Note: Download the PDF file of General Terms and Conditions of Cybersecurity Services


These General Terms and Conditions are part of the MOU for Enhanced Security Services between OCIO and Customer. In the event of a conflict or inconsistency between the terms and conditions set forth here and those set forth in the MOU CD&E, the terms and conditions in the MOU CD&E shall take precedence.

  1. Definitions. Unless otherwise specifically defined in the MOU, all capitalized terms used herein shall have the meanings ascribed to them under Iowa Code chapter 8B and corresponding implementing rules found at Iowa Administrative Code chapter 129. In addition, the following terms shall have the following meanings:
    1. “Authorized Contractor(s)” means independent contractors, consultants, or other Third Parties used by OCIO to provide ESS.
    2. “Confidential Information” means, subject to any applicable federal, State, or local laws and regulations, including Iowa Code Chapter 22, any information disclosed by either Party (“Disclosing Party”) to the other Party (“Receiving Party”) that, at the time of disclosure, is designated as confidential (or like designation), is disclosed in circumstances of confidence, or would be understood by the Parties, exercising reasonable business judgment, to be confidential. Confidential Information does not include any information that: (i) was rightfully in the possession of the Receiving Party from a source other than the Disclosing Party prior to the time of disclosure of the information by the Disclosing Party to the Receiving Party; (ii) was known to the Receiving Party prior to the disclosure of the information by the Disclosing Party; (iii) was disclosed to the Receiving Party without restriction by an independent Third Party having a legal right to disclose the information; (iv) is in the public domain or shall have become publicly available other than as a result of disclosure by the Receiving Party in violation of this MOU or in breach of any other agreement with the Disclosing Party; (v) is independently developed by the Receiving Party without any reliance on Confidential Information disclosed by the Disclosing Party; (vi) is disclosed in accordance with the terms of the MOU; or (vii) is disclosed by the Receiving Party with the written consent of the Disclosing Party. Subject to the foregoing exclusions, Confidential Information includes Customer Data.
    3. “Customer Data” means all Customer data or information accessed by OCIO or disclosed to OCIO in connection with this MOU including “System Data” such as security or software logs, system event information, system audit logs and records, and other similar information, and “User Data” such as files, database entries, or electronic records created by end users for governmental or business purposes.
    4. “Customer Systems” means Customer’s web sites, applications, databases, data centers, servers, networks, desktops, endpoints, or any other like systems or equipment that are monitored, assessed, defended, or otherwise accessed by OCIO in the performance of the ESS. Customer Systems may be more fully described in an Exhibit to the MOU.
    5. “Enhanced Security Services” or “ESS” or “Services” means the security services or any related services offered and provided by OCIO, by and through the Security Operations Center, designed to assist governmental entities in the State of Iowa in safeguarding against unauthorized access, disclosure, theft, or modification of or to government systems and data; and preventing, detecting, and responding to Security Incidents, Security Breaches, and other significant cyber events. Enhanced Security Services may be more fully set forth in an Exhibit to the MOU. 
    6. “Office-Supplied Tools” means any hardware, equipment, software, applications, or tools used by OCIO to interface with or connect to Customer Systems; that host, store, process, or transmit Customer Data; or that are otherwise used by OCIO in connection with provisioning ESS.
    7. “Security Incident” means an occurrence that actually jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. “Security Incident” shall also be deemed to include any breach of security, confidentiality, or privacy as defined by any applicable law, rule, regulation, or order.
    8. “Security Operations Center” or “SOC” means the State of Iowa’s dedicated unit from which Customer Systems and Customer Data are monitored and assessed to detect Security Incidents.
    9. “Third Party” means a person or entity not a party to this MOU.
  2. Brokered I.T. Devices and Services. In addition to or in lieu of the Services or Office-Supplied Tools provided by OCIO by more direct means hereunder, OCIO may enter into Information Technology Master Agreements with Information Technology Vendors pursuant to which Customer may purchase Information Technology Devices or Services intended to enhance Customer’s overall security posture and readiness. Where Customer purchases Information Technology Devices and Services pursuant to an Information Technology Master Agreement made available by OCIO, such purchase shall constitute a separate, distinct, and independent contract between Customer and the applicable Vendor; Customer shall be solely responsible for any payments due and duties and obligations otherwise owed such Vendor under such agreement. In addition, OCIO bears no obligation or liability for Customer’s losses, liabilities, or obligations, including Vendor’s failure to perform, arising out of or relating in any way to such purchase.
