Page 1 of 41
GEORGIA HOUSING AND FINANCE AUTHORITY
60 Executive Park South, NE
Atlanta, GA 30329
REQUEST FOR QUOTES ("RFQ")
Issued October 4, 2022
CONSTRUCTION INSPECTION AND ANALYSIS SERVICES
Responses must be submitted no later than 4:00 p.m. Eastern Standard Time,
November 4, 2022.
I. Statement of Purpose
The Georgia Housing and Finance Authority (the "Authority" or "GHFA") is seeking
qualified Consultants to submit quotes for construction inspection and analysis services
for projects located in the state of Georgia for compliance with required application
criteria, local building codes, and applicable federal and state accessibility laws and
regulations, including standards and practices for project monitoring and review. The
programs of GHFA are administered by the Georgia Department of Community Affairs
(“DCA”), a legislatively created executive branch of State government.
II. Overview of DCA Financing Programs
GHFA’s Multifamily Housing Program (“Program”) administers several financing
programs designed to increase available affordable multifamily housing statewide.
The DCA HOME Partnership Program provides low-interest
construction/permanent loans to third parties for rehabilitation or new construction
of affordable multifamily rental housing developments for families and seniors.
These loans are often combined with an allocation of Georgia Federal and State
Low Income Housing Tax Credits (“LIHTCs”).
The federal low-income housing tax credit program which includes the allocation
of 9% credits as well as the issuance of Letters of Determination for tax-exempt
properties seeking a 4% credit allocation.
The Georgia National Housing Trust Program (NHTF) provides low-interest
construction/permanent loans to third parties for rehabilitation or new construction
of affordable multifamily rental housing developments for families and seniors.
These loans may be combined with an allocation of Federal and State LIHTCs.
The DCA Tax Credit Assistance Program (TCAP) provides low-interest acquisition
loans for Affordable Housing Properties. These loans may be combined with an
allocation of Federal and State LIHTCs.
Page 2 of 41
III. Schedule of Events
The schedule of events* for this RFQ is as follows:
Advertise RFQ
October 4, 2022
Responses Due (receipt by GHFA)
November 4, 2022 (by 4:00 PM EST)
Selected for Oral Presentations, Oral
Presentations, and Confirmation of
Scope of Services (if the Authority
deems necessary)
November 18, 2022 – December 2, 2022
Announcement of Selected
Consultants
No later than December 16, 2022
* Dates are approximate and may change as needed.
IV. Response Submittal Instructions
A. The Response should be prepared in a straightforward and concise manner,
detailing the Consultant’s capabilities to satisfy the requirements of this RFQ.
B. All Responses shall be submitted electronically to:
[email protected]nmicrosoft.com. Proposals submitted at or after 4:01 p.m. EST
on November 4, 2022, will not be considered.
C. All Responses must include a transmittal letter on the Consultant’s stationery,
signed by an individual who is authorized to bind the company to all statements in
the Response and the services and requirements as stated in the RFQ. If any
addendum or amendments have been issued to this RFQ, the Consultant shall
acknowledge same in this section. On the transmittal letter, please indicate who
will be the contact person at the firm with whom the Authority will communicate all
information regarding this RFQ. Please include the phone and facsimile numbers
and e-mail addresses for this individual. The transmittal letter should clearly state
that the Quote is in response to the Construction Inspection and Analysis Services
RFQ.
D. Responses must not exceed ten (10) pages, excluding the cover letter, certification
statement and attachments/exhibits. Additional pages or extra material will not be
reviewed.
E. If there are any questions related to this RFQ, please send them via email to
[email protected]nmicrosoft.com. All questions are due by October 21, 2022 by
4:00 p.m. EST. Phone calls will not be accepted.
F. All questions and answers will be posted on DCA’s web page at:
Page 3 of 41
https://www.dca.ga.gov/safe-affordable-housing/rental-housing-
development/housing-tax-credit-program-lihtc/other-requests
Only written responses or statements posted on the website shall be binding. No
other means of communication, whether oral or written, shall be construed as an
official response or statement of GHFA.
G. Responses will be evaluated based upon the responses to the specific items
outlined in the “Response Content Requirements.” Although the Authority reserves
the right to contact respondents and ask them for required information omitted from
the Response, any Response that omits requested information or exceeds
requested parameters may be rejected as non-responsive.
V. Minimum Qualifications
The following qualifications must be met to be considered for contract award:
A. The Consultant shall have at least three (3) years of experience, including recent
experience within the last three (3) years, providing construction inspection and
analysis services for multifamily rental housing properties; and
B. Any key personnel assigned to the Contract shall have a minimum of three (3)
years of recent experience providing construction inspection and analysis services
for multifamily rental housing properties.
VI. Scope of Services Under this RFQ
If selected, the Consultant will be required to provide construction inspection and analysis
services for Federally Funded , 9% LIHTC, and Bond/4% LIHTC projects of varying sizes
located across the State. Consultants may submit responses and pricing for any number
of the following services and regions (Note: each service has a separate Scope of Work
as shown on the attached Exhibits).
A. Exhibit A: 4%/ 9% LIHTC funded projectsconstruction inspections
B. Exhibit B: Federally Funded projects’ construction draw request review
inspections to be performed monthly during the construction prior to the General
Contractor’s application for payment.
C. Exhibit C: Davis Bacon Compliance (Applicable Federally funded projects)
Interviews shall be performed during required inspections to ensure compliance
with Davis Bacon and related Acts.
Page 4 of 41
VII. Response Content Requirements
All Responses must contain the following information and relevant documentation in the
order outlined below:
A. Minimum Qualifications
The Consultant shall demonstrate that it meets the qualifications outlined in
Section V.
B. Executive Summary Scope of Work
The Consultant shall condense and highlight the contents of the Response in
a separate section titled “Executive Summary.” The summary shall provide a
broad overview of the Consultant’s understanding of the contents of the RFQ
and of how the Consultant’s proposal meets the scope of services outlined.
C. Summary of Experience and General Capability
1. Experience. The Consultant shall provide an overview of its experience
rendering services similar to those outlined in Section VI and the relevant
exhibits of this RFQ and how that experience is relative to this RFQ. This
narrative shall also include a summary of the experience of key personnel
proposed to be assigned to this Contract. Resumes, brochures, and other
relevant documentation may be included in this section.
Section should include a listing of multifamily rental housing projects for
which Consultant has performed construction inspections within the past
three (3) years. This listing should include a summary concerning the
value of the project, number of units, whether the project is a new
construction or rehab, type of ownership, source of financing, and
whether the project was assisted with Government funding.
Include a copy of any applicable license(s).
2. References. The Consultant must provide the names, addresses, telephone
numbers, and contact persons of three (3) current clients or clients from the
past three years for whom similar services required by this RFQ were
performed. GHFA reserves the right to contact any known current or former
client.
3. Sample electronic copies of reports applicable to the services proposed (e.g.
construction inspection, draw request review) that your firm has completed
in the last twelve (12) months for a multifamily housing development must
be submitted. A development with Low Income Housing Tax Credits and/or
Federally Funded funds is preferable. If the sample copy of a complete report
Page 5 of 41
meeting these requirements has previously been submitted to DCA,
Consultant should state so in written form and provide the DCA project name
and number.
D. Work Plan
The Consultant shall provide a work plan presenting how the services described
in this RFQ shall be provided by the Consultant should the Consultant be awarded
a Contract. At a minimum, the Work Plan shall include the following:
1. The Consultants understanding of the services to be provided.
2. The Consultant’s approach to managing the performance of work
including, overall organization, and support resources.
3. The tasks and methods to be utilized in completing the required
services described in Section VI of this RFQ.
E. Key Personnel
Identify the specific key individuals being designated in this Response for the
project team and specify the division of responsibility that is envisioned among
these individuals to perform the scope of services listed in Section VI and the
relevant exhibits of this RFQ. If the personnel are not employees of the Consultant,
indicate the relationship with the Consultant and confirm their availability to work
on assignments within the deadlines established in the scope of services. For each
individual named, include a resume that highlights:
1. Educational background;
2. Relevant general experience;
3. Relevant specialized experience as it relates to the minimum
qualifications outlined in Section V.
Should the Response be accepted by GHFA, these designated individuals will be
the only ones authorized pursuant to the contract to provide the Construction
Inspection and Analysis Services set forth in this RFQ.
F. Conflict of Interest
Consultants shall consider any conflicts of interest which presently exist or which
may arise if the Consultant is selected for contract award. A conflict of interest is
defined as a relationship of such a character that would raise doubts in the mind
of an independent observer about the Contractor’s ability to conduct an impartial
review of the assigned project.
Page 6 of 41
If during the term of the Contract the Consultant becomes aware of any such
conflict of interest, or the potential appearance of a conflict, the Consultant shall
disclose same, in writing, within five (5) business days from the time the Consultant
becomes aware of the relationship. It shall be the Consultant’s Administrator’s
responsibility to determine whether or not the contractual relationship so disclosed
would constitute a conflict sufficient to present the appearance of impropriety.
Describe any facts that may create a conflict of interest with your firm’s services
under this RFQ.
G. Price Proposal
A description of pricing for each of the services outlined in the Scope of Work
should be provided. The price proposal should be as detailed as possible to enable
GHFA to appropriately budget for services under this RFQ.
VIII. Non-Binding Request for Proposal
The expectations, plans, and requests expressed in this RFQ are not to be considered a
commitment or contract in any way. In addition, this RFQ does not in any way obligate
GHFA to pay any costs incurred in the preparation or mailing of a Response.
IX. Reservation of Rights
In connection with this RFQ, and the services to be provided by the Consultant
selected pursuant to this RFQ, the Authority reserves the right to:
1. cancel this solicitation at any time;
2. reject any or all proposals;
3. waive minor deficiencies and informalities;
4. request additional information from individuals or firms prior to final selection;
5. change the schedule of events or cancel any funding program without any financial
obligation for services provided or out-of-pocket expenses incurred, or any other
obligation to the appraisers; and
6. amend or modify this RFQ to include additional services
X. Georgia Open Records Act and Program Accessibility
Page 7 of 41
A. Georgia Open Records Act. The Georgia Open Records Act (O.C.G.A. §§ 50-
18-70 et. seq.) requires that public records be open and available for inspection
by any member of the public.
As such, any Proposal submitted in response to this RFQ is subject to the
Georgia Open Records Act. By submitting a response to this RFQ, firms
acknowledge that this RFQ is subject to the Georgia Open Records Act.
B. Accessibility. GHFA is committed to providing all persons with equal access to
its services, programs, activities, education, and employment regardless of
race, color, national origin, religion, sex, familial status, disability, or age.
Please contact OHFRFP@gadca.onmicrosoft.com if any reasonable
accommodations are required. For example, Consultants that respond to this
RFQ should contact OHFRFP@gadca.onmicrosoft.com at least one day in
advance if they require special arrangements when attending the Oral
Presentations (if applicable).
XI. Evaluation Process
DCA will designate a review committee comprised of DCA staff (“Evaluation
Committee”). The Evaluation Committee will evaluate the Responses in accordance
with this RFQ. The Evaluation Committee will conduct their evaluation of the Technical
Responses received on the basis of the following criteria in descending order of
importance:
A. Minimum Qualifications
B. Experience and General Capability
C. Work Plan
D. Key Personnel
E. Executive Summary
F. Pricing
G. Conflict of Interest
H. Certification Statements
XII. Selection and Award
Any contract award(s) resulting from this RFQ will be made to the lowest priced,
responsive and responsible Consultant(s) receiving an acceptable score as determined
Page 8 of 41
by DCA ranking criteria and with whom the Authority has reached an agreement on all
contract terms and conditions. DCA reserves the right to select one or more
Consultants for award and to award all items to one or more Consultants, individual line
items to one or more Consultants, or subcategories of products/services to one or more
Consultants when to do so is in the best interests of the State of Georgia.
Unless this RFQ states otherwise, the resulting award of the contract does not
guarantee volume or a commitment of funds.
XIII. Contract Term
The Contract resulting from this RFQ shall commence after all appropriate State
approvals have been obtained and shall extend for a period of one (1) year. The initial
term may be extended by agreement of the parties for three additional one (1) year
terms.
XIV. Miscellaneous
Insurance Requirements. If awarded a contract, Consultant must show proof of
professional liability/errors and omissions insurance. The limit of liability for such
coverage shall be no less than $1 million per occurrence. The Consultant, its directors,
officers, and key individuals being designated in this Proposal shall be named as
“additional insureds” under such policy. Consultant shall also demonstrate proof that it
maintains current workers’ compensation insurance.
Criminal/Credit Background Check Authorization. Consultant, its directors,
officers,and any key personnel designated to work on this Project may be subject to
credit and criminal background checks. By submitting a Proposal, Consultant
understands and agrees that authorizations will be furnished to DCA upon request to
allow these checks to be performed.
Delinquent Taxes. Consultant must certify for DCA that it does not owe any unpaid
taxes to the Georgia Department of Revenue (“GDR”). DCA reserves the right to obtain
an authorization from the Consultant to check its tax status in Georgia. DCA will not
enter into a Contract for professional services with consultant if 1) delinquent taxes are
owed to GDR, and 2) no written arrangement exists as of the date of this RFQ to pay
them.
Identity of Interest. Consultant must disclose any identity of interest with:
1. any member, officer or employee of DCA; and
Page 9 of 41
2. the owner, developer, or manager of any DCA-funded affordable housing
project.
Debarment or Suspension. Consultant must disclose whether Consultant has ever been
debarred or suspended from participating in any local, state, or federal housing program.
Minority and Women’s Business Enterprises. Consultant should disclose status as
MBE/WBE and submit the applicable certification documentation.
XV. List of RFQ Attachments
The following documents make up this RFQ:
A. RFQ (this document)
B. Exhibit A 4%/9% LIHTC Scope of Work
C. Exhibit B Federally Funded Projects Construction Draw Request Inspection
Scope of Work
D. Exhibit C – Applicable Federally Funded Projects – Davis Bacon Compliance
E. Appendix A Inspection Checklist for 9% Tax Credit, 4% Tax Exempt Bonds,
and Federally Funded Projects
F. Appendix B Report Format for Project Inspections
G. Addendum-Example Master Agreement & Security Exhibit
XVI. Certification Statements
Submission of the Contractor Affidavit along with answers to the following questions
satisfies the Certification Statements threshold under Section XI of this RFQ:
A. All Proposals shall include a signed and notarized Contractor Affidavit, which can
be found on page 12 of this RFQ.
B. The following shall be signed by an individual authorized to bind the firm:
1. “I agree and certify that our firm, as well as any person or entity associated
with our firm, is in compliance with the applicable requirements of Municipal
Securities Rulemaking Board Rule G-37.
