Specifications include, but are not limited to: 1. Data Ownership The State shall own all right, title and interest in all data used by, resulting from, and collected using the services provided. The Bidder shall not access State User accounts, or State Data, except (i) in the course of data center operation related to this solution; (ii) response to service or technical issues; (iii) as required by the express terms of this service; or (iv) at State ’s written request. 2. Data Protection Protection of personal privacy and sensitive data shall be an integral part of the business activities of the Bidder to ensure that there is no inappropriate or unauthorized use of State information at any time. To this end, the Bidder shall safeguard the confidentiality, integrity, and availability of State information and comply with the following conditions: • All information obtained by the Bidder under this contract shall become and remain property of the State. • At no time shall any data or processes which either belong to or are intended for the use of State or its officers, agents, or employees be copied, disclosed, or retained by the Bidder or any party related to the Bidder for subsequent use in any transaction that does not include the State. 3. Data Location The Bidder shall not store or transfer State data outside of the United States. This includes backup data and Disaster Recovery locations. The Bidder will permit its personnel and contractors to access State data remotely only as required to provide technical support. 4. Encryption The Bidder shall encrypt all non-public data in transit regardless of the transit mechanism. For engagements where the Bidder stores non-public data, the data shall be encrypted at rest. The key location and other key management details will be discussed and negotiated by both parties. Where encryption of data at rest is not possible, the Bidder must describe existing security measures that provide a similar level of protection. Additionally, when the Bidder cannot offer encryption at rest, it must maintain, for the duration of the contract, cyber security liability insurance coverage for any loss resulting from a data breach. The policy shall comply with the following requirements: • The policy shall be issued by an insurance company acceptable to the State and valid for the entire term of the contract, inclusive of any term extension(s). • The Bidder and the State shall reach agreement on the level of liability insurance coverage required. • The policy shall include, but not be limited to, coverage for liabilities arising out of premises, operations, independent contractors, products, completed operations, and liability assumed under an insured contract. • At a minimum, the policy shall include third party coverage for credit monitoring. notification costs to data breach victims; and regulatory penalties and fines. • The policy shall apply separately to each insured against whom claim is made or suit is brought subject to the Bidder’s limit of liability. • The policy shall include a provision requiring that the policy cannot be cancelled without thirty (30) days written notice. • The Bidder shall be responsible for any deductible or self-insured retention contained in the insurance policy. • The coverage under the policy shall be primary and not in excess to any other insurance carried by the Bidder. • In the event the Bidder fails to keep in effect at all times the insurance coverage required by this provision, the State may, in addition to any other remedies it may have, terminate the contract upon the occurrence of such event, subject to the provisions of the contract.