The URL can be used to link to this page

Browse Search

Home My WebLink About20183312.tiffRESOLUTION RE: APPROVE AGREEMENT FOR BIOMETRIC IDENTIFICATION (FINGERPRINTING) SERVICES AND AUTHORIZE CHAIR TO SIGN - IDEMIA IDENTITY AND SECURITY USA, LLC WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and WHEREAS, the Board has been presented with an Agreement for Biometric Identification (Fingerprinting) Services between fie County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Department of Human Services, and Idemia Identity and Security USA, LLC, commencing upon full execution of signatures, with further terms and conditions being as stated in said agreement, and WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy of which is attached hereto and incorporated herein by reference. NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Agreement for Biometric Identification (Fingerprinting) Services between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Department of Human Services, and Idemia Identity and Security USA, LLC, be, and hereby is, approved. BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said agreement. The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 17th day of October, A.D., 2018. ATTEST: ddelf4/1)o•a. Weld County Clerk to the Board eouty Clerk to the Boar Clerk to the Boar APPRO ounty Attorney BOARD OF COUNTY COMMISSIONERS WELD C UNTY, COLORADO Steve Moreno, Chair arbara Kirkme er, iDro-Tem Date of signature: (Ohl / t can P. Conway CUSED lie A. Cozad Mike Freeman cc: HSD,cAC4M) to /oi/a o 2018-3312 HR0089 BOARD OF COUNTY COMMISSIONERS PASS -AROUND REVIEW RE: IDEMIA IDENTITY& SECURITY USA, LLC SERVICES AGREEMENT DEPARTMENT: DHS/County Attorney DATE: October 10, 2018 PERSON REQUESTING: Karin McDougal and Judy Griego Brief description of the problem/issue: Please find attached a services agreement with Idemia Identity & Security USA, LLC. Idemia is one of the Prime Contractors chosen by the State of Colorado to perform biometric identification services (fingerprinting) for the state agencies that perform background checks. Idemia partners with companies, local governments, etc., to have them house the equipment and perform the services for Idemia for a fee. Weld County Department of Human Services (WCDHS) has agreed to be that partner for a fee of $5.00 per successfully submitted transaction. A successful transaction is the submission and recording of Applicant's fingerprints and other biographic information on the Idemia server and sent direct to the federal or state automatic fingerprint identification system. WCDHS has agreed to have a small group of staff trained on Idemia equipment at no cost to WCDHS and to perform no more than 3 appointment per hour. The agreement may be terminated with 30 days written notice from either party. The agreement has been reviewed by the County Attorney's Office. What options exist for the Board? (Include consequences, impacts, costs, etc. of options) Approve the agreement for placement on the Agenda for October 17, 2018 or request a work session Recommendation: Approve the agreement for placement on the Agenda for October 17, 2018 without work session. Approve Recommendation Sean P. Conway Julie A. Cozad, Mike Freeman Barbara Kirkmeyer Steve Moreno, Chair Schedule Work Session Other/Comments: f 2018-3312 IDEMIA Identity & Security USA, LLC SERVICES AGREEMENT This Services Agreement ("Agreement") is entered into as of the 5'h day of October, 2018 ("Effective Date"), by and between Idemia Identity & Security USA, LLC having an office at 296 Concord Road, Suite 300, Billerica, MA 01821 ("IDEMIA") and, Weld County Board of County Commissioners, having an office at Department of Human Services, 315 North 1 l'h Avenue, Building B, Greeley, CO 80631("Service Provider"). WHEREAS: IDEMIA is the prime contractor under a contract to provide biometric identification services for one or more government agencies; and WHEREAS: IDEMIA has requested Service Provider to provide biometric identification services as IDEMIA's subcontractor and Service Provider agrees to provide such services under the terms and conditions of this Agreement. NOW, THEREFORE, the Parties agree as follows: 1. DEFINITIONS For purposes of this Agreement the following terms shall have the following meanings: A) "Agency" shall mean the government agency identified in Attachment A and to which IDEMIA transmits an Applicant's biometric and biographic information. B) "Applicant(s)" shall mean those individuals who have their biometric and biographic information transmitted to the Agency. C) "Applicant Fees" shall mean any fees due from Applicants, as specified in the SOW, or as otherwise communicated by IDEMIA to Service Provider from time to time. D) "Fees" shall mean those fees specified in Attachment A for Service Provider's provision of Services. E) "Prime Contract" shall mean the contract between IDEMIA and one or more government entities, or between IDEMIA and its higher -tier contractor, in support of a contract with one or more government entities. F) "Services" shall mean those services described in Attachment A or any subsequent SOW executed by the parties. G) "Statement of Work" or "SOW" shall mean Attachment A to this Agreement and any statement of work subsequently executed by the parties or any amendment to this Agreement to identify Services and set forth any additional terms and conditions. Should the SOW include any terms that are more stringent or restrictive than those of this Agreement, the terms of the SOW shall control. Revision Date: 5/29/2018 020/g- ,6/02.-, 2. SERVICES In consideration of IDEMIA's payment to Service Provider of the Fees, Service Provider hereby agrees to provide the Services in accordance with the terms and conditions of this Agreement and of all Attachments and Schedules hereto and any SOW, which shall be deemed incorporated into, and made a part of, this Agreement by this reference. Service Provider hereby agrees that IDEMIA may identify Service Provider as a subcontractor and provide relevant contact information in any proposals or bids IDEMIA submits for Prime Contracts or renewals thereof. IDEMIA may, from time to time, upon mutual written agreement (email is sufficient), license office space from Service Provider in order for IDEMIA employees to perform services that are the same or similar to Services. Service Provider will not receive any compensation under this Agreement for such services performed by IDEMIA employees or for the license of office space. 3. REMITTANCE OF APPLICANT FEES; TAXES A) Service Provider will collect and remit Applicant Fees to IDEMIA on a daily basis. All Applicant Fees are non-refundable and shall be remitted by Service Provider without any right of setoff or deduction. Where remittance of collected Applicant Fees is routinely late, IDEMIA may, at its sole discretion, deduct collected Applicant Fees from Fees paid to Service Provider upon 30 days written notice to Service Provider. B) In jurisdictions where Applicant Fees are subject to sales or other taxes, IDEMIA will include such taxes within Applicant Fees. The Service Provider will collect and remit any such taxes to IDEMIA with the Applicant Fees. IDEMIA is responsible for reporting, collection, and/or remittance of the taxes and governmental fees associated with the Applicant Fees. Service Provider is solely responsible for the reporting, collection, and /or remittance of all other taxes and governmental fees associated with Service Provider's business. 4. PAYMENT TO SERVICE PROVIDER IDEMIA agrees to pay Service Provider the Fees set forth in Attachment A within forty-five (45) days of the last day of the month in which the relevant Services were performed. 5. EQUIPMENT IDEMIA will provide Service Provider with all required hardware and software to perform Services, free of lease or charge, which may include a Livescan device, computer, monitor, printer, check scanner, router and required cabling ("Equipment"). Service Provider agrees that any Equipment provided by IDEMIA shall remain the sole property of IDEMIA and shall be used exclusively for the performance of Services. IDEMIA will maintain and support the Equipment at no charge to Service Provider, except as otherwise provided in this Agreement. Service Provider agrees to use best efforts to keep the equipment in good working order. If any Equipment is lost or intentionally damaged by the Service Provider, or is damaged as the result of Service Provider's gross negligence, IDEMIA may invoice Service Provider for the replacement value thereof or deduct the replacement value from Fees up to $5,000.00. 