Staff Report 7179
City of Palo Alto (ID # 7179)
City Council Staff Report
Report Type: Consent Calendar
Meeting Date: 12/5/2016
Summary Title: Citation Processing Contract and Budget Amendment
Title: Approval of a Contract With Professional Account Management, LLC, in an Amount Not-to-Exceed $130,000 Per Year for Five Years for the Handling and Processing of Parking Violations and Approval of Budget Amendments in the General Fund
From: City Manager
Lead Department: Police

Recommendation
Staff recommends that the City Council:
1. Approve and authorize the City Manager or his designee to execute the attached contract #C17164727 with Professional Account Management, LLC, in an amount not-to-exceed $130,000 per year for five years for the handling and processing of parking violations.
2. Amend the FY 2017 Budget Appropriation Ordinance for the General Fund by:
a. Increasing the revenue estimate for Fines, Forfeitures, and Penalties in the amount of $35,000; and
b. Increasing the Police Department appropriation for General Contract Service in the amount of $35,000.

Background
Since 1992, the City has contracted with the City of Inglewood for the handling and processing of parking citations. The City was part of a consortium of other municipal agencies utilizing Duncan Solutions software for the processing of parking violations, of which the City of Inglewood managed the overall account. The City renewed contracts with the City of Inglewood in 1996, 2001, 2006, and 2011. However, in 2014, we were notified by the City of Inglewood that they were discontinuing as a vendor for citation processing but would honor the remainder of our contract ending on October 31, 2016. A Request for Proposal (RFP) was developed (RFP# 164727) and potential vendors were identified and notified of the RFP in PlanetBids.
Discussion

Project Description
The vendor will accept and process approximately 43,000 parking citations per year. The vendor will enter and store the citation in a database and provide City staff access to software to accept payments, adjustments, suspension and dismissal of citations. The software will identify the registered owner of vehicles cited and send out notices outlining payment options. The vendor will also handle the comprehensive collections of penalties if they remain unpaid. The account will be managed by an account representative who is available to City staff to provide ongoing support and training as needed, and the system will provide a range of stock and ad hoc reports on a monthly basis or as needed. The City does not have adequate staffing, hardware, or software to effectively manage this program in-house.

Summary of the Bid Process and Vendor Selection
The Police Department Parking Manager, with input from Administrative Services staff, prepared an RFP for the processing of parking citations. The RFP requested vendors to submit proposals for services that included accepting citations, maintaining a citation database, identifying vehicle registered owners, mailing courtesy notices to registered owners, identifying delinquent parking violations, placement and removal of vehicle registration liens with the Department of Motor Vehicles, and a comprehensive collections program that included participation in the State of California Franchise Tax Board’s Tax Offset Program. Nine potential vendors were identified. The potential vendors were notified that the RFP was available in PlanetBids on July 19, 2016. A non-mandatory pre-proposal telephone conference was held on July 26, 2016. A number of questions were received and Addendum number one was issued on July 27, 2016.
An evaluation committee comprised of three representatives from the Police and Administrative Services Departments reviewed and ranked the seven proposals received. The evaluation committee selected the three highest ranked vendors (Phoenix Group, Turbo Data, and Professional Account Management, LLC) to attend a Consultant Interview on September 8, 2016. The evaluation committee interviewed all three potential vendors and staff recommends that the proposal submitted by Professional Management, LLC be accepted. This recommendation is based on the contractor’s experience and prior relationship with the City. Although the prior contract was managed by the City of Inglewood, they have always used software and support from Duncan Solutions (DBA Professional Account Management, LLC in California). There would be no transitional costs or data conversion issues that could result in a potential loss or disruption of revenue and customer service that may be involved with a new vendor. They provide excellent customer service and adaptable and user-friendly software. Other factors include cost per citation to process, the ability to provide 24-hour per day urgent software support, a comprehensive collections program for delinquent citations, the ability to provide on-line Department of Motor Vehicle registered owner address information (California and out-of-state), on-site and online training as needed, an account representative that will provide on-site support as needed, and security and disaster recovery protections of the software and database.

Resource Impact
Expenses under this contract are based on a per-citation fee and a 35 percent fee charged for comprehensive collections. Penalties paid are submitted to the Parking Revenue Account in the General Fund, which means the collections 35 percent fee has to be reimbursed to the vendor. Actual expenses have ranged from $95,000 to $130,000 depending on activity levels.
Due to the enhanced comprehensive collections program offered by the vendor, the Police Department has also seen a significant increase in the revenue of delinquent parking penalties that have been collected. However, the Parking Services Division’s budget within the Police Department contains $95,000 for this contract. Therefore, an increase in the appropriated funds and a corresponding increase in the revenue estimate for Fines, Forfeitures, and Penalties to adjust for this increased cost and activity level are recommended. Ongoing implications of this will be evaluated and adjusted as part of the development of the FY 2018 base budget. While this annual cost is a significant increase in the contract from prior years, overall, the vendor has decreased the current cost per cite for this contract and ultimately these activities generate increased revenues.

Policy Implications
This report does not represent any change to existing City Policies.

Attachments:
• ATTACHMENT A - C17164727 (PDF)

Professional Services Rev. April 27, 2016

CITY OF PALO ALTO CONTRACT NO. C17164727
AGREEMENT BETWEEN THE CITY OF PALO ALTO AND PROFESSIONAL ACCOUNT MANAGEMENT, LLC FOR PROFESSIONAL SERVICES

This Agreement is entered into on this 5th day of December, 2016, (“Agreement”) by and between the CITY OF PALO ALTO, a California chartered municipal corporation (“CITY”), and PROFESSIONAL ACCOUNT MANAGEMENT, LLC, a limited liability company, located at 633 W. Wisconsin Avenue, Suite 1600, Milwaukee, WI 53203 (“CONSULTANT”).