  3. Customer’s Responsibilities. Customer is responsible for:
    1. Third-Party Cloud Services, to enable OCIO to provide the ESS hereunder. OCIO will work to provide Customer with Office-Supplied Tools where possible, but where it is unable to do so or unable to obtain funding to do so, Customer may be responsible for doing so at Customer’s own cost or expense, or have to forego the ESS provided hereunder or aspects thereof.
    2. Granting and facilitating OCIO access to any Customer Systems or facilities as is necessary for OCIO to install or connect any Office-Supplied Tools to provide ESS.
    3. Working collaboratively with OCIO, including providing appropriate staff to attend meetings and to address matters related to this MOU and OCIO’s provision of ESS.
    4. Identifying Customer’s point of contact whom OCIO should notify during normal business hours and off hours in the event OCIO identifies a Security Incident, Security Breach, or other significant cyber event that may impact or involve Customer Systems or Customer Data.
    5. Identifying under what circumstances, if any, OCIO may act, unilaterally and without prior approval, to contain a Security Incident, Security Breach, or other significant cyber event that may impact or involve Customer Systems or Customer Data, or under what circumstances OCIO must obtain prior approval from Customer prior to containing such event.
    6. Determining whether a Security Incident, Security Breach, or other cyber event reported to Customer by OCIO constitutes a Security Breach or other privacy or confidentiality violation or event for purposes of any reporting, notification, or other obligations that may be required by applicable law, rule, or regulation.
    7. Reporting any Security Incident, Security Breach, or other cyber event to appropriate law enforcement or other relevant authority and notifying any consumers or other adversely affected individuals as may be required by applicable law, rule, or regulation.
    8. Conducting forensic investigations that may be necessary to determine the full scope or impact of a Security Incident, Security Breach, or other cyber event. Generally, ESS provided by OCIO do not include forensic investigations, although OCIO may assist Customer in identifying Third Parties who are qualified to provide such services.
    9. Not Misusing the Services or Office-Supplied Tools provided or performed by OCIO. Each of the following constitutes a “Misuse(ing)” for purposes of this MOU:
      1. Using the Services or Office-Supplied Tools in a manner that is inconsistent with OCIO’s directions or instructions.
      2. Using the Services or Office-Supplied Tools in a manner that is inconsistent with any applicable Third-Party license agreement or terms and conditions governing the use thereof.
      3. Indirectly providing the Services or Office-Supplied Tools to unauthorized Third Parties, including through a service bureau or other like arrangement.
      4. Using OCIO’s Services or Office-Supplied Tools in a manner that infringes, violates, or misappropriates any patent, trademark, copyright, trade dress, trade secret, or any other intellectual property right or proprietary right of OCIO, the State, or any Third Party.
      5. Using the Services or Office-Supplied Tools in a manner that is inconsistent with or violates applicable law, rule, or regulation.
      6. Using the Services or Office-Supplied Tools in a manner that does not directly further the Customer’s governmental objectives.
  4. Information Exchanges, Third-Party Access, and Cloud Storage/Processing.
    1. Information Exchanges. The SOC exchanges security incident information and analysis with a variety of Third Parties, including federal, state, and not-for-profit cybersecurity organizations such as the United States Department of Homeland Security, Iowa Homeland Security & Emergency Management, the Iowa National Guard, Iowa Secretary of State, and Multi-State Information Sharing and Analysis Center (MS-ISAC). By entering into this MOU, Customer consents to these information exchanges.