6. CONFIDENTIALITY A) "Confidential Information" means all information or material disclosed by one party hereto ("Discloser") in any manner, whether orally, visually or in tangible form, to the other party hereto ("Recipient"), or 2 Revision Date: 5/29/2013 otherwise discovered by or made available to Recipient. In the course of disclosing Confidential Information to the Recipient, Discloser shall endeavor to identify such information as "confidential", but failure to so identify such information as confidential shall not relieve Recipient of its obligations hereunder. Confidential Information shall not include information that: (a) is already known to Recipient without restriction on use or disclosure prior to receipt of such information from Discloser; (b) is or becomes part of the public domain other than by breach of this Agreement by Recipient; (c) is developed by Recipient independently of and without use of or reference to any of Discloser's Confidential Information; or (d) is received by Recipient from a third party who is not under any obligation to Discloser to maintain the confidentiality of such information. For the avoidance of doubt and notwithstanding any terms herein to the contrary, all information provided by Applicants shall be deemed Confidential Information B) IDEMIA is advised that as a public entity, Service Provider must comply with the provisions of C.R.S. 24- 72-201, et seq., with regard to public records, and cannot guarantee the confidentiality of all documents. Notwithstanding the foregoing, in the event that Service Provider receives a request under the Colorado Open Records Act ("Act") for any records provided by IDEMIA to the Service Provider, or records created by or through the Service Provider in providing Services, Service Provider shall promptly notify IDEMIA thereof so that IDEMIA may seek a protective order or otherwise assert any applicable exemption from disclosure under the Act. C) All Confidential Information disclosed by Discloser shall remain the sole property of Discloser. Nothing herein shall be construed as a grant by Discloser to Recipient or any third party of any license, directly or by implication, estoppel or otherwise, in any Confidential Information. Nothing contained herein shall create any obligation on the part of Discloser to provide Recipient with any Confidential Information. D) Discloser hereby authorizes Recipient to use Confidential Information solely for the purpose of performance of this Agreement and for no other purpose whatsoever. Such authorization shall automatically expire upon expiration or termination of this Agreement for any reason. Recipient covenants and agrees that it shall disclose, permit the disclosure of or allow access to Confidential Information to only those of its employees who have executed written confidentiality agreements with obligations of confidentiality and restrictions on use substantially similar to those herein.. E) Recipient agrees that it will handle Confidential Information with the same degree of care it takes to safeguard its own confidential information of a like nature, but in no event less than a reasonable degree of care, and will not use, disclose or make available, directly or indirectly, any Confidential Information to any person, concern or entity, except as expressly permitted hereunder. F) Recipient shall notify Discloser immediately upon discovery of any unauthorized use or disclosure of Confidential Information or any other breach of this Agreement by Recipient or its employees, and will cooperate with Discloser in every reasonable way to help Discloser regain possession of the Confidential Information and prevent its further unauthorized use or disclosure. O) Recipient shall not create derivative works from, reverse engineer, decompile or disassemble any software code and/or pre-release hardware devices disclosed by Discloser to the Recipient under the terms of this Agreement, except as expressly permitted by applicable law. 3 Revision Date: 5/29/2018 H) Notwithstanding any other provision of this Agreement, Recipient may disclose Confidential Information in response to a valid order of a court, regulatory agency, or other governmental body in the United States or any political subdivision thereof, but only to the limited extent and for the limited purposes stated in such order; provided, however, that Recipient shall first notify Discloser in writing of the order and cooperate with Discloser if Discloser desires to seek an appropriate protective order. 1) All Confidential Information, copies and summaries thereof shall be returned to Discloser within ten (10) days of Discloser's request. At Discloser's option, Confidential Information, including all copies, may instead be destroyed by Recipient, provided Recipient certifies such destruction in writing to Discloser within five (5) days of Discloser's instructions to Recipient. This obligation survives expiration or termination of this Agreement. J) Discloser may seek injunctive relief from any court of competent jurisdiction if necessary to preserve the status quo or otherwise prevent irreparable harm from the unauthorized disclosure or use of its Confidential Information. 7. NON -SOLICITATION; NON -COMPETE Service Provider agrees that during the term of this Agreement, except as otherwise permitted in advance in writing by IDEMIA, Service Provider shall not (a) divert or attempt to divert from IDEMIA any business of IDEMIA; (b) perform any services which are related or similar to the Services for any person or entity other than IDEMIA, which duty shall be interpreted as broadly as allowed under law to prevent Service Provider from interfering with IDEMIA's business opportunities and to prevent Service Provider from competing against IDEMIA or assisting other persons or entities to perform work which has the effect of reducing the work available to IDEMIA; (c) interfere with IDEMIA's employee relationships, or with IDEMIA's customer or vendor relationships. For the avoidance of doubt, the Weld County Sherriffs Office shall not be bound by the terms of this Section 7. 8. WARRANTIES A) Service Provider represents and warrants that all employees and contractors of Service Provider, who collect, submit or otherwise process biometric or biographic information of Applicants will be only United States citizens or legal permanent residents (unless the Prime Contract requires otherwise, which requirement shall be communicated by IDEMIA). B) For purposes of this Section 8, all individuals subject to Background Check Requirements shall hereinafter be referred to as "Restricted Personnel." Service Provider will not use Restricted Personnel in performance of this Agreement until after IDEMIA's Chief Security Officer or Chief Compliance Officer has notified Service Provider in writing that such Restricted Personnel meet Background Check Requirements. It shall be a material breach of this Agreement by Service Provider if any Restricted Personnel begin to perform under this Agreement before IDEMIA has provided such notification. C) Service Provider further represents and warrants that: i) Services will be performed in a timely, professional and workman -like manner and will conform to the specifications stated in the applicable SOW; and 4 Revision Date: 5/29/2018 ii) Service Provider shall comply with all federal, state and local laws and regulations and any terms identified in the SOW as a Prime Contract Flow -Down Term. Should any terms identified in the SOW as Prime Contract Flow -Down Terms conflict with any terms of this Agreement, the terms identified as Prime Contract Flow -Down Terms shall control. 9. INSURANCE Service Provider is a "public entity" within the meaning of the Colorado Governmental Immunity Act, §§24-10-101, et seq., C.R.S. (the "GIA"), Service Provider shall maintain, at all times during the term of this Contract such liability insurance, by commercial policy or self- insurance, as is necessary to meet its liabilities under the GIA. 10. INTENTIONALLY OMITTED 11. LIMITATION OF LIABILITY No term or condition of this contract shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protections or other provisions, of the Colorado Governmental Immunity Act §§24-10-101 et seq., as applicable now or hereafter amended. 12. TERM AND TERMINATION A) This Agreement will commence on the Effective Date and remain in full force and effect until terminated by either party under the terms of this Agreement. B) IDEMIA may terminate this Agreement at any time upon written notice for any breach or non- compliance with this Agreement that IDEMIA reasonably believes denigrates its business reputation or could lead to termination of the Prime Contract. C) This Agreement shall terminate automatically and with immediate effect upon the expiration or termination of the Prime Contract or if the Agency or any party to the Prime Contract informs IDEMIA that Service Provider is no longer an approved subcontractor. D) Either party may terminate this Agreement in the event that a material breach by the other party remains uncured for a period of thirty (30) days from the date the party in breach receives written notice of such breach, if the breaching party is capable of curing the breach. E) IDEMIA may terminate this Agreement, in whole or in part (i.e., terminate the provision of a) Services provided under any one Prime Contract or b) Services provided at any individual location of Service Provider), at any time for any reason with thirty (30) days prior written notice. If requested by IDEMIA, Service Provider agrees to continue providing the Services during the thirty (30) day notice period and IDEMIA will pay Service Provider in accordance with the terms of this Agreement. F) Service Provider may terminate this Agreement, in whole or in part (i.e., terminate the provision of a) Services provided under any one Prime Contract or b) Services provided at any individual location of Service Provider), at any time for any reason with thirty (30) days prior written notice. If requested by 5 Revision Date: 5/29/2018 IDEMIA, Service Provider agrees to continue providing the Services during the thirty (30) day notice period and IDEMIA will pay Service Provider in accordance with the terms of this Agreement. G) In the event of termination, Service Provider agrees to assist IDEMIA with any de -installation of the Equipment, transition of resources and work product and to provide full cooperation and support for transition to an alternate service provider. 