15.1 Records. Vendor shall make, keep, maintain, and allow inspection and monitoring by ITSC and each MRM State
of a complete file of all material records, documents, communications, notes, and other written materials, electronic media files, and communications, pertaining in any manner to the MRM System, Infrastructure, Services, Deliverables, and other obligations and responsibilities of Vendor under this Agreement, including each MRM State Addendum. Vendor shall maintain such records until the last to occur of: (a) a period of 5 years after the date this Agreement expires or is sooner terminated; (b) final payment is made hereunder; (c) the resolution of any pending matters hereunder; (d) such period required by applicable MRM State Law; or (e) if an audit is occurring or Vendor has received notice that an audit is pending, until such audit has been completed and its findings have been resolved (collectively, the “Record
Retention Period”).
15.2 Inspection. Vendor shall permit ITSC, each MRM State, and the federal government or any other duly
authorized agent of a governmental agency to audit, inspect, examine, excerpt, copy and/or transcribe Vendor’s records relating to this Agreement during the Record Retention Period to assure compliance with the terms hereof. Vendor shall permit any MRM State to audit, inspect, examine, excerpt, copy and/or transcribe Vendor’s records pertaining to any MRM State Addendum relating to such MRM State during the Record Retention Period to assure compliance with the terms thereof.
15.3 Monitoring. Vendor shall permit ITSC, each MRM, the federal government, any state, and any governmental
agency having jurisdiction, in their sole discretion, to monitor all activities conducted by Vendor pursuant to the terms of this Agreement using any reasonable procedure, including: internal evaluation procedures, examination of program data, special analyses, on-site checking, formal audit examinations, or any other procedures. All monitoring controlled by ITSC shall be performed in a manner that shall not unduly interfere with Vendor’s general business operations or performance hereunder. Vendor shall permit each MRM State to monitor all activities conducted by Vendor pursuant to the terms of the Addendum relating to such MRM State, unless provided to the contrary in such Addendum.
to this Agreement in accordance with the provisions hereof, in such form as prescribed by ITSC.
15.5 Audits. Full, timely participation in scheduled and random security audits, including hosting infrastructure and/or the application vulnerability assessments. Complete compliance with all Federal and MRM state laws, regulations, statutes, policies, standards. Conduct self-audits on all software and hardware, modifications, patches applied, etc.
15.6 Notifications. Vendor shall provide ITSC and MRM States notification consistent with the failure to meet any RFP requirements, events, breaches, and agreed upon Operational Service Agreement (OSA) and Service Level Agreement (SLA) failures.
16. INDEMNIFICATION.
16.1 Indemnification. Vendor shall, at any Consortium Indemnified Party’s sole discretion, defend, indemnify, and
hold ITSC and each of the MRM States, as well as each of their respective elected officials, officers, agents, employees, end users, and sublicensees (collectively and individually “Consortium Indemnified Party”), individually and collectively, harmless, from any and all costs, losses, damages, expenses (including reasonable attorney’s fees), liabilities, claims, lawsuits, proceedings, or demands (collectively “Liability”) arising out of or resulting from and of the following (each, a “Claim”): (a) any claim or allegation that the Infrastructure or Services (or accompanying Deliverables), the development or operation thereof by Vendor, or the use or enjoyment thereof by any Consortium Indemnified Party infringes,
misappropriates or otherwise violates any IPR of any third party; (b) any third-party claim or allegation, including any claim by any MRM State, alleging a breach by the Vendor of any of its obligations regarding confidentiality or data security or privacy hereunder; (c) any third-party claim or allegation, including any claim by any MRM State, alleging a breach by Vendor of any of its representations, warranties or covenants under this Agreement; and (iv) any claim or allegation, including, any claim by any MRM State, arising or resulting from acts, omissions, or negligence on the part of Vendor, its employees, or any person or entity acting for or on its or their behalf relating to this Agreement.
16.2 Notice of Claims. In each instance in which a Consortium Indemnified Party seeks to have Vendor indemnify
such Consortium Party for or defend such Consortium Indemnified Party against any Claim or Liability, the Consortium Indemnified Party shall provide Vendor with prompt written notice of such Claim and reasonable assistance, provided that the Consortium Indemnified Party will have the right to participate in such defense and negotiations using counsel at its own expense. Vendor will obtain the Consortium Indemnified Party’s consent, which will not be unreasonably withheld, prior to entering into a settlement or compromise or consenting to any injunctive relief with respect to such Claim. In instances where the Consortium Indemnified Party chooses to defend a Claim itself, the Consortium
Indemnified Party shall promptly notify Vendor in writing of such choice. Vendor shall promptly reimburse the
Consortium Indemnified Party for any fees for monies owed, when due, as a result of the Consortium Indemnified Party defending and resolving the claim or otherwise owed to the Consortium Indemnified Party under this Section.
16.3 Nothing contained herein shall be deemed to accord to Vendor, through its attorney(s) or otherwise, the right to
represent ITSC in any legal matter, or any of the other Consortium States subject to the respective Laws of such Consortium States.
17. LIABILITY.
17.1 ITSC/Consortium Liability. Neither ITSC nor any MRM State shall have any liability to Vendor or any other third
party arising out of any party’s performance of this Agreement, except as expressly provided in this Agreement.