    2. Third-Party SOC Access. OCIO may grant access to the SOC to certain Third Parties to enable these Third Parties to monitor Customer Systems and Customer Data in furtherance of the Third Party’s official duties. For example, in connection with an election, OCIO may grant the Iowa National Guard, operating in accordance with an active-duty order, access to the SOC to monitor Customer Systems that may be utilized or involved in facilitating election-related processes. As another example, OCIO may grant the U.S. Department of Homeland Security access and connection to the SOC to conduct certain vulnerability assessments. Customer consents to such Third Parties’ access to the SOC, to Third-Party monitoring of Customer Systems, and to such Third Parties viewing or accessing Customer System Data to perform their official duties. Customer’s User Data will only be accessed as necessary for Third Parties to perform their official duties.
    3. Cloud Storage/Processing. Some of the OCIO-Supplied Tools utilized by OCIO in providing the Services under this MOU include Third-Party Cloud Services. Customer consents to OCIO’s use of Third-Party Cloud Services to supply the Services contemplated hereunder, acknowledging that such Third-Party Cloud Services may host, store, process, or transmit Customer Data.
  5. Confidentiality.
    1. Office’s Treatment of Customer’s Confidential Information. OCIO will implement and maintain reasonable and appropriate security measures to safeguard against unauthorized access, disclosure, theft, or modification of Confidential Information and will require the same of any Third Parties used in provisioning the Services or Office-Supplied Tools hereunder.
    2. Customer’s Treatment of Office or Third-Party Confidential Information. OCIO Confidential Information, as well as Confidential Information of Third Parties used to provide Office-Supplied Tools used by OCIO in connection with ESS, shall at all times remain the property of OCIO or applicable Third Party, and OCIO or applicable Third Party shall retain exclusive rights thereto and ownership thereof. Customer may have access to such Confidential Information solely to the extent reasonably necessary to use the Services provided under this MOU. Customer shall hold such Confidential Information in confidence. Customer shall not gather, store, log, archive, use, or otherwise retain such Confidential Information in any manner other than as expressly authorized or contemplated by this MOU and will not disclose, distribute, sell, commercially or politically exploit, share, rent, assign, lease, or otherwise transfer or disseminate such Confidential Information to any Third Party, except as expressly permitted hereunder or as expressly approved by OCIO in writing. Customer will immediately report the unauthorized access to or disclosure of such Confidential Information to OCIO. Customer may be required to return and destroy, and provide proof of such return or destruction, such Confidential Information to OCIO upon the expiration or termination of this MOU, as directed by OCIO.
    3. Compelled Disclosures. To the extent required by applicable law, the Receiving Party may disclose Confidential Information to a Third Party, subject to the following conditions:
      1. As soon as becoming aware of a compelled disclosure of Confidential Information and no less than five (5) business days prior to disclosing Confidential Information pursuant thereto, the Receiving Party will notify the Disclosing Party in writing, specifying the nature of and circumstances surrounding the contemplated disclosure, and forward any applicable source material, such as process or subpoena, to the Disclosing Party for its review.
      2. The Receiving Party will consult with the Disclosing Party on the advisability of taking steps to resist or narrow any required response or disclosure.
      3. The Receiving Party will use best efforts not to release Confidential Information pending the outcome of any measures taken by the Disclosing Party to contest, oppose, or otherwise seek to limit such disclosure by the Receiving Party and the Receiving Party will cooperate with the Disclosing Party regarding such efforts.
      4. Solely to the extent the Receiving Party is required to disclose Confidential Information to a Third Party, the Receiving Party will furnish only such portion or aspect of Confidential Information as it is required to disclose and will exercise reasonable efforts to obtain an order or other reliable assurances that any Confidential Information disclosed will be held in confidence by any Third Party to which it is disclosed.

        Notwithstanding any such compelled disclosure by the Receiving Party, such compelled disclosure will not otherwise affect the Receiving Party’s obligations hereunder with respect to Confidential Information ultimately disclosed to a Third Party.

    4. Non-Exclusive Equitable Remedy. Each Party acknowledges and agrees that due to the unique nature of Confidential Information, there can be no adequate remedy at law for any breach of its obligations hereunder, and therefore, that upon any such breach or any threat thereof, each Party will be entitled to seek appropriate equitable remedies, and may seek injunctive relief from a court of competent jurisdiction without the necessity of proving actual loss, in addition to whatever remedies might be available at law or equity. Any breach of this Section will constitute a material breach of this MOU and will be grounds for the immediate termination of this MOU in the exclusive discretion of the non-breaching Party.
