Loading...
The URL can be used to link to this page
Your browser does not support the video tag.
#18-7284 (JetPay Payment Services, FL, LLC)
WWW.JETPAY.COM Merchant Application & Agreement Phone:877-813-0199 ISO/Agent ID#&Name: Sales Agent Name&IDN NOTICE:AGENTS MUST INCLUDE THEIR ID IN ORDER TO RECEIVE CREDIT FOR THE APPLICATION. Merchant Name (DBA or Trade) Legal Name(if different) Tax ID: 59-6000558 Collier County Florida,a Political Subdivison of the State of Florida Location Address Address Address 1: 3299 Tamiaml Trail East, Suite 601 Address 1: Address 2: Address 2: City: Naples State: FL Zip Code: 34112 City: State: Zip Code: DBA Phone Number: 239-252-8723 Name Ito Appear on Cardholder Statement): Collier County Florida Company Website: www.colliercountyfl.gov Phone#(to Appear on Cardholder Statement If MO/r0): 239-252-8723 © © Contact Information (Select any/o8 that apply. Owner)will be used for those not selected.) © Account Maintenance Statements PCI Chargebacks Name: Heather George E-mail: financefl@jetpay.com Phone: 866-756-6041 Fax: Address: 316 S Baylen Street, Suite 590 City: Pensacola State: FL Zip: 32502 Business o Individual/Sole Propriety a Corporation E3 Private 0 Non-Pro51 0 Partnership LLC IStole,_I Ei Publicly Traded ®Government Type: Average Ticket Amount;91 Highest Ticket Amount;50,000 Monthly AXP/VS/MC/DISC Network Volume$ 44,340,94*of Doily Transactions: eof Employees Does this location currently take AMERICAN EXPRESS*"'/VISAC/MASTERCARDC/DISCOVER Networko?®Yes a No Reason for leaving? Has the Merchant/Owner ever been terminated from accepting cards for any business? Yes ©No It Yes,please explain? #Years in Business: 20+ Has Merchant or Owners/Principals ever filed bankruptcy? 0 Yes ©No E3 Business Bankruptcy It yes,please provide explanation: Owner/Officer Information: Owner I Name: Collier County Florida,a Political Subdivison of the States Owner 2 Name: "dsdla:ul.Lau int txede se)s!.La el Title: Andy Solis,Chairman Title: Address line 1: do Len Price,Department Head for Administration Services Address Line I: Address Line 2 3299 Tamiami Trail East,Suite 601 Address Line 2: City: Naples State FL Zip 34112 country US _ City. State Zip Country Horne Phone:239-252-8908 Celt Fax: Home Phone: Cell: Fax: E-mon Address: Len.Price@colliercountyfl.gov E-mail Address: US Citizen: Yes 0 No US Citizen: Yes 0 No American Express: EXISTING ACCOUNTS:It yen arrrnty adept AXP payments,ard your AXP vdumo Is marathon s1MM annually,you moot eubrrul your existing AXP#. Flame submit your current SEP and vie volt convey this IoAMEX. basting AXP SEA NEW ACCOUNTS:If you do not sweetly acrxpt AXP payments,and your annul volume is less than 51 MM,we wdi assign you an AXP#fa this account as you can start accepting AXP payments.If you do not currently have an AXP#,and your annual volume is more lhrn 5l MM we wl direct ynd to AXP to direct setup.In the event your vdume exceeds more Nan SIMM ennuaily,you may be moved direcl y to AXP.Opt out of AXP Offers and Promotions:If yea do not ash to receiver future offers a promotions of AXP products or seroces from AXP via offline or online means(sat as u aJitonal mail and telephme),please contact metered serxw with applicable law.for us to process your op at request emit aslomer senate al•esast4ielpay.00m. Merchant has the right not to accept at Cad Aesaiolon cad typos.Some Point d Salol software and prngrame cannot pohibil the acceptance of spOOifie types of payment cards.Setae to lie merchants responsibility to enforce this.If you qualify, Jebay as processor,and not Merchant Bank,volt setae American Express. Acquiring Bank Disclosure MemborBank(Acquired Responsibilities: Important Merchant Responsibilities II EMO barns Bank N.A.15o N.Martingale Rd,Ste sou Sdaamboi0,IL 60173847-740-bvL3 I.The ti,ox nme rely a bli c+ Ll,nenyinuo ci esel I En:u,e Comri,e+in eel Annedae'ao'cey.arlxh rayrervuu,xnr. Crgsmvatim pmdccls,Hcsdr fooMeroteri 3.Mint.Vaud ar•d dtargebahs hekmCad Orgadeavm nneshdds, 2. The Berk mast lea p.atdpal(signa)to the Merchant Agreement 3.Reoiew Indsmdcrarnd the terms cf thetkichnt Agreement. Pteceosm Olsclosure a.its Barihsespcesdola ofus-atingrrxacl,aus on pout vdVna 4.Ccellyw.th Cord O,gnoabonrukv. Procelia grind throughout this agre'.:ent will refer in Po entity,JetPay Paymn'.)new).aS,TX, and 6h,lM'ai Rules seth vdrkh Akrchnh mustcomph.and S.Retaw a serial copy of Nn dsdoswepago. ILC,3361Boyhng'mOr.S•:e.180 aridlton,TX:vOOd.Incumbinatimxi".JelPo,r'ayn' t hi,inram,pati;.,horam+dwdtePraeatx. Merchant Resources: Seuviobc,FL,LLC.Jetl'aymyc,Acquire lu'•scvlyer NeOWak and Ain,Ren F',de;'et ,dub) 4.The Banka:relpm ti la std nus!provide esorluuru Ifonds to p. ;a3h�;';y.-��,�;./;;;;'y;;.erc:,:;+;„.,:'.�.:•L::,.p".. card hansadions. het,kaolrat llsru_:: :9::ct:::.Warr: ter.: -5kyr_ss^�-.7,,:ras.dd 5.The Bank Isiespoeslbk for dttund,holl in memo. adip .0,A0VrAMIpPr Signature: / ✓ Dale:Vim\\1`."T'] A overt as o f and legali• ATAFiT 'n ev .2 01&FL Page I C r. TA • L L l{ A11 jam:,y P, rel S ccs,TX,LLC Is a registered ISO/MSP of BMO Horrls Sank N.A.,Chi o,IL. g ►. / =.: Scott ea BY: :1tl•4�tlt a , eputy CountyAttc , cinn,nhirA nnWV: IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIINIIIIMIIIIIIIIIIIIMIIII it WWW.JETPAY.COM Phone:877-813-0199 Merchant Application & Agreement QIR Certification: ❑ Virtual Terminal: Name: 0 Gateway Name: Number: 0 Software Name: Third Party Chargeback Service Company: Banking Information: Public Utilities DepositesMain Deposit Account-Landfill Deposites ®Main Deposit Account © - Bank Name 1: First Florida Integrity Bank Bank Name 2: First Florida Integrity Bank Collier County Board of County Commissioners Account Nome 1: Collier County Board of County Commissioners Account Name 2: Account Type I: Locations 120, 131,& 132/Utilities Account Type 2: Location 144/Landfill Routing#1: 53000010 Routing#2: 53000010 Account#1: 1058522 Account#2: 1056506 ' Disclaimer MERCHANT may select to participate In third party services that are not provided by BANK.MERCHANT agrees that BANK is not a party to any agreement for services that are provided by a third party and any such agreement Is strictly between MERCHANT and the company providing the service.MERCHANT must be approved by each third party company and each company may send Its teens and conditions to the address of MERCHANT indicated herein upon such approval.MERCHANT agrees to be bound by such companys tens and conditions. Acknowledgments and Signature By executing this Merchant Application and Agreement("Merchant Application')on behalf of the merchant described above(the-Merchant),the undersigned Individual(s).(11 represent(s)and warrant(s)that all Information contained in this Merchant Application is true,correct,and complete as of the date of this Merchant Application and any fines,losses,or penalties that arise due to In-accurate information will be assessed to the Merchant,and that such individual(s)have the requisite corporate power and authority to complete and submit this Merchant Application and provide the acknowledgments,authorizations,and agreements set forth below,both on behalf of the Merchant and individually;(ii)acknowledge(s)that the Information contained In this Merchant Application is provided for the purpose of obtaining,pricing,and acceptance for processing or maintaining a merchant account with Processor and Bank on behalf of the Merchant;(xi)authorize Processor and Bank to Investigate the credit of Me Merchant and each person listed on this Merchant Application;and (iv)agree,on behalf of the Merchant and in the event this Merchant Application is accepted and executed by Bank and Processor,to all of the terms and conditions set forth in the Merchant Agreement(defined below), Schedules,Addenda,and Fees,as shown in ExhibitlAppendixlSchedule A as a separate attachment or fees listed th a separate agreement = signing below,you acknowledge that you have read,understood and agree to those terms and conditions and that you agree to accept electronic notification of any changes to those teens and conditions as •sled from time to time at the Pro r . •• B address for merchant terms listed above.If the merchant is a corporation,its proper Corporate Officers must sign.This Agreement may be signed by one or more..nterparts a all signed agreem: • • .e , •idered as one,below and by signing below state they are valid signers for such corporation. The parties hereby incorporate the attached ' rchant d P . . _ . d .'ditions with it's Exhibits. Merchant Owner 1Date: �r\�\\\<-1Signature of office/Owner: Merchant Owner 2 Date: Signature of officer/Owner: Bank Signature and&title: Date: (14 � ra Processor Signature and& ���� / 4/(144.1 erre, • - iDte: tIt /t/I tVz6/6 _ title: r�l ATTEST W^ ,T V- , j Ans. ov-d as o and legality CRYSTAL 4.40.;1- • .. ; i� -Attest as to chairman's ,' IMr'ORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT To help the government fight the funding of terrorism and money laundering activities,Federal law requires all financial institutions to obtain,verify,and record information that identifies each beneficial owner who has 25%or more of ownership and all controlling person(s)of this entity. Rev:2.2.08272018-FL Page 2 JetPay Payment Services,TX,LLC Is a registered ISO/MSP of BMO Harris Bank N.A.,Chicago.IL. WWW.JETPAY.COM Merchant Application & Agreement Phone:877-813-0199 NATURE OF BUSINESS: What type of service or product is being sold: Merchant Type: O Relat Restaurant MOTO OInternet/Gateway Other: Sales Method:(by percent,total should=I GO%) Retail Swipe % Internet % Mail Order % Phone % Mobile % When is the card charged$ On Order 0 On Shipment Other(please explain): 0 Recurring Payments % When is the product or service delivered? O Time of Sale I-3 Days O A-5 Days O 6-10 Days ❑I 1-15 Days O 16+Days Seasonal Sales? Yes ONe If yes,check all that apply; Jan O Feb Mar OAm May OJun Jul Aug OSep 0Oc1 O Nov 0 Deo Refund Policy: No Refund O 30 Days or less O Exchange O Other: Merchant PCI DSS Information Public Utilityy D�epparment e-mail IS YOUR ORCA7.113A7i9N CURRENTLY PCI DSS COMPLIANT;®Yeses No PCI Contact Name: Jhonv DesinorJhonv.Desinore.collien If YES,Merchant MUST submit a current PCI DSS certificate in order to OPT OUT of Processor's Compliance Program(not PCI Breach Insurance). Active PCI DSS compliance is required to obtain a merchant account.By participating in Processor's PCI Compliance program,you wiT gob access to PCI DSS compliance documentation-assistance in completing tasks requked to become complaint and gain PCI breach insurance policy coverage.Your coverage will begin on the first day of the month after signing this agreement.The above contact wit be contacted with login Information.Contact comptancemletpoy.com for additional information regarding the Processor's Compliance Program and PCI Breach Insurance.This provided name and email will be contacted with login credentials. Card Brands to Accept: © VISA © MC © DISC PIN DEBIT © AMEX "Merchant shall certify PCI compliance for each additional location. Rev:2.2.08272018-FL Page 3 JetPoy Payment Services,TX.LLC is a registered ISO/MSP of BMO Harris Bank N.A.,Chicago,IL. Appendix A— Collier County Board of Commissioners Boarding Set Up 1. CIS SYSTEM UTILIZED: inHANCE&CityView and other County Departments as identifed 2. WEB MODULE UTILIZED inHANCE—Transaction Warehouse/CityView—JetPay MAGIC Re-Direct, JetPay fully Hosted as requested for all other departments 3. IVR SYSTEM UTILIZED: inHANCE—Transaction Warehouse/JetPay for all other departments 4. POS SYSTEM UTILIZED: JetPay MAGIC Fully Hosted or Standalone EMV,Parkeon Vending 5. POS DEVICES UTILIZED: Pax S300,Pax S500,Pax S90 and Verifone 520 6. Merchant Category Code: 9399&4900 7. FEES: Set Up Fees $0.00 FIXED Recurring Fees(monthly/annual) $0.00 Accepting Credit and Debit Cards Yes Transactional Fees Public Utility Department-2.0%plus$.25/All other Departments/Divisions 2.0% Fees to be paid by Client Accepting eChecks Yes Transactional Fees $0.20 per eCheck 'Fees to be paid by Client Re-presentment count 1 Miscellaneous Fees Options: Kiosk-$500.00 EMV Swipe Readers:no charge Miscellaneous Fees Charge-backs(credit cards) $10.00 Paid by CLIENT Credits $0.00 Paid by CLIENT Non-NSF Check Returns $0.00 Paid by CLIENT NSF Check Returns` $20.00 Paid by PAYER Any changes to this Appendix will be in the form of an Amendment,executed by all Parties li BANK DISCLOSURE Processor Information: Acquiring Bank Information: JetPay Payment Service,TX. LLC BMO Harris Bank N.A 3361 Boyington Dr., Suite 180 150 N. Martingale Rd.Ste.900 Carrollton,TX. 75006 Schaumburg, IL 60173 (800) 834-4405 847-240-6600 I Important Member Bank Responsibilities: • The Bank is the only entity approved to extend acceptance of Card Organization products • Important Merchant Responsibilities directly to a Merchant. • Ensure compliance with cardholder data security • The Bank must be a principal(signer)to the and storage requirements. Merchant Agreement. • Maintain fraud and chargebacks below Card • The Bank is responsible for educating Merchants Organization thresholds. on pertinent Visa and MasterCard Rules with • Review and understand the terms of the which Merchants must comply;but this Merchant Agreement. information may be provided to you by • Comply with Card Organization rules. Processor. • Retain a signed copy of this Disclosure Page. • The Bank is responsible for and must provide settlement funds to the Merchant. Merchant Resources You may download"Visa Regulations"from Visa's website http://www.mastercard.com/us/merchant/support/rules.html at: You may also visit JetPay's website for more information http://usa.visa.com/merchants/operations/op reeulations.html on PCI,Merchant Terms and Conditions at: You may download"MasterCard Rules"from MasterCard's http://www.ietpay.com/merchant/merchant-services,php website at: The responsibilities above do not replace the terms of the Merchant Agreement and are provided to ensure the Merchant understands some important obligations of each party. ROCESSOR DISCLOSURE: rocessor listed throughout this agreement will refer to the entity,JetPay Payment Services,TX, LLC,3361 Boyington Dr.Ste.180,Carrollton, X.75006.JetPay is your Acquirer for American Express and Discover Network card transactions. Merchant Information Business Legal Name'x <3SGD:••,,--L-V. -_' i-NO'Stnlame: • Principal Name: 't- -)10.119:/. Title: �i --`cw'w`L Signature: ,' Date: \ L�\\\% ATTEST CRYSTA KIlVZEL,CL t , • )proves as ,, 'e d legality • 6111 � t as to Chairman s,!,4) / / f S �A cath, Dcputy County Attorney (( 4'L �s;Old f.� l di ii-e r s' JetPay Payment Services, , C is a registered ISO/MSP of BMO Harris Bank, N.A. A JP FL 08242018 Merchant Card Processing Terms and Conditions The Merchant Agreement("Agreement"), made as of the Effective Date by and among Merchant, Processor, and Bank, consists of the completed application form for Merchant submitted to Processor("Merchant Application"),these Merchant Card Processing Terms and Conditions, and all exhibits, addenda, attachments, and schedules incorporated in the Merchant Application and these Merchant Card Processing Terms and Conditions, as each may be modified or amended in accordance with their terms. Processor,as an agent of Bank,provides certain Services,and subject to Processor's approval of Merchant for the Services in accordance with the Agreement,Merchant desires to use such Services. All capitalized terms used in the Agreement and not otherwise defined shall have the meanings ascribed below. JetPay Payment Services, FL, LLC is a wholly-owned subsidiary of JetPay Corporation, and will use JetPay Payment Services, TX, LLC ("Processor"), that is also wholly-owned by JetPay Corporation, as the processor for all payment processing activities. Processor Disclosure The Processor is: JetPay Payment Services, TX, LLC, a Texas limited liability company, whose address is: 3361 Boyington Drive, Suite 180, Carrollton, TX 75006 MERCHANT AGREEMENT In consideration of the mutual promises and covenants contained in this Merchant Agreement ("Agreement"),the parties agree as follows: 1. Parties. The parties to this Agreement are ("Bank", as set forth on the Merchant Application & Agreement, with respect to Visa and Mastercard Transactions), JetPay Payment Services, TX, LLC, a Texas limited liability company whose address is 3361 Boyington Drive, Suite 180, Carrollton, TX 75006 ("Processor"), and the Merchant set forth on the Merchant Application and Agreement to which this Agreement is attached ("Merchant"). 2. Definitions. For the purposes of this Agreement and the Exhibits, Addenda, Attachments and Schedules referred to herein, the following definitions apply unless the context otherwise requires: (a) Address Verification shall mean a service that allows Merchant to verify the home address of Cardholders with the relevant Issuer. (b) Authorization shall mean an affirmative response, by or on behalf of an Issuer to a request to effect a Transaction, that a Transaction is within the Cardholder's available JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 1 credit limit and that the Cardholder has not reported the Card lost or stolen. All Transactions require Authorization. (c) Authorization Center shall mean the facility or facilities designated from time to time by Bank or Processor to which Merchant shall submit all requests for Authorization. (d) Business Day shall mean any day other than (i) a Saturday or Sunday, or(ii) a day on which banking institutions are authorized by law or executive order to be closed (and on which Bank is in fact closed). (e) Card(s) shall mean either American Express, Visa, Mastercard, or Discover Network credit card,debit card, or other similar card that may or may not require a PIN for identification purposes, or pre-paid, stored-value or gift card. (f) Card Association(s) shall mean American Express Travel Related Services Company, Inc. (AXP), VISA USA, Inc. ("Visa"), Mastercard International, Inc. ("Mastercard"), Discover Financial Services, LLC registered trademark ("Discover"), and each Debit Network determined by Processor through which debit transactions submitted by Merchant may be routed by Processor from time-to-time. (g) Card Association Operating Rules are relevant portions of the Visa International Operating Regulations, the Mastercard Rules, the American Express Merchant Requirements, the Discover Merchant Operating Regulations, and the bylaws, rules, regulations, policy statements, guidelines, bulletins, notices, and similar documents issued by the Card Associations, and may be obtained through the Card Associations' own websites or by contacting Processor directly at: assist@jetpay.com. (h) Cardholder (also referred to as "Card Member" or "Cardmember" in some Card Association materials) shall mean a person authorized to use a Card. (i) Chargeback shall mean a Transaction that Bank returns to Merchant pursuant to this Agreement. (j) Data Breach means any alleged or actual compromise, unauthorized access, disclosure, theft, or unauthorized use of Card information, Cardholder information, or Confidential Information, regardless of cause, including without limitation the intrusion of any system,failure,malfunction,inadequacy,or error affecting any system, or its hardware or software, through which Card or Cardholder information resides, passes through, and/or could have been compromised. (k) Fees shall mean the rates, fees, network fees, and/or assessments charged by the Card Associations,Processor and the Bank as set forth in Appendix A to the Merchant Application and Agreement. The Card Associations charge Processor and Bank these fees in order to facilitate a Transaction. These "Fees" include interchange and assessments for Visa,Mastercard,American Express and Discover Network along with all associated fees in their operating rules and Discount Rate, Network Fee, for American Express as outlined in their operating rules and regulations (I) Issuer shall mean a member of an Card Association that enters into a contractual relationship with a Cardholder for the issuance of one or more Cards. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 2 (m)Merchant Statement shall mean an itemized monthly statement of all charges and credits to the Operating Account (as that term is defined in Section 17 of this Agreement). (n) PA-DSS shall mean the certification of a Payment Application as within PCI DDS compliance standards as listed by the PCI Security Standards as listed by the PCI Security Council currently available at: https://www.pcisecuritystandards.org/document library?association=PA-DSS (o) Payment Application shall refer to software and/or hardware that are used to facilitate a payment transaction. This shall include but not be limited to payment terminals, gateways, hospitality management surplus, virtual terminal, and retail POS systems. (p) PCI shall mean the then-current standards, rules, policies, procedures, and guidelines promulgated by the PCI Security Standards Council,LLC(or any successor organization), including without limitation the Payment Card Industry Data Security Standard and the Payment Application Data Security Standard, accessible at https://www.pcisecuritystandards.org/. (q) Pre-Authorized Recurring Order Transactions shall mean Transactions that have been pre-authorized by the Cardholder and for which the goods or services are to be delivered or performed in the future by Merchant without having to obtain approval from the Cardholder each time. (r) Services shall mean the transaction processing services provided by Bank or Processor under this Agreement. (s) Transaction shall mean the acceptance of a Card or information embossed on the Card for payment for goods sold and/or leased or services provided to Cardholders by Merchant and receipt of payment from Bank or Processor, whether the Transaction is approved, declined, or processed as a Forced Sale. The term "Transaction" also includes credits, errors, returns disputes, and adjustments. (t) Merchant is also referred to"Collier County Board of County Commissioners"or, "County". (u) Processor is also referred to as"Contractor". (v) Parties shall mean, the Merchant, Processor, and Bank, collectively. (w)Request for Proposal shall refer to the solicitation issued by the County under#18- 7284 "Payment Processing and Related Services, including any solicitation exhibits/attachments and addendum, attached hereto as Exhibit A. (x) Processor's Proposal shall refer to the proposal submitted by the Processor in response to the County's Request for Proposal #18-7284 "Payment Process Related Services,"attached hereto as Exhibit B. JetPay Payment Services, TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 3 3. Merchant agrees to participate in the card processing services program established by Bank and Processor. 3.1 Contact with Merchant. If Merchant elects to receive messages from Bank, Processor, and Card Associations regarding products, services and resources available to it, as indicated on the Merchant Application, Merchant agrees messages may be sent by Bank,Processor,and Card Associations to the phone numbers, facsimile numbers,or email addresses provided by Merchant. If a wireless number is provided, Merchant agrees communications may be sent via SMS or text in addition to automated calls.Merchant may opt out of receiving messages by contacting Processor at assist.opt-out@jetpay.com. Opting-out will not preclude you from receiving important transactional or relationship messages from Bank, Processor, and Card Associations. 4. Processor to provide services to Merchant. During the term of this Agreement, subject to the terms and conditions of this Agreement, Processor agrees to provide technical documentation and support in order to allow Merchant to accept and process Transactions. Processor shall provide technical support and customer support for all Transactions, including, without limitation, Authorization, Settlement, Chargeback processing and reporting, twenty- four hours each day, seven days each week(Settlement in conjunction with non-bank holidays and weekends) during the term of this Agreement. Processor agrees to provide Merchant with the Services on Appendix A to the Merchant Application and Agreement and as outlined in Exhibit A— Merchant's Request for Proposal and Exhibit B —Processor's proposal attached hereto. This Agreement may be amended from time to time by the parties, subject to the terms and conditions of this Agreement.As permitted by law, Merchant authorizes: (a)Processor to obtain a credit report (and subsequent credit reports throughout the Term) on Merchant; (b) Bank and any other financial institutions used by Merchant to release financial information and account information to Processor; and (c) Processor to disclose information and data regarding Merchant including without limitation credit report information, financial information,and information regarding Merchant's transactions,disputes,and other activity to Bank, the Card Brands, governmental agencies, without liability to Merchant. Merchant understands that Processor is obligated to report certain information, including but not limited to Merchant's and its officer's identification information and transaction activity to governmental agencies in accordance with applicable Law. Merchant will establish and maintain a privacy policy and will ensure such policy allows the sharing of information regarding each customer and transaction with Processor,Bank,and each Card Association,and notes that each such party may use or disclose the information in accordance with their own respective rules and regulations.Processor provided a proposal in response to the Merchant's solication #18-7284 "Payment Process Related Services." The Processor agrees to provide Merchant the services as outlined in the Processor's proposal, as Exhibit B. The parties agree to incorporate into this Agreement the County's Request for Proposal #18-7284 "Payment Process Related Services," including any solicitation exhibits/attachments, addendum, and Merchant's proposal, as Exhibit A. 5. Compliance with Card Association Operating Rules. The terms of the Card Association Operating Rules form a part of and are incorporated into the Merchant Agreement. To the extent permitted by law, Merchant agrees to comply with the Card Association Operating JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 4 Rules, as the same may be amended from time to time.The Card Association Operating Rules may change with little or no advance notice to Merchant and Merchant will be bound by all such changes. In the event the provisions of this Merchant Agreement conflicts with the provisions of the Card Association Operating Rules, this Agreement would govern. 6. Term. This Agreement shall begin on the Effective Date and shall remain in full force and effect for an initial term of five (5) years ("Initial Term"). This Agreement may be renewed for successive two(2)additional three(3)year periods(each a"Renewal Term")unless parties give written notice of termination of this Agreement at least ninety (90) days prior to the expiration of the then-current Term, in which case this Agreement will terminate at the end of the then-current Term. 7. Merchant Operating Account. Prior to accepting any Cards, Merchant shall establish a demand deposit account at a financial institution approved by Bank and Processor("Operating Account"), through which fees, charges and credits due in accordance with this Agreement may be processed. 8. Fees. Merchant agrees and shall pay Bank and Processor all fees specified on Appendix A to the Merchant Application and Agreement, as amended by the parties from time to time. 9. Billing. Processor will invoice all amounts owed to Bank or Processor in a month by the fifth day of the subsequent month or the next business day if the fifth day is a weekend or a holiday. Merchant authorizes Processor to debit Merchant's account or Merchant will submit payment to Processor separately on or by the fifth day of the subsequent month or the next business day if the fifth day is a weekend or a holiday. 10.Account Monitoring. Merchant acknowledges that Bank or Processor will monitor Merchant's daily credit card transaction activity. Merchant agrees that Bank or Processor may upon reasonable grounds, divert the disbursement of Merchant's funds and/or temporarily suspend processing under this Agreement and/or terminate this Agreement, and Bank or Processor shall provide Merchant with notice of such action.Reasonable grounds shall include, but not be limited to, the following: suspicious or unusual transaction activity; material variance in the nature of Merchant's business, type of product and/or service sold, average ticket size, monthly volume or swiped/keyed percentages, from such disclosures made by Merchant in this Agreement; Merchant does not authorize transactions; Bank or Processor receives excessive retrieval requests against Merchant's prior activity; excessive chargebacks are debited against Merchant's prior activity. If the Merchant's funds are diverted by Bank or Processor or Bank or Processor has temporarily suspended processing under this Agreement, such diversion or suspension shall be for any reasonable period of time required by Bank or Processor to fully investigate Merchant's account activity and resolve, to Bank or Processor's sole satisfaction, the subject questionable, suspect or fraudulent transactions or activity of Merchant. Any funds diverted shall be maintained by Bank or Processor in a non-interest bearing account at Bank or Processor. Bank or Processor shall have no liability for any losses, either direct or indirect, which Merchant may attribute to any reasonable diversion of funds, suspension of processing or termination of this Agreement by Bank or Processor pursuant to this paragraph. Notwithstanding anything to the contrary in this Agreement, Processor shall reimburse Merchants for any banking fees and/or loss of interest that are incurred due to JetPay Payment Services,TX, LLC is a registered ISO/M5P of BMO Harris Bank N.A., Chicago, IL 5 Processor's or its subcontractor's error in the clearing and settlement of any credit card and e- check payments. 