals, regardless of state of completion shall be deemed to be owned and remain owned by the State (“State Property”). However, each party will retain all rights in any software, ideas, concepts, know-how, development tools, techniques or any other proprietary material or information that it owned or developed prior to the date of this Agreement or acquired or developed after the date of this Agreement without reference to or use of the intellectual property of the other party. All software that is licensed by a party from a third-party vendor will be and remain the property of such vendor.

PAR. 16. NOTICES

No notice, approval or consent permitted or required to be given by this Agreement will be effective unless the same is in writing and sent postage prepaid, certified mail or registered mail, return receipt requested, or by reputable overnight delivery service to the other party at the address set forth below, or such other address as either party may direct by notice given to the other as provided, and shall be deemed to be given when received by the addressee.

As to the State:

As to the Contractor:

16

EXHIBIT A SCOPE OF WORK

carahsoft

CARAHSOFT TECHNOLOGY CORP.’S

Statement of Work for

State of RI COVID

Response

Management

Project

Q# 21595861

Friday April 3, 2020

SOLUTION PROVIDED BY

CARAHSOFT TECHNOLOGY CORP.

1860 MICHAEL FARADAY DRIVE, SUITE 100

RESTON, VA 20190

888.66.CARAH | WWW.CARAHSOFT.COM

http://www.carahsoft.com/

April 3, 2020

Ramesh Madhavan One Capitol Hill Providence, RI 02908

Re: Carahsoft’s Statement of Work for the State of Rhode Island

Dear Ramesh,

Carahsoft Technology Corp. appreciates the opportunity to provide a Statement of Work to the State of Rhode Island for Salesforce Services. Carahsoft has worked closely with Salesforce to provide a detailed Statement of Work to engage Salesforce in professional services.

Please feel free to contact me directly at 703.673.3551 – [email protected] with questions or concerns.

Thank you for your time and consideration.

Sincerely,

Tyler Miller Account Representative

mailto:[email protected]

1 Scope

1.1 Definitions Subject to the terms of this SOW and the Agreement, SFDC will provide the Professional Services set forth

below. The term “Application” is used to refer to the Online Services (meaning any online, web-based

services and associated offline components made available by SFDC (or one or more of its Affiliates) to

Customer under a separate agreement) purchased by Customer pursuant to a Master Subscription

Agreement. The term "Mobile App" is used to refer to the custom ios/html5/java/.net app built on the

apple/android/windows platform and communicating with the Application.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1.2 Business Objectives and Context The State of Rhode Island engaged Salesforce to support their COVID-19 response management activities

and enable a statewide system for ubiquitous testing, contact tracing, and effective quarantining. The goal is

to reduce infections by preventing exposed people from spreading COVID-19. This requires the following

priorities:

● Contact tracing and notification of exposed individuals to prevent spread

● Track symptoms of exposed individuals to kick off additional contact tracing

● Providing support during quarantine & isolation

● Track symptoms and additional info for forecasting and other analysis.

1.3 Functional Scope The State of Rhode Island prioritized Contact Tracing and Test Scheduling to be developed first as part of

MVP 1.0. The functionality to be implemented as part of the configured Application is described below.

1.3.1 Contact Tracing and Test Scheduling

Contact Tracing

● Capture data from patient interviews into a patient record

● Capture relatect contact information

● Capture related organization and location information

Test Scheduling

● Provide a list of approved test sites with related schedule availability

● Provide the ability for physicians to login and schedule patient test

● Provide the ability for the RI National Guard (agents) to login and view patient test schedules

Workstream Validation

● Demonstration walkthrough of the configured solution with RI stakeholders

● Prioritization of any requested system changes

● Perform system and end user testing

Production Readiness

● Final application walkthrough with RI stakeholders

● User training of selected RI personnel

Functional Area Description

Health Cloud User Setup ● Profiles ● Permission Sets

● Roles ● Organization Wide Defaults

Contact Tracing via Health Cloud Service Console

● Set up using standard configuration ● Support Processes ● Workflow and approval processes ● Highlights Panel ● Pinned Lists ● Recent Tabs

Patient Scheduling using Lightning Scheduler

● Configure schedule blocks based on RI parameters ● Locations with related schedules

Physician Login using Community Cloud

● User administration ● Data load for physicians

Collaboration ● Settings ● Collaboration groups to be defined

Reports and Dashboards ● Standard Reports ● Standard Dashboards (including role-based dashboards for

Agents, Managers and Executives) Security ● Role hierarchy

● Sharing Rules

The State of Rhode Island will determine when to launch the application into Production for Go Live. Salesforce

will continue to support pre-Production and post-Production activities under this SOW through April 3, 2020.

This Phase will deliver MVP 1. Any work performed by Salesforce after April 3, 2020 will be governed under a

subsequent SOW/Amendment, including any defects from the delivered work products.

1.3.2 Transition to Post-Production Support

Salesforce will transition to Post-Production support when the application is deployed to the users whether the

State does a full deployment or a soft launch. This will include

● Support end user adoption and application usage

● Capture prioritize and resolve any system issues

● Additional training as needed

1.4 Out of Scope and Change Orders Changes to the scope of this SOW require a fully executed Change Order. Any work not explicitly set forth as

Professional Services within this SOW is out of scope of this SOW, including the following out of scope

activities:

● Enhancement to MVP 1.0 ● CTI and screen-pop functionality ● Patient Community & Knowledge articles ● Single Sign-on ● Automated Integrations (other than limited data loader uploads by Admin) ● SMS Automation (Sending, triggering follow-up if no-response) ● GPS upload and automation ● Symptom Monitoring ● Quarantine and Isolation Management

2 Approach SFDC will use SFDC Services’ development methodology (“Adaptive Methodology”) with Customer to deliver the Professional Services. As part of the Adaptive Methodology:

● SFDC and Customer will review, document and approve project control documents (“Planning Documents”) based on this SOW together with additional discovery and further detailing project execution plans, boundaries, and controls.

● SFDC and Customer will review, document and approve solution design documents (“Design Documents”) based on this SOW together with additional discovery, further detailing the solution design and containing sufficient detail for Customer to understand and agree to the solution design.

● SFDC and Customer will document the desired configured Application functionality as a list of functional needs by user type (“User Stories”).

● Development will be done in a series of regular increments (“Sprints”), which include construction of the solution components and testing of them as they are built.

● Customer will supply a dedicated resource responsible for product vision, representation of stakeholders to the development team and ultimately for maximizing the business value of the development effort (“Product Owner”).

● SFDC and Customer will complete development reviews at the completion of each Sprint. The regular cadence of these reviews will enable Customer to measure functional progress and will provide Customer an on-going process to regularly validate and provide feedback on the functionality that will be delivered in the configured Application.

● Customer will lead and SFDC will support final testing of the solution once construction is complete.

Customer Product Owner may request additional or alternative functionality based on the prioritization of User

Stories as they are refined and developed during construction of the configured Application. As a

consequence, the precise scope of the configured Application cannot be determined at the outset of the

Professional Services and the detailed scope described above may not be completed as part of the

Professional Services. Rather, on-going User Story prioritization as mutually agreed between the Customer

Product Owner and SFDC will dictate the final content of the configured Application.

3 Customer Obligations and Assumptions

3.1 General ● Timely and successful performance of the Professional Services pursuant to this SOW requires

ongoing collaboration between SFDC and Customer. Customer is responsible for certain key tasks, contributions and timely reviews of SFDC work to maintain the estimated schedule and estimated Professional Services fees.

● Customer shall procure, install, host, test, deploy, monitor and maintain all associated hardware, software (including, without limitation, the Application), remote meeting tools, high-speed internet if meetings are held onsite, and copyrighted materials, including patches or upgrades required to enable provision of the Professional Services.