13. DOCUMENT RETENTION; AUDIT Service Provider shall maintain records, books, tiles and other data and in such detail as shall properly substantiate claims for payment, for a minimum retention period of seven (7) years, beginning on the date the Services were provided, or such longer period as is necessary for the resolution of any litigation, claim, negotiation, audit or other inquiry. Service Provider shall provide IDEMIA and the Agency with access to such records during Service Provider's regular business hours and upon reasonable prior notice, including on -site reviews and reproduction of such records at IDEMIA's expense. 14. NON-DISCRIMINATION; UNFAIR LABOR PRACTICES Service Provider shall comply with all federal, state and local laws, rules and . regulations promoting fair employment practices or prohibiting employment discrimination and unfair labor practices, and shall not discriminate against any employee or applicant for employment, nor shall any qualified employee be demoted, discharged or otherwise subject to discrimination in the tenure, position, promotional opportunities, wages, benefits or terms and conditions of their employment, because of race, creed, color, national origin, ancestry, age, sex, religion, height, weight, marital status, physical or mental disability, genetic predisposition, carrier status or sexual orientation, or for exercising any rights afforded by law. 15. INTENTIONALLY OMITTED 16. EXPORT CONTROL Notwithstanding anything to the contrary in this Agreement, Service Provider acknowledges and agrees that it may be subject to regulations of the U.S. Department of Commerce that prohibit the export or diversion of certain products and technologies to certain countries. Service Provider agrees that it will not export or divert any information or technology provided hereunder without fully complying with all relevant laws of and regulations, including without limitation, the US Export Administration Act of 1979, as amended, any successor legislation, and the Export Administration Regulations issued by the US Department of Commerce. 17. E -VERIFY Service Provider warrants that it utilizes and shall continue to utilize for the term of this Agreement, the U.S. Department of Homeland Security's E -Verify system to determine the eligibility of its employees and independent contractors to lawfully work in the U.S. Service Provider shall provide, upon request of IDEMIA, proof of compliance with the terms of this Section 17 which may include an electronic or hardcopy screenshot of the confirmation or tentative non -conformation screen containing the E -Verify case verification number for any Service Provider employee or contractor performing services under this Agreement. 6 Revision Date: 5/29/2018 18. GOVERNING LAW This Agreement shall be governed by and construed in accordance with the laws of the State of Colorado without regard to conflicts of law rules. 19. SURVIVAL The sections of this Agreement which by their nature require survival after termination or completion of the Services shall survive and remain notwithstanding any termination or completion of the Services. The Sections which shall survive include, but are not limited to, Sections 3 (Remittance of Applicant Fees; Taxes), 4 (Payment to Service Provider), 5 (Equipment), 6 (Confidentiality), 7 (Non -Solicitation; Non -Compete), 8-{ e#ttfrt cadet ; 11 (Limitation of Liability), 12 (Termination), 13 (Document Retention), 16 (Export Control), 18 (Governing Law), 19 (Survival), 22 (Severability), 23 (Notices) and 24 (Entire Agreement). 20. INDEPENDENT CONTRACTOR The relationship between the Parties subject to this Agreement shall be independent contractors. Service Provider employees or agents rendering services under this Agreement shall not be employees of 1DEMIA, the Agency or any government entity that is a party to the Prime Contract for federal or state tax purposes, or for any other purpose. Service Provider shall be responsible for workers' compensation, social security, unemployment insurance and all applicable taxes. 21. ASSIGNMENT Neither party may assign any of its rights or delegate any of its duties, in whole or in part, without the prior written consent of the other party. Any attempted assignment or delegation without such consent shall be null and void. Notwithstanding the foregoing, IDEMIA may assign this Agreement to any current or future parent or subsidiary of IDEMIA or of such parent without Service Provider's prior written consent. 22. SEVERABILITY If any provision of this Agreement should be held to be invalid in any way or unenforceable, it shall be severed and the remaining provisions shall not in any way be affected or impaired. This Agreement shall be construed so as to most nearly give effect to the intent of the parties as originally executed. 23. NOTICES Any notice required by this Agreement or given in connection with it, shall be in writing and shall be given to the appropriate party by personal delivery or by certified mail, postage prepaid, or recognized overnight delivery services to the parties' respective addresses first set forth above. Except as otherwise provided herein, such notices shall be deemed given when received copies of all notices to IDEMIA shall be sent to: Idemia Identity & Security USA, LLC Attn: General Counsel 296 Concord Road, Suite 300 Billerica, MA 01821 7 Revision Date: 5/29/2018 With a copy to: Idemia Identity & Security USA, LLC Attn: Charles Carroll 6840 Carothers Parkway, Suite 601 Franklin, TN 37067 All notice to Service Provider shall be sent to: Weld County Board of County Commissioners Attn: Judy Griego, Department of Human Services PO Box A Greeley, CO 80632 24. ENTIRE AGREEMENT This Agreement and all Attachments and Schedules contain the entire understanding between the parties concerning the subject matter hereof and supersedes all prior and contemporaneous communications and agreements with respect to such subject matter. There are no representations, warranties, terms, conditions, undertakings or collateral agreements, express, implied or statutory, between the parties other than as expressly set forth in this Agreement. No provision of this Agreement can be waived or cancelled, and this Agreement cannot be changed, modified or amended, except by an instrument in writing executed by both parties. Notwithstanding the foregoing, the parties agree that IDEMIA may amend this Agreement by providing advance written notice thereof to Service Provider, stating that if Service Provider does not respond to such notice within the time period specified, Service Provider shall be deemed to have accepted the terms of any such amendment, without any requirement of Service Provider's written acknowledgement or signature. 25. COUNTERPARTS This Agreement may be executed in counterparts, each of which shall be deemed an original Agreement for all purposes and which collectively shall constitute one and the same Agreement. The signature of either of the parties hereto may be evidenced by a facsimile or electronic (e.g., pdt) copy of this Agreement bearing such signature and transmitted to the other party. Such signature shall -be valid and binding as if an original executed copy of the Agreement has been delivered. IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed as of the Effective Date. Idemia Identity & Security USA, LLC Weld County Board of County Commissioners Patrick Kell t:2 .10 by Patrick0:27!3 Kelly Date: 2018.10.2'3 1027'38 -04'00' By: Name: Patrick Kelly Title: Sr. Director of Business Development Sales & Marketing 8 Revision Date: 5/29/2018 By: OCT 17 Zen Name: Steve Moreno Title: Chair doii- LIST OF ATTACHMENTS Attachment A Attachment B Schedule A Schedule B Schedule C Schedule D Revision Date: 5/29/2015 Statement of Work (SOW) W-9 Personnel Requirements Security Requirements Technical Requirements ECQC Assessment 9 WELD COUNTY: �C ATTEST: diaA441 Weld ' o n CI to the B he BOARD OF COUNTY COMMISSIONERS WELD COUNTY, COLORADO ve Moreno, Chair OCT 12018 APPROVED AS TO FUNDI PROVED AS TO S BSTANCE: I Barb Connelly, C(troller Conty Attorney APPROVED AS TO FORM: Departm ao/6c1,- �3/ , Attachment A ,Statement of Work (SOW) — Colorado This Statement of Work ("SOW") identifies the Fees, Applicant Fees and the Services to be provided by Weld County Board of Count Commissioners ("Service Provider") under the terms of the Services Agreement between Service Provider and IDEMIA Identity & Security USA, LLC ("IDEMIA"), dated on or