□ Yes □ No
Page 10 of 41
2. “I agree and certify that our firm, and any contractors employed by our firm,
will operate within a drug-free workplace during the time of any performance
of any contract resulting from the RFQ.”
□ Yes □ No
3. “I agree and certify that our firm is in compliance with the Immigration
Reform and Control Act of 1986 (IRCA), D.L. 99-603, the Georgia Security
and Immigration Compliance Act (O.C.G.A. §13-10-90 et. seq.), the Illegal
Immigration Reform and Enforcement Act of 2011 (HB 87) and any other
applicable state or federal immigration law.
□ Yes □ No
4. “Pursuant to O.C.G.A. §§50-5-84, 50-5-84.1, and 50-5-84.2 I certify that our
firm is not a scrutinized company.
□ Yes □ No
5. "I certify that this bid, offer, or proposal is made without prior understanding,
agreement, or connection with any corporation, firm, or person submitting a
bid, offer, or proposal for the same materials, supplies, services, or
equipment and is in all respects fair and without collusion or fraud. I
understand collusive bidding is a violation of state and federal law and can
result in fines, prison sentences, and civil damage awards.”
□ Yes □ No
6. “I agree to abide by all conditions of this RFQ and certify that all information
provided in this Response is true and correct, that I am authorized to sign
this Response for the firm and that the firm is in compliance with all
requirements of the RFQ.”
□ Yes □ No
[Signature on next page]
Page 11 of 41
Contractor’s Full Legal Name:
(PLEASE TYPE OR PRINT)
Authorized Signature:
Printed Name and Title of
Person Signing:
Date:
Company Address:
Email Address:
Page 12 of 41
Page 13 of 41
EXHIBIT A
GEORGIA DEPARTMENT OF COMMUNITY AFFAIRS
CONSTRUCTION INSPECTION SERVICES
SCOPE OF WORK
FUNDING SOURCE(S):
4% and 9% LIHTC Projects
(no other DCA resources)
I. SERVICES:
A. This document details the purpose, timing, level of inspection, sampling
requirements, and report format for Georgia Department of Community Affairs
Office of Housing Finance and Development (HFD) Construction Inspections.
B. A scope of work is provided below for each type of inspection required under
the 9% and 4% LIHTC PROJECTS: Interim, Final, Final follow-up, Monthly for
2021 funded deals (follow Ex. B guidance) and Quarterly for 2022 and later
deals.
C. The Consultant will be required to render services in the area of construction
inspection at different times during the construction process:
1. Interim
30-60% construction complete
2. Final
100% construction complete, including
punch list items
3. Final follow-up
After final inspection;
If necessary, as directed by DCA
4. Monthly (for funded 2021
developments)
From construction start (commence of
construction) to AIA Certification of
Substantial Completion, see Exhibt B.
5. Quarterly (for funded 2022
and later developments)
25%, 50%, 75%, 100% (construction
completion)
D. It is expected one Consultant will perform all inspections on each assigned
project.
E. DCA shall provide the Consultant with the following information after the
execution of the Contract:
1. Application for Funding
2. Pre-application architectural waivers, where applicable
Page 14 of 41
3. File correspondence, where pertinent
4. Conceptual Site Development plan
F. Consultant will be responsible for obtaining the following information directly
from the development team, as needed:
1. Construction drawings
2. Specifications
3. Project Schedule
4. Accessibility plan review
5. Schedule of Values
6. Physical Needs Assessment/Scope of work narrative (rehab only)
7. Owner/contractor agreement
II. INTERIM INSPECTION
A. Purpose
1. DCA monitors the construction of multifamily properties funded with 9%
Tax Credit and 4% Low-Income Housing Tax Credits (LIHTC)/Bonds to
verify that the properties meet Program requirements with the goal of
encouraging best practices in construction and identifying barriers to
timely project completion.
2. The Interim Inspection will verify the progress of construction activities in
accordance with DCA Accessibility and Architectural Manual along with
DCA timelines.
B. Timing of Inspections
1. Interim -Conducted midway through construction at 3060% construction
completion, the Consultant is engaged by the DCA Construction Manager
Specialist (CMS) once ready for the interim inspection. The Consultant
should review the DCA Commencement Submission and recently
executed AIA pay application or contractor requisition form sent
electronically by CMS to optimize the collection of information for
completing the Inspection Checklist (Appendix A).
C. Scope of Services
1. Perform an independent on-site inspection to observe the status of the
entire construction project. This inspection will include walking the entire
project.
2. Unit sampling requirements are 20% of the total unit count with the
following additions/inclusions: all vacant and down units, one unit in each
building, one of each type of accessible units (where they exist), one of
each unit configuration type, and all other community/common areas and
maintenance spaces.
3. Report verbally, or by email to DCA within 48 hours of the completion of
the inspection, if any issues or concerns are noted.
Page 15 of 41
4. A copy of the completed on-site inspection should be submitted to DCA
within 7 calendar days of the completed inspection and formatted to
include: a completed report form template (Appendix B) titled “interim
inspection” with photographs included and a checklist (Appendix A) titled
interim checklist” combined in pdf format.
5. An electronic copy of the Report is required to be submitted to:
hfdconstructionservices@dca.ga.gov.
D. Report Format
1. Cover Sheet:
a. DCA project number
b. DCA project name
c. project address
d. date of inspection
e. name of inspector and inspection company
2. Site Observations:
a. Weather conditions under which the inspection was performed
b. Name, title, and contact phone number of all personnel interviewed
and/or contacted on the site.
c. Narrative regarding all work to date and work in progress on site
including configurations of the buildings and units, amenities, condition
of the property, and any other observations that may pertain to the
property and conditions.
3. Progress:
a. Provide an approximate percentage of work completed.
b. Determine the General Contractor’s projected completion date.
c. Provide an opinion of the likelihood of completing construction by the
deadline set forth under the applicable funding source/program.
4. Quality/Compliance:
a. Comment on the condition of the development as a whole and whether
the project represents accepted standards of good workmanship.
b. Review the completed work, and ensure it is in compliance with all
applicable project information including:
i. Plans and specifications
ii. Physical needs assessment and work scope (if applicable)
iii. DCA Application
iv. DCA Architectural Manual (i.e. Architectural Standards, Amenities
Guide, etc.)
c. Identify any discrepancies, deficiencies or problems including, but not
limited to:
i. poor workmanship
ii. substitutions in materials/components
iii. building code violations
iv. health and life safety violations
v. failure to meet the original work scope
Page 16 of 41
vi. failure to meet the DCA Accessibility and Architectural Manual.
d. Accessibility compliance with accessibility regulations is not specifically
part of the scope of the inspections, however, glaring violations should
be noted.
5. Photographs: Provide enough photographs to provide a comprehensive
picture of work to date on site. A clear visual representation of the property
is expected. Provide specific photographs of all discrepancies or
deficiencies. There is no limit to the number of photographs to be attached
to the report.
III. FINAL INSPECTION
A. Purpose
1. DCA monitors the construction of multifamily properties funded with 9%
Tax Credit and 4% Low-Income Housing Tax Credits (LIHTC)/Bond to
verify that the properties meet Program requirements with the goal of
encouraging best practices in construction and identifying barriers to
timely project completion.
2. The Final Inspection will verify the compliance of the completed project in
accordance with DCA Accessibility and Architectural Manuals along with
DCA timelines.
B. Timing of Inspections
1. Final Conducted at 100% construction completion, the Consultant is
engaged by the DCA Construction Manager Specialist (CMS) once
ready for the final inspection. The Consultant should review the Final
Inspection Submission and executed contractor’s pay application or
requisition form sent electronically by CMS showing final retainage to
optimize the collection of information for completing the Inspection
Checklist (Appendix A).
C. Scope of Services
1. Perform an independent on-site inspection to observe the status of the
entire construction project. This inspection will include walking the entire
project.
2. Unit sampling requirements are 20% of the total unit count with the
following additions/inclusions: all vacant and down units, one unit in each
building, one of each type of accessible units (where they exist), one of
each unit configuration type, and all other community/common areas and
maintenance spaces.
3. Report verbally, or by email to DCA within 48 hours of the completion of
the inspection, if any issues or concerns are noted.
4. A copy of the completed on-site inspection should be submitted to DCA
within 7 calendar days of the completed inspection and formatted to
include: a completed report form template (Appendix B) titled “final
Page 17 of 41
inspection” with photographs included and a checklist (Appendix A) titled
“final checklist” combined in pdf format.
5. An electronic copy of the Report is required to be submitted to:
hfdconstructionservices@dca.ga.gov.
D. Report Format
1. Cover sheet:
a. DCA project number
b. DCA project name
c. Project address
d. Date of inspection
e. Name of inspector and inspection company
2. Site observations:
a. Weather conditions under which the inspection was performed.
b. Name, title, and contact phone number of all personnel interviewed
and/or contacted on the site.
c. Narrative regarding all work to date and work in progress on site
including configurations of the buildings and units, amenities, condition
of the property, and any other observations that may pertain to the
property and conditions.
3. Progress:
a. Provide an approximate percentage of work completed (if additional
issues noted)
b. Determine the General Contractor’s completion date (if additional
issues noted)
c. If additional issues (as noted above) to General Contractor’s
completion/percentage of work completed, provide an opinion on the
completion for the notated issues and discuss with assigned CMS if a
final inspection follow-up will be needed.
4. Quality/Compliance:
a. Comment on the condition of the development as a whole and
whether the project represents accepted standards of good
workmanship.
b. Review the completed work and ensure it is in compliance with all
available project information including:
i. Plans and specifications
ii. Physical Needs Assessment and scope of work presented at
application (for rehab projects)
iii. DCA Core Application (provided by CMS)
iv. Applicable DCA Accessibility and Architectural Manual (i.e.
Architectural Standards, Rehabilitation Standards, etc.)
v. Final Inspection Submission
vi. Retainage pay application or contractor’s requisition
(included in final inspection submission)
Page 18 of 41
vii. Post award project concept change and DCA approved
architectural waivers (included in final inspection
submission)
c. Identify any discrepancies, deficiencies, or problems including, but
not limited to:
i. Poor workmanship
ii. Substitutions in materials/components
iii. Building code violations
iv. Health and life safety violations
v. Failure to meet the original scope of work
vi. Failure to meet the DCA Accessibility and Architectural
Manuals for the applicable funding year
d. Accessibility compliance with accessibility regulations is not
specifically part of the scope of the inspections, however, glaring
violations should be noted.
5. Photographs: Provide enough photographs to provide a comprehensive
picture of the work completed on site. A clear visual representation of the
property is expected. Provide specific photographs of all discrepancies or
deficiencies. There is no limit to the number of photographs to be
attached to the report.
IV. FINAL INSPECTION FOLLOW-UP
A. Purpose
1. DCA monitors the construction of multifamily properties funded with 9%
Tax Credit and 4% Low-Income Housing Tax Credits (LIHTC)/Bond to
verify that the properties meet Program requirements with the goal of
encouraging best practices in construction and identifying barriers to
timely project completion.
2. The Final Inspection Follow-up will re-verify the compliance of the
completed project due to incomplete or non-compliant construction in
accordance with DCA Accessibility and Architectural Manual along with
DCA timelines.
B. Timing of Inspections
1. Final follow-upConducted after 100% construction completion, the
Consultant is engaged by the DCA Construction Manager Specialist
(CMS) if a re-inspection of the property is required.
C. Scope of Services
1. Utilizing the original final report and checklist submitted electronically as
stated above in section III. Final Inspection, Consultant provides review
and confirmation of non-compliant and/or incomplete work on project as
compliant.
Page 19 of 41
2. Provide an opinion as to whether the work satisfactorily addresses the
issues notated.
3. Provide a list (if applicable) of any remaining non-compliant, deficient work
pending resolution by General Contractor and/or Property Management
team (if applicable).
4. Report verbally, or by email to DCA within 48 hours of being on-site if no
changes to the original issues reported in the final inspection report
5. A copy of the revised on-site inspection should be submitted to DCA within
7 calendar days of the completed inspection and formatted to include: a
completed report form template (Appendix B) titled “final re-inspection”
with photographs included and a checklist (Appendix A) titled “revised
final checklist” combined in pdf format.
6. An electronic copy of the Report is required to be submitted to:
hfdconstructionservices@dca.ga.gov.
D. Report Format for a follow-up
1. Same format as section III. Final Inspection within Exhibit A, with updates
to the incomplete or non-compliant issues notated on the Final Inspection
Report first submitted.
2. Photographs should display:
a. Confirmation of repaired/remedied items.
b. Work on pending items due to unacceptable repairs, delays, and/or
outstanding items.
V. Quarterly Inspections (2022 projects and later)
A. Purpose
1. DCA monitors the construction of multifamily properties funded with 9%
Tax Credit and 4% Low-Income Housing Tax Credits (LIHTC)/Bond to
verify that the properties meet Program requirements with the goal of
encouraging best practices in construction and identifying barriers to
timely project completion.
2. The Quarterly Inspections will verify the progress of construction
activities in accordance with these DCA timelines, DCA Accessibility
Manual, and DCA Architectural Manual.
B. Timing of Inspections
1. Quarterly - At least four inspections shall be conducted during the
construction lifecycle. The first will be scheduled at 25% construction
completion, the second will be scheduled at 50% construction completion,
the third scheduled at 75% construction completion, and the last at 100%
construction completion. It is the responsibility of the Consultant to contact
the appropriate parties to schedule the quarterly inspections and request
the needed documentation from the Owner to review before and after each
site inspection. The specific timing is left to the determination of the
Page 20 of 41
Consultant. The Consultant should review the following documentation
and/or submissions listed below to optimize the collection of information for
completing the inspection checklist and report (Appendix A and B).:
a. DCA 60-day submission
b. DCA Commencement Submission
c. Change Orders
d. Most recent executed certified pay application
e. Revised/updated drawings and/or specifications
C. Scope of Services
1. Perform an independent on-site inspection to observe the status of the
entire construction project. Each inspection must include a site walk of
the entire project.
2. Inspection consultants will need to furnish their own Windows based
operating system to be able to successfully download the Emphasys
Construction Inspection Application to facilitate all inspections and deliver
an acceptable inspection report to DCA per Exhibit A of the RFQ.
3. Unit sampling requirements are 20% of the total unit count with the
following additions/inclusions: all vacant and down units, one unit in each
building, one of each type of accessible units (where they exist), one of
each unit configuration type, and all other community/common areas and
maintenance spaces.
4. Report verbally, or by email to DCA within 48 hours of the completion of
the inspection, if any issues or concerns are noted.
