The URL can be used to link to this page

Home My WebLink AboutData Exchange Solutions LLC; 2024-04-01;Data Exchange Solutions Master Service(s) Agreement 1 THIS MASTER SERVICE(S) AGREEMENT (the “Agreement”) between Data Exchange Solutions LLC (hereafter “Data Exchange Solutions”) with its principal place of business at 1301 Sunset Ave, Lansing, MI, 48917 and the City of Carlsbad (hereafter “Customer”), a municipal corporation, with its principal place of business at 2560 Orion Way Carlsbad, CA 92010 is made effective as of 4/1/2024 (“Effective Date”). 1. DATA EXCHANGE SOLUTIONS DELIVERY OF SERVICE(S): Data Exchange Solutions grants Customer a non-exclusive, non-transferable limited license to access and use the Data Exchange Solutions on the Authorized Website(s) identified in the attached Addendum A. The CJIS Security Addendum (the “Security Addendum”) is hereby incorporated into this contract and attached hereto as Addendum B. Data Exchange Solutions will abide by all applicable requirements of the Security Addendum. 2. CUSTOMER RESPONSIBILITIES: Customer acknowledges it is receiving only a limited license to use the Service(s) and related documentation, if any, and shall obtain no title, ownership nor any other rights in or to the Service(s) and related documentation, all of which title and rights shall remain with Data Exchange Solutions. However, Customer will retain ownership of all its data in the system. Customer agrees that (1) the License is limited to applications for its own use and may not lease or rent the Service(s) nor offer its use for others; and (2) Data Exchange Solutions is not responsible for content placed into the Service(s). Customer agrees to adhere to the Security Addendum B. 3. SERVICE(S) LEVELS: Data Exchange Solutions will use commercially reasonable efforts to backup and keep the Service(s) and Authorized Website(s) in operation consistent with applicable industry standards and will respond to customers’ requests for support during normal business hours. The service(s) are provided on an “as is” basis, and Customer’s use of the service(s) is at its own risk. Data exchange solutions does not warrant that the service(s) will be uninterrupted or error-free or unaffected by force majeure events. 4. WARRANTY AND LIABILITY: Data exchange solutions makes no representation or warranty as to merchantability or fitness for a particular purpose except as otherwise stated herein of the service(s) and shall have no liability for any consequential damages of any kind including, but not limited to, data loss and business interruption, and the parties agree that the only remedies that shall be available to customer under this agreement shall be those expressly set forth in this agreement. Data Exchange Solution’s liability under all circumstances involved herein this agreement is expressly limited to the amount received by data exchange solutions under this agreement. 5. TERMINATION: Either party may terminate this Agreement with or without cause at any time, in writing. Upon any termination, Data Exchange Solutions will discontinue Service(s) under this Agreement. Data Exchange Solutions will provide Customer with an electronic copy of all of Customer’s data, if requested, at no cost to Customer. The provisions of this Agreement regarding Ownership, Warranty and Liability, Confidentiality, and Miscellaneous will continue to survive. 6. INDEMNIFICATION To the extent allowed by law, each Party agrees to fully indemnify and hold harmless the other Party for all costs, liabilities, losses, and expenses resulting from any claim, suit, action, or proceeding brought by any third party. 7. ACCEPTABLE USE: Customer represents and warrants that the Service(s) will only be used for lawful purposes, in a manner allowed by law, and in accordance with reasonable operating rules, policies, terms and procedures. Data Exchange Solutions may, upon misuse of the Service(s), request Customer to terminate access to any individual and Customer agrees to promptly comply with such request unless such misuse is corrected. DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 Data Exchange Solutions Master Service(s) Agreement 2 8. CONFIDENTIALITY: Each party hereby agrees to maintain the confidentiality of the other party’s confidential and proprietary materials and information, including but not limited to, all information, knowledge, or data not generally available to the public, which is acquired in connection with this Agreement, unless disclosure is required by law. Each party hereby agrees not to copy, duplicate, or transcribe any confidential documents of the other party except as required in connection with their performance under this Agreement. Customer acknowledges that the Service(s) contain valuable trade secrets, which are the sole property of Data Exchange Solutions, and Customer agrees to use reasonable care to prevent other parties from learning of these trade secrets or have unauthorized access to the Service(s). Data Exchange Solutions will use reasonable efforts to ensure that any Data Exchange Solutions contractors maintain the confidentiality of proprietary materials and information. 9. PCI-DSS COMPLIANCE: Data Exchange Solutions shall be in full compliance with rules, regulations, guidelines, and procedures adopted by the Payment Card Industry Data Security Standard (PCI-DSS), as amended from time to time by the Payment Card Industry Security Standards Council. Detailed information pertaining to the requirements may be found at https://www.pcisecuritystandards.org. 10. MISCELLANEOUS PROVISIONS: This Agreement will be governed by and construed in accordance with the laws of the State of California. 