RECITALS
The following recitals are a substantive portion of this Agreement. A. CITY intends to issue parking citations (“Project”) and desires to engage a consultant to provide parking citation processing and collection services in connection with the Project (“Services”). B. CONSULTANT has represented that it has the necessary professional expertise, qualifications, and capability, and all required licenses and/or certifications to provide the Services. C.
CITY in reliance on these representations desires to engage CONSULTANT to provide the Services as more fully described in Exhibit “A”, attached to and made a part of this Agreement. NOW, THEREFORE, in consideration of the recitals, covenants, terms, and conditions, in this Agreement, the parties agree: AGREEMENT SECTION 1. SCOPE OF SERVICES. CONSULTANT shall perform the Services described at Exhibit “A” in accordance with the terms and conditions contained in this Agreement. The performance of all Services shall be to the reasonable satisfaction of CITY. SECTION 2. TERM. The term of this Agreement shall be from the date of its full execution through October 31, 2021 unless terminated earlier pursuant to Section 19 of this Agreement. SECTION 3. SCHEDULE OF PERFORMANCE. Time is of the essence in the performance of Services under this Agreement. CONSULTANT shall complete the Services within the term of this Agreement and in accordance with the schedule set forth in Exhibit “B”, attached to and made a part of this Agreement. Any Services for which times for performance are not specified in this Agreement shall be commenced and completed by CONSULTANT in a reasonably prompt and timely manner based upon the circumstances and direction communicated to the CONSULTANT. CITY’s agreement to extend the term or the schedule for performance shall not preclude recovery of damages for delay if the extension is required due to the fault of CONSULTANT. SECTION 4. NOT TO EXCEED COMPENSATION. The compensation to be paid to CONSULTANT for performance of the Services described in Exhibit “A” (“Basic Services”), and reimbursable expenses, shall not exceed One Hundred Thirty Thousand Dollars per year ($130,000/year) for a total not to exceed amount of Six Hundred Fifty Thousand ($650,000) for all five years.
DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A
CONSULTANT agrees to complete all Basic Services, including reimbursable expenses, within this amount. In the event Additional Services are authorized, the total compensation for Basic Services, Additional Services and reimbursable expenses shall not exceed Six Hundred Fifty Thousand Dollars ($650,000). The applicable rates and schedule of payment are set out at Exhibit “C-1”, entitled “HOURLY RATE SCHEDULE,” which is attached to and made a part of this Agreement. Any work performed or expenses incurred for which payment would result in a total exceeding the maximum amount of compensation set forth herein shall be at no cost to the CITY. Additional Services, if any, shall be authorized in accordance with and subject to the provisions of Exhibit “C”. CONSULTANT shall not receive any compensation for Additional Services performed without the prior written authorization of CITY. Additional Services shall mean any work that is determined by CITY to be necessary for the proper completion of the Project, but which is not included within the Scope of Services described at Exhibit “A”. SECTION 5. INVOICES. In order to request payment, CONSULTANT shall submit monthly invoices to the CITY describing the services performed and the applicable charges (including an identification of personnel who performed the services, hours worked, hourly rates, and reimbursable expenses), based upon the CONSULTANT’s billing rates (set forth in Exhibit “C-1”). If applicable, the invoice shall also describe the percentage of completion of each task. The information in CONSULTANT’s payment requests shall be subject to verification by CITY. CONSULTANT shall send all invoices to the City’s project manager at the address specified in Section 13 below. The City will generally process and pay invoices within thirty (30) days of receipt. SECTION 6. QUALIFICATIONS/STANDARD OF CARE. All of the Services shall be performed by CONSULTANT or under CONSULTANT’s supervision.
CONSULTANT represents that it possesses the professional and technical personnel necessary to perform the Services required by this Agreement and that the personnel have sufficient skill and experience to perform the Services assigned to them. CONSULTANT represents that it, its employees and subconsultants, if permitted, have and shall maintain during the term of this Agreement all licenses, permits, qualifications, insurance and approvals of whatever nature that are legally required to perform the Services. All of the services to be furnished by CONSULTANT under this agreement shall meet the professional standard and quality that prevail among professionals in the same discipline and of similar knowledge and skill engaged in related work throughout California under the same or similar circumstances. SECTION 7. COMPLIANCE WITH LAWS. CONSULTANT shall keep itself informed of and in compliance with all federal, state and local laws, ordinances, regulations, and orders that may affect in any manner the Project or the performance of the Services or those engaged to perform Services under this Agreement. CONSULTANT shall procure all permits and licenses, pay all charges and fees, and give all notices required by law in the performance of the Services. SECTION 8. ERRORS/OMISSIONS. CONSULTANT is solely responsible for costs, including, but not limited to, increases in the cost of Services, arising from or caused by CONSULTANT’s errors and omissions, including, but not limited to, the costs of correcting such errors and omissions, any change order markup costs, or costs arising from delay caused by the errors and omissions or unreasonable delay in correcting the errors and omissions. SECTION 9. COST ESTIMATES.
If this Agreement pertains to the design of a public works project, CONSULTANT shall submit estimates of probable construction costs at each phase of design submittal. If the total estimated construction cost at any submittal exceeds ten percent (10%) of CITY’s stated construction budget, CONSULTANT shall make recommendations to CITY for aligning the PROJECT design with the budget, incorporate CITY approved recommendations, and revise the design to meet the Project budget, at no additional cost to CITY. SECTION 10. INDEPENDENT CONTRACTOR. It is understood and agreed that in performing the Services under this Agreement CONSULTANT, and any person employed by or contracted with CONSULTANT to furnish labor and/or materials under this Agreement, shall act as and be an independent contractor and not an agent or employee of CITY. SECTION 11. ASSIGNMENT. The parties agree that the expertise and experience of CONSULTANT are material considerations for this Agreement. CONSULTANT shall not assign or transfer any interest in this Agreement nor the performance of any of CONSULTANT’s obligations hereunder without the prior written consent of the city manager. Consent to one assignment will not be deemed to be consent to any subsequent assignment. Any assignment made without the approval of the city manager will be void. SECTION 12. SUBCONTRACTING. Notwithstanding Section 11 above, CITY agrees that subconsultants may be used to complete the Services. The subconsultants authorized by CITY to perform work on this Project are: Duncan Solutions, Inc. CONSULTANT shall be responsible for directing the work of any subconsultants and for any compensation due to subconsultants. CITY assumes no responsibility whatsoever concerning compensation. CONSULTANT shall be fully responsible to CITY for all acts and omissions of a subconsultant. CONSULTANT shall change or add subconsultants only with the prior approval of the city manager or his designee. 
SECTION 13. PROJECT MANAGEMENT. CONSULTANT will assign Dean Viereck as the Region Manager to have supervisory responsibility for the performance, progress, and execution of the Services to represent CONSULTANT during the day-to-day work on the Project. If circumstances cause the substitution of the project director, project coordinator, or any other key personnel for any reason, the appointment of a substitute project director and the assignment of any key new or replacement personnel will be subject to the prior written approval of the CITY’s project manager. CONSULTANT, at CITY’s request, shall promptly remove personnel who CITY finds do not perform the Services in an acceptable manner, are uncooperative, or present a threat to the adequate or timely completion of the Project or a threat to the safety of persons or property. CITY’s project manager is Karen McAdams, Police Department, Traffic Division, 275 Forest Avenue, Palo Alto, CA 94303, Telephone: (650) 329-2411. The project manager will be CONSULTANT’s point of contact with respect to performance, progress and execution of the Services. CITY may designate an alternate project manager from time to time. SECTION 14. OWNERSHIP OF MATERIALS. Upon delivery, all work product, including without limitation, all writings, drawings, plans, reports, specifications, calculations, documents, other materials and copyright interests developed under this Agreement shall be and remain the exclusive property of CITY without restriction or limitation upon their use. CONSULTANT agrees that all copyrights which arise from creation of the work pursuant to this Agreement shall be vested in CITY, and CONSULTANT waives and relinquishes all claims to copyright or other intellectual property rights in favor of the CITY.
Neither CONSULTANT nor its contractors, if any, shall make any of such materials available to any individual or organization without the prior written approval of the City Manager or designee. CONSULTANT makes no representation of the suitability of the work product for use in or application to circumstances not contemplated by the scope of work. SECTION 15. AUDITS. CONSULTANT will permit CITY to audit, at any reasonable time during the term of this Agreement and for three (3) years thereafter, CONSULTANT’s records pertaining to matters covered by this Agreement. CONSULTANT further agrees to maintain and retain such records for at least three (3) years after the expiration or earlier termination of this Agreement. SECTION 16. INDEMNITY. 16.1. To the fullest extent permitted by law, CONSULTANT shall protect, indemnify, defend and hold harmless CITY, its Council members, officers, employees and agents (each an “Indemnified Party”) from and against any and all demands, claims, or liability of any nature, including death or injury to any person, property damage or any other loss, including all costs and expenses of whatever nature including attorneys fees, experts fees, court costs and disbursements (“Claims”) resulting from, arising out of or in any manner related to performance or nonperformance by CONSULTANT, its officers, employees, agents or contractors under this Agreement, regardless of whether or not it is caused in part by an Indemnified Party. 16.2. Notwithstanding the above, nothing in this Section 16 shall be construed to require CONSULTANT to indemnify an Indemnified Party from Claims arising from the active negligence, sole negligence or willful misconduct of an Indemnified Party. 16.3. The acceptance of CONSULTANT’s services and duties by CITY shall not operate as a waiver of the right of indemnification.
The provisions of this Section 16 shall survive the expiration or early termination of this Agreement. SECTION 17. WAIVERS. The waiver by either party of any breach or violation of any covenant, term, condition or provision of this Agreement, or of the provisions of any ordinance or law, will not be deemed to be a waiver of any other term, covenant, condition, provisions, ordinance or law, or of any subsequent breach or violation of the same or of any other term, covenant, condition, provision, ordinance or law. SECTION 18. INSURANCE. 18.1. CONSULTANT, at its sole cost and expense, shall obtain and maintain, in full force and effect during the term of this Agreement, the insurance coverage described in Exhibit "D". CONSULTANT and its contractors, if any, shall obtain a policy endorsement naming CITY as an additional insured under any general liability or automobile policy or policies. 18.2. All insurance coverage required hereunder shall be provided through carriers with AM Best’s Key Rating Guide ratings of A-:VII or higher which are licensed or authorized to transact insurance business in the State of California. Any and all contractors of CONSULTANT retained to perform Services under this Agreement will obtain and maintain, in full force and effect during the term of this Agreement, identical insurance coverage, naming CITY as an additional insured under such policies as required above. 18.3. Certificates evidencing such insurance shall be filed with CITY concurrently with the execution of this Agreement. The certificates will be subject to the approval of CITY’s Risk Manager and will contain an endorsement stating that the insurance is primary coverage and will not be canceled, or materially reduced in coverage or limits, by the insurer except after filing with the Purchasing Manager thirty (30) days' prior written notice of the cancellation or modification. 
If the insurer cancels or modifies the insurance and provides less than thirty (30) days’ notice to CONSULTANT, CONSULTANT shall provide the Purchasing Manager written notice of the cancellation or modification within two (2) business days of the CONSULTANT’s receipt of such notice. CONSULTANT shall be responsible for ensuring that current certificates evidencing the insurance are provided to CITY’s Chief Procurement Officer during the entire term of this Agreement. 18.4. The procuring of such required policy or policies of insurance will not be construed to limit CONSULTANT's liability hereunder nor to fulfill the indemnification provisions of this Agreement. Notwithstanding the policy or policies of insurance, CONSULTANT will be obligated for the full and total amount of any damage, injury, or loss caused by or directly arising as a result of the Services performed under this Agreement, including such damage, injury, or loss arising after the Agreement is terminated or the term has expired. SECTION 19. TERMINATION OR SUSPENSION OF AGREEMENT OR SERVICES. 19.1. The City Manager may suspend the performance of the Services, in whole or in part, or terminate this Agreement, with or without cause, by giving ten (10) days prior written notice thereof to CONSULTANT. Upon receipt of such notice, CONSULTANT will immediately discontinue its performance of the Services. 19.2. CONSULTANT may terminate this Agreement or suspend its performance of the Services by giving thirty (30) days prior written notice thereof to CITY, but only in the event of a substantial failure of performance by CITY. 19.3.
Upon such suspension or termination, CONSULTANT shall deliver to the City Manager immediately any and all copies of studies, sketches, drawings, computations, and other data, whether or not completed, prepared by CONSULTANT or its contractors, if any, or given to CONSULTANT or its contractors, if any, in connection with this Agreement. Such materials will become the property of CITY. 19.4. Upon such suspension or termination by CITY, CONSULTANT will be paid for the Services rendered or materials delivered to CITY in accordance with the scope of services on or before the effective date (i.e., 10 days after giving notice) of suspension or termination; provided, however, if this Agreement is suspended or terminated on account of a default by CONSULTANT, CITY will be obligated to compensate CONSULTANT only for that portion of CONSULTANT’s services which are of direct and immediate benefit to CITY as such determination may be made by the City Manager acting in the reasonable exercise of his/her discretion. The following Sections will survive any expiration or termination of this Agreement: 14, 15, 16, 19.4, 20, and 25. 19.5. No payment, partial payment, acceptance, or partial acceptance by CITY will operate as a waiver on the part of CITY of any of its rights under this Agreement. SECTION 20. NOTICES. All notices hereunder will be given in writing and mailed, postage prepaid, by certified mail, addressed as follows: To CITY: Office of the City Clerk City of Palo Alto Post Office Box 10250 Palo Alto, CA 94303 With a copy to the Purchasing Manager To CONSULTANT: Attention of the project director at the address of CONSULTANT recited above SECTION 21. CONFLICT OF INTEREST. 21.1.
In accepting this Agreement, CONSULTANT covenants that it presently has no interest, and will not acquire any interest, direct or indirect, financial or otherwise, which would conflict in any manner or degree with the performance of the Services. 21.2. CONSULTANT further covenants that, in the performance of this Agreement, it will not employ subconsultants, contractors or persons having such an interest. CONSULTANT certifies that no person who has or will have any financial interest under this Agreement is an officer or employee of CITY; this provision will be interpreted in accordance with the applicable provisions of the Palo Alto Municipal Code and the Government Code of the State of California. 21.3. If the Project Manager determines that CONSULTANT is a “Consultant” as that term is defined by the Regulations of the Fair Political Practices Commission, CONSULTANT shall be required and agrees to file the appropriate financial disclosure documents required by the Palo Alto Municipal Code and the Political Reform Act. SECTION 22. NONDISCRIMINATION. As set forth in Palo Alto Municipal Code section 2.30.510, CONSULTANT certifies that in the performance of this Agreement, it shall not discriminate in the employment of any person because of the race, skin color, gender, age, religion, disability, national origin, ancestry, sexual orientation, housing status, marital status, familial status, weight or height of such person. CONSULTANT acknowledges that it has read and understands the provisions of Section 2.30.510 of the Palo Alto Municipal Code relating to Nondiscrimination Requirements and the penalties for violation thereof, and agrees to meet all requirements of Section 2.30.510 pertaining to nondiscrimination in employment. SECTION 23. ENVIRONMENTALLY PREFERRED PURCHASING AND ZERO WASTE REQUIREMENTS. 
CONSULTANT shall comply with the CITY’s Environmentally Preferred Purchasing policies which are available at CITY’s Purchasing Department, incorporated by reference and may be amended from time to time. CONSULTANT shall comply with waste reduction, reuse, recycling and disposal requirements of CITY’s Zero Waste Program. Zero Waste best practices include first minimizing and reducing waste; second, reusing waste and third, recycling or composting waste. In particular, CONSULTANT shall comply with the following zero waste requirements: (a) All printed materials provided by CONSULTANT to CITY generated from a personal computer and printer including but not limited to, proposals, quotes, invoices, reports, and public education materials, shall be double-sided and printed on a minimum of 30% or greater post-consumer content paper, unless otherwise approved by CITY’s Project Manager. Any submitted materials printed by a professional printing company shall be a minimum of 30% or greater post-consumer material and printed with vegetable based inks. (b) Goods purchased by CONSULTANT on behalf of CITY shall be purchased in accordance with CITY’s Environmental Purchasing Policy including but not limited to Extended Producer Responsibility requirements for products and packaging. A copy of this policy is on file at the Purchasing Division’s office. (c) Reusable/returnable pallets shall be taken back by CONSULTANT, at no additional cost to CITY, for reuse or recycling. CONSULTANT shall provide documentation from the facility accepting the pallets to verify that pallets are not being disposed. SECTION 24. COMPLIANCE WITH PALO ALTO MINIMUM WAGE ORDINANCE. CONSULTANT shall comply with all requirements of the Palo Alto Municipal Code Chapter 4.62 (Citywide Minimum Wage), as it may be amended from time to time.
In particular, for any employee otherwise entitled to the State minimum wage, who performs at least two (2) hours of work in a calendar week within the geographic boundaries of the City, CONSULTANT shall pay such employees no less than the minimum wage set forth in Palo Alto Municipal Code section 4.62.030 for each hour worked within the geographic boundaries of the City of Palo Alto. In addition, CONSULTANT shall post notices regarding the Palo Alto Minimum Wage Ordinance in accordance with Palo Alto Municipal Code section 4.62.060. SECTION 25. NON-APPROPRIATION 25.1. This Agreement is subject to the fiscal provisions of the Charter of the City of Palo Alto and the Palo Alto Municipal Code. This Agreement will terminate without any penalty (a) at the end of any fiscal year in the event that funds are not appropriated for the following fiscal year, or (b) at any time within a fiscal year in the event that funds are only appropriated for a portion of the fiscal year and funds for this Agreement are no longer available. This section shall take precedence in the event of a conflict with any other covenant, term, condition, or provision of this Agreement. SECTION 26. PREVAILING WAGES AND DIR REGISTRATION FOR PUBLIC WORKS CONTRACTS 26.1 This Project is not subject to prevailing wages. CONSULTANT is not required to pay prevailing wages in the performance and implementation of the Project in accordance with SB 7 if the contract is not a public works contract, if the contract does not include a public works construction project of more than $25,000, or the contract does not include a public works alteration, demolition, repair, or maintenance (collectively, ‘improvement’) project of more than $15,000. OR 26.1 CONSULTANT is required to pay general prevailing wages as defined in Subchapter 3, Title 8 of the California Code of Regulations and Section 16000 et seq. and Section 1773.1 of the California Labor Code. 
Pursuant to the provisions of Section 1773 of the Labor Code of the State of California, the City Council has obtained the general prevailing rate of per diem wages and the general rate for holiday and overtime work in this locality for each craft, classification, or type of worker needed to execute the contract for this Project from the Director of the Department of Industrial Relations (“DIR”). Copies of these rates may be obtained at the Purchasing Division’s office of the City of Palo Alto. CONSULTANT shall provide a copy of prevailing wage rates to any staff or subcontractor hired, and shall pay the adopted prevailing wage rates as a minimum. CONSULTANT shall comply with the provisions of all sections, including, but not limited to, Sections 1775, 1776, 1777.5, 1782, 1810, and 1813, of the Labor Code pertaining to prevailing wages. 26.2 CONSULTANT shall comply with the requirements of Exhibit “E” for any contract for public works construction, alteration, demolition, repair or maintenance. SECTION 27. MISCELLANEOUS PROVISIONS. 27.1. This Agreement will be governed by the laws of the State of California. 27.2. In the event that an action is brought, the parties agree that trial of such action will be vested exclusively in the state courts of California in the County of Santa Clara, State of California. 27.3. The prevailing party in any action brought to enforce the provisions of this Agreement may recover its reasonable costs and attorneys' fees expended in connection with that action. The prevailing party shall be entitled to recover an amount equal to the fair market value of legal services provided by attorneys employed by it as well as any attorneys’ fees paid to third parties. 27.4. This document represents the entire and integrated agreement between the parties and supersedes all prior negotiations, representations, and contracts, either written or oral.
This document may be amended only by a written instrument, which is signed by the parties.
27.5. The covenants, terms, conditions and provisions of this Agreement will apply to, and will bind, the heirs, successors, executors, administrators, assignees, and consultants of the parties.
27.6. If a court of competent jurisdiction finds or rules that any provision of this Agreement or any amendment thereto is void or unenforceable, the unaffected provisions of this Agreement and any amendments thereto will remain in full force and effect.
27.7. All exhibits referred to in this Agreement and any addenda, appendices, attachments, and schedules to this Agreement which, from time to time, may be referred to in any duly executed amendment hereto are by such reference incorporated in this Agreement and will be deemed to be a part of this Agreement.
27.8 In the event of a conflict between the terms of this Agreement and the exhibits hereto or CONSULTANT’s proposal (if any), the Agreement shall control. In the case of any conflict between the exhibits hereto and CONSULTANT’s proposal, the exhibits shall control.
27.9 If, pursuant to this contract with CONSULTANT, CITY shares with CONSULTANT personal information as defined in California Civil Code section 1798.81.5(d) about a California resident (“Personal Information”), CONSULTANT shall maintain reasonable and appropriate security procedures to protect that Personal Information, and shall inform City immediately upon learning that there has been a breach in the security of the system or in the security of the Personal Information. CONSULTANT shall not use Personal Information for direct marketing purposes without City’s express written consent.
27.10 All unchecked boxes do not apply to this agreement.
27.11 The individuals executing this Agreement represent and warrant that they have the legal capacity and authority to do so on behalf of their respective legal entities.
27.12 This Agreement may be signed in multiple counterparts, which shall, when executed by all the parties, constitute a single binding agreement.
IN WITNESS WHEREOF, the parties hereto have by their duly authorized representatives executed this Agreement on the date first above written.
CITY OF PALO ALTO
City Manager
APPROVED AS TO FORM:
City Attorney or designee
PROFESSIONAL ACCOUNT MANAGEMENT, LLC
By:
Name: Tim Wendler
Title: CEO
Attachments:
EXHIBIT “A”: SCOPE OF SERVICES
EXHIBIT “B”: SCHEDULE OF PERFORMANCE
EXHIBIT “C”: COMPENSATION
EXHIBIT “C-1”: SCHEDULE OF RATES
EXHIBIT “D”: VISA/SaaS Security, Privacy Policy
EXHIBIT “E”: PAM DUNCAN PCI CERTIFICATE

