Common use of FTI Compliance Clause in Contracts

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section only, all words in this Section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent the location of Federal Tax Information (FTI) that is subject to the following provisions (e.g., the databases, servers, mainframes, etc.). DIR and Successful Respondent will amend this Section from time to time as needed to maintain currency with the then-current requirements of Pub 1075. (b) In performance of this contract, the Successful Respondent agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (i) All work will be done under the supervision of the Successful Respondent or the Successful Respondent’s employees. (ii) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iii) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (iv) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. 
(v) The Successful Respondent certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vi) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used. (vii) All computer systems receiving, processing, storing, or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viii) No work involving FTI furnished under this contract will be subcontracted without prior written approval of the IRS. (ix) The Successful Respondent will maintain a list of employees with authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. 
(x) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful Respondent’s responsibilities during a safeguard review and the support required to resolve identified findings. (xi) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (xii) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. 
Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) Additionally, it is incumbent upon Successful Respondent to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) The IRS, DIR, and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent is found to be noncompliant with Agreement safeguards.

Appears in 2 contracts

Samples: Master Services Agreement, Master Services Agreement

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section section only, all words in this Section section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s Service Provider's performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent Service Provider the location of Federal Tax Information (FTI) FTI that is subject to the following provisions (e.g., i.e. the databases, servers, mainframes, etc.). DIR and Successful Respondent Service Provider will amend this Section section from time to time as needed to maintain currency with the then- then-current requirements of Pub 1075. (b) . In performance of this contractAgreement, the Successful Respondent Service Provider agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (i1) All work will be done under the supervision of the Successful Respondent Service Provider or the Successful Respondent’s Service Provider's employees. (ii) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iii2) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contractAgreement. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contractAgreement. Disclosure to anyone other than an officer or employee of the contractor Service Provider will be prohibited. 
(iv3) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. (v4) The Successful Respondent Service Provider certifies that the data processed during the performance of this contract Agreement will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent Service Provider at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor Service Provider certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vi5) Any spoilage or any intermediate hard hard-copy printout that may result during the processing of IRS data will be given to the agency affected DIR Customer or his or her its designee. When this is not possible, the contractor Service Provider will be responsible for the destruction of the spoilage or any intermediate hard hard-copy printouts printouts, and will provide the agency affected DIR Customer or his or her its designee with a statement containing the date of destruction, description of material destroyed, and the method used. (vii6) All computer systems receiving, processing, storing, or transmitting FTI Federal tax information must meet the requirements defined in IRS Publication Pub 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viii7) No work involving FTI furnished under this contract Agreement will be subcontracted without prior written approval of the IRS. 
In the event additional Service Providers or Subcontractors are used, Service Provider shall identify responsibilities for coordination of the forty-five (45) day notification period for the use of additional Service Providers or Subcontractors with access to FTI. (ix) The Successful Respondent 8) Service Provider will maintain a list of employees with authorized access. Such list will be provided to the agency affected DIR Customer and, upon request, to the IRS reviewing office. All employees with access, including system administrators and programmers, must (1) receive disclosure awareness training prior to being granted access to FTI and annually thereafter and (2) sign a confidentiality statement. (x9) DIR will have the right to void the Agreement, whole or in part, if Service Provider fails to provide the safeguards described above. (10) Specific data breach incident reporting procedures must be established and the required disclosure awareness training must include review of these procedures. (11) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent Service Provider pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful RespondentService Provider’s responsibilities during a safeguard review and the support required to resolve identified findings. (xi) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (xii) . 
Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii) . Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. 
Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) . Additionally, it is incumbent upon Successful Respondent Service Provider to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) . Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. 
The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification certification, and at least annually afterwards, contractors should be advised of the provisions of IRC sections Sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent Service Provider should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) . The IRS, DIR, DIR and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent Service Provider for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent Service Provider is found to be noncompliant with Agreement safeguards.