5. A copy of the completed on-site inspection should be submitted to DCA
within 7 calendar days of the completed inspection and formatted to
include: a completed report form template (Appendix B) titled “quarterly
inspection” with photographs included and a checklist (Appendix A) titled
quarterly checklist” combined in pdf format.
6. An electronic copy of the Report is required to be submitted to:
hfdconstructionservices@dca.ga.gov.
D. Report Format
1. Cover Sheet:
a. DCA project number
b. DCA project name
c. project address
d. date of inspection
e. name of inspector and inspection company
2. Site Observations:
a. Weather conditions under which the inspection was performed
Page 21 of 41
b. Name, title, and contact phone number of all personnel interviewed
and/or contacted on the site.
c. Narrative regarding all work to date and work in progress on site
including configurations of the buildings and units, amenities, condition
of the property, and any other observations that may pertain to the
property and conditions.
3. Progress:
a. Provide an approximate percentage of work complete.
b. Determine the General Contractor’s projected completion date.
c. Provide an opinion of the likelihood of completing construction by the
deadline set forth under the program.
4. Quality/Compliance:
a. Comment on the condition of the development as a whole and
whether the project represents accepted standards of good
workmanship.
b. Review the completed work, and ensure it is in compliance with all
available project information including:
1. Plans and specifications
2. Physical needs assessment and work scope (if applicable)
3. DCA Application
4. DCA Architectural Manual including the Architectural Standards,
Amenities Guidebook, etc.
c. Identify any discrepancies, deficiencies or problems including, but not
limited to:
vii. poor workmanship
viii. substitutions in materials/components
ix. building code violations
x. health and life safety violations
xi. failure to meet the original work scope
xii. failure to meet the DCA Accessibility and Architectural Manuals.
d. Accessibility compliance with accessibility regulations is not
specifically part of the scope of the inspections, however, glaring
violations should be noted.
5. Photographs: Provide enough photographs to provide a comprehensive
picture of work to date on site for each quarterly inspection. A clear visual
representation of the property is expected. Provide specific photographs of
all discrepancies or deficiencies. There is no limit to the number of
photographs to be attached to the report.
Page 22 of 41
EXHIBIT B
GEORGIA DEPARTMENT OF COMMUNITY AFFAIRS
CONSTRUCTION INSPECTION SERVICES
SCOPE OF WORK
FUNDING SOURCE(S):
FEDERALLY FUNDED Projects
I. A scope of work is detailed below for monthly inspections required for
disbursement of Federal funds.
II. Monthly inspection services will verify that the amount requested from the
general contractor each month is appropriate for the work in place and that
construction is progressing in accordance with GHFA/DCA timelines and
Accessibility and Architectural Manual for quality of work. Reference the following
for GHFA/DCA standards applicable to this project:
A. Qualified Allocation Plan
B. Architectural Standards
C. Architectural Submittal Instructions
D. Submission Requirements Guide
E. Amenities Guidebook
F. Accessibility Manual
G. Environmental Manual
H. Rehabilitation Guide
III. A report must be submitted in the format outlined in Appendix B.
IV. Consultants must attend Pre-Construction conferences facilitated by DCA.
V. Consultant shall assist GHFA/DCA in evaluating the construction of the project
and all draw requests and make itself available for GHFA/DCA as often as
reasonable and necessary to advise and discuss with GHFA/DCA its
observations and conclusions.
VI. It is expected one Consultant will perform all inspections on each assigned
project.
VII. GFHA/DCA shall provide the Consultant the following information after execution
of the Contract:
A. Current Qualified Allocation Plan
B. Current Architectural Manual
C. Current Architectural Submittal Instructions
Page 23 of 41
VIII. The Consultant is responsible for securing the following from the development
team:
A. Owner/Contractor agreement
B. Schedule of values
C. Project schedule
D. Construction drawings
E. Specifications
IX. Site visit must occur in every month that the General Contractor submits an
application for payment, as well as loan closing draws if hard cost are requested.
X. Consultant shall attend monthly draw meetings conducted by the owner,
contractor, and architect.
XI. This site visit shall be performed within 3 business days of receipt of the
Borrower’s draw request.
XII. Report verbally, or by email to DCA within 48 hours of the completion of the
inspection, if any issues or concerns are noted.
XIII. A copy of the completed on-site inspection should be submitted to DCA within 7
calendar days of the completed inspection and formatted to include: a completed
report form template (Appendix B) titled “monthly inspection” with photographs
included and a checklist (Appendix A) titledmonthly checklist” combined in pdf
format.
XIV. One (1) electronic copy, in PDF format, shall be submitted to
hfdconstructionservices@dca.ga.gov.
Page 24 of 41
EXHIBIT C
GEORGIA DEPARTMENT OF COMMUNITY AFFAIRS
FEDERALLY FUNDEDDAVIS BACON COMPLIANCE
SCOPE OF WORK
I. The Davis Bacon and Related Acts requires that contractors on federally funded or
assisted contracts for construction or repair pay their laborers and mechanics no less
than the locally prevailing wages and fringe benefits for corresponding work. DCA
ensures compliance to Davis Bacon by comparing these employee interviews and
observations with certified payrolls. A scope of work is detailed below for interviews
required for Davis Bacon Compliance.
II. Consultant shall perform between two (2) and four (4) “Davis Bacon” interviews, lasting
½ hour of time each on average, at two separate stages during the construction process.
Interviews shall be performed on two separate visits during the required federally funded
inspections, at Consultant’s discretion.
III. Consultants shall interview laborers or mechanics from the range of trades on site during
the visit. Interviews shall include consultant observations of work performed by the
employee during the visit, as well as responses from employees themselves. Form
HUD-11 should be completed to the extent possible.
IV. Interviews shall be submitted within 48 hours of completion on the appropriate Form
HUD-11. Electronic copies of interviews shall be submitted to
hfdconstructionservices@dca.ga.gov.
V. Consultant shall perform the Davis Bacon interviews for a cost of $175 per two
interviews, estimating approximately 30 minutes per interview. Where DCA requests
interviews to be performed outside of required monthly inspections (when Consultant is
already on site), a separate trip charge would be charged, which is based upon $75 per
hour travel time from the home office.
VI. Invoice for services should be submitted directly to hfdconstructionservices@dca.ga.gov
upon the completion of services.
Page 25 of 41
APPENDIX A
GEORGIA DEPARTMENT OF COMMUNITY AFFAIRS
Office of Affordable Housing
Interim, Final, Final Follow-up, Quarterly Inspection Checklist
PART I: PROJECT INFORMATION
Project #
DCA Funding Sources
(select all that apply):
Project name
HOME/NHTF
City
9% tax credit
4% tax credit/bonds
New or rehabilitation?
Tenancy characteristics:
# units (field verify)
o HFOP
# residential buildings (field verify)
o Elderly (Senior)
# parking spaces
o Family
Site acreage
o Special Needs
# each bedroom type (field verify)
1 BR
2BR
3BR
4BR
# each bedroom type (field verify)
1 BA
2BA
3BA
4BA
Original Contract Cost
Final Construction Cost (original
contract plus change orders)
(attach copy of final Application for
Payment)
Time & date of site visit
Inspector Name
Inspection Company
Persons contacted & met on site
Page 26 of 41
Unit #s Inspected.
PART II: VERIFICATION OF DCA DESIGN STANDARDS
AMENITIES
Directions to consultants: write N/A when not applicable, see applicable year QAP for full requirements.
Site Amenities
Installed?
Community room or building
Accessible exterior gathering area located in a central area (gazebo or covered porch
on community building)
On-site laundry (1 washer & 1 dryer / every 25 units)
*If washers & dryers are installed and maintained in every unit at no additional cost to
tenants, an on-site laundry is not required.
Additional Site Amenities
The number of amenities required depends on the total unit count:
1-125 units = 2 additional amenities
126 + = 4 additional amenities
(See DCA AMENITIES AND DESIGN OPTIONS RE-CERTIFICATION
form for the additional amenities certified to provide prior to construction)
(required for Elderly & HFOP only) Buildings more than two story construction must
have interior furnished gathering areas in several locations in the lobbies and/or
corridors
(required for Elderly & HFOP only) 100% of the units are accessible and adaptable
(Required for Elderly & HFOP only) If more than one story: elevator; more than 2
floors: gathering places
Unit Amenities
HVAC systems
Stove
EnergyStar Refrigerator
EnergyStar Dishwasher
Microwave ovens
Page 27 of 41
Powder-based fire suppression canister under range hood or electronically controlled
solid cover plates over stove burners
EnergyStar Washing Machines
SUSTAINABILITY
Directions to consultants:
All elements are required As notates in applicable QAP. See the applicable QAP year for full
policy reference.
All projects 2019 and later are required to have Sustainable Building Certification, see
applicable QAP year for full policy reference and core application.
2021 projects required to have sign-off from qualified professional in addition to Sustainable
Building Certification, see applicable QAP year for full policy reference.
Installed?
Bathroom fans must be Energy STAR certified, wired with a light, and equipped
with either a humidistat OR a timer that ensures the fan operates for a minimum
of 10 minutes once the light has been switched off.
Lighting: Install fluorescent or LED lights for at least 95% (by fixture count) of
the required lighting. Required lighting includes kitchens, dining rooms,
living/family rooms, bathrooms, hallways, stairways, entrances/foyers,
bedrooms, garages, utility rooms, and outdoor fixtures mounted on the building.
Low VOC interior wall/ceiling and floor finishes. As defined by “40 CFR Part
59 – National Volatile Organic Compound Emission Standards for Consumer
and Commercial Products” and maximum levels determined by the DCA QAP,
interior applied paints and finishes shall contain a maximum VOC level of: • 50
grams/liter for wall and ceilings (DCA QAP requirement) • 100 grams/liter for
floor finishes (DCA QAP requirement)
Water heaters: Comply with ENERGY STAR Multifamily New Construction
(MFNC) program (Version 1) for Uniform Energy Factor (UEF).
Plumbing fixtures: Georgia Plumbing Code High Efficiency Plumbing
Fixtures and Fittings in all units; shower heads ≤ 2.5 gpm, bathroom
faucets < 1.5 gpm, kitchen faucets < 2.0 gpm, toilets ≤ 1.28 gpf.
New construction and Adaptive Reuse units must meet new construction standards
under the applicable Georgia Energy Code requirements. (ONLY
APPLICABLE AT 100% INSPECTION) **NEW CONSTRUCTION
ONLY**
Rehabilitation units are required to achieve a 20% improvement over existing
conditions based upon pre-
rehabilitation “duct leakage” and “dwelling unit air
filtration” rates or
meet new construction standards for specified duct and
envelope leakage rates. All projects must complete a “pre-rehab” duct leakage and
dwelling air infiltration test to determine a baseline. To arrive at the pre-
rehabilitation leakage rates, a sampling of units (that includes one of each unit type
in its various configurations within the property) must have pre-rehabilitation duct
leakage and dwelling unit air infiltration performance testing, utilizing RESNET-
approved performance testing methodologies, conducted upon them prior to the
rehabilitation of the property. **REHAB ONLY**
Page 28 of 41
PROJECT DESIGN
Directions to consultants:
write N/A when not applicable;
See DCA AMENITIES AND DESIGN OPTIONS RE-CERTIFICATION form for the Project
Design Options certified to provide prior to construction
Exterior Wall Finishes (1 of the following:)
Pre-
Constructio
n
Promised?
Post-
Construction
Installed?
Exterior wall faces must have an excess of 30% brick or natural or
manufactured stone on each of the exterior wall surfaces. This is
applicable to all sides of the buildings including the front wall face,
each side’s wall face and the rear wall face of the buildings. This is
NOT applicable to the interior wall faces of open breezeways. On all
exterior walls the brick/stone must extend to all areas of grass,
landscaping and other areas of soil or mulch.
For the rehabilitation of buildings that are eligible for historic
preservation credits, maintain and if necessary replace with matching
materials, the existing or original exterior finish surfaces including
the front wall face, rear wall face and both side wall faces.
For the rehabilitation of buildings that do not have existing brick or
stone in excess of 30% (and are not eligible for historic credits),
replace and upgrade the existing exterior finish surfaces on all wall
faces including the front wall face, rear wall face and both side wall
faces with brick, natural or manufactured stone, or a product that
provides a 40-year warranty. This is NOT applicable to the interior
wall faces of open breezeways.
For single family units, the total building envelope shall have 30%
minimum brick or natural or manufactured stone coverage; remaining
70% must be fiber cement siding or other 40-year warranty product.
Major Building Component Materials and Upgrades (1 of the
following:)
Fiber cement siding or other 30-year warranty product installed on all
exterior wall surfaces not already required to be brick. Rehabilitation
projects that do not propose adding 30% brick or natural or
manufactured stone or maintaining existing 30% brick or natural or
manufactured stone are not eligible for this option.
Upgraded “Architectural” shingles with a warranty of 40 years.
Comments:
Page 29 of 41
Page 30 of 41
APPENDIX B
GEORGIA DEPARTMENT OF COMMUNITY AFFAIRS
Report Format
• All information in italics inside brackets indicates directions for what should be included
in the section. The directions should not appear in the report.
GA DCA Interim, Final, Final Follow-up, Quarterly, FEDERALLY FUNDED #xx--xxx
[Project Name]
[Project Street Address]
[City], [State] [Zip Code]
Inspection Date: , 2022
Inspected by:
[Inspector’s Name]
[Inspector’s Company]
Report Date: , 2022
[Company project # or other company information]
Page 31 of 41
TABLE OF CONTENTS
I. Project Description
II. Draw Summary
III. Site Observations
IV. Change Orders
V. Schedule
VI. Other (Stored Materials & Testing)
VII. Photographs
VIII. Copy of current AIA
Project name here
Report date here
I. PROJECT DESCRIPTION
Owner:
[Ownership Entity] Developer:
[Development Company]
Contractor:
[General Contractor Company]
Architect:
[Architectural Firm]
Unit Amenities--application requirements:
[list all unit amenities proposed in the application]
Site Amenities:
[list all community building and site amenities proposed in the application]
Energy Efficiency:
[list all energy efficiency components detailed in a memo provided by DCA]
Project Description:
[Insert narrative that includes the following information:
New construction or rehabilitation (or both)
# of buildings and a description of the style of building (for example: garden style, mid-rise,
etc.)