● Customer will make available appropriately skilled and knowledgeable Customer resources, including the following resources, to provide active and continuous participation, including timely review, feedback, and approvals: o Executive sponsor o Project manager o Product Owner o Functional lead and business subject matter experts

● Any change to Customer’s project manager during the course of the project will require a Change Order to account for additional hours needed for consultation with Customer’s new project manager on current project status and on-going activities.

● Customer will allocate time among Customer project staff, subject matter experts, and executive staff as needed for participation in meetings, timely review of documentation and decision- making.

● Customer will define and maintain the list of the business objectives and requirements that will guide the provision of the Professional Services.

● Customer will participate in planning, discovery and design sessions as needed to facilitate the development of Planning Documents and Design Documents and will review and approve the same in a timely manner prior to start of the Construct stage.

● Customer will coordinate on-site, web or conference call schedules for meetings to be held during the term of this SOW.

● Customer is responsible for its use of the deliverables resulting from the Professional Services, including compliance with all applicable laws and license requirements related to the use and / or distribution of such deliverables (e.g. inclusion of any terms, such as privacy policies, conformance to any third-party terms (operating system terms, etc.)).

● Customer will provide assistance, cooperation, information, equipment, data, a suitable work environment and resources reasonably necessary to enable SFDC to perform the Professional Services.

● Customer will identify and enable permissions for SFDC personnel as system administrators or users of Customer's Application instances as reasonably necessary for the provision of Professional Services.

● Customer will be responsible for executing on overall program management responsibilities. ● If Customer requires additional security or internal IT reviews not specifically called out in this

SOW, a Change Order will be required for the additional scope. ● Requests for Professional Services work outside of normal business hours (Monday – Friday,

8:30 a.m. - 5:30 p.m. in the time zone of the location where work is to be performed), including weekends and holidays, must be made through a Change Request per Appendix 2 (“Change Control Process”). Scheduling work outside of normal business hours requires staffing considerations and will need to be planned twenty (20) business days in advance of need and is subject to any additional requirements contained herein.

● Customer is responsible for cleansing and preparing the data used in the Online Services, including extract processing and quality assurance testing of data prior to submitting such data to the Online Services. Improperly prepared data, i.e., data that is not ready for use by SFDC in connection with this engagement as provided by Customer, can significantly impact SFDC’s ability to provision the Professional Services.

● The Professional Services described in this SOW will be delivered virtually using WebEx (or comparable) conference tools unless otherwise mutually agreed by the parties, subject to Section 4.4 Travel Expenses.

● Customer’s execution of this SOW constitutes its express consent for SFDC to use subcontractors to perform any of its obligations hereunder. SFDC will be responsible for the performance of Professional Services by its personnel (including employees and contractors) and their compliance with SFDC’s obligations under this SOW, except as otherwise specified herein.

3.2 Adaptive Methodology Obligations and Assumptions ● Customer will provide an authorized and skilled Product Owner who will be responsible for the

following:

o managing the content of the product backlog, o providing content for User Stories, o prioritizing stories in the backlog, o working with SFDC to determine the order in which stories will be implemented, o assisting with the creation of acceptance criteria, and o accepting each User Story upon demonstration that it meets the acceptance criteria in

accordance with Acceptance section below. ● Customer Product Owner will work with SFDC to fully elaborate sufficient User Stories prior to

the start of the Construct stage. ● Customer Product Owner will represent Customer business stakeholder interests to the

development team. ● Customer Product Owner and SFDC will participate in periodic review meetings with Customer

business stakeholders throughout the delivery of the Professional Services. ● Customer Product Owner will determine prioritization of User Stories in the product backlog.

User Stories implementation will be based on this prioritization, dependencies between functional components and development team capacity.

● Acceptance Criteria in the User Stories will be the basis for expected configured Application functionality. If Customer testing identifies functional needs not reflected in the acceptance criteria, a defect will be created to describe the functional gap. Customer Product Owner will determine which defects (i.e. which functional gaps) they would like to have addressed as part of the Professional Services as part of the on-going prioritization process. If defects that Customer wishes to address cannot be addressed with the defined resource pool and timeline, the Change Control Process will be initiated as set forth below.

● Material changes to the scope requested by Customer will initiate the Change Control Process as set forth below.

3.3 Steering Committee

Customer agrees to a monthly steering committee meeting to include the following parties: Customer

Executive Project Sponsor, Customer PM, SFDC Executive Sponsor and SFDC PM. This meeting will be

used to review project status, key open issues and assure alignment between organizations.

4 Schedule and Professional Services Fees

4.1 Schedule This Phase will deliver MVP 1.0. The work schedule under this SOW is March 26, 2020, through April 4, 2020.

Any work performed by Salesforce after April 3, 2020 will be governed under a subsequent SOW/Amendment,

including any defects from the delivered work products.

4.2 Rates and Professional Services Fee

Salesforce is providing the MVP 1.0 activities at no additional cost to the State of Rhode Island. This donation

of professional services is offered solely for the purpose of assisting the State of Rhode Island’s response to the COVID-19 crisis. It is the intent of Salesforce.com that this donation, with an estimated value of $280,486,

comply with all applicable laws, regulations and ethics rules regarding gifts and donations.

Salesforce.com makes this donation without seeking promises or favoritism for Salesforce.com in any bidding

arrangements. Further, no exclusivity will be expected by either party in consideration for the donation. Finally,

Salesforce.com makes the donation with the understanding that it will not, as a result of such offer, be

prohibited from any procurement opportunities or be subject to any reporting requirements for Salesforce.com.

The State of Rhode Island’s ethics officer or legal counsel will promptly advise Salesforce.com [or Reseller, if

transacting through reseller] in writing, if it is inappropriate for the organization to accept the offer described

above.

4.3 Invoices

All Professional Services fees, as well as actual and reasonable expenses and taxes, if applicable, associated

with the Professional Services will be invoiced monthly and shall be due and payable in accordance with the

terms of the Agreement.

4.4 Travel Expenses

Professional Services will be delivered remotely. If travel is required, Salesforce will obtain pre-approval prior

to incurring any expenses via the change order process in Section 5.3. Travel expenses and reasonable out-

of-pocket expenses, including but not limited to transportation, mileage if driving, hotels, meals if traveling,

hotel phone and Internet charges and any necessary copies or postage, are not included in the fees set forth

in this SOW and will be invoiced separately.

5 General Terms

5.1 Precedence This SOW and any appendices hereto shall be governed by the terms of the Agreement. In the event of a

conflict between any term of this SOW and the Agreement, the terms of this SOW will control.

5.2 Segmentation

Customer acknowledges that this SOW is limited to Professional Services and does not convey any right to

use the Online Services (including the Application). Any use of Online Services by Customer will be governed

by a separate agreement. Customer agrees that its purchase of Professional Services is not contingent on

the delivery of any future Online Service functionality or features, other than Deliverables, subject to the terms

of this SOW or on any oral or written public comments by SFDC regarding future Online Service functionality or

features.

5.3 Change Order

To make a change to the Scope set forth in this SOW, Customer must submit a written request to SFDC

specifying the proposed changes. SFDC shall submit to Customer an estimate of the charges and the

anticipated changes in the delivery schedule that will result from the proposed change in the Professional

Services. Upon mutual agreement of the parties, the parties each shall execute an amendment representing

the changes to this SOW (“Change Order”). SFDC shall continue performing the Professional Services in accordance with the SOW until the parties agree in writing on the change in scope of work, scheduling, and

fees therefore.