11. ACCEPTANCE: Authorized representatives of Customer and Data Exchange Solutions have read the foregoing and all documents incorporated therein and agree and accept such terms effective as of the date first written above. Customer: _____________________________________ Signature: ______________________________________ Print Name: _____________________________________ Title: ____________________ Date: ____________ Approved as to Form: Customer: _____________________________________ Signature: ______________________________________ Print Name: _____________________________________ Title: ____________________ Date: ____________ Data Exchange Solutions, LLC Signature: ______________________________________ Print Name: ____________________________________ Title: Managing Member Date: _________ DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 3/12/2024 Joseph Puuri City of Carlsbad 3/12/2024Assistant City Attorney Jennifer R. True City of Carlsbad Mickey Williams 3/12/2024Police Chief flliCk.'"ll)Ji!Li""'1 Data Exchange Solutions Master Service(s) Agreement 3 ADDENDUM A 1) Service(s) Descriptions: Data Exchange Solution’s Services consists of Authorized Website(s) GovTransfer.com and Authorized Application GovTransfer that captures requests for records and provides the Customer with the ability to deliver a record to a secure database located at Microsoft AZURE. The record is encrypted in-transit and at rest. 2) Training and ongoing support included in the Implementation and Subscription Fees: a) One online Administrator training. b) One online training session for all users. c) Ongoing support through system videos and knowledgebase. d) Periodic webinars to train and update customers on new features. 3) Term: 4/1/2024 to 3/31/2025. This annual term will automatically renew all existing services unless the Customer notifies Data Exchange Solutions in writing of its intent not to extend the term at least thirty (30) days prior to expiration of the current term end date. Renewal Terms will not increase by more than 5.5%. 4) Fees: a) (Per user) Annual Subscription Fee is: $420 per User effective 1/1/2024. b) One Time Setup Fee: $0. DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 Data Exchange Solutions Master Service(s) Agreement 1 ADDENDUM B - SECURITY ADDENDUM FEDERAL BUREAU OF INVESTIGATION CRIMINAL JUSTICE INFORMATION SERVICES SECURITY ADDENDUM LEGAL AUTHORITY FOR AND PUPROSE AND GENESIS OF THE SECURITY ADDENDUM Traditionally, law enforcement and other criminal justice agencies have been responsible for the confidentiality of their information. Accordingly, until mid-1999, the Code of Federal Regulations Title 28, Part 20, subpart C, and the National Crime Information Center (NCIC) policy paper approved December 6, 1982, required that the management and exchange of criminal justice information be performed by a criminal justice agency or, in certain circumstances, by a noncriminal justice agency under the management control of a criminal justice agency. In light of the increasing desire of governmental agencies to contract with private entities to perform administration of criminal justice functions, the FBI sought and obtained approval from the United States Department of Justice (DOJ) to permit such privatization of traditional law enforcement functions under certain controlled circumstances. In the Federal Register of May 10, 1999, the FBI published a Notice of Proposed Rulemaking, announcing as follows: 1. Access to CHRI [Criminal History Record Information] and Related Information, Subject to Appropriate Controls, by a Private Contractor Pursuant to a Specific Agreement with an Authorized Governmental Agency To Perform an Administration of Criminal Justice Function (Privatization). Section 534 of title 28 of the United States Code authorizes the Attorney General to exchange identification, criminal identification, crime, and other records for the official use of authorized officials of the federal government, the states, cities, and penal and other institutions. This statute also provides, however, that such exchanges are subject to cancellation if dissemination is made outside the receiving departments or related agencies. Agencies authorized access to CHRI traditionally have been hesitant to disclose that information, even in furtherance of authorized criminal justice functions, to anyone other than actual agency employees lest such disclosure be viewed as unauthorized. In recent years, however, governmental agencies seeking greater efficiency and economy have become increasingly interested in obtaining support services for the administration of criminal justice from the private sector. With the concurrence of the FBI’s Criminal Justice Information Services (CJIS) Advisory Policy Board, the DOJ has concluded that disclosures to private persons and entities providing support services for criminal justice agencies may, when subject to appropriate controls, properly be viewed as permissible disclosures for purposes of compliance with 28 U.S.C. 534. We are therefore proposing to revise 28 CFR 20.33(a)(7) to provide express authority for such arrangements. The proposed authority is similar to the authority that already exists in 28 CFR 20.21(b)(3) for state and local CHRI systems. Provision of CHRI under this authority would only be permitted pursuant to a specific agreement with an authorized governmental agency for the purpose of providing services for the administration of criminal justice. The agreement would be required to incorporate a security addendum approved by the Director of the FBI (acting for the Attorney General). The security addendum would specifically authorize access to CHRI, limit the use of the information to the specific purposes for which it