around October 5t', 2018 ("Agreement"), and sets forth any additional terms and conditions concerning the Services, except as otherwise expressly provided herein by reference to the affected section of the Agreement, the rights and obligations of the parties set forth in this SOW shall be governed by the Agreement. Capitalized terms used herein without definition shall have the meanings assigned to them in the Agreement. A. Summary IDEMIA is a Prime Contract holder with the State of Colorado, by and through the Colorado Bureau of Investigation (CBI) to provide electronic fingerprint services to Colorado applicants who require a fingerprint - based background check by one or more Colorado state agencies, including the Department of Human Services, Department of Education, Department of Regulatory Agencies, and the CBI, among others. Applicants are required to have a fingerprint -based background check pursuant to Colorado or Federal law. IDEMIA transmits Applicant fingerprints and biographic information to CBI, and CBI runs the fingerprints through its state Automated Fingerprint Identification System (AFIS) and the Federal Bureau of Investigation (FBI) database to perform a criminal history check. After CBI has adjudicated the results, the results are then made available by CBI to the requesting agency, volunteer organization or employer. This SOW describes the basic requirements for the Service Provider to provide fingerprinting services to IDEMIA in support of the Prime Contract. B. Fees IDEMIA agrees to pay Service Provider a payment of $5.00 per successfully submitted transaction under the terms of Section 4 of the Agreement. Successfully submitted transactions are defined as the submission and recording of Applicant's fingerprints and other biographic information on the IDEMIA server and sent directly to the Federal or State Automatic Fingerprint Identification System (AFIS). Service Provider will not be paid for rejected fingerprint submissions. C. Prime Contract Flow -Down Terms See Appendix II to this Attachment A. D. Service Provider Responsibilities 1) The Service Provider shall provide electronic fingerprinting services and associated processing for non- criminal justice licensing and employment purposes pursuant to state and federal laws requiring background checks. Except as may be specifically stated in the Agreement, Service Provider is responsible for all staffing, operations, building leases, equipment rental, consumables and office supplies required for performance of Services. 2) Service Provider is responsible for abiding by IDEMIA policies and procedures and for establishing the availability of necessary facilities, trained personnel, and the delivery of all services described herein to the satisfaction of IDEMIA and the State and acknowledges that this is a material term of this contract and that failure to perform may be considered a material breach. 3) Service Provider must provide documentation to IDEMIA indicating the background criminal records check for all Service Provider personnel that may submit fingerprints and complete administrative tasks prior to the start of their duties relating to the program. Service Provider employees must have no criminal record, excluding minor traffic offenses. IDEMIA will provide instructions and the approved process for the Service Provider to follow for complying with the background check requirement. IDEMIA reserves the right to reject any potential employee. 4) Service Provider will verify the identity of each Applicant and the specific reason they are requesting fingerprinting services prior to collecting fingerprints. Service Provider shall also require each Applicant to, ,Induce Revision Date: 6/15/2018 2 INITIAL a government -issued photo identification prior to being fingerprinted. 5) Service Provider will accept Applicant Fees in the form of credit cards, business checks, cashier's checks or money orders, unless mutually agreed to in writing. Applicants who make their appointments online will have other payment options. For Applicants paying on site, the Service Provider collects the rolling fee plus applicable Federal, State or FBI channeling charges. 6) On a daily basis, Service Provider will a) submit a reconciliation report in a format to be specified by IDEMIA and b) remit all collected Applicant Fees to the IDEMIA Billing Department in a postage -paid envelope provided by IDEMIA. Service Provider will provide other reports and data requested by IDEMIA from time to time. 7) Service Provider will provide a receipt, in a format specified by IDEMIA, to each Applicant who is fingerprinted, as evidence of successful completion of the transaction. The receipt will include a unique identifying number assigned and submitted with the electronic submission of the Applicant's biometric and biographic information. 8) Service Provider is responsible for providing reports and data in the formats and time frames as requested by the State Agency and IDEMIA. 9) The Service Provider shall provide all services and deliverables as required, described, and detailed herein and shall meet all service and delivery timelines as specified. 10) Service Provider will not collect any additional Applicant Fees from Applicants whose fingerprints were submitted by Service Provider 11) In addition to Service Provider's confidentiality obligations under the Agreement, Service Provider shall take reasonable steps (e.g., privacy screens, room partitions, separate collection room or area) to ensure that Applicant data visible on the Livescan device is shielded from view by anyone other than the Applicant and the Service Provider employee operating the Livescan device. 12) Service Provider must maintain a fingerprint rejection rate of less than 2%. Only individuals that have attended an IDEMIA fingerprint -rolling training session, who have reviewed, executed and returned the IDEMIA IT Security Policy and meet other requirements of the Agreement may operate Equipment. 13) Service Provider agrees to provide Services with a high degree of professionalism, treat all Applicants in a polite and courteous manner, and promptly notify IDEMIA of any issues or incidents that arise from Applicant dissatisfaction. Service Provider agrees to provide adequate parking, ADA-accessibility and reasonable accommodations for Applicants waiting for fingerprinting appointments. 14) Service Provider shall provide services under this SOW within the targets specified in the Service Level Agreements (SLAs) defined in Appendix I: Service Provider Performance Metrics. 15) Service Provider will strive to meet the standards described in the Enrollment Center Quality Control document attached to the Agreement as Schedule D. 16) Service Provider shall ensure that all Service Provider employees and contractors wear an identification badge at all times while performing Services. Other name tag requirements are as follows: ■ Service Provider- provided name tags are acceptable. • The name tags should have at least the employee's full first name and the initial of their last name. Service Provider's corporate logo may also be displayed on name tags. ■ If Service Provider does not issue name tags, IDEMIA will provide an IdentoGO name tag for the initial onboarding staff at no cost. Payment for additional or replacement name tags will be the responsibility of the Service Provider. 17) Service Provider shall comply with any signage and branding guidelines provided by IDEMIA Revision Date: 6/15/2018 3 INITIAL oZb/ f- 33 /z 18) IDEMIA will provide initial training for Service Provider employees at IDEMIA expense. Service Provider must cause its employees to complete approximately 3-5 hours of computer based training (CBT) prior to 2-3 days of hands-on instruction with an IDEMIA Trainer. The Trainer will observe the employee in a live environment for 1 day during normal hours of operation. The employee must demonstrate proficiency of the material learned. The Trainer will determine whether the employee is competent to perform the work independently in the Trainer's certification process. Examples of specific training topics include: • Glossary of Terms and Acronyms • Enrollment Process • Identification Verification/Citizenship Status • Identification Authentication/I-Authenticate • Photograph Capture • Payment Processing • Fingerprint Captures • Start of Day and End of Day Procedures ▪ Data Entry • Operations & Administration Only individuals that have attended an IDEMIA enrollment workstation training session and have reviewed, executed and returned the IDEMIA IT Security Awareness and PII Training, and have successfully cleared all background checks and/or drug screens may operate the enrollment workstation. IDEMIA's training process is initiated, maintained, and monitored by the IDEMIA training organization and recorded in the Greenlight Learning Management System (LMS) as part of the program personnel's permanent training record. 1DEMIA will provide Briefings on a regular basis highlighting system updates and program changes. New training modules will be initiated a minimum of 4 limes per year as new services and/or features are released or refreshed. Assigned trainings take approximately 20-90 minutes to complete. 