5.4 Acceptance

Upon completion of each Deliverable, SFDC will, as applicable: (a) submit a complete copy to Customer; and

(b) at Customer’s request, demonstrate its functionality to Customer. Customer is responsible for reviewing

and testing all Deliverables in accordance with this SOW pursuant to any acceptance criteria or test plans

mutually agreed upon in writing by the parties for such Deliverable. Customer will provide SFDC with written

notification of acceptance for each Deliverable promptly upon acceptance; however, failure to reject a

Deliverable, as set forth below, will be deemed acceptance. If Customer, in its reasonable and good faith

judgment, determines that any submitted Deliverable does not satisfy the agreed-upon acceptance criteria as

specified in this SOW or as mutually agreed upon in writing by the parties for such Deliverable, Customer must

so notify SFDC in writing within ten (10) business days after SFDC’s submission of the Deliverable, specifying

the deficiencies in detail. SFDC will use commercially reasonable efforts to correct such deficiencies and

resubmit the Deliverable to Customer as soon as practicable. Customer will again review and test the

Deliverable against the agreed-upon acceptance criteria and detail any deficiencies to SFDC in writing within

ten (10) business days after resubmission of the Deliverable. If a Deliverable fails to meet the functional

requirements specified in this SOW after its second resubmission to Customer, Customer may either, as its

sole and exclusive remedy: (i) again reject the Deliverable and return it to SFDC for further correction and

resubmission in accordance with the process described above (if the Deliverable is not accepted after two (2)

resubmissions, the matter will be escalated to Customer’s executive sponsor for the project associated with this SOW and the SFDC Engagement Manager), (ii) terminate this SOW immediately upon written notice and

recover all Professional Services fees paid under this SOW for such deficient Deliverable. If the parties

determine that a Deliverable’s functional requirements specified in this SOW require modification (for example,

due to incorrect assumptions or changed requirements), they will cooperate in good faith to execute a Change

Order for such revised requirements.

NOTE: Acceptance of User Stories developed and demonstrated to Customer is an interactive process to

which the foregoing does not apply. Rather, Customer must formally accept User Stories either through the

tracking application (described in the Construct Section above) or in writing (email acceptable). In the event

Customer neither accepts User Stories subject to the foregoing, nor rejects User Stories in writing (email

acceptable), then such User Stories will be deemed accepted at the earlier of ten (10) business days after

demonstration of the User Story or two (2) business days following the end of the Sprint in which the User

Story was completed.

5.5 Termination

Customer may terminate this SOW at any time for convenience upon ten (10) days’ written notice to SFDC. Either party may terminate this SOW for cause: (i) upon thirty (30) days written notice to the other party of a

material breach if such breach remains uncured at the expiration of such period or (ii) if the other party

becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership,

liquidation or assignment for the benefit of creditors.

5.6 Customer Cooperation

● Cooperation o Customer will cooperate reasonably and in good faith with SFDC in its performance of

Professional Services by, without limitation: ▪ allocating sufficient resources and timely performing any tasks reasonably

necessary to enable SFDC to perform its obligations under each SOW; ▪ timely delivering any Customer collateral and other obligations required under

each SOW; ▪ timely responding to SFDC’s inquiries related to the Professional Services; ▪ assigning an internal project manager for each SOW to serve as a primary point

of contact for SFDC; ▪ actively participating in scheduled project meetings; ▪ providing in a timely manner and at no charge to SFDC, office workspace,

telephone and other facilities, suitably configured computer equipment with Internet access, access to appropriate and knowledgeable employees and agents of Customer and continuous administrative access to Customer’s Online Service account and coordination of onsite, online and telephonic meetings all as reasonably required by SFDC; and

▪ providing complete, accurate and timely information, data and feedback all as reasonably required.

o Customer shall ensure that all instructions it provides to SFDC in relation to this SOW and its use of any Deliverables provided pursuant to this SOW are compliant with applicable laws.

● Delays o Any delays in the performance of Professional Services or delivery of Deliverables caused

by Customer may result in additional applicable charges for resource time. o SFDC shall have no liability for any delays or other damages caused by Customer’s failure

to meet its obligations.

5.7 General

This SOW is subject to the terms and conditions of the Professional Services Agreement found at

https://www.salesforce.com/company/legal/agreements/, unless Customer has a written professional services

agreement with SFDC, or an Affiliate of SFDC, in which case such written professional services agreement

will govern (“Agreement”). In the event of a conflict between any term of this SOW and the Agreement, the terms of this SOW will control. Capitalized terms used but not defined herein shall have the meanings ascribed

to them in the Agreement. This SOW may be signed in counterparts, each of which shall be deemed an

original. The effective date of this SOW shall be the later date of execution by the two

(2) parties.

http://www.salesforce.com/company/legal/agreements/

IN WITNESS WHEREOF, the parties have caused this SOW to be executed by their duly authorized

representatives as identified below.

Appendix 1: Change Control Process The following provides a summary of the process to follow if a change to this SOW is desired:

● A project change request (“Change Request”) will be the vehicle for communicating change. The Change Request must describe the change, the rationale for the change and the effect the change will have on the Professional Services.

● The designated Customer project manager or SFDC project manager will review the proposed change and determine whether to submit the request to the other party.

● Both the Customer and SFDC project managers will review the proposed change and either approve it for further investigation, or reject it. The investigation will determine the technical merits and the effect on the charges, schedule, and other terms and conditions of the SOW that may result from the implementation of the Change Request. The parties will then decide either to accept or to reject the Change Request.

● A written Change Request Form (see the Change Request Form below) must be agreed by both parties to authorize implementation of the Change Request.

● Once approved, a fully executed Change Order related to this SOW will be required in order to implement the requested change.

Change Request Form

Project: Project Manager:

Phase: Date Assigned:

Issue #: Assigned to:

Title: Date Due:

Submitted Date: Closed Date: / /

Description Of Change

●

Alternatives

●

Impact Analysis

For a Change Request, this field should include: ● Scope: ● Deliverables: ● Schedule: ● Budget: ● Resources: ● Risk: ● Priority:

Dependencies

●

Recommendation

●

Related Documents

●

Resolution

●

SFDC Project Manager Signature Date

☐ Approved

☐ Not Approved

Project Manager Name:

/ /20

Customer Acceptor Signature Date

☐ Approved

☐ Not Approved

Assigned To Name:

/ /20

EXHIBIT B BUDGET

Fee: $0

Exhibit C

$0 License Quote

CONFIDENTIAL PAGE 1 of 5

QUOTE DATE: QUOTE NO:

03/30/2020

21572411

Government - Price Quotation

Salesforce.com Government at Carahsoft

Carahsoft Technology Corp.