EXHIBIT “A” SCOPE OF SERVICES
Parking Citation Processing and Comprehensive Collections
A) Scope of Work
Contractor shall provide the following services:
• Access to system and training
a) AutoPROCESS is a comprehensive hosted citation processing solution, which is accessed via the Internet using Citrix. It is a Windows-based, menu-driven, account-centric citation processing system for processing parking, traffic, and municipal ordinance citations. The software and database is a fully hosted, turnkey type system.
b) Training and support on an on-going basis by vendor will be provided, which shall not exceed four eight hour days annually.
c) Respond to all telephone and electronic mail inquiries. Our account management team will provide timely responses to City inquiries, requests for service and will engage in periodic program update meetings to ensure coordination of operations and objectives are being met.
d) Update meetings.
Vendor Manager and/or Account Representative shall communicate regularly with the Project Manager of the City as required.
• Services
a) Collection of citations transmitted to vendor for system entry on a daily basis. Citations are issued manually (handwritten) or by portable electronic ticket writers. Electronic ticket writers currently utilize PinForce citation issuance software from Database Consultants of Australia (DCA). The City is transitioning from Motorola and Trimble Windows Mobile handheld devices with Bluetooth Intermec printers to Android-based Samsung phones and Bluetooth O’Neil printers.
b) Shall accept daily citation file via secure SFTP.
c) Shall have the ability to manually enter parking citations into the system if needed.
d) Vendor shall export to an SFTP site a current habitual offender file to City each day, which consists of accounts with 5 or more delinquent citations.
e) Reconciliation. Provide the ability to generate a daily report of the number of citations entered into processing system by vendor.
f) Violation screening. The system should screen each citation manually entered by the City to determine whether the citation contains the information necessary to enter it into the system.
g) Shall notify Project Manager by email if no citations are received electronically (except on weekends and holidays).
h) Notice of delinquent parking violation. The system shall generate a notice for each citation, which remains unpaid based upon the notice schedule required by the City.
i) Shall have access to NLETS. City is required to complete and maintain the necessary paperwork for access.
j) Shall provide real time access to the California DMV registered owner information. City is required to complete and maintain the necessary paperwork for access. R/O updates shall be done in a batch mode nightly on scheduled business days.
k) Identification of registered vehicle owners. The system shall make attempts to obtain the name and address of the registered vehicle owner from the DMV and/or NLETS for each vehicle for which a citation has been issued, but payment for which has not been received within the required time period.
l) Verification of ownership through the DMV/NLETS.
m) Send notification to the lessee and/or second reported owner when delinquent and follow the lien process under California law.
n) Vehicle registration holds. The system shall automatically place a hold with DMV on the registration of vehicles for which citations and fees remain unpaid by the registered owners of such vehicles.
o) Removal of registration holds.
p) Process and collect on citations issued to vehicles with out-of-state registration.
q) Suspension of procedures. The system shall suspend the handling of any citations issued by the City upon receipt of appropriate notice by the City.
r) Citation dismissal. The system shall suspend the handling of any citations issued by the City upon receipt of appropriate notice by the City.
s) Assistance with citation design if requested by the City (not required at this time).
t) Quality control procedures in the system.
u) Use of approved forms. All forms, delinquency notices, and correspondence sent by vendor shall conform to applicable law and shall be initially approved by the City.
v) Local and National Fleet Management. If and when City is ready to move forward with this option.
w) IVR System. If and when the City is ready to move forward with this option.
x) We require that the vendor provide the ability for customers to pay citations via the internet.
y) Payments for citations can also be mailed to the City of Palo Alto Revenue Collections Department and processed by City staff.
z) Customer Account Website. If and when the City is ready to move forward with this option.
• On Going Training and Support
a) Contractor will provide ongoing training and support as needed either in person or through web meetings or conference calls up to three eight-hour days annually.
• Reports and Document Storage
a) Vendor shall provide the City access to the following reports via its AutoPROCESS platform:
1. Revenue reports and violation tracking reports
2. Violation statistics and officer report
3. Violation statistics by issue area reports
4. Habitual offender report
5. Statistical and year-to-date revenue reports
6. Citation suspension reports
7. Citation dismissal reports
8. Citation status reports
9. Processing exception reports
10. Registered owner reports
11. Habitual offender reports
12. Court fee reports
13. Special reports as requested by the City
14. Ability to create Ad Hoc reports
b) Quarterly closed violation reports
c) Maintain computer files in standard format for records of payments, collection efforts, disposition, and any and all other information required to provide an audit trail of citation history
d) Reports should be exportable in PDF and/or Excel format
e) Record retention and storage for a period of at least five years
• Comprehensive Collections
a) Assignment and program business rules. Will work with the City to implement business rules regarding collections procedures that are acceptable to the City
b) Will work with the City on changes to the program business rules if required
c) Commercial Collections. Will work with the City to implement business rules regarding commercial collections if and when City is ready to move forward with this option.
d) Outbound Calling. Will work with the City to implement business rules regarding outbound dialing if and when City is ready to move forward with this option.
e) Legal Collections.
Will work with the City to implement business rules regarding outbound dialing if and when City is ready to move forward with this option. The rate for this service option would be 45% of the revenue collected.
f) Collection Letters. Shall present proposed collection letters to the City to review, edit and approve. The collection letters may include:
1. Notice of Assignment to Collection Agency
2. Demand for payment
3. Impending DMV Lien
4. Impending Tax Offset
5. Impending Assignment to Collection Attorney
g) Skip tracing. Shall provide skip tracing services to locate violators at a current address for all accounts assigned with a “bad address” indicator and from accounts that are “return to sender” via mailings
h) DMV information. Shall use its resources to verify DMV information and obtain registration information for any accounts prior to collections assignment
i) Customer service. Shall provide a toll-free customer service number which will be listed on all correspondence for violators to contact should they have any questions or want to dispute the validity of the debt
j) Dispute resolution. Shall provide dispute resolution services to review customer claims of non-liability and forward accounts to Client Agency where it has been determined that there is a valid reason for dismissal of the debt. The system would be updated to reflect the Client Agency decision either by the Client Agency
k) Lockbox remittance processing. Shall provide lockbox remittance processing and include a return remittance envelope with all delinquent collection notices
l) DMV lien process. Shall provide for delayed filing of DMV liens until 100-120 days before the renewal date if requested by the City. This allows maximum time to collect citations without waiting up to one year for the renewal date.
The contractor shall mail a “Notice of Impending DMV Lien” prior to the lien being filed, and will pay all monthly DMV lien fees
m) Franchise Tax Board. Shall include participation in the annual Franchise Tax Board’s Tax Offset Program including:
1. Selecting qualifying accounts per Client Agency guidelines
2. Obtaining social security numbers
3. Obtaining updated addresses
4. Consolidating multiple plates owned by a single violator
5. Mailing “Impending Offset Notice”
6. Receiving calls from violators resulting from “Impending Offset Notice”
7. Lockbox remittance processing
8. Filing with FTB the balance of accounts remaining unpaid from “Impending FTB Notice” process
9. Handling calls from violators whose tax refund has been intercepted
10. Updating FTB with modify records; payments received at other sources; additional amount due
11. Issuing refunds at direction of Client Agency for cases found to have been filed in error
n) Fees, expense reimbursement and revenue distribution:
1. Contractor shall retain the agreed upon fee on payments received from assigned citations. The collection fee will be applicable in cases where the Client Agency decides to accept less than the total amount assigned or where the FTB has intercepted a lesser amount, but in no case shall the collections agency fee exceed the agreed upon rate
2. Collections agency services are contingency based with no additional charges for FTB Social Security numbers, DMV liens, plate matching and mailings
3. Shall issue the Client Agency a credit for DMV lien fees deducted by the State from collection proceeds
4. On a mutually agreed upon schedule, contractor shall transfer to the Client Agency’s designated account, via ACH transfer, the Net Receipts for the prior reporting period. “Net Receipts” means the collection fee due the collections agency will be deducted from proceeds of collections and the remaining funds will be transferred to the Client Agency.
Adequate funds may not exist in the collections agency trust when payment of assigned accounts occurs through mail, over the counter, credit card, telephone, or internet payments are received directly by the Client Agency
5. Franchise Tax Board (FTB) Tax Intercept Lien Collections shall be distributed to the Client Agency from funds received monthly from FTB
6. In the event that collection fees due to the collections agency for any month exceed the amount of funds available in the lockbox account and the monthly FTB distribution, the Client Agency shall be invoiced for the balance due. Payment terms for the balance due shall be Net 30 days of receipt of invoice
7. Contractor shall provide the Client Agency a monthly statement and supporting report that itemizes the collection by citation number and source of payment. The monthly statement will reconcile all payments for assigned accounts received at the following sources:
• Direct payment to City from mail, over the counter, IVR and internet credit card payments
• Direct payment to City from DMV for registration hold payments received
• Payment to collections lockbox service
• Payment from FTB for tax intercept and lottery winning liens filed on behalf of the City