11. Equipment. Merchant is solely responsible for obtaining and maintaining all software and equipment necessary to use the Services, or otherwise used in conjunction with the Services, including but not limited to point-of-sale systems, terminals, gateways, card readers, and pin-pads (collectively"Equipment"). Usage. Merchant will only use the Equipment in accordance with the operating instructions for such Equipment. Merchant will promptly notify Processor of any equipment malfunction, failure, or incident relating to the Equipment. Merchant will ensure such equipment is approved by Processor and properly interfaces with Processor's systems and understands that Processor will have no liability for and will not be obligated to process any transactions which are not submitted to Processor in accordance with the Rules and Processor's Policies,including but not limited to Processor's transaction entry formats and other technical specifications. If Processor does process any improperly formatted or submitted transactions, such transactions may be subject to rate tier downgrades or other fee increases, to the extent specifically permitted in Appendex A. Processor's approval of any Equipment will not constitute a representation or warranty that such Equipment will operate error free, function properly, interface with Processor's systems, or otherwise fulfill any function desired by Merchant. Setup. Merchant will be solely responsible for the installation of such Equipment and any alterations necessary for such installation. Processor will not be liable for any delay or incompletion of an installation of Equipment. Merchant will be responsible for maintaining and paying for electrical power and a secured phone line or other secure internet connection to be used solely by the Equipment to communicate with Processor. Security. Merchant will ensure all Equipment used complies with the PCI Rules and all other applicable Rules. Merchant is solely responsible for the security, safekeeping, and proper operation of all Equipment. Merchant will adopt all security measures and processes necessary to prevent unauthorized access or use of the Equipment. If any loss, unauthorized use, or unauthorized access of the Equipment does occur,Merchant will immediately notify Processor. Equipment. In processing Transactions, Merchant shall use only equipment or software programs provided or approved by Processor("equipment")and related equipment installed or approved by Processor, and the following additional terms: (a)The equipment shall be suitable for processing the Services and in the event that at any time during the term of this Agreement that the equipment is not in compliance with the current prevailing PCI DSS requirement,JetPay will provide replacement equipment at no cost to the County that is in compliant with such PCI requirements; JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 6 (b) Merchant will provide, at Merchant's expense, suitable electric power and telephone services and will pay for any alterations to Merchant's premises required to properly locate Merchant's equipment; (c) If Merchant is using equipment, Merchant acknowledges receipt of a copy of the equipment User's Guide. Merchant will use and operate the equipment only in accordance with the equipment User's Guide; and (d) Bank or Processor will have no liability to Merchant if any installation is delayed or cannot be completed. To the extent any Equipment is leased or provided to Merchant by Processor, upon termination of this Agreement Merchant will return the Equipment to Processor in good and working order and free of damage (ordinary wear and tear excepted). Merchant will be liable to Processor for any damage to Equipment, and if such Equipment is not returned in good and working order upon termination of this Agreement, Merchant will be responsible for the cost of a new terminal (or similar Equipment satisfactory to Processor) at Processor's then-current rates. 12. Documenting Transactions. Merchant shall submit the following information to Processor and Bank or their designee in connection with Transaction processing: (a) The DBA name of Merchant(if any), name of Merchant and Merchant's address; (b) Merchant's customer service telephone number; (c) Merchant's Internet address (if applicable); (d) The Merchant Number assigned to Merchant by Bank; (e) The name, address and telephone number of Cardholder; (f) Additional information as may from time to time be required by Bank and/or the relevant Issuer; and (g) Any other information that may be required to identify and reverse a transaction. Merchant shall not submit a Transaction to Bank or Processor (electronically or otherwise) until Merchant has performed its obligations to the Cardholder in connection with the Transaction or obtained Cardholder's consent for a Pre-Authorized Recurring Order Transaction. Merchant shall not transmit any Transaction to Bank that Merchant knows or should have known to be fraudulent or not authorized by the Cardholder. Merchant is responsible for its employees' actions. Merchant may transmit a Transaction that effects a prepayment of services or full prepayment of custom-ordered merchandise, manufactured to a Cardholder's specifications, if Merchant advises Cardholder of the immediate billing at the time of the Transaction and within time limits established by the Associations. 13. Authorization for Transactions. Merchant will only submit to Processor transactions which have been authorized by the Cardholder and arise out of a bona fide transaction between a Cardholder and Merchant. Each transaction must be submitted in accordance with all JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 7 O�� applicable Rules, Policies, and Laws. Merchant will clearly identify itself as the merchant of record to each customer in connection with each transaction and provide such customer with Merchant's name and address. Authorization. Merchant will obtain an Authorization for each transaction prior to submitting such transaction to Processor. Merchant will not submit for processing any transaction which did not receive an "approved" response code in response to the Authorization request. An "approved" Authorization response code does not constitute a representation, warranty, or guaranty that the transaction is authorized by the Cardholder,the Card is legitimate,or that the transaction will not later be rejected or charged back. Merchant is solely responsible for ensuring that each Card used in a transaction is valid, authorized, and belongs to the Cardholder. Merchant understands that obtaining an authorization or processing a transaction does not constitute a guarantee of payment,and any such transaction can be returned or charged back to Merchant as set forth in the Rules. Documentation. For each transaction, Merchant will be responsible for evidencing such transaction with the appropriate transaction documentation required by the Rules, and if appropriate, obtain the Cardholders signature authorizing such transaction. Such documentation will include the Merchant's name, address, and phone number. After completing a transaction, Merchant will provide a copy of the transaction documentation to the customer, provided that Merchant will ensure such copy of the transaction documentation is formatted in accordance with the Rules and Laws, including but not limited to the truncation of Card numbers and expiration dates. If required by Bank or Processor, in connection with each transaction Merchant will obtain from the Cardholder information required by Bank or Processor, including but not limited to the name, address, and telephone number of the Cardholder. Within one business day of Processor's request, Merchant will provide a copy of all information and transaction documentation to Processor, provided however that Merchant will not provide Processor with any Protected Healthcare Information(as defined in the Health Insurance Portability and Accountability Act of 1996, as amended) in connection with any transaction or otherwise without providing written notification to Processor of the status of such information. Such documentation will include evidence of a terminal capture or Card imprint for each Card present transaction. Merchant is solely responsible for maintaining complete backup records and documentation of information relating to its customers' orders, inquiries, purchases, sales, and other customer information in accordance with this Agreement and all applicable Laws and Rules. Responsibilities. Merchant will fulfill each transaction by delivering the goods or providing the services prior to submitting the transaction to Processor for processing, unless such transaction is a pre-authorized transaction which complies with all Rules and Laws applicable to pre-authorized transactions and adequate written permission has been obtained from (with a copy of such permission provided to) the Cardholder. Merchant will not submit any pre- authorized transaction if such authorization had been revoked prior to the submission of such transaction or if the Card has expired or otherwise become invalid. For each card not present transaction, Merchant will verify and submit to Processor: the Cardholder's address through the address verification functionality (and the results of such verification along); the Card's security code (CVV2 or equivalent); and a designation specifying the order type (mail order, JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 8 CAO telephone order, e-commerce order,or pre-authorized order). Merchant will not retain or store any magnetic stripe information, CVV2, or equivalent data after authorization except as explicitly required by this Agreement,the Rules, or any applicable Law. Transaction Restrictions. Merchant will not submit to Processor any transaction: (a)Merchant knows is illegal or should know is illegal; (b) Merchant knows, or should know, is fraudulent or unauthorized; (c) which violates any Rule or Law; (d) originated through any method (e.g. card present,mail order,telephone order,e-commerce order,or pre-authorized order)which is not designated on the Merchant Application or which has not been approved by Processor; (e) which represents a sale to any principal, partner, or owner of Merchant; or (f) in connection with any Merchant location other than those locations set forth on the Merchant Application. Additionally, Merchant will not: (g) obtain multiple Authorizations for amounts less than the total sale amount; (h) obtain an Authorization for the purpose of setting aside a Cardholder's credit line for use in future sales; (i) extend credit for or defer the time of payment of the total cash price in any transaction; (j) extract any agreement or security from a Cardholder in connection with a transaction; (k) submit any transaction that was not originated directly between Merchant and a Cardholder for those goods or services set forth on the Merchant Application and provided by Merchant; (1)use Merchant's own Card or the Card of any owner or principal in any Transaction; (m) initiate any credit unless the Account contains sufficient funds to pay for such credit; (n) use the Equipment for any purpose other than use of the Services; (o) use any information obtained in connection with this Agreement to evaluate, or draw or convey any inference concerning, a person's creditworthiness, standing, capacity, character, general reputation, personal characteristics, or mode of living; (p) disclose any information obtained regarding a transaction to any third party except as required by the Rules or Laws; (q) add any tax to a transaction unless required by Law; (r) disburse funds, cash, travelers checks, or cash equivalents to a Cardholder in connection with a transaction (except as explicitly allowed by the Rules); or (s) accept any Card for an unlawful transaction, including without limitation any unlawful internet gambling transaction. Refunds. Merchant will maintain a fair exchange and return policy and clearly disclose such policy to its customers(prior to and at the time of any reservation or transaction). If no refund or return will be given, Merchant will advise the Cardholder in writing that the sale is a"final sale"and that"no returns"are permitted at the time of the transaction. Merchant will issue all refunds, returns, and other credits to the Card used in the corresponding purchase transaction, and will not issue any refunds, returns, or other credits to such Card which, in the aggregate, exceeds the amount of the original purchase transaction. Merchant will not provide cash or any cash equivalent to the Cardholder in connection with any return, refund, or other credit if the original transaction was paid for using a Card. Merchant will retain sufficient information and/or transaction documentation to identify a transaction and be able to issue a refund upon a customer's request. Disputes and Chargebacks. Merchant will provide customer service to each Cardholder and customer with regard to each transaction and will be solely responsible for resolving any dispute with a Cardholder. With regard to each dispute, Merchant will maintain a written record of, and provide to Processor upon request,the following information: the Cardholder's name; the Card number; the date and time of the asserted claim; the nature of the claim; and JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 9 C the action taken by Merchant to attempt to resolve the claim. If a Cardholder disputes any transaction, if a transaction is charged back for any reason by the Card issuing institution,or if Processor,Bank,or a Card Brand has any reason to believe a pending transaction or previously processed transaction is questionable, not genuine, or otherwise unacceptable, the amount of such transaction may be charged back and deducted from any payment due to Merchant or may be charged against the Account, or any other account in Merchant's name. Merchant acknowledges and agrees that it is bound by the Rules with respect to any chargeback and, if Merchant disagrees with any chargeback, it must notify Bank and Processor of its decision to dispute such chargeback and provide all related documentation within ten (10) days of the chargeback. Merchant further acknowledges that it is solely responsible for providing Processor, Bank, and each Card Brand with any available information to re-present a chargeback and that, regardless of any information provided or not provided, Merchant shall be solely responsible for the liability related to such chargeback. A list of the reasons for chargebacks and the process for resolving chargebacks is set forth in the Rules. Chargebacks, returns, and other credits will be set off against the proceeds of processed transactions on a daily basis. If the amount of any chargeback, refund, return, or other credit is uncollectible through withholding the current transaction proceeds for Merchant or withdrawing from the Account, upon demand from Processor, Merchant shall pay to Processor the full amount of such chargeback, refund, return, or other credit. Merchant agrees to satisfy directly with the Cardholder any claim, chargeback, or compliant arising in connection with any transaction, regardless of whether such claim or compliant is brought by the Cardholder, Processor, Bank, an issuing bank, or any third party. Settlement Redirection. Merchant acknowledges that any payment made or credit given to Merchant as settlement for a Transaction is an advance of funds, until the Transaction is not capable of being subject in whole or in part to a Chargeback or other adjustment. Processor and Bank may monitor Merchant's transactions and may, at their sole discretion, refuse to process, chargeback, reverse, or redirect the proceeds of any transaction which Processor or Bank deems or suspects to be fraudulent,suspicious,unusual,or unauthorized,that varies from transactions typical of Merchant's business or those set forth on the Merchant Application,that is submitted through unauthorized payment methods, or which Bank or Processor otherwise determine, in their sole discretion, to be in violation of this Agreement, the Rules, Laws, or likely to be charged back. Redirected transactions will be deposited into an Account and held in until,at Processor's sole discretion: (a)an investigation related to such transactions has been completed and Processor and Bank deem the maintenance of such amount is unnecessary to secure the obligations of Merchant with respect to such transactions; or (b) such amount is released. Processor and Bank shall have no liability to Merchant or any third party for the redirection of any funds otherwise due to Merchant into an Account. Card Recovery. Merchant will not complete a transaction and should attempt to recover a Card by reasonable, peaceful means if: the Card number appears in a card recovery bulletin issued by the Card Brands; Bank or Processor request its retention; or if Merchant receives notification of cancellation, theft, or counterfeiting. Merchant must immediately notify Processor and Bank that it has recovered such Card and request further instructions. Under no circumstances will Merchant engage in any act of violence or otherwise breach the peace in connection with the recovery of any Card or otherwise. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 10 Merchant Locations. Additional Merchant locations may be added to the Merchant Application and Agreement at no additional cost beyond those identified in Appendix A. Merchant shall certify PCI compliance for each additional location. 14. Prohibition of Furnishing Account Information. The parties shall not, without the Cardholder's consent, sell,purchase,provide or exchange Card account number information in the form of Transaction documents, carbon copies of imprinted Transaction documents, mailing lists,tapes,journal rolls or other media obtained by reason of a Card,or any other data obtained through the duration of this Agreement to any third party. 15.Daily Reconciliation of Transactions. 15.1 Electronically Transmitted Transactions. Transactions will be settled on a daily basis when applicable. (Excluding Sundays and holidays) Bank and/or Processor shall deliver payment to Merchant within forty-eight(48)hours provided Bank and/or Processor receives funds from the card associations by a credit to the Operating Account of the merchant.This credit will be reduced,if necessary,by:(i)the sum of all Cardholder charges denied, refused or charged back; (ii) all refunds processed on account of Cardholders during said time period; (iii)the fees and charges, including Chargebacks, Merchant owes Bank or Processor hereunder; (iv) all taxes, penalties, charges and other items incurred by Bank that are reimbursable pursuant to this Agreement; and (v) all applicable rates, fees and charges described on Appendix A to the Merchant Application and Agreement. 15.2 Reconciliation of Transactions. Merchant shall reconcile each settled Transaction within fifteen (15) days after the date on which such Transaction is submitted to Bank for payment, and shall notify Bank and Processor immediately in writing of any discrepancies or errors Merchant notes as a result of such reconciliation. In any case, Bank and/or Processor are not responsible for any downgrades assessed in merchant fees. When asked Processor will work with Merchant to help transactions qualify at their best rate. Neither Bank nor Processor shall have any responsibility or liability for Transaction-related errors or omissions that are brought to their attention more than thirty (30) days after the date on which the Transaction to which such error or omission relates is first presented to Bank for settlement. 15.3 Provisional Credit. Any credits to the Operating Account are provisional only and subject to revocation by Bank until such time that the Transaction is final and no longer subject to Chargeback by the Issuer, Cardholder or Associations. Bank may withhold payment for a Transaction to Merchant, for any reason, until such time as the Transaction has been verified as legitimate by the relevant Issuer or Bank and/or Processor receive adequate supporting documentation from Merchant to authenticate the Transaction and mitigate Chargeback risk. 16. Merchant Statement. For Merchants that absorb the transaction fee, at least once per month, Bank or Processor shall provide Merchant with a statement online(the"Merchant Statement"). All information appearing on the Merchant Statement shall be deemed accurate and affirmed sJetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 11 by Merchant unless Merchant objects by written notice specifying the particular item in dispute within thirty(30) days of the date of the Merchant Statement. 17.Retention of Original Sales Information. Merchant shall retain the information required by Sections 14 and 15 for seven(7)years from the date of the Transaction.At the request of Bank, Merchant shall provide such information to Bank or Processor, as directed by Bank or Processor, within ten (10) days of receipt of a request from Bank or Processor. 18. Customer Complaints. Merchant shall respond promptly to inquiries from Cardholders and shall resolve any disputes amicably. If unresolved disputes occur with a frequency unacceptable to Bank or Processor, Bank and Processor may terminate this Agreement Merchant agrees to maintain the following information in writing with respect to each claim or defense asserted by a Cardholder for which Merchant has received notice: (a) The Cardholder's name; (b) The Card account number; (c) The date and time the Cardholder asserted the claim or defense; (d) The nature of the claim or defense; and (e) The action that Merchant took in an attempt to resolve the dispute. Upon request, Merchant shall furnish Bank and Processor with this information in writing within ten (10) days. 19. Confidentiality. Merchant, Bank and Processor shall treat all information received in connection with this Agreement as confidential to the extent permitted by law. Confidentiality of information contained in this agreement is subject to the requirements of the Florida Public Records Act, Chapter 119, Fla. Stat., and the Florida Sunshine Law, Chapter 286, Fla. Stat. Associations' and Issuers' Requirements. Merchant shall comply with all bylaws, rules, regulations, policies and/or guidelines of the Card Associations and any Issuer whose Cards are used to process Transactions in accordance with this Agreement. Merchant will display prominently at its place of business Approved Card Associations emblems and other promotional material and literature provided by Bank and Processor directly or through Processor. Merchant will pay all Card Association fines, fees, penalties and all other assessments or indebtedness levied by Card Associations and/or regulatory agencies to Bank, which are attributable, at the Bank's discretion, to Merchant's transaction processing or business. 20. Compliance with Applicable Law. Merchant, Bank and Processor represents and warrants that it has obtained all necessary regulatory approvals, certificates and licenses to sell any product or provide any service it intends to offer, and that it is in compliance with the Telephone Disclosure and Dispute Resolution Act and the regulations of the Federal Trade Commission and the Federal Communications Commission. Merchant, Bank and Processorshall comply with all present and future federal, state and local laws and regulations JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 12 0 pertaining to Transactions,including,without limitation,the Federal Fair Credit Reporting Act, the Federal Truth-in-Lending Act, the Electronic Fund Transfers Act and the Federal Equal Credit Opportunity Act, as amended. 21. Taxes. Each party hereto shall report its income and pay its own taxes to any applicable jurisdiction, if applicable. If Bank or Processor are required to pay any taxes, interests, fines or penalties owed by Merchant, said amount shall become immediately due and payable by Merchant to Bank or Processor. If excise, sale or use taxes are imposed on the Transactions, Merchant shall be responsible for the collection and payment thereof. Bank or Processor shall be entitled to recover of any of said taxes paid by it on behalf of Merchant from Merchant immediately after payment. The Merchant, Collier County, Florida as a political subdivision of the State of Florida, is exempt from the payment of Florida sales tax to its Contractors under Chapter 212, Florida Statutes, Certificate of Exemption#85-8015966531C-1. 22. Limitation of Liability. Notwithstanding anything to the contrary in this Agreement or to the extent limited by law, Processor and Bank will have no liability to Merchant or any customer of Merchant under any cause of action for or arising out of: (a) any loss or liability resulting from the decline of any transaction, even if such decline was wrongful or improper; (b) Merchant's retention of, or attempt to retain, any Card, whether in accordance with this Agreement or otherwise; (c) any loss caused by the Equipment, including but not limited to any loss resulting from the misuse of such Equipment,unauthorized access of such Equipment, the Equipment's non-compliance with any applicable Law or Rule, or any defect or error in such Equipment; (d) any loss caused by a transaction downgrade, whether resulting from defective or faulty Equipment, or otherwise, without regard to the owner or Processor of any Equipment; (e) any transaction not received by Processor; (f) any action or inaction of any Third Party Service Processor,including but not limited to the failure to comply with any Rules or Laws; (g) any error, omission, delay, computer virus, loss of data or records, or disclosure of confidential information; (h) a Data Breach of Merchant's systems or process or of a third party that is not caused by Processor; or(i) any interruption or termination of the Services. To the extent allowable by law, under no circumstances will Processor or Bank be liable for any lost profits, lost interest, lost business, reputational damage or for special, consequential, punitive,indirect,or exemplary damages arising out of or in any way related to this Agreement, the Services, any transaction, or for any other reason, including but not limited to damages arising out of placing a Merchant's name on any terminated merchant list for any reason, even if advised of the possibility of such damages. The total cumulative liability of Processor and Bank for any amounts arising out of or relating in any way to this Agreement, including but not limited to the malfunction of the Services,personal injury,or property damage shall, in the aggregate, be limited to actual and direct money damages in an amount not to exceed three(3) month's average Fees paid by Merchant and retained by Processor under this Agreement(for the avoidance of doubt Fees retained by Processor do not include, without limitation, interchange fees, assessments, and other fees and costs imposed by a Card Brand or any other third party in connection with the Services) measured over the twelve (12) month period immediately prior to the event giving rise to the claim, or such lesser number of months as shall have elapsed subsequent to the Effective Date. This shall be the extent of Processor's and Bank's collective liability arising out of or in any way relating to this Agreement,including alleged acts of negligence,breach of contract,or otherwise and regardless of the form in which JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 13 any legal or equitable action may be brought against Processor or Bank,whether contract,tort, or otherwise, and the foregoing shall constitute Merchant's exclusive remedy. Indemnification by the Merchant is subject to the limitation set forth in Section 768.28, Fla. Stat. MERCHANT ACKNOWLEDGES THAT BANK HAS PROVIDED NO WARRANTIES, EITHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO ANY EQUIPMENT AND THAT BANK HAS NO LIABILITY WITH RESPECT TO ANY EQUIPMENT. BANK MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE SERVICES IT PROVIDES HEREUNDER. SHOULD THERE BE ERRORS, OMISSIONS, INTERRUPTIONS OR DELAYS RESULTING FROM BANK'S OR PROCESSOR'S PERFORMANCE OR FAILURE TO PERFORM OF ANY KIND, BANK'S AND PROCESSOR'S LIABILITY SHALL BE LIMITED TO CORRECTING SUCH ERRORS IF COMMERCIALLY REASONABLE OR SUPPLYING SUCH OMISSIONS IN THE WORK PRODUCT IN WHICH THEY HAVE OCCURRED. 23. Processor Credit Investigation and Bank Auditing. Each party may audit, from time to time, compliance with the terms of this Agreement, including the Merchant Application and Agreement, in its entirety. The parties shall provide all information requested to complete the audit. Merchant authorizes parties contacted by Bank or Processor to release the credit information requested by Bank or Processor, and Merchant agrees to provide Bank and Processor a separate authorization for release of credit information, if requested. Unless required by a legal,regulatory or other similar entity,the Bank and Processor shall not conduct onsite audits of the Merchant. 24.Termination. The Merchant shall remain liable for any fees or chargebacks incurred after termination or expiration of this Agreement, if such fees or chargebacks are based on transactions that occurred before such termination or expiration. Merchant shall keep its Operating Account open for a minimum of one hundred eighty(180) days after termination or expiration of this Agreement for the settlement of such fees or chargebacks. 24.1 Termination of Agreement by Bank and Processor. Bank or Processor may terminate this Agreement upon at least thirty (30) days' prior written notice to the other parties. Any such notice of termination by Bank is effective upon delivery if personally delivered, upon confirmation of transmission if sent by facsimile transmission, upon the third business day after mailing if sent by registered or certified mail, and upon receipt if sent by reputable courier. In addition, Bank or Processor may terminate this Agreement without notice to Merchant under any of the below listed circumstances: (a) Any act of fraud or dishonesty is committed by Merchant, its employees and/or agents,or Processor or Bank believes in good faith that Merchant,its employees and/or agents have committed, are committing or are planning to commit any acts of fraud or misrepresentation; JetPay Payment Services, TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 14 C (b) Chargebacks are excessive in the opinion of Bank; (c) Breach of this Agreement by Merchant; (d) Any representation or warranty made by Merchant in this Agreement is not true and correct; (e) Merchant files a petition under any bankruptcy or insolvency law; (f) Merchant fails to maintain sufficient funds in the Operating Account to cover the amounts due to Bank hereunder; (g) Merchant's percentage of error Transactions or retrieval requests is excessive in the opinion of Bank; (h) Any insurance policy obtained by Bank, Processor or Merchant relating to Transactions and/or Chargebacks is cancelled or terminated for any reason; (i) Merchant fails to maintain PCI DSS compliance or is not using a compliant Payment Application per card association mandates; (j) If any circumstances arise regarding Merchant or its business that create harm or loss of goodwill to any Card Association. Bank or Processor may selectively terminate one or more of Merchant's approved locations without terminating this entire Agreement. In the event of termination, all obligations of Merchant incurred or existing under this Agreement prior to termination shall survive the termination. Merchant's obligations with respect to any Transaction shall be deemed incurred and existing on the transaction date of such Transaction. 