19) Service Provider agrees to accept Applicants for processing during the below standard days and hours of operation: Monday through Friday from 8:30am — 4:15pm 20) In the event the specified, standard days and hours of operation cannot be met and a single event closure, whether scheduled or unscheduled, of the site is necessary, Service Provider will offer replacement hours comparable to the lost hours respective to the closure date(s) requested, in order to accommodate applicant scheduling needs. 21) Service Provider will ensure Enrollment Center availability in accordance with the Weld County Government Calendar. 22) Service Provider must communicate any requested changes to the agreed -upon operating hours to the appropriate IDEMIA Supervisor/Manager, with a minimum of thirty (30) days' notice. Any permanent changes to operating schedules must be pre -approved in writing by IDEMIA. In the event of an unscheduled closure, Service Provider must notify IDEMIA no later than 8 AM local time on the date of such closure. 23) Service Provider agrees to accept 3 appointments per hour, as specified by IDEMIA from time to time, during the agreed upon hours of operation. 24) Service Provider will provide a minimum of three Enrollment Agents to perform fingerprinting services for each livescan workstation. (i.e. 3 EAs for 1 livescan, 6 EAs for 2 livescans, etc.). All Enrollment Agents must maintain the necessary level of proficiency under the Agreement by rotating, as needed, into the fingerprinting schedule and be able to provide backfill coverage as needed. Should an Enrollment Agent no longer be available to the program, Service Provider will promptly submit additional name(s) for vetting to maintain the minimum level of necessary EAs. Revision Date: 6/15/2018 4 INITIAL d r- 01D/8- 3.3/a_ E. IDEMIA Responsibilitieg 1) IDEMIA will provide training for Service Provider employees to provide Services. 2) IDEMIA will provide a toll -free customer service phone number for Applicants to pre -register for fingerprint processing appointments or to get related information, as well as an online registration portal. 3) IDEMIA will establish and maintain a website that allows applicants to pre -enroll and schedule for fingerprint processing including collection of demographic information necessary for registration. 4) IDEMIA will provide technical and operational support to the Service Provider and their staff during normal operating hours. The Technical Help Desk is available Monday -Friday from 6:OOAM-9:00 PM and Saturday 7:OOAM-7:OOPM Mountain Time. The Call Center Customer Support is available Monday -Friday from 7:00AM- 3:30 PM Mountain Time. Revision Date: 6/15/2018 5 INITIAL ✓r o2Da-.33/2_ Appendix I to Attachment A Service Provider Performance Metrics The Service Provider shall provide IDEMIA with performance measures that fall within the Service Level Agreements (SLAs) defined below. The SLAs have been established to evaluate Service Provider performance. These metrics may also provide a benchmark to identify areas for future improvements. Repeated failure to comply with these SLA measurements may result in contract termination. The Service Provider shall, to the maximum extent possible, meet or exceed the Desired Outcomes summarized in the table below. These objectives are of equal importance to IDEMIA and its customers. Acceptable quality levels (AQLs) are defined as the minimum level of performance accepted by IDEMIA and its customers. The Service Provider shall meet each performance measure with careful observance of established policies and procedures. IDEMIA will calculate and provide regular feedback of SLA performance for each Service Provider. If performance falls below the identified AQL level for a period of measurement, the Service Provider agrees to adjust their operational performance promptly to assure adherence to the SLAs, including adjustment of hours of operation and adding additional staff as needed. IDEMIA will provide additional workstation equipment when necessary to enable Service Provider to meet the SLAs. # Performance Measure Definition • Desired Outcome/Acceptable Quality Level (AQL) Measurement Frequency 1. :Technical FBI Fingerprint Rejection Rate Percentage of fingerprints rejected by the FBI due to poor quality/erroneous processing. s 2% of submitted fingerprints Monthly Application/Enrollment Rejection Rate Percentage of applications/enrollments rejected by the CBI or CBI authorized receiving system due to mismatched, misspelled, incorrectly formatted or incomplete application data. s 1% of submitted applications/enrollments Monthly '°Becurity Security Violations A compromise or suspected compromise of information to persons not authorized to receive that information, or a serious failure to comply with the provisions of applicable security requirements which is likely to result in compromise. A practice dangerous to security is defined as any knowing, willful, or negligent action contrary to the provisions of applicable security requirements that does not rise to the level of a security violation. A pattern of repeated lesser security infractions committed by Service Provider personnel may result in determination of a practice dangerous to security. 0 violations The Service Provider does not commit any security violations or engage in any practices dangerous to security. The final determination as to the classification and severity of a security incident as either a security violation or practice dangerous to security is at the discretion of IDEMIA. As soon as the violation is discovered 3. Privacy Privacy Violations A compromise or suspected compromise of Personally Identifiable Information (PII) to persons not authorized to receive that information, or a serious failure to comply with the provisions of applicable privacy requirements which is likely to result in compromise. A practice dangerous to privacy is defined as any knowing, willful, or negligent action contrary to the provisions of applicable privacy requirements that does not rise to the level of a privacy violation. A pattern of repeated lesser privacy infractions committed by Service Provider personnel may result in a determination of a practice dangerous to privacy. 0 violations The Service Provider does not commit any privacy violations or engage in any practices dangerous to privacy. The final determination as to the classification and severity of a privacy incident as either a privacy violation or practice dangerous to privacy is at the discretion of IDEMIA. As soon as the violation is discovered Revision Date: 6/15/2018 6 INITIAL✓� / 0Zo/f o 53/z 4 Customer Service Operational Availability The percentage of time that an enrollment center is open (number of hours closed/ number of scheduled operational hours) EA Procedural Errors Number of errors in procedure by EAs that are identified by audit, error detection, or other circumstances Number of incorrectly handled checks or money orders. This includes failing to process, submit, or control these financial instruments according to established procedures Evaluation of seriousness and frequency of errors Monthly Financial Instrument Handling Compliance Critical Customer Service Measures are further defined below: Evaluation of seriousness and frequency of errors Monthly pperaliortal Availability This is defined as the time that an enrollment center is open as a percentage of its scheduled hours (i.e., number of hours open divided by number of scheduled hours). 1) Any closures related to weather shall not be included in this metric. 2) Federal government holidays (for example, Thanksgiving Day) shall not be included as part of scheduled hours since it is anticipated that all enrollment centers will be closed during these holidays. 3) Any pre -approved non-standard closures, including annual Weld County holiday closures, shall be excluded from this metric (for example, Mardi Gras holiday closures in Louisiana). 4) System -related closures shall be excluded from the metric a. For example, if the IDEMIA or government system or any provided components of IDEMIA's UEP system are unavailable, then those hours of outage will not be included in this metric. 5) Any sites that are scheduled for only one day of operations in a week and that have an unscheduled closure, will not have the unscheduled closure time included in the metric, so long as the operational hours are "made up" later in the same calendar week. a. For example, if a site is scheduled for 9 AM — 5 PM operations on Mondays only and has an unscheduled closure, then the unscheduled closure shall be excluded from this metric if the site is open for a cumulative 8 operational hours later in the same calendar week. Any closure that exceeds one hour shall require Service Provider to notify IDEMIA and will be included in this metric. $eripnsincident Penalties , Serious Incidents include, but are not limited to, the following: • Leaving enrollment work station unattended • improper safeguarding and disposal of PII • Improper handling of fees • Unscheduled site closure for reasons other than catastrophic event or severe weather • Neglecting to complete mandatory Learning Management System (LMS) modules • Improper use of assigned login credentials A Serious Incident occurs when Service Provider fails to comply with procedures and processes defined in the Agreement, this SOW or published program materials such as the user training manual, standard operating procedures and other program directives or warning orders issued by IDEMIA or IDEMIA's customer. Revision Date: 6/15/2018 7 INITIAL e?.ZD/?