Common use of Confidential Information Security and Access Clause in Contracts

Confidential Information Security and Access. 10.1. The GovPrime platform and any applications Provisioned on it will likely contain confidential data. In order to maintain the confidentiality of this data the following applies: 10.1.1. The GovPrime platform will be hosted in a cloud provider that at a minimum adheres to HIPAA, PII and FedRamp compliance protocols. Other compliance protocols may also be followed. 10.1.2. Arapahoe County will follow commercially reasonable and appropriate administrative, technical and organizational security measures to protect all data at rest and in transit to and from the platform and to safeguard against unauthorized access, disclosure or theft of the Subscribing County’s data. This includes any application that is hosted on GovPrime and referenced in this Agreement and its subsequent amendments. Subscribing County data will be encrypted when in transit based on the browser used by the Subscribing County. Arapahoe County will designate appropriate browser(s) to be used with the platform so that the Subscribing County can utilize all of the functionality. Within the GovPrime platform and any applications, Subscribing County data will be encrypted at rest, wherever technically possible. Where data is specifically identified as a specific data classification, such as PII or HIPAA, Arapahoe County will establish compensating controls to meet generally accepted or mandated practices. 10.1.3. Users must acknowledge the confidential nature of some or all of the data in the GovPrime system and in any of the Provisioned applications. In accordance with best practices, Subscribing County and Arapahoe County Users are expected to adhere strictly to the HIPAA, PII and FedRamp and other compliance protocols, depending on the data in the system. Subscribing Counties are expected to be familiar with all confidential data handling compliance protocols per the federal, state and local laws, and are expected to adhere to generally accepted best practices with data handling. If the Subscribing County is found to be using or accessing data inappropriately, it may lose access to the GovPrime platform and any Provisioned applications. 10.1.4. The Subscribing County is responsible for setting access rights and permissions for each of its Users through Active Directory Services and configuration settings in GovPrime. 10.2. Arapahoe County shall not be responsible for the misuse of data by the Subscribing County or any of the costs associated with the Subscribing County not following the prescribed compliance protocols. 10.3. Responsibilities in the Event of a Data Breach (See Section 11.2, Disclaimer of Warranties) 10.3.1. Arapahoe County shall immediately notify the Subscribing County in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident and/or Data Breach affecting Subscribing County’s data. Arapahoe County may also need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon. 10.3.2. In the case of a Data Breach originating from the Subscribing County, Arapahoe County will provide assistance to the Subscribing County for identification and resolution. However, the Subscribing County will have sole responsibility for any remediation actions necessary as a result of the Data Breach. Any associated costs for identifying and resolving such a breach that are incurred by Arapahoe County will be charged to the Subscribing County. 10.3.3. Arapahoe County shall promptly notify Subscribing County within 24 hours or sooner by telephone and email, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a Data Breach. Arapahoe County shall (1) cooperate with the Subscribing County as reasonably requested by the Subscribing County to investigate and resolve the Data Breach; (2) promptly implement necessary remedial measures, if necessary; and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.

