State of Minnesota - U.S. Bank Commercial Card Solutions - Participating Addendum
Contract# 75413 Purchasing Card    Contract# 75427 Fleet Card
Appendix B - Minnesota General Terms, Conditions and Specifications

d. Data Management. Contract Vendor will not use State data, including production data, for testing or development purposes. Contract Vendor has implemented and will maintain procedures to physically and logically segregate State data, unless otherwise explicitly authorized by the State Chief Information Security Officer or delegate.

e. Data Encryption. Contract Vendor shall encrypt all State data in transit, if such data is part of or associated with Contract Vendor's cloud computing or hosting services. Encryption keys to State data shall only be accessed by Contract Vendor as necessary for performance of this Contract/Agreement.

f. Data Storage. Contract Vendor agrees that any and all State data will be stored, processed, and maintained solely on designated servers and that no such data at any time will be processed on or transferred to any portable computing device or any portable storage medium, unless that storage medium is in use as part of the Contract Vendor's designated backup and recovery processes.

g. Data Center and Monitoring/Support Locations. During the term of the Contract/Agreement, Contract Vendor agrees to: (1) locate all production and disaster recovery data centers that store, process or transmit State data only in the continental United States, (2) store, process and transmit State data only in the continental United States, and (3) locate all monitoring and support of all the cloud computing or hosting services only in the continental United States. The State has the right to on-site visits and reasonable inspection of the data centers upon notice to Contract Vendor of seven calendar days prior to visit.

h. Security Audits & Remediation. Contract Vendor will audit the security of the systems and processes used to provide any and all cloud computing or hosting services, including those of the data centers used by Contract Vendor to provide any and all cloud computing or hosting services to the State. This security audit: (1) will be performed at least once every calendar year beginning with 2014; (2) will be performed according to appropriate industry security standards; (3) will be performed by third party security professionals at Contract Vendor's election and expense; (4) will result in the generation of an audit report ("Contract Vendor Audit Report") which will, to the extent permitted by applicable law, be deemed confidential information and not public data under the Minnesota Government Data Practices Act; and (5) may be performed for other purposes in addition to satisfying this section. Notwithstanding subsection h (3) above, the security audit for the Payment Analytics application may be conducted by independent internal security professionals at Contract Vendor's expense.

The Contract Vendor Audit Report will address the control procedures used by Contract Vendor to provide any and all cloud computing or hosting services, including specifically an assessment of whether (A) the control procedures were suitably designed to provide reasonable assurance that the stated internal control objectives would be achieved if the procedures operated as designed and (B) the control procedures operated effectively at all times during the reporting period. The Contract Vendor Audit Report must also address relevant controls of any subservice providers of any and all cloud computing or hosting services.

Upon the State's reasonable, advance written request, Contract Vendor will provide to the State a copy of the Contract Vendor Audit Report.

Contract Vendor will make best efforts to remediate any control deficiencies identified in the Contract Vendor Audit Report in a commercially reasonable timeframe.

If the State becomes aware of any other Contract Vendor controls that do not substantially meet the State's requirements, the State may request remediation from Contract Vendor. Contract Vendor will make best efforts to remediate any control deficiencies identified by the State or known by Contract Vendor, in a commercially reasonable timeframe.

i. Subcontractors. Contract Vendor agrees that no State data shall be transmitted, exchanged or otherwise provided to other parties except as specifically agreed to in writing by the State Chief Information Security Officer or delegate. Contract Vendor must ensure that any contractors, subcontractors, agents and others to whom it provides State data, agree in writing to be bound by the same restrictions and conditions under this Contract/Agreement that apply to Contract Vendor with respect to such data.

j. Compliance with Payment Card Industry Data Security Standard. All of Contract Vendor's systems and components that process, store, or transmit State data shall comply with the applicable and then most recent version of the Payment Card Industry Data Security Standard ("PCI DSS") promulgated by the PCI Security Standards Council. The Contract Vendor shall, upon request, provide the State with Contract Vendor's currently available and applicable Attestation of Compliance signed by a PCI QSA ("Qualified Security Assessor").

Page 37 of 37