24.2 Termination of Agreement by Merchant. Should the Processor be found to have failed to perform the services in a manner satisfactory to the Merchant as per this Agreement,the Merchant may terminate said Agreement for cause upon at least thirty(30) days' prior written notice to the other parties in the event Processor has not corrected the services in a manner satisfactory to the Merchant. Further the County may terminate this Agreement for convenience with a thirty (30) day written notice. The County shall be the sole judge of non-performance. In the event that the Merchant terminates this Agreement, Processor and Bank's recovery against the Merchant shall be limited to that portion of the Agreement Amount earned through the date of termination. The Processor and Bank shall not be entitled to any other or further recovery against the Merchant, including, but not limited to,any damages or any anticipated profit on portions of the services not performed. 24.3 Automatic Termination. This Agreement shall automatically terminate upon termination or expiration of the Merchant Application and Agreement. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 15 25. Third-Parties. Before using any third-party software system in the payment process that is not already listed in Appendix A or identified in Exhibit A, the Merchant shall request Processor's approval. Within thirty (30) days after receiving such notice, Processor may approve or reject for commercially reasonable purposes the usage of the third-party. In the event that the Merchant does not receive a response from Processor within the thirty(30) day period, Processor's approval is automatically granted. Processor may revoke its approval for commercially reasonable purposes with thirty (30) days' notice to the Merchant. Processor will attempt in good faith to establish an integration, in a form acceptable to the County, with third-party software systems requested by the County. 26.Existing Third-Parties. Within 10 days from executing the Agreement,the Processor agrees to provide the Merchant a deployment timeline for implemention of the location(s) Merchant is ready to commence deployment at, including the integration of Merchant's exisiting third- parties software systems that are listed in Appendix A and those identified in Exhibit A. The intergration with the Merchant's existing third-parties shall be at no cost to the Merchant. 27. Amendments to this Agreement. From time to time the parties may amend this Agreement. The Amendment must be in writing and executed by Merchant, Bank and Processor in advance. 28. Assignment.The parties may not assign,transfer, or delegate this Agreement or any rights or obligations under this Agreement, by operation of law or otherwise,to any third party without the prior written consent of each other. Any attempt by any partyto assign,transfer,or delegate this Agreement or its rights or obligations under this Agreement in violation of this Section 31 shall be void. 29.Financial Accommodations. Bank, Processor and Merchant intend this Agreement to be construed as a contract to extend financial accommodations for the benefit of Merchant. 30. Cooperation. In their dealings with one another, each party agrees to act reasonably, in good faith, and to fully cooperate with each other in order to facilitate and accomplish the transactions contemplated hereby. 31. Entire Agreement. This Agreement, including, the Merchant Application and Application, attached Fee schedules, the Rules, the Policies, Exhibit A - Merchant's solication #18-7284 "Payment Process Related Services," including any solicitation exhibits/attachments, addendum, and Exhibit B- Merchant's proposal, and all other exhibits and attachments incorporated into this Agreement by reference, constitutes the entire agreement between Merchant, Processor, and Bank with respect to its subject matter, and supersedes all prior agreements and understandings between the parties,whether oral or in writing,with respect to that subject matter. 32. Severability. If any provisions of this Agreement shall be held, or deemed to be, or shall in fact be, inoperative or unenforceable as applied in any particular situation, such circumstance shall not have the effect of rendering any other provision or provisions herein contained invalid, inoperative or unenforceable to any extent whatsoever. The invalidity of any one or JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 16 more phrases, sentences, clauses or sections herein contained shall not affect the remaining portions of this Agreement or any part hereof. 33. Notices. Except for notices provided by Bank or Processor to Merchant on the Merchant Statement, all notices,requests,demands or other instruments which may or are required to be given by any party hereunder shall be in writing and each shall be deemed to have been properly given when (i) served personally on an officer of the party to whom such notice is to be given, (ii) upon expiration of a period of three(3)Business Days from and after the date of mailing thereof when mailed postage prepaid by registered or certified mail, requesting return receipt, or(iii) upon delivery by a nationally recognized overnight delivery service, addressed as follows: If to BANK: Address listed on Acquirer Discloser With a Copy to: PROCESSOR If to Processor: JETPAY ATTN: Risk Manager 3361 Boyington Dr. Suite 180 Carrollton TX 75006 If to MERCHANT: Address listed on Merchant Application Any party may change the address to which subsequent notices are to be sent by notice to the others given as previously mentioned. 34. Governing Law.This Agreement shall be governed and construed in accordance with the laws of the State of Florida, without regard to internal principles of conflict of laws, and federal law. 35. Captions. Captions in this Agreement are for convenience of reference only and are not to be considered as defining or limiting in any way the scope or intent of the provisions of this Agreement. 36.No Waiver. Any delay, waiver or omission by Bank or Processor to exercise any right or power arising from any breach or default of the other party in any of the terms, provisions or covenants of this Agreement shall not be construed to be a waiver of any subsequent breach or default of the same or any other terms, provisions or covenants on the part of the other party. All remedies afforded by this Agreement for a breach hereof shall be cumulative. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 17 0 37. Force Majeure. The parties shall be excused from performing any of their respective obligations under this Agreement which are prevented or delayed by any occurrence not within their respective control including but not limited to strikes or other labor matters, destruction of or damage to any building, natural disasters, accidents, riots or any regulation, rule, law, ordinance or order of any federal, state or local government authority. 38. ACH Processing. When requested by Merchant, Processor will also provide ACH processing services at the rates specified in Appendix A.Merchant agrees that information supplied in this application may be used to establish a separate ACH account. If this service is requested, Merchant understands that a personal credit review may be deemed necessary and authorizes such an action. Merchant agrees that Bank and Processor will deduct processing fees from the Operating Account on a daily basis unless a monthly basis is specified on Appendix A. Merchant also agrees to pay Bank or Processor the amount of any fees, charges or penalties assessed against Bank or Processor. Merchant agrees to abide by all National Automated Clearing House Association (NACHA) rules and regulations governing ACH processing and use of their networks. 39.Honoring Cards. Merchant will accept all valid Cards when properly presented by Cardholders in payment for goods or services, subject to American Express, Visa, Mastercard and/or Discover Network rules and/or regulations requiring Merchant to elect whether it will accept credit only, debit only or both debit and credit Cards. Merchant may not (i) indicate or imply that the Card Associations endorses any Merchant goods or services, (ii) refer to a Card Association in stating eligibility for Merchant's products, services or membership, or (iii) use any marks, symbols or logos owned by any Card Association for any purpose other than those permitted in the Card Association Operating Rules. 40. Important Processor,Bank and Merchant Responsibilities. (a) Ensure compliance with payment card industry data security standard (PCI DSS) requirements. (b) Fully comply with Visa's Account Information Security Program (as set forth in the Visa Rules), Site Data Protection Program (as set forth in the Mastercard Rules), Data Security Requirements (DSR) (as set forth in the American Express Merchant Guide) and Discover Information Security & Compliance program (as set forth at Discovernetwork.com/DISC), (c) Implement and maintain those security measures, processes, encryption methods, software, and hardware necessary to ensure that Card numbers, Card security codes, transaction information, and other Confidential Information is not accessed or used for any reason or by any person other than for Merchant's performance of its obligations under this Agreement (including preventing any unauthorized access to such information through Merchant's website, Equipment, or other payment channels or methods through which Card information and other Confidential Information is received, accessed,transmitted, or stored by or on behalf of Merchant) JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 18 (d) Will not store any Confidential Information, including without limitation any Card numbers, Card expiration dates, Card security codes, or other transaction information without Processor's prior written consent. (e) Maintain fraud and chargebacks below Card Association thresholds. (f) Review and understand the terms of the Merchant Agreement. (g) Comply with all Card Association Operating Rules. 41.The responsibilities listed above do not supersede the terms and conditions of this Merchant Agreement, and are provided to ensure the parties understand their important obligations.The Card Associations are the ultimate authority whereas the parties must operate within the card acceptance procedures. 42.Discover Program Marks. Merchant is prohibited from using the Program Marks,as defined below, other than as expressly authorized in writing by Processor. Program Marks mean the brands, emblems, trademarks, and/or logos that identify Discover Cards, including, without limitation, Diners Club International Cards.Additionally, Merchant shall not use the Program Marks other than to display decals,signage,advertising,and other forms depicting the Program Marks that are provided to Merchant by Processor pursuant to the Merchant Program or otherwise approved in advance in writing by Processor.Merchant may use the Program Marks only to promote the services covered by the Program Marks by using them on decals, indoor and outdoor signs, Web sites, advertising materials and marketing materials; provided that all such uses by Merchants must be approved in advance by Processor in writing.Merchant shall not use the Program Marks in such a way that customers could believe that the products or services offered by Merchant are sponsored or guaranteed by the owners of the Program Marks. Merchant recognizes that it has no ownership rights in the Program Marks. Merchant shall not assign to any third party any of the rights to use the Program Marks. 43. Information about Bank's responsibilities. American Express Card Transactions and Discover Network Card Transactions are not provided to you by Bank but are provided by Processor,as the Acquirer of American Express and Discover Network. The provisions of this Agreement regarding Discover Network Card Transactions and American Express Card Transactions constitute an agreement solely between you and Processor. Bank is not a party to this Agreement in so far as it relates to American Express Card Transactions and Discover Network Card Transactions, and Bank is not responsible, and shall have no liability to you in any way with respect to American Express Card Transactions and Discover Network Card Transactions. 44.Payment and Interest Fees. Payments are due upon receipt of a proper invoice and incompliance with Chapter 218, Fla. Stats., otherwise known as the "Local Government Prompt Payment Act."Any late interest fees shall be pursuant to Section 218.74, Fla. Stat. 45. Sales Tax. Collier County,Florida as a political subdivision of the State of Florida, is exempt from the payment of Florida sales tax to its vendors under Chapter 212, Florida Statutes, Certificate of Exemption# 85-8015966531C-1. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 19 0 46. No Discrimination.The Processor agree that there shall be no discrimination as to race, sex, color, creed or national origin. 47.Public Entity Crime. By its execution of this Agreement, the Processor acknowledges to comply with the terms of Section 287.133 of the Florida Statutes and inform the County of the conviction of a public entity crime. 48. Insurance. The Processor shall provide insurance as follows: A. Commercial General Liability: Coverage shall have minimum limits of$1,000,000 Per Occurrence, $2,000,000 aggregate for Bodily Injury Liability and Property Damage Liability. This shall include Premises and Operations;Independent Contractors;Products and Completed Operations and Contractual Liability. B. Workers' Compensation: Insurance covering all employees meeting Statutory Limits in compliance with the applicable state and federal laws. The coverage must include Employers' Liability with a minimum limit of$100,000 or each accident. C. Cyber Liability: Coverage shall have minimum limits of$5,000,000 per claim. D. Technology Errors & Omissions: Coverage shall have minimum limits of$5,000,000 per claim. Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR, Collier County Government shall be listed as the Certificate Holder and included as an "Additional Insured" on the Insurance Certificate for Commercial General Liability where required.This insurance shall be primary and non-contributory with respect to any other insurance maintained by, or available for the benefit of, the Additional Insured and the Processor's policy shall be endorsed accordingly. Current,valid insurance policies meeting the requirement herein identified shall be maintained by Contractor during the duration of this Agreement.The Processor shall provide County with certificates of insurance meeting the required insurance provisions. Renewal certificates shall be sent to the County thirty (30) days prior to any expiration date. Coverage afforded under the policies will not be canceled or allowed to expire until the greater of: thirty(30) days prior written notice, or in accordance with policy provisions. Processor shall also notify County, in a like manner, within twenty-four (24) hours after receipt, of any notices of expiration, cancellation, non-renewal or material change in coverage or limits received by Processor from its insurer, and nothing contained herein shall relieve Processor of this requirement to provide notice. Processor shall ensure that all subcontractors comply with the same insurance requirements that the Processo is required to meet. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 20 49. Indemnification. To the maximum extent permitted by Florida law, the Processor and Bank shall defend, indemnify and hold harmless Collier County, its officers and employees from any and all liabilities,damages, losses and costs,including,but not limited to,reasonable attorneys' fees and paralegals' fees, whether resulting from any claimed breach of this Agreement by Processor and Bank, any statutory or regulatory violations, or from personal injury, property damage, direct or consequential damages, or economic loss, to the extent caused by the negligence, recklessness, or intentionally wrongful conduct of the Processor and Bank or anyone employed or utilized by the Processor and Bank in the performance of this Agreement. This indemnification obligation shall not be construed to negate, abridge or reduce any other rights or remedies which otherwise may be available to an indemnified party or person described in this paragraph. This section does not pertain to any incident arising from the sole negligence of Collier County. 49.1 The duty to defend under this Article 49 is independent and separate from the duty to indemnify, and the duty to defend exists regardless of any ultimate liability of the Processor and Bank, County and any indemnified party. The duty to defend arises immediately upon presentation of a claim by any party and written notice of such claim being provided to Processor and Bank. Processor and Bank's obligation to indemnify and defend under this Article 49 will survive the expiration or earlier termination of this Agreement until it is determined by final judgment that an action against the County or an indemnified party for the matter indemnified hereunder is fully and finally barred by the applicable statute of limitations. 50. Conflict of Interest.Processor represents that it presently has no interest and shall acquire no interest, either direct or indirect,which would conflict in any manner with the performance of services required hereunder. Processor further represents that no persons having any such interest shall be employed to perform those services. 51. Subject to Appropriation. It is further understood and agreed by and between the parties herein that this Agreement is subject to appropriation by the Board of County Commissioners. 52.Prohibition of Gifts to County Emplolyees. No organization or individual shall offer or give,either directly or indirectly,any favor, gift, loan, fee, service or other item of value to any County employee, as set forth in Chapter 112, Part III, Florida Statutes, Collier County Ethics Ordinance No. 2004-05, as amended, and County Administrative Procedure 5311. Violation of this provision may result in one or more of the following consequences: a. Prohibition by the individual, firm, and/or any employee of the firm from contact with County staff for a specified period of time;b. Prohibition by the individual and/or firm from doing business with the County for a specified period of time, including but not limited to: submitting bids, RFP, and/or quotes; and, c. immediate termination of any Agreement held by the individual and/or firm for cause. 53. Compliance with Laws. By executing and entering into this Agreement, the Processor and Bank formally acknowledging without exception or stipulation that it agrees to comply, at its own expense, with all federal, state and local laws, codes, statutes, ordinances, rules, regulations and requirements applicable to this Agreement, including but not limited to Collier JetPay Payment Services, TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 21 County Manager's Administration Procedures (CMA) CMA #5401- Information Systems Lifecycle Management, CMA # 5402- Remote Access Policy, CMA # 5403- Third Party Access Policy, CMA # 5905- Computer-Technology Use, as amended, Collier County's Architectural Compatibility& Supportability(TACS),F.S. §501.171 Security of Confidential Personal Information, Immigration Reform and Control Act of 1986 as located at 8 U.S.C. 1324, et seq. and regulations relating thereto, as either may be amended; taxation, workers' compensation, equal employment,and the Florida Public Records Law Chapter 119, including specifically those contractual requirements at F.S. § 119.0701(2)(a)-(b) as stated as follows: IF THE CONTRACTOR HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER 119, FLORIDA STATUTES, TO THE CONTRACTOR'S DUTY TO PROVIDE PUBLIC RECORDS RELATING TO THIS CONTRACT, CONTACT THE CUSTODIAN OF PUBLIC RECORDS AT: Communication and Customer Relations Division 3299 Tamiami Trail East, Suite 102 Naples, FL 34112-5746 Telephone: (239) 252-8383 The Contractor must specifically comply with the Florida Public Records Law to: 1. Keep and maintain public records required by the public agency to perform the service. 2. Upon request from the public agency's custodian of public records, provide the public agency with a copy of the requested records or allow the records to be inspected or copied within a reasonable time at a cost that does not exceed the cost provided in this chapter or as otherwise provided by law. 3. Ensure that public records that are exempt or confidential and exempt from public records disclosure requirements are not disclosed except as authorized by law for the duration of the contract term and following completion of the contract if the Contractor does not transfer the records to the public agency. 4. Upon completion of the contract,transfer,at no cost,to the public agency all public records in possession of the Contractor or keep and maintain public records required by the public agency to perform the service.If the Contractor transfers all public records to the public agency upon completion of the contract,the Contractor shall destroy any duplicate public records that are exempt or confidential and exempt from public records disclosure requirements. If the Contractor keeps and maintains public records upon completion of the contract,the Contractor shall meet all applicable requirements for retaining public records. All records stored electronically must be provided to the public agency, upon request from the public agency's custodian of public records, in a format that is compatible with the information technology systems of the public agency. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 22 CAO If Contractor observes that the Contract Documents are at variance therewith, it shall promptly notify the County in writing. Failure by the Contractor to comply with the laws referenced herein shall constitute a breach of this Agreement and the County shall have the discretion to unilaterally terminate this Agreement immediately. 54. Dispute Resolution. Prior to the initiation of any action or proceeding permitted by this Agreement to resolve disputes between the parties,the parties shall make a good faith effort to resolve any such disputes by negotiation. The negotiation shall be attended by representatives of Contractor with full decision-making authority and by County's staff person who would make the presentation of any settlement reached during negotiations to County for approval. Failing resolution,and prior to the commencement of depositions in any litigation between the parties arising out of this Agreement, the parties shall attempt to resolve the dispute through Mediation before an agreed-upon Circuit Court Mediator certified by the State of Florida. The mediation shall be attended by representatives of Contractor with full decision-making authority and by County's staff person who would make the presentation of any settlement reached at mediation to County's board for approval. Should either party fail to submit to mediation as required hereunder, the other party may obtain a court order requiring mediation under section 44.102, Fla. Stat. 55. Venue. Any suit or action brought by either party to this Agreement against the other party relating to or arising out of this Agreement must be brought in the appropriate federal or state courts in Collier County, Florida,which courts have sole and exclusive jurisdiction on all such matters. 56. Governing Law. The Agreement shall be interpreted under and its performance governed by the laws of the State of Florida. 57. Security. The Processor and Bank is required to comply with County Ordinance 2004-52, as amended. Background checks are valid for five (5) years and Processor and Bank shall be responsible for all associated costs. If required, Processor and Bank shall be responsible for the costs of providing background checks by the Collier County Facilities Management Division for all employees that shall provide services to the County under this Agreement.This may include, but not be limited to, checking federal, state and local law enforcement records, including a state and FBI fingerprint check, credit reports, education, residence and employment verifications and other related records. Contractor shall be required to maintain records on each employee and make them available to the County for at least four (4) years. All of Processor and Bank employees and subcontractors must wear Collier County Government Identification badges at all times while performing services on County facilities and properties. Contractor ID badges are valid for one (1) year from the date of issuance and can be renewed each year at no cost to Processor and Bank during the time period in which their background check is valid, as discussed below. All technicians shall have on their shirts the name of the contractor's business.Processor and Bank shall immediately notify the Collier County Facilities Management Division via e-mail (DL-FMOPS@colliergov.net) whenever an employee assigned to Collier County separates from their employment. This notification is JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 23 critical to ensure the continued security of Collier County facilities and systems. Failure to notify within four(4) hours of separation may result in a deduction of$500 per incident. 58. Processor agrees to provide the level customer service as defined in Processor's proposal, Section 18 "Customer Service," and Busines Continuty Plan attached hereto as Exhibit B. 59. The Processor agrees to store all Transaction data for this Agreement for a period of seven (7) years and upon termination the Processor shall provide to Merchant the data in a format requested by the Merchant. The Processor or Bank does not own any data created or transmitted through this Agreement. 60. The Processor agrees to be PCI DSSL Level 1 compliant for the duration of the Agreement and shall provide an annual confirmation of this certification to the Merchant. The Processor should not take any action, or omit to take any action,which would reasonably be expected to have an adverse effect on the Business compliance, or current or future efforts to become compliant, with Payment Card Industry Data Security Standards. The Merchant has the authority to conduct an audit PCI compliance anytime during the duration of this Agreement. 61. HIPPA Compliance. It is understood by the parties that County personnel or their agents have access to protected health information(hereinafter known as "PHI")that is subject to the requirements of 45 C.F.R. Section 160, 162, and 164 and related statutory and regulatory provisions. In the event the Processor or Bank is considred by the County to be a covered entity or business associate or otherwise required to comply with the Health Information for Economic and Clinical Health Act (HITECH"), the Processor or Bank shall fully protect individually identifiable health information as required by HIPAA and HITECH. The Processor and Bank agrees to be bound by the terms of the Business Associate Agreement attached as Exhibit C, which is incorporated herein. Where required, Processor shall handle and secure such PHI in complinance with HIPAA, HITECH and its related regulations and, if required by HIPAA, HITECH, or other laws, shall include in its"Notice of Privacy Practices" notice of Processor and Bank and County's use of a client's PHI. The requirement to comply with this provision, HIPAA and HITECH shall survive the expiration or termination of this Agreement. 62. The Processor and Bank shall inform the Merchant within twenty-four (24) hours of any data breach of JetPay's systems that result in the compromise of Merchant's data, including transaction data and PII of Merchant's customers. The Processor and Bank will be liable for all cost and damages associated with the breach and shall hold the Merchant harmless. 62.1 Hosting Services. All services required of Processor under this Agreement, including as set forth in Exhibit B, to ensure that the Software is available to County and third party users over the Internet consistent with the terms of this Agreement. Except as may be limited by Exhibit B, these services include: all required programming or modification/configuration of the Software to meet County's ongoing needs; integration, customization, enhancements, or modifications to the Software; maintenance of the Hardware; development or consulting activities; and training or project management. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 24 62.2 Software. All proprietary or third party software or other intellectual property rights, including the Documentation, provided or licensed to County or third party users pursuant to this Agreement, including the computer programs (in machine readable object code form) listed in Exhibit B and any subsequent updates, upgrades, releases, or enhancements thereto developed by Processor during the term of this Agreement. 62.3 Support and Maintenance Services. The support and maintenance services required for County to achieve and maintain optimal performance of the Software, including as further described in Exhibit B. JetPay will provide access to its payment processing and reporting portal 24 hours per day, 7 days per week with the exception of scheduled maintenance windows. 62.4 System. Processor's Software and Hosting Services provided pursuant to this Agreement that will be accessible to County and third party users through the Internet, as described in this Agreement including the Exhibits hereto. 62.5 Scope of Services. Processor shall perform all work specified in this Agreement inclusive of the Exhibits. Unless stated otherwise in this Agreement, the work required of Processor includes all labor, materials and tasks, whether or not enumerated in the Agreement, that are such an inseparable part of the work expressly stated in the Agreement that exclusion thereof would render Processor's performance impractical, illogical, or unconscionable. 62.6 License. Processor grants to County a perpetual, royalty-free, nonexclusive license,with no geographical limitations, for an unlimited number of users, to the Software and System including to any embedded third party software within the System or required to operate or access the Software or use the System, for use solely for County governmental and business purposes, including on- and off-site access and use of the Software and use by authorized third party users, including those persons or entities with which County may contract to operate the Software,and for the benefit of and use by all governmental entities within the County, including the offices of the County constitutional officers. 62.7 Prohibited Uses. Except as otherwise provided for in this Agreement or required under Florida law,County shall not reproduce,publish,or license the Software to others. County shall not modify, reverse engineer, disassemble, or decompile the Software or any portion thereof,except(a)to the extent expressly authorized in Exhibit A,in which event such authorized actions shall be deemed within the license grant or (b) to the extent permitted under any applicable open source license. 62.8 Hosting, Support and Maintenance Services. Processor shall provide County with the Hosting Services as set forth in this Agreement in accordance with the Exhibit B. For the duration of this Agreement, Processor and the Hosting Services shall comply with the Service Level as set forth in Exhibit B. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 25 0 (a) Updates, Upgrades and Releases. For the full term of this Agreement, Processor shall promptly provide to County, with advance notice and at no additional cost, any and all updates (including error corrections, bug fixes, security updates, and patches), upgrades, or new releases to the Software, including all that Processor has made available to other licensees of all or part of the Software licensed pursuant hereto. All such updates, upgrades, and new releases shall remain the sole property of Processor and shall be deemed to be included within the scope of the license granted under this Agreement. Any critical updates, upgrades, or releases shall be applied within thirty (30) days of release during 11:00 p.m. — 7:00 a.m., Monday through Friday and upon notification of the Merchant. (b) Compatibility. For the full term of this Agreement, Processor will ensure the continued compatibility of the Software with all major releases, updates, or upgrades of any third party software used by County for access or operation of the Software or the System. In the event Processor is not be able to support any third party software update, upgrade, or new release that changes major functionality and is not backwards compatible with the System,Processor shall use all reasonable efforts to resolve such issues and to provide optimal functionality of the System in accordance with this Agreement. If Processor is unable to provide continued optimal functionality of the System in accordance with this Agreement due to any third party software release, update, or upgrade, County shall be entitled to terminate the Agreement upon written notice with no further obligation to Processor. (c) Software Enhancements or Modifications. If requested by County, Processor shall incorporate certain features and enhancements into the licensed Software, and the source code for those features and enhancements shall be provided to and be the property of County. Any such request shall be formalized into a Statement of Work that shall define in detail the services to be performed, the financial terms, and the proposed project staffing and schedule. Any such Statement of Work shall be incorporated into a Work Authorization,to the extent permitted herein, or an amendment to this Agreement. 62.9 Other Equipment. County may access and operate the System from the Designated Equipment. County may also access and operate the System on separate servers and in any and all development, test, failover, disaster recovery, and backup configurations, at no additional fee. 62.10 Documentation. Processor shall deliver copies of the Documentation to County within seven (7) days of the Effective Date, and thereafter shall promptly provide any updated Documentation as it becomes available during the term of this Agreement. Processor represents and warrants that the Documentation is sufficiently comprehensive and of sufficient quality to enable a competent user to operate the System efficiently and in accordance with Exhibit B. County has the right to copy and modify the Documentation as it deems necessary for its own internal use. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 26 63. County Proprietary Rights. Processor acknowledges and agrees that County retains all rights, title and interest in and to all materials, data, documentation and copies thereof furnished by County to Processor hereunder, including all copyright and other proprietary rights therein, which Processor as well as its employees, agents, subconsultants, and suppliers may use only in connection with the performance of Services under this Agreement. Processor represents and warrants that it is the owner of all right, title, and interest in and to the Software, that it has the right to grant to County the rights and the licenses granted under this Agreement, and that it has not knowingly granted rights or licenses to any other person or entity that would restrict rights and licenses granted hereunder, except as may be expressly stated herein. 64.Limited Warranty. For the full term of this Agreement, Processor represents and warrants to County that the Software and System, when used with the Designated Equipment, will perform substantially as described in the Documentation and in the Statement of Work(Exhibit B). This warranty does not cover any failure of the Software or System resulting from (a) use of the Software or System in a manner other than that for which it was intended; (b) any modification of the Software or System by County that is not authorized by Processor; or (c) County's provision of improperly formatted data to be processed through the Software or System. 65.Warranty Regarding Viruses and PCI Compliance. Processor further represents, warrants, and agrees that the Software is free from currently-known viruses or malicious software (at the time the Software and any subsequent version thereof is initially made available to County), and that Processor has and will continue, for the full term of this Agreement, to use commercially reasonable security measures to ensure the integrity of the Software and System from data leaks, hackers, denial of service attacks, and other unauthorized intrusions. Ifthe Software will accept,transmit or store any credit cardholder data,Processor represents and warrants that the Software complies with the most recent of the Security Standards Council's Payment Card Industry("PCI")Payment Application Data Security Standard. 66. Intellectual Property Warranty. Processor represents and warrants that at the time of entering into this Agreement, no claims have been asserted against Processor (whether or not any action or proceeding has been brought) that allege that any part of the Software or System infringes or misappropriates any patent, copyright, mask copyright or any trade secret or other intellectual or proprietary right of a third party, and that Processor is unaware of any such potential claim. Processor also agrees, represents and warrants that the Software and System to be provided pursuant to this Agreement will not infringe or misappropriate any patent, copyright, mask copyright, or any trade secret or other intellectual or proprietary right of a third party. n and to certain ideas, designs and methods, specifications, and other documentation related thereto developed by Processor and its subconsultants specifically for County (collectively, "Developed Works") shall be and remain the property of County. Accordingly, neither Processor nor its employees, agents, subconsultants, or suppliers shall have any proprietary interest in such Developed Works. The Developed Works may not be utilized, reproduced, or distributed by or on behalf of Processor, or any employee, agent, subconsultants, or supplier thereof, JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 27 CAO without the prior written consent of County, except as required for Processor's performance hereunder. 67. Ownership. Except for custom work products, if any, County acknowledges that all copies of the Software (in any form) provided by Processor are the sole property of Processor. County shall not have any right, title, or interest to any such Software or copies thereof except as expressly provided in this Agreement, and shall take all reasonable steps to secure and protect all Software consistent with maintenance of Processor's proprietary rights therein. 69. Non-Exclusive Relationship. Except as stated in a separate written agreement signed by the parties nothing in this Agreement shall prohibit Merchant from obtaining Merchant Card Payment Processing services from other suppliers, nor prohibit the Processor and Bank from offering such services to other customers. JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 28 EXHIBIT A SOLICIATION#18-7284"PAYMENT PROCESSING AND RELATED SERVICES" (FOLLOWING THIS PAGE) JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 29 6 EXHIBIT A TO MERCHANT CARD PROCESSING TERMS AND CONDITIONS Coter County Administrative Serv;ces Depaitrnent Procurement Semrices aivsivn COLLIER COUNTY BOARD OF COUNTY COMMISSIONERS REQUEST FOR PROPOSAL (RFP) FOR PAYMENT PROCESSING AND RELATED SERVICES SOLICITATION NO.: 18-7284 VIVIANA GIARIMOUSTAS, PROCUREMENT STRATEGIST PROCUREMENT SERVICES DIVISION 3295 TAMIAMI TRAIL EAST, BLDG C-2 NAPLES, FLORIDA 34112 TELEPHONE: (239) 252-8375 VivianaGiarimoustas@colliergov.net (Email) This solicitation document is prepared in a Microsoft Word format(Rev 8/7/2017). Any alterations to this document made by the Vendor may be grounds for rejection of proposal, cancellation of any subsequent award,or any other legal remedies available.to the Collier County Government. SOLICITATION PUBLIC NOTICE REQUEST FOR PROPOSAL(RFP) 18-7284 NUMBER: PROJECT TITLE: PAYMENT PROCESSING AND RELATED SERVICES LOCATION: PROCUREMENT SERVICES DIVISION,CONFERENCE ROOM A,3295 TAMIAMI TRAIL EAST,BLDG C-2,NAPLES,FLORIDA 34112 RFP OPENING DAY/DATE/TIME: Monday,February 26,2018 at 10:00AM EST PLACE OF RFP OPENING: PROCUREMENT SERVICES DIVISION 3295 TAMIAMI TRAIL EAST,BLDG C-2 NAPLES,FL 34112 All proposals shall be submitted online via the Collier County Procurement Services Division Online Bidding System: https://www.bidsync.com/bidsvnc-cas/ INTRODUCTION As requested by the Administrative Services Department (hereinafter, the "Department"), the Collier County Board of County Commissioners Procurement Services Division (hereinafter, "County") has issued this Request for Proposal (hereinafter, "RFP") with the intent of obtaining proposals from interested and qualified vendors in accordance with the terms, conditions and specifications stated or attached. The vendor,at a minimum,must achieve the requirements of the Specifications or Scope of Work stated. The results of this solicitation may be used by other County departments or Constitutional Offices once awarded according to the Board of County Commissioners Procurement Ordinance. The purpose of this RFP is to select a"single"vendor to provide an enterprise application software and services solution for Point of Sale Transactions,Billing or Payments,Credit Cards and PCI Compliance for various departments. Collier County is composed of four major Departments that currently utilize various and separate solutions to processes approximately$90,000,000 annually via: POS applications,website and mobile interfaces, and third-party transaction services(detailed below). Collier County's goal is to implement a single integrated system for County wide utilization. However,the solution must be flexible enough to encompass other functions,modules and features,as needed,in the future. The County understands that this will be a complex and extensive,multi- year effort and therefore, interested parties are invited to respond to this RFP outlining their approach to such a project implementation,taking into account that the County is open to hearing from interested parties offering different points of view on the components outlined above. BACKGROUND Collier County's current Point of Sale Applications,Billing or payments, and Credit Card processing are highly decentralized with many functions,overall management and compliance are being performed by the individual departments. Currently,a limited number of the divisions within the departments,process credit card transactions through point terminals while a smaller number handle credit cards online through some sort of e-business web interface. Since a growing number of additional divisions within the agency plan to implement credit card processing,it is imperative that the process of authorizing,billing or receiving payments,and reconciling of credit card transactions be centralized in a single solution,with both the technical ability to establish and maintain a secure credit card processing gateway, and the accounting acumen to manage the increasing volume of transactions. Additionally, distributed credit card processing implies distributed risk. By centralizing credit card processing, a single vendor and solution is desired to handle sensitive financial information and be responsible for developing and implementing required processing controls. Public Utilities Department The Department currently processes approximately$29,000,000 in credit card transactions annually with the ability to accept chipped cards. Approximately 2%is point of sale, 72%is web payments, and 26%is IVR payments. The Department does not take any payments over the Collier County telephone system. All phone calls are through the IVR and that is a public telephone network line external to the county's firewall,through Transaction Warehouse. There is a point of sale for solution Solid Waste facilities as well. For credit card payments on the web or IVR,the Department uses Transaction Warehouse(a partner of Harris)as a host and Jet Pay as the 3rd party approver,and for point of sale,Jet Pay,acts as both host and 3rd party approver. The Department also collects credit card monies for the Estoppel program over the web through a locally developed software system,that is hosted and 3rd party approved by Jet Pay. Growth Management Department The Department utilizes Magic Writer solely through the use of mobile devices without any point of sale terminals to process approximately $8,500,000.00 in credit card transactions and$5,000,000.00 in ACH transactions.This solution provides a payment CAO platform which requires manual processing of all ACH and Credit/Debit Card transactions. The Airport Authority utilizes OMNI machines in three separate locations throughout the county to process approximately$2,250,000 in credit card transactions annually. The sales are not directly connected to a Point of Sale application. PCI compliance has not yet been achieved at these locations and chip readers have not been installed. Manual cash journal entries are required to upload sales data to the SAP financial reporting system. Public Services Department The Parks and Recreation Division currently utilize Active Network as an Activity Management Software Solution (AMSS) that enables staff to serve its customers with greater efficiency and to enhance internal operations. The solution currently provides for easy management, allow for future growth, and deploy easily to functional areas of Parks &Recreation in the areas of Program registrations,Facility reservations,Memberships,League scheduling,Point of sale,Admissions,Payment processing, and Ad hoc reporting. Active Network currently requires that all equipment be purchased separately and,all hosting services are separate from our County's IT Network. All transactions through Active Network are subject to a transaction fee. Cash/Check transactions processed by staff are subject to a 1.5%fee.All credit card transactions(online or entered by staff)are subject to a 4.25%transaction fee. The division processes approximately$6,000,000 annually total through this solution with$3,000,000 in credit card transactions. Beach parks and boat launch areas utilize credit card machines provided JetPay. The division processes approximately $640,000 annually through these credit card machines. Administrative Services Department The department currently utilizes Magic Writer in the Emergency Medical Services Division to process credit card and ACH payments. Other Constitutional Offices There is a possibility that other Collier County Constitutional Offices will utilize this agreement during implementation or at a later date. TERM OF CONTRACT The contract term, if an award(s) is/are made is intended to be for five(5)years with one(1)three(3)year renewal option. Prices shall remain firm for the initial term of this contract. Surcharges will not be accepted in conjunction with this contract,and such charges should be incorporated into the pricing structure. DETAILED SCOPE OF WORK The Selected Vendor will provide payment processing services for payments made to the County using the vendor provided payment channels, such as but not limited to,walk-in payment locations, self-service payment kiosks, internet/web, mobile and interactive voice response systems. Payments will be processed for various receivables owed to the County. The Selected Vendor will be required to interface with each of its line of business applications (see above and appendix xxx for a listing)using manufacturers approved interfaces. The Selected Vendor will also be required to provide an interface file for batch processing with the agency's SAP financial system(see section 5.Below). Vendors are invited to respond to this solicitation outlining their approach to such a project implementation, taking into account that the County is open to hearing from interested parties offering different points of view on the components outlined above. Selected Vendor will be responsible for,but not limited to,the following requirements: 1.Cashiering Front-End Provide all front-end systems for Selected Vendor to process County payments,regardless of payment channel. 2.Real-time Payment Processing County operations depend on real-time recording of payments against the receivable. 3.Interfaces The Selected Vendor must create the interface between the Selected Vendor's own front-end payment processing software and the County's line of business systems establishing the ability for the Selected Vendor to: • query and search real-time for County debt owed by customer • provide payment transaction information real-time to the County • retrieve County revenue reporting for reconciliation purposes C Selected Vendors must provide payment information through the with each of the County's line of business applications(see above and appendix xxx for a listing)using manufacturers approved interfaces. The Selected Vendor will also be required to provide an interface file for batch processing with the agency's SAP financial system(see section 5.Below).. Selected Vendors must be able to provide the necessary information using a secure authentication method and provide data formatted as required by the line of business applications vendors. Selected Vendor must work with the County's Information Technology Division and the line of business application vendors to achieve the required secured connection and communication. The Selected Vendor must also create interfaces to the County's existing (contracted-out) payment processing Selected Vendor systems to: • process payment card payments • process ACH payments • process check images 4.Hosting The Selected Vendor will be responsible for hosting and maintaining the services and providing IT support for county staff. Please note,Collier County will not consider any solicitation the does not include hosting services. 5.Current Financial System Collier County's financials are managed within SAP,which is at current and fully supported release levels,namely SAP ECC 6.0— Enhancement Pack 7.The SAP application uses the following modules: FI, CO,FM,AP,MM,SD(Misc.Billing),BCS,HR,BN, and PY. In addition to these core SAP modules,the invoice payment and approval process is managed and optimized using an SAP integrated solution called Dolphin PTS-AP. 6.Payment Deposits The Selected Vendor is required to initially and directly deposit, immediately or next banking day depending on payment type as directed by the County,all payments received on behalf of the County into a County owned bank account. All payments are to be deposited in whole, without reduction of any kind by the Selected Vendor. Selected Vendor will use County obtained Merchant accounts for any payment processing,as required. Selected Vendor must reimburse the County for any lost interest when payments to the County are not deposited as required to the designated depository. The lost interest will be calculated based on the average federal funds rate for the period during which the deposits were not made as required. 7.Reconciliation Selected Vendor is required to reconcile each day's payment collections to County system reports of revenue recorded and to daily deposits into County bank accounts. All discrepancies must be investigated and resolved, and findings provided to the County for related adjustments. 8.Revenue Shortages The Selected Vendor is required to reimburse the County for all vendor caused Revenue Shortages,payments collected on behalf of the County,which are not accounted for,are lost,misdirected,or otherwise not provided to the County as required. 9.Returned Payments For all payments originally processed by the Selected Vendor,the Selected Vendor is required to: • monitor,manage and respond to any payment challenges • Enter information,as defined by the County,into County systems for all returned payments,regardless of payment type. 10.Workflow Mapping Selected Vendor must provide and maintain application and business workflows for current and revised workflow processes during the term of the Agreement. In the event of new technologies that become available and which may enhance or may otherwise be provided as an additional service under the terms of the Agreement, the Selected Vendor may provide such business transaction opportunities to the County. The County reserves the right to incorporate such changes if deemed to be in the best interest of the County. 11.Training The Selected Vendor must train and manage quality controls of its personnel to adapt the business processes associated with such training instructions and guidelines,and monitor performance on an ongoing basis. Selected Vendor staff must establish the expertise to search for all debt related to a particular transaction and provide the needed customer service needed to properly complete the transaction. 12.PCI and Data Security Compliance In as much as the County is required to have its outside Selected Vendors comply with the latest PCI requirements as determined by certified PCI Compliance authorities,so too must the Selected Vendor be required to submit to those standards as may be applicable and to provide industry accepted documentation of their compliance. 13.HIPAA and HITECH Act Compliance Any information and transactions involving personal information which require compliance with the most current Health Information Portability and Accountability Act requirements must be provided for by the Selected Vendor. 14.Security Protocols The Selected Vendor must provide for electronic and hardcopy security of all Collier County related documents and all other related data while in the Selected Vendor's custody and control. Selected Vendor must provide to the County,upon request,the identification of personnel who will be providing services under the Agreement,and any details which may be required by the County of such personnel for security purposes. Personnel will also be required to be fingerprinted and approved per the agency fingerprinting ordinance. 15.Reporting The Selected Vendor will be required to provide reports to the County which will include,but are not limited to: a. Any instance of lost, stolen, misdirected, not delivered, or breach in security, even if temporary, must immediately be reported to the authorized representative of the Department managing the Agreement. Selected Vendor will be responsible for all costs associated with a breach including,but not limited to,notifications and credit reporting to impacted individuals, legal fees and fines,any other costs associated with a data breach. b. Any instance of a system application or other communication line being unavailable for a customer's use(downtime),must be reported to the authorized representative of the Department managing the Agreement. c. Selected Vendor must provide County with online access to daily and monthly reconciliation reports to allow County personnel to account for and reconcile receipts collected through the Selected Vendor's system. d. Selected Vendor must provide a usage report to Department at least on a monthly basis,and more frequently if so requested, indicating the following metrics per transaction made(or attempted to be made)for all payments: o range of dates for the reporting period o dates and time of day when transaction occurred o location where transaction occurred o number of transactions made,by payment type • check,ACH or image • payment card • U.S.currency o identify which transaction resulted in a transaction error o number of errors made o number of reported problems o time of downtime incurred o total amount of payments made e. Selected Vendor must provide a reporting format to compare against the County's revenue collection report,to facilitate an efficient account reconciliation review by the authorized representative of the Department. f. Other reports as requested by the County. 16.Back-up Documentation Selected Vendor must provide a reliable process for maintaining a copy of each completed transaction,in the event of system crash or other business interruption,such that the completed transaction record can be replicated,if necessary. 17.Convenience Fee Any Convenience Fee charged to the Customer,if applicable,by the Selected Vendor must be agreed upon by the County and will be pursuant to the Agreement between the County and Selected Vendor.The Convenience Fee may be a set fee or a percentage of the payment amount. 18.Customer Service Selected Vendor will be required to provide customer service support to customers in relation to payments processed by Selected Vendor. 19.Refunds Selected Vendor will not process any refunds,or return payments to customers after settlement,without expressed written authority from the County. 20.Scheduled Recurring Payments The Selected Vendor may provide scheduled payment processing services allowing County customers to provide needed payment information and have a series of scheduled recurring payments automatically submitted to the County for posting to receivables of 67) 0 various debt types. 21.Single User Sign-On The Selected Vendor's interne payment channel may provide the option for customers to create a secure account with the ability to voluntarily link debt from various County receivable systems. Customers creating such an account would be able to sign-on to this account as needed to view and pay debt associated with the account. REQUEST FOR PROPOSAL(RFP)PROCESS 1.1 The Proposers will submit a qualifications proposal which will be scored based on the criteria in Section 5.0 Grading Criteria for Development of Shortlist,which will be the basis for short-listing firms. The Proposers will need to meet the minimum requirements outlined herein in order for their proposal to be evaluated and scored by the COUNTY. The COUNTY will then grade and rank the firms and enter into negotiations with the top ranked firm to establish cost for the services needed. With successful negotiations,a contract will be developed with the selected firm,based on the negotiated price and scope of services and submitted for approval by the Board of County Commissioners. 1.2 The COUNTY will use a Selection Committee in the Request for Proposal selection process. 1.3 The intent of the scoring of the qualifications proposal is for respondents to indicate their interest, relevant experience, financial capability,staffing and organizational structure. 1.4 Based upon a review of these qualification proposals,the COUNTY will rank the Proposers based on the discussion and clarifying questions on their approach and related criteria,and then negotiate in good faith an Agreement with the top ranked Proposer. 1.5 If,in the sole judgment of the COUNTY,a contract cannot be successfully negotiated with the top-ranked firm,negotiations with that firm will be formally terminated and negotiations shall begin with the firm ranked second. If a contract cannot be successfully negotiated with the firm ranked second,negotiations with that firm will be formally terminated and negotiations shall begin with the third ranked firm,and so on. The COUNTY reserves the right to negotiate any element of the proposals in the best interest of the COUNTY. GRADING CRITERIA FOR DEVELOPMENT OF SHORTLIST: 1.6 For the development of a shortlist,this evaluation criterion will be utilized by the COUNTY'S Selection Committee to score each proposal. Proposers are encouraged to keep their submittals concise and to include a minimum of marketing materials. Proposals must address the following criteria: Evaluation Criteria Maximum Points 1. Cover Letter/Management Summary 5 Points 2. Certified Minority Business Enterprise 5 Points 3. Business Plan 20 Points 4. Cost of Services to the County 20 Points 5. Experience and Capacity of the Firm 20 Points 6. Specialized Expertise of Team Members 20 Points 7. Local Vendor Preference 10 Points TOTAL POSSIBLE POINTS 100 Points Tie Breaker: In the event of a tie at final ranking, award shall be made to the proposer with the lower volume of work previously awarded.Volume of work shall be calculated based upon total dollars paid to the proposer in the twenty-four (24)months prior to the RFP submittal deadline.Payment information will be retrieved from the County's financial system of record.The tie breaking procedure is only applied in the final ranking step of the selection process and is invoked by the Procurement Services Division Director or designee. In the event a tie still exists, selection will be determined based on random selection by the Procurement Services Director before at least three(3)witnesses. Each criterion and methodology for scoring is further described below. EVALUATION CRITERIA NO.1:COVER LETTER/MANAGEMENT SUMMARY(5 Total Points Available) Provide a cover letter, signed by an authorized officer of the firm, indicating the underlying philosophy of the firm in providing the services stated herein. Include the name(s), telephone number(s) and email(s) of the authorized contact person(s)concerning proposal. Submission of a signed Proposal is Vendor's certification that the Vendor will accept any awards as a result of this RFP. EVALUATION CRITERIA NO.2:CERTIFIED MINORITY BUSINESS ENTERPRISE(5 Total Points Available) Submit certification with the Florida Department of Management Service, Office of Supplier Diversity as a Certified Minority Business Enterprise. EVALUATION CRITERIA NO.3:BUSINESS PLAN(20 Total Points Available) In this tab,include but not limited to: •Detailed plan of approach(including major tasks and sub-tasks). Describe and demonstrate the technical expertise and capabilities to process the outlined transaction volumes,amounts,and tracking to without interruption. •Detailed time line for implementation of the project. •Include with the Business Plan or as an attachment,an example of work product(s).This should be for one of the projects listed as a reference. EVALUATION CRITERIA NO.4: COST OF SERVICES TO THE COUNTY(20 Total Points Available) In this tab,include but not limited to: •Provide the projected total cost and estimated calendar day duration(including projected hours)for which your firm will provide the work as described in this RFP. •Provide a schedule of merchant or related fees,maintenance,chargeback fees,etc.which should include pricing for any convenience fees. Please discuss any special rules pertaining to convenience fees and credit/debit card fees. •Provide pricing variation for each transaction type(ACH,credit cards,etc.)per transaction EVALUATION CRITERIA NO.5:EXPERIENCE AND CAPACITY OF THE FIRM(20 Total Points Available) In this tab,include but not limited to: • Provide information that documents your firm's and subcontractors' qualifications to produce the required deliverables, including abilities, capacity, skill, and financial strength, and number of years of experience in providing the required services. •Respondent must provide evidence of their PCI DSS compliance,including evidence for any subcontractors,third party processors and any other involved parties. •Describe the various team members'successful experience in working with one another on previous projects. The County requests that the vendor submits three(3)completed reference forms from clients whose projects are of a similar nature to this solicitation as a part of their proposal. Provide information on the projects completed by the vendor that best represent projects of similar size, scope and complexity of this project using form provided on the online bidding system. Vendors may include two(2)additional pages for each project to illustrate aspects of the completed project that provides the information to assess the experience of the Proposer on relevant project work. EVALUATION CRITERIA NO. 6: SPECIALIZED EXPERTISE OF TEAM MEMBERS (20 Total Points Available) In this tab,include but not limited to: •Description of the proposed contract team and the role to be played by each member of the team. •Attach brief resumes of all proposed project team members who will be involved in the management of the total package of services,as well as the delivery of specific services. • Attach resumes of any sub-vendors and attach letters of intent from stated sub-vendors must be included with proposal submission. EVALUATION CRITERIA NO.7:LOCAL VENDOR PREFERENCE(10 Total Points Available) Local business'is defined as the vendor having a current Business Tax Receipt issued by the Collier or Lee County Tax Collector for at least one year prior to proposal submission to do business within Collier County, and that identifies the business with a permanent physical business address located within the limits of Collier or Lee County from which the vendor's staff operates and performs business in an area zoned for the conduct of such business. O/13 INSURANCE AND BONDING REQUIREMENTS Insurance/Bond Type Required Limits 1. ®Worker's Compensation Statutory Limits of Florida Statutes, Chapter 440 and all Federal Government Statutory Limits and Requirements Evidence of Workers' Compensation coverage or a Certificate of Exemption issued by the State of Florida is required. Entities that are formed as Sole Proprietorships shall not be required to provide a proof of exemption.An application for exemption can be obtained online at https://apps.fldfs.com/bocexempt/ 2. X Employer's Liability $_100,000 single limit per occurrence 3. X Commercial General Bodily Injury and Property Damage Liability(Occurrence Form) patterned after the current $1.000,000_single limit per occurrence, $2,000,000 aggregate for Bodily Injury ISO form Liability and Property Damage Liability. This shall include Premises and Operations; Independent Contractors; Products and Completed Operations and Contractual Liability. 