- .3,3/7— Appendix H to Attachment A Prime Contract Flow -Down Terms 1) Insurance Service Provider shall obtain and maintain, and ensure that each subcontractor of Service Provider shall obtain and maintain, insurance as specified herein at all times during the term of the Agreement. All insurance policies required by this SOW shall he issued by insurance companies that may be subject to approval by the Agency. Service Provider is a public entity, and therefore only Subsection K and L of this section applies, unless Service Provider engages a subcontractor who is not a public entity. A. Workers' Compensation Workers' compensation insurance as required by state statute, and employers' liability insurance covering all Service Provider employees and any Service Provider subcontractor employees acting within the course and scope of their employment. B. General Liability Commercial general liability insurance covering premises operations, fire damage, independent contractors, products and completed operations, blanket contractual liability, personal injury, and advertising liability with minimum limits as follows: i. $1,000,000 each occurrence; ii. $1,000,000 general aggregate; iii. $1,000,000 products and completed operations aggregate; and iv. $50,000 any 1 fire. C. Automobile Liability To the extent Service Provider uses automobiles in the performance of Services, automobile liability insurance covering any auto (including owned, hired and non -owned autos) with a minimum limit of $1,000,000 each accident combined single limit. D. Protected Information Liability insurance covering all loss of Confidential Information, such as personally identifiable information, payment card information, and criminal justice information, and claims based on alleged violations of privacy rights through improper use or disclosure of protected information with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $2,000,000 general aggregate. E. Professional Liability Insurance Professional liability insurance covering any damages caused by an error, omission or any negligent act with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $1,000,000 general aggregate. F. Crime Insurance Crime insurance including employee dishonesty coverage with minimum limits as follows: i. $1,000,000 each occurrence; and ii. $1,000,000 general aggregate. G. Additional Insured The State with jurisdiction over the Agency ("the State") shall be named as an additional insured on all Revision Date: 6/15/2018 8 INITIAL• .72.9/1-33/;,- commercial general liability policies (leases and construction contracts require additional insured coverage for completed operations) required of Service Provider and its subcontractors hereunder. H. Primacy of Coverage Coverage required of Service Provider and its subcontractors hereunder shall be primary over any insurance or self-insurance program carried by Service Provider or the State. Cancellation The above insurance policies shall include provisions preventing cancellation or non -renewal, except for cancellation based on non-payment of premiums, without at least 30 days prior notice to Service Provider and Service Provider shall forward such notice to the State and to IDEMIA in accordance with Section 23 of the Agreement within 7 days of Service Provider's receipt of such notice. J. Subrogation Waiver All insurance policies secured or maintained by Service Provider and its subcontractors in relation to the Agreement shall include clauses stating that each carrier shall waive all rights of recovery under subrogation or otherwise against Service Provider, IDEMIA or the State, its agencies, institutions, organizations, officers, agents, employees, and volunteers. K. Public Entities If Service Provider is a "public entity" within the meaning of the Colorado Governmental Immunity Act, §24- 10-101, et seq., C.R.S. (the "GIA"), Service Provider shall maintain, in lieu of the liability insurance requirements stated above, at all times during the term of the Agreement such liability insurance, by commercial policy or self-insurance, as is necessary to meet its liabilities under the GIA. If any of Service Provider's subcontractors is a public entity within the meaning of the GIA, Service Provider shall ensure that the subcontractor maintain at all times during the terms of the Agreement, in lieu of the liability insurance requirements stated above, such liability insurance, by commercial policy or self-insurance, as is necessary to meet the subcontractor's obligations under the GIA. L. Certificates Service Provider shall provide to the State certificates evidencing Service Provider's insurance coverage required in this SOW within 7 Business Days following the Effective Date of the Agreement. Service Provider shall provide to the State certificates evidencing insurance coverage of Service Provider's subcontractors, as required under this SOW, within 7 Business Days following the Effective Date of the Agreement, except that, if any such subcontract is not in effect as of the Effective Date of the Agreement, Service Provider shall provide to IDEMIA and the State certificates showing insurance coverage of Service Provider's subcontractors, as required under this SOW, within 7 Business Days following Service Provider's execution of the subcontract. Service Provider shall deliver to 1DEMIA and the State certificates of insurance evidencing renewals of coverage within 15 days before the expiration date of Service Provider's or any of its subcontractors' coverage. At any other time during the term of the Agreement, upon request by IDEMIA or the State, Service Provider shall, within 7 business days following the request by IDEMIA or the State, as the case may be, supply to the State or IDEMIA evidence satisfactory to IDEMIA or the State of compliance with the insurance requirements of this SOW. 2) Fmnloyee Nondisclosure Agreements Service Provider shall ensure that all agents, employees, assigns and subcontractors with access to Confidential Information sign the Employee Nondisclosure and Confidentiality Agreement to be provided by IDEMIA, and that the nondisclosure provisions are in force at all times the agent, employee, assign or subcontractor has access to any Confidential Information. IDEMIA will deliver signed copies of the agreements to the State. 3) Governing Law Notwithstanding any terms of the Agreement to the contrary, the Agreement shall be governed by and construed in accordance with the laws of the State of Colorado, without regard to conflicts of law rules. Revision Date: 6/15/2018 9 INITIAL „fr 020/f P.3/�i 4) Ft -Verify Service Provider certifies, warrants, and agrees that it does not knowingly employ or contract with an illegal alien who will perform work under this Agreement and will confirm the employment eligibility of all employees who are newly hired for employment in the United States to perform work under this Agreement, through participation in the E -Verify Program established under Pub. L. 104-208 or the State verification program established pursuant to §8-17.5-102(5)(c), C.R.S. Service Provider shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or enter into a contract with a subcontractor that fails to certify that the subcontractor shall not knowingly employ or contract with an illegal alien to perform work under this Agreement. Service Provider (i) shall not use E -Verify Program or State program procedures to undertake pre -employment screening of job applicants while this Agreement is being performed, (ii) shall notify the subcontractor and the Agency within 3 days if Service Provider has actual knowledge that a subcontractor is employing or contracting with an illegal alien for work under this Agreement, (iii) shall terminate the subcontract if a subcontractor does not stop employing or contracting with the illegal alien within 3 days of receiving the notice, and (iv) shall comply with reasonable requests made in the course of an investigation, undertaken pursuant to §8-17.5-102(5), C.R.S., by the Colorado Department of Labor and Employment. If Service Provider participates in the State program, Service Provider shall deliver to the Agency, Institution of Higher Education or political subdivision, a written, notarized affirmation, affirming that Service Provider has examined the legal work status of such employee, and shall comply with all of the other requirements of the State program. If Service Provider fails to comply with any requirement of this provision or §§8-17.5-101, et seq., C.R.S., the Agency, Institution of Higher Education or political subdivision may cause IDEMIA to terminate this Agreement for breach and, if so terminated, Service Provider shall be liable for damages. Revision Date: 6/15/2018 1 INITIAL 9^4 azo/8- 33/2- Schedule A Personnel Reauirements