Appears in 2 contracts

Samples: Master Services Agreement, Master Services Agreement

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section only, all words in this Section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s performance of the Services to the extent provided by Pub 1075. Affected DIR DCS Customer(s) shall be responsible for identifying to Successful Respondent the location of Federal Tax Information (FTI) that is subject to the following provisions (e.g., the databases, servers, mainframes, etc.). DIR and Successful Respondent will amend this Section from time to time as needed to maintain currency with the then- current requirements of Pub 1075. (b) In performance of this contract, the Successful Respondent agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (i) All work will be done under the supervision of the Successful Respondent or the Successful Respondent’s employees. (ii) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iii) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (iv) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. 
(v) The Successful successful Respondent certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent contract at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vi) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts and will provide the agency or his or her designee with a statement containing the date data of destruction, description of material destroyed, and the method used. (vii) All computer systems receiving, processing, storing, or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viii) No work involving involved FTI furnished under this contract will be subcontracted without prior written approval of the IRS. (ix) The Successful Respondent will maintain a list of employees with authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. 
(x) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful Respondent’s responsibilities during a safeguard review and the support required to resolve identified findings. (xi) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (xii) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. 
Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) Additionally, it is incumbent upon Successful Respondent to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR DCS Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR DCS Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) The IRS, DIR, and the affected DIR DCS Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent is found to be noncompliant with Agreement safeguards.

Appears in 2 contracts

Samples: Mainframe Services Master Services Agreement, Master Services Agreement

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section section only, all words in this Section section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent the location of Federal Tax Information (FTI) that is subject to the following provisions (e.g., the databases, servers, mainframes, etc.). DIR and Successful Respondent will amend this Section section from time to time as needed to maintain currency with the then- then-current requirements of Pub 1075. (b) . In performance of this contract, the Successful Respondent agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (ie) All work will be done under the supervision of the Successful Respondent or the Successful Respondent’s employees. (iif) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iiig) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (ivh) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. 
In addition, all related output will be given the same level of protection as required for the source material. (vi) The Successful Respondent certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vij) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used. (viik) All computer systems receiving, processing, storing, storing or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viiil) No work involving FTI furnished under this contract will be subcontracted without prior written approval of the IRS. (ixm) The Successful Respondent will maintain a list of employees with authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. 
(n) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful Respondent’s responsibilities during a safeguard review and the support required to resolve identified findings. (o) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (p) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (q) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement.
Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (r) Additionally, it is incumbent upon Successful Respondent to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (s) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC Sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (t) The IRS, DIR, and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent is found to be noncompliant with Agreement safeguards.

Appears in 2 contracts

Samples: Master Services Agreement, Master Services Agreement

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this section only, all words in this section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Service Provider's performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Service Provider the location of FTI that is subject to the following provisions (i.e. the databases, servers, mainframes, etc.). DIR and Service Provider will amend this section from time to time as needed to maintain currency with the then-current requirements of Pub 1075. (b) In performance of this Agreement, the Service Provider agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (1) All work will be done under the supervision of the Service Provider or the Service Provider's employees. (2) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Agreement. Disclosure to anyone other than an officer or employee of the Service Provider will be prohibited.
(3) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. (4) The Service Provider certifies that the data processed during the performance of this Agreement will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Service Provider at the time the work is completed. If immediate purging of all data storage components is not possible, the Service Provider certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (5) Any spoilage or any intermediate hard-copy printout that may result during the processing of IRS data will be given to the affected Customer or its designee. When this is not possible, the Service Provider will be responsible for the destruction of the spoilage or any intermediate hard-copy printouts, and will provide the affected Customer or its designee with a statement containing the date of destruction, description of material destroyed, and the method used. (6) All computer systems receiving, processing, storing, or transmitting Federal tax information must meet the requirements defined in IRS Pub 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (7) No work involving FTI furnished under this Agreement will be subcontracted without prior written approval of the IRS.
In the event additional Service Providers or Subcontractors are used, Service Provider shall identify responsibilities for coordination of the forty-five (45) day notification period for the use of additional Service Providers or Subcontractors with access to FTI. (8) Service Provider will maintain a list of employees with authorized access. Such list will be provided to the affected Customer and, upon request, to the IRS reviewing office. All employees with access, including system administrators and programmers, must (1) receive disclosure awareness training prior to being granted access to FTI and annually thereafter and (2) sign a confidentiality statement. (9) DIR will have the right to void the Agreement, whole or in part, if Service Provider fails to provide the safeguards described above. (10) Specific data breach incident reporting procedures must be established and the required disclosure awareness training must include review of these procedures. (11) In addition to including the above provisions into the Services Management Manual to be drafted by the Service Provider pursuant to the Agreement, the Services Management Manual should also include details concerning the Service Provider’s responsibilities during a safeguard review and the support required to resolve identified findings. (xii)
Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution.
Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) Additionally, it is incumbent upon Service Provider to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification.
The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification, and at least annually afterwards, contractors should be advised of the provisions of IRC Sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Service Provider should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) The IRS, DIR and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Service Provider for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Service Provider is found to be noncompliant with Agreement safeguards.