Unit mix (number of each type of bedroom/bath configuration)
# of stories in the residential buildings
# of units
# of acres
# of units designated for the audio/visual impaired
# of units designated for the mobility impaired
# of parking spaces
# of HC parking spaces
# of elevators (where applicable)
Describe the general construction of the building systems including the foundations, framing,
roofing, exterior sheathing/cladding, sprinkler system if applicable
Describe typical interior finishes
Generally describe site, grading operations, storm water detention provisions, site utilities
work
Describe any unique features
Describe the sequencing of work (how many buildings at one time, etc)
Project name here
Report date here
Page 33 of 41
If rehab, describe the proposed work scope including the extent of site work, framing,
drywall, plumbing, hvac, roofing, cladding, and unit finishes replacement, sprinkler system if
applicable
Indicate whether the scope of work is the same in every unit
Indicate how the work will be staged (around tenants? Tenants relocated? As units become
available, as buildings become available?)]
II . DRAW SUMMARY
Date of Application
AIA #
% complete
Original Contract Amount
(+) Change Orders (*see section XX for
descriptions)
( =) Current Contract Amount
Work Complete to Date
(-) Retainage
(-) Previous Payments
(=) Current Amount Due
Current Amount Recommended
DCA Construction Contingency
Is retainage per the contract? [yes or no; if no, explain]
Project name here
Report date here
Page 34 of 41
III. SITE OBSERVATIONS
Inspection Conditions: [time, weather, approx. temp]
List personnel met on site: [personnel names] Trades on
site: [list trades on site during inspection]
Progress:
[insert narrative]
Are there any issues with the following:
Y/N (if Y, provide description)
1. industry standards of good workmanship
2. substitutions in materials/components
3. violations of building or fire and life safety
codes (*code compliance is not the legal
responsibility of monthly construction
consultant; however, obvious violations
should be noted)
4. plans and specifications
5. physical needs assessment and work scope
(rehabilitation projects only)
6. DCA Application
7. DCA Architectural Standards
8. DCA Accessibility Standards (*project
wide
accessibility compliance is not the legal
responsibility of monthly construction
consultant; however, obvious violations
should be noted)
Page 35 of 41
IV. CHANGE ORDERS
Change
Order #
Date
Description of Work
Amount
Reasonable
cost? [y/n]
Days
added to
schedule
Potential Change Orders:
[Describe the inspector’s knowledge of pending change orders or additional work for which a
change order should be submitted.]
[insert narrative]
Page 36 of 41
V. SCHEDULE
Construction start
Construction duration (per contract)
(+) Days added by change order
(=) Revised contract duration
(-) Days elapsed
(=) Days remaining to contract deadline
% of contract time elapsed
DCA deadline
Building #
Start date
Projected
completion date
Actual CO date
1
2
3
[inset rows as
necessary]
Community building
Schedule Commentary:
Page 37 of 41
[Comment on the general contractor’s ability to complete construction within the remaining
contract duration]
[Comment on the general contractor’s ability to complete construction within DCA’s statutory
time frame.]
VI. OTHER
Testing
Concrete testing reports reviewed this period? [Yes/No]
Adequate? [Yes/No]
Soil testing reviewed this period? [Yes/No]
Adequate? [Yes/No]
Other? [describe as applicable]
Stored materials
DCA defines stored materials as those materials that will not be incorporated into the project
within 30 days.
Are there materials stored on site that fit the above definition? [Yes/No] Are funds requested
for these materials this period? [Yes/No]
Page 38 of 41
Inspection company specific information such as disclaimers or notes regarding reliance
[insert as applicable]
Page 39 of 41
VII. PHOTGRAPHS
[attach site photos]
Page 40 of 41
VIII. COPY OF CURRENT Certified pay application or requisition form (Federal Funds
require DCA AIA pay application)
[attach copy of current pay application]
Page 41 of 41
ADDENDUM
GEORGIADEPARTMENTOFCOMMUNITYAFFAIRS
EXAMPLEMASTER
AGREEMENT&
SECURITYEXHIBIT
NOTE:AllserviceprovidersrespondingtoanagencyRequestforQuote
(RFQ)orrequestforstatementofwork(SOW)willberequiredto
executeaDCAMasterAgreementandtheagency’sSecurityExhibitas
seeninScheduleAofthismaterial.Thisdocumentisthereforeprovided
totherecipientsforillustrativepurposesonlyinordertobecome
familiarwiththescopeofsecurityrequirementsinvolved.Thematerial
isconfidentialandmustnottobereusedorredistributedtoanyparty
withouttheexpresspermissionoftheagency’sDepartmentofLegal
Services.
DCAOfficeofInformationSecurity;[email protected]
7282022
1
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
STATE OF GEORGIA
COUNTY OF FULTON
EXAMPLE MASTER AGREEMENT FOR PROFESSIONAL SERVICES
This Services Agreement is made and entered into this DAY day of MONTH, 2022, (“Effective
Date”) by and between the Georgia Department of Community Affairs (hereinafter referred to as “DCA”
or the “Agency” or “Client”), an agency of the State of Georgia, whose address is 60 Executive Park
South, NE, Atlanta, GA 30329, and THIRD PARTY SERVICE PROVIDER, (hereinafter referred to as
“Provider” or “Service Provider”), whose address is 6303 Barfield Road, Atlanta Georgia 30328,
collectively referred to as the Parties.
WHEREAS, DCA desires to engage the services of Service Provider, and Service Provider
desires to provide services to DCA with respect to the DCA’s Office of Information Security Annual Risk
and Vulnerability Assessment Plan (hereinafter referred to as the “______________________” or
“______________”) as described herein; and
WHEREAS, the DCA’s Office of Information Security has provided the Service Provider with its
Request for Proposal dated May 25, 2022(hereinafter referred to as the “RFP”) and has worked with the
Service Provider’s representatives to develop and finalize documentation on a _____________ Scope of
Work (hereinafter referred to as the “RFP SOW” or “SOW”) that is generally acceptable to both Parties
and is attached hereto in Schedule B; and
WHEREAS, the DCA’s Office of Information Security now wishes to engage the Service
Provider in the work described in their jointly developed SOW and thereby issue Service Provide with the
Purchase Order number and authorization for moving forward in the process of providing the services
outlined in the Parties SOW; and
WHEREAS, the Service Provider and the DCA’s Office of Information Security (hereinafter
referred to as the “OIS”) are both willing to move forward with the planning and scheduling of those
services outlined in the SOW upon the Effective Date of both Parties signing this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein, DCA and the
Service Provider do hereby agree as follows:
A. DURATION OF CONTRACT
Section 1. Term.
The initial term of this Agreement shall commence on the Effective Date (as indicated on the
signature page of this Agreement) and shall terminate on the 30
th
day of June, 2023, unless terminated
pursuant to the termination provisions contained in this Agreement or unless renewed pursuant to Section
2 below, entitled “Renewal”.
Section 2. Renewal.
This Agreement shall not automatically renew in subsequent fiscal years. DCA shall have the
option, in its sole discretion, to renew the Agreement for additional terms on a year-to-year basis by
giving Service Provider written notice of the renewal decision at least sixty (60) days prior to the
expiration of the initial term or renewal term. Renewal shall depend upon the best interest of the DCA,
2
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
funding, and Service Provider’s performance. O.C.G.A. Section 50-5-64, this Agreement shall not be
deemed to create a debt of DCA for the payment of any sum beyond the fiscal year of execution or, in the
event of a renewal, beyond the fiscal year of such renewal
Section 3. Extension.
In the event that this Agreement shall terminate prior to entering a renewed Agreement for the
identified services, DCA, with the written consent of Service Provider, may extend this Agreement to
afford it a continuous supply of the identified services.
B. DESCRIPTION OF SERVICES
Section 1. Scope of Work.
The Service Provider agrees to provide DCA with the Services described in the Scope of Work
(SOW) and comply with “Schedule B” to the Scope of Work” attached hereto, during the specified term
of this Agreement.
Section 2 Non-Exclusive Rights.
The Agreement is not exclusive. DCA reserves the right to select other Service Providers to
provide services similar to the services described in this Agreement during the term of the Agreement.
C. COMPENSATION
Section 1. Fees and Payment.
DCA shall pay Service Provider for services satisfactorily rendered in accordance with the fees
and payment stated in “Schedule D Fees and Payment” attached to this Agreement.
Section 2. Billing.
The Service Provider shall submit, on a regular basis, an invoice for services supplied to DCA at
DCA’s billing address. The invoice shall comply with all applicable rules concerning payment of such
claims. DCA shall pay all approved invoices in accordance with applicable provisions of State law.
Unless otherwise agreed in writing by the Parties, the Service Provider shall not be entitled to
receive any other payment or compensation from DCA for any services performed by or on behalf of the
Service Provider. The Service Provider shall be solely responsible for paying all costs, expenses and
charges it incurs in connection with its performance under this Agreement.
Section 3. Delay of Payment Due to Service Provider’s Failure.
If DCA in good faith determines that the Service Provider has failed to materially perform or
deliver any services as required, the Service Provider shall not be entitled to any compensation for those
Services until such services are performed. In this event, DCA may withhold that portion of the Service
Provider’s compensation which represents payment for services that were not performed. To the extent
that the Service Provider’s failure to perform in a timely manner causes DCA to incur costs, DCA may
deduct the amount of such incurred costs from any amounts payable to Service Provider. DCA’s authority
to deduct such incurred costs shall not in any way affect DCA’s authority to terminate this Agreement.
Section 4. Set-Off Against Sums Owed by the Service Provider.
3
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
In the event that the Service Provider owes DCA any sum under the terms of this Agreement,
pursuant to any judgment, or pursuant to any law, DCA may set off the sum owed to it against any sum
owed to the Service Provider in DCA's sole discretion.
D. TERMINATION
Section 1. Termination.
Pursuant to O.C.G.A. Section 50-5-64, this agreement will terminate in whole or in part, upon
Service Providers receipt of written notice of termination if DCA determines that adequate funds are not
appropriated or granted or funds are de-appropriated such that DCA cannot fulfill its obligations under the
Agreement, which determination is at DCA's sole discretion and shall be conclusive. Under such
termination for convenience, Service Provider shall be paid for services provided up to and including the
date of termination. Further, DCA may terminate the Agreement for any one or more of the following
reasons with 30 days advance notice (except for item (ii) which shall be subject to immediate termination
without advance notice):
(i) In the event the Service Provider is required to be certified or licensed as a condition precedent to
providing services, the revocation or loss of such license or certification may result in immediate
termination of this Agreement effective as of the date on which the license or certification is no longer in
effect;
(ii) DCA determines that the actions, or failure to act, of the Service Provider, its agents, employees or
subcontractors have caused, or reasonably could cause, life, health or safety to be jeopardized;
(iii) The Service Provider fails to comply with confidentiality laws or provisions; and/or
(iv) The Service Provider furnished any statement, representation or certification in connection with the
Agreement or the selection or bidding process which is materially false, deceptive, incorrect or
incomplete.
Section 2. Termination for Cause by DCA.
The occurrence of any one or more of the following events shall constitute cause for DCA to
declare the Service Provider in default of its obligations under this Agreement:
(i) The Service Provider fails to deliver or has delivered nonconforming services or fails to perform any
material requirement of this Agreement or is in violation of a material provision of the Agreement,
including, but without limitation, the express warranties made by the Service Provider;
(ii) DCA determines that satisfactory performance of this Agreement is substantially endangered or that a
default is likely to occur;
(iii) The Service Provider fails to make substantial and timely progress toward performance of the
Agreement;
(iv) The Service Provider becomes subject to any bankruptcy or insolvency proceeding under federal or
state law to the extent allowed by applicable federal or state law including bankruptcy laws; the Service
Provider terminates or suspends its business; or DCA reasonably believes that the Service Provider has
4
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
become insolvent or unable to pay its obligations as they accrue consistent with applicable federal or state
law;
(v) The Service Provider has failed to comply with applicable federal, state and local laws, rules,
ordinances, regulations and orders when performing within the scope of this Agreement;
(vi) The Service Provider has engaged in conduct that has or may expose the State or DCA to significant
liability, as determined in DCA’s sole discretion; or
(vii) A court has determined that the Service Provider has infringed any patent, trademark, copyright,
trade dress or any other intellectual property rights of the State, DCA, or a third Party.
B. Termination for Cause by Service Provider: Service Provider shall have the right to terminate
this Agreement based on the occurrence DCA’s breach of a material requirement of this Agreement after
being given reasonable notice with a cure period.
Section 3. Notice of Default.
If there is a default event caused by the Service Provider, DCA shall provide written notice to the
Service Provider requesting that the breach or noncompliance be remedied within the period of time
specified in DCA’s written notice to the Service Provider, but not less than thirty (30) days. If the breach
or noncompliance is not remedied within the period of time specified in the written notice, DCA may:
(i) Immediately terminate this Agreement without additional written notice; and/or
(ii) Reprocure reasonably equivalent substitute services from another source and charge the difference
between the Agreement and the substitute contract to the defaulting Service Provider; and/or,
(iii) Enforce the terms and conditions of this Agreement and seek any legal or equitable remedies.
Section 4. Termination Upon Notice.
Following thirty (30) days’ written notice, DCA may terminate this Agreement for convenience
without the payment of any penalty or incurring any further obligation to the Service Provider. Following
termination upon notice, the Service Provider shall be entitled to compensation, upon submission of
invoices and proper proof of claim, for services provided under the Agreement to DCA up to and
including the date of termination.
Section 5. Termination Due to Change in Law.
DCA shall have the right to terminate this Agreement for convenience without penalty by giving
thirty (30) days’ written notice to the Service Provider as a result of any of the following:
(i) DCA’s authorization to operate is withdrawn or there is a material alteration in the programs
administered by DCA; and/or
(ii) DCA’s duties are substantially modified.
Section 6. Payment in the Event of Termination.
5
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
In the event of termination of this Agreement for any reason by DCA, DCA shall pay only those
amounts, if any, due and owing to the Service Provider services actually rendered up to and including the
date of termination of the Agreement and for which DCA is obligated to pay pursuant to this agreement or
Purchase Instrument. Payment will be made only upon submission of applicable invoices and Service
Provider agrees to provide documentation, if further requested to support Service Provider’s claim. This
provision in no way limits the remedies available to DCA under the Agreement in the event of
termination. DCA shall not be liable for any costs incurred by the Service Provider in its performance of
the Agreement.
Section 7. Service Provider’s Termination Duties.
