|
C. License or Use Audit Rights. If this PO includes any license or other right to use Vendor's intellectual property,
<br /> Vendor shall have the right, at any time during and throughout the term of this PO, but not more than once during any State
<br /> fiscal year, to request via written notice in accordance with the notice provisions of this PO that the State audit its use of
<br /> Vendor's intellectual property and certify as to its compliance with any applicable license or use restrictions and limitations
<br /> contained in this PO (an "Audit Request"). The Audit Request shall specify the time period to be covered by the audit, which
<br /> shall not include any time periods covered by a previous audit. The State shall complete the audit and provide certification
<br /> of its compliance to Vendor ("Audit Certification") within 120 days following the State's receipt of the Audit Request. If upon
<br /> receipt of the State's Audit Certification, the parties reasonably determine that: (a) the State's use of licenses, use of
<br /> software, use of programs, or any other use of intellectual property during the audit period exceeded the use restrictions
<br /> and limitations contained in this PO ("Overuse") and (b)the State would have been or is then required to purchase additional
<br /> rights to use Vendor's intellectual property ("Additional Rights"), Vendor shall provide written notice to the State in
<br /> accordance with the notice provisions of this PO identifying any Overuse or required Additional Rights and request that the
<br /> State bring its use into compliance with such use restrictions and limitations. Notwithstanding anything to the contrary in
<br /> this PO, or incorporated as a part of Vendor's or any subcontractor's website, click-through or online agreements, third-
<br /> party agreements, or any other documents or agreements between the parties, the State shall not be liable for the costs
<br /> associated with any Overuse or Additional Rights, during the audit period regardless of whether the State may have been
<br /> notified in advance of such costs.
<br /> D. Vendor Records. Vendor shall maintain a file of all documents, records, communications, notes, and other materials
<br /> relating to the work (the "Vendor Records"). Vendor Records shall include all documents, records, communications, notes
<br /> and other materials maintained by Vendor that relate to any work performed by Subcontractors, and Vendor shall maintain
<br /> all records related to the work performed by Subcontractors required to ensure proper performance of that work. Unless a
<br /> longer period is required in this PO or any attachment or exhibit to this PO, Vendor shall maintain Vendor Records until the
<br /> last to occur of: (a)the date 3 years after the date this Purchase Order expires or is terminated, (b)final payment under this
<br /> Purchase Order is made, (c)the resolution of any pending Purchase Order matters, or(d) if an audit is occurring, or Vendor
<br /> has received notice that an audit is pending, the date such audit is completed and its findings have been resolved (the
<br /> "Record Retention Period"). Vendor shall permit the State, the federal government, and any other duly authorized agent of
<br /> a governmental agency to audit, inspect, examine, excerpt, copy, and transcribe Vendor Records during the Record
<br /> Retention Period.Vendor shall make Vendor Records available during normal business hours at Vendor's office or place of
<br /> business, or at other mutually agreed upon times or locations, upon no fewer than 2 Business Days' notice from the State,
<br /> unless the State determines that a shorter period of notice, or no notice, is necessary to protect the interests of the State.
<br /> The State, in its discretion, may monitor Vendor's performance of its obligations under this Purchase Order using procedures
<br /> as determined by the State. The State shall monitor Vendor's performance in a manner that does not unduly interfere with
<br /> Vendor's performance of the work. Vendor shall promptly submit to the State a copy of any final audit report of an audit
<br /> performed on Vendor's records that relates to or affects this Purchase Order or the work,whether the audit is conducted by
<br /> Vendor or a third party.
<br /> E. Information Confidentiality. Vendor shall keep confidential, and cause all subcontractors to keep confidential, all
<br /> State Records, unless those State Records are publicly available. Vendor shall not, without prior written approval of the
<br /> State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as
<br /> otherwise stated in this PO, permitted by law, or approved in writing by the State. Vendor shall provide for the security of all
<br /> State Confidential Information in accordance with all applicable laws, rules, policies, publications, and guidelines. If Vendor
<br /> or any of its subcontractors will or may have access to any State Confidential Information or any other protected information,
<br /> Vendor shall comply with all Colorado Office of Information Security (OIS) policies and procedures which OIS has issued
<br /> pursuant to CRS§§24-37.5-401 through 406, and 8 CCR§1501-5 and posted at https:Hoit.colorado.gov/standards-policies-
<br /> quides/technical-standards-policies, all information security and privacy obligations imposed by any federal, state, or local
<br /> statute or regulation, or by any industry standards or guidelines, as applicable based on the classification of the data relevant
<br /> to Vendor's performance under this PO. Such obligations may arise from HIPAA; IRS Publication 1075; Payment Card
<br /> Industry Data Security Standard (PCI-DSS); Federal Bureau of Investigation Criminal Justice Information Service Security
<br /> Addendum; Centers for Medicare & Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges; and
<br /> Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging
<br /> Electronic Information With The Social Security Administration. Vendor shall immediately forward any request or demand
<br /> for State Records to the State's purchasing agent.
<br /> F. Other Entity Access and Nondisclosure Agreements. Vendor may provide State Records to its agents, employees,
<br /> assigns and subcontractors as necessary to perform the work, but shall restrict access to State Confidential Information to
<br /> those agents, employees, assigns, and subcontractors who require access to perform their obligations under this PO.
<br /> Vendor shall ensure all such agents, employees, assigns, and subcontractors sign agreements containing nondisclosure
<br /> provisions at least as protective as those in this PO, and that the nondisclosure provisions are in force at all times the agent,
<br /> employee, assign or subcontractor has access to any State Confidential Information. Vendor shall provide copies of those
<br /> signed nondisclosure provisions to the State upon execution of the nondisclosure provisions if requested by the State.
<br /> G. Use, Security, and Retention. Vendor shall use, hold, and maintain State Confidential Information in compliance with
<br /> all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment
<br /> Page 6 of 8
<br /> Effective 7/1/2022
<br />
|