is being provided, ensure the security and confidentiality of the information consistent with applicable laws and regulations, provide for sanctions, and contain such other provisions as the Director of the FBI (acting for the Attorney General) may require. The security addendum, buttressed by ongoing audit programs of both the FBI and the sponsoring governmental agency, will provide an appropriate balance between the benefits of privatization, protection of individual privacy interests, and preservation of the security of the FBI’s CHRI systems. The FBI will develop a security addendum to be made available to interested governmental agencies. We anticipate that the security addendum will include physical and personnel security constraints historically required by NCIC security practices and other programmatic requirements, together with personal integrity and electronic security provisions comparable to those in NCIC User Agreements between the FBI and criminal justice agencies, and in existing Management Control Agreements between criminal justice agencies and noncriminal justice governmental entities. The security addendum will make clear that access to CHRI will be limited to those officers and employees of the private contractor or its subcontractor who require the information to properly perform services for the sponsoring governmental agency, and that the service provider may not access, modify, use, or disseminate such information for inconsistent or unauthorized purposes. DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 Data Exchange Solutions Master Service(s) Agreement 2 Consistent with such intent, Title 28 of the Code of Federal Regulations (C.F.R.) was amended to read: § 20.33 Dissemination of criminal history record information. a. Criminal history record information contained in the Interstate Identification Index (III) System and the Fingerprint Identification Records System (FIRS) may be made available: 1) To criminal justice agencies for criminal justice purposes, which purposes include the screening of employees or applicants for employment hired by criminal justice agencies. 2) To noncriminal justice governmental agencies performing criminal justice dispatching functions or data processing/information services for criminal justice agencies; and 3) To private contractors pursuant to a specific agreement with an agency identified in paragraphs (a)(1) or (a)(6) of this section and for the purpose of providing services for the administration of criminal justice pursuant to that agreement. The agreement must incorporate a security addendum approved by the Attorney General of the United States, which shall specifically authorize access to criminal history record information, limit the use of the information to the purposes for which it is provided, ensure the security and confidentiality of the information consistent with these regulations, provide for sanctions, and contain such other provisions as the Attorney General may require. The power and authority of the Attorney General hereunder shall be exercised by the FBI Director (or the Director’s designee). This Security Addendum, appended to and incorporated by reference in a government-private sector contract entered into for such purpose, is intended to insure that the benefits of privatization are not attained with any accompanying degradation in the security of the national system of criminal records accessed by the contracting private party. This Security Addendum addresses both concerns for personal integrity and electronic security which have been addressed in previously executed user agreements and management control agreements. A government agency may privatize functions traditionally performed by criminal justice agencies (or noncriminal justice agencies acting under a management control agreement), subject to the terms of this Security Addendum. If privatized, access by a private contractor's personnel to NCIC data and other CJIS information is restricted to only that necessary to perform the privatized tasks consistent with the government agency's function and the focus of the contract. If privatized the contractor may not access, modify, use or disseminate such data in any manner not expressly authorized by the government agency in consultation with the FBI. FEDERAL BUREAU OF INVESTIGATION CRIMINAL JUSTICE INFORMATION SERVICES SECURITY ADDENDUM The goal of this document is to augment the CJIS Security Policy to ensure adequate security is provided for criminal justice systems while (1) under the control or management of a private entity or (2) connectivity to FBI CJIS Systems has been provided to a private entity (contractor). Adequate security is defined in Office of Management and Budget Circular A- 130 as “security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.” The intent of this Security Addendum is to require that the Contractor maintain a security program consistent with federal and state laws, regulations, and standards (including the CJIS Security Policy in effect when the contract is executed), as well as with policies and standards established by the Criminal Justice Information Services (CJIS) Advisory Policy Board (APB). This Security Addendum identifies the duties and responsibilities with respect to the installation and maintenance of adequate internal controls within the contractual relationship so that the security and integrity of the FBI's information resources are not compromised. The security program shall include consideration of personnel security, site security, system security, and data security, and technical security. DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 Data Exchange Solutions Master Service(s) Agreement 3 The provisions of this Security Addendum apply to all personnel, systems, networks, and support facilities supporting and/or acting on behalf of the government agency. 