    5. Survives Termination. Each Party’s duties and obligations as set forth in this Section shall survive termination of this MOU.
  7. Limitation of Liability. The Parties understand and accept that this MOU addresses a constantly changing cybersecurity global landscape and that there are inherent risks when addressing the cybersecurity needs of any entity. As such, other than subscription fees due and the right of OCIO to obtain payment for such subscription fees, the total aggregate liability of any Party under this MOU to another Party shall not exceed one month’s service subscription.
  8. Termination.
    1. Generally. Following forty-five (45) days written notice, either Party may terminate this MOU, in whole or in part, for convenience without the payment of any penalty or incurring any further duty or obligation. Termination for convenience may be for any reason or no reason at all. In the event of the expiration or termination of this MOU, Customer shall immediately cease using and return to OCIO, as directed by OCIO, Office-Supplied Tools or other Office- or State-owned or licensed property. Customer’s duties and obligations set forth in this Section shall survive termination of this MOU.
    2. Notice Calculated to Enable Acquisition of Replacement Services. While forty-five (45) days prior written notice is sufficient to terminate this MOU, in whole or in part, and cease providing any or all Services provided hereunder, OCIO will, where possible, endeavor to provide additional and reasonable advance notice to Customer of OCIO’s intention to cease providing any or all Services hereunder, which advance notice shall be calculated to enable Customer to plan for OCIO’s discontinuation of applicable Services and to procure comparable replacement services. In determining what is reasonable under the circumstances, OCIO will consider the likely impact of discontinuing any Services to Customer’s operations, and the ability of and time it would take Customer to obtain comparable replacement services.
  9. Administration.
    1. Relationship between the Parties. OCIO, its employees, agents and any subcontractors performing under this MOU are not employees or agents of Customer simply by virtue of work performed pursuant to this MOU. Neither OCIO nor its employees shall be considered employees of Customer for federal or state tax purposes simply by virtue of work performed pursuant to this MOU. Likewise, this MOU shall not constitute or otherwise imply a delegation of either Party’s legal duties or responsibilities to the other, or constitute, create, or imply a joint venture, partnership, or formal business organization of any kind. Neither Party shall be considered an agent, designee, or representative of the other for any purpose.
    2. Compliance with Law. Both Parties and their employees, agents, and subcontractors shall comply with all applicable federal, state, and local laws, rules, regulations, orders, ordinances, and permitting requirements in the performance of their respective duties, responsibilities, and roles under this MOU.
    3. Choice of Law and Forum. This MOU shall be governed in all respects by, and construed in accordance with, the laws of the State of Iowa, without giving effect to the choice of law principles thereof. Any litigation concerning the MOU filed by either Party shall be brought and maintained in the state or federal courts sitting in Des Moines, IA. However, if Iowa Code section 679A.19 is applicable, any dispute between the parties must be addressed in accordance with the statutory provision.
    4. Escalation of Disputes. Should a disagreement involving or stemming from this MOU arise between the Parties that cannot be resolved, and prior to proceeding to litigation or any other formal dispute resolution process, the area(s) of disagreement shall be stated in writing by each Party and presented to the other Party for consideration. If an agreement is not reached within thirty (30) days, the Parties shall forward the written presentation of the disagreement to higher officials within their respective organizations for appropriate resolution. In the event the Parties are unable to reach an agreement after having completed that process, the parties may then, and only then, proceed to litigation or any other formal dispute resolution process in accordance with the terms of this MOU.
    5. Amendments. This MOU may be amended in writing from time to time by mutual consent of the Parties. Any such amendments must be in writing and fully executed by the Parties.
    6. No Third-Party Beneficiary Rights. There are no third-party beneficiaries to this MOU. This MOU is intended only to benefit OCIO and Customer.