4. X Indemnification To the maximum extent permitted by Florida law,the ContractorNendor shall defend, indemnify and hold harmless Collier County,its officers and employees from any and all liabilities, damages, losses and costs, including, but not limited to, reasonable attorneys'fees and paralegals'fees,to the extent caused by the negligence,recklessness, or intentionally wrongful conduct of the Contractor/Vendor or anyone employed or utilized by the ContractorNendor in the performance of this Agreement. 5. ❑Automobile Liability $ Each Occurrence; Bodily Injury & Property Damage. Owned/Non-owned/Hired;Automobile Included 6. 0 Other insurance as noted: 0 Watercraft $ Per Occurrence 0 United States Longshoreman's and Harborworker's Act coverage shall be maintained where applicable to the completion of the work. $ Per Occurrence ❑ Maritime Coverage (Jones Act) shall be maintained where applicable to the completion of the work. $ Per Occurrence 0 Aircraft Liability coverage shall be carried in limits of not less than$5,000,000 each occurrence if applicable to the completion of the Services under this Agreement. $ Per Occurrence 0 Pollution $ Per Occurrence ❑Professional Liability $ Per claim&in the aggregate ❑Project Professional Liability $ Per Occurrence 0 Valuable Papers Insurance $ Per Occurrence X Cyber Liability $5,000,000 Per Occurrence X Technology Errors&Omissions $5,000,000 Per Occurrence 7. 0 Bid bond Shall be submitted with proposal response in the form of certified funds,cashiers'check or an irrevocable letter of credit,a cash bond posted with the County Clerk,or proposal bond in a sum equal to 5%of the cost proposal.All checks shall be made payable to the /'1 Collier County Board of County Commissioners on a bank or trust company located in the State of Florida and insured by the Federal Deposit Insurance Corporation. 8. ❑Performance and Payment For projects in excess of$200,000,bonds shall be submitted with the executed contract Bonds by Proposers receiving award,and written for 100%of the Contract award amount,the cost borne by the Proposer receiving an award.The Performance and Payment Bonds shall be underwritten by a surety authorized to do business in the State of Florida and otherwise acceptable to Owner;provided,however,the surety shall be rated as"A-"or better as to general policy holders rating and Class V or higher rating as to financial size category and the amount required shall not exceed 5%of the reported policy holders' surplus,all as reported in the most current Best Key Rating Guide,published by A.M. Best Company,Inc.of 75 Fulton Street,New York,New York 10038. 9. ® Vendor shall ensure that all subcontractors comply with the same insurance requirements that he is required to meet. The same Vendor shall provide County with certificates of insurance meeting the required insurance provisions. 10. ® Collier County must be named as "ADDITIONAL INSURED" on the Insurance Certificate for Commercial General Liability where required.This insurance shall be primary and non-contributory with respect to any other insurance maintained by,or available for the benefit of,the Additional Insured and the Vendor's policy shall be endorsed accordingly. 11. ® The Certificate Holder shall be named as Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County,OR Collier County Government,OR Collier County. The Certificates of Insurance must state the Contract Number,or Project Number,or specific Project description,or must read: For any and all work performed on behalf of Collier County. 12. ® Thirty(30)Days Cancellation Notice required. C Care County Email: VivianaGiarimoustas@colliergov.net Telephone: (239) 252-8375 Administrative Services Division Purchasing ADDENDUM #1 Memorandum Date: January 2, 2018 From: Viviana Giarimoustas, Procurement Strategist To: Interested Parties Subject: RFP 18-7284 Payment Processing and Related Services The terms for this agreement have changed. Previously the terms were for five (5) years with one (1) three(3) year renewal option. The five (5) year initial term remains the same, however the renewal option will now be two (2)three(3) year renewal option. If you require additional information please call Viviana Giarimoustas, Purchasing Department at 239- 252-8375 or by e-mail at VivianaGiarimoustas[a?coliiergov.net . Thank you. 1 BCC Collier County Collier County Information Technology Requirements 2017 C INDEX 1. Technical Architectural Compatibility & Supportability (TACS) - - - _ A • 3. Architectural diagram. 4. Total Cost Ownership (TCO). 5. Vendor Background Checks County Ordinance No 2007-64 a. Ordinance 2007-64 b. Field print Instructions for Vendors c. Contractor Fingerprint Form 01-20-2015 d. Collier County Contractor Fingerprint Packet 01-20-2015 e. CCSO Background Check Form f. Canadian Background Check Process 6. Vendor Network Access Agreement 7. IT Account Management Requests / Modifications form 8. County Practices and Procedures CMA's a. CMA 5401 Information Systems Lifecycle Management b. CMA 5402 Remote Access Policy c. CMA 5403 Third Party Access Policy d. CMA 5405 Computer-Technology Use &Attestation e. CMA 5406 Computer Software License Control f. CMA 5905 Restricted Network Access Agreement g. CMA 5908 Media Reuse or Replacement Policy 9. Change Management & Change Advisory Board 10.Enterprise Incidents 11.Elevated Network Access Policy 12. Fla. Stat. § 501.171 Florida Information Protection Act 1. Technical Architectural Compatibility&Supportability(TAGS) Technical Architectural,Compatibility and Supportability Requirements Document(TACS) Collier County Information Technology Department Version:12 Revision Date:2/14/2017 Revised by:Richard J.Badge Requesting Div/Dept: Vendor name: Vendor signature: Application name: Date: Ices for C16:C44 it internal required.if hosted N-A <—Required 0"r,pnnnat,brit ma:y:n0/uge aadmwral costs to s::nPv.t Hey for C46:C49 /ace an X in the YES or NC column,mid ally comments requ:re41 in ueiumn Weighted for optional Technical Requirement RID business Vendor's Vendor's requirement for response comments Notes Team responsible depts.fielding REPS Web-based candidate software shall utilize Microsoft Internet Explorer.No The department purchasing the software benefits other browser is supported.Current Collier Production Version is 1E11 or R1 R from increased security,efficiency,and lower Service Desk Edge, support costs over the life of the software Please list any other supported browsers in column G,they may or may not be considered as acceptable.Any non-Microsoft browser considered as R2 D Applications acceptable will incur dedicated support costs. The vendor must submit any applicable license agreements for any proposed Allows the department that is purchasing the elements including a description of the licensing model,and list prices for all R3 R software to determine the limitations of the Applications license types and whether or not custom licensing arrangements are evadable. licensing and the short and long-term costs The vendor must submit any applicable maintenance agreements for any For the department purchasing the software this proposed elements Including a description of the maintenance plan,software information will help them plan when will and how upgrade policies and exclusions,and list prices for all maintenance agreement R4 R often these events take place and to manage Applications types and whether or not custom maintenance agreements are available. their costs more efficiently. SAP is Collier's financial apprication and as such: •Applications cannot directly interface with SAP •Applications that have a point of sales component must be able to produce a batch file daily containing all financial transactions far that day RS R Applications •The batch file sill use the format supplied by the Collar County Clerk of Courts CAS, Technical Architectural,Compatibility and Supportability Requirements Document(TACS) Collier County Information Technology Department Version:12 Revision Date:2/14/2017 Revised by:Richard J.Badge Requesting Div/Dept: Vendor name: Vendor signature: Applicator name: Date: Key for C16:C44 ,.it Internal required,I:hosted 4/:A Repotted Oa Optional,but may involute additional costs to aupp0K Key for C46:C49 ?late an X in the YES or NO column;add any comments required in irritant it All desktop software applications must utilise Microsoft Operating System, current Collier Production Version release with current patches and service 136 R Opera0ons packs.Windows 10(64-bit.Windows 7 will be phased out by 10/1)2017 Applications may not use Exchange Event Sinks or Exchange Public Folders. R7 R Operations If US-CERT posts vulnerabilities associated with an application then the application must be mitigated within a 30 day timeframe by the software Rt R Operations vendor. Software must comply with e4/Federal,State and Local regulation.Especially the Florida Information Protection Act(FIPA Fla.Stat 501.171).Vendors and consultants must be able to show that their applications either a)do not store the type of sensitive data mentioned in FIPA in their application's database or R9 R Administrative b)be prepared to demonstrate how they secure the type of sensitive data mentioned in FIPA in their epplca0on's database. HIPAA compliance is required for any applications that contain an individuals' electronic personal information if it is created,received.used,or maintained in 010 0 the software. All applications that include point of sales systems or accept any type of Vendors are required to meet banking industries payments using credit cards must be PCI(Payment Card Industry Date R11 R PCI compliance requirements Security Standard)compliant and recertify every year.All credit card >:cino must be done outside of the RCC network. Alvendors vendors requiring access to Collier County facilites and the computer network must comply with current published County ordinances and polities. Those ordinances and policies requirements that all county R12 R employees must agree to,which include finger printing,a background check, and signing any user agreements required access the BCC computer _network CA) Technical Architectural,Compatibility and Supportability Requirements Document(TACS) Collier County Information Technology Department Version:12 Revision Date:2114/2017 Revised by:Richard J.Badge Requesting Div/Dept: Vendor name: Vendor signature: Application name: Date: Key for C16:C44 ielrtonal required.If t:astnti N:A V..Repotted >=etpr:c:utl,but luny mctude.tnditlonel cnets to ui ppn:t Key for C46:C49 Mace an X in the'YES or NO culvrmn,add any us"nmcnh required in column et Any software which stores personally identifying information,including but not limited to passwords,SSN,driver's license numbers,etc....or any financial information,such as credit card numbers,bank routing information,etc...must All IT teams fully protect the information and disclose the methods of protection used, R13 R es protection methods,and life cycle handling of this data.Industry standard encryption methods utilizing at least 256 bit encryption techniques are rnnrirpd Software vendors will aclmovdedge in writing prior to selection,that Collier R14 R Applications County Govemment will own any and all data and the databases. Technical specifications, requirements, The candidate software application proposal must Include a complete and visual representations h hardware the candidate's s hardware topology diagram and recommended hardware configurations. presen Vendor Deliverables: Ct R recommended software solution will enable the Applications -Topology Diagram selection committee to understand the complexity -Recommended hardware requirements(workstation and server) of the application and costs to support it. -Network bandwidth requirements Web-based software must utilize IIS 7.5 or newer Kith current patches and The department purchasing the software benefits service packs. from increased security,efficiency,and lower Operations CO R support costs over the life of the software Applications that utilize a web browser for an intemal or external access will utilize TLS1.2 instead of SSL CO R Operations Software applications should support and run on current shipping release of virtual servers,including: Operations-VMware ESX(most current version) G4 R Technical Architectural,Compatibility and Supportability Requirements Document(TACS) Collier County Information Technology Department Version:12 Revision Date:2/14/2017 Revised by:Richard J.Badge Requesting Div/Dept: Vendor name: Vendor signature: Application name: Date: Key for C16:C44 :=)t internal marlin-id,11 hosted bib =ftequiied Ox Optional,huI truly!hUt1tlC eddittonal assts to uiiprvut • Key for C46:C49 Place an X in the'YES or NG column,add;any comments required in column G All software upgrades or changes required by the selected vendor must be fuly tested before being moved into the production environment Therefore vendors must include in their proposal the costs for licensing,professional CS R Applications service and annual maintenance to set up and maintain test and development environments. System must support the current the use of Netbackup in the Collier Production environment with NetBackup most current version. C6 R Operations All server software applications must utilize Microsoft Operating System, Standardizing the desktop operating system to a current Collier Production Version release with current patches and service C7 R few specific versions decreases the management operations packs,current version is Server 2012 R2 overhead for support and lowers the cost to the aoencv. Solutions requiring a back-end database must utilize Microsoft SQL Server Standard or Enterprise edition.The solution must use Microsoft SOL Server 2012(64-bit)or newer.Compatibility mode must match the version of CS R Development Microsoft SQL Server. For SQL Server based solutions,the use of the defauh SOL SA account is prohibited.The use of the SA role for daily functions is also prohibited.The co R Development solution will adhere to the least privilege principle. Hard coding account access shall not be permitted. Provides enhanced application security by removing the issue of being unable to change C10 user account names and passwords if that Operations/Development information is compromised If a geographic information systems(GIS)is included in the solution,the solution must leverage the Countys ESRI GIS infrastructure,which includes ArcGIS for Server Enterprise Advanced version.Loosely couple architecture CII R Development using the REST endpoints is the preferred architecture solution.The County strives to keep its ESRI GIS current with the latest released version. • • • • • • • • • Technical Architectural,Compatibility and Supportability Requirements Document(TACS) ti lli.rrnar.aiasa,'I i.nrr_»,n,.n.,,l.I/id,. Revision Date:2114/2017 Revised by:Richard d,Badge Kev for C18;C44 m If Internal req:md.If liovtne N/A Rrquhoa rs OpYena7:isur may lncilue audiganal r n-.r,to support Key for C46:C49 Piacei .the YES or NO column,.cd-�,!y cirnrhevtc rcgw:e9 i.l column ti All optional items listed below may incur additional casts for support and maintenance for the application that Is proposed.All additional costs,for implementation and ongoing maintenance would be borne by the department putchasme the application. Incident Support providing 24x7/365 coverage shall be offered.Incident This service is appropriate when a department's response service levels shall be specified, critical business is run outside of the normal 8 to 5 Monday to Friday work week(example: evenings,weekends,holidays)and the software systems are proprietary or complex enough that 01 0.10 the BCC IT department cannot always resolve Aptllcadoes the issue without assistance from the vendor. There Is however,a premium associated with the cost of this type of vendor support,which the deparbnent purchasing the software would bare. Client software applications ons silent aport and[the vendor should, gvide ■■Results in lower supportthatand the software.costs package definition files wiM silent install without user interaction,using for the department that owns the software. Microsoft SCCM current version.Supported installation packages include: 02 0.10 Applications MSI,Microsoft Windows installer MSI eompelble All software application vendors are required to notify Collier County when new Allows the department that owns the software to releases become available and when curtest releases and related systems are ■ get the latest functionality that the vendor is 03 010 Applications no longer supported. offering along with patches that keep software wbili Preferred solutions should take advantage of the Countys Active Directory Provides enhanced security by eliminating the environment and utilize Windows Authentication at the application,database possibility of a disgruntled former employee or and server tier,run fully in the user context,and not require elevatedO4 O-10 vendor getting access toe department's All IT teams permissions or administrative permissions.Elevated permissions require application since their network account with be adherence to all relevant policies,such as the Elevated Privileges and disabled. E evated Database P rmissixns•oroes Vendor Required Software for their applications to run Yes No Vendor's software acted in ted sectionwill support require P comments additional dedicated casts for support pI 0 • • • Technical Architectural,Compatibility and Supportability Requirements Document(TACS) Collier County Information Technology Department Version:12 Revision Date:211412017 Revised by: shard J.Badge Requesting DIV/Dept: Vendor name: Vendor signature: Application name: Date: Rev for Cl 6:C44 ::::it Internal reguMed.It:nested Nig sse Requited OTM Optional;but mny include sddtdrnial comb to support Key for C46:C49 Place an X In the Yes Cr NO column;odd any ocmmenta required in column t9 Applications Does the application require Flash? adons Does the application require Java? ApplAppllcications Does the application require Silvedight? Applications Does the application require any type of PDF software? c90 2. CCIT Construction Standards Version 5 2-24-14 This section has been removed as it does not apply to this project. 3. Architectural diagram. IT Customer Portal-Architectural Diagrams and Reviews Page 1 of 1 • SharePoint OrtegaAnnia— ? IT Customer Portal tSearch:.his site Architectural Diagrams and. Reviews Architectural Diagrams and Reviews [Revised 12 May 2015] The IT Division requires that all network applications submit and maintain an architectural diagram. Architectural diagrams and reviews fulfill the following purposes: • To determine if the proposed solution is feasible before significant resources are spent on implementation and to assess the impact on network and systems performance • To ensure that the project lead understands all the parts of the application,how the application works and any dependencies the application has. • To ensure that the proposed architecture will be evaluated against permissible service level • This is a planning tool to help identify what is needed. • So you know what the solution is going to look like and how it fits with our agency architecture • To help assess the impact of changes and system failures both individually and any proposed/planned environment • Know where all the parts and pieces live and how they interact • Servers(including types) = Databases • Services used(email,AD,etc) • Firewall configurations(ports,destinations,etc) = IPs = Software components,services and what and how they communicate with each other • CIFS shares or mapped drives • Identify software dependencies = Any software dependencies including version requirements. Examples include Java,Internet Explorer or other browsers,Internet Information Server,etc. • Part of the documentation set needed to maintain the solution • Serves as a troubleshooting tool for system failures or malfunctions • Uncover any potential security issues • Understanding the suitability of the solution for deployment on multi-tenet dedicated resources Architectural Diagrams consist of the following: • Visio diagram(s)with all the pieces,parts and communications that reside on the county's infrastructure. Components not on the county's infrastructure,such as those related to hosted or Software as a Solution(Saar),do not need to be included. = Servers(including types) = Databases • GIS = Services used(email,AD,etc) • Firewall configurations(ports,destinations,etc) .. IPs • Software components,services and what and how they communicate with each other CIFS shares or mapped drives • Summary of the proposed solution(word doc.) Architectural reviews are required when: • At the time the Scope of Work(SOW)is developed • Prior to procurement • After procurement but prior to deployment if the proposed architecture changes • Prior to any architectural changes • Anytime issues are escalated to IT management At project closeout 0 htm•//hcccn02/sites/ITCP/Wiki%20PaRes/Architectural%20Diagrams%20and%20Reviews.•.. 08/11/16 Providing secure Authentic s configuration users Preventing; IC t On Protecting ng o sen 4' is data rnaniputation Application { Database S ver 4110111.11.0 ' Browser 4 44 • ' A i a ,.,r. ,.,Obi Database Protecting data USer Encrypting or and hashing seven �� �ti� Iran i sensitive sss g datahi king and inertAuthenticating and okiticAting r replay upstream attacks identifies 4. Total Cost Ownership (TCO). Vendor solution maintenance support projects out 3 years to 5 years for 0 & M cost for budget planning. Provides full transparent disclosure of any partnership costs to integrate their vended solutions to other vendor solutions. The vendor must identify and disclose how much the integration will cost and whether it is included in vendor bid or identify it as an additional expense Collier UBCS would be asked to absorb in project. Including future maintenance costs. 0 Year 2 Year 3 Year 4 Year 5 Year 6 Year 7 Year 8 Year 9 Year 10 Year of Total Initial Funding Fiscal Year Funding 20XX 20XX 20XX 20XX 20XX 20XX 20XX 20XX 20XX To Date Appropriation Roll Over Funding Total Funding Available Software _ 0.00 Training 0.00 Yearly Maintenance 0.00 Yearly Portal Maintenance 0.00 Yearly IVR Maintenance 0.00 Licensing/Software 0.00 Productivity Tools 0.00 Change orders 0.00 Services Platform 0.00 Server Hardware 0.00 Server Operating System 0.00 Desktop Hardware 0.00 Virtual Desktop/OS 0.00 Storage 0.00 Database 0.00 Network 0.00 Disaster Recovery IT Operational Support Tier 2 Application Support 1 FTE 0.00 -IT Staff 0.00 Tier 2 MIS Support 0.00 Education/Training 0.00 Migration/Upgrade Services Soft Costs-Business Unit FTE's 0.00 Design/Configuration 0.00 Test 0.00 Support 0.00 Total Spending per FY 0.00 It 5. Vendor Background Checks County Ordinance No 2007-64 a. Ordinance 2007-64 b. Field print Instructions for Vendors c. Contractor Fingerprint Form 01-20-2015 d. Collier County Contractor Fingerprint Packet 01-20-2015 e. CCSO Background Check Form f. Canadian Background Check Process .rrwl�■�r. 56?.ci9 N 70 ci NOV 2007 Eno `ter „zt.zo-r„ ,-, ORDINANCE NO.2007- 64 AN ORDINANCE OF COLLIER COUNTY, FLORIDA, AMENDING ORDINANCE 04-�.�F`: v ,PURSUANT TO SECTION 125.5001,FLORIDA STATUTES,MANDATING STATE rr, 'S" AND FEDERAL CRIMINAL HISTORY RECORD CHECKS FOR ALL POSmONS OF - EMPLOYMENT IN COLLIER COUNTY OR BY OUTSIDE CONTRACTORS OR i.