Upon receipt of notice of termination or upon request of DCA, the Service Provider shall:
(i) Cease work under this Agreement and take all necessary or appropriate steps to limit disbursements
and minimize costs, and furnish a report within thirty (30) days of the date of notice of termination,
describing the status of all work under this Agreement, including, without limitation, results
accomplished, conclusions resulting there from, and any other matters DCA may require;
(ii) Immediately cease using and return to DCA, any personal property or materials, whether tangible or
intangible, provided by DCA to the Service Provider;
(iii) Comply with DCA’s instructions for the timely transfer of any active files and work product
produced by the Service Provider under this Agreement;
(iv) Cooperate in good faith with DCA, its employees, agents and Service Providers during the transition
period between the notification of termination and the substitution of any replacement Service Provider;
and
(v) Immediately return to DCA any payments made by DCA for services that were not rendered by the
Service Provider.
vi) This Agreement and SOW does not include costs for “transition work” –as further outlined in
Section 32 of this agreement. Service Provider is expected to deliver work performed under this
Agreement to the client in a usable format. Any work requested by DCA for the Service Provider to
transition the work to a different provider would be performed under an new, negotiated SOW.
E. CONFIDENTIAL INFORMATION
Section 1. Access to Confidential Data.
The Service Provider’s employees, agents and subcontractor may have access to confidential data
maintained by DCA to the extent necessary to carry out the Service Provider's responsibilities under this
Agreement. The Service Provider shall presume that all information received pursuant to the Agreement
is confidential unless otherwise designated by DCA. Each disclosure of confidential information is
subject to this Agreement for five years following the initial date of disclosure. If it is reasonably likely
the Service Provider will have access to DCA’s confidential information, then:
(i) The Service Provider shall provide to DCA a written description of the Service Provider's policies and
procedures to safeguard confidential information to the extent publicly available (or a summary thereof if
such policies and procedures are not publicly available);
6
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
(ii) Policies of confidentiality shall address, as appropriate, information conveyed in verbal, written, and
electronic formats;
(iii) The Service Provider must designate one individual who shall remain the responsible authority in
charge of all data collected, used, or disseminated by the Service Provider in connection with the
performance of this Agreement; and
(iv) The Service Provider shall provide adequate supervision and training to its agents, employees and
subcontractors to ensure compliance with the terms of this Agreement.
(v) The private or confidential data shall remain the property of DCA at all times. Performance by Service
Provider requires the Service Provider to sign a DCA nondisclosure agreement (hereinafter referred to as
the “NDA”) and accept the Agency’s
Data Protection and Information Security Exhibit found in
Schedule A below. Service Provider understands and agrees that refusal or failure to sign such a
nondisclosure agreement, if required, may result in termination of the Agreement.
(vi) Service Provider may disclose, disseminate, and use information that is already in its possession
without obligation of confidentiality, developed independently, obtained from a source other than DCA or
discloser without obligation of confidentiality, publicly available when received or subsequently becomes
publicly available through no fault of the Service Provider, or disclosed by DCA or discloser to another
without obligation of confidentiality. For avoidance of doubt, information that falls within any of the
categories of information listed in this subparagraph (vi) is not “confidential information”.
Section 2. No Dissemination of Confidential Data.
No confidential data collected, maintained, or used in the course of performance of this
Agreement shall be disseminated except as authorized by law and with the written consent of DCA, either
during the period of this Agreement or thereafter. Any data supplied to or created by the Service Provider
shall be considered the property of DCA. The Service Provider must return any and all data collected,
maintained, created or used in the course of the performance of this Agreement, in whatever form it is
maintained, promptly at the request of DCA.
Section 3. Subpoena
In the event that a subpoena or other legal process is served upon the Service Provider for records
containing confidential information, the Service Provider shall promptly notify DCA and cooperate with
DCA in any lawful effort to protect or disclose the confidential information in accordance with the
subpoena or other legal process.
Section 4. Reporting of Unauthorized Disclosure
The Service Provider shall immediately report to DCA any unauthorized disclosure of
confidential information.
Section 5. Survives Termination.
The Service Provider’s confidentiality obligation under the Agreement shall survive termination
of this Agreement.
7
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
F. INDEMNIFICATION
Section 1. Service Provider’s Indemnification Obligation.
The Service Provider agrees to indemnify and hold harmless DCA and State officers, employees,
agents, and volunteers (collectively, "Indemnified Parties") from any and all costs, expenses, losses,
claims, damages, liabilities, settlements and judgments, including reasonable value of the time spent by
the Attorney General’s Office, related to or arising from:
i. [Reserved]
ii. any negligent, intentional or wrongful misconduct of Contractor or any employee, agent or
subcontractor utilized or employed by Contractor;
iii. the negligence or fault of Contractor in design, testing, development, manufacture, or otherwise
with respect to the Software or Services provided under the Statewide Contract;
iv. claims, demands, or lawsuits that, with respect to the Software or any parts thereof, allege
product liability, strict product liability, or any variation thereof;
v. claims, demands, or lawsuits that, with respect to the Software or its operation or failure, allege
breach of privacy or other rights of third parties;
vi. any failure by Contractor to comply with the "Compliance with the Law" provision of the
Statewide Contract;
vii. any failure by Contractor to make all reports, payments and withholdings required by federal
and state law with respect to social security, employee income and other taxes, fees or costs
required by Contractor to conduct business in the State of Georgia or the United States of
America;
viii. any infringement of any copyright, trademark, patent, trade dress, or other intellectual property
right subject to section G.4 below; or
ix. any failure by Contractor to adhere to the confidentiality provisions of the Statewide Contract.
This indemnification shall apply notwithstanding the fact that the Indemnified Parties may be
partially responsible for the situation giving rise to the claim. However, Contractor shall only
be liable to the extent of Contractor's contribution to the situation giving rise to the claim. It
will not be deemed Contractor's contribution if Contractor is performing as specifically
directed by the Agency, except for criminal or obviously illegal acts or omissions. This
indemnification shall not apply if the situation giving rise to the claim results solely from the
act or omission of the Indemnified Parties.
8
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Section 2. Duty to Reimburse for Tort Claims Fund.
To the extent such damage or loss as covered by this indemnification is covered by the State of
Georgia Tort Claims Fund ("the Fund"), the Service Provider (and its insurers) agrees to reimburse the
Fund. To the full extent permitted by the Constitution and the laws of Georgia and the terms of the Fund,
the Service Provider and its insurers waive any right of subrogation against DCA, the Indemnified Parties,
and the Fund and insurers participating there under, to the full extent of this indemnification.
Section 3. Litigation and Settlements.
The Service Provider shall, at its own expense, be entitled to and shall have the duty to participate
in the defense of any suit against the Indemnified Parties. No settlement or compromise of any claim, loss
or damage entered into by the Indemnified Parties shall be binding upon Service Provider unless
approved in writing by Service Provider. No settlement or compromise of any claim, loss or damage
entered into by Service Provider shall be binding upon the Indemnified Parties unless approved in writing
by the Indemnified Parties.
G. INSURANCE
Service Provider shall obtain and maintain all required insurance including commercial general
liability insurance to insure against all losses and damages that are the result of or the fault or negligence
of the Service Provider, its agents, servants, members, employees, contractors and subcontractors in their
performance of the services. Service Provider shall provide insurance certificate upon DCA’s request.
H. Reserved
I. WARRANTIES
Section 1. Construction of Warranties Expressed in the Agreement with Warranties Implied by Law.
All warranties made by the Service Provider and/or subcontractors in all provisions of the
Agreement, whether or not this Agreement specifically denominates the Service Provider’s
and/or subcontractors’ promise as a warranty or whether the warranty is created only by the
Service Provider’s affirmation or promise, or is created by a description of the services to be
provided to DCA shall not be construed as limiting or negating any warranty provided by law,
including without limitation, warranties which arise through course of dealing or usage of trade,
the warranty of merchantability, and the warranty of fitness for a particular purpose. The
warranties expressed in this Agreement are intended to modify the warranties implied by law
only to the extent that they expand the warranties applicable to the services provided by the
Agreement. The provisions of this section apply during the term of this Agreement and any
extensions or renewals thereof. Service provider warrants that the Services provided will be
performed in a workmanlike manner and Service Provider’s products that are delivered or used
to perform Services under this Agreement meet their specifications, i.e., Provider specifications
for Provider products. Provider does not warrant uninterrupted or error-free operation of an
Provider Product or that Provider will correct all defects or prevent third party disruptions or
unauthorized third party access to an Provider Product.Provider warranties will not apply if there
has been misuse, modification, damage not caused by Provider, or failure to comply with
instructions provided by Provider. Preview services and non-Provider Products are sold under
9
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
the Agreement as-is, without warranties of any kind. Third parties may provide their own
warranties to Client.
Section 2. Conformity with Contractual Requirements.
The Service Provider represents and warrants that the services provided in accordance
with the Agreement will appear and operate in conformance with the terms and conditions of the
Agreement and maintain conformance with the Agency’s Data Protection and Information
Security Exhibit provided herein as Schedule A (hereinafter referred to as the “DPIS”).
Section 3. Authority to Enter into Contract.
The Service Provider represents and warrants that it has full authority to enter into this
Agreement and that it has not granted and will not grant any right or interest to any person or
entity that might derogate, encumber or interfere with the rights granted to DCA.
Section 4. Obligations Owed to Third Parties.
Service Provider represents and warrants that all obligations owed to third Parties with
respect to the activities contemplated to be undertaken by the Service Provider pursuant to this
Agreement are or will be fully satisfied by the Service Provider so that DCA will not have any
obligations with respect thereto.
Section 5. Industry Standards.
The Service Provider represents and warrants that the Services provided will be
performed in a workmanlike manner and Service Provider’s products that are delivered or used
to perform Services under this Agreement meet their specifications, i.e., Provider specifications
for Provider products. This requirement shall be in addition to any express warranties,
representations, and specifications included in the Agreement, which shall take precedence.
J. CONTRACT ADMINISTRATION
Section 1. Drug-free Workplace.
The Service Provider hereby certifies as follows:
(i) Service Provider will not engage in the unlawful manufacture, sale, distribution, dispensation,
possession, or use of a controlled substance or marijuana during the performance of this
Agreement; and
(ii) If Service Provider has more than one employee, including Service Provider, Service
Provider shall provide for such employee(s) a drug-free workplace, in accordance with the
Georgia Drug-free Workplace Act as provided in O.C.G.A. Section 50-24-1 et seq., throughout
the duration of this Agreement; and
10
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
(iii) Service Provider will secure from any subcontractor hired to work on any job assigned under
this Agreement the following written certification: "As part of the subcontracting agreement with
(Service Provider's Name), (Subcontractor's Name) certifies to the Service Provider that a drug-
free workplace will be provided for the subcontractor's employees during the performance of this
Agreement pursuant to paragraph 7 of subsection (b) of Code Section 50-24-3."
(iv) Service Provider may be suspended, terminated, or debarred if it is determined that:
(a) Service Provider has made false certification here in above; or
(b) Service Provider has violated such certification by failure to carry out the requirements of
O.C.G.A. Section 50-24-3(b).
Section 2. Boycott of Israel.
Service Provider certifies that Service Provider is not currently engaged in, and agrees for
the duration of this Agreement not to engage in, a boycott of Israel, as defined in O.C.G.A. 50-5-
85.
Section 3. Amendments.
The Agreement may be amended in writing from time to time by mutual consent of the
Parties. If the Agreement award exceeds the delegated purchasing authority of DCA, then DCA
must obtain approval of the amendment from the Department of Administrative Services
(DOAS). All amendments to the Agreement must be in writing and fully executed by duly
authorized representatives of DCA and the Service Provider.
Section 4. Third Parties Beneficiaries.
There are no third-Party beneficiaries to the Agreement. The Agreement is intended only
to benefit DCA and the Service Provider.
Section 5. Choice of Law or Forum.
The laws of the State of Georgia shall govern and determine all matters arising out of or
in connection with this Agreement without regard to the choice of law provisions of State law. In
the event any proceeding of a quasi-judicial or judicial nature is commenced in connection with
this Agreement, such proceeding shall solely be brought in the Superior Court of Fulton County,
Georgia. This provision shall not be construed as waiving any immunity to suit or liability,
including without limitation sovereign immunity, which may be available to DCA.
Section 6. Parties’ Duty to Provide Notice Intent to Litigate and Right to Seek Mediation.
(i) In addition to any dispute resolution procedures otherwise required under this Agreement or
any informal negotiations which may occur between the Parties, no civil action with respect to
any dispute, claim or controversy arising out of or relating to this Agreement may be commenced
11
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
without first giving fourteen (14) calendar days written notice to the other Party of the claim and
the intent to initiate a civil action. At any time prior to the commencement of a civil action, either
Party may elect to submit the matter for mediation. Either Party may exercise the right to submit
the matter for mediation by providing the other Party with a written demand for mediation
setting forth the subject of the dispute. The Parties will cooperate with one another in selecting a
mediator and in scheduling the mediation proceedings. Venue for the mediation will be in
Atlanta, Georgia; provided, however, that any or all mediation proceedings may be conducted by
teleconference with the consent of the mediator. The Parties covenant that they will participate in
the mediation in good faith, and that they will share equally in its costs; provided, however that
the parties will endeavor to minimize costs to both parties with a goal to limits costs to five
thousand dollars ($5,000.00) each; in the event the parties determine that mediation costs will
exceed this threshold, then the parties shall have the right to look to the courts for resolution.
(ii) All offers, promises, conduct and statements, whether oral or written, made in the course of
the mediation by any of the Parties, their agents, employees, experts and attorneys, and by the
mediator or employees of any mediation service, are inadmissible for any purpose (including but
not limited to impeachment) in any litigation or other proceeding involving the Parties, provided
that evidence that is otherwise admissible or discoverable shall not be rendered inadmissible or
non- discoverable as a result of its use in the mediation. Inadmissibility notwithstanding, all
written documents shall nevertheless be subject to the Georgia Open Records Act O.C.G.A.
Section 50-18-70 et seq.
(iii) No Party may commence a civil action with respect to the matters submitted to mediation
until after the completion of the initial mediation session, forty-five (45) calendar days after the
date of filing the written request for mediation with the mediator or mediation service, or sixty
(60) calendar days after the delivery of the written demand for mediation, whichever occurs first.
Mediation may continue after the commencement of a civil action, if the Parties so desire.
Section 7. Assignment and Delegation.
The Agreement may not be assigned, transferred or conveyed in whole or in part without
the prior written consent of DCA. For the purpose of construing this clause, a transfer of a
controlling interest in the Service Provider shall be considered an assignment.
Section 8. Use of Third Parties.
Except as may be expressly agreed to in writing by DCA, Service Provider shall not
subcontract, assign, delegate or otherwise permit anyone other than Service Provider or Service
Provider's personnel to perform any of Service Provider's obligations under this Agreement or
any of the work subsequently assigned under this Agreement. No subcontract which Service
Provider enters into with respect to performance of obligations or work assigned under the
Agreement shall in any way relieve Service Provider of any responsibility, obligation or liability
under this Agreement and for the acts and omissions of all subcontractors, agents, and
employees. To the extent applicable under the subcontractor’s performance of work/service, the
restrictions, obligations and responsibilities of the Service Provider under the Agreement shall
also apply to the subcontractors. Any contract with a subcontractor must also preserve the rights
12
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
of DCA. DCA shall have the right to request the removal of a subcontractor from the Agreement
for good cause.