EXHIBIT “B” SCHEDULE OF PERFORMANCE
CONSULTANT shall perform the Services so as to complete each milestone within the number of days/weeks specified below. The time to complete each milestone may be increased or decreased by mutual written agreement of the project managers for CONSULTANT and CITY so long as all work is completed within the term of the Agreement. CONSULTANT shall provide a detailed schedule of work consistent with the schedule below within 2 weeks of receipt of the notice to proceed.
Milestones: Completion No. of Days from NTP
1. Citations entered into system: 1 day
2. Send letter via US mail if not paid: 14 days
3. Late fee added if not paid: 21 days from date of first letter
4. Forward to Collections: 91 days from cite issue date

EXHIBIT “C” COMPENSATION
The CITY agrees to compensate the CONSULTANT for professional services performed in accordance with the terms and conditions of this Agreement, and as set forth in the budget schedule below. Compensation shall be calculated based on the hourly rate schedule attached as exhibit C-1 up to the not to exceed budget amount for each task set forth below.
The compensation to be paid to CONSULTANT under this Agreement for services described in Exhibit “A” (“Basic Services”) and reimbursable expenses shall not exceed $130,000 per year. CONSULTANT agrees to complete all Basic Services, including reimbursable expenses, within this amount. Any work performed or expenses incurred for which payment would result in a total exceeding the maximum amount of compensation set forth herein shall be at no cost to the CITY.
CONSULTANT shall perform the tasks and categories of work as outlined and budgeted below. The CITY’s project manager may approve in writing the transfer of budget amounts between any of the tasks or categories listed below provided the total compensation for Basic Services, including reimbursable expenses, does not exceed $130,000 per year.
BUDGET SCHEDULE: NOT TO EXCEED AMOUNT
Task 1 (Citation Processing): $1.35/cite/first three years; $1.37/cite/year four; $1.39/cite/year five
Task 2 (Notices Letters – includes postage): $0.65/letter/first three years; $0.68/letter/year four; $0.71/letter/year five
Task 3 (Internet Payments): $1.05/transaction/first three years; $1.07/transaction/year four; $1.09/transaction/year five
Sub-total Basic Services: $130,000 per year
Total Not-to-Exceed for Basic Services for five years at $130,000 per year.
Maximum Total Compensation: $650,000

EXHIBIT “C-1” SCHEDULE OF RATES
CITATION PROCESSING AND COLLECTIONS FEE SCHEDULE
Current Services: Unit Price
1. Citation Processing - per citation entered into the system (1): $1.35; Year Four $1.37; Year Five $1.39
2. Notices Letter or Large Postcard Format (2): $0.65; Year Four $0.68; Year Five $0.71
3. Internet Payments - Client's Processor (3): $1.05; Year Four $1.07; Year Five $1.09
4. Obtain California Registered Owner Information (4): Included in processing cost
Obtain Out-of-State Registration Information (4): $0.98 to $4.50
5. Collections Services Options (5): Comprehensive Collection Services 35%
Special Note: DMV liens are currently used as a collections tool and are included as part of a comprehensive collections program. We reimburse the City $3.00 for every registration hold placed.
Optional Services: Unit Price
6. Manual Citation Data Entry/Imaging: $0.25
7. Phone Payments - Client's Processor (9): $1.05; Year Four $1.07; Year Five $1.09
(1) The fee for use of the AutoPROCESS System is a transaction charge per citation processed. The rate charged is dependent on the client agency annual citation volume. Determination of “volume” is based on a client agency’s citations processed during the prior calendar year. Includes the cost for obtaining registered owner information from the California Department of Motor Vehicles. If the DMV ever charges for this service the actual cost will be passed on to the Client Agency.
(2) Rates for notice printing and mailing include postage at the current prevailing rate. This service fee will be adjusted to offset any increase in the standard U.S. first class postage rate in the future.
Client agencies will be notified of postal rate changes and the impact on service fees for letter and post card notices as they occur. (Client Agency can choose either notice type or a combination of the two first and second notices)
(3) Duncan can provide the credit card merchant account and transfer funds collected to the client's bank account. If the client agency provides the credit card merchant account, Web and IVR payment fee is reduced because the Client Agency is responsible for credit card merchant service fees and bank charges.
(4) Costs for obtaining DMV registered owner information are billed to client agencies. California is currently provided by DMV at no cost. The charges for out-of-state registered owners data requests vary from State to State and range from $.98 to $4.50 per transaction. The average cost is $0.98 per transaction, some states are at a higher rate.
(5) Delinquent account collection services include skip tracing, research of registered owners, obtaining social security numbers. Full Service includes telephone customer call center services, return mail processing, notice printing and mailing, payment processing and correspondence processing. Client agencies have the option of adopting "Collection Cost Recovery Fee" charged to add penalty to citation account balance due to offset collection costs.
(6) Data entry of manual citations and rejected citation workflow.
(7) Interactive Voice Response service for citation inquiry, payments and answers to FAQs.

EXHIBIT “D” - VISA
City of Palo Alto Information Security Document Version: V2.5 [11/01/2012] Doc: InfoSec 110
EXHIBIT ___ SOFTWARE AS A SERVICE SECURITY AND PRIVACY TERMS AND CONDITIONS
This Exhibit shall be made a part of the City of Palo Alto’s Professional Services Agreement or any other contract entered into by and between the City of Palo Alto (the “City”) and _______________ (the “Consultant”) for the provision of Software as a Service to the City (the “Agreement”).
In order to assure the privacy and security of the personal information of the City’s customers and people who do business with the City, including, without limitation, vendors, utility customers, library patrons and other individuals and businesses, who are required to share such information with the City, as a condition of receiving services from the City or selling goods and services to the City, including, without limitation, the Software as a Service services provider (the “Consultant”) and its subcontractors, if any, including, without limitation, any Information Technology (“IT”) infrastructure services provider, shall design, install, provide, and maintain a secure IT environment, described below, while it renders and performs the Services and furnishes goods, if any, described in the Statement of Work, Exhibit B, to the extent any scope of work implicates the confidentiality and privacy of the personal information of the City’s customers. The Consultant shall fulfill the data and information security requirements (the “Requirements”) set forth in Part A below.
A “secure IT environment” includes: (a) the IT infrastructure, by which the Services are provided to the City, including connection to the City's IT systems; (b) the Consultant’s operations and maintenance processes needed to support the environment, including disaster recovery and business continuity planning; and (c) the IT infrastructure performance monitoring services to ensure a secure and reliable environment and service availability to the City. “IT infrastructure” refers to the integrated framework, including, without limitation, data centers, computers, and database management devices, upon which digital networks operate.
In the event that, after the Effective Date, the Consultant reasonably determines that it cannot fulfill the Requirements, the Consultant shall promptly inform the City of its determination and submit, in writing, one or more alternate countermeasure options to the Requirements (the “Alternate Requirements” as set forth in Part B), which may be accepted or rejected in the reasonable satisfaction of the Information Security Manager (the “ISM”).
Part A. Requirements:
The Consultant shall at all times during the term of any contract between the City and the Consultant:
(a) Appoint or designate an employee, preferably an executive officer, as the security liaison to the City with respect to the Services to be performed under this Agreement.
(b) Provide a full and complete response to the City’s Supplier Security and Privacy Assessment Questionnaire (the “Questionnaire”) to the ISM, and also report any major non‐conformance to the Requirements, as and when requested. The response shall include a detailed implementation plan of required countermeasures, which the City requires the Consultant to adopt as countermeasures in the performance of the Services. In addition, as of the annual anniversary date of this Agreement the Consultant shall report to the City, in writing, any major changes to the IT infrastructure.
(c) Have adopted and implemented information security and privacy policies that are documented, are accessible to the City and conform to ISO 27001/2 – Information Security Management Systems (ISMS) Standards. See the following:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=42103
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
(d) Conduct routine data and information security compliance training of its personnel that is appropriate to their role.
(e) Develop and maintain detailed documentation of the IT infrastructure, including software versions and patch levels.
(f) Develop an independently verifiable process, consistent with industry standards, for performing professional and criminal background checks of its employees that (1) would permit verification of employees’ personal identity and employment status, and (2) would enable the immediate denial of access to the City's confidential data and information by any of its employees who no longer would require access to that information or who are terminated.
(g) Provide a list of IT infrastructure components in order to verify whether the Consultant has met or has failed to meet any objective terms and conditions.
(h) Implement access accountability (identification and authentication) architecture and support role‐based access control (“RBAC”) and segregation of duties (“SoD”) mechanisms for all personnel, systems and software used to provide the Services. “RBAC” refers to a computer systems security approach to restricting access only to authorized users. “SoD” is an approach that would require more than one individual to complete a security task in order to promote the detection and prevention of fraud and errors.
(i) Assist the City in undertaking annually an assessment to assure that: (1) all elements of the Services’ environment design and deployment are known to the City, and (2) it has implemented measures in accordance with industry best practices applicable to secure coding and secure IT architecture.
(j) Provide and maintain secure intersystem communication paths that would ensure the confidentiality, integrity and availability of the City's information.
(k) Deploy and maintain IT system upgrades, patches and configurations conforming to current patch and/or release levels by not later than one (1) week after its date of release. Emergency security patches must be installed within 24 hours after its date of release.
(l) Provide for the timely detection of, response to, and the reporting of security incidents, including on‐going incident monitoring with logging.
(m) Notify the City within one (1) hour of detecting a security incident that results in the unauthorized access to or the misuse of the City's confidential data and information.
(n) Inform the City that any third party service provider(s) meet(s) all of the Requirements.
(o) Perform security self‐audits on a regular basis and not less frequently than on a quarterly basis, and provide the required summary reports of those self‐audits to the ISM on the annual anniversary date or any other date agreed to by the Parties.
(p) Accommodate, as practicable, and upon reasonable prior notice by the City, the City’s performance of random site security audits at the Consultant’s site(s), including the site(s) of a third party service provider(s), as applicable. The scope of these audits will extend to the Consultant’s and its third party service provider(s)’ awareness of security policies and practices, systems configurations, access authentication and authorization, and incident detection and response.
(q) Cooperate with the City to ensure that to the extent required by applicable laws, rules and regulations, the Confidential Information will be accessible only by the Consultant and any authorized third party service provider’s personnel.
(r) Perform regular, reliable secured backups of all data needed to maximize availability of the Services.
(s) Maintain records relating to the Services for a period of three (3) years after the expiration or earlier termination of this Agreement and in a mutually agreeable storage medium. Within thirty (30) days after the effective date of expiration or earlier termination of this Agreement, all of those records relating to the performance of the Services shall be provided to the ISM.
(t) Maintain the Confidential Information in accordance with applicable federal, state and local data and information privacy laws, rules and regulations.
(u) Encrypt the Confidential Information before delivering the same by electronic mail to the City and or any authorized recipient.
(v) Unless otherwise addressed in the Agreement, shall not hold the City liable for any direct, indirect or punitive damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the City’s IT environment, including, without limitation, IT infrastructure communications.
Part B. Alternate Requirements:

Information Privacy Policy
Release and Version: 1st Release, Version 2.2
Release Date: 31 January, 2013
Document Classification: Need to Know
City of Palo Alto Information Technology, Information Security Services
CONTENTS
DOCUMENT CONTROLS
CHANGE RECORD
APPROVAL
DISTRIBUTION
1. OBJECTIVE
A) INTENT
B) SCOPE
C) CONSEQUENCES
D) EXCEPTIONS
E) MUNICIPAL ORDINANCE
2. RESPONSIBILITIES OF CITY STAFF
A) RESPONSIBILITY OF CIO AND ISM
B) RESPONSIBILITY OF INFORMATION SECURITY STEERING COMMITTEE
C) RESPONSIBILITY OF USERS
D) RESPONSIBILITY OF INFORMATION TECHNOLOGY (IT) MANAGERS
E) RESPONSIBILITY OF AUTHORIZATION COORDINATION
3. PRIVACY POLICY
A) OVERVIEW
B) PERSONAL INFORMATION AND CHOICE
C) METHODS OF COLLECTION OF PERSONAL INFORMATION
D) UTILITIES SERVICE
E) PUBLIC DISCLOSURE
F) ACCESS TO PERSONAL INFORMATION
G) SECURITY, CONFIDENTIALITY AND NON-DISCLOSURE
H) DATA RETENTION / INFORMATION RETENTION
I) SOFTWARE AS A SERVICE (SAAS) OVERSIGHT
J) FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003 (FACT)
4. CONTACTS

DOCUMENT CONTROLS
Document Title: Information Privacy Policy
Location: City of Palo Alto Website and SharePoint
Document Author: Raj Patel
Document Manager: Raj Patel
Contributors: Jonathan Reichental, Shiva Swaminathan, Tom Auzenne, Joe Blackwell, Grant Kolling

CHANGE RECORD
Date; Author; Version; Change Reference
12-Jul-12; Raj Patel; 0.01; First draft developed
26-Sep-12; Raj Patel; 1.0; First draft released for review
09-Nov-12; Raj Patel; 1.5; Updated first draft for review
19-Nov-12; Raj Patel; 1.6; Additional updates as identified
22-Nov-12; Raj Patel; 1.7; Revised table of content
26-Nov-12; Raj Patel; 1.8; Revised followed by review from Jonathan Reichental and Tom Auzenne
6-Dec-12; Raj Patel; 1.92; Revised according to comments from Jonathan Reichental
14-Jan-13; Raj Patel; 2.0; Revised according to comments from Grant Kolling
31-Jan-13; Raj Patel; 2.2; Revised according to comments from Information Security Steering Committee

APPROVAL
Date; Name; Role
06-Dec-12; Raj Patel; Information Security Manager; Information Technology Department
06-Dec-12; Jonathan Reichental; CIO; Information Technology Department
06-Dec-12; Tom Auzenne; Assistant Director, Utilities Department
14-Jan-13; Grant Kolling; Senior Assistant City Attorney; City Attorney Office
14-Jan-13; Information Security Steering Committee; Sponsor