Confidential Information Security and Access. 10.1. The GovPrime platform and any applications Provisioned on it will likely are expected to contain confidential data. In order to maintain the confidentiality of this data the following applies: 10.1.1. The GovPrime platform will be hosted in a cloud provider that at a minimum adheres to HIPAA, PII and FedRamp compliance protocols. Other compliance protocols may also be followed. 10.1.2. Arapahoe County will follow commercially reasonable and appropriate administrative, technical and organizational security measures to protect all data at rest and in transit to and from the platform and to safeguard against unauthorized access, disclosure or theft of the Subscribing County’s data. This includes any application that is hosted on GovPrime and referenced in this GovPrime Agreement and its subsequent amendments. Subscribing County data will be encrypted when in transit based on the browser used by the Subscribing County. Arapahoe County will designate appropriate browser(s) to be used with the platform so that the Subscribing County can utilize all of the functionality. Within the GovPrime platform and any applications, Subscribing County data will be encrypted at rest, wherever technically possible. Where data is specifically identified as a specific data classification, such as PII or HIPAA, Arapahoe County will establish compensating controls to meet generally accepted or mandated practices. 10.1.3. Users must acknowledge the confidential nature of some or all of the data in the GovPrime system and in any of the Provisioned software applications. In accordance with best practices, Subscribing County and Arapahoe County its Users are expected to adhere strictly to the HIPAA, PII and FedRamp and other compliance protocols, depending on the data in the system. Subscribing Counties are expected to be familiar with all confidential data handling compliance protocols per the federal, state and local laws, and are expected to adhere to generally accepted best practices with data handling. If the Subscribing County is found to be using or accessing data inappropriately, it may lose access to the GovPrime platform and any Provisioned software applications. 10.1.4. The Subscribing County is responsible for setting access rights and permissions for each of its Users through Active Directory Services and configuration settings in GovPrime. 10.2. Arapahoe County shall not be responsible for the misuse of data by the Subscribing County or any of the costs associated with the Subscribing County not following the prescribed compliance protocols. 10.3. Responsibilities in the Event of a Data Breach (See also Section 11.211.1, Disclaimer of Warranties) 10.3.1. Arapahoe County shall immediately notify the Subscribing County in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident and/or Data Breach affecting Subscribing County’s data. Arapahoe County may also need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon. 10.3.2. In the case of a Data Breach originating from the Subscribing County, Arapahoe County will provide assistance to the Subscribing County for identification and resolution. However, the Subscribing County will have sole responsibility for any remediation actions necessary as a result of the Data Breach. Any The parties agree that any associated costs for identifying and resolving such a breach that are incurred by Arapahoe County will be charged to the Subscribing CountyCounty in conformance with the terms of the Services Agreement, Section 4 (Support). 10.3.3. Arapahoe County shall promptly notify Subscribing County within 24 hours or sooner by telephone and email, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been been, a Data Breach. Arapahoe County shall shall (1) cooperate with the Subscribing County as reasonably requested by the Subscribing County to investigate and resolve the Data Breach; (2) promptly implement necessary remedial measures, if necessarymeasures as covered by the County’s Cyber Liability insurance policy; and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.

Confidential Information Security and Access. 10.1. The GovPrime platform and any applications Provisioned on it will likely contain confidential data. In order to maintain the confidentiality of this data the following applies: 10.1.1. : The GovPrime platform will be hosted in a cloud provider that at a minimum adheres to HIPAA, PII and FedRamp compliance protocols. Other compliance protocols may also be followed. 10.1.2. Arapahoe County will follow commercially reasonable and appropriate administrative, technical and organizational security measures to protect all data at rest and in transit to and from the platform and to safeguard against unauthorized access, disclosure or theft of the Subscribing County’s data. This includes any application that is hosted on GovPrime and referenced in this Agreement and its subsequent amendments. Subscribing County data will be encrypted when in transit based on the browser used by the Subscribing County. Arapahoe County will designate appropriate browser(s) to be used with the platform so that the Subscribing County can utilize all of the functionality. Within the GovPrime platform and any applications, Subscribing County data will be encrypted at rest, wherever technically possible. Where data is specifically identified as a specific data classification, such as PII or HIPAA, Arapahoe County will establish compensating controls to meet generally accepted or mandated practices. 10.1.3. Users must acknowledge the confidential nature of some or all of the data in the GovPrime system and in any of the Provisioned applications. In accordance with best practices, Subscribing County and Arapahoe County Users are expected to adhere strictly to the HIPAA, PII and FedRamp and other compliance protocols, depending on the data in the system. Subscribing Counties are expected to be familiar with all confidential data handling compliance protocols per the federal, state and local laws, and are expected to adhere to generally accepted best practices with data handling. If the Subscribing County is found to be using or accessing data inappropriately, it may lose access to the GovPrime platform and any Provisioned applications. 10.1.4. The Subscribing County is responsible for setting access rights and permissions for each of its Users through Active Directory Services and configuration settings in GovPrime. 10.2. Arapahoe County shall not be responsible for the misuse of data by the Subscribing County or any of the costs associated with the Subscribing County not following the prescribed compliance protocols. 10.3. Responsibilities in the Event of a Data Breach (See Section 11.2, Disclaimer of Warranties) 10.3.1. ) Arapahoe County shall immediately notify the Subscribing County in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident and/or Data Breach affecting Subscribing County’s data. Arapahoe County may also need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon. 10.3.2. In the case of a Data Breach originating from the Subscribing County, Arapahoe County will provide assistance to the Subscribing County for identification and resolution. However, the Subscribing County will have sole responsibility for any remediation actions necessary as a result of the Data Breach. Any associated costs for identifying and resolving such a breach that are incurred by Arapahoe County will be charged to the Subscribing County. 10.3.3. Arapahoe County shall promptly notify Subscribing County within 24 hours or sooner by telephone and email, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a Data Breach. Arapahoe County shall shall (1) cooperate with the Subscribing County as reasonably requested by the Subscribing County to investigate and resolve the Data Breach; (2) promptly implement necessary remedial measures, if necessary; and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.