    7. Assignment and Delegation. This MOU may not be assigned, transferred, or conveyed, in whole or in part, without the prior written consent of the other Party.
    8. Entire Agreement. This MOU represents the entire agreement between the Parties concerning the subject matter hereof. The Parties shall not rely on any representation, oral or otherwise, that may have been made or may be made and which is not included in this MOU. This MOU shall not be construed or interpreted against either Party on the basis of draftsmanship or preparation thereof.
    9. Supersedes Former MOUs. This MOU supersedes all prior MOUs or agreements between the Parties concerning the subject matter hereof.
    10. Headings or Captions and Terms. The section and paragraph headings or captions used in this MOU are for identification purposes only and do not limit or construe the contents of the sections, paragraphs, or provisions herein.
    11. Notices. Any and all legal notices, designations, consents, offers, acceptances or any other communication provided for herein shall be given in writing by registered or certified mail, return receipt requested, by receipted hand delivery, by Federal Express, courier or other similar and reliable carrier which shall be addressed to each Party to the contacts and at the addresses identified in the CD&E. Each such notice shall be deemed to have been provided (1) At the time it is actually received; (2) Within one (1) day in the case of overnight hand delivery, courier, or services such as Federal Express with guaranteed next day delivery; or (3) Within five (5) days after it is deposited in the U.S. Mail in the case of registered U.S. Mail. From time to time, the Parties may change the name and address of a Party designated to receive notice. Such change of the designated person shall be in writing to the other Party.
    12. Severability. If any provision of this MOU is determined by a court of competent jurisdiction to be invalid or unenforceable, such determination shall not affect the validity or enforceability of any other part or provision of this MOU.
    13. Authorization. Each Party to this MOU represents and warrants to the other Party that it has the right, power and authority to enter into and perform its obligations under this MOU, and it has taken all requisite action (corporate, statutory, or otherwise) to approve execution, delivery and performance of this MOU, and that this MOU constitutes a legal, valid and binding obligation upon itself in accordance with its terms.
    14. Successors in Interest. All the terms, provisions, and conditions of this MOU shall be binding upon and inure to the benefit of the Parties hereto and their respective successors, assigns, and legal representatives.
    15. Waiver. Except as specifically provided for in a waiver signed by duly authorized representatives of the applicable Party, failure by either Party at any time to require performance by the other Party or to claim a breach of any provision of this MOU shall not be construed as affecting any subsequent right to require performance or to claim a breach.
    16. Cumulative Rights. The various rights, powers, options, elections and remedies of any Party provided in this MOU shall be construed as cumulative, and the exercise of any one remedy shall not affect or impair the right of any Party to pursue any other equitable or legal remedy to which they may be entitled.
    17. Exclusivity. This MOU is not exclusive. Customer may obtain similar or identical Services, or cooperate or collaborate on other similar projects, from or with Third Parties.
    18. Multiple Counterparts and Electronic Signatures. This MOU, including any amendments hereto, may be executed in several counterparts, all of which when taken together shall constitute one agreement binding on all Parties. Any such documents may be signed electronically in accordance with Iowa Code chapter 554D or other applicable law, and each Party waives any arguments concerning the validity of such electronically signed documents related to this MOU.
    19. Use of Third Parties. OCIO may use Authorized Contractors to provide the Services or Office-Supplied Tools contemplated hereunder. Any rights, authorizations, or consents conferred or granted to OCIO hereunder shall be deemed to be conferred or granted to and may be exercised by any Authorized Contractors used by OCIO to provide the Services or Office-Supplied Tools contemplated hereunder.
    20. Force Majeure. Neither Party shall be in default under this MOU if performance is prevented, delayed, or made impossible to the extent that such prevention, delay, or impossibility is caused by a “force majeure.” The term “force majeure” as used in this MOU includes an event that no reasonable foresight could anticipate or which if anticipated, is incapable of being avoided. “Force majeure” for OCIO includes: claims or court orders that restrict OCIO’s ability to perform or deliver the Services; strikes; labor unrest; supply chain disruptions; internet failures; power failures; hacker attacks; denial of service attacks; virus or other malicious software attacks or infections.
