Common use of Data Security and Integrity Clause in Contracts

Data Security and Integrity. All facilities, whether Vendor hosted or Third-Party Hosted, used to store and process City Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service(s) availability and to secure City Data from unauthorized access, destruction, use, modification, or disclosure appropriate for City Data. Such measures, when applicable due to the presence of Protected Information, include, but are not limited to, all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Children’s Online Privacy Protection Act (COPPA), (vi) the Family Education Rights and Privacy Act (FERPA), (vii) §▇▇-▇▇-▇▇▇ et seq., (viii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (ix) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. Vendor shall submit to ▇▇▇▇▇▇▇▇, within fifteen (15) Calendar Days of ▇▇▇▇▇▇▇▇’▇ written request, copies of Vendor’s policies and procedures to maintain the confidentiality of protected health information to which Vendor has access, and if applicable, Vendor shall comply with all HIPAA requirements contained herein or attached as an exhibit. 
Vendor warrants that all City Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard. Vendor shall use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to, anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement. Vendor shall ensure that any underlying or integrated software employed by the Service(s) is updated on a regular basis and does not pose a threat to the security of the Service(s). Vendor shall, and shall cause its Subcontractors, to do all of the following: Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement. Maintain network, system(s), and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or Enhancements consistent with evolving industry standards. Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing. Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments. Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity. Comply with all rules, policies, procedures, and standards that are issued by ▇▇▇▇▇▇▇▇’▇ Technology Services Security Section. 
Subject to Vendor’s reasonable access security requirements and upon reasonable prior notice, Vendor shall provide ▇▇▇▇▇▇▇▇ with scheduled access for the purpose of inspecting and monitoring access and use of City Data, maintaining City systems, and evaluating physical and logical security control effectiveness. Vendor shall perform current background checks in a form reasonably acceptable to ▇▇▇▇▇▇▇▇ on all of its respective employees and agents performing services or having access to City Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within thirty (30) Calendar Days prior to the date such employee or agent begins performance or obtains access to City Data shall be deemed to be current. Vendor will provide notice to the security and compliance representative for ▇▇▇▇▇▇▇▇ indicating that background checks have been performed. Such notice will inform ▇▇▇▇▇▇▇▇ of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check. If Vendor will have access to Tax Information under the Agreement, Vendor shall comply with the background check requirements defined in IRS Publication 1075 and § 24-50-1002, C.R.S. If applicable, Vendor shall use, hold, and maintain Confidential and Protected Information in compliance with all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information. 
Prior to the Effective Date of this Agreement, Vendor will, at its expense, conduct or will have conducted the following, and thereafter, Vendor will, at its expense, conduct or will have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident: A SSAE 16/SOC 2 or other mutually agreed upon audit of Vendor’s security policies, procedures and controls; A quarterly external and internal vulnerability scan of Vendor’s Systems and facilities, to include public facing websites that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high; A formal penetration test, performed by a process and qualified personnel of Vendor’s Systems and facilities that are used in any way to deliver Services under this Agreement. Vendor will provide ▇▇▇▇▇▇▇▇ the reports or other Documentation resulting from the above audits, certifications, scans and tests within seven (7) Calendar Days of Vendor’s receipt of such results, if requested by ▇▇▇▇▇▇▇▇. Based on the results and recommendations of the above audits, certifications, scans and tests, Vendor will, within thirty (30) Calendar Days of receipt of such results, promptly modify its security measures to meet its obligations under this Agreement and provide ▇▇▇▇▇▇▇▇ with written evidence of remediation. ▇▇▇▇▇▇▇▇ may require, at its expense, that Vendor perform additional audits and tests, the results of which will be provided to ▇▇▇▇▇▇▇▇ within seven (7) Calendar Days of Vendor’s receipt of such results. Vendor shall protect data against deterioration or degradation of data quality and authenticity, including, but not limited to annual Third Party data integrity audits. Vendor will provide ▇▇▇▇▇▇▇▇ the results of the above audits, if requested by ▇▇▇▇▇▇▇▇. 
Except as otherwise expressly prohibited by law, Vendor will: If required by a court of competent jurisdiction or an administrative body to disclose City Data, Vendor will notify ▇▇▇▇▇▇▇▇ in writing immediately upon receiving notice of such requirement and prior to any such disclosure; Consult with ▇▇▇▇▇▇▇▇ regarding its response; Cooperate with ▇▇▇▇▇▇▇▇’▇ reasonable requests in connection with efforts by City to intervene and quash or modify the legal order, demand or request; and Upon request, provide ▇▇▇▇▇▇▇▇ with a copy of its response. If ▇▇▇▇▇▇▇▇ receives a subpoena, warrant, or other legal order, demand or request seeking data maintained by Vendor, ▇▇▇▇▇▇▇▇ will promptly provide a copy to Vendor. Vendor will supply ▇▇▇▇▇▇▇▇ with copies of data required for ▇▇▇▇▇▇▇▇ to respond within forty-eight (48) hours after receipt of copy from ▇▇▇▇▇▇▇▇ and will cooperate with ▇▇▇▇▇▇▇▇’▇ reasonable requests in connection with its response.