11493 SUNSET HILLS ROAD | Suite 100 | Reston, Virginia 20190

Phone (703) 871-8500 | Fax (703) 871-8505 | Toll Free (888) 662-2724

www.carahsoft.com | [email protected]

TO: Ramesh Madhavan

Rhode Island DOIT One Capitol Hill Providenc, RI 02908 USA

FROM: Tyler Miller

Carahsoft Technology Corp. 11493 Sunset Hills Road Suite 100 Reston, Virginia 20190

EMAIL:

PHONE:

[email protected]

(401) 574-9162

EMAIL: [email protected]

PHONE: (703) 673-3551 FAX: (703) 871-8505

Payment Terms: Net 30 (On Approved Credit) Cage Code: 1P3C5 DUNS No: 088365767 Credit Cards: VISA/MasterCard/AMEX Sales Tax May Apply

RFQ NO: SHIPPING: TOTAL PRICE:

ESD

$0.00

TOTAL QUOTE: $0.00

LINE NO. PART NO. DESCRIPTION - QUOTE PRICE QTY EXTENDED PRICE

1 205-0016 Health Cloud - Unlimited Edition *Includes Courtesy Administrators for Premier+ Success - Unlimited Edition*

$0.00 OM 50 $0.00

Start Date: 03/27/2020 End Date: 09/26/2020

2 205-0026 Customer Community Plus Logins Unlimited Edition Start Date: 03/27/2020 End Date: 09/26/2020

$0.00 OM 2000 $0.00

3 205-0116 Salesforce Shield 30% Net Price / $100 Start Date: 03/27/2020 End Date: 09/26/2020

$0.00 OM 1 $0.00

4 205-943 myTrailhead for Employees - Unlimited Edition Start Date: 03/27/2020 End Date: 09/26/2020

$0.00 OM 50 $0.00

SUBTOTAL: $0.00

TOTAL PRICE:

$0.00

TOTAL QUOTE: $0.00

TERMS:

FTIN: 52-2189693

QUOTE NO:

21572411

Shipping Point: FOB Destination QUOTE DATE: 03/30/2020

Remit To: Same as Above QUOTE EXPIRES: 04/29/2020





CONFIDENTIAL PAGE 2 of 5


03/30/2020

21572411


03/30/2020

21572411 CONFIDENTIAL PAGE 2 of 5





Phone (703) 871-8500 | Fax (703) 871-8505 | Toll Free (888) 662-2724 www.carahsoft.com | [email protected]

LINE NO. PART NO. DESCRIPTION - QUOTE PRICE QTY EXTENDED PRICE *This quote will be governed under the Terms and Conditions set forth in the Rhode Island NASPO PA once

executed*

---Quote Special Terms---

This donation of subscriptions to SFDC Services is offered solely for the purpose of assisting Customer’s preparation for and response to the COVID-19 crisis. It is the intent of Salesforce.com that this donation,

with an estimated value of $104,003.88 (USD), comply with all applicable laws, regulations and ethics rules

regarding gifts and donations. Salesforce.com makes this donation without seeking promises or favoritism

for Salesforce.com in any bidding arrangements. Further, no exclusivity will be expected by either party in

consideration for the donation. Finally, Salesforce.com makes the donation with the understanding that it

will not, as a result of such offer, be prohibited from any procurement opportunities or be subject to any

reporting requirements for Salesforce.com. For the avoidance of doubt, Reseller is required to include in its

contract with the Reseller’s customer the SFDC Service Terms, the Services section of the Order Form and all Quote Special Terms and Product Special Terms. Customer's ethics officer or legal counsel will promptly

advise Reseller in writing, if it is inappropriate for the organization to accept the donation described above.

---

The subscriptions ordered pursuant to this Order Form at $0 are offered one time at promotional pricing.

Additional subscriptions are not available at this subscription pricing. These subscriptions terminate on the

applicable Order End Date and cannot be renewed.

---

The subscriptions ordered hereunder are Restricted Use Subscriptions, and shall be subject to the following

restriction(s): Restricted Use Subscriptions may only be used for purposes related to Customer’s preparation and response to the COVID-19 crisis. These restrictions shall be cumulative and shall apply to all Restricted

Use Subscriptions purchased under this Order Form. Customer must strictly segregate all Restricted Use

Subscriptions from any full-featured subscriptions it may hold by setting up and enforcing a unique profile in

the Service associated with such Restricted Use Subscriptions. Customer understands that the above

functionality limitations are contractual in nature (i.e., the functionality itself has not been disabled as a

technical matter in the Service) and therefore agrees to strictly monitor its Users' use of such Restricted Use

Subscriptions and enforce the applicable restrictions. Salesforce.com may audit Customer's use of Restricted

Use Subscriptions at any time through the Service. Should any audit reveal any unauthorized use of

Restricted Use Subscriptions, Customer agrees it will pay, within thirty (30) days of notice of the audit

results, the difference between the contract price for Restricted Use Subscriptions and the list price for full

subscriptions of the above-named product, for all of the Restricted Use Subscriptions showing unauthorized

use (taken as a group), beginning with the date of the first violation through the end of the then current

subscription term. Upon such payment, all such Restricted Use Subscriptions showing unauthorized use will

be converted into full subscriptions for the remainder of the then current subscription term. For certain

Services that may be included in this Order Form, Customer is not permitted to submit any information

related to an individual's: (i) physical or mental health; or (ii) payment or provision of healthcare. Customer

should refer to each applicable Service's Trust & Compliance Documentation and Customer's applicable

agreements with Salesforce for further details about this and other types of prohibited data.

---

In the event Customer does not have a written Business Associate Addendum with SFDC, Customer and SFDC

agree to the terms of the Business Associate Addendum to the Master Subscription Agreement located at:

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/456456.pdf

---

---Product Special Terms---

Einstein Bots Feature

The Einstein Bots feature shall be subject to the Order Form Supplement for Einstein Features available at

https://www.salesforce.com/company/legal/agreements.jsp (“Supplement”) which is hereby made part of this Order Form. Customer may enable and disable Einstein Bots at any time by following the instructions in

the Supplement. Customer will be provided with 25 Einstein Bots conversations per month for each Live

Agent User with an active subscription. Unused Einstein Bot conversations are forfeited at the end of each

anniversary of the Order Start Date hereunder or the Order End Date, whichever occurs first, and do not roll

over to subsequent months. Customer understands that the above limitation is contractual in nature (i.e., it

is not limited as a technical matter in the Service) and therefore agrees to monitor its Users' use of such

subscriptions and enforce the limit set forth herein. SFDC may review Customer's use of the subscriptions at



http://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/456456.pdf

http://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/456456.pdf

http://www.salesforce.com/company/legal/agreements.jsp



03/30/2020







LINE NO. PART NO. DESCRIPTION - QUOTE PRICE QTY EXTENDED PRICE any time through the Service. Should any review reveal unauthorized use, Customer agrees that SFDC may terminate Customer's access to such 25 Einstein Bots conversations. Customer may purchase additional

Einstein Bots conversations at SFDC's then-current list price. The Einstein Bots Feature is not available to

some customers, including Government Cloud as stated in the Documentation.

---

Einstein Features

SFDC may offer Customer access to Einstein features via the Services. Customer’s use of the Einstein features shall be subject to the Order Form Supplement for Einstein features available at

https://www.salesforce.com/company/legal/agreements.jsp (“Supplement”) which is hereby made part of this Order Form. Upon Customer’s first use of an Einstein feature in an instance of the Services, Customer

will be presented with an In-App Message directing Customer to confirm acceptance of Einstein feature

terms and conditions. Instructions for enabling/disabling each Einstein feature in any instance are outlined in

the Documentation here: https://help.salesforce.com/apex/HTViewSolution?urlname=Einstein-Enable-

Disable&language=en_US The functionality of the Einstein features shall not be considered a material

component of the Services being provisioned hereunder. The Einstein features are not available to some

customers, including Government Cloud as stated in the Documentation.

---

Scratch Org

The following terms shall govern all of Customer’s use of the Scratch Orgs functionality, whether provisioned pursuant to this or another Order Form. Scratch Orgs are for testing and development use only, and not for

production use. As part of its system maintenance, SFDC will per odically delete any Scratch Org, including

any associated data or Active Scratch Objects, as set forth in the Documentation. Deletion of an active

Scratch Org shall not terminate Customer’s Scratch Org subscription; if an active Scratch Org is deleted during Customer’s Scratch Org subscription term, Customer may create a new active Scratch Org. Creation of new active Scratch Orgs count towards the daily scratch org limits set forth in the Documentation. Any

representations, warranties and covenants in the Customer’s MSA regarding log retention, back-ups, disaster

recovery, and return and deletion of data shall not apply to Scratch Orgs.