17.2 Limitation of Liability. Regardless of whether any remedy set forth herein fails of its essential purpose or
otherwise, to the greatest extent permissible under applicable law, in no event will ITSC or its elected officials, affiliates, employees, agents, contractors, assigns, licensees, or successors in interest, be liable for any indirect, incidental,
consequential, special, punitive or other damages other than direct damages arising out of or relating to this Agreement, whether in an action in contract, tort, strict liability or otherwise, even if ITSC has been advised of the possibility of those damages and whether or not such loss or damages are foreseeable.
(a) The total cumulative liability of ITSC under this Agreement for any liability or damages arising out of or relating to this Agreement, whether in contract, tort, or otherwise, will not exceed the Maximum Compensation Amount, as may be amended,
(b) With the exception of liability for any indemnification obligation under this Agreement, the total cumulative liability of Vendor under this Agreement for any liability or damages arising out of or relating to this Agreement, whether in contract, tort, or otherwise, will not exceed the greater of the any actual direct damages and 3 times the Maximum Compensation Amount, as may be amended, provided that in no event shall this Section limit the liability of Vendor for its intentional torts, criminal acts, or fraudulent conduct.
17.4 Applicable Immunities. Nothing in this Agreement shall be construed or interpreted as a waiver, express or
implied, of any of the immunities, rights, benefits, protection, or other provisions, of any MRM State under applicable Laws, including all applicable governmental immunity statutes.
18. CONFIDENTIALITY.
18.1 Definitions.
(a) “Confidential Information” means all confidential information of a Disclosing Party, whether in paper or electronic format, disclosed to a Recipient that is designated in writing as confidential at the time of disclosure or that would be reasonably understood to be proprietary and confidential. Confidential Information shall not include
information received under this Agreement required to be disclosed pursuant to the open records statutes of the Laws of any MRM State.
(b) “MRM State Confidential Information” means all Confidential Information belonging to any MRM State.
(c) “Disclosing Party” means a party disclosing Confidential Information.
(d) “ITSC Confidential Information” means the Confidential Information of ITSC. Confidential Information of ITSC shall include the System, Infrastructure, Data, and Deliverables.
(e) “Recipient” means a party receiving Confidential Information.
(f) “Vendor Confidential Information” means all Confidential Information of Vendor.
18.2 Exceptions. Confidential Information shall not include information that: (a) was generally available to the public
at the time it was disclosed, or becomes generally available to the public through no fault of the Recipient; (b) was known to the Recipient at the time of disclosure as shown by written records in existence at the time of disclosure; (c) was developed independently by the Recipient prior to the disclosure, as shown by written records in existence prior to the disclosure; (d) is disclosed with the prior written approval of the Disclosing Party; (e) becomes known to the
Recipient from a source other than the Disclosing Party without breach of this Agreement, and in a manner that is otherwise not in violation of the Disclosing Party’s rights; (f) is required under the open records statutes applicable to the Recipient (where the Recipient is a MRM State); or (g) is disclosed pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the Recipient shall attempt to provide reasonable advance notice to the Disclosing Party to enable the Disclosing Party to seek a protective order or otherwise prevent such disclosure.
18.3 Obligations of the Parties. Each Recipient receiving Confidential Information of a Disclosing Party shall (a) treat
as confidential all Confidential Information provided by the Disclosing Party in compliance with the laws, regulations, and state cyber-security procedures applicable to the confidentiality of information; (b) not use such Confidential Information except as expressly permitted under the terms of this Agreement under which the Confidential Information was disclosed, or as otherwise previously authorized in writing by the Disclosing Party; (c) implement reasonable procedures to prohibit the disclosure, unauthorized duplication, reverse engineering, disassembly, decompiling, misuse or removal of such Confidential Information; (d) not disclose such Confidential Information to any third party, except to employees, affiliates and contractors that require access to the Confidential Information for the performance of obligations under this Agreement and that are bound by enforceable confidentiality obligations substantially similar to
Recipient shall use at least the same degree of care to prevent the disclosure of the Confidential Information of a Disclosing Party as it uses to prevent the disclosure of its own Confidential Information, and shall in any event use no less than a reasonable degree of care.
18.4 Notification. Each Recipient of the Confidential Information of a Disclosing Party shall: (a) notify each of its
agents, employees, contractors and assigns who are authorized to use or reasonably may be expected to come into contact with the Confidential Information that each is subject to the confidentiality requirements set forth herein and in any Addendum under which the disclosure is made; and (b) provide each such agent, employee, contractor, and assigns with a written explanation of such requirements before permitting such agent, employee, contractor, and assigns to access Confidential Information.
18.5 Use, Security, and Retention. Neither ITSC Confidential Information nor any MRM Confidential Information of
any kind, shall be distributed or sold to any third party or used by Vendor, its contractors, or their respective employees and agents in any manner, except as approved in writing by the authorized representative of the Disclosing Party. Vendor shall provide and maintain a secure environment that ensures the confidentiality of all ITSC Confidential Information and MRM Confidential Information wherever located. Neither ITSC Confidential Information nor MRM Confidential Information shall be retained in any files or otherwise by Vendor, it contractors, or their respective employees and agents, except as approved in writing by an authorized representative of the Disclosing Party. All ITSC Confidential Information, MRM Confidential Information, and Data of any kind shall be stored, processed, or transferred only in or to facilities located within the United States.
18.6 Third Party Requests. Any request or demand by a third party for ITSC Confidential Information in the
possession of Vendor shall be immediately forwarded to an authorized representative of ITSC. Any request or demand by a third party for MRM Confidential Information in the possession of Vendor shall be immediately forwarded to an authorized representative of the MRM State to which such Confidential Information belongs.