^: '• VENDORS; PROVIDING FOR INCLUSION INTO THE CODE OF LAWS AND •�,!:1" ORDINANCES;PROVIDING FOR CONFLICT AND SEVERABIUTY;PROVIDING AN -- EFFECTIVE DATE. 7.r ' WHEREAS, Section 125.5801, Florida Statutes, (2006), authorizes the Board of County Commissioners to adopt this Ordinance to mandate state and federal criminal history records checks for applicants for employment in positions of employment deemed by the Board to be critical to security or to public safety;and WHEREAS, the Collier County Board of Commissioners deems that all County employees and positions are critical to security or to public safety;and WHEREAS,Collier County employees are placed in positions of trust and positions which require them to Interact with citizens,visitors and vendors in Collier County,and as such all Collier County employees are in positions deemed critical to security or public safety;and WHEREAS, these criminal history records checks can apply to private individual contractors,employees or other representatives of contractors including vendors,repair persons,or delivery persons,any of whom are deemed by the Board to be critical with regard to security or to public safety,including concerns with regard to any such Collier County owned or operated building or facility and/or school board building and parks; and WHEREAS, these criminal history records checks include having the applicant, employee, private individual contractors, employees or other representatives of contractors including vendors, repair persons, or delivery persons fingerprinted and submitting the Individual's fingerprints to the Florida Department of Law Enforcement (for a state criminal background check)and to the Federal Bureau of Investigation for a national criminal history records check;and WHEREAS,the information obtained from the criminal history records checks will be used to determine the respective individual's eligibility for employment and continued employment by the County or by any contractor with whom that County might contract; and Page 1A6 C WHEREAS, each individual applying for County employment, or who is then employed by the County, in any position then deemed by this Ordinance (or Board Resolution adopted pursuant to this Ordinance) to be critical to security or to public safety,can be denied employment(or if already employed,such employment can be terminated),if the individual has been or Is convicted of any felony or any misdemeanor of the first degree,and the conviction need not be related to the respective position of employment or appointment. NOW, THEREFORE, BE IT ORDAINED BY THE BOARD OF COUNTY COMMISSIONERS OF COLLIER COUNTY,FLORIDA,that: SECTION ONE: AMENDMENT TO THE CODE OF LAWS AND ORDINANCES. A-nem-auction 2-66 of the Collier County Code of Laws and Ordinances(in Article III of Chapter 2)Is hereby amended tweaked to read as follows: Sec. 2-66. Criminal History Record Checks Applicable to Individuals Employed in Positions of Employment Deemed by the Board of County Commissioners to be Critical to Security or Public Safety. (a) Each Collier County employee and'position of employment"Ycied-below s deemed to be critical to security or public safety.Fef-the (b)Position of employment'is not limited to true employees,but shall be liberally construed to include each individual who Is "appointed" to the position; and also includes each Individual who,because of his/her relation to an entity that has entered into a contract with the County,who,because of that relationship,will be afforded any opportunity to be a risk to security or to public safety,such as,but not limited to,each individual who,with or without authorization,could gain physical access to any place (restricted access location) where such individual could poison or otherwise contaminate any potable water that might be supplied by the County,or by the Collier County Water-Sewer District,to any consumer or end-user, or who,because of such relationship, could physically harm or destroy any functionality of any potable water Nee 2.9L6 facility owned or controlled by Collier County or by said District; or who could damage or destroy any telecommunications system or major telecommunications facility or computer system or network;and provided the individual will not always be subject to continuous, direct and Immediate supervision by at least one (1) individual who had passed the background checks. (1) Positions of Employment: (al All Collier County employees,applicants,and incumbents; rouerkted area: Writer. Ackrtiaict. - Sccretcry= Pope 3 of 6 0 • ( .44)-jp,LAdditlonal Positions:-Each additional position or classification added to this subsection from time-to-time by Resolution(s)of the Board. (b)(2) Applicants: Each individual who submits an application to Collier County to be considered for employment '• . . . . . hall be fingerprinted,and those fingerprints shall be submitted to the Florida Department of Law Enforcement(for a state criminal history records check)and also to the Federal Bureau of Investigation for a national criminal history records check. The information obtained from each respective criminal history record will be used to determine the applicant's eligibility for employment (or continued employment) to the respective position, or, if then employed,continued employment in any position that is required to successfully pass the respective criminal history record checks. (3) Procedure:The fincemrintino shall be conducted by the Collier County Facilities Department. All employees shall be re-finserprinted every five years. $(4.) Other positions of employment(or appointment)deemed by the Board of County Commissioners to be critical to security or to public safety can be added to this Ordinance by Resolution(s)adopted from time-to-time by the Board. (d)- j Contracts can mandate that each such position deemed to be critical to security or public safety shall undergo these criminal history records checks, and information obtained from,or as a result of,any such records check can be the sole basis to place Page 4of6 limitations on the places(locations)where such individuals shall be denied all physical access at all times. (aj(¢) This Ordinance shall be liberally construed. This Ordinance does not affect any law, any other ordinance,or any rule or regulation related to criminal history records checks except that pursuant to Section 125.5801 and subsection 112.011(2)(c),Florida Statutes,each individual applying for County employment(or who is then employed by the County)in a position that is then deemed by this Ordinance(or resolution adopted by the Board under this Ordinance)to be critical to security or to public safety, is not protected by Section 112.011, Florida Statutes,and,therefore, such individual can be denied employment(or if then already employed,the employment can be terminated)If that individual has been or is convicted of any felony or any misdemeanor of the first degree,whether or not the conviction is related to that employment. SECTION TWO: CONFUCT AND SEVERABILITY. In the event this Ordinance conflicts with any other Ordinance of Collier County or other applicable law, the more restrictive shall apply. If any phrase or portion of this Ordinance Is held invalid or unconstitutional by any court of competent jurisdiction,such portion shall be deemed a separate, distinct and independent provision and such holding shall not affect the validity of the remaining portions. SECTION THREE: INCLUSION IN THE CODE OF LAWS AND ORDINANCES. This Ordinance shall be made a part of the Code of Laws and—Ordinances of Collier County,Florida,as anew Section 2-66,as amended of that Code. The sections of the Ordinance may be renumbered or relettered to accomplish that result, and the word "Ordinance'may be changed to Section, `Article"or any other appropriate word. SECTION FOUR: EFFECTIVE DATE. This Ordinance shall be effective upon filing with the Florida Department of State. Page 5 of 6 r`) PASSED AND DULY ADOPTED by the Board of County Commissioners of Collier County,Florida,this 23AJ day of OC(O s e k. 2002. ATTEST: BOARD OF COUNTY COMMISSIONERS Dwight E.Brock,Clerk COWER COUNTY,FLORIDA B ,LLA-A �!! .e �0.t,t4.00 By: __ Attain% I `�Na l matt $ 'A s14naturs ott1■ Approved as to form and legal sufficiency: By: gre4t Colleen M.Greene Assistant County Attorney • Ptge6of6 This ordinance filed with the Secretary of State's Office the 24''`day of()rko6ty 20o7 and acknowledgement of that filing received this day of Novt�nao By o.ouH C STATE OF FLORIDA) COUNTY OF COLLIER) I , DWIGHT E. BROCK, Clerk of Courts in and for the Twentieth Judicial Circuit, Collier County, Florida, do hereby certify that the foregoing is a true and correct copy of : ORDINANCE 2007-66 Which was adopted by the Board of County Commissioners on the 23rd day of October, 2007, during Regular Session. WITNESS my hand and the official seal of the Board of County Commissioners of Collier County, Florida, this 26th day of October, 2007 . DWIGHT E. BROCK Clerk of Courts and Clerk Ex-officio to Boa.rfl ,?f • County Commiss ,0nOT :. F . • By: Martha V= •:ra,. . Deputy C, Instructions for using Fieldprint • Go to https : //florida .fieldprint. com/User/Signin • Enter your e-mail address in the "New Users 1 Sign Up" section New Users I Sign Up If you are a new user. please register with Fieldprint®in order to schedule your fingerprinting appointment. Begin the registration process by entering your e-mail address below. Email address: Sign Up • Enter your password and security question information • Select "I know my Fieldprint Code" on the "Reason" page Reason why you need to be fingerprinted I know my Fieldprint Code See More Detailed Descriptions of Reasons Select... Continue • Provide our access code: o FPCollierCoGovl • Enter your personal information • Schedule a time and location • Confirm the appointment • Go to the local FieldPrint office that was specified for fingerprinting. For any questions/concerns, please contact the Fieldprint Customer Service Team: Fieldprint, Inc. 400 Lippincott Drive Suite 115 Marlton, NJ 08053 Toll-free phone: (877) 614-4364 CustomerService(ailfieldprint.com Collier County Department of Facilities Management Government Security Section 239-252-2222 c o ,e-r~ couyrty Administrative Services Division Facilities Management Department of Facilities Management-Government Security Section Contractor Fingerprinting and Background Check Request Form To Be Completed By Collier County Project Manager(PM)/Sponsor* First Name: Last Name: Division Department E-Mail Address: Phone: @colliergov.net (239)- - Does contractor require card access?*: YES NO If yes, please send e-mail authorization to DL-FMOPS@colliergov.net . *If this section is not completed, the contractor will be issued a non-access identification badge. To Be Completed By The Individual To Be Fingerprinted (Para Ser Completado Por El Contratista) Your Name (Tu Nombre) x Employer(Empleador) x Job Title (Titulo de Empleo)x I understand that Collier County Ordinance No. 04-52 (amended in October 2007) requires state and federal criminal history record checks for all contract workers through fingerprinting. The cost of the fingerprinting is the responsibility of the contractor. The cost is currently $40.00 and may be paid by check or money order made out to "BCC" or exact cash. Credit and debit cards are not accepted. Criminal histories are generally valid for five (5) years. Contractors identending to continue work after that time will then be required to repeat the fingerprinting process and pay the current fee. Identification badges are valid for one(1)year from date issued and may be renewed at no cost to the contractor. I, x (Please print legal name/Escribe su nombre con letras de molde) have read and understand the information above and consent to the above mentioned fingerprinting and criminal history records checks. Signature (Firma) x Date (Fecha) x To Be Completed By Department of Facilities Management Staff -- Fingerprint ID#: Date Fingerprinted: Badge Photo/Face Tagged: YES NO Employee Initials: Comments: Address: 3335 Tamiami Trail E Ste 101 Questions?: Building W (Facilities Management) Office: (239)-252-8380 Naples, FL 34112 E-mail: DL-FMOPS@colliergov.net Revised January 20th, 2015 0 0 Cotter County Administrative Services Division Facilities Management Department of Facilities Management Government Security Section Background Check Guide • Local Contractors/Vendors: o Complete the Collier County Fingerprinting Packet. o Bring the completed packet, valid U.S. Federal or State issued ID, and payment to: • 3335 Tamiami Trail Ste 101 • Building W (Facilities Management) • Naples, FL 34112 o If you will be working in Collier County Sheriff's Office facilities,you will also need to complete their background check process.We have included their form and instructions for your convenience. • Remote Contractors/Vendors: o Completely read the Fieldprint Instructions for Vendors document. o Make a Fieldprint appointment and send us an e-mail notification of your appointment that contains your name and your company's name. • We do not see employment information on Fieldprint,therefore this step is crucial to prevent any delays in processing your background check. • Canadian Contractors/Vendors o Completely read the Canadian Background Check Process document. o Make an appointment with the Royal Canadian Mounted Police for a background check and send us an e-mail notification of your appointment that contains your name and your company's name. • Contractors/Vendors from outside of the U.S. and Canada: o Please contact us directly for assistance with your international background check. PLEASE NOTE: • U.S. background check results typically take 24 to 48 hours to process. • Criminal histories are generally valid for five (5)years. Contractors intending to continue work after that time will then be required to repeat the fingerprinting process and pay the current fee. Identification badges are valid for one (1)year from date issued and may be renewed at no cost to the contractor. This document was last updated on Thursday,January 29,2015 and is subject to change based on legal and/or contractual requirements. Please contact us at 239-252-8380 or DL-FMOPS@colliergov.net if you have any additional questions. �o ID Card Issued ��'►��`:,. Date & Initial ��� `oma o,t, �i vl* Collier County Sheriffs Office 4►3 0,9427Z,,4 3319 East Tamiami Trail �� _ Naples, FL 34112 (239) 774-4434 Collier County Sheriff's Office Background Investigators will conduct a background screening on all contract employees accessing the vehicles, buildings, properties,databases, or documents of the Sheriff. Please have prospective contract employees complete the following questionnaire and return it to the Collier County Sheriff's Office. The questionnaire will then be forwarded to the Background Investigators in Human Resources. EMPLOYER OR ORGANIZATION: Address: 1. NAME: Email Address and Phone Number: 2. ALIAS NAMES(MAIDEN, ETC.) 3. DATE OF BIRTH: 4. SOCIAL SECURITY NUMBER: 5. RACE AND SEX: 6. DRIVER'S LICENSE NUMBER(INCLUDING STATE): 7. STATES OF PRIOR RESIDENCY: 8. PLACE OF BIRTH: In compliance with Florida Statute 119.071(5),this document serves to notify you of the purpose for the collection and usage of your Social Security Number(SSN). The Collier County Sheriffs Office collects and uses your SSN only for the following purposes in performance of its duties and responsibilities related to vendor background investigations,to Include FCIC/NCIC/IQ checks,driver license checks,Accurint checks,local and state records checks,clerk of court checks,and clarification for duplicate or additional names. (INITIALS OF APPLICANT) CERTIFICATION: I hereby certify that all statements made on this form are true to the best of my knowledge. I understand that I am authorizing CCSO to conduct a background investigation and that any negative outcome may result in my being denied access. If the background Information is not acceptable to the CCSO for any reason(in their sole and absolute discretion)I may be denied access. I hereby release and agree to hold harmless from liability,the Sheriff,any of his agents,designees or employees in relation to their receipt,review and use of such background Information. Signature Date FOR AGENCY USE ONLY: 0 WinGS: (See Attached Printouts) ❑ FCIC/NCIC: (See Attached Printouts) 0 IQ(if applicable): (See Attached Printouts) ❑ IAQ (ICE Check): (See Attached Printout) ID#of Agency Member completing Check Date RECOMMENDATIONS:APPROVED/DISAPPROVED Signature/ID: Date: Date Fingerprinted: Results Date: Agency Supervisor Copied to Pauline Hours of Access & Door Access Purpose for Employment (Job Function) • http://www.rcrnp-grc.qc.ca/cr-ci/finu-empr2-enu.htm How to Obtain a Certified Criminal Record Check Civil Fingerprinting Screening Services NOTE: After 90 days, the Canadian Criminal Real Time Identification Services destroys fingerprint submissions relative to civil screening when the search process is completed. The fingerprints are not added to the RCMP National Repository of Criminal Records and are not searched for future purposes. Full set of fingerprints required • To conduct a criminal record check we require a full set of fingerprints, including both rolled and flat impressions of all ten fingers. • Complete all fields on the fingerprint form. • You must have your fingerprints taken on form C-216C at your local police station or private accredited fingerprinting agency. • Depending on the police jurisdiction, a fee may be required. Reason for Request Clearly indicate the reason for your certified criminal record check: • Employment - federal, provincial, municipal governments • Applicants must specify the job title or position sought in the "REASON FOR APPLICATION" portion of the fingerprint form. Identification of police service or fingerprinting agency Verify the information recorded by the official taking your fingerprints and ensure that the official's name and signature, and the name of the agency is indicated on your fingerprint form. Final step (checklist): Before sending your request, make sure it contains the following: • Original fingerprint form • Full name • Date of birth • Sex/Gender • Mailing address • Phone number and/or email address • Reason for application • Processing fee ( if applicable) • Third party consent letter o Send the results to: Security Chief Douglas Hendley Collier County Department of Facilities Management 3335 Tamiami Trail E Ste 101 Naples, FL 34112, USA 0 RCMP Approved Vendors L-1 Identity Solutions http://www.11id.com/pages/556-find-out-more-about-our-canadian-services Contact Us to Begin Using L-1 Centers in Canada for Your Processing Needs • Phone: (800)749-7554 • Fax: (902)835-4167 • Email- Llinfo@Ilid.com Canadian Enrollment/Fingerprint Locations • Alberta • British Columbia • Manitoba • Newfoundland • New Brunswick • Northwest Territories • Nova Scotia • Ontario • Prince Edward Island • Quebec • Saskatchewan Frequently Asked Questions How long will it take for digital fingerprints to be processed by the RCMP? If the applicant does not have a criminal record and has never been fingerprinted for a criminal offence in Canada,the RCMP will make every effort possible to process the request within 72 hours of receiving the electronic submission. This means that the RCMP will put the results in the mail for mailing back to the applicant or third party within 72 hours.In view of this,please ensure sufficient time is allowed for receipt of the results in the mail before commencing inquiries about the status of fingerprint records.If a criminal record is encountered during the verification process, processing will be increased to 120 days. How can I find out about the status of a submission once it has been sent to the RCMP? Once L-1 Identity Solutions submits your fingeprints electronically you will recieve confirmation via e-mail(if an e-mail address is provided on your application)that your fingerprints have been successfully received by the RCMP.If you require further information or have questions regarding your fingerprints you can contact the RCMP Civil Fingerprint Screening Services either by phone at(613)998-6362 or by e-mail at Link Text Do I need an appointment to be fingerprinted? I Appointments are not needed at most of our locations.Please see Canada Locations for a complete list of locations, directions,contact information and business hours. How long will it take for my fingerprints to be taken? Our digital process is fast,efficient and clean.A complete fingerprint session normally takes approximately 20 minutes to complete.Our traditional ink and roll fingerprinting sessions take approximately 10 minutes to complete. How are my results obtained? Each applicant's criminal record verification results can be sent directly to the individual or to a designated third party,such as an employer,immigration or pardon's agency.If an applicant is under the age of 18,results must be returned directly to the home address of the applicant.Please ensure that all of the address information for the applicant or third party is available during the application process. Can I get a copy of my application? All applicants can receive a true copy of the digital submission to the RCMP or a copy of the ink and roll submission. An additional charge may apply. What identification do I need to bring with me to my appointment? You must provide two pieces of valid government issued identification,at least one of which must have a photo of you. The following types of identification are acceptable: • Passport • Citizenship Card or Document • Immigration Document(Student Visa,Work Visa,Landing Papers) • Birth Certificate • Driver's License • Permanent Resident Card or Record of Landing for Citizenship applicants • Government ID(if you are employed by a federal or Provincial branch of the Government) • Health card with photo(please note not all provinces accept health cards as valid government issued ID. Please refer to provincial regulations or call the office nearest you. Please note that it is recommended that applicants have with them a letter for file number from the requesting agency if applicable and that ALL digital fingerprinting requests for Canadian Citizenship must include a letter from Citizenship and Immigration Canada.This letter must include the address for third party results submissions and should have a CIC file number.Please ensure this letter is available during your fingerprinting session. Commissionaires http://www.commissionaires.ca/national/en/services-personal/personal-fingerprinting/ How to Get Your Fingerprints Applicants should bring two pieces of valid government issued identification and one must be a photo ID.The following are types of acceptable identification. Please check with your local office for additional types of identification which may be accepted: • Passport • Driver's License • Birth Certificate • Canadian Citizenship Card • Permanent Resident Card 0 • Certificate of Indian Status • Immigration Documents i.e.work or study permits • Military Family ID card (MFID) • Record of Landing for Citizenship Applicant • Certificate of Live Birth • Nexus card Note: • All identification must be current and not expired; Payment Methods We accept major credit cards, debit or cash at most of our locations. Please check locations to confirm. Appointments Please check locations to confirm hours of operation and determine if an appointment is necessary. Locations Frequently Asked Questions about Fingerprinting What is digital fingerprinting? Digital fingerprinting is the electronic capture of a person's fingerprints via an optical scanner at a capture station.The scanned fingerprints, along with the application details, are then formatted into a standardized electronic package that is attached and emailed,via a secure link, direct to the RCMP's Canadian Criminal Real Time Information System (CCRTIS). CCRTIS compares the fingerprint package against the RCMP's criminal record database. If no record is present,the RCMP will issue a certificate indicating a clear record. If the applicant does have a criminal record this will be indicated in the results. Will the results of my fingerprints include a transcript? Yes,fingerprint results will include a transcript.A transcript is a record of the applicant's criminal record and will clearly indicate either a clean record or it will list convictions.The transcript also details the nature of the conviction(s).This transcript is released to the applicant, or it can be released to third parties if the applicant provides consent at the time of fingerprinting. How long will it take for digital fingerprints to be processed by the RCMP? If the applicant does not have a criminal record and has never been fingerprinted for a criminal offence in Canada,the RCMP will make every effort possible to process the request within 72 hours of receiving the electronic submission. (This means that the RCMP will put the results"in the mail"for mailing back to the applicant or third party within 72 hours.) In view of this, please ensure sufficient time is allowed for receipt of the results in the mail before commencing inquiries about the status of fingerprints. If a criminal record is encountered during the verification process, processing will be increased to 120 days. How can I find out about the status of a submission once it has been sent to the RCMP? Commissionaires provides the best service to all our clients. Clients are advised that once the RCMP informs Commissionaires that the electronic submission has been received and is successfully processing,the RCMP will not release any further transaction status information to Commissionaires. Clients (e.g., applicant or authorized third party) may inquire about the status of their electronic and/or traditional ink and roll submission by contacting the RCMP Civil Fingerprint Screening Services at 613-998-6362 or civilnpsPrcmp-grc.gc.ca. Do applicants need an appointment? Appointments are recommended although some locations welcome walk-ins. Please check locations to confirm hours of operation and determine if an appointment is necessary. How long will it take to get fingerprints taken? Our digital process is fast,efficient and clean and normally takes approximately 20 minutes to complete. Our traditional ink and roll methods take approximately 10 minutes to complete. How are results obtained? Each applicant's criminal record verification results can be sent directly to the individual or to a designated third party,such as an employer or immigration or pardons agency. If an applicant is under the age of 18, results must be returned directly to the home address. Please ensure that all the address information for the applicant and third party are ready during the application process. May applicants get a copy of the application? All applicants can receive a true copy of the digital submission to the RCMP of a copy of ink and roll submission. An additional charge may apply. Is Commissionaires a government agency? Commissionaires is not a government agency. Commissionaires is a not-for-profit organization employing former military and police as well as responsible citizens of all ages in rewarding careers. #C.er County Administrative Services Division Facilities Management Department of Facilities Management Government Security Section Notice of Collection of Social Security Numbers The Collier County Facilities Management Department, as a department of the Collier County Government Agency, in conjunction with its background check duties and responsibilities authorized by Florida Statutes Section 125.5801 and County Ordinance No. 2007-64, requests your social security number to complete criminal history checks with State and federal authorities. Your social security number is collected for the following reason: 1. FBI/FDLE Fingerprint background checks. Your Social Security Number will only be collected and disclosed for the listed purpose(s), and as may otherwise be authorized by law, and once collected, will be maintained as confidential and exempt records under Chapter 119, Florida Statutes by this agency. Providing your social security number is voluntary. Refusing to voluntarily provide your social security number will not result in the denial of any right, privilege or benefit provided by the County but may result in the denial of your eligibility for employment with the County. Additionally, refusal to provide your social security number may result in delays processing your background check. X Employee/Contractor Signature (Firma) Building Automation Technician Signature REVISED—04/03/2012 G:\Building Operations\Operations Center\Forms-Procedures-Manuals\Building Autornation\Forms\Fingerprinting\SSN Collection Notice 04-03-2012 6.Vendor Network Access Agreement Form Collier County Government Vendor Remote Network Access Agreement I agree that I will not use my network access to the Collier County network in any manner inconsistent with the work I am contracted to do. This includes only accessing information systems or data files required in the performance of my work. I agree to notify the appropriate Collier County contact of all accesses, and details of actions or modifications that I have performed on systems while connected. I further affirm that I have read and agree to abide by the Collier County End User Computing Policy and Remote Access Policy as provided to me. I also agree to notify the Information Technology Department as soon as network access is no longer needed, so that my access can be removed. I understand that violation of any of these policies could lead to loss of access,termination of vendor or contractor status, or prosecution under the applicable statute. I understand that vendor access is restricted to the hours of 8:00AM to 5:00PM Collier County Local time, unless otherwise agreed to and noted on this agreement. Printed Name Signature Date C 7. IT Account Management Form_11012016 C Information Technology Department Co Service Desk ti. -ler County Phone (239)252-8888 Fax(239)252-6346 IT Account Mana'ement Form This form is to be used for new account creation, disabling existing accounts, account name changes (existing employee changing their name), account position changes (existing employee moving to another department),new shared calendars,new generic email accounts,new distribution lists, and updates to email, calendar, or distribution list ownership . Please complete the section of this form relating to your request, sign the bottom of the document, and fax it to the IT department using the fax number listed above. Questions regarding this form may be e-mailed to BCCAccountRequest cr colliergov.net. Thank you for your cooperation. Please mark one of the following options and fill out the corresponding section: ❑ Create an Employee Account Section #1 Required ❑ Modify an Employee Account(Add/Remove Access) Section#1 Required" ❑ Disable an Existing Account Section #1 NAME ONLY ❑ Account Name Change(Employee Name change) Section#2 Required ❑ Account Position Change (Employee Dept/Job Title change) Section #3 Required ❑New Shared Calendar or Shared Mailbox Section#4 Required ❑New Generic Email Section#4 Required ❑New Distribution List(DL) Section#4 Required ❑ Update/Change Calendar,Email, or DL Owner Section #4 Required Section #1 New Account Creation/Modify (This section is for new employees only) Employee Name (please print) Employee Department Employee SAP ID* ❑ Full/Part-time Employee ❑ Volunteer/Intern (*expires iii 30 days wfo SAP) ❑ Contractor/Vendor ❑ Sharepoint account only *Special applications or access that the employee will need: ❑ Active Sync ❑ RDS (Terminal Services) ❑ Internet Access ❑ MinuteTraq (please circle the ones that apply: Prime, Prepare,Approve) ❑ Office 365 Cost Center * (required) ❑ OWA ❑ SAP ❑ VPN (for working from home/remote location) ❑NeoGov-Online Hiring Center circle all that apply: Hiring Manager to view applicants, Approver to approve requisitions, Originator to create requisitions) Special distribution lists (other than Subscribers),such as DL-SAP : Section #2 Account Name Change (For existing employees who have changed their name) Employee's Previous Name Employee's New Name Section #3 Account Position Change (For existing employees that have moved to another department/Job Position) Employee Name Previous Department New Position Title New Department **Important notes for account position changes: 1. Please move any relevant data from the employee's F drive to the G drive for the previous department prior to the employee moving to the new department. 2. The F drive of an employee moving to another department will still be accessible to that employee in his/her new position. 3. The G and H drive associated with the employee will be changed to those specific folders in use by the new department.If access is also required for the previous department's G and/or H drives,the director for the previous department must authorize this by sending an email to BCCAccountRequest@colliergov.net. 4. Employee E-Mail will NOT be affected by the change. 