---

Event Monitoring

Event Monitoring includes Event Monitoring Wave App, which may not be used to upload or access external

data sets other than the one external dataset provided as part of the Event Monitoring Wave App

subscription. Customer understands that the foregoing limitation is contractual in nature (i.e. it is not limited

as a technical matter in the Services), and therefore agrees to strictly monitor its Users' use of such

subscriptions and enforce the applicable restriction. SFDC may monitor Customer's usage of the Event

Monitoring Wave App subscriptions at any time through the Services. Event Monitoring Wave App is

available in English only.

---

myTrailhead

In order to provision myTrailhead for Employees, Customer must provide SFDC with a valid subdomain to be

used in connection with myTrailhead for Employees. Upon receipt of a valid subdomain, SFDC shall provision

myTrailhead for Employees within 2 business days. Customer acknowledges that each myTrailhead for

Employees subscription entitles the Customer to a Total Image Storage per Namespace of 2GB, and a Total

Data Storage per Namespace of 500MB. The Identity functionality included with the myTrailhead for

Employees Services may only be assigned to myTrailhead for Employees Users and used only to access the

myTrailhead for Employees Services. Each myTrailhead for Employees User that uses Identity to access the

myTrailhead for Employees Services is limited to access 10 custom objects. Customer understands that the

foregoing limitations are contractual in nature (i.e. they are not limited as a technical matter in the Services),

and therefore agrees to strictly monitor its Users' use of such subscriptions and enforce the applicable

restrictions. SFDC may monitor Customer's usage of the subscriptions at any time through the Services.

---

Customer Community Plus (Logins)

Subscriptions to Customer Community Plus (Logins/month) may not be purchased for use by Customer

employees or other personnel of Customer. Each Customer Community Plus (Logins/month) subscription

entitles the Permitted Users access to all such Communities within the same Org up to the number of log-ins

per calendar month ordered (the “Permitted Number of Monthly Logins”). Customer shall assign each Permitted User a User profile or permission set that permits access to no more than 10 custom objects in the






03/30/2020







LINE NO. PART NO. DESCRIPTION - QUOTE PRICE QTY EXTENDED PRICE applicable community. Salesforce will provision 20 User subscriptions for each of the Permitted Number of Monthly Logins; subject, however, to the limitations on the aggregate number of User subscriptions per Org

set forth in the Documentation ("Permitted Users"). Notwithstanding anything to the contrary in the

applicable Documentation, each such Customer Community Plus subscription allows for an additional 10 API

Requests per 24-hour period for an Org. Customer understands that the above limitations are contractual in

nature (i.e., they are not limited as a technical matter in the Service) and therefore agrees to strictly review

its Users' use of such subscriptions and enforce the limits set forth herein. SFDC may review Customer's use

of the subscriptions at any time through the Service. Unused logins are forfeited at the end of each

anniversary of the Order Start Date hereunder or the Order End Date, whichever occurs first, and do not roll

over to subsequent months. The beginning and end of each calendar month will conform with U.S. Pacific

Time.

---

Health Cloud - CRM / Service for Enterprise and Unlimited Edition

Shared Contacts must be enabled in Customer’s Salesforce Org prior to installing the Health Cloud package. Then in order to access Health Cloud, the Customer’s system administrator must first install it in the

Customer’s Salesforce instance via the following links, in the following order: 1) http://industries.force.com/healthcloud, and 2) https://industries.force.com/healthcloudflow. The

languages in which the Services are available are listed in the applicable Documentation. Customer’s use of this product is subject to the following restrictions:

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/sales-service-

contractual-restrictions.pdf. In addition, Customer agrees that the intended use of Einstein Analytics for

Health Cloud is to provide insights into the health trends of Customer's patient population based on the CMS

HCC model (the “Intended Use”). Customer may not (i) use Einstein Analytics for Health Cloud to build custom applications, (ii) upload or access data sets using the Wave External Data API or any program or tools

using such API, (iii) bring data from Salesforce Standard Objects that are not already part of the Einstein

Analytics for Health Cloud feature, or (iv) use Einstein Analytics for Health Cloud for purposes other than its

Intended Use. Customer understands that the foregoing limitations are contractual in nature (i.e. they are

not limited as a technical matter in the Services), and therefore agrees to strictly monitor its Users' use of

such subscriptions and enforce the applicable restrictions. SFDC may review Customer's use at any time

through the Services. Einstein Analytics for Health Cloud: Risk Stratification is available in English only. For

clarity, this subscription includes use of Einstein Analytics for Health Cloud by five (5) Health Cloud Users per

Org.

---

Free Sandbox with Unlimited/Performance Edition

Sandbox subscriptions are for testing and development use only, and not for production use. As part of its

system maintenance, SFDC may delete any Sandbox that Customer has not logged into for 150 consecutive

days. Thirty or more days before any such deletion, SFDC will notify Customer (email acceptable) that the

Sandbox will be deleted if Customer does not log into it during that 30-day (or longer) period. Deletion of a

Sandbox shall not terminate Customer’s Sandbox subscription; if a Sandbox is deleted during Customer’s Sandbox subscription term, Customer may create a new Sandbox.

---

Courtesy Administrators for Premier+ Success

The Courtesy Administrators for Premier+ Success are provided to Customer free of charge for use only by

the SFDC administration team in connection with Customer’s purchase of the Premier+ Success Plan in order to allow SFDC to perform the administration functions described in the Premier+ Success Plan (“Courtesy Administrator Subscriptions”). After Customer’s execution of this Order Form, SFDC will provide Customer with instructions on how to set up the Courtesy Administrator Subscriptions. For clarity, the Courtesy

Administrator Subscriptions are provided on a one-time basis and Customer may not add on any additional

Courtesy Administrator Subscriptions during the Order Term despite anything to the contrary in any

agreement between Customer and SFDC.

---

Platform Encryption

Platform Encryption. Customer is responsible for creating its own customer-managed keys, which is/are used

in conjunction with encryption keys created and managed by SFDC as described in the Documentation.

Customer’s customer-managed key is unique to the Customer’s Org and to the specific Customer Data to which they apply. Should Customer delete, destroy or misplace a



http://industries.force.com/healthcloud

http://industries.force.com/healthcloud

http://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/sales-service-


03/30/2020







LINE NO. PART NO. DESCRIPTION - QUOTE PRICE QTY EXTENDED PRICE customer-managed key, the encrypted Customer Data is irretrievable unless Customer has previously

exported the customer-managed key and then imported such customer-managed key back into the Services.

Customer is responsible for regularly backing up its customer-managed key and all Customer Data and

storing them locally in a safe place. IN NO EVENT SHALL SFDC HAVE ANY LIABILITY HEREUNDER TO

CUSTOMER ARISING FROM CUSTOMER’S DELETION, DESTRUCTION OR MISPLACEMENT OF CUSTOMER’S

CUSTOMER-MANAGED KEY(S). Use of Platform Encryption may restrict the functionality of Service features

as further described in the Documentation.

---

Salesforce Shield

Salesforce Shield is comprised of Platform Encryption, Event Monitoring and Field Audit Trail, and is subject

to the Product Special Terms for Platform Encryption and Event Monitoring.

------

Licensee agrees that any order for Salesforce.com will be governed by the terms and conditions of the

Carahsoft Salesforce Service Terms copies of which are found at

https://www.carahsoft.com/Eula/Salesforce_MSA and all Schedules referenced by the Service Terms are

made a part hereof. Licensee acknowledges it has had the opportunity to review the Agreement, prior to

executing an order.