Section 9. Integration.
The Agreement represents the entire contract between the Parties. The Parties shall not
rely on any representation that may have been made which is not included in the Agreement, the
Agency NDA and the Agency DPIS.
Section 10. Not a Joint Venture.
Nothing in the Agreement shall be construed as creating or constituting the relationship
of a partnership, joint venture, (or other association of any kind or agent and principal
relationship) between the Parties thereto. Each Party shall be deemed to be an independent
contractor contracting for services and acting toward the mutual benefits expected to be derived
here from. Neither Service Provider nor any of Service Provider's agents, servants, employees,
subcontractors or Service Providers shall become or be deemed to become agents, servants, or
employees of DCA. Service Provider shall therefore be responsible for compliance with all laws,
rules and regulations involving its employees and any subcontractors, including but not limited
to employment of labor, hours of labor, health and safety, working conditions, workers'
compensation insurance, and payment of wages. No Party has the authority to enter into any
contract or create an obligation or liability on behalf of, in the name of, or binding upon another
Party to the Agreement.
Section 11. Joint and Several Liability.
If the Service Provider is a joint entity, consisting of more than one individual,
partnership, corporation or other business organization, all such entities shall be jointly and
severally liable for carrying out the activities and obligations of the Agreement, and for any
default of activities and obligations.
Section 12. Supersedes Former Contracts or Agreements.
Unless otherwise specified in the Agreement, this Agreement supersedes all prior
Contracts or Agreements between DCA and the Service Provider for the services provided in
connection with this Agreement.
Section 13. Waiver.
Except as specifically provided for in a waiver signed by duly authorized representatives
of DCA and the Service Provider, failure by either Party at any time to require performance by
the other Party or to claim a breach of any provision of the Agreement shall not be construed as
affecting any subsequent right to require performance or to claim a breach.
Section 14. Notice.
13
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Any and all notices, designations, consents, offers, acceptances or any other
communication provided for herein shall be given in writing by registered or certified mail,
return receipt requested, by receipted hand delivery, by Federal Express, courier or other similar
and reliable carrier which shall be addressed to the person who signed the Agreement on behalf
of the Party at the address identified by the Parties.
DCA
Steven Lovett
DCA Information Security Officer
60 Executive Park South, NE
[email protected]
470-528-7469
Service Provider
COMPANY
Representative
Title
Street Address
City, State Zip code
Email
Phone
Each such notice shall be deemed to have been provided:
(i) At the time it is actually received; or,
(ii) Within one (1) day in the case of overnight hand delivery, courier or services such as Federal
Express with guaranteed next day delivery; or,
(iii) Within five (5) days after it is deposited in the U.S. Mail in the case of registered U.S. Mail.
(iv) From time to time, the Parties may change the name and address of the person designated to
receive notice. Such change of the designated person shall be in writing to the other Party and as
provided herein.
Section 15. Cumulative Rights.
The various rights, powers, options, elections and remedies of any Party provided in the
Agreement shall be construed as cumulative and not one of them is exclusive of the others or
exclusive of any rights, remedies or priorities allowed either Party by law, and shall in no way
affect or impair the right of any Party to pursue any other equitable or legal remedy to which any
Party may be entitled as long as any default remains in any way unremedied, unsatisfied or
undischarged.
Section 16. Severability.
14
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
If any provision of the Agreement is determined by a court of competent jurisdiction to
be invalid or unenforceable, such determination shall not affect the validity or enforceability of
any other part or provision of the Agreement. Further, if any provision of the Agreement is
determined to be unenforceable by virtue of its scope, but may be made enforceable by a
limitation of the provision, the provision shall be deemed to be amended to the minimum extent
necessary to render it enforceable under the applicable law. Any agreement of the Parties to
amend, modify, eliminate, or otherwise change any part of this Agreement shall not affect any
other part of the Agreement, and the remainder of this Agreement shall continue to be of full
force and effect.
Section 17. Responsiveness of the Supplier.
Personnel providing services to DCA shall endeavor to be responsive to DCA’s
requirements under this Agreement and reasonable requests which are within the agreed upon
scope.
Section 18. Authorization.
The persons signing this Agreement represent and warrant to the other Party that:
(i) It has the right, power and authority to enter into and perform its obligations under the
Agreement; and
(ii) It has taken all requisite action (corporate, statutory or otherwise) to approve execution,
delivery and performance of the Agreement and the Agreement constitutes a legal, valid and
binding obligation upon itself in accordance with its terms.
Section 19. Successors in Interest.
All the terms, provisions, and conditions of the Agreement shall be binding upon and
inure to the benefit of the Parties hereto and their respective successors, assigns and legal
representatives.
Section 20. Record Retention and Access
The Service Provider shall maintain books, records and documents in accordance with
generally accepted accounting principles and procedures and which sufficiently and properly
document and calculate all charges billed to DCA throughout the term of the Agreement for a
period of at least five (5) years following the date of final payment or completion of any required
audit, whichever is later. Records to be maintained include both financial records and service
records. The Service Provider shall permit the Auditor of the State of Georgia or any authorized
representative of DCA, and where federal funds are involved, the Comptroller General of the
United States, or any other authorized representative of the United States government, to access
and examine, audit, excerpt and transcribe any directly pertinent books, documents, papers,
electronic or optically stored and created records or other records of the Service Provider relating
15
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
to orders, invoices or payments or any other documentation or materials pertaining to the
Agreement, wherever such records may be located during normal business hours. The Service
Provider shall not impose a charge for audit or examination of the Service Provider’s books and
records. If an audit discloses incorrect billings or improprieties, DCA reserves the right to charge
the Service Provider for the cost of the audit and appropriate reimbursement. Evidence of
criminal conduct will be turned over to the proper authorities.
Section 21. Solicitation.
The Service Provider warrants that no person or selling agency (except bona fide
employees or selling agents maintained for the purpose of securing business) has been employed
or retained to solicit and secure the Agreement upon an agreement or understanding for
commission, percentage, brokerage or contingency.
Section 22. Public Records.
The laws of the State of Georgia, including the Georgia Open Records Act, as provided
in O.C.G.A. Section 50-18-70 et seq., require procurement records and other records to be made
public unless otherwise provided by law.
Section 23. Debarred, Suspended, and Ineligible Status.
Service Provider certifies that the Service Provider and/or any of its subcontractors have
not been debarred, suspended, or declared ineligible by any agency of the State of Georgia or as
defined in the Federal Acquisition Regulation (FAR) 48 C.F.R. Ch.1 Subpart 9.4. Service
Provider will immediately notify DCA if Service Provider is debarred by the State of Georgia or
placed on the Consolidated List of Debarred, Suspended, and Ineligible Service Providers by a
federal entity.
Section 24. Use of Name or Intellectual Property.
Service Provider agrees it will not use the name or any intellectual property, including
but not limited to, DCA trademarks or logos in any manner, including commercial advertising or
as a business reference, without the expressed prior written consent of DCA.
Section 25. Certification Regarding Sales and Use Tax.
By executing the Agreement the Service Provider certifies it is either (a) registered with
State of Georgia Department of Revenue, collects, and remits State sales and use taxes as
required by Georgia law, including Chapter 8 of Title 48 of the O.C.G.A.; or (b) not a “retailer”
as defined in O.C.G.A. Section 48-8-2. The Service Provider also acknowledges that DCA may
declare the Agreement void if the above certification is false. The Service Provider also
understands that fraudulent certification may result in DCA or its representative filing for
damages for breach of contract.
Section 26. Taxes.
16
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
DCA is exempt from Federal Excise Taxes, and no payment will be made for any taxes
levied on Contractor’s employee’s wages. DCA is exempt from State and Local Sales and Use
Taxes on the services. The Exemption Certificates will be furnished upon request. Service
Provider or an authorized subcontractor has provided DCA with a sworn verification regarding
the filing of unemployment taxes or persons assigned by Service Provider to perform services
required in this Agreement which verification is incorporated herein by reference.
Section 27. Delay or Impossibility of Performance.
Neither Party shall be in default under the Agreement if performance is delayed or made
impossible by an act of God. In each such case, the delay or impossibility must be beyond the
control and without the fault or negligence of the Service Provider. If delay results from a
subcontractor’s conduct, negligence or failure to perform, the Service Provider shall not be
excused from compliance with the terms and obligations of the Agreement.
Section 28. Limitation of Service Provider’s Liability to DCA.
Except as otherwise provided in this Agreement, Service Provider’s liability to
DCA for any claim of damages arising out of this Agreement shall be limited to
direct damages and shall not exceed the total amount paid to Service Provider for the
performance under this Agreement. Service Provider shall not be liable, regardless
of the form of action, whether in contract, tort, negligence, strict liability or by
statute or otherwise, for any claim related to or arising under this Agreement for
consequential, incidental, indirect, or special damages, including without limitation
lost profits, lost business opportunities, or loss of, or damage to data.
No limitation of Service Provider’s liability shall apply to Service Provider’s liability
for damages for bodily injury (including death) and damage to State equipment or other
real property or tangible personal property while such equipment or property is in the
sole care, custody, and control of Service Provider’s personnel. Service Provider
hereby expressly agrees to assume all risk of loss or damage to any such State
equipment or other real property or tangible personal property in the care, custody, and
control of Service Provider’s personnel. Service Provider further agrees that equipment
or Software transported by Service Provider personnel in a vehicle belonging to
Service Provider (including any vehicle rented or leased by Service Provider or Service
Provider’s personnel) shall be deemed to be in the sole care, custody, and control of
Service Provider’s personnel while being transported. It is expressly agreed that
notwithstanding anything in this section, the State cannot and will not indemnify
Service Provider for third party claims.
Section 29. Obligations Beyond Contract Term.
17
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
The Agreement shall remain in full force and effect to the end of the specified term or
until terminated or canceled pursuant to the Agreement. All obligations of the Service Provider
and DCA incurred or existing under the Agreement as of the date of expiration, termination or
cancellation will survive the termination, expiration or conclusion of the Agreement.
Section 30. Counterparts.
The Parties agree that the Agreement has been or may be executed in several
counterparts, each of which shall be deemed an original and all such counterparts shall together
constitute one and the same instrument.
Section 31. Further Assurances and Corrective Instruments.
The Parties agree that they will, from time to time, execute, acknowledge and deliver, or
cause to be executed, acknowledged and delivered, such supplements hereto and such further
instruments as may reasonably be required for carrying out the expressed intention of the
Agreement.
Section 32. Transition Cooperation and Cooperation with other Service Providers.
Service Provider agrees that upon termination of this Agreement for any reason, it shall
provide sufficient efforts and cooperation to ensure an orderly and efficient transition of services
to DCA or another Service Provider. The Service Provider shall provide full disclosure to DCA
and the third-Party Service Provider about the equipment, software, or services required to
perform services for DCA. Subject to the terms of each license(s), including but not limited to
potential costs associated with such transfer, the Service Provider shall transfer licenses or assign
agreements for any software or third-Party services used to provide the services to DCA or to
another Service Provider.
Further, in the event that DCA has entered into or enters into agreements with other
Service Providers for additional work related to services rendered under the Agreement, Service
Provider agrees to reasonably cooperate with such other Service Providers. Service Provider
shall not commit any act, which will intentionally interfere with the performance of work by any
other Service Provider.
IN WITNESS WHEREOF, the Parties hereto have affixed their signatures on the date
first written above.
COMPANY NAME
CORPORATION
GEORGIA DEPARTMENT OF
COMMUNITY AFFAIRS
By:________________________ By:_______________________
Name:______________________ Name:_____________________
Title:________________________ Title: ______________________
18
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
INTENTIONALLY LEFT BLANK
19
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Schedule A
Example Data Protection and Information Security Exhibit
This Data Protection and Information Security Exhibit (“Schedule A, “Exhibit” or “DPIS”) is an
attachment to the Agreement and sets forth the information technology governance and security
requirements (Requirements”) of the Georgia Department of Community Affairs (“DCA” or
“Agency”) Vendor Risk Management Program with respect to the Agreement between DCA and
THIRD PARTY SERVICE PROVIDER NAME (“Provider” or “Service Provider”) (collectively,
the “Parties”). In the event of any inconsistencies between this Schedule A and the Agreement,
any Statement of Work (“SOW”) or any Purchase Order (“PO”) pursuant to the Agreement, the
Parties acknowledge that the terms and conditions of this Schedule A shall prevail. Throughout
the term of the Agreement and for as long as Provider provides its Work, Products and/or Services
as provided for in the Agreement and as outlined in Schedule B (collectively, the “Provider
Services”, ______________________ Services or Managed Services), Provider shall comply with
the Requirements set forth in this Exhibit. Any breach of this Exhibit shall be deemed a material
breach under the Agreement. A waiver of a breach of any term or condition in this Exhibit shall
not be deemed a waiver of any subsequent breach of the same or another Requirement, term or
condition.
The Parties shall comply with their respective obligations as Agency (e.g., principal data
owner/controller/regulated entity) and Provider (e.g. third-party supplier/third party service
provider/technology services provider/third party vendor/third party contractor) under all
applicable Industry Standards and Information Protection Laws. The Parties acknowledge that the
measures set out in this Data Protection and Information Security Exhibit will only apply to
Provider Services delivered to the Agency and those internal security practices related to those
Services delivered, and will not apply to Provider’s internal security practices unrelated to the
provision of those Services provided to the Agency.
1. Definitions
“Administrative Safeguards” means the administrative actions, the policies and the
procedures for managing the selection, development, implementation and maintenance of
security measures used to protect devices, network elements and equipment, information
systems hardware and software, and the electronic data within them from loss of control
by unauthorized access, use, disclosure, disruption, modification, or destruction, and used
to manage the conduct of a workforce in relation to the protection of these IT assets,
information about them and the electronic data within them.
“Affected Individual” means the individuals consuming the funds, work product, services
and support that are administrated by the Georgia Department of Community Affairs and
provided to individual citizens either directly or indirectly through one of the Agency's
20
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
public or private sector Partner Organization, and whose PII, CPNI and ePHI may be
collected and stored directly by the Agency or received indirectly from one of the Agency
Sponsors or Client Organizations.
“Authorized Personnel” means Provider’s employees or subcontractors who (i) have a need
to receive or access Confidential Information or Personal Information to enable Provider
to perform its obligations under the NDA; and (ii) are bound in writing with Provider by
confidentiality obligations sufficient for the protection of Confidential Information and
Personal Information in accordance with the terms and conditions set forth here in the NDA
and in any subsequent agreement between the Parties.