Appears in 6 contracts

Sources: Technology Master Service Agreement, Technology Master Service Agreement, Technology Master Service Agreement

Data Security and Integrity.
1. All facilities, whether Vendor hosted or Third-Party Hosted, used to store and process City Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service(s) availability and to secure City Data from unauthorized access, destruction, use, modification, or disclosure appropriate for City Data. Such measures, when applicable due to the presence of Protected Information, include, but are not limited to, all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Children’s Online Privacy Protection Act (COPPA), (vi) the Family Education Rights and Privacy Act (FERPA), (vii) §▇▇-▇▇-▇▇▇ et seq., (viii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (ix) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. Vendor shall submit to ▇▇▇▇▇▇▇▇, within fifteen (15) Calendar Days of ▇▇▇▇▇▇▇▇’▇ written request, copies of Vendor’s policies and procedures to maintain the confidentiality of protected health information to which Vendor has access, and if applicable, Vendor shall comply with all HIPAA requirements contained herein or attached as an exhibit.
2. Vendor warrants that all City Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard.
3. Vendor shall use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to, anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement. Vendor shall ensure that any underlying or integrated software employed by the Service(s) is updated on a regular basis and does not pose a threat to the security of the Service(s).
4. Vendor shall, and shall cause its Subcontractors, to do all of the following:
a. Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement.
b. Maintain network, system(s), and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or Enhancements consistent with evolving industry standards.
c. Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing.
d. Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments.
e. Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity.
f. Comply with all rules, policies, procedures, and standards that are issued by ▇▇▇▇▇▇▇▇’▇ Technology Services Security Section.
g. Subject to Vendor’s reasonable access security requirements and upon reasonable prior notice, Vendor shall provide ▇▇▇▇▇▇▇▇ with scheduled access for the purpose of inspecting and monitoring access and use of City Data, maintaining City systems, and evaluating physical and logical security control effectiveness.
h. Vendor shall perform current background checks in a form reasonably acceptable to ▇▇▇▇▇▇▇▇ on all of its respective employees and agents performing services or having access to City Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within thirty (30) Calendar Days prior to the date such employee or agent begins performance or obtains access to City Data shall be deemed to be current.
i. Vendor will provide notice to the security and compliance representative for ▇▇▇▇▇▇▇▇ indicating that background checks have been performed. Such notice will inform ▇▇▇▇▇▇▇▇ of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check.
j. If Vendor will have access to Tax Information under the Agreement, Vendor shall comply with the background check requirements defined in IRS Publication 1075 and § 24-50-1002, C.R.S. If applicable, Vendor shall use, hold, and maintain Confidential and Protected Information in compliance with all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information.
Prior to the Effective Date of this Agreement, Vendor will, at its expense, conduct or will have conducted the following, and thereafter, Vendor will, at its expense, conduct or will have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident: A SSAE 16/SOC 2 or other mutually agreed upon audit of Vendor’s security policies, procedures and controls; A quarterly external and internal vulnerability scan of Vendor’s Systems and facilities, to include public facing websites that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high; A formal penetration test, performed by a process and qualified personnel of Vendor’s Systems and facilities that are used in any way to deliver Services under this Agreement. Vendor will provide ▇▇▇▇▇▇▇▇ the reports or other Documentation resulting from the above audits, certifications, scans and tests within seven (7) Calendar Days of Vendor’s receipt of such results, if requested by ▇▇▇▇▇▇▇▇. Based on the results and recommendations of the above audits, certifications, scans and tests, Vendor will, within thirty (30) Calendar Days of receipt of such results, promptly modify its security measures to meet its obligations under this Agreement and provide ▇▇▇▇▇▇▇▇ with written evidence of remediation. ▇▇▇▇▇▇▇▇ may require, at its expense, that Vendor perform additional audits and tests, the results of which will be provided to ▇▇▇▇▇▇▇▇ within seven (7) Calendar Days of Vendor’s receipt of such results. Vendor shall protect data against deterioration or degradation of data quality and authenticity, including, but not limited to annual Third Party data integrity audits. Vendor will provide ▇▇▇▇▇▇▇▇ the results of the above audits, if requested by ▇▇▇▇▇▇▇▇.
Except as otherwise expressly prohibited by law, Vendor will: If required by a court of competent jurisdiction or an administrative body to disclose City Data, Vendor will notify ▇▇▇▇▇▇▇▇ in writing immediately upon receiving notice of such requirement and prior to any such disclosure; Consult with ▇▇▇▇▇▇▇▇ regarding its response; Cooperate with ▇▇▇▇▇▇▇▇’▇ reasonable requests in connection with efforts by City to intervene and quash or modify the legal order, demand or request; and Upon request, provide ▇▇▇▇▇▇▇▇ with a copy of its response. If ▇▇▇▇▇▇▇▇ receives a subpoena, warrant, or other legal order, demand or request seeking data maintained by Vendor, ▇▇▇▇▇▇▇▇ will promptly provide a copy to Vendor. Vendor will supply ▇▇▇▇▇▇▇▇ with copies of data required for ▇▇▇▇▇▇▇▇ to respond within forty-eight (48) hours after receipt of copy from ▇▇▇▇▇▇▇▇ and will cooperate with ▇▇▇▇▇▇▇▇’▇ reasonable requests in connection with its response.