DISTRIBUTION
Name: City of Palo Alto Employees, Service Providers, Residents and Businesses
Location: City of Palo Alto Website and SharePoint
to recommenecurity Steeri Com y on ment Appr ment Appr t Appr ty ney’s Appr Appr o Website an City of nformation Teation Security Pa 31 Janua m Auzenne, m Jonathan s from s from ndations ng mments roved roved roved roved roved d Palo Alto chnology Services age 2 of 8 ary, 2013 DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A Information P Version 2.2 1. O The C Palo provi approfinan businlocal indus1798 somebusin Califoto en Protebusin provi“Pers “Infoin thi A) I The C persoof me persothe C and spolic Infor The g all ussecu and scomp B) S The requinform confo C) C The Ctheir Privacy Policy Objective City of Palo A Alto. In promisions of the C opriate measncial) informat ness as a locaauthorities a stry best prac8.24, 1798.79 e of these proness in a man ornia laws. Thnsure the ong ected Critical ness with the ide services. sonally Identif rmation”) are s Policy by re INTENT City, acting in ons who do beans, includin ons accessingCity’s staff and security of theies, rules, reg mation is coll goals and obj sers having arity of databa security of thepliance with le SCOPE Policy will gu ired to protecmation data a orm their perf CONSEQUENCE City’s employwork implicat y e  Alto (the “City” moting the quaCalifornia Pub ures to safegtion of person al governmennd reflected i ctices, includin.8(b), 1798.80 ovisions do nonner which pr he objective ooing protectio InfrastructureCity and rece The terms “Pfiable Informa defined in theeference. n its governme business with ng, without lim g the City’s wd/or authorize e Information gulations and ected, stored jectives of the ccess to the Case informatio e Information egal and regu ide the City’s ct the confidenare intended t formances to ES yees shall comtes access to ”) strives to p ality of life of tblic Records A uard the secuns, collected in nt agency. 
Thn federal and ng, without lim0(e), 1798.81 ot apply to locomotes the p of this Policy ion of the Pers e Informationaeiving service Personal Inforation” and “Pe e California C ental and pro or receive semitation, from website, and ped third-party collected by procedures, and utilized i e Policy are: ( City’s applicaon assets own provided to tulatory require staff and, ind ntiality and prto be covered the Policy sh mply with the the Informati romote and s these personsAct, California urity and privan the ordinary ese measured California law mitation, the p.5, 1798.82(e cal governmerivacy of pers is to describesonal Informa and Personales from the Ci rmation,” “Proersonally Iden Civil Code sec prietary capa ervices from thpersons appl persons who acontractors. T the City. The and industry in compliance (a) a safe, pro tions and datned by, or ent he City’s staffements. directly, third p ivacy of the Ind by the Policy ould they enj Policy in the ion referred to sustain a supe s, it is the pola Governmen acy of the pery course and es are generaws, the City’s provisions of Ce), 1798.83(e nt agencies lisonal informa e the City’s daation, Persona ly Identifying ity or a third p otected Criticantifying Inform ctions, referre acities, collect he City. The Ilying to receiv access other The City is co City acknowbest practice e with applica oductive, and tabases; (b) thtrusted to, the ff and third pa party contract nformation ofy and which w oy conditiona execution of o in this Polic InInforma erior quality o icy of the Citynt Code §§ 62 rsonal (includscope of con lly observed bs rules and re California Cive)(7), and 179 ike the City, tation, as reflec ata security goally Identifiabl Information oparty under co al Infrastructumation” (collec ed to above, a ts the Informa Information isve services p information pommitted to p ledges federaes are dedicat able laws. 
inoffensive w he appropriate City; (c) the arty contractor tors, which ar f the persons will be advised al access to th their official dcy. A failure to City of nformation Teation Security Pa 31 Janua of life for perso y, consistent w250 – 6270, to ding, without lnducting the C by federal, stagulations, an vil Code §§ 1798.92(c). Thou the City will cocted in federa oals and objele Information of persons doontract to the ure Informatioctively, the and are incorp ation pertainin s collected by rovided by th portals maintaprotecting the al and Califorted to ensurin work environm te maintenanccontrolled ac rs; and (d) fai re by contract whose persod by City staf hat informatio duties to the eo comply may Palo Alto chnology Services age 3 of 8 ary, 2013 ons in with the o take imitation, City’s ate and d 798.3(a), ugh onduct al and ectives, n, oing City to on”, porated ng to a variety e City, ained by privacy nia laws, ng the ment for ce and ccess ithful t onal ff to on. extent y result in DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A Information P Version 2.2 empl D) E In the Policexce “ISMas m accoform storawill c the reand h by th E) M This 2. RE A) R The Ccoord The Cpartyperfo The and tin derespoinciddepa Non-inclu B) R The drawfor a initiaplann addre Privacy Policy loyment and/o EXCEPTIONS e event that a cy, the employption request ”). The emplmay be reques ordance with gby the City A age, access, rconsult with th equest, the ehis or her sup he CIO, acting MUNICIPAL OR Policy will su SPONSIB RESPONSIBILIT CIO, acting bdinate the imp City’s employy contractors ormance of th ISM will be rethe effectivenetailed, auditaonsible for theents that arisartment-specif -Disclosure Ading, without RESPONSIBILIT Information Swn from the vall information tives and actining processe essed at the a y or legal conse a City employ yee may requt will be review oyee, with thested by the IS guidelines appAttorney. The P retention, usahe CIO to app xception requpervisor. 
The g by the ISM. RDINANCE persede any BILITIES O TY OF CIO AND y the ISM, wiplementation yees, in particunder contraceir job respon esponsible forness of the Poble technical e City’s IT enve in regard tofic policies an greements (Nlimitation, loc TY OF INFORMA Security Steerarious City desecurity effor ivities. The ISes to ensure t appropriate C equences. ee cannot ful est an excepwed and adm e approval of M. The ISM w proved by thePolicy’s guide age, and proteprove or deny uest dispositioapproval of a City policy, ru OF CITY S D ISM ll establish anof information cular, softwarect to the City tnsibilities. r: (a) developolicy; (c) the drequirementsvironments; (o potential viond procedures NDAs) signedcal or ‘cloud-b ATION SECURI ring Committepartments, wrts, including SSC will providthat informatio City departme ly comply with tion by submministered by t his or her suwill conduct a e City’s Chief elines will incl ection of the Ithe exception on will be comny request m ule, regulation STAFF n information n security me e application to provide ser ing and updadevelopment os, which will bd) assisting thlations of the s which fall un by third partybased’ softwa TY STEERING ee (the “ISSCwill provide thekey informatio de input to thon security ris nt level. h one or more itting Securitythe City’s Info pervisor, will a risk assessm Information Olude at a mini nformation idn request. 
Af mmunicated, imay be subjec n or procedur security maneasures by the users and darvices, shall b ating the Policof privacy stabe designed ahe City’s staff Policy; (e) render the purv y contractorsare services to COMMITTEE ”), which is coe primary direon security an e informationsks are adequ InInforma e element(s) y Exception Rormation Secu provide any ament of the re Officer (“CIO”imum: purpos dentified in thefter due cons in writing, to tct to counterm re regarding i nagement frame City’s gove atabase usersby guided by cy, (b) enforciandards that wand maintaineff in evaluatingeviewing and view of this Po , which will pro the City. omprised of tection, prioritiznd privacy ris n security anduately consid City of nformation Teation Security Pa 31 Janua described in Request.The urity Manager additional infoquested exce ) and approvese, source, co e request. Theideration is gi the City emplomeasures esta nformation pr mework to initrnment. s, and, indirecthis Policy in ng compliancwill manifest ted by the persg security andapproving olicy; and (f) r rovide service he City’s empzation and apsks, programs privacy stratered, assess Palo Alto chnology Services age 4 of 8 ary, 2013 this r (the ormation eption in ed as to ollection, e ISM iven to oyee ablished rivacy. tiate and ctly, third the ce with he Policy sons d privacy reviewing es, ployees, pproval s, tegic ed and DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A Information P Version 2.2 C) R All auproce D) R The C City’scomp intern E) R The (NDA the Sexec controbjec by thoccu The Cappro 3. PR A) O The Infor by, ocontractivother The tother desiginformcompmainconfithird B) P Exce doingpersoas a Privacy Policy RESPONSIBILIT uthorized useesses and tec RESPONSIBILIT City’s IT Man s networks, wpliance with th nal reporting RESPONSIBILIT ISM will ensuA), whenever Software as a cuted prior to t ractors. The Cctives, policie he ISM at planrred. 
CIO, acting bopriate, comm IVACY PO OVERVIEW Policy appliesmation of per or entrusted toractors under ities include, r networks, sy term “informar related orga gned, implemmation assetspromise, and ntain informatidentiality, inteparties. PERSONAL INF ept as permitte g business wion has conselocal governm y TY OF USERS ers of the Infochnologies wi TY OF INFORMA agers, who a will be responshe City’s infor of events that TY OF AUTHOR ure that the Ciaccess to the Service (Saathe sharing of City’s approacs, processes nned intervals y the ISM, wimencing from OLICY s to activities rsons doing b o, the City andcontract to thwithout limitaystems, or de ation assets” aanizations whi ented, and ms. The City’s sinappropriateion managemegrity, and av FORMATION AN ed or provide ith the City, oented to the Cment agency rmation will bithin the scop ATION TECHNO re responsibl sible for confirmation secur t may have co RIZATION COOR ity’s employeee Information aS) Security af the Informat ch to managin, and procedu s, or wheneve ll review and the date of it that involve tusiness with t d will be madhe City to proation, accessinevices. also includes ile those asse maintained to estaff will act toe disclosure oment systems,vailability of its ND CHOICE d by applicab r receiving seCity’s sharing owith third par be responsiblee of responsi OLOGY (IT) MA e for internal, guring, maintrity and privac ompromised RDINATION es secure thewill be grante and Privacy Ttion of person ng informationures for inform er significant c recommend ts adoption. he use of thethe City or re e available tovide Softwareng the Interne the personal ets are under ensure that oo protect its inor alteration. T networks ans information ble laws, the C ervices from thof such informrties under co e for complyinibility of each ANAGERS , external, dir taining and secy policies. 
T network, syst e execution ofed to third par Terms and Cons covered by n security andmation securit changes to se changes to th e City’s informceiving servic o the City’s eme as a Serviceet, using e-ma information othe City’s con nly authorizenformation asThe City will pnd processes assets to the City will not sh he City, in viomation duringontract to the C InInforma ng with informuser. rect and indire ecuring the Chey are also tem or data s f Non-Disclosrty contractor onditions. An y this Policy w d its implemety) will be rev ecurity implem he Policy ann mation assets,ces from the C mployees ande consulting sail, accessing of the City’s entrol. Securit d persons wilssets from theplan, design, in order to ase City’s emplo hare the Infor olation of this the conduct City to provid City of nformation Teation Security Pa 31 Janua mation privacy ect connection City’s IT networesponsible fo ecurity. sure Agreemers, in conjunct NDA must bewith third party entation (i.e. viewed indepe mentation hav nually, or as namely, the City, which ar d third party services. Theg the City’s int employees anty measures w ll enjoy acceseft, damage, limplement anssure the appoyees and aut rmation of any Policy, unlesof the City’s be services. 
Palo Alto chnology Services age 5 of 8 ary, 2013 y ns to the orks in or timely ents tion with e y endently ve re owned se tranet or nd any will be ss to the oss, nd ropriate thorized y person ss that business DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A Information P Version 2.2 C) M The Ccolle businmay and wforma The Csite m City wthe In the bInter the ucomp their on hi sites D) U In theDepa custoUtiliti applyother with Busin havemont residand/o the s Busin coveInfor E) P The couldunles F) A The C acceaffec Privacy Policy METHODS OF C City may gathction of such ness as a locabe gathered with other tecation in order City’s staff wimay use “coo will note that nternet Protoc browser softwnet address o user’s computpromise the u computers byis or her com . UTILITIES SERV e provision ofartment (“CPA omers. To theies Rules and y; provided, hrwise directed other City dep nesses and re e secure accethly utility usa dents with nonor billing data standard mon nesses and re red by the samation under PUBLIC DISCLO Information th d be incorporass such inform ACCESS TO PE City will take ss to that percted persons w y COLLECTION O her the Informinformation is al governmenat service win chnologies, whr to secure the ll inform the pkies” to custo a cookie contcol address o ware and operof the website ter by using thuser’s privacy y using any oputer, it will n VICE f utility serviceAU”) will colle e extent the md Regulations however, any d or approved partments ex esidents with ss through a age and billing n-standard or a provided to t thly billing. esidents with ame privacy pr applicable fe OSURE hat is collecte ated in a publmation is exem ERSONAL INFO reasonable s rson’s Informawho can revie OF PERSONAL mation from a s both necess nt agency in itndows and co herever the Ce City’s servic persons whosomize the brow tains unique iof the compute ating systemse from which t he City’s webor security. 
U of the widely aot prevent or es to personsect the Informa management or other ordi such Rules ad by the Coun cept as may b standard utili CPAU websig data. In add experimentathem through such non-sta rotections anederal and Ca ed by the City lic record thatmpt from disc ORMATION teps to verify ation. Each Cew and updat INFORMATION variety of sousary and appr ts governmenontact centers City may interaces. se Informationwsing experie information ther used to ac s used, the dathe user linke site do not cUsers can refu available methprohibit the u s located withiation in order of that informnances, rules and Regulationcil. This inclu be required b ity meters and te to their Infodition to their r l electric, wat non-City elec andard or exp d personal inalifornia laws. in the ordina t may be subjclosure to the a person’s id City departmente that informa urces and resropriate in ord ntal and proprs as well as a act with perso n are coveredence with the hat a web siteccess the City ate and time ed to the City’s contain the Infuse the cooki hods. If the ususer from gain in Palo Alto, tr to initiate an mation is not ss, regulations ns must confudes the shar by law. d/or having n ormation, inclregular month ter or natural ctronic portal perimental me nformation exc ry course and ject to inspecpublic by Ca dentity before nt that collectation at reaso InInforma sources, provder for the Cit rietary capaciat web sites, b ons who need d by this Police City of Palo A e can use to try’s web sites, a user accesss web sites. C formation, andies or delete t ser chooses nning access t the City of Pad manage uti specifically ad or procedure form to this Poring of CPAU- on-metered m luding, withouhly utilities bil gas meters ms at different etering will ha change rules d scope of co ction and copyalifornia law. e the City will g ts Informationonable times. City of nformation Teation Security Pa 31 Janua ided that the ty to conduct ties. 
That infby mobile app d to share suc cy that the CitAlto web site rack, among othe identificat sed the site, aCookies creat d thus do notthe cookie file not to accept to or using the alo Alto Utilitieility services t ddressed in thes, this Policy olicy, unless -collected Info monthly servic ut limitation, thling, business may have theiintervals than ave their Inform applicable to onducting its b ying by the pu grant anyone n will afford ac Palo Alto chnology Services age 6 of 8 ary, 2013 formation plications, ch ty’s web . The others, tion of and the ted on t es from a cookie e City’s es to he y will ormation ces will heir ses and ir usage n with mation o business ublic, e online ccess to DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A Information P Version 2.2 G) S Exceperso partiereaso perso The C Inforinsta such If the occubreac date(and t H) D The C periodestr I) S The C servi In ord thosethe S proviservi confi Theswhic serviinclu moniterm comp Priorservi evenrequ prom J) F CPAmana Privacy Policy SECURITY, CO ept as otherwions covered b es without theonable contro ons covered b City may auth mation of pernces, the City Information o e City become rred, with resch in accorda (s) of the knowthe proposed DATA RETENTI City will store od is establishruction. 
SOFTWARE AS City may eng ces, common der to assure e who receiveSaaS services ider, shall desces and/or fu dentiality and se requiremenh the services ces provider’ding disaster itoring service“IT infrastruc puters, and da r to entering inces provider nt that the Saairements duri mptly inform th FAIR AND ACC U will requireage utility ser y NFIDENTIALITY ise provided bby this Policy e express writols that are de by this Policy horize the City rsons who do y will require only in further es aware of a spect to the Inance with app wn or suspecaction to be ION / INFORMA e and secure a hed by law, fo A SERVICE (S age third part nly known as the privacy a ed services fros provider and sign, install, purnishes good d privacy of th nts include infs are provided s operations recovery and es to ensure acture” refers to atabase man nto an agreemto complete a aS services png the course he ISM. URATE CREDIT utility customrvices to them Y AND NON-DIS by applicable as confidenti tten consent oesigned to pro . y’s employee business withthe City’s em rance of City- breach, or ha nformation of licable laws. cted breach, ttaken or the r ATION RETENTI all Information or seven (7) ye SAAS) OVERSI ty contractors Software-as- and security o om the City, ad its subcontr provide, and mds to the City, he Information formation secd to the City, and maintenad business co a secure and o the integrate agement dev ment to providand submit an provider reasoe of providing T TRANSACTIO mers to providm. SCLOSURE law or this Poial and will no of the personotect the conf and or third p h the City or rployee and/o -related busin as reasonable a person, theThe notice of he nature of tresponsive ac ION n for a period ears, and the GHT s and vendors a-Service (Sa of the Informa as a conditionractors, if any maintain a secto the extent n. 
curity directiveincluding con ance processontinuity plann reliable envired framework vices, upon wh de services ton Information onably determ services, the ON ACT OF 200 de their Inform olicy, the Cityot disclose it, n affected. Thefidentiality and party contrac receive servicor the third pa ness and in ac e grounds to e City will notiff breach will in the Informatioction taken by d of time as m ereafter such i s to provide s aaS). ation of those n of selling goy, including an cure IT envirot any scope of es pertaining nnection to th es needed toning; and (c) t ronment and k, including, w hich digital ne o the City, theSecurity and mines that it cae City will requ 03 mation in orde InInforma y will treat theor permit it to e City will devd security of t ctors to acces ces from the Crty contractor ccordance wit believe that a fy the affectenclude the da on that is the y the City. may be require information w software appli who do busin oods and/or sny IT infrastru onment, whilef work or serv to: (a) the IT e City's IT sy o support the the IT infrastr service availawithout limitat etworks opera e City’s staff w Privacy Que annot fulfill thuire the SaaS er for the City City of nformation Teation Security Pa 31 Janua e Information oo be disclosed velop and mathe Informatio s and/or use City. In thosers to agree to th the Policy. a security bre d person of sate(s) or estim subject of the ed by law, or i will be schedu cation and da ness with the ervices to thecture service e it performs svices implicat infrastructurestems; (b) the IT environmeructure perfor ability to the Ction, data cen ate. will require theestionnaire. In e informationS services pro to initiate and Palo Alto chnology Services age 7 of 8 ary, 2013 of d, to third aintain on of the use ach has such mated e breach, if no led for atabase City and e City, s such tes the e, by e SaaS ent, rmance City. 
The ters, e SaaS n the n security ovider to d DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A Information P Version 2.2 Fede 108-credi and ipreve CPAwhen chan Ther § 179 4. CO Info Chie Utili City Privacy Policy eral regulation 159), includinitor” which pro implement proent, respond U proceduresnever significa nges to CPAU e are Californ 98.92. ONTACTS rmation Secu ef Information ties Departm y Attorney’s O y ns, implement ng the Red Flaovides service ocedures for and mitigate s for potentialant changes t U identity theft nia laws which urity Manager n Officer: Rei ent: Auzenne Office: Kolling, ting the Fair a ag Rules, reqes in advance an identity thpotential iden identity theft to security im t procedures, h are applicab r: Patel, Raj < chental, Jona e, Tom <Tom Grant <Gran and Accurate quire that CPAe of payment eft program fontity theft of its will be reviewplementation or as approp ble to identity Raj.Patel@C athan <Jonath m.Auzenne@C nt.Kolling@Ci Credit Trans AU, as a “covand which ca for new and es customers’ wed independn have occurre priate, so as to y theft; they ar CityofPaloAlto han.Reichent CityofPaloAlto tyofPaloAlto.o InInforma sactions Act o ered financiaan affect cons existing accouInformation. dently by the ed. The ISM w o conform to re set forth in .org> tal@CityofPal o.org org> City of nformation Teation Security Pa 31 Janua of 2003 (Publi l institution orsumer credit, unts to detect, ISM annuallywill recomme this Policy. 
California Ci loAlto.org> Palo Alto chnology Services age 8 of 8 ary, 2013 c Law r develop , y or nd vil Code DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 1 of 16 Version 2.0 2 November 2016 Vendor Information Security Assessment (VISA) Questionnaire Purpose: This Vendor Information Security Assessment (VISA) Questionnaire requests information concerning a Cloud Service Provider (the Vendor), which intends to provide to the City of Palo Alto (the City) any or all of the following services: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS). Note/Instructions:  SaaS, PaaS and IaaS are each a ‘cloud’ servicing model, in which software and database applications, computer network infrastructure and/or computer hardware/software platforms is/are hosted by the Vendor and made available to customers interconnected in a network, typically the Internet.  This Questionnaire is for the sole use of the intended Vendor and may contain confidential information of individuals and businesses collected, stored, and used the City. Any unauthorized collection, storage, use, review or distribution may be prohibited by California and/or Federal laws. If you are not the intended recipient of this Questionnaire, please contact the sender by e-mail and destroy all copies of the Questionnaire.  The Vendor shall provide answers to the questions or information to the requests provided below.  In the event that the Vendor determines that it cannot meet the City’s security and or privacy requirements, the Vendor may submit a request for an exception to the City’s requirements and propose alternative countermeasures to address the risks addressed in this Questionnaire. The City’s Information Security Manager (ISM) may approve or reject the exception request, depending on the risks associated with the exception request. 
 Security Exception Request shall be submitted if you cannot comply with this policy/requirements  Upon receipt of the Vendor’s response, the ISM will conduct a security risk assessment, using the following scoring methodology: A = Meets completely. B = Partially meets. The Vendor may be required to provide additional requested information. C = Doesn’t meet. The Vendor may be required to provide missing/additional detail. Vendor Information: Vendor Organization Name Professional Account Management, LLC. Address 1 West Manchester Blvd. Suite 602 Information Security Contact Person Name Dean Viereck, Regional Manager Email dviereck@duncansolutions.com Phone 562-619-5439 Date this Questionnaire Completed 10/10/2016 DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 2 of 16 Version 2.0 2 November 2016 1.0 BUSINESS PROCESS AND DATA EXCHANGE REQUIREMENTS # Question Response from the Vendor Score Additional Information/Clarification Required from the Vendor 1.1 Please provide a detailed description of the Vendor’s business process that will be offered to the City, as this relates to the proposed requirements of the City’s RFP or other business requirements Parking citation processing and collections services as agreed to in the Scope of Services with the City of Palo Alto. A 1.2 Has the Vendor adopted and implemented information security and privacy policies that are documented and conform to ISO 27001/2 – Information Security Management Systems (ISMS) Standards or NIST 800-53 (National Institute of Standards – NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations) Although we have adopted and implemented information security and privacy policies, we have not undertaken a formal project to determine our conformity to any of the standards listed. 
B 1.3 What data exchange will occur between the City and the Vendor? What data will be stored at the Vendor’s or other third party’s data storage location? (Provide data attributes with examples of the data to be stored) Electronic parking citation data will be sent from Database Consultants Australia (DCA) to Professional Account Management for processing. Scofflaw data will be sent back to DCA to be imported into the issuing devices. A DocuSign Envelope ID: D86B35DC-44A1-44CB-AE20-4144AA51575A City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 3 of 16 Version 2.0 2 November 2016 Example: Payment Card Information, Social Security Number, Driving License number Patrons Name, Address, Telephone etc.), which are examples of personal information, the privacy of which are protected by California constitutional and statutory law. Parking Citation, adjudication and payment, related transactions and in state and out of state registered owner data is stored in AutoPROCESS. Social Security Numbers and credit card information is not stored in AutoPROCESS. 1.4 In the event that the Vendor is required to store Private Information (PI), Personally Identifiable Information (PII), and Sensitive Information (SI) about individuals/organizations with the service provider’s business systems, how does the Vendor maintain the confidentiality of the information in accordance with applicable federal, state and local data and information privacy laws, rules and regulations? [(The City of Palo Alto (the “City”) strives to promote and sustain a superior quality of life for persons in Palo Alto. 
In promoting the quality of life of these persons, it is the policy of the City, consistent with the provisions of the California Public Records Act, California Government Code §§ 6250 – 6270, to take appropriate measures to safeguard the security and privacy of the personal (including, without limitation, financial) information of persons, collected in the ordinary course and scope of conducting the City’s business as a local government agency. These measures are generally observed by federal, state and local authorities and reflected in federal and California laws, the City’s rules and regulations, and industry best practices, including, without limitation, the provisions of California Civil Code §§ 1798.3(a), 1798.24, 1798.79.8(b), 1798.80(e), 1798.81.5, 1798.82(e), 1798.83(e)(7), and 1798.92(c)].
Response: We comply with the standards in the California Public Records Act. We store all client data in transit and at rest using 256 bit encryption.
Score: A