"Breach of Confidential Information” is an incident in which protected or non-public
Confidential Information pertaining to the disclosing party, whether in written, graphic or
machine-readable form under the control of the receiving party, has been accessed, viewed,
stolen, disclosed or used by an unauthorized party or unauthorized process.
“Client Organization” means a business or not for profit organization that is legally eligible
in the state of Georgia to qualify for and receive funds (cash) and other assets (such as
annuities, securities, credit, tax wavers and incentives), work product, services and/or
support administrated by the Georgia Department of Community Affairs based on
gathering Confidential Information and documentation that include the use of PII, CPNI
and/or ePHI from individuals involved in these going concerns as data directly disclosed
to and validated by the Agency and/or as data that has been indirectly disclosed to the
Agency and validated through one of its Sponsor or Partner Organizations, or through one
of the Agency Third-party Suppliers.
“Confidential Information” or “Confidential Information” as used here refers to any
information which has been provided by the DCA to Provider for the purpose of pursuing
and/or continuing a business relationship contemplated by the NDA, (i) including but not
limited to any Work Product developed by the Parties in consideration of the business
relationship being contemplated, (ii) all non-public and sensitive information about the
DCA received, collected or developed by Provider in conjunction their interactions and
activities involving DCA, (iii) the contents of any planning sessions conducted, including
all written documentation used and any verbal or recorded discourse or discourses shared
between the Parties while pursuing their new or continuing business relationship.
“Consumer” or “Individual” means a person legally eligible for citizenship in the state of
Georgia who has been qualified to receive funds, work product, services and/or support
administrated by the Georgia Department of Community Affairs based on gathering
Confidential Information and documentation requiring the use of their PII, CPNI and/or
ePHI which has then been directly disclosed to and validated by the Agency or has been
indirectly disclosed to the Agency and validated through one of its Sponsor, Client or
Partner Organizations, or through one of the Agency Third-party Suppliers (i.e. Product or
Service Providers).
“Common Software Vulnerabilities” (CSV) are application defects and errors that are
commonly exploited in software. This includes but is not limited to: (i) The CWE/SANS
Top 25 Programming Errors – see http://cwe.mitre.org/top25/ and
21
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
http://www.sans.org/top25-software-errors/; (ii) The Open Web Application Security
Project’s (OWASP) “Top Ten Project” – see http://www.owasp.org.
“Covered Entity” means any public sector institution or agency as well as any private sector
business or organization whose activities fall under one or more jurisdiction of the
Information Privacy Laws thereby identifying them as primary parties subject to
compliance with 16 CFR Part 314 the "Safeguards Rule" and subject to the enforcement
actions of the US Federal Trade Commission, the US Consumer Financial Protection
Bureau, and the US Department of Justice.
“CPNI” means Customer Proprietary Network Information as defined in 47 USC § 222(h)
and FCC rules and includes information regarding residential and business customers.
“Critical Infrastructure Information” (CII) means information about DCA’s network
architecture as well as that of its customers, including information about application access,
remote access procedures, user ID’s and passwords, the location and capability of central
offices, data centers, data warehouses, network access points, network points of presence
and other critical network sites, as well as the network elements and equipment within
them, and includes any information which DCA reasonably identifies as critical
infrastructure information.
“Cross platform content search (CPCS)” and its related discovery services (collectively,
the “CPCS Services”) are used to provide DCA consumer customer financial information
and account balances, and content to consumer customers.
“Electronic Protected Health Information” (ePHI) means the protected health information
(PHI) that is produced, saved, transferred or received in an electronic form as covered in
the United States under the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Security Rule, including but not limited any of 18 distinct demographics that can
be used to identify a patient such as: (i) Name, (ii) Address (including subdivisions smaller
than state such as street address, city, county, or zip code), (iii) Any dates (except years)
that are directly related to an individual, including birthday, date of admission or discharge,
date of death, or the exact age of individuals older than 89, (iv) Telephone or Fax number,
(v) Email address, (vi) Social Security number, (vii) Medical record number, (viii) Health
plan beneficiary number, (ix) Account number, (x) Certificate/license number, (xi) Vehicle
identifiers, serial numbers, or license plate numbers, (xii) Device identifiers or serial
numbers, (xiii) Web URLs, (xiv) IP address, (xv) Biometric identifiers such as fingerprints
or voice prints, (xvi) Full-face photos, (xvii) Any other unique identifying numbers,
characteristics, or codes.
“Industry Standards” mean generally recognized industry standards and benchmarks
including: (ii) National Institute for Standards and Technology – see http://csrc.nist.gov/ ;
(iii) ISO / IEC 27000-series – see http://www.iso27001security.com/; (iv) COBIT 5 –
http://www.isaca.org/cobit/; (v) Cyber Security Framework – see
http://www.nist.gov/cyberframework/; (vi) Cloud Security Alliance – see
https://cloudsecurityalliance.org/, and other standards applicable to the services provided
by Provider to DCA.
22
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
“Information Protection Laws” mean all local, state, and federal laws, and regulations
pertaining to information security, cyber security, data confidentiality, privacy, and
integrity, as well as data breach identification and notification that may be applicable to
Provider or DCA as Covered Entities.
“Information Technology Assets” or “IT Assets” means the devices, network elements
equipment and firmware, information system hardware and software components, laptop
and desktop computers and operating systems, software as a service solutions, Web
services, client server-based software, individual applications, IoT and code objects,
storage media, software-based utilities and tools owned by State of Georgia and in use by
the Provider, Provider’s subcontractors, DCA or one of DCA’s Third-party providers.
“Partner Organization” or “Partner” means a public sector agency or institution, or private
sector organization authorized to qualify Individuals and Client Organizations and assist in
distribution of the funds (cash) and other assets (such as annuities, securities, credit, tax
wavers and incentives), work product, services and/or support administrated by the Georgia
Department of Community Affairs based on gathering Confidential Information and
documentation that include the use of PII, CPNI and/or ePHI from legally eligible
Individual persons and from individuals involved in governing, owning and operating
qualified Client Organizations as data directly disclosed to and validated by the Partner
Organizations, and then shared with the DCA through one of the Agency Information
Systems or one of its Third-party Suppliers.
“Personal Information” also known as Personally Identifiable Information (PII), is
information of DCA customers, employees and subcontractors held or accessed by
Provider that can be used on its own or combined with other information to identify,
contact, or locate a person, or to identify an individual in context. Examples of Personal
Information include first and last name, address, social security number or national
identifier, biometric records, geolocation information, driver’s license number, account
number or username with password or PIN, either alone or when combined with other
personal or identifying information which is linked or linkable to a specific individual, such
as date and place of birth, mother’s maiden name, etc. Personal Information includes those
data elements defined under applicable state or federal law in the event of a Security
Incident. Personal Information also includes CPNI.
“Security Incident” is any actual or suspected occurrence of: (i) unauthorized access, use,
alteration, disclosure, loss, theft of, or destruction of Confidential Information or Personal
Information or the systems / storage media containing Confidential Information or Personal
Information; (ii) illicit or malicious code, phishing, spamming, spoofing; (iii) unauthorized
use of, or unauthorized access to, Provider’s systems; (iv) inability to access Confidential
Information, Personal Information or Provider systems as a result of a Denial of Service
(DOS) or Distributed Denial of Service (DDOS) attack; and (v) loss of Confidential
Information or Personal Information due to a breach of security.
“Physical Safeguards” means the physical controls, preemptive measures and assigned
personnel used to limit and/or monitor authorized access and visibility, prevent
unauthorized intrusion, and obstruct unauthorized visibility into non-public buildings,
23
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
protect the work areas and storage spaces, together with the IT Assets, physical contents,
and human readable information contained therein, from unauthorized observation,
alteration, damage, destruction, or the theft thereof, and protect authorized persons therein
from hazards, natural disasters and bodily harm.
“Agency Data” means confidential information, and collectively PII, CII, and ePHI of
Agency including that of its employees, contractors and customers, as applicable.
“Security” or “Security Measure” means the protective and preemptive actions that
encompass all of the Administrative, Physical and Technical Safeguards (collectively, the
“Safeguards”) applicable to any consulting service, managed service, IT Asset, Solution,
or combination thereof that is provided by Processor to Agency, or one of Agency’s
commercial customers and/or residential subscribers, or applicable to any IT Asset, Data
File, credit or debit card, prepaid debit or gift card, or any contracted service used by
Processor and its Authorized Personnel in doing business as a going concern, including: (i)
password protection, encryption, network partitioning, configuration management,
firewall, malware, virus, trap and circumvention protections, (ii) access, authorization,
logging, testing, patching, bug fixing, monitoring and auditing, (iii) developing and
updating disaster recovery plans, software licensing and lifecycle plans, IT hardware,
equipment and facility access, maintenance and lifecycle plans, electronic data storage,
retention and destruction plans, and Exploit Incident notification plans, as well as (iv) the
development of annual budgets and assurance reviews to validate the existence of these
measures and to evaluate their effectiveness.
“Sponsor Organization” or “Agency Sponsor” means a public sector agency or institution,
or private sector organization authorized to grant entitlements and assets (including cash,
annuities, securities, credit, tax wavers and incentives) under various specific legal
conditions, restrictions, eligibilities and administrative compliance requirements that have
been assigned to the Georgia Department of Community Affairs as a fiduciary
responsibility for administration and proper distribution to eligible and qualified
individuals and business in the state of Georgia.
“Technical Safeguards” means the IT controls and preemptive measures used to limit
and/or monitor authorized access and visibility, prevent unauthorized intrusion, and
obstruct unauthorized visibility into IT Assets and their contents, together with protection
of the machine-readable settings and electronic data contained therein, from unauthorized
observation, alteration, destruction, damage or the theft thereof.
“Provider” or “Third-party Provider” may also be referred to under Information Protection
Law and Industry Standards, as well as under regulatory guidance from federal agencies
including HUD, OCC, FTC, CFPB and the State of Georgia Technology Agency as Third-
party Vendor or Professional Service Provider, and refers to any party or third-party
pursuing and/or agreeing to continue a business relationship arrangement with the DCA,
or may refer to a business relationship that exists or may exist in the future between the
Provider and a non-affiliated third-party used by the Provider in provision of products
and/or services to the DCA as part of the business relationship being pursued and/or
continued between the parties by contract, license or otherwise, where the third-party entity
24
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
is not an affiliate of, or related by common ownership or corporate control with the
Provider.
“Vulnerability“ or “Security Vulnerability” is a flaw in any application, operating system
or IT Asset, including but not limited to susceptibility or weakness in an associated process,
Safeguard or Security Measure that can be exploited resulting in a Exploit Incident.
2. Third Party Security Program Requirements
Agency is required by internal policy and regulatory compliance to maintain a formal information
technology governance program including Administrative Safeguards and Security Measures
applied to the risk management and oversight of third party suppliers, vendors, contractors and
service providers in accordance with applicable Information Protection Laws and Industry
Standards. Provider is required by internal policy and regulatory compliance to maintain a formal
governance program, including Administrative, Physical and Technical Safeguards (collectively,
the “Safeguards”), applicable to the risk management and oversight of its employees, Authorized
Personnel, and all third party suppliers, vendors, contractors, subcontractors and service providers
(collectively, the Fourth Parties), including those providing IT Assets, and any related support and
services. Provider shall have internal governance, risk and control material as part of its own
information security program that has been developed, implemented and maintained in accordance
with Industry Standards and the applicable Security Measures specified in this Exhibit and any
additional Requirements or procedures prescribed under Information Protection Laws. At a
minimum the Safeguards and Security Measures in the Provider’s governance program shall
include, but not be limited to, the following elements:
2.1 General Security Compliance. Provider agrees that it shall: (i) comply with laws and
regulations applicable to its business, as an IT Service Provider its IT Assets, Agency’s
business and its IT Assets, and to laws and regulations applicable its Provider Services
performed and provided under the Agreement, including but not limited to privacy laws and
consumer protection laws, (ii) operate its IT Governance, risk and control practices to prevent
Security Vulnerabilities and prevent Exploit Incidents to its IT Assets and to Agency’s IT
Assets, (iii) cooperate in good faith with Agency to modify its IT Governance, risk and control
practices to accommodate future changes in the parties’ hardware, software, or the treatment
of third party suppliers, electronic data governance and IT security that may affect the
reasonableness of the protections under this Exhibit, (iv) comply with Provider’s own written
policies and procedures regarding employee Background Checks, (v) reasonably cooperate in
Agency’s requests to review and assess Provider’s compliance with the obligations contained
in the Requirements as may be in response to requests by state and Federal regulators or law
enforcement, and (vi) cooperate in Agency’s monitoring of Provider’s compliance with the
obligations contained in these Requirements.
25
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
2.2 Application Safeguards and Security Measures. Provider shall have a plan in place that shall
address the security Requirements necessary for its provision, deployment, use and support of
any code-based IT Assets, used by Provider to provide or otherwise in support of the provision
of the Provider Services during the Term of the Agreement. At a minimum, this plan shall
specify requirements to secure these code-based IT Assets and the associated hardware and
devices they operate in conjunction with, from threats including, Security Vulnerabilities,
Common Software Vulnerabilities, and Exploit Incidents.
2.3 Network Security. For all applicable networks and related IT Assets used by Provider to
provide or otherwise in support of the provision of the Provider Services during the Term of
the Agreement, Provider agrees to implement and maintain network Safeguards and Security
Measures that conform to Industry Standards including but not limited to the following:
a) Firewalls. Provider shall utilize firewalls to manage and restrict inbound, outbound and
internal network traffic to only the necessary hosts and network resources.
b) Network Architecture. Provider shall appropriately segment its network to only allow
authorized hosts and users to traverse areas of the network and access resources that are
required for their job responsibilities.
c) Demilitarized Zone (DMZ). Provider shall ensure that publicly accessible servers are
placed on a separate, isolated network segment typically referred to as the DMZ.
d) Wireless Security. Provider shall ensure that its wireless network(s) only utilize strong
encryption, such as WPA2.
e) Intrusion Detection/Intrusion Prevention (IDS/IPS) System. Provider shall have an IDS
and/or IPS in place to detect inappropriate, incorrect, or anomalous activity and determine
whether Provider's computer network and/or server(s) have experienced an unauthorized
intrusion.
f) Remote Access Risk Management. If Provider allows Authorized Personnel, employees,
Forth Parties and other persons acting in association with Provider to work remotely
outside of the Provider's offices or data centers used to provide the Provider Services to
Agency, Provider shall provide Authorized Personnel with the following Safeguards and
Security Measures to mitigate the inherent security risks of remote access:
i. A Provider provided and controlled IT Asset (e.g., laptop or workstation) that is
securely managed by the Provider's information technology team(s); OR
ii. A secure technology, service, or platform that enables the Provider to manage the
security configuration of the Authorized Personnel's personally owned IT Assets
used to provide Agency Provider Services, in order to meet the security
Requirements of both Provider and Agency, as defined within this Exhibit.