Appears in 1 contract

Samples: Master Services Agreement

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this section only, all words in this section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Service Provider's performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Service Provider the location of FTI that is subject to the following provisions (i.e. the databases, servers, mainframes, etc.). DIR and Service Provider will amend this section from time to time as needed to maintain currency with the then-current requirements of Pub 1075. (b) In performance of this Agreement, the Service Provider agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (1) All work will be done under the supervision of the Service Provider or the Service Provider's employees. (2) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Agreement. Disclosure to anyone other than an officer or employee of the Service Provider will be prohibited.
(3) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. (4) The Service Provider certifies that the data processed during the performance of this Agreement will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Service Provider at the time the work is completed. If immediate purging of all data storage components is not possible, the Service Provider certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (5) Any spoilage or any intermediate hard-copy printout that may result during the processing of IRS data will be given to the affected DIR Customer or its designee. When this is not possible, the Service Provider will be responsible for the destruction of the spoilage or any intermediate hard-copy printouts, and will provide the affected DIR Customer or its designee with a statement containing the date of destruction, description of material destroyed, and the method used. (6) All computer systems receiving, processing, storing, or transmitting Federal tax information must meet the requirements defined in IRS Pub 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (7) No work involving FTI furnished under this Agreement will be subcontracted without prior written approval of the IRS.
(8) Service Provider will maintain a list of employees with authorized access. Such list will be provided to the affected DIR Customer and, upon request, to the IRS reviewing office. (9) DIR will have the right to void the Agreement, in whole or in part, if Service Provider fails to provide the safeguards described above. (xii) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii)
Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) Additionally, it is incumbent upon Service Provider to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) . Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC sections Sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent Service Provider should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) . The IRS, DIR, DIR and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent Service Provider for inspection of the facilities and operations provided for the performance of any work under this Agreement. 
On the basis of such inspection, specific measures may be required in cases where Successful Respondent Service Provider is found to be noncompliant with Agreement safeguards.

Appears in 1 contract

Samples: Master Services Agreement

FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section only, all words in this Section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent the location of Federal Tax Information (FTI) that is subject to the following provisions (e.g., the databases, servers, mainframes, etc.). DIR and Successful Respondent will amend this Section from time to time as needed to maintain currency with the then- current requirements of Pub 1075. (b) In performance of this contract, the Successful Respondent agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (i) All work will be done under the supervision of the Successful Respondent or the Successful Respondent’s employees. (ii) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iii) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (iv) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. 
(v) The Successful Respondent certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vi) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data date will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts and will provide the agency or his or her designee with a statement containing the date data of destruction, description of material destroyed, and the method used. (vii) All computer systems receiving, processing, storing, or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viii) No work involving FTI furnished under this contract will be subcontracted without prior written approval of the IRS. (ix) The Successful Respondent will maintain a list of employees with authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. 
(x) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful Respondent’s responsibilities during a safeguard review and the support required to resolve identified findings. (xi) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (xii) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. 
Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) Additionally, it is incumbent upon Successful Respondent to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) The IRS, DIR, and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent is found to be noncompliant with Agreement safeguards.


FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section section only, all words in this Section section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent the location of Federal Tax Information (FTI) that is subject to the following provisions (e.g., the databases, servers, mainframes, etc.). DIR and Successful Respondent will amend this Section section from time to time as needed to maintain currency with the then- then-current requirements of Pub 1075. (b) . In performance of this contract, the Successful Respondent agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (ia) All work will be done under the supervision of the Successful Respondent or the Successful Respondent’s employees. (iib) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iiic) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (ivd) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. 
In addition, all related output will be given the same level of protection as required for the source material. (ve) The Successful Respondent certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vif) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used. (viig) All computer systems receiving, processing, storing, storing or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viiih) No work involving FTI furnished under this contract will be subcontracted without prior written approval of the IRS. (ixi) The Successful Respondent will maintain a list of employees with authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. 
(xj) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful Respondent’s responsibilities during a safeguard review and the support required to resolve identified findings. (xik) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (xiil) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiiim) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. 
Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xivn) Additionally, it is incumbent upon Successful Respondent to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xvo) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC sections Sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvip) The IRS, DIR, and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent is found to be noncompliant with Agreement safeguards.