Should the licensee purchase Government Cloud Licenses with Government Cloud Premier + Support, the

following terms shall apply to the support: http://www.carahsoft.com/government-cloud-terms

Should the licensee purchase Salesforce Marketing Cloud Licenses, the following terms shall apply to those

products: http://www.salesforce.com/assets/pdf/misc/salesforce_MSA.pdf

https://help.salesforce.com/articleView?id=salesforce_help_map.htm&type=0

A list of currently available FedRAMP/IL4 Authorized Salesforce products can be found here:

https://help.salesforce.com/articleView?id=000270080&language=en_US&type=1

Should the licensee purchase MuleSoft Licenses, the following terms shall apply to those products:

https://www.mulesoft.com/legal/terms/EULA



http://www.carahsoft.com/Eula/Salesforce_MSA

http://www.carahsoft.com/Eula/Salesforce_MSA

http://www.carahsoft.com/government-cloud-terms

http://www.carahsoft.com/government-cloud-terms

http://www.salesforce.com/assets/pdf/misc/salesforce_MSA.pdf

http://www.salesforce.com/assets/pdf/misc/salesforce_MSA.pdf

http://www.mulesoft.com/legal/terms/EULA

Online Version 1

March 2020

CONFIDENTIAL Page 1 of 5

ADDENDUM E

BUSINESS ASSOCIATE AGREEMENT ADDENDUM TO THE MASTER

SUBSCRIPTION AGREEMENT

By executing the Agreement that references this Business Associate Agreement Addendum (the “Addendum”) Customer and Salesforce.com (“SFDC”) agree to the terms of this Addendum. All capitalized undefined terms herein shall have the meaning provided in the Master Subscription Agreement between Customer and SFDC (the “Agreement”).

This Addendum is made a part of, and incorporated into, the Agreement. The purpose of this Addendum is to implement certain of the requirements of the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations promulgated thereunder as supplemented and amended by the requirements of Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of the American Recovery and Reinvestment Act of 2009 and the rules and regulations promulgated thereunder (collectively, “HIPAA”). The parties acknowledge that those regulations include both the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164 (Subparts A & E) (the “Privacy Rule”), and the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164 (Subparts A & C) (the “Security Rule”).

In the course of providing those Services branded by SFDC as Force.com, Site.com, Database.com, Sales Cloud, Service Cloud, Field Service Lightning, Communities, Chatter, Salesforce Mobile app, Health Cloud, Einstein Analytics, IoT Explorer, Live Agent, Surveys, and ExactTarget (collectively, the “Covered Services”) to Customer pursuant to the Agreement, SFDC may, on behalf of Customer, receive, maintain or transmit information entered into the Covered Services as Customer Data that constitutes Protected Health Information, as defined in 45 CFR §160.103 (“PHI”), and as a result may, for certain purposes and under certain circumstances, be deemed a Business Associate, as such term is defined in 45 CFR §160.103, under HIPAA. “Documentation” means SFDC’s online user guides, documentation, and help and training materials, as updated from time to time, accessible via help.salesforce.com or login to the applicable Services. For clarity, Customer acknowledges that neither SFDC nor its Subcontractors “create” Protected Health Information in the provision of the Covered Services. This Addendum governs Customer’s and SFDC’s respective responsibilities with respect to such PHI to the extent SFDC acts as a Business Associate to Customer, including SFDC’s Use and Disclosure of PHI, as such terms are defined in 45 CFR §160.103. A capitalized term not defined herein shall have the meaning ascribed to that term in the Agreement, or, if any such term has no meaning ascribed in the Agreement, then such term shall have the meaning ascribed to it under HIPAA.

Online Version 1

March 2020


Accordingly, the parties agree as follows:

1. Use and Disclosure of PHI by Customer. Customer shall Use and Disclose PHI only as

permitted by HIPAA. Customer shall not authorize, request or require SFDC to Use or Disclose PHI in any manner that would violate HIPAA if the Use or Disclosure were carried out by Customer except as permitted under HIPAA and set forth in this Addendum. Customer will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause SFDC or one of its Subcontractors to violate this Addendum or any applicable law.

2. Use and Disclosure of PHI by SFDC. SFDC shall Use or Disclose PHI only in the manner and for the purposes set forth in this Addendum or in accordance with the Agreement and not in any other manner or for any other

purposes. Without limiting the generality of the foregoing, Customer hereby authorizes SFDC to do the following:

(i) Use and Disclose PHI as necessary to provide the Covered Services, to prevent or

address service or technical problems and, to perform customer support services to Customer;

(ii) Use and Disclose PHI as Required by Law; and

(iii) Use and Disclose PHI as necessary for the proper management and administration of

SFDC and to carry out the legal responsibilities of SFDC The Use and Disclosure of PHI by SFDC pursuant to this Section 2(iii) is subject to the following, as permitted in 45 CFR §.164.504(e)(2)(i) and 45 CFR § 164.504(e)(4): (a) SFDC obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and (b) the person notifies SFDC of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Protection of PHI. In connection with its receipt, maintenance or transmission of PHI on behalf of Customer, SFDC agrees to do the following:

(i) in accordance with 45 CFR § 164.502(e)(1), SFDC may disclose PHI to

Subcontractors and such Subcontractors shall have the rights to Use and Disclose PHI pursuant the agreement between SFDC and each Subcontractor, provided that SFDC shall ensure that any Subcontractors that receive, maintain or transmit PHI on behalf of SFDC agree to restrictions and conditions no less restrictive than those that apply to SFDC in this Addendum with respect to such PHI;

(ii) use appropriate administrative, technical and physical safeguards, and comply, where

Online Version 1

March 2020


applicable, with the Security Rule with respect to any PHI that constitutes Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for by this Addendum; and

(iii) to the extent SFDC carries out the Customer’s obligations under the Privacy Rule, if

applicable, comply with the requirements of the Privacy Rule that apply to the Customer in the performance of those obligations; notwithstanding the foregoing, the parties acknowledge that, under the Agreement and this Addendum, unless otherwise agreed upon by the parties in writing, SFDC has no obligations to carry out any of Customer’s obligations under the Privacy Rule.

4. Breach Notification.

(i) SFDC shall report to Customer any Use or Disclosure of PHI not provided for in this

Addendum of which SFDC becomes aware, including any Breach of Unsecured Protected Health Information in accordance with 45 CFR § 164.410. SFDC shall make such report without unreasonable delay and in no case later than thirty (30) days after SFDC becomes aware of such Use or Disclosure or Breach. SFDC shall provide to the Customer all information required by 45 CFR § 164.410(c) to the extent known and provide any additional available information reasonably requested by Customer for purposes of investigating the Breach as required by HIPAA. For purposes of this Addendum, “Breach” means the acquisition, access, Use or Disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI as defined, and subject to the exclusions set forth, in 45 CFR § 164.402.

(ii) SFDC shall be required to report to Customer, without unreasonable delay, only

successful Security Incidents pertaining to PHI of which SFDC becomes aware. SFDC hereby provides Customer with notice in this Section 4(ii) of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents, which include, but are not limited to, pings and other broadcast attacks on SFDC’s firewall, port scans, unsuccessful log-in attempts, denials of service attacks and any combination of the above, so long such incidents do not result in unauthorized access, Use or Disclosure of PHI. The parties agree that no further notice of unsuccessful Security Incidents is required.

5. Access by HHS. SFDC shall make its internal practices, books and records relating to the

Use and Disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA.

