Specifications include, but are not limited to:

The system shall be available 24 x 7 x 365 with a minimum of 99.95% uptime, measured on a monthly basis (excluding maintenance windows). ☐ ☐

Vendor agrees that all data will be solely stored and/or transmitted within the lower contiguous 48 states. ☐ ☐

Upon termination of contract, all client data will be provided in a mutually agreed upon format with appropriate data dictionaries, schema, etc. to make the data usable. ☐ ☐

All system data and files shall be regularly backed up to a secondary data center/disaster recovery site outside of the main data center’s same weather pattern and power grid. Backups shall occur such that the City loses no more than 2 hours of transactions due to an unexpected outage. ☐ ☐

Hosting Providers/Respondents shall have a documented Security Incident Response Plan (SIRP) that addresses the Respondent’s plan for preventing, detecting, and responding to security breaches or cyberattacks in which the City’s data or operations may be compromised. ☐ ☐

Hosting Providers/Respondents shall have a documented Disaster Recovery Plan (DRP) that addresses recovery and maintenance of system data and operations in response to hazard or emergency scenarios. This plan shall be tested regularly to ensure that it is both tangible and actionable. ☐ ☐

Hosting Providers/Respondents shall have a documented Business Continuity Plan (BCP) that addresses localized or system outages that create an impact to one or more business functions. The BCP should account for the rapid restoration of services and redundancies in technology or process. ☐ ☐

Hosting Providers/Respondents shall undergo an SSAE 18 SOC2 Type 2 audit covering at a minimum the Security and Availability Principles on an annual basis and must have no unaddressed material concerns. Respondent shall provide a copy of their most recent audit report prior to contract award and annually or as requested. ☐ ☐

Hosting Providers/Respondents shall support and be compliant with all relevant regulations and requirements including, but not limited to: PCI-DSS, FERPA, HIPAA/HITECH, GDPR.