FTI Compliance. (a) The following provisions are included in accordance with, solely to the extent required by, as applicable IRS Publication 1075 ("Pub 1075"). For purposes of this Section only, all words in this Section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent the location of Federal Tax Information (FTI) that is subject to the following provisions (e.g., the databases, servers, mainframes, etc.). DIR and Successful Respondent will amend this Section from time to time as needed to maintain currency with the then-current requirements of Pub 1075. (b) In performance of this contract, the Successful Respondent agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (i) All work will be done under the supervision of the Successful Respondent or the Successful Respondent’s employees. (ii) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iii) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (iv) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. 
In addition, all related output will be given the same level of protection as required for the source material. (v) The Successful Respondent certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vi) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used. (vii) All computer systems receiving, processing, storing, or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viii) No work involving FTI furnished under this contract will be subcontracted without prior written approval of the IRS. (ix) The Successful Respondent will maintain a list of employees with authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office. 
(x) In addition to including the above provisions into the Services Management Manual to be drafted by the Successful Respondent pursuant to the Agreement, the Services Management Manual should also include details concerning the Successful Respondent’s responsibilities during a safeguard review and the support required to resolve identified findings. (xi) DIR will have the right to void the Agreement, in whole or in part, if Successful Respondent fails to provide the safeguards described above. (xii) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (xiii) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. 
Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (xiv) Additionally, it is incumbent upon Successful Respondent to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (xv) Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Successful Respondent should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. (xvi) The IRS, DIR, and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Successful Respondent for inspection of the facilities and operations provided for the performance of any work under this Agreement. On the basis of such inspection, specific measures may be required in cases where Successful Respondent is found to be noncompliant with Agreement safeguards.


FTI Compliance. (a) The following provisions are included in accordance with IRS Publication 1075 ("Pub 1075"). For purposes of this Section section only, all words in this Section section shall have the meaning provided in Pub 1075, notwithstanding any other definition that may be provided elsewhere in this Agreement. The following terms and conditions shall apply to Successful Respondent’s Service Provider's performance of the Services to the extent provided by Pub 1075. Affected DIR Customer(s) shall be responsible for identifying to Successful Respondent Service Provider the location of Federal Tax Information (FTI) FTI that is subject to the following provisions (e.g., i.e. the databases, servers, mainframes, etc.). DIR and Successful Respondent Service Provider will amend this Section section from time to time as needed to maintain currency with the then- then-current requirements of Pub 1075. (b) . In performance of this contractAgreement, the Successful Respondent Service Provider agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (i1) All work will be done under the supervision of the Successful Respondent Service Provider or the Successful Respondent’s Service Provider's employees. (ii) The Successful Respondent and the Successful Respondent’s employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075. (iii2) Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contractAgreement. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contractAgreement. Disclosure to anyone other than an officer or employee of the contractor Service Provider will be prohibited. 
(iv3) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. (v4) The Successful Respondent Service Provider certifies that the data processed during the performance of this contract Agreement will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Successful Respondent Service Provider at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor Service Provider certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (vi5) Any spoilage or any intermediate hard hard-copy printout that may result during the processing of IRS data will be given to the agency affected DIR Customer or his or her its designee. When this is not possible, the contractor Service Provider will be responsible for the destruction of the spoilage or any intermediate hard hard-copy printouts printouts, and will provide the agency affected DIR Customer or his or her its designee with a statement containing the date of destruction, description of material destroyed, and the method used. (vii6) All computer systems receiving, processing, storing, or transmitting FTI Federal tax information must meet the requirements defined in IRS Publication Pub 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI. (viii7) No work involving FTI furnished under this contract Agreement will be subcontracted without prior written approval of the IRS. 
(8) Service Provider will maintain a list of employees with authorized access. Such list will be provided to the affected DIR Customer and, upon request, to the IRS reviewing office. (9) DIR will have the right to void the Agreement, in whole or in part, if Service Provider fails to provide the safeguards described above. Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five (5) years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.
Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Agreement. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Agreement. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as one (1) year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee United States for Federal employees in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. Additionally, it is incumbent upon Service Provider to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. Granting a contractor access to FTI must be preceded by certifying that each individual understands the affected DIR Customer's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the affected DIR Customer's files for review. As part of the certification and at least annually afterwards, contractors should be advised of the provisions of IRC Sections 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. For both the initial certification and the annual certification, Service Provider should sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. The IRS, DIR and the affected DIR Customer shall have the right to send its officers and employees into the offices and plants of Service Provider for inspection of the facilities and operations provided for the performance of any work under this Agreement.
On the basis of such inspection, specific measures may be required in cases where Service Provider is found to be noncompliant with Agreement safeguards.

Appears in 1 contract

Samples: Master Services Agreement