    21. Ancillary Agreements. Generally, the Customer Data OCIO, its Authorized Contractors, and other authorized Third Parties may be able to access or view in connection with this MOU will be limited to System Data as opposed to User Data. If access to or use of User Data is necessary to effectively provide the Services contemplated by this MOU, OCIO will provide Customer with notice prior to accessing or using any User Data in connection with the Services provided hereunder. OCIO acknowledges that access to and use of User Data may require the execution of additional agreements to address unique compliance, legal, confidentiality, or privacy concerns, such as, where applicable, a Business Associate Agreement as may be required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended. Upon mutual written agreement by the Parties, such “Ancillary Agreements” may be attached hereto as related special terms and conditions and incorporated by reference as if fully set forth herein. OCIO may decline to execute such Ancillary Agreements and Customer acknowledges that, as a result, OCIO may be unable to provide the contemplated Services, in whole or in part.
    22. Review Meetings. OCIO and Customer may meet on an annual basis to discuss the Services provided under this MOU, which may include discussion of any problems Customer has experienced in connection with the Services or areas for improvement or suggestions regarding new or additional service offerings. Customer authorizes the Iowa Counties Information Technology (“ICIT”) organization, an affiliate of the Iowa State Association of Counties (“ISAC”), to represent its interests and perspective at these annual review meetings, and shall communicate any concerns or suggestions to ICIT, which will consolidate such concerns or suggestions and communicate them to OCIO as part of these annual review meetings.
  10. Customer Systems/Data Access.
    1. Customer consents to and authorizes OCIO to access and monitor Customer Systems and Customer Data to the extent necessary to perform the ESS contemplated hereunder. Such access and monitoring may be subject to mutually agreed upon protocols outlining appropriate information, network, and device connections, as may be further defined and described in an Exhibit to the MOU. Such access and monitoring may include the following:
      1. Administrator level and/or system-level access to any network, computing, or communications device;
      2. Access for interactively monitoring and logging traffic on Customer Systems, including Customer’s networks; and        
      3. Access to information Customer Data that may be produced, transmitted, or stored on, from, or over Customer Systems, equipment, facilities, or premises.
    2. Customer acknowledges that the ESS and installation or connection of Office-Supplied Tools to Customer Systems, or Customer’s or OCIO’s use of Office-Supplied Tools that are Third-Party Cloud Services, involves a risk of potential adverse impacts or consequences to Customer Systems and Customer Data, including degradation, loss, or disruption of network and system performance or availability, or loss or destruction of Customer Data. Customer agrees to assume all risk for any damages, losses, expenses, and other adverse consequences resulting from or associated with the performance or provisioning of the ESS hereunder, including the ESS provided through the SOC, or that may otherwise result from the installation or connection of Office-Supplied Tools on Customer Systems or Customer’s or OCIO’s use of Office-Supplied Tools that are Third-Party Cloud Services. Consistent with the foregoing, Customer waives any claims it may have against OCIO or the State of Iowa involving Customer Property or Customer Data caused, in whole or in part, by OCIO’s provisioning of the ESS hereunder, including the ESS provided through the SOC, or installation or connection of Office-Supplied Tools to Customer Systems or Customer’s or OCIO’s use of Office-Supplied Tools that are Third-Party Cloud Services.
    3. OCIO’s provisioning of ESS hereunder, including through the SOC, including OCIO’s access to and monitoring of Customer Systems, may enable OCIO to access and monitor Customer Systems and Customer Data, which may be owned and managed by Customer. Customer, in turn, may be or may be comprised of governmental entities, such as the State of Iowa, cities, or counties, or departments, boards, agencies, commissions, or councils comprising the foregoing. Customer represents and warrants that it has the authority to grant OCIO the right to access and monitor such Customer Systems and Customer Data as contemplated in this MOU and has taken all requisite action (corporate, statutory, or otherwise, including obtaining review and approval from any governing boards, commissions, councils, or other like bodies where required by applicable law, rule, regulation, order, or charter) necessary to grant or permit access to and monitoring of the Customer Systems and Customer Data as contemplated by this MOU.