for Enrollment Anentq Summary Service Provider shall provide qualified personnel to serve as Enrollment Agents (EA). EA's must be citizens of the United States or legal permanent residents of the United States. EA's must meet the specifications as indicated in attachment, A Statement of Work (SOW). Service Provider shall hire qualified candidates in compliance with federal and state laws. Job postings shall be general in nature and not list the specific program, federal agency, teaming members, or salary of the EA position. The following Job Description section of this document outlines the tasks the EA will perform. These employees must also adhere to the Personal Appearance Guidelines listed below. Wherever practical, Service Provider will hire disabled veterans to perform these services. Job Description The primary job function of the EA is to capture biometric data including electronic fingerprints according to the requirements of Attachment A, SOW. The EA will verify the applicant's identity documents to ensure they are valid and match the individual. The EA will adhere to all privacy and security laws as reviewed in training to ensure the protection of customer information. They are expected to deliver exceptional customer service during the enrollment process. Additional responsibilities include, but are not limited to, supporting the IDEMIA Operations and Management teams, and conducting other administrative duties as needed to support program requirements. Enrollment Agents staffed for this program shall perform services as follows: • View and print appointment schedule using web -based applications • Verify identity of and enroll employee/applicant, scan documents, and capture biometrics using the computer equipment provided in accordance with program requirements • Transmit applicant information and fingerprints • Provide reports to IDEMIA as might be reasonably requested • Interface with the helpdesk to resolve technical difficulties • Monitor performance to ensure operational requirements and metrics are being met • Implement process improvements as needed Enrollment Agents will possess, at a minimum, the following attributes and qualifications: • Must be a US Citizen • Hold a valid driver's license if travel between locations is required • Professional in appearance and behavior • Excellent customer service skills, including problem resolution • Above average computer skills with the ability to conduct basic troubleshooting on hardware and software • Ability to perform the core functions of the enrollment process • Ability to pass a pre -employment background check and drug test • Flexibility and dependability Personal Appearance Guidelines Dress, grooming, and personal cleanliness standards contribute to the morale of all employees and affect the business image IDEMIA and its Service Providers present to customers and visitors. During business hours or when representing IDEMIA, Enrollment Agents are expected to present a clean, neat, and tasteful appearance. Revision Date: 1/2/2018 1 Schedule A Schedule B Security Requirements Physical Security Service Provider shall ensure employees follow IDEMIA provided policies and procedures governing physical, environmental, and information security, and the specifications, directives, and manuals for conducting work to generate the products and services as required by this Agreement. Personnel are responsible for the physical security of their area and Contractor Furnished Equipment (CFE) issued to them under the provisions of the Agreement. Service Provider is responsible for maintaining compliance with physical security requirements that may be revised over the life of this Agreement. Service Provider shall protect all IDEMIA-provided assets from loss, theft, abuse, and any malicious, destructive or disruptive activity. Desktop computers must be physically locked to stationary objects at all times. Portable computers must be locked to stationary objects whenever they are not in the direct physical possession of Service Provider personnel. Cable Lock Instructions for Workstations and Laptop Systems will accompany the equipment. Passwords Service Provider personnel must never share or disclose any password, PIN, or authentication token. Passwords are highly confidential. IDEMIA and its affiliates will never contact Service Provider personnel to ask for a username or password. If a password is compromised, or if Service Provider personnel are asked to share their password, the IDEMIA program manager must be notified immediately. Personally Identifiable Information: Data Privacy and Protection Service Provider personnel are required to submit all necessary security information to commence work on this Agreement, in accordance with State and Federal Security Standards. Personnel must obtain a favorable suitability determination to work under this Agreement. The Service Provider and its personnel are required to sign a non -disclosure agreement based on the content of the information handled in performing tasks. Service Provider must satisfy requirements to work with and safeguard Personally Identifiable Information (PII). All support personnel must understand and rigorously follow IDEMIA, State, and Federal requirements, policies, and procedures for safeguarding PII. For some programs Service Provider personnel are required to complete online training for PII, Informational Security, and the Federal Privacy Act. Service Provider shall not disclose, either orally, electronically, or in writing, any information that may be considered sensitive unless authorized in writing by IDEMIA. Service Provider is responsible for the security of all data generated by Service Provider. Service Provider agrees to ensure all users of IDEMIA Information Technology (IT) assets will adhere to all security requirements regarding the confidentiality, integrity, availability, and non -repudiation of information under their control. Service Provider is responsible for all users accessing IDEMIA IT assets and must guarantee those users actively apply the security requirements specified within this IDEMIA contract package. Handling Personally Identifiable Information (PII) Sensitive Personally Identifiable Information (PII) includes any information about an individual, such as: • Any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records • Any other information linked or linkable to an individual, such as medical, educational, financial, and employment information Service Provider is responsible for the following requirements in accordance with handling PII and any sensitive information: The following are non-exclusive PII handling requirements. Service Provider is responsible to take all required actions to protect PII: • Physically secure sensitive PII (e.g., safe or lockable file cabinet or drawer) when not in use and/or under the control of a person with a need -to -know. Sensitive PII may be stored in a room/area with access control measures Revision Date: 6/15/2013 t Schedule B preventing unauthorized access by members of the public, visitors, or other persons without a need -to -know, such as a locked room or an area where access is controlled by a guard, cipher lock or card reader • Physically secure sensitive PII when in transit. For example, do not pack laptops or electronic storage devices in checked baggage. Do not leave laptops or electronic storage devices in an unattended car. (See the Physical Security section of this document) Do not mail or courier sensitive PII on CDs unless the CD is encrypted with FIPS-compliant AES-128 encryption. Contact the IDEMIA program office for more information if needed. • Store sensitive PII in shared access computer drives only if access is restricted to those with a need -to -know by permissions settings or passwords • Log off, turn off, or lock your computer whenever leaving a desk to ensure no sensitive PII is compromised • Do not include sensitive PII in the body of an email. Encrypt all documents containing sensitive PII sent via email. Two software programs that support this are Microsoft Office and WinZip. Contact the IDEMIA program office for more information if needed • Do not discuss or entrust sensitive PII to individuals who do not have a need -to -know. Be conscious of the environment and surroundings when discussing sensitive PII. Do not discuss sensitive PII on wireless or cordless phones unless absolutely necessary • Do not leave sensitive PIl unattended on a network printer, facsimile, or copier. Do not send sensitive PII to a facsimile without contacting the recipient to arrange for its receipt • Only desktop and laptop computers, removable hard drives, thumb drives, or other storage devices issued and approved for use by IDEMIA may be used for storage of sensitive PII. These devices must be secured with authorization and encryption mechanisms or equivalent protection approved by IDEMIA • Do not remove PII from the worksite, in either paper or electronic format unless appropriately secured. Electronic formats must be encrypted. Paper formats must be under the control of the employee or locked in a container. Personal computers must not be used to access, process or store sensitive PII • Destroy