6. Individual Access Requests. SFDC shall forward to Customer any requests SFDC receives from an Individual for access to the Individual’s PHI that is entered in the Covered Services by Customer to which Customer shall respond in accordance with the requirements of 45 CFR § 164.524. The parties agree that, by virtue of providing the Covered Services, SFDC

Online Version 1

March 2020


will make available to Customer all PHI that is entered in the Covered Services by Customer, including PHI about an Individual, to facilitate Customer’s compliance with the requirements of 45 CFR § 164.524.

7. Individual Amendment Requests. Customer shall be exclusively responsible for

responding to all requests by Individuals for amendment to their PHI in accordance with HIPAA. The parties agree that, by virtue of providing the Covered Services, SFDC will make available to Customer all PHI that is entered in the Covered Services by Customer, including any PHI required to be made available for amendment without unreasonable delay in accordance with 45 CFR § 164.526, in a manner that allows the Customer to reasonably incorporate any amendments to the PHI in accordance with 45 CFR § 164.526.

8. Individual Accounting Requests. SFDC shall in accordance with and as required by 45

CFR § 164.504(e)(2) document Disclosures of PHI made by SFDC and maintain information related to such Disclosures. SFDC shall promptly make information available to Customer within sixty (60) days of a request by Customer to assist Customer in complying with its legal obligations under 45 CFR § 164.528 and in responding to requests by Individuals for an accounting of such Disclosures of their respective PHI if Customer does not have or did not have access to such information or the ability to accommodate such request through its use of the Covered Services or otherwise and to the extent permitted by law; including, as applicable, if known: (i) the date of the Disclosure; (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (iii) a brief description of the PHI Disclosed; and (iv) a brief statement of the purpose of the Disclosure.

9. Termination. Upon request by Customer made in accordance with the terms of the

Agreement after the effective date of termination or expiration of the Agreement, SFDC will make the Customer Data submitted to the Covered Services available to Customer for return, export, or download as provided in the Documentation. SFDC will otherwise have no obligation to maintain or provide any Customer Data, and will delete, overwrite, or destroy all copies of Customer Data in its systems or otherwise in its possession or control as provided in the Documentation, unless legally prohibited. In the event that SFDC determines that returning or destroying the PHI is infeasible, SFDC shall use commercially reasonable efforts to provide to Customer written notification of the conditions that make return or destruction infeasible. Upon Customer’s written agreement that the return or destruction of PHI is infeasible, SFDC shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as SFDC maintains such PHI.

10. Non-Compliance. In the event either party becomes aware that the other party has engaged

in a pattern of activity or practice that constitutes a material breach or violation of this Addendum, the non-breaching party may request in writing that the breaching party cure the breach or violation. If the breach or violation is not cured within 30 days of the written notice, the non-breaching party may terminate this Addendum and the Agreement..

Online Version 1

March 2020


11. Amendment. The parties shall take such action as is necessary to amend the Agreement and this Addendum from time to time as is necessary for the parties to comply with changes to the rules and regulations under HIPAA. If the parties cannot agree as to a necessary amendment, either party may terminate the Agreement and this Addendum with 30 days prior written notice to the other party.

12. Interpretation. Any ambiguity in this Addendum shall be resolved to permit the parties to

comply with HIPAA.

Acknowledged and agreed to by: RHODE ISLAND DEPARTMENT OF CARHSOFT TECHNOLOGY HEALTH

AUTHORIZED AGENT AUTHORIZED AGENT

TITLE TITLE Director

Bethany Blackwell

Printed Name Printed Name

Date Date

4/4/2020

Contact Information: Contact Information:


11493 Sunset Hills Road

Address Address

Reston, Va 20190

City, State, Zip City, State, Zip

Telephone

Telephone

7032307435

Online Version 1

March 2020


Attention: Attention: Bethany Blackwell

Online Version 1

March 2020


ADDENDUM E

BUSINESS ASSOCIATE AGREEMENT ADDENDUM TO THE MASTER

SUBSCRIPTION AGREEMENT

By executing the Agreement that references this Business Associate Agreement Addendum (the

“Addendum”) Customer and Salesforce.com (“SFDC”) agree to the terms of this Addendum. All

capitalized undefined terms herein shall have the meaning provided in the Master Subscription

Agreement between Customer and SFDC (the “Agreement”).

This Addendum is made a part of, and incorporated into, the Agreement. The purpose of this

Addendum is to implement certain of the requirements of the Health Insurance Portability and

Accountability Act of 1996 and the rules and regulations promulgated thereunder as supplemented

and amended by the requirements of Subtitle D of the Health Information Technology for

Economic and Clinical Health (HITECH) Act provisions of the American Recovery and

Reinvestment Act of 2009 and the rules and regulations promulgated thereunder (collectively,

“HIPAA”). The parties acknowledge that those regulations include both the federal privacy

regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts

160 and 164 (Subparts A & E) (the “Privacy Rule”), and the federal security regulations, as

amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164

(Subparts A & C) (the “Security Rule”).

In the course of providing those Services branded by SFDC as Force.com, Site.com,

Database.com, Sales Cloud, Service Cloud, Field Service Lightning, Communities, Chatter,

Salesforce Mobile app, Health Cloud, Einstein Analytics, IoT Explorer, Live Agent, Surveys, and

ExactTarget (collectively, the “Covered Services”) to Customer pursuant to the Agreement, SFDC

may, on behalf of Customer, receive, maintain or transmit information entered into the Covered

Services as Customer Data that constitutes Protected Health Information, as defined in 45 CFR

§160.103 (“PHI”), and as a result may, for certain purposes and under certain circumstances, be

deemed a Business Associate, as such term is defined in 45 CFR §160.103, under HIPAA.

“Documentation” means SFDC’s online user guides, documentation, and help and training

materials, as updated from time to time, accessible via help.salesforce.com or login to the

applicable Services. For clarity, Customer acknowledges that neither SFDC nor its Subcontractors

“create” Protected Health Information in the provision of the Covered Services. This Addendum

governs Customer’s and SFDC’s respective responsibilities with respect to such PHI to the extent

SFDC acts as a Business Associate to Customer, including SFDC’s Use and Disclosure of PHI, as

such terms are defined in 45 CFR §160.103. A capitalized term not defined herein shall have the

meaning ascribed to that term in the Agreement, or, if any such term has no meaning ascribed in

the Agreement, then such term shall have the meaning ascribed to it under HIPAA.

Online Version 1

March 2020


Accordingly, the parties agree as follows:

1. Use and Disclosure of PHI by Customer. Customer shall Use and Disclose PHI only as

permitted by HIPAA. Customer shall not authorize, request or require SFDC to Use or

Disclose PHI in any manner that would violate HIPAA if the Use or Disclosure were carried

out by Customer except as permitted under HIPAA and set forth in this Addendum.

Customer will not agree to any restriction requests or place any restrictions in any notice of

privacy practices that would cause SFDC or one of its Subcontractors to violate this

Addendum or any applicable law.

2. Use and Disclosure of PHI by SFDC. SFDC shall Use or Disclose PHI only in the manner

and for the purposes set forth in this Addendum or in accordance with the Agreement and not

in any other manner or for any other

purposes. Without limiting the generality of the foregoing, Customer hereby authorizes

SFDC to do the following:

(i) Use and Disclose PHI as necessary to provide the Covered Services, to prevent or

address service or technical problems and, to perform customer support services to

Customer;

(ii) Use and Disclose PHI as Required by Law; and

(iii) Use and Disclose PHI as necessary for the proper management and administration of

SFDC and to carry out the legal responsibilities of SFDC The Use and Disclosure of

PHI by SFDC pursuant to this Section 2(iii) is subject to the following, as permitted in

45 CFR §.164.504(e)(2)(i) and 45 CFR § 164.504(e)(4): (a) SFDC obtains reasonable

assurances from the person to whom the information is disclosed that it will be held

confidentially and used or further disclosed only as required by law or for the purposes

for which it was disclosed to the person; and (b) the person notifies SFDC of any

instances of which it is aware in which the confidentiality of the information has been

breached.