5. Specify Special Applications needed for new position. Section #4 Special calendar, Email account, or Distribution List Name of Calendar,Email, or Global DL (Distribution List) New/Current Responsible Party's Name Phone Number (REQUIRED) Initial Access List(employees or groups with access to this calendar/email/list): *** Please note: The following section is required for all requests. *** This portion must be filled out by a supervisor (All Fields Required) Supervisor Name: Phone: Supervisor Signature: Date: Please note:Account requests may take up to 5 business days for processing. *By selecting this,you signify that you have Budget Authority to spend money in the Cost Center listed. �1 8. County Practices and Procedures CMA's a. CMA 5401 Information Systems Lifecycle Management b. CMA 5402 Remote Access Policy c. CMA 5403 Third Party Access Policy d. CMA 5405 Computer-Technology Use &Attestation e. CMA 5406 Computer Software License Control f. CMA 5905 Restricted Network Access Agreement g. CMA 5908 Media Reuse or Replacement Policy 0 CMA 5401 INFORMATION SYSTEMS PROCUREMENT AND LIFECYCLE MANAGEMENT §5401-1.Purpose. §5401-2.Procurement and Deployment. §5401-3. Ongoing Support and Maintenance. §5401-4.Application Retirement. §5401-5.Waivers,Mitigation and Remediation. §5401-6. Currency. [Effective Date: April 18, 1997(Revised: October 1,2001; Revised: October 1,2003; Revised: January 21,2016)] § 5401-1.Purpose. The purpose of this Instruction is to define a standard, efficient, and effective method for procurement and lifecycle management of information systems and services that are compatible with the agency's information architecture, supportable, interoperable, secure and comply with the County Information Technology Division (IT) standards and practices. All purchases must comply with the requirements of the County procurement ordinance and policy. § 5401-2.Procurement and Deployment. A. A completed Technical Architectural Compatibility Standards (TACS) signed by the IT Director and the procuring Operating Division Director is required prior to procurement. The current TACS form is available on the IT Division's Intranet website. All requirements must be met. Exceptions may be granted with sufficient mitigation or a waiver see§ 5401-5. Waivers,Mitigation and Remediation. B. Operating Division Director must determine permissible service levels including the maximum number of failures on an annual basis,the maximum downtime per incident and the acceptable data loss per incident in minutes. C. Information systems must comply with all local, state and federal laws. Health Insurance Portability and Accountability Act(HIPAA),Personally Identifiable Information(PII) and Payment Card Industry Data Security Standard(PCI DSS) requirements must be identified and addressed if applicable. PCI DSS certifications must submitted on an annual basis by the Operating Division Director. D. An architectural diagram must be prepared and review conducted in compliance with IT policy. Approval by the IT Division Director is required prior to procurement and deployment. § 5401-3. Ongoing Support and Maintenance. A. Systems must have an active vendor maintenance agreement that includes patches and upgrades. B. Systems must support platform patches within 30 days of release. If patches cannot be installed appropriate mitigations must be identified and deployed within that timeframe Page 1 of 3 CMA 5401 INFORMATION SYSTEMS PROCUREMENT AND LIFECYCLE MANAGEMENT by the Operating Division Director(see§ 5401-5. Waivers,Mitigation and Remediation). C. Vulnerabilities identified and published by the Department of Homeland Security's United States Computer Emergency Readiness Team(US-CERT) must be mitigated by the Operating Division Director within 30 days of notice by IT (see § 5401-5.Waivers, Mitigation and Remediation). D. The Operating Division Director is responsible for submitting a completed Technical Architectural Compatibility Standards (TACS)to IT on an annual basis. All requirements must be met Exceptions may be granted with sufficient mitigation or a waiver see§ 5401-5. Waivers,Mitigation and Remediation. § 5401-4. Application Retirement. A. All system components must be shut down and decommissioned when systems are retired. This includes servers, databases, storage and uninstalling associated applications on PCs. B. Budget inventory changes must be made at system retirement. C. The Operating Division Director is responsible for public records compliance for all retired system data and contacting the agency's Records Manager to determine the appropriate retention period. The operating Division Director is responsible for maintaining the systems to read the backup media including any required hardware and software and all associated costs. D. Operating Division Director will review retirement plan with IT to ensure compliance with this CMA. § 5401-5. Waivers,Mitigation and Remediation. A. Mitigation is required for systems that are not TACS compliant or require the use of older version of/or insecure components. Viable mitigation options include the use of technical controls, replacement or upgrade of the system and retiring the system. a. The Operating Division Director is responsible for working with IT to develop an acceptable mitigation strategy. Scenarios involving technical controls are subject to the same review process as new systems. b. The Operating Division Director is responsible for all costs, including support staff, associated with mitigation. These costs may include,but are not limited to: i. Support for 1. Non-standard databases 2. Operating Systems 3. System components 4. Web servers ii. Creation and maintaining development environments iii. Initial and ongoing support for Firewalls and Intrusion Detection/Prevention systems and monitoring B. Waivers may be granted under extenuating circumstances. Page 2 of 3 nA CMA 5401 INFORMATION SYSTEMS PROCUREMENT AND LIFECYCLE MANAGEMENT a. All waivers must be reviewed by the IT Director. b. The Operating Division Director may grant a waiver where the impact is limited to their division. c. Department Heads may grant waivers where the impact is limited to their department. d. The Information Technology Executive Committee(ITEC)will make a recommendation to grant a waiver where the impact is at the agency level with final approval by the County Manager or his designee. C. Remediation costs associated with a breach or system failure as the result of a waiver must be fully funded by the Operating Division Director. § 5401-6. Currency. The Information Technology Division is responsible for maintaining the currency of this Instruction. Page 3 of 3 CMA # 5402 REMOTE ACCESS POLICY § 5402-1.Purpose. § 5402-4.Enforcement. § 5402-2.Background. § 5402-5.Definitions. § 5402-3.Policy. § 5402-6.Currency. [Effective Date: January 1, 2005] § 5402-1. Purpose. The purpose of this Policy is to define standards for connecting to Collier County's network from any host (computer or other device that connects to the network). This Policy will also ensure Collier County's compliance with applicable license, copyright, local, state and federal laws and regulations. § 5402-2. Background. This Policy is required to minimize the risk that any individual device could be configured or used in a manner which could compromise the integrity and availability of the network and associated resources. Damages include the loss of productivity due to downtime, damage to public image, and damage to critical Collier County internal systems, and access to non-public data, which could result in possible violations of law concerning privacy (HIPAA, etc.). This Policy applies to all Collier County employees, contractors, vendors and agents that connect to the Collier County network. This Policy does not apply to access of the County's e-mail system via the Internet (Outlook Web Access) nor any publicly available service provided by Collier County on the Internet. § 5402-3. Policy. A. Requirements: (1) All requests for remote access will be submitted to the Information Technology (IT)Department. (2) All trusted network connections and devices must be configured to meet the authentication and configuration requirements of the Collier County network. (3) With the exception of approved vendors, only computers owned and supported by Collier County will be permitted to connect to the Collier County network. (4) Vendors requesting access to the Collier County network will be provided a copy of all applicable policies governing remote access and will demonstrate acceptance 5402:1 09-15-2007 OFFICE OF COUNTY MANAGER ADMINISTRATIVE § 5402-3 PROCEDURE § 5402-5 of those policies by signing a Third Party Access Agreement,' of which a copy will be retained by the IT Department. (5) The approved methods of remote access to the Collier County network are as follow: VPN, dial-up, trusted network via direct connection, un-trusted network via firewall. (6) Collier County employees and vendors with remote access privileges must ensure their computer or workstation that is remotely connected to Collier County's corporate network is not connected to any other private network at the same time with the exception of personal networks that are under the complete control of the user. (7) All remote access clients for VPN access will be configured by IT personnel according to IT Department procedures. (8) It is the responsibility of the County employees who have been granted remote access to ensure that the computers used for this access be connected to the network at least once in a thirty-day period so that it can receive the proper security patches and updates. Computers requiring security updates will be prevented from accessing the network until the required updates are completed. § 5402-4. Enforcement. A. It is the responsibility of remote access users to comply with all applicable Collier County computer usage policies. B. Any employee found to have violated this Policy may be subject to disciplinary action, up to and including termination of employment. § 5402-5. Definitions. As used in this Policy, the following terms shall have the meanings indicated: HOST—Computer or other device connected to a network. PRIVATE NETWORK — A network secured from external access from other networks and the Internet. REMOTE ACCESS — All present and future methods by which hosts connect to the CCBCC's private network, such as dial-up, VPN,PC Anywhere, etc. TRUSTED NETWORK — A system that has the necessary controls to ensure that security policies will not be compromised UN-TRUSTED NETWORK — A system with no verifiable security controls that would present a security risk to the CCBCC network. 1. Editor's Note:See CMA 5300,Third Party Access Policy,and its accompanying attachments. 5402:2 09-15-2007 § 5402-5 REMOTE ACCESS POLICY § 5402-6 VPN — Virtual Private Network. An encrypted connection to the CCBCC network via the Internet. § 5402-6. Currency. The Information Technology Department is responsible for maintaining the currency of this Instruction. 5402:3 09-15-2007 [ l CMA # 5403 THIRD PARTY ACCESS POLICY r § 5403-1.Purpose. § 5403-6.Currency. § 5403-2. Concept. Third Party Network Access § 5403-3.Policy. Agreement § 5403-4.Enforcement. § 5403-5.Definitions. [Effective Date: January 1, 2005] § 5403-1. Purpose. The purpose of this policy is to define standards for vendors, contractors, consultants, and others who connect to Collier County's network from any host. These standards are designed to minimize the potential exposure to Collier County from damages that may result from unauthorized use of Collier County resources. Damages are defined to include, but not limited to: the loss of productivity due to downtime, loss of sensitive or confidential data, loss of intellectual property, damage to public image, damage to critical Collier County internal systems, etc. § 5403-2. Concept. A. This policy applies to all Collier County contractors, vendors and agents with a Collier County-owned or personally owned computer or workstation used to connect to the Collier County network. This policy applies to direct and remote access connections used to perform work on behalf of Collier County including reading or sending e-mail and viewing intranet web resources. B. Access implementations covered by this policy include all methods of direct and remote access to the Collier County network. § 5403-3. Policy. A. General. (1) It is the responsibility of Collier County that vendors, contractors, consultants, and others having access privileges to Collier County's network ensure their access connection is given the same consideration as the user's on-site connection to Collier County.' (2) The following policies must be reviewed by vendors, contractors, consultants, and other parties for details of protecting information when accessing the Collier 1. Editor's Note:See the Third Party Network Access Agreement at the end of this CMA. 5403:1 09-15-2007 0 OFFICE OF COUNTY MANAGER ADMINISTRATIVE § 5403-4 § 5403-3 PROCEDURE County network via remote access methods and the acceptable use of Collier County's network: (a) End User Computing Policy.2 (b) Remote Access Policy.3 B. Requirements. (1) Secure access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the End User Computing Policy. (2) At no time should any third party (as described above) provide their login, password, or e-mail their password to anyone. (3) Those with access privileges must ensure that a Collier County-owned or personal computer or workstation which is connected to Collier County's corporate network is not connected to any other network at the same time. (4) All hosts connected to Collier County networks must use the most up-to-date anti-virus software from a reputable vendor. (5) Equipment used to connect to Collier County's networks must meet the same requirements as Collier County-owned equipment. (6) Organizations or individuals who wish to implement non-standard solutions to the Collier County production network must obtain prior approval from the IT Department. (7) Vendors, consultants and other third parties will be permitted to access the Collier County network only during normal business hours (8:00 a.m. to 5:00 p.m. local Collier County time), unless otherwise agreed to. (8) Vendors, consultants and others will notify the IT Department in writing of all changes that will be made or work that will be conducted while logged into the Collier County network. (9) Vendors, consultants and others will notify the IT Department immediately if passwords are lost, accounts are no longer required or of any attempts of intrusion are detected. § 5403-4. Enforcement. Any third party found to have violated this policy may be subject to loss of Collier County network access privileges or other penalties as prescribed in the vendor's contract with Collier County or by applicable laws. 2. Editor's Note:See CMA 5405. 3. Editor's Note:See CMA 5402. 5403:2 09-15-2007 Nor § 5403-5 THIRD PARTY ACCESS POLICY § 5403-6 § 5403-5. Definitions. As used in this CMA,the following terms shall have the meanings indicated: HOST—Computer or other device connected to a network. PRIVATE NETWORK —A network secured from external access from other networks and the Internet. REMOTE ACCESS — All present and future methods by which hosts connect to the CCBCC's private network, such as dial-up, VPN, PC Anywhere, etc. TRUSTED NETWORK — A system that has the necessary controls to ensure that security policies will not be compromised. UN-TRUSTED NETWORK — A system with no verifiable security controls that would present a security risk to the CCBCC network. VPN (Virtual Private Network) — An encrypted connection to the CCBCC network via the Internet. § 5403-6. Currency. The Information Technology Department is responsible for maintaining the currency of this Instruction. 5403:3 09-15-2007 a�,a THIRD PARTY ACCESS POLICY CMA 5403 Attachment 1 Collier County Government Third Party Network Access Agreement I, , agree I will not use my network access to the Collier County network in any manner inconsistent with the work I am contracted to perform. This includes only accessing information systems or data files required in the performance of my work. I agree to notify the appropriate Collier County contact of all accesses and details of actions or modifications which I have performed on systems while connected. I further affirm that I have read and agree to abide by the Collier County End User Computing Policy and Remote Access Policy as provided to me. I also agree to notify the Information Technology Department as soon as network access is no longer required so my access can be removed. I understand that violation of any of these policies could lead to loss of access, termination of vendor or contractor status,or prosecution under the applicable statute. I understand that vendor access is restricted to the hours of 8:00 a.m. to 5:00 p.m. Collier County local time, unless otherwise agreed to and noted on this agreement. Printed Name Signature Date CMA 5403 Attachment 1:1 09-15-2007 CAO CMA 5405 COMPUTER/TECHNOLOGY USE [Effective Date: June 10, 1999(Revised: December 1,2000; Revised: February 12,2001; Revised: October 1,2001; Revised: October 1,2003; Revised: May 30,2004; Revised: June 11,2004; Revised: January 1,2005; Revised: April 1,2006; Revised: July 1,2009; Revised: December 16, 2009; Revised: March 18,2011)1 § 5405-1. Purpose. A. The goal of this instruction is to ensure the integrity, proper operation and security of the County's technology resources by setting rules of conduct for use by all County employees, contract employees,and business partners. B. This instruction applies to the Collier County Board of Commissioners Agency's internal business network and associated systems and resources. This instruction does not apply to the Library's public use network,the Transportation Signalization Network, the Public Utilities Plant Control and SCADA Networks, Emergency Management non-IP two way communication systems and their associated systems and resources, except where they interface with the Agency's internal business network. C. This instruction sets forth the Agency's practices and procedures governing the utilization of technology resources and disciplinary recourse for violations. This policy also sets forth guidance for compliance with applicable laws governing the handling of specific kinds of data created with or transmitted by network resources. § 5405-2. Definitions. A. AUTHORIZED ADMINISTRATIVE STAFF—IT staff and other staff authorized by the Director, Information Technology Department who have elevated privileges and access rights for the purpose of maintaining network resources and services. B. BUSINESS PARTNERS — any person not directly employed by the Board of County Commissioners who is authorized to utilize County technology resources. Examples of business partners would include,but not be limited to: vendors,contractors, and advisory board members. C. DATA—Information stored by technology assets, or transmitted from or through the network. D. DATA CUSTODIANS - Staff with the authority for acquiring, creating, and maintaining data within their assigned area of control. E. INAPPROPRIATE CONTENT - Content that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or contains sexual comments, obscenities, nudity, pornography, abusive or degrading language, antisocial behavior, or inappropriate comments concerning race, color, religion, sex, national origin, marital status, or disability or is otherwise unlawful is inappropriate for the workplace and may not be sent by e-mail or other form of electronic communication or displayed on County computers or stored in the County's systems. F. LIMITED NON-BUSINESS USE—Use of the County's technology assets that does not impact employee productivity and complies with all other aspects of this policy. Page 1of11 C CMA 5405 G. NETWORK — The data, voice, and multimedia communication system made up of devices (switches/routers /firewalls and the like), wires, fiber optics,jacks, access points (physical and wireless),software and services. H. NETWORK RESOURCES — Any services which may be accessed through the Collier County network. Examples include, but are not limited to: software applications, e-mail, data, telecommunications, the 800 MHz Public Safety Radio System, and Internet resources accessed from or through the network. I. REGULATED DATA—data that requires special handling due to statutes, regulations or agency policies. At this time, regulated data includes, but not limited to: Protected Health Information (PHI)protected under HIPAA rules and statutes,Payment Card Industry(PCI)and other personal financial information (PFI) (e.g. credit card and bank account numbers) and personal identifying information (PII) (e.g. social security numbers), addresses and names of judges and law enforcement officials, and other data exempted from the State of Florida's Public Records Laws by statute. J. SLATE—a form factor for a computing device that meets the following criteria: 1. Does not run Windows operating system as its base operating system,and 2. Uses"touch" as its primary mode of user interface. K. TECHNOLOGY ASSETS — any devices owned by Collier County that are part of or used for data or voice communications. Examples include, but are not limited to: computers, network switches and routers, servers, databases,personal data assistants, smart phones, cellular air cards, printers,telephones, 800 MHz radios,and associated software and accessories. L. TECHNOLOGY RESOURCES — includes all of the following: TECHNOLOGY ASSETS, information/data stored or in transit, the County's private data network, NETWORK RESOURCES, and all resources and services associated with other networks accessed from or through the County network, including the Internet, Internet Services, and other agencies' or corporate networks and services. M. USER—Inclusively, staff, elected/appointed officials, and/or business partners authorized to use County technology resources. § 5405-3. Concept. A. Compliance: 1) This policy applies to all users of Collier County technology assets,network and/or network resources including authorized administrative staff except when utilizing properly authorized elevated privileges or access rights in the discharge of their duties. a. Authorized administrative staffs use of elevated privileges is governed by IT Department policies. b. Employee violations will be assessed and disciplinary actions will be governed by CMA 5351 —Discipline, and CMA 5311.1 -Standards of Conduct. c. Business partner violations will be subject to loss of the use of technology assets, network and/or network resources and contractual sanctions. Page 2 of 11 e CMA 5405 2) Because of the interdependent nature of network and communications systems, interruptions of service can have a broad impact with the potential for large adverse financial consequences or impact to health and safety. Loss of technology resources and/or misuse of network resources can cause financial damage to the County, the taxpayers of Collier County, and those who depend on County services,therefore,these resources must be protected. As such,violations of this policy may unduly expose the network to intended or unintended risks,which may or may not result in actual losses. a. Department Directors are required to consult with the Director, Information Technology when assessing penalties for violations of this policy. b. The severity of infractions will be assessed by the Director, Information Technology who will forward a risk/ threat assessment to the supervising Department Director for use in making recommendations for disciplinary actions in accordance with CMA 5351 -Discipline. c. The Human Resources department will advise Department Directors in order to ensure consistency in the handling of employee violations of this policy. 3) Collier County,at its discretion,reserves the right to monitor any use of network resources,to monitor computer and internet usage, including, but not limited to: sites visited, searches conducted, information uploaded or downloaded and to access, retrieve and delete any data stored in, created, received, or sent over the network or using network resources for any reason and without the permission or prior knowledge of any user. Collier County may monitor the use of technology assets, content of electronic communications and the usage of network resources to support operational, maintenance, auditing, security, disciplinary, and investigative activities. 4) County employees and authorized business partners using County owned technology or network resources have no right or expectation of personal privacy for any voice communications,e-mails, internet searches, internet sites visited,or data stored in, created by, received with, or transmitted using technology resources. Use of passwords or other security measures, whether mandatory or voluntary, does not in any way diminish Collier County's rights or create any privacy rights of users. Collier County has administrative tools that permit it to monitor all activities on the network and access all data stored within technology resources. 5) All Collier County employees and business partners who have access to technology assets and/or network resources must affirm that they have read and understood all applicable policies annually. B. User Responsibility: 1) Authorized network users are responsible to ensure that network resources are used only for their intended purposes. a. Except for services intended for use by the public (kiosks, terminals and public wireless services) technology assets, technology resources, network resources, the network and data are intended exclusively for the use of authorized employees and business partners only. Page 3 of 11 CMA 5405 b. Technology assets, technology resources, network resources, the network and data are the property of Collier County Government. Collier County provides these systems to be used for County business purposes, although limited non-business use is permitted. All communications and data transmitted by, received from, passed through, or stored in these systems are the exclusive property of Collier County. At all times, employees and authorized business partners have the responsibility to use these resources in a professional,ethical,and lawful manner. c. Use of technology and network resources is a privilege that may be monitored, restricted or revoked at any time. Collier County reserves the right to revoke the privileges of any user at any time. d. Conduct that interferes with the normal and proper operation of Collier County's network or network resources, which adversely affects the performance of the network or the ability of others to use the network or network resources or, which is harmful or offensive to others will not be permitted. Such actions may subject employees to disciplinary action in accordance with CMA 5351 - Discipline. Such actions by business partners may result in the loss of network privileges and/or contractual sanctions. e. The Director, Information Technology can authorize actions to remediate network or application performance problems during an incident where network or application performance has been adversely affected. f. A user may not use the County network or technology assets to connect to or make use of other computer systems unless specifically authorized to do so by the operators of those systems. g. Because network and data security are dependent upon physical security, all Collier County employees have a responsibility to ensure that only authorized employees and/or business partners or properly escorted visitors have access to areas where network access is available and that only authorized employees have access to secure spaces where network resources are located. 2) Staff and authorized business partners are issued credentials (user name and password) for accessing the network and network resources. Users are responsible for periodically changing their passwords and safeguarding their passwords. a. Users are responsible for all transactions made using their credentials. b. Users are responsible for protecting the confidentiality of their credentials and are prohibited from sharing their credentials with anyone. c. Users shall not leave their computers unattended while their account is logged in without first locking the computer, using the Windows "Lock Computer" functionality. d. User passwords for County network accounts or passwords for County application/ system access may not be printed or stored online in any file, database or Internet service. It is the user's responsibility to safeguard their password. If a user suspects for any reason that their password may have been compromised, they must immediately change it. e. No user may access the network or network resources with another user's credentials. If access to another user's account is required, access can be granted by the IT Service Desk upon request from the user's manager. f. All network access must be accomplished by user specific credentials, and as a normal course of business, generic or "shared" network accounts are not issued. In special cases the IT Service Desk Manager can authorize the use of shared accounts with proper authorization from the users' management under circumstances where Page 4 of 11 CMA 5405 individual accounts can't adequately meet business needs and their use will not compromise identity integrity and auditing. g. Misrepresenting, obscuring,suppressing, or replacing a user's identity on the network is forbidden. The user name, e-mail address, County affiliation, and related information included with electronic messages or postings shall reflect the actual originator of all messages or postings. 3) Network Security a. Users shall report any suspicion of violations of any provision of this policy to their supervisor or the Information Technology Department Service Desk. Users shall notify the Service Desk of any instances where they observe or have reason to believe that data is inappropriately accessible to employees, the public, or business partners. b. Users shall promptly report all information security alerts, warnings, suspected system vulnerabilities,etc.to the IT Service Desk. c. Users shall not exploit inadvertent rights or deficiencies in information systems security to damage systems or data, obtain resources beyond those to which they have been authorized, or to obtain or take resources away from other users or gain access to other systems for which proper authorization has not been granted. d. Users who receive virus alerts or notice unusual system behavior, such as missing files, frequent system crashes, misrouted messages, etc., should immediately notify the IT Service Desk. To prevent possible damage to Collier County data,technology assets and network resources, users are not permitted to remove viruses on their own. If users believe they may have been the victim of a virus or other malicious software, they must immediately inform the IT Service Desk. e. In order to ensure that virus signatures, patches and security software are up to date, any workstations or portable computers that have not been updated within 30 days will be removed from the network. Updates occur upon login. Action by the IT Service Desk will be required to restore connectivity. 4) Inappropriate Use a. Internet browsing on websites with inappropriate content is prohibited. Use of the Internet will be monitored and corrective actions will be taken by the user's department, in coordination with Human Resources and Information Technology. b. Except for employee services administered on the County's Intranet by the Human Resources Department, Collier County's technology assets, network and network resources may not be used for dissemination or storage of commercial or personal advertisements, solicitations, promotions, political material, inappropriate content or any unauthorized use deemed inappropriate. c. Users are not permitted to store, download or transmit copyrighted materials with network resources unless written permission has been granted. Examples of copyrighted materials include, but are not limited to: commercial music, video, graphics, or other intellectual property. Collier County will not provide a defense for violators of copyrights. Collier County allows reproduction of copyrighted material only to the extent legally considered "fair use" or with the permission of the author/owner. All doubt about whether software or other material is copyrighted, proprietary, or otherwise inappropriate for duplication should be resolved in favor of not duplicating such information. d. Users are not permitted to make any defamatory statements using network resources. Page 5 of 11 CMA 5405 e. County Employees are not permitted to subscribe to information services without the approval of their supervisor. f. Users are not permitted to capture, store or create digitized images of signatures (other than their own) or attach or affix a digitized image of a signature (other than their own) to any document or e-mail or use such image of a signature in any way that could be interpreted as representing information as being originated, approved, or sanctioned by another person without the express permission of the signatory. C. Business Partners. 1) Employees are responsible to ensure that business partners requiring access to the network or network resources are properly authorized. Business partner accounts will be issued on a monthly basis and will expire on the last day of each month. Employees are responsible for requesting extension of business partner accounts if required. Generic business partner accounts will not be issued. All business partner accounts must be issued in the name of the user. 2) Any business partner requiring access to the network or network resources must complete the Third Party Use Agreements, file them with the IT Department, and maintain compliance with the terms of that agreement. 