2.4 Authorized Personnel. Provider shall require all Authorized Personnel to meet Provider’s
obligations and Requirements under this Exhibit as they apply to each SOW. Provider shall
monitor and evaluate all Authorized Personnel and shall provide appropriate privacy and
Security Measure training, as well as background checks of its Authorized Personnel in order
to meet Provider’s obligations under the Agreement and meet the Requirements of this Exhibit.
Upon Agency’s written request, Provider shall provide Agency with a list of Authorized
Personnel. Provider shall remain fully responsible for any act, error, or omission of its
Authorized Personnel.
26
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
a) Provider Fourth Party Security. Provider shall conduct Security Measure assessments
which may include background checks and other due diligence on their Fourth Parties
which materially impact Provider’s ability to provide the Provider Services to Agency as
described in the Agreement. For 2.4 a), “Provider Fourth Party” is defined as Provider’
sub-processesor who will be identified by company(ies) in accordance with subparagraph
c) below and in the applicable SOW.
b) Provider Outsourcing. Provider shall not outsource any work related to its Provider
Services provided to Agency under the Agreement in violation of any applicable laws or
regulations applicable to principal and to the Provider. Provider shall not use any IT Assets
in countries outside the United States of America to process or store and Agency Data or
support any Provider Services provided to Agency under the Agreement.
c) Identification of Fourth Parties. In accordance with subparagraph a) above, Provider shall
identify to Agency all of Provider’s Fourth Parties that materially impact its ability to
perform it obligations and responsibilities under the Agreement, including: (i) those Fourth
Parties providing subcontractors to Provider that are involved in the provision of Provider
Services to Agency under the Agreement, (ii) those Fourth Parties that provide IT Assets,
and any related support and services to Provider, and (iii) those Fourth Parties that will
have access to Agency’s IT Assets and Agency Data.
d) Security and Privacy Training. Provider, at its expense, shall provide ongoing training to
employees, Authorized Personnel and Fourth Parties at least annually in order to comply
with the Requirements under this Exhibit. Agency may provide specific training material
to Provider to include in its training for Authorized Personnel performing work under a
SOW.
e) Access Requirements. Provider access to Agency’s physical locations, non-public
buildings, protected work areas and storage spaces, including but not limited to Agency
data center, computer labs, network facilities, together with the IT Assets and physical
contents (collectively, Agency Facilities), along with the associated IT Assets, and CII shall
only be granted in controlled circumstances and should be approved by Provider based on
the type of access. Therefore, access to Agency Facilities shall adhere to the following
Safeguards, Requirements and Security Measures to mitigate the inherent security risks,
including:
iii. All Provider access must be approved by Agency Security.
iv. Non-Agency employee access must be accompanied by a Agency employee.
v. Access should be approved with clear reference to the reason why access is
necessary.
vi. Access provided shall be based on ‘least privilege and scope’ as necessary. The
access to be granted should match the authorized purpose and not exceed that level.
vii. The Provider is responsible for ensuring the Network System Administrator and
Agency Security are informed when access is no longer required so that the access
can be terminated.
viii. No Provider employee, Forth Parties and other persons acting in association
with Provider shall attempt to or access IT Assets or Agency Facilities for which
he/she has not been granted access.
27
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
ix. No Provider employee, Forth Parties and other persons acting in association with
Provider shall attempt to or access IT Assets or Agency Facilities to gain
information without valid business reasons.
x. No Provider employee, Forth Parties and other persons acting in association with
Provider shall access IT Assets for personal reasons to include making changes
without approval or authorization.
xi. No Provider employee, Forth Parties and other persons acting in association with
Provider shall attempt to, use or install device software and other forms of
obstructions, software, or malware to any IT Asset or equipment.
xii. All Electronic data, messages and transactions are the property of Agency and
should be considered private information.
xiii. Agency reserves the right to access and monitor all messages and files as
deemed necessary. All communication, including text and images, may be
disclosed to law enforcement or other third parties without prior consent of the
sender or the receiver.
xiv. All communication must be for professional reasons and must be used in an
effective, ethical and lawful manner.
xv. Use must not disrupt the operation of the Agency IT Assets.
xvi. Non-Agency IT Assets, mobile devices, or other information assets may not
be connected to Agency IT Assets without prior approval by Agency’s Information
Security team and shall only be used by a Agency-authorized user.
xvii. Provider shall provide employee, Forth Parties and other persons acting in
association with Provider personal and vehicle identification in accordance with
current Customer requirements.
f) Adherence to Physical Access Requirements. Provider is responsible for ensuring any
Provider employee, Authorized Personnel or Forth Parties acting in association with
Provider, adheres to the Requirements and Safeguards for access to Agency Facilities.
g) Violations of Physical Access Requirements. Provider is responsible for ensuring that its
employees, Authorized Personnel or Forth Parties acting in association with Provider, who
have been found by Agency or by Provider to have violated the access Requirements for
Agency Facilities and/or Agency IT Assets, shall be subject to disciplinary action, up to
and including denial of access to Agency Facilities and/or Agency IT Assets.
h) Telecommuting Security Measures. Provider shall have and maintain telecommuting
access Safeguards and Security Measures over its employees, Authorized Personnel and
Fourth Parties as well as over its support centers, data centers and processing environments
that conform to Laws and Industry Standards including but not limited to: (i) use of a
Provider controlled thin Client or PC, (ii) Provider employee verification, (iii) signed
Confidentiality Agreement, (iv) acceptance of Provider's clean desk policy or agreement,
(v) Two Factor Authentication, and (vi) Provider logging of Authorized Personnel and
Fourth Parties that telecommute remotely into Provider's offices, support centers or data
centers, maintained for a minimum of six (6) months or other duration applicable under
Information Protection Laws or Industry Standards.
2.5 Handling of Agency Data. Provider shall: (i) keep and maintain all Agency Data in accordance
with the terms of this Exhibit; and (ii) use Agency Data solely and exclusively for the purpose
for which the Agency Data is provided pursuant to the terms and conditions of the Agreement
28
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
and the applicable SOW. Provider shall not disclose Agency Data to any person other than to
Authorized Personnel, except to the extent required by applicable law, in which case, Provider
shall use best efforts to notify Agency before any such disclosure or as soon thereafter as
reasonably possible.
a) Compliance with Privacy Protection Laws. Provider represents and warrants that its
collection, access, use, storage, disposal, and disclosure of Agency Data shall comply with
all applicable federal, state, local and foreign data and privacy protection laws, as well as
all other applicable regulations and directives.
b) Data Re-Use. Provider agrees that any and all electronic data exchanged shall be used
expressly and solely for the purposes enumerated in the Agreement. Electronic data shall
not be distributed, repurposed or shared across other application, environments, or business
units of Provider. Provider further agrees that no Agency Data of any kind shall be
transmitted, exchanged or otherwise passed to other parties except on a case-by-case basis
as specifically agreed to in writing by Agency.
c) Data Destruction and Data Retention. Upon expiration or termination of the Agreement or
upon Agency’s written request, Provider and its Authorized Personnel shall promptly
return to Agency all Agency Data and/or securely destroy Agency Data. At a minimum,
destruction of data activity is to be performed according to the standards enumerated by
the National Institute of Standards, Guidelines for Media Sanitization - see
http://csrc.nist.gov/. If destroyed, an officer of Provider must certify to Agency in writing
within ten (10) business days all destruction of Agency Data. If Provider is required to
retain any Agency Data or metadata to comply with a legal requirement, Provider shall
provide notice to both the general notice contact in the Agreement as well as Agency’s
designated Security Contact.
d) Physical Threat Prevention. Provider agrees that it shall protect its data centers, work areas
and storage spaces, together with the IT Assets, physical contents, and human readable
information contained therein, from unauthorized observation, alteration, damage,
destruction, or the theft thereof, and protect authorized persons therein from hazards,
natural disasters and bodily harm in accordance with applicable Law and Industry
Standards.
2.6 Right to Audit. Upon Agency’s written request, to confirm compliance with this Exhibit, as
well as any applicable laws and industry standards, Provider shall promptly and accurately
complete a written information Security Measure questionnaire provided by Agency or a third
party on Agency’s behalf regarding Provider’s business practices and information technology
environment in relation to all Information being handled and/or services being provided by
Provider to Agency pursuant to the Agreement. Provider shall fully cooperate with such
inquiries. Agency shall treat the information provided by Provider in the Security Measure
questionnaire as Provider's confidential information.
2.7 Security Testing. Provider shall perform static, dynamic, automated, and/or manual Security
Measure testing on Provider's IT Assets and data processing environments used to provide or
otherwise in support of the provision of the Provider Services to Agency during the Term of
the Agreement, in order to identify threats including Security Vulnerabilities, Common
Software Vulnerabilities, and Exploit Incidents on an ongoing basis. Should any Security
29
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Vulnerabilities, Common Software Vulnerabilities, and Exploit Incidents be discovered,
Provider agrees to notify Agency and create a mutually agreed upon remediation plan to
resolve all vulnerabilities identified. Agency has the right to request or conduct additional
reasonable Security Measure testing throughout the Term of the Agreement.
3. Exploit Incident / Data Breach
The contact information identified below shall serve as each party’s designated Security
Contact for issues with any Requirements under this Exhibit, or any incidents that occur
during the term of the Agreement:
DCA Security Contact:
ATTN: Christy Barnes, Director of Legal Services
[email protected]
Service Provider Contact:
COMPANY NAME
Representative
Title
Street Address
City, State Zip Code
Enmail
Phone
3.1 Incident Response Requirements. Provider shall take commercially reasonable actions to
ensure that Agency is protected against any and all reasonably anticipated Exploit Incidents
and Breaches of Confidential Information (collectively an "Security Incident") including but
not limited to: (i) Provider's IT Assets are continually monitored to detect evidence of any
type of Security Incident; (ii) Provider has a Security Incident response process to manage
and to take corrective action for any type of suspected or realized Security Incident; and (iii)
upon request Provider shall provide Agency with a summary description of its Administrative
Safeguards used in handling relevant types of Security Incidents. If an Exploit Incident or a
Security Incident affecting Agency occurs, Provider, at its expense and in accordance with
applicable Industry Standards and Information Protection Laws, shall immediately remediate
with appropriate Security Measures and take action to prevent the continuation of the Security
Vulnerabilities that lead to the type of incident that occurred. Provider shall also make
appropriate personnel available to assist Agency in assessing the effectiveness of Provider's
Administrative Safeguards used, Security Measures and remediation activity performed.
30
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
3.2 Incident and Breach Notification. Within twenty-four (24) hours of Provider's initial
awareness of any Exploit Incident or other mutually agreed upon time period, Provider shall
notify Agency of the incident by calling by phone the Agency Security Contact(s) listed above.
Provider shall provide sufficient information for Agency to prepare and file any reports on the
Exploit Incident required by regulatory agencies.
3.3 Exploit Investigation and Remediation. Upon Provider's notification to Agency of Exploit
Incident identified in subparagraph 3.2, the Parties shall coordinate to investigate the Exploit
Incident. Provider shall be responsible for leading the investigation of the Exploit Incident,
but shall cooperate with Agency to the extent Agency requires involvement in the
investigation. Provider shall involve law enforcement in the investigation if required by
applicable law. Depending upon the type and scope of the Exploit Incident, Agency personnel
may participate in: (i) interviews with Provider's employees and Fourth Parties involved in
the incident; and (ii) review of all relevant records, logs, files, reporting data, IT Assets,
Provider devices, and other materials as otherwise required by Agency.
Provider shall cooperate, at its expense, with Agency in any litigation or investigation
deemed reasonably necessary by Agency to protect its rights relating to the use,
disclosure, protection and maintenance of Agency Data. Provider shall reimburse Agency
for actual costs incurred by Agency in responding to, and mitigating damages caused by
any Exploit Incident, including all costs of notice and remediation which Agency, in its
sole discretion, deems necessary to protect such affected individuals in light of the risks
posed by the Exploit Incident. Provider shall use reasonable efforts to prevent a
recurrence of any such Exploit Incident. Additionally, Provider shall provide (or
reimburse Agency) for at least one (1) year of complimentary access for one (1) credit
monitoring service, credit protection service, credit fraud alert and/or similar services,
which Agency deems necessary to protect affected individuals in light of risks posed by a
Exploit Incident.
3.4 Public Relations Crisis Management Plan. Provider shall cooperate with Agency to develop
and execute a public relations crisis management plan that addresses messaging to the public
and applicable government authorities including by providing a point person to coordinate
with Agency on the public relations plan. Notwithstanding anything to the contrary, Agency
has the right to control the issuance of any notification of Exploit or Security Incidents and
other public statements regarding the impact on Agency, its employees, contractors,
subscribers and other related third parties.
3.5 Incident and Breach Final Reporting. Provider shall provide Agency with a draft written
incident report without undue delay after resolution of an Exploit Incident or upon
determination that the Exploit Incident cannot be sufficiently resolved. Provider shall provide
Agency with a final written incident report within 45 days of the provide after resolution of
an Exploit Incident or upon determination that the Exploit Incident cannot be sufficiently
resolved. Provider shall provide sufficient information for Agency to prepare and file any
reports on the Exploit Incident required by regulatory agencies.
31
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
4. Changes
Changes to the Provider’s organization that materially affect its ability to meet the Requirements
under this Exhibit, including but not limited to technology advances, regulatory actions and audits,
or due to changes in business processes, IT security related certifications, data processing, data
center facilities and IT Assets, or any Fourth Parties that materially affect Providers ability to meet
the Requirements of this Exhibit, shall be formally controlled under the Provider’s IT governance
program. In the event that any material changes occur, Provider shall work in good faith with
Agency to promptly update Agency Security Contact(s) listed above, and if necessary work with
Agency to amend this Exhibit accordingly. In the event of any change in Agency’s data protection
or privacy obligations due to legislative or regulatory actions, industry standards, technology
advances, or contractual obligations, and if notified by Agency of such changes, Provider shall
work in good faith with Agency to promptly amend this Exhibit accordingly.
32
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Schedule B
RFP SCOPE OF WORK
33
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Schedule C
SERVICE PROVIDER WORK PLAN
34
DCAMasterServicesAgreement_DRAFT_slovett_7.20.2002v9.6
Schedule D
FEES AND PAYMENT