Appears in 2 contracts

Sources: Technology Master Service Agreement, Technology Master Service Agreement

Data Security and Integrity.
8.1 All facilities, whether Contractor hosted or Third Party Hosted, used to store and process City Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service availability and to secure City Data from unauthorized access, destruction, use, modification, or disclosure appropriate for the City Data. Such measures include, but are not limited to all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Family Education Rights and Privacy Act (FERPA), (vi) §▇▇-▇▇-▇▇▇ et seq., (vii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (viii) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. The Contractor shall submit to the Manager, within fifteen (15) days of the Manager’s written request, copies of the Contractor’s policies and procedures to maintain the confidentiality of protected health information to which the Contractor has access, and if applicable, Contractor shall comply with all HIPAA requirements contained herein.
8.2 Contractor warrants that all City Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard. The City may allow exceptions to encryption, however any limitations to this provision will be by written agreement between the Parties.
8.3 Contractor shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement.
8.4 Contractor shall, and shall cause its Subcontractors, to do all of the following:
8.4.1 Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement.
8.4.2 Maintain network, system, and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or enhancements consistent with evolving industry standards.
8.4.3 Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing.
8.4.4 Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments.
8.4.5 Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity.
8.4.6 Comply with all rules, policies, procedures, and standards that are issued by the City’s Technology Services Security Section.
8.4.7 Subject to Contractor’s reasonable access security requirements and upon reasonable prior notice, Contractor shall provide the City with scheduled access for the purpose of inspecting and monitoring access and use of City Data, maintaining City systems, and evaluating physical and logical security control effectiveness.
8.4.8 Contractor shall perform current background checks in a form reasonably acceptable to the City on all of its respective employees and agents performing services or having access to City Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within 30 days prior to the date such employee or agent begins performance or obtains access to City Data shall be deemed to be current.
8.4.9 Contractor will provide notice to the Project Manager for the City indicating that background checks have been performed. Such notice will inform the City of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check.
8.4.10 If Contractor will have access to Federal Tax Information under the Agreement, Contractor shall comply with the background check requirements defined in IRS Publication 1075 and §24-50-1002, C.R.S.
8.5 Contractor shall use, hold, and maintain Confidential and Protected Information in compliance with any and all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information.
8.6 Prior to the Effective Date of this Agreement, Contractor will at its expense conduct or will have conducted the following, and thereafter, Contractor will at its expense conduct or will have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident:
8.6.1 A SSAE 16/SOC 2 or other mutually agreed upon audit of Contractor’s security policies, procedures and controls;
8.6.2 A quarterly external and internal vulnerability scan of Contractor’s systems and facilities, to include public facing websites, that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high;
8.6.3 A formal penetration test, performed by a process and qualified personnel of Contractor’s systems and facilities that are used in any way to deliver Services under this Agreement.
8.7 Contractor will provide City the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of Contractor’s receipt of such results.
8.8 Based on the results and recommendations of the above audits, certifications, scans and tests, Contractor will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement and provide City with written evidence of remediation.
8.9 City may require, at its expense, that Contractor perform additional audits and tests, the results of which will be provided to City within seven (7) business days of Contractor’s receipt of such results.
8.10 Contractor shall protect data against deterioration or degradation of data quality and authenticity, including, but not limited to annual Third-Party data integrity audits. Contractor will provide City the results of the above audits.