3) Once granted access, business partners must comply with this policy in its entirety. Business partner violations of this policy may result in loss of access and purchasing sanctions. D. E-mail 1) All e-mails entering or leaving the County's e-mail system are duplicated and retained in an administrative mailbox in addition to each user's mailbox. As such,users are free to delete e- mails from their mailbox when their usefulness to the user has ended. However, if the user would like future access to such e-mails,they should retain them. At the designated time, all e-mail in Outlook will be archived. At this time,e-mails are never deleted from the archive. 2) BCC staff are required to use the county email system and only the county email system for county business. Use of external email systems compromise the Agency's ability to execute complete public records requests. 3) Users shall not send unsolicited/non-business e-mail to persons without their consent. Chain letters or other non-business related use of network resources is prohibited. 4) Mass e-mailing for business purposes must be coordinated with the IT Service Desk. Non- business related mass e-mailing is prohibited. 5) The use of the "Subscribers" and "BCC-Agency" distribution lists are restricted to department directors,division administrators and the County Manager's office. 6) Tampering, forging, or altering e-mail identity information is prohibited. Sending an e-mail which in any way appears as though it was sent by someone else (who did not send it) is prohibited. Page 6 of 11 CMA 5405 7) Inappropriate content may not be sent by e-mail or other form of electronic communication or displayed on or stored in the County's computers. Any message received that contains intimidating, hostile, offensive or inappropriate content should be reported immediately to management so that appropriate measures can be taken. 8) Users must not originate or forward any e-mails with inappropriate content as defined in section 2(E)and 3(D)6. Reference CMA 5311.1 (Standards of Conduct). 9) Users receiving e-mail messages with inappropriate content as defined in section 2(E) or 3(D)6 must immediately notify their supervisor, manager, or department director. Reference CMA 5311.1 (Standards of Conduct). a. The following information must be provided: (1) the date and time the e-mail was sent/received; (2) the sender's e-mail address (or, if unavailable, any identifying information);(3)and the subject line. b. Do not forward the e-mail. Once the information specified in Section D.(8)a. is passed on to a supervisor,the e-mail should be deleted. c. Supervisors, managers or directors receiving such reports from their employees shall provide these reports to the HR Generalist for their department/division. Additionally, if the user reports having received repetitive inappropriate or explicit e- mails from the same external sender, these reports and all supporting documentation should be provided to the IT Service Desk as well as Human Resources. 10) Signatures, tag lines, and background settings should be professional in nature and reflect positively on the County. a. Signatures may contain some or all of the following: Name, Agency Name, Department/Division, Title, Address, Telephone Number, Fax Number, Cell Phone Number, e-mail Address. Colors and fonts other than the default settings are acceptable. b. Tag lines conveying personal, inspirational, or political messages are subject to interpretation and are, therefore, prohibited. Tag lines may contain agency, department or division mottos, mission or vision statements, or logos. c. To portray a professional image,no backgrounds should be used in e-mail settings. E. Hardware/Equipment: 1) County technology assets, network and network resources are provided as a tool to enhance productivity and perform job duties. Access to County technology assets is a privilege. a. Only devices which are managed by the IT Department are permitted on the Agency's business network. b. The processes and procedures for purchasing technology are on the Agency's Intranet and updated periodically. Improperly purchased technology items may be refused network access. c. The use of personally owned computing devices is permitted but such devices will be limited to publically available websites and internet resources. Personally owned computing devices are not managed by the IT Department and are not permitted access to the Agency's business network. d. SLA 1'h computers may be approved for purchase for special purpose applications in limited numbers after review and approval by the IT Department. At this time, SLATE computers are not managed by the IT Department and are not permitted Page 7 of 11 C CMA 5405 access to the Agency's business network, however a list of SLATE computers that can be managed and will be allowed internal network access will be developed and posted on the intranet as they are qualified. Special considerations that may apply to the purchase,governance,recurring charges, and use of SLATE devices can be found on the Agency's intranet. 2) Unauthorized Equipment. a. Users may not connect any device to County technology assets or the network. Only authorized administrative employees are permitted to add devices to the network. This prohibition includes, but is not limited to, personal network hubs, routers or switches, wireless access devices, USB hubs, portable computers, smart phones, and storage devices. IT Employees are required to disconnect and remove any such equipment upon discovery. b. Portable storage devices like USB "thumb" drives are permitted for the transport of non-executable (data) files as long as their use does not require any installable software or cause the installation of software. Executing programs stored on these devices is prohibited. These devices shall not be used as primary storage. Transporting regulated data files via these devices is prohibited. c. Employees and business partners may not use cameras, cell phone cameras, digital cameras, video camera, or other form of image-recording device in the workplace without the express permission of the supervising Department Director and of each person whose image is recorded. This provision does not apply to employees who must use such devices for business purposes in connection with their positions of employment. 3) Users shall not tamper with technology assets in any manner. All repairs must be coordinated through the IT Service Desk. a. Users shall not connect or disconnect any technology asset or network resource without prior coordination with and approval from the IT Service Desk. All hardware installations, repairs, moves, additions or changes must be coordinated through the IT Service Desk. b. Users shall not install, deactivate, uninstall or change any settings for any software provided by the County on any technology asset. Software provided includes, but is not limited to, virus detection and correction software, internet filtering software, monitoring software, power management settings, screen savers, and agents for software distribution. c. Users are prohibited from setting BIOS passwords. d. Settings in windows that are user accessible (e.g. desktop wallpaper, power management settings, color schemes, etc.) and application settings that are user accessible(e.g. browser favorites) are not covered under this Instruction and may be set and personalized by the user, although they may be altered by operating system patches and may or may not be transported in machine replacements. 4) Supervisors have the discretion to allow Collier County computers to be used by employees at home for County-related work purposes. The restrictions pertaining to the use of County computers at home will be the same as if they were directly connected to the County network and all policies apply. Use of County technology assets and network resources are for the exclusive use of authorized users only. IT support for home use will be limited to telephone support, or users will be required to bring County equipment to the workplace and will be Page 8 of 11 CA0 CMA 5405 provided assistance during business hours. The IT Department does not provide on-site support for home use of computers. F. Operating System/Software 1) Users are prohibited from possessing or distributing computer viruses, spyware, or other malicious software development and/or distribution tools. Users found to be in possession of such software may be subject to disciplinary action, including discharge, and possible civil and/or criminal penalties. 2) Users are prohibited from possessing tools commonly used for gathering technical information about the network or network resources useful for attempts to hack or breach security. Users found to be in possession of such software may be subject to disciplinary action,including discharge, and possible civil and/or criminal penalties. 3) Installing Software. a. Users are not permitted to download executable software. b. Users are not permitted to install executable software on IT Assets. The IT Service Desk will assist users with authorized software installs. c. Users with Windows Administrative Rights have been granted these rights solely to permit them to use software that requires these rights in order to run properly. Users with Windows Administrative Rights are not permitted to install executable software on IT Assets, unless they have an agreement authorized by the Director, Information Technology to do so. d. Users with fully executed "Special Service Level Agreements," which have been paid and are in good standing, are permitted to install the software identified in that agreement on the specific IT ASSETS specified within the agreement. 4) License Compliance. a. The IT Department is responsible for the Agency's compliance with certain software license agreements. Users are forbidden from making unauthorized copies of software. Collier County will not provide a defense for violations of licensing agreements. b. Collier County allows reproduction of copyrighted material only to the extent legally considered "fair use" or with the permission of the author/owner. All doubt about whether software is copyrighted, proprietary, or otherwise inappropriate for duplication should be resolved in favor of not duplicating such information. c. The IT Department provides license compliance services, however if the user prefers not to use IT's compliance service,they shall be responsible for proper and adequate physical security and protection of software in their possession. A locked file cabinet or locked desk drawer should be used to safeguard software. d. Users shall not copy or use County owned software on their personally owned home computers,laptops,or other electronic devices. e. Users shall not provide copies of County owned software to any business partner, client, or third person, or perform any other action that would cause non-compliance with any licensing agreement. f. Unlicensed or unauthorized software will be removed immediately upon discovery by IT employees. Staff found to be in possession of unlicensed or unauthorized software may be subject to disciplinary action, including discharge,and possible civil and/or criminal penalties. Employees who become aware of any misuse of software Page 9 of 11 I C, CMA 5405 or violation of copyright law should immediately report the incident to their immediate supervisor. G. Data Management: 1) Users should be aware that deletion of any data may not truly eliminate the information from systems. Most data is stored in a central back-up system in the normal course of data management. 2) In order to protect overall network performance, the County reserves the right to reprioritize and/or apply size limitations on data stored in or transmitted over the network. The County reserves the right to disconnect or otherwise manage circuits during incidents which jeopardize network performance. 3) Users may not access or alter in any manner data that is not involved in the execution of their job functions. a. Users are not permitted to access,modify, delete, and/or utilize data,which they may have access to, for any purpose except their job duties, Collier County business objectives,or business practices. b. Users shall utilize information that they are authorized to access only for the specific purposes for which it is intended. c. Except for authorized public records searches and special investigations, data and communications (e.g. e-mail and voice communications) shall be treated as confidential and accessed only by the intended custodian/recipient(s). Users are • strictly prohibited from accessing any data or communications to which they are not intended to have access or are not the intended recipient. 4) No user may encrypt data for transmission over or storage on network resources without written permission from the Director, Information Technology. The system and methods required to encrypt and decrypt data must be approved by the Information Technology Department. If the encryption method relies on secret keys, the Information Technology Department must manage the storage and security of such encryption keys. The Information Technology Department has methods in place to store secret keys securely, assuring the secrecy of encryption keys and the ability to decrypt data. If encrypted data is discovered,the data owner must provide clear text/unencrypted data along with the encryption system and secret keys to the Director,Information Technology upon request. 5) Regulated Data. a. Generally,all data and records created, stored, sent, or received on the Collier County network and network resources are public records except those exempted in Chapter 119 and 435.09 of the Florida Statutes or in any other applicable laws. Protected Health Information (PHI) protected under HIPAA rules and statutes as well as Payment Card Industry (PCI) data, personal financial information (PFI) (e.g. credit card and bank account numbers) and personal identifying information (PII) (e.g. social security numbers)are specifically excluded from the public record. b. Based on the content of data, statutes and/or agency policies may apply to the proper handling. It is the responsibility of the user to know the statutes/policies/rules that govern the handling of the regulated data to which they have access and to act in accordance with the applicable statutes/rules. Employees should consult with the Page 10 of 11 0 CMA 5405 County Attorney's Office to resolve any questions regarding proper legal handling of data. The data custodian shall be responsible to inform the Director, Information Technology of any regulated data that is collected or stored in any network resources so that it may be handled appropriately. The County has taken measures to ensure the confidentiality, integrity and availability of sensitive information, including PHI, PFI,and PII and that access to sensitive information is restricted to authorized users. Users must take steps to minimize the possibility of unauthorized access including, but not limited to, making sure that the position of their monitor is not subject to unauthorized viewing, not leaving regulated data on an unattended computer screen, and, proper custodianship of printouts. Regulated data shall not be stored on any computer's local storage or any other type of portable storage device. Regulated data shall never be stored on a portable computer. Any inadvertent access of regulated data by users who should not have access must be reported to the Director, Information Technology. c. Users shall not make copies of regulated data, encryption keys, or secure(encrypted) data in its clear text (unencrypted) state. The approval of the Director, Information Technology is required if it becomes necessary to make a copy or replicate regulated or encrypted data. This includes storing such data in documents, data warehouses, secondary databases,portable computers, or portable storage devices. H. Social Media Services: Internet based social media services (SMS) (e.g. Facebook, Twitter, MySpace) accounts may be authorized for agency or departmental promotion, outreach, or other public relations purposes and must be authorized by the County Manager's Office. All use of }; social media must comply with the provisions set forth in CMA 1200, Media and Public Relations. Upon approval, a request for access must be submitted to IT by the Department Director. IT will provide approved site owners with the tools and instructions to archive their information for compliance with Public Records statutes and agency procedures. Each department is responsible for the proper archiving and retention of social media records. § 5405-4. Currency. The Information Technology Department is responsible for the currency of this policy. ( Page 11 of 11 0 Agreement to the terms, conditions and restrictions of CMA 5405 ATTESTATION: I hereby attest that I have read and understand CMA 5405, Computer/Technology Use,dated March 18, 2011 and agree to be bound by its terms. Signed: Date: Printed Name: Department: Witnessed by (manager): Date: CAO CMA # 5406 COMPUTER SOFTWARE LICENSE CONTROL § 5406-1.Purpose. § 5406-3.Practice. § 5406-2.Concept. § 5406-4.Currency. [Effective Date: November 5, 2003 (Revised May 1, 2004)] § 5406-1. Purpose. The purpose of this policy is to ensure all software license agreements are strictly followed and enforced in a fiscally responsible manner. § 5406-2. Concept. Vendors and software companies regulate use of their products through license agreements. When software is purchased, the agreement establishes whether it is licensed by machine, by user, or by a maximum number of users who can access the software at any given point in time. Licenses for major software installations can be very costly and must be managed and controlled to assure that all employees who need to use the system can do so, the number of licenses is within the number purchased by Collier County, and that licenses are not issued to employees who do not access the system. § 5406-3. Practice. The County's Information Technology Department is responsible for installing all computer software and, therefore, maintaining control over all software licenses. Software licenses are customarily nontransferable; therefore, all licenses shall be registered in the name of the agency (not the department or the individual employee). The authority for distributing and assigning user licenses for software programs will be as follows: A. Boxed/Off-the-Shelf Software: Owned by the department that makes the purchase and distributed as per the department's direction; off-the-shelf software is licensed to a single user or machine, will be installed by the Information Technology Department in accordance with the license agreement, and can only be moved if it is first removed from one machine and reinstalled on another. B. Multi-User License/Single Department Purchase: Owned by the department that makes the purchase; licenses will be assigned and reassigned by the Information Technology Department as per owner department direction. C. Multi-User License/Multi-Department or Cross-Agency Purchase: When purchases of this type are made, ownership is, generally assigned to the agency. License distribution shall be controlled and monitored by the Information Technology Department in accordance with direction from the County Manager and/or user departments. License allocation will be determined at the time of purchase and additional licenses will be 5406:1 09-15-2007 OFFICE OF COUNTY MANAGER ADMINISTRATIVE 5406-4 § 5406-3 PROCEDURE § purchased by departments that determine a later need. The IT Department retains the right to recapture and redistribute unused licenses and licenses from users who consistently do not access the system during a specified period (not less than three months). When this becomes necessary to avoid purchasing additional licenses or avoid costly fines for usage exceeding license limits, IT will coordinate with department heads and, if necessary, will provide fair value in return to retain the integrity of the fund that acquired the licenses. D. Other: Any licensing schemes or structures not mentioned above will be handled in accordance with the respective license agreements and in coordination with the department making the initial purchase. § 5406-4. Currency. The Information Technology Department is responsible for the currency of this policy in accordance with CMA Instruction 5405, Section 204:2 Prohibited Activities, 5, Misuse of Software. 5406:2 09-15-2007 CAO CMA # 5905 RESTRICTED NETWORK ACCESS AGREEMENT § 5905-1.Purpose. § 5905-3.Guidelines. § 5905-2.Definitions. § 5905-4.Currency. [Effective Date: April 1,2006] § 5905-1. Purpose. The purpose of this form is to document the agreement of Collier County non-employees who have been granted network accounts and permission to access the Collier County Data Network using only County workstations. § 5905-2. Definitions. As used in this CMA, the following terms shall have the meanings indicated: COUNTY DATA NETWORK — Availability restricted to those individuals granted special permission and who can only access the network from County workstations. COUNTY DATA SERVICES —Unrestricted availability for those individuals using Internet access from any workstation. § 5905-3. Guidelines. A. Access Description. The undersigned user is granted restricted access to the Collier County Data Network resources and applications. Access is limited to only using a Collier County owned and maintained workstation. Access from other workstations is restricted to those services accessible using the Internet. B. Agreement Acknowledgement Form. User's Printed Name: User's Title: User's Telephone Number: User's Office and Location: I have read the Collier County End User Computing Policy, and understand and accept the responsibilities as described therein. I also understand that misuse of County resources will be cause for system privilege revocation, as well as possible criminal or civil penalties as provided by law. 5905:1 09-15-2007 OFFICE OF COUNTY MANAGER ADMINISTRATIVE 5905-4 § 5905-3 PROCEDURE § I agree that I have no expectations of privacy with regards to any information entered into or passed through the County's Data Network. Any such information will be subject to Florida's statutes regarding public records unless specifically exempted. I also agree to promptly report any violations or suspected violations of information security policies to the Information Technology Department. User Signature: Date: For the Collier County IT Department: Date: § 5905-4. Currency. The Information Security Manager (ISM) is responsible for maintaining the currency of this document. Contents will be reviewed on an annual basis, or sooner when situations warrant that review and possible changes are necessary. 5905:2 09-15-2007 0 CMA # 5908 MEDIA REUSE OR REPLACEMENT POLICY § 5908-1.Purpose. § 5908-3.Guidelines. § 5908-2.Definitions. § 5908-4.Currency. [Effective: April 1, 2006] § 5908-1. Purpose. This policy describes how each area of the IT Department will implement appropriate procedures for managing devices used to store electronic data. The purpose of this policy is to improve Collier County's ability to protect electronically stored data using the various devices and media used by the Collier County IT Department. § 5908-2. Definitions. As used in this CMA,the following terms shall have the meanings indicated: COUNTY ASSETS — Collier County's electronic information and data, in all its forms, is an asset of Collier County government. Throughout its life cycle, County data must be protected to comply with the policies of the Collier County BCC and meet the requirements of state and federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA). ELECTRONIC MEDIA — This policy and related procedures apply to the hard drives, storage systems, removable disks, floppy drives, CD-ROMs, PCMCIA cards, memory sticks, and all other forms of removable, electronic media and storage devices. § 5908-3. Guidelines. The Collier County IT Department's Operations Group will develop procedures and controls for protecting data that is electronically stored on devices or media under its control. At a minimum, these procedures will include the following measures: A. Prior to destroying or disposing of any storage device or removable media, steps must be taken to ensure that the device or media does not contain electronic protected health information (EPHI). B. If the device or media contains the only copy of EPHI required or needed, a retrievable copy of the EPHI must be made prior to disposal. C. If the device or media contains EPHI that is no longer required or needed, and is not a unique copy, a data destruction tool must be used to destroy data stored on the device or media prior to disposal. A typical reformat is not sufficient since it does not overwrite the existing data. 5908:1 09-15-2007 r OFFICE OF COUNTY MANAGER ADMINISTRATIVE 5908-4 § 5908-3 PROCEDURE § D. If removable media is used for the purpose of system backups and disaster recovery, and the aforementioned removable media is stored and transported in a secured environment, the use of a data destruction tool is not necessary. E. When storage devices and removable media are used to transport EPHI, a procedure must be implemented to track and maintain the movement of these devices and media, and list the individuals responsible for the devices and media during their movement. § 5908-4. Currency. The Information Security Manager (ISM) is responsible for maintaining the currency of this document. Contents will be reviewed on an annual basis, or sooner when situations warrant that review and possible changes are necessary. 5908:2 09-15-2007 9. Change Management&Change Advisory Board IT Customer Portal - Change Management Page 1 of 2 SharePoint OrtegaAnnia+' Or ? • IT Customer Portal Search this site may;:. -- �.-._.�._..._. Chance Vanacement Background Change management has been in place since 2007 for the Information Technology Department. It is using an in-house,temporary application to log requests for change that was to be replaced by an integrated system in 2008/2009. There is a new initiative to replace the temporary application with the Microsoft Service Manager product. The change management application can be installed by the IT Service Desk at x8888. • Requests for changes are submitted via this temporary application by the user(s)that are involved with planning and implementing the changes. The application is straight-forward and has built-in help to assist users with submitting their requests for changes. • Depending on the type of request,there may or may not be a review by the Change Advisory Board(CAB)and IT Management. When these reviews are necessary will be described later in this procedure. Change Types The following types of requests for change have been implemented in the temporary application: • Emergency • Urgent • Logging • Minor/Major Emergency The purpose of this change request type is to collect minimal information related to an emergency change. Emergency changes are defined as one where critical systems and services are unavailable and a change is needed with little or no coordination and communication. Emergency changes should be associated to an issue and work order. Since most emergency changes are done with little to short notice, the form is used more to document that a change was made to a system. The only items that need to be entered are when the change was made,the work order number,and a description of the change. The username and date that the form was submitted is captured behind the scenes. Examples of Emergency Changes: • File and print server locked up and customers can not print • Exchange is not functioning,and requires a reboot • Network equipment failure with no redundancy in place In most cases,emergency change requests are filled out after the event. The Change Advisory Board(CAB)does not review emergency change requests prior to implementation. Urgent Urgent changes are the same as minor/major changes except for the approval time. Urgent changes are not emergencies but normally need to be done in a hurry due to political reasons,such as consultant availability,possible hardware failure,or simply due to scheduling issues. Examples of Urgent Changes: • The County Manager wants a product rolled out to all desktops by the end of the week • A vendor can be on-site ahead of schedule to implement a high priority modification Qii http://bcesp02/sites/ITCP/W iki%20Pages/Change%20Management.aspx 08/11/16 IT Customer Portal- Change Management Page 2 of 2 Urgent changes typically require the approval of the IT Director and/or his designee,and typically originate under the direction of the IT Director. Since there is no lead time for this type of request,the Change Advisory Board(CAB)does not review urgent change requests prior to implementation. Logging Many changes are repetitive and do not need to pass through the formal Change Advisory Board approval process as they have been pre- approved. These changes still should be logged using the normal process to document and schedule the change. The primary goal of logging these pre-approved changes is to minimize scheduling conflicts. The log will also provide an audit trail of changes made to systems or services. Examples of Logging Changes: • Adding processor,memory or storage to an existing virtual machine • Deploying update patches Logging changes are typically not reviewed by the Change Advisory Board(CAB)prior to implementation. • Minor/Major Minor/major changes follow the standard process and should be submitted two weeks in advance of the actual implementation of the change. These changes need to be properly communicated and coordinated with other changes. Minor/major changes require assessment and approval by the Change Advisory Board(CAB). Change Advisory Board(CAB) The Change Advisory Board(CAB)is the governing body responsible for assessing the request for changes in terms of risks,impacts and scheduling conflicts. Currently the agency is struggling with the appropriate roles and responsibilities of the Change Advisory Board(CAB)in lieu of several other missing Information Technology Infrastructure Library(ITIL)dependencies,such as a configuration management database and a service catalog. This struggle will be tackled through an iterative process in which the Change Advisory Board(CAB)will define its roles and responsibilities from a core then build upon the core through a trial and error process. Change Advisory Board(CAB)members are: • Agency Applications(Geordi George) • Operations(Mark Fowski) • Project Management(Richard Badge) • Service Desk(Shaun Putnam) CAB Responsibilities The Change Advisory Board(CAB)responsibilities are to ensure: • Identification of risks associated with the implementation of the change • Identification of impacts to services when the change is implemented CAB Meetings The Change Advisory Board(CAB)meets