all sensitive PIT when it is no longer needed and continued retention is not required. Destruction must be accomplished by shredding, or through such other means as will make the sensitive PII in the record irretrievable. Diskettes, USB and other forms of external drives, or other magnetic media must be cleared (i.e. overwritten or zeroed) before re -use. Records stored pending a scheduled destruction must be safeguarded to prevent unauthorized access during the interval before destruction • Report any suspected or confirmed loss, theft, or unauthorized disclosures of sensitive PII within one hour of discovery to the IDEMIA program office. Report the date/time the data compromise was discovered, how it occurred, what data was involved, the number of individuals whose data was compromised, and any information regarding mitigation of the risk of loss (e.g., encryption) Service Provider is prohibited from requesting, collecting, or maintaining any applicant PII other than expressly permitted within this SOW. The following activities requiring PII retention are permitted: • Usage of IDEMIA provided applicant processing software to display, edit, and confirm applicant's data • Capturing applicant information required to perform the sign -in of the applicant using the IDEMIA provided applicant sign -in log • Upon acceptance of a money order from an applicant, recording the required subset of applicant information on the IDEMIA provided money order tracking log Protection of IDEMIA Intellectual Capital, Intellectual Property, and Proprietary Information Service Provider shall not use or disclose any of IDEMIA's Proprietary Information, in whole or in part, for any purpose, including but not limited to: • Manufacture or enable manufacture by itself or any third party of the IDEMIA products, products similar thereto, or products derived there from, without the prior express written consent of IDEMIA • Decompile, disassemble, decode, reproduce, redesign, reverse engineer or manufacture any products or equipment of the disclosing party or any part thereof • Perform any services, including services relating to the products or equipment of the disclosing party • Deliver under a contract or make subject to a "rights in data" clause or equivalent clause • Confer with a competitor of IDEMIA about services that relate to the type of services provided under this Agreement Revision Date: 6/15/2018 2 Schedule B Proprietary Information includes but is not limited to IDEMIA's trade secrets, financial information, economic or engineering information, formulas, know how, processes, pricing, business plans or models, licenses, copyrights, patents, technical data, intellectual property, software, hardware, software integration, hardware integration, software and hardware integration, designs, trademarks, service marks, trade secrets, and inventions. Proprietary Information shall remain the exclusive property of IDEMIA, and no license therein is granted by IDEMIA. Security Training Service Provider will ensure all appropriate personnel review and agree to comply with these and any other applicable Security Requirements within 30 days of assignment to work under the Agreement and at a minimum annually thereafter. Service Provider must ensure all staff supporting this effort completes other security training as requested by the program they are working on. Revision Date: 6/15/2018 3 Schedule B Schedule C Technical Requirements 1. Service Provider agrees that only authorized personnel shall have physical control of and access to the Livescan and all components. When Livescan and all components are not under the physical control of authorized personnel, they shall be secured in a way that will not allow anyone else to gain possession of the equipment or gain access to the data contained on the equipment. If the Livescan becomes compromised, lost, and or stolen at any time, Service Provider agrees to immediately contact IDEMIA's TouchCare Support Center at (866) 326- 5309 to report the matter. 2. Service Provider agrees to provide Internet connectivity within ten (10) feet of the area where the Live Scan equipment is installed. Service Provider sites agree to meet the requirements for connectivity to the IDEMIA network, to include: • Broadband\High-Speed Business Connection; Usage of a wireless router is allowed with the workstation hardwired into the router. See diagram and approved list of routers below. Wireless connectivity is not permitted • Internet connectivity minimum upload speed shall be provided for the following configurations: o 128 Kbps for 1 workstation o 256K Kbps for 2 workstations o 1 Mbps for up to 8 workstations o 3 Mbps for up to 25 workstations o 5 Mbps for up to 40 workstations • Latency must be below 100ms • Firewall protection in front of Livescan, firewall should be bi-directional • Update Anti -virus software daily. IDEMIA has supplied Symantec Anti -Virus; it is the Service Provider's responsibility to ensure the software is updated daily. • Service Provider may not connect any peripheral devices (mouse, keyboard, etc.) to the IDEMIA Livescan workstation and may not use the Livescan workstation for internet browsing or other functions. • The following connectivity protocols need to be allowed out from the workstation to the Internet: o SSL port 443 o DNS Service • Approved Routers: o Non -Wireless — Cisco Small Business RV320 • The following connectivity protocols to be opened on core firewall to allow VPN connectivity: Service SSL Secure Socket Layer PPTP Control Connection PPTP Tunnel Encapsulation ISAKMP/IPSEC Key Management IPSEC Tunnel Encapsulation IPSEC NAT Transparency TCP/IP Setting (DHCP/Static IP) Protocol Number Source Port 6 (TCP) N/A 6 (TCP) 1023 47 (GRE) N/A 17 (UDP) 500 50 (ESP) N/A 17 (UDP) 10000 (default) If Static IP, provide address Destination Port 443 1723 N/A 500 N/A 10000 (default) The Livescan will have Cisco VPN client software that will establish the VPN tunnel back to IDEMIA. IDEMIA does not currently allow VPN site -to -site connections, only host -to -gateway. Revision Date: I /2/2018 1 Schedule C Cheryl Hoffman From: Sent: To: Subject: noreply@weldgov.com Thursday, April 18, 2024 8:25 AM CM-ClerktoBoard; Windy Luna; Lesley Cobb; CM-HumanServices-DeptHead Fast Tracked Contract ID (8060) Contract # 8060 has been Fast Tracked to CM -Contract Maintenance. You will be notified in the future based on the Contract information below: Entity Name: IDEMIA IDENTITY & SECURITY USA LLC Contract Name: IDEMIA (BIOMETRIC FINGERPRINT IDENTIFICATION SERVICES - IDENTIGO) Contract Amount: $0.00 Contract ID: 8060 Contract Lead: WLUNA Department: HUMAN SERVICES Review Date: 4/1/2025 Renewable Contract: NO Renew Date: Expiration Date:6/1/2025 Tyler Ref #: 20183312 Thank -you o2D/r, ,33 ia- �a�9 Cheryl Hoffman From: Sent: To: Cc: Subject: Attachments: Good afternoon CTB, FAST TRACK ITEM: Windy Luna Wednesday, April 17, 2024 4:00 PM CTB HS -Contract Management FAST TRACK ITEM: IDEMIA (Biometric Fingerprinting Identification Services - IdentiGo) (2018-3312) Idemia Agreement 2018.pdf; RE: IDEMA Identity & Security USA, LLC Attached please find the IDEMIA (Biometric Fingerprinting Identification Services - IdentiGo) Services Agreement. Per Kimberly Rino email 04/02/2024, this agreement is in perpetuity and no changes are needed at this time. IDEMIA is known as Tyler ID# 2018-3312, and is being Fast Tracked as CMS #8060 for tracking purposes only. It will be reviewed in one year. Regards, Windy Luna Contract Administrative Coordinator Weld County Dept. of Human Services 315 N. 11th Ave., Bldg A PO Box A Greeley, CO 80632 (970) 400-6544 wluna@weld.gov Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited. Houstan Aragon From: Sent: To: Subject: noreply@weldgov.com Tuesday, April 22, 2025 1:15 PM CM-ClerktoBoard; Sara Adams; Lesley Cobb; CM-HumanServices-DeptHead Fast Tracked Contract ID (9389) Contract # 9389 has been Fast Tracked to CM -Contract Maintenance. You will be notified in the future based on the Contract information below: Entity Name: IDEMIA IDENTITY & SECURITY USA LLC Contract Name: IDEMIA (BIOMETRIC FINGERPRINT IDENTIFICATION SERVICES - IDENTIGO) Contract Amount: $0.00 Contract ID: 9389 Contract Lead: SADAMS Department: HUMAN SERVICES Review Date: 4/1/2026 Renewable Contract: YES Renew Date: 6/1/2026 Expiration Date: Tyler Ref #: Thank -you aorrvvaci- (1)4_301 FO.S\-TvO.C1z Y2-v12wed Z01$-3312 Me_0n9 Houstan Aragon From: Sent: To: Cc: Subject: Attachments: Good afternoon CTB, FAST TRACK ITEM: Sara Adams Tuesday, April 22, 2025 1:10 PM CTB HS -Contract Management FAST TRACK - O1 Idemia Identity & Security USA LLC Agreement (CMS #9389) Idemia Agreement 2018.pdf Attached please find the Idemia Identity & Security USA LLC Agreement (Tyler ID# 2018-3312). This agreement is in perpetuity and is reviewed on a yearly basis. No changes are required. This will be a Fast Track item in CMS for tracking purposes only (CMS#9389). Thank you, Sara COUNTY, 00 Sara Adams Contract Administrative Coordinator Department of Human Services Desk: 970-400-6603 P.O. Box A, 315 N. 11th Ave., Greeley, CO 80632 061000 0 Join Our Team Important: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited. Hello