1.5 Question: What mechanism and/or what types of tool(s) will be used to exchange data between the City and The Vendor? Example: (VPN, Data Link, Frame Relay, HTTP, HTTPS, FTP, FTPS, etc.)
Response: We use SFTP
Score: A

1.6 Question: What types of data storage (work in progress storage and backup storage) are present or will be required at the Vendor’s site? Example: (PCI Credit Card Info, SSN, DLN, Patrons Name, Address, telephone etc.)
Response: We communicate with Lexis Nexis via SSL to obtain the social security numbers. The Social security numbers are stored on the account records in the Oracle database which resides on encrypted disk. We follow the State of California secure communications protocols to transmit and receive data from the state FTB system SWIFT.
We are working on our SSAE SOC 2-Type 2, but it will be some time before the audit is completed and published. I do not have an estimated date of completion. As soon as I do I will provide it to you. (this is the one we discussed on the phone)
Score: A

1.7 Question: Is e-mail integration required between the City and the Vendor? Example: The provision of services may require the City to provide the Vendor with an e-mail account on the City’s e-mail server.
Response: No
Score: A

1.8 Question: Has the Vendor ever been subjected to either an electronic or physical security breach? Please describe the event(s) and the steps taken to mitigate the breach(es). What damages or exposure resulted? Are records of breaches and issues maintained and will these records be available for inspection by the City?
Response: We have not experienced any breaches. To help prevent breaches we use a Juniper Security Firewall. In addition we use a Barracuda Web Application Firewall to further limit potential web payments breaches. In the unlikely event that a breach would occur, we would notify Palo Alto in accordance with the California privacy regulations.
Score: A

1.9 Question: Does the Vendor maintain formal security policies and procedures to comply with applicable statutory or industry practice requirements/standards? Are records maintained to demonstrate compliance or certification? Does the Vendor allow client audit of these records? Note: Please submit supporting documentation.
Response: Duncan maintains formal security policies and procedures that are consistent with the industry best practice standards. We do not participate in any security certification processes at this time. Since our solutions are multi-tenant, we do not permit a client audit of our security logs and records.
Score: B

2.0 Question: What are the internet and the browser security configurations for the cloud application? What security standards and requirements does the Vendor maintain to ensure application security at the user interface? (A set of detailed documentation should be provided to support the compliance).
Response: SSL and TLS are used in conjunction with Citrix’s secureICA traffic for Internet and Browser security. Microsoft Active Directory LDAP is used for user access authentication.
Score: B

2.0 APPLICATION/SOLUTION CONFIGURATION
# | Question | Response from The Vendor | Score | Additional Information/Clarification Required from The Vendor

2.1 Question: What is the name of the application(s) that the Vendor will be hosting in order to provide services to the City? (List all)
Response: AutoPROCESS and DocuPeak

2.2 Question: What functionality will be provided to the City’s employees or the City’s customers or other recipient of City services through the application?
Response: City will have the ability to process parking citations, adjudication matters, payments and parking related transactions and service requests. Customers will have the ability to pay a parking citation online.
Score: A

2.3 Question: Will the Vendor use a subcontractor and/or a third party service provider? (List all). If yes, then what data privacy and information security agreements are in place between the Vendor and any subcontractor/third party to ensure appropriate and accountable treatment of information? Note the City requires that the Vendor and each subcontractor and/or third party formally acknowledge that will comply with the City’s Information Privacy Policy and SaaS Security and Privacy Terms and Conditions
Response:
• Fulltech for notice printing and mailing services
• Lexis Nexis for Social Security Numbers and address updates.
• National Law Enforcement Telecommunications System (Nlets)
Non-disclosure agreements and/or contractual agreements
We communicate with Lexis Nexis via SSL to obtain the social security numbers. The Social security numbers are stored on the account records in the Oracle database which resides on encrypted disk. We follow the State of California secure communications protocols to transmit and receive data from the state FTB system SWIFT. We are working on our SSAE SOC 2-Type 2, but it will be some time before the audit is completed and published. I do not have an estimated date of completion. As soon as I do I will provide it to you. (this is the one we discussed on the phone)
Score: A