3. Protection of PHI. In connection with its receipt, maintenance or transmission of PHI on

behalf of Customer, SFDC agrees to do the following:

(i) in accordance with 45 CFR § 164.502(e)(1), SFDC may disclose PHI to

Subcontractors and such Subcontractors shall have the rights to Use and Disclose PHI

pursuant the agreement between SFDC and each Subcontractor, provided that SFDC

shall ensure that any Subcontractors that receive, maintain or transmit PHI on behalf

of SFDC agree to restrictions and conditions no less restrictive than those that apply

to SFDC in this Addendum with respect to such PHI;

(ii) use appropriate administrative, technical and physical safeguards, and comply, where

Online Version 1

March 2020


applicable, with the Security Rule with respect to any PHI that constitutes Electronic

Protected Health Information, to prevent Use or Disclosure of PHI other than as

provided for by this Addendum; and

(iii) to the extent SFDC carries out the Customer’s obligations under the Privacy Rule, if

applicable, comply with the requirements of the Privacy Rule that apply to the

Customer in the performance of those obligations; notwithstanding the foregoing, the

parties acknowledge that, under the Agreement and this Addendum, unless otherwise

agreed upon by the parties in writing, SFDC has no obligations to carry out any of

Customer’s obligations under the Privacy Rule.

4. Breach Notification.

(i) SFDC shall report to Customer any Use or Disclosure of PHI not provided for in this

Addendum of which SFDC becomes aware, including any Breach of Unsecured

Protected Health Information in accordance with 45 CFR § 164.410. SFDC shall

make such report without unreasonable delay and in no case later than thirty (30)

days after SFDC becomes aware of such Use or Disclosure or Breach. SFDC shall

provide to the Customer all information required by 45 CFR § 164.410(c) to the extent

known and provide any additional available information reasonably requested by

Customer for purposes of investigating the Breach as required by HIPAA. For

purposes of this Addendum, “Breach” means the acquisition, access, Use or

Disclosure of PHI in a manner not permitted by the Privacy Rule that compromises

the security or privacy of the PHI as defined, and subject to the exclusions set forth,

in 45 CFR § 164.402.

(ii) SFDC shall be required to report to Customer, without unreasonable delay, only

successful Security Incidents pertaining to PHI of which SFDC becomes aware.

SFDC hereby provides Customer with notice in this Section 4(ii) of the ongoing

existence and occurrence of attempted but unsuccessful Security Incidents, which

include, but are not limited to, pings and other broadcast attacks on SFDC’s firewall,

port scans, unsuccessful log-in attempts, denials of service attacks and any

combination of the above, so long such incidents do not result in unauthorized access,

Use or Disclosure of PHI. The parties agree that no further notice of unsuccessful

Security Incidents is required.

5. Access by HHS. SFDC shall make its internal practices, books and records relating to the

Use and Disclosure of PHI available to the Secretary of the United States Department of

Health and Human Services for purposes of determining Customer’s compliance with

HIPAA.

6. Individual Access Requests. SFDC shall forward to Customer any requests SFDC receives

from an Individual for access to the Individual’s PHI that is entered in the Covered Services

by Customer to which Customer shall respond in accordance with the requirements of 45

CFR § 164.524. The parties agree that, by virtue of providing the Covered Services, SFDC

Online Version 1

March 2020


will make available to Customer all PHI that is entered in the Covered Services by Customer,

including PHI about an Individual, to facilitate Customer’s compliance with the requirements

of 45 CFR § 164.524.

7. Individual Amendment Requests. Customer shall be exclusively responsible for

responding to all requests by Individuals for amendment to their PHI in accordance with

HIPAA. The parties agree that, by virtue of providing the Covered Services, SFDC will make

available to Customer all PHI that is entered in the Covered Services by Customer, including

any PHI required to be made available for amendment without unreasonable delay in

accordance with 45 CFR § 164.526, in a manner that allows the Customer to reasonably

incorporate any amendments to the PHI in accordance with 45 CFR § 164.526.

8. Individual Accounting Requests. SFDC shall in accordance with and as required by 45

CFR § 164.504(e)(2) document Disclosures of PHI made by SFDC and maintain information

related to such Disclosures. SFDC shall promptly make information available to Customer

within sixty (60) days of a request by Customer to assist Customer in complying with its

legal obligations under 45 CFR § 164.528 and in responding to requests by Individuals for

an accounting of such Disclosures of their respective PHI if Customer does not have or did

not have access to such information or the ability to accommodate such request through its

use of the Covered Services or otherwise and to the extent permitted by law; including, as

applicable, if known: (i) the date of the Disclosure; (ii) the name of the entity or person who

received the PHI and, if known, the address of such entity or person; (iii) a brief description

of the PHI Disclosed; and (iv) a brief statement of the purpose of the Disclosure.

9. Termination. Upon request by Customer made in accordance with the terms of the

Agreement after the effective date of termination or expiration of the Agreement, SFDC will

make the Customer Data submitted to the Covered Services available to Customer for return,

export, or download as provided in the Documentation. SFDC will otherwise have no

obligation to maintain or provide any Customer Data, and will delete, overwrite, or destroy

all copies of Customer Data in its systems or otherwise in its possession or control as provided

in the Documentation, unless legally prohibited. In the event that SFDC determines that

returning or destroying the PHI is infeasible, SFDC shall use commercially reasonable efforts

to provide to Customer written notification of the conditions that make return or destruction

infeasible. Upon Customer’s written agreement that the return or destruction of PHI is

infeasible, SFDC shall extend the protections of this Addendum to such PHI and limit further

uses and disclosures of such PHI to those purposes that make the return or destruction

infeasible, for so long as SFDC maintains such PHI.

10. Non-Compliance. In the event either party becomes aware that the other party has engaged

in a pattern of activity or practice that constitutes a material breach or violation of this

Addendum, the non-breaching party may request in writing that the breaching party cure the

breach or violation. If the breach or violation is not cured within 30 days of the written notice,

the non-breaching party may terminate this Addendum and the Agreement..

Online Version 1

March 2020


11. Amendment. The parties shall take such action as is necessary to amend the Agreement and

this Addendum from time to time as is necessary for the parties to comply with changes to

the rules and regulations under HIPAA. If the parties cannot agree as to a necessary

amendment, either party may terminate the Agreement and this Addendum with 30 days

prior written notice to the other party.

12. Interpretation. Any ambiguity in this Addendum shall be resolved to permit the parties to

comply with HIPAA.

Acknowledged and agreed to by:

RHODE ISLAND DEPARTMENT OF CARHSOFT TECHNOLOGY

HEALTH

AUTHORIZED AGENT AUTHORIZED AGENT

TITLE______________________ TITLE______________________

_____________________________ ____________________________

Printed Name Printed Name

_____________________________ _____________________________

Date Date

Contact Information: Contact Information:

_________________________________ _________________________________

Address Address

_________________________________ _________________________________

City, State, Zip City, State, Zip

Telephone________________________ Telephone________________________

Attention: ________________________ Attention:________________________

Deputy Director of Health

Ana Novais

4/4/2020

Rhode Island Department of Health3 Capitol Hill

Providence, RI 02908

401-222-5960

Akshar Patel

Notice of Contract Purchase Agreement

Documents

Transcript of Notice of Contract Purchase Agreement