1.00 Definitions 1.01 Contracting Government Agency (CGA) - the government agency, whether a Criminal Justice Agency or a Noncriminal Justice Agency, which enters into an agreement with a private contractor subject to this Security Addendum. 1.02 Contractor - a private business, organization or individual which has entered into an agreement for the administration of criminal justice with a Criminal Justice Agency or a Noncriminal Justice Agency. 2.00 Responsibilities of the Contracting Government Agency. 2.01 The CGA will ensure that each Contractor employee receives a copy of the Security Addendum and the CJIS Security Policy and executes an acknowledgment of such receipt and the contents of the Security Addendum. The signed acknowledgments shall remain in the possession of the CGA and available for audit purposes. The acknowledgement may be signed by hand or via digital signature (see glossary for definition of digital signature). 3.00 Responsibilities of the Contractor. 3.01 The Contractor will maintain a security program consistent with federal and state laws, regulations, and standards (including the CJIS Security Policy in effect when the contract is executed and all subsequent versions), as well as with policies and standards established by the Criminal Justice Information Services (CJIS) Advisory Policy Board (APB). 4.00 Security Violations. 4.01 The CGA must report security violations to the CJIS Systems Officer (CSO) and the Director, FBI, along with indications of actions taken by the CGA and Contractor. 4.02 Security violations can justify termination of the appended agreement. 4.03 Upon notification, the FBI reserves the right to: a. Investigate or decline to investigate any report of unauthorized use; b. Suspend or terminate access and services, including telecommunications links. The FBI will provide the CSO with timely written notice of the suspension. Access and services will be reinstated only after satisfactory assurances have been provided to the FBI by the CGA and Contractor. Upon termination, the Contractor's records containing CHRI must be deleted or returned to the CGA. 5.00 Audit 5.01 The FBI is authorized to perform a final audit of the Contractor's systems after termination of the Security Addendum. 6.00 Scope and Authority 6.01 This Security Addendum does not confer, grant, or authorize any rights, privileges, or obligations on any persons other than the Contractor, CGA, CJA (where applicable), CSA, and FBI. 6.02 The following documents are incorporated by reference and made part of this agreement: (1) the Security Addendum; (2) the NCIC 2000 Operating Manual; (3) the CJIS Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20. The parties are also subject to applicable federal and state laws and regulations. DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 Data Exchange Solutions Master Service(s) Agreement 4 6.03 The terms set forth in this document do not constitute the sole understanding by and between the parties hereto; rather they augment the provisions of the CJIS Security Policy to provide a minimum basis for the security of the system and contained information and it is understood that there may be terms and conditions of the appended Agreement which impose more stringent requirements upon the Contractor. 6.04 This Security Addendum may only be modified by the FBI, and may not be modified by the parties to the appended Agreement without the consent of the FBI. 6.05 All notices and correspondence shall be forwarded by First Class mail to: Information Security Officer Criminal Justice Information Services Division, FBI 1000 Custer Hollow Road Clarksburg, West Virginia 26306 ADENEDUM B CERTIFICATION I hereby certify that I am familiar with the contents of (1) the Security Addendum, including its legal authority and purpose; (2) the NCIC Operating Manual; (3) the CJIS Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20, and agree to be bound by their provisions. I recognize that criminal history record information and related data, by its very nature, is sensitive and has potential for great harm if misused. I acknowledge that access to criminal history record information and related data is therefore limited to the purpose(s) for which a government agency has entered into the contract incorporating this Security Addendum. I understand that misuse of the system by, among other things: accessing it without authorization; accessing it by exceeding authorization; accessing it for an improper purpose; using, disseminating or re-disseminating information received as a result of this contract for a purpose other than that envisioned by the contract, may subject me to administrative and criminal penalties. I understand that accessing the system for an appropriate purpose and then using, disseminating or re-disseminating the information received for another purpose other than execution of the contract also constitutes misuse. I further understand that the occurrence of misuse does not depend upon whether or not I receive additional compensation for such authorized activity. Such exposure for misuse includes, but is not limited to, suspension or loss of employment and prosecution for state and federal crimes. Printed Name/Signature of Contractor Employee Date Joseph Puuri / 2/29/2024 Printed Name/Signature of Contractor Representative Date Data Exchange Solutions, LCC / Partner 2/29/2024 Organization and Title of Contractor Representative Date DocuSign Envelope ID: EA85C6C2-196D-464B-A41C-8B93A0C69777 3/12/2024Mickey Williams /\tickui (}Jj(1;,,,..1