2.4 Question: What is the Vendor's application(s) hosting hardware and software platform? Provide a detailed description, including security patches or security applications in use. Example: Windows or Unix Operating System (OS) and other detail.
Response: Microsoft Windows 2012 DataCenter R2 on Dell Hosts patched with MS Security patches
Score: A

2.5 Question: How does the Vendor’s application and database architecture manage or promote segregation of the City's data (related to its function as a local government agency) from the data of individuals providing services to or receiving services from the City?
Response: Public only has access to the application via defined web sites with limited functionality for taking payments. Staff has access to the AutoPROCESS, which is controlled by security to the applications based on the level of access granted by authorized city personnel. City staff only have access to data belonging to the City of Palo Alto.
Score: B

2.6 Question: Describe the Vendor’s server and network infrastructure.
Please provide server and network infrastructure deployment topology, including data flow architecture, including but not limited to security management applications, firewalls, etc.
Response: Access to the Duncan Application is via highly available NetScaler gateway and Juniper firewall. Authentication into the network is via Microsoft’s Active Directory. Once authenticated, the user accesses the Citrix storefront server which then presents that available application to the user. The user selects the application and is directed to the Citrix farm of servers to launch AutoProcess. AutoProcess launches, the user then logs into it using a separate set of credentials configured for AutoProcess. AutoProcess uses an Oracle backend running on a High Available Oracle cluster servers.
Score: A

2.7 Question: Please provide a detailed proposed solution that will be developed as a part of the Vendor’s implementation to support this project. (For example detailed solution architecture, secured data flow to support business processes, etc.).
Response: Duncan will provide the necessary documentation for any new service offering the City of Palo Alto selects. The current services have been provided to the City of Palo Alto since 2007.
Score: A

3.0 DATA PROTECTION
# | Question | Response from the Vendor | Score | Additional Information/Clarification Required from the Vendor

3.1 Question: What will be the medium of data exchange between the City and Vendor?
Response: Flat files are transmitted via SFTP
Score: A

3.2 Question: How will the data be kept secure during the data exchange process? Example: (VPN, Data Link, Frame Relay, HTTP, HTTPS, FTP, FTPS, etc.)
Response: SFTP
Score: A

3.3 Question: How will the City’s data be kept physically and logically secure at the Vendor’s preferred storage location? Example: Locked storage, Digitally, Encrypted etc.
Response: Encrypted disk in locked cabinets in a Level II data center with physical security controls consisting of badge, pin number and finger print access requirements
Score: A

3.4 Question: What application level protections are in place to prevent the Vendor’s or a subcontractor/third party’s staff member from viewing unauthorized confidential information? For example, encryption, masking, etc.
Response: AutoProcess application incorporates role based security levels for all screens, functions, and reports
Score: A

3.5 Question: What controls does the Vendor exercise over the qualification and performance of its team? Of their subcontractor/third party’s team(s)? (For example, criminal background verification prior to employment, providing security training after employment and managing Role Based Access Control (RBAC) during employment and network and application access termination upon employment termination.
Response: Standard background, criminal history checks, previous employment verification and drug testing are performed on staff prior to employment. Subcontractor requirements vary by contract, which are dependent on the services and work being performed. We are also bound by requirements from the California Department of Justice, National Law Enforcement Telecommunications System, California Department of Motor Vehicles, Franchise Tax Board, etc. The ability to access, level of access, etc. is based on the appropriate job function and level of responsibility.
Score: A

4.0 DATA BACK-UP
# | Question | Response | Score | COPA’s Security Assessment

4.1 Question: What are the Vendor’s method(s) used to keep data secured during the data backup process?
Response: Locked in a Duncan managed offsite facility in a physically secured room
Score: A

4.2 Question: Is the Vendor’s encryption technology used to encrypt whole or selective data?
Response: Whole data
Score: A

4.3 Question: What types of storage media will the Vendor use for data backup purposes? For example, Tape, Hard Disk Drive or any other devices.
Response: Tape is used for standard data backup processes. In addition, encrypted client data stored in our AutoPROCESS application database is replicated via Oracle’s Data Guard product to the DR facility
Score: A

4.4 Question: Are the Vendor’s backup storage devices encrypted? If ‘yes,’ please provide encryption specification, with type of encryption algorithm and detail process of encryption handling. If ‘no,’ provide a detailed description (with processes, tools and technology) to keep data secured during the back-up process.
Response: Yes. Veritas Backup Exec is used. Backup Exec supports two security levels of encryption: 128-bit Advanced Encryption Standard (AES) and 256-bit Advanced Encryption Standard. A key is created and applied and the data is backed up.
Score: A

5.0 DATA RETENTION
# | Question | Response from the Vendor | Score | Additional Information/Clarification Required from the Vendor

5.1 Question: What is the Vendor’s standard data retention period of the backed up data? The data retention process shall comply with the City’s data 7 (seven) years data retention policy. Note: In the event that the Vendor cannot comply with this requirement then the City’s Project Manager shall approval from the City’s data retention schedule/policy owner.
Response: We will comply with the 7 year policy
Score: A

5.2 Question: Are the data backup storage media at the Vendor’s location or other third party location?
Response: Vendor’s location
Score: A

5.3 Question: If the Vendor’s backup storage devices are stored with another company, please provide: a. Company Name: b. Address: c.
Contact person detail (Phone and Email): d. What contractual commitments are in place to guarantee security compliance from these vendors
Response:
Main COLO
3235 Intertech Dr., Brookfield WI, 53045
Jim Washburn jwashburn@DuncanSolutions.com 414-847-3746
Only authorized Duncan System and Database Administrators have access to the secured enclosure where our equipment is housed at both the main data center and back up facility.
Score: A

5.5 Question: What is the media transfer process (I.e. The lock box process used to send tapes off-site)?
Response: The Palo Alto data is stored in an Oracle Database within encrypted disk in the data center and changes are replicated to the Disaster Recovery site via Oracle Data Guard. In addition, the database is backed up to tape. Only authorized Duncan personnel transfer the tapes from the primary data center to the offsite location
Score: A

5.6 Question: Who has access to the data storage media lockbox(es)? (Provide Name and Role)
Response: Only authorized Duncan System and Database Administrators
Score: A

5.7 Question: Who on the Vendor’s staff or subcontractor/third party’s staff is/are authorized to access backup data storage media? (Provide Name and Role)
Response: Only authorized Duncan System and Database Administrators
Score: A

5.8 Question: What is the backup data storage media receipt and release authorization process(es)? (Please submit a soft copy of the process)
Response: Data is stored within a secured location in a Duncan facility and only authorized Duncan personnel have access to the backup tapes.
Score: A

6.0 ACCOUNT PROVISIONING AND DE-PROVISIONING
(The Vendor must receive formal pre-authorization from the City’s Information Security Manager prior to provisioning and de-provisioning of application access account).
# | Question | Response from the Vendor | Score | Additional Information/Clarification Required from the Vendor

6.1 Question: What is the account provisioning/removal process? Example: how are users accounts created and managed?)
Response: A new user request is submitted by the City to our service request application. Upon receipt helpdesk staff processes the request for service and adds the account.
Score: A

6.2 Question: What is the account deprovisioning/removal process? Example: how are users accounts created and managed?)
Response: A user removal request is submitted by the City to our service request application. Upon receipt helpdesk staff processes the request for service and removes the account.
Score: A

6.3 Question: How will the City’s employees gain access to required application(s)?
Response: Through the City provided internet connection using Citrix
Score: A

6.4 Question: Does the application(s) have the capability to restrict access only from the City’s WAN (Wide Area Network)?
Response: Since we are multi-tenant, we cannot provide this restriction
Score: A

7.0 PASSWORD MANAGEMENT
# | Question | Response from the Vendor | Score | Additional Information/Clarification Required from the Vendor

7.1 Question: What will be the policy and/or procedures for the logging, authentication, authorization and password management scheme? (Please provide a soft copy of the process)
Response: Standard Active Directory access is used for logging, authentication and password management. Authorization user permissions are managed through the AutoPROCESS application
Score: A

7.2 Question: Where will the login and password credentials be stored?
Response: Active Directory
Score: A

7.3 Question: Are the password credentials stored with encryption?
If ‘yes,’ please provide encryption scheme detail.
Response: Passwords are secured with a Microsoft Active Directory one way hash
Score: A

7.4 Question: The Vendor’s application must comply with the following password requirements. Does the Vendor’s application meet these requirements?
1. First time password must be unique to an individual and require the user to change it upon initial login.
2. If the password is sent via plain text email to the City employee to mitigate security exposure.
3. The City requires first time password to have a time-out capability of no more than 7 days.
4. The e-mail notification must not be copied to anyone except the user.
5. The permanent/long term password must be changed frequently (at least TWICE a year)
Response:
Password Use Policy
User passwords are sensitive, confidential Duncan Solutions information and must not be shared with others. Passwords are the first line of protection against threats to network security, whether threats originate internally or externally.
Minimum Password Length
Wherever the system or application can accommodate, passwords must be a minimum of eight (8) characters in length. Administrative user account passwords must be a minimum of ten (10) characters in length.
Minimum Password Age
Password age refers to the time during which a password must be used before a new password can be selected. Where technically possible, the minimum password age at Duncan Solutions is one day.
Password Expiration and History Management Policy
• The Duncan Solutions standard expiration period is 60 days. No user account is set to non-expire.
• Passwords must not be repeated within 12 generations.
Password Lockout Policy
Score: A
7.4 Question (continued):
6. E-mail notification must be sent to the user whenever the password has been updated.
7.
User should not be able to view data or conduct business unless an initial password has been updated with a different password.
8. The Vendor shall inform the City’s users that, when a new password is created, the user shall not use the City’s LDAP (Lightweight Directory Access Control Protocol) password.
9. The password must have 8 or more alphanumeric (/) characters and it must contain at least one character from each of the bullets noted below (i.e. Each line shall contribute at least one character):
• abcdefghijklmnopqrstuvwxyz
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
7.4 Response (continued):
• Users are locked out of their account after three (3) failed logon attempts. Failed logon attempts are the result of attempting to logon using either a faulty logon ID (user name) or password.
• The lockout period remains in force for 30 minutes and the counter is reset after the 30-minute lockout interval.
Temporary Passwords
First-time Duncan Solutions computer users (or those requiring a password reset) are given a random temporary password that must be changed immediately after the first login.
Recommended Strong Password Complexity
Duncan Solutions recommends using the “strong password” complexity guidelines below. This helps ensure that all systems, intellectual property, and other sensitive data are afforded a proven level of protection. Strong passwords have the following complex characteristics:
• Do not contain personal information (such as the names of family members, pets, hobbies or personal interests, etc.);
• Contain both upper (AABBCC…) and lower (aabbcc…) case letters of the alphabet in any combination;
• Have at least three of the four: one integer (0-9), one special character (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./ ) upper and lower case letters of the alphabet;
• Are not whole words in any language (including slang, dialect, jargon, etc.).
7.4 Question (continued):
• 0123456789
• !@#$%^&*()-+=`~,></\"'?;:{[}]

--------------------------------------------------- End Of Document --------------------------------------------------