Appears in 1 contract

Sources: Master Software Services Agreement

Data Security and Integrity. All facilities, whether Vendor hosted or Third-Party Hosted, used to store and process City Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service(s) availability and to secure City Data from unauthorized access, destruction, use, modification, or disclosure appropriate for City Data. Such measures, when applicable due to the presence of Protected Information, include, but are not limited to, all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Children’s Online Privacy Protection Act (COPPA), (vi) the Family Education Rights and Privacy Act (FERPA), (vii) §▇▇-▇▇-▇▇▇ et seq., (viii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (ix) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. Vendor shall submit to ▇▇▇▇▇▇▇▇, within fifteen (15) Calendar Days of ▇▇▇▇▇▇▇▇’▇ written request, copies of Vendor’s policies and procedures to maintain the confidentiality of protected health information to which Vendor has access, and if applicable, Vendor shall comply with all HIPAA requirements contained herein or attached as an exhibit. 
Vendor warrants that all City Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard. Vendor shall use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to, anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement. Vendor shall ensure that any underlying or integrated software employed by the Service(s) is updated on a regular basis and does not pose a threat to the security of the Service(s). Vendor shall, and shall cause its Subcontractors, to do all of the following: Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement. Maintain network, system(s), and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or Enhancements consistent with evolving industry standards. Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing. Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments. Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity. Comply with all rules, policies, procedures, and standards that are issued by ▇▇▇▇▇▇▇▇’▇ Technology Services Security Section. 
Subject to Vendor’s reasonable access security requirements and upon reasonable prior notice, Vendor shall provide ▇▇▇▇▇▇▇▇ with scheduled access for the purpose of inspecting and monitoring access and use of City Data, maintaining City systems, and evaluating physical and logical security control effectiveness. Vendor shall perform current background checks in a form reasonably acceptable to ▇▇▇▇▇▇▇▇ on all of its respective employees and agents performing services or having access to City Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within thirty (30) Calendar Days prior to the date such employee or agent begins performance or obtains access to City Data shall be deemed to be current. Vendor will provide notice to the security and compliance representative for ▇▇▇▇▇▇▇▇ indicating that background checks have been performed. Such notice will inform ▇▇▇▇▇▇▇▇ of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check. If Vendor will have access to Tax Information under the Agreement, Vendor shall comply with the background check requirements defined in IRS Publication 1075 and § 24-50-1002, C.R.S. If applicable, Vendor shall use, hold, and maintain Confidential and Protected Information in compliance with all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information. 
Prior to the Effective Date of this Agreement, Vendor will, at its expense, conduct or will have conducted the following, and thereafter, Vendor will, at its expense, conduct or will have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident: A SSAE 16/SOC 2 or other mutually agreed upon audit of Vendor’s security policies, procedures and controls; A quarterly external and internal vulnerability scan of Vendor’s Systems and facilities, to include public facing websites that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high; A formal penetration test, performed by a process and qualified personnel of Vendor’s Systems and facilities that are used in any way to deliver Services under this Agreement. Vendor will provide ▇▇▇▇▇▇▇▇ the reports or other Documentation resulting from the above audits, certifications, scans and tests within seven (7) Calendar Days of Vendor’s receipt of such results, if requested by ▇▇▇▇▇▇▇▇. Based on the results and recommendations of the above audits, certifications, scans and tests, Vendor will, within thirty (30) Calendar Days of receipt of such results, promptly modify its security measures to meet its obligations under this Agreement and provide ▇▇▇▇▇▇▇▇ with written evidence of remediation. ▇▇▇▇▇▇▇▇ may require, at its expense, that Vendor perform additional audits and tests, the results of which will be provided to ▇▇▇▇▇▇▇▇ within seven (7) Calendar Days of Vendor’s receipt of such results. Vendor shall protect data against deterioration or degradation of data quality and authenticity, including, but not limited to annual Third Party data integrity audits. Vendor will provide ▇▇▇▇▇▇▇▇ the results of the above audits, if requested by ▇▇▇▇▇▇▇▇. 
Except as otherwise expressly prohibited by law, Vendor will: If required by a court of competent jurisdiction or an administrative body to disclose City Data, Vendor will notify ▇▇▇▇▇▇▇▇ in writing immediately upon receiving notice of such requirement and prior to any such disclosure; Consult with ▇▇▇▇▇▇▇▇ regarding its response; Cooperate with ▇▇▇▇▇▇▇▇’▇ reasonable requests in connection with efforts by City to intervene and quash or modify the legal order, demand or request; and Upon request, provide ▇▇▇▇▇▇▇▇ with a copy of its response. If ▇▇▇▇▇▇▇▇ receives a subpoena, warrant, or other legal order, demand or request seeking data maintained by Vendor, ▇▇▇▇▇▇▇▇ will promptly provide a copy to Vendor. Vendor will supply ▇▇▇▇▇▇▇▇ with copies of data required for ▇▇▇▇▇▇▇▇ to respond within forty-eight (48) hours after receipt of copy from ▇▇▇▇▇▇▇▇ and will cooperate with ▇▇▇▇▇▇▇▇’▇ reasonable requests in connection with its response.

Appears in 1 contract

Sources: Technology Master Service Agreement