during the Record Retention Period. Vendor shall make Vendor Records available during normal business hours at Vendor's office or place of business, or at other mutually agreed upon times or locations, upon no fewer than 2 Business Days' notice from the State, unless the State determines that a shorter period of notice, or no notice, is necessary to protect the interests of the State. The State, in its discretion, may monitor Vendor's performance of its obligations under this Purchase Order using procedures as determined by the State. The State shall monitor Vendor's performance in a manner that does not unduly interfere with Vendor's performance of the work. Vendor shall promptly submit to the State a copy of any final audit report of an audit performed on Vendor's records that relates to or affects this Purchase Order or the work, whether the audit is conducted by Vendor or a third party.

E. Information Confidentiality. Vendor shall keep confidential, and cause all subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Vendor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this PO, permitted by law, or approved in writing by the State. Vendor shall provide for the security of all State Confidential Information in accordance with all applicable laws, rules, policies, publications, and guidelines. If Vendor or any of its subcontractors will or may have access to any State Confidential Information or any other protected information, Vendor shall comply with all Colorado Office of Information Security (OIS) policies and procedures which OIS has issued pursuant to CRS §§24-37.5-401 through 406, and 8 CCR §1501-5 and posted at https://oit.colorado.gov/standards-policies-guides/technical-standards-policies, all information security and privacy obligations imposed by any federal, state, or local statute or regulation, or by any industry standards or guidelines, as applicable based on the classification of the data relevant to Vendor's performance under this PO. Such obligations may arise from HIPAA; IRS Publication 1075; Payment Card Industry Data Security Standard (PCI-DSS); Federal Bureau of Investigation Criminal Justice Information Service Security Addendum; Centers for Medicare & Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges; and Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information With The Social Security Administration. Vendor shall immediately forward any request or demand for State Records to the State's purchasing agent.

F. Other Entity Access and Nondisclosure Agreements. Vendor may provide State Records to its agents, employees, assigns and subcontractors as necessary to perform the work, but shall restrict access to State Confidential Information to those agents, employees, assigns, and subcontractors who require access to perform their obligations under this PO. Vendor shall ensure all such agents, employees, assigns, and subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this PO, and that the nondisclosure provisions are in force at all times the agent, employee, assign or subcontractor has access to any State Confidential Information. Vendor shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions if requested by the State.

G. Use, Security, and Retention. Vendor shall use, hold, and maintain State Confidential Information in compliance with all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information. Vendor shall provide the State with access, subject to Vendor's reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this PO, Vendor shall return State Records provided to Vendor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Vendor is prevented by law or regulation from returning or destroying State Confidential Information, Vendor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information.

H. Incident Notice and Remediation. If Vendor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Vendor can establish none of Vendor or
<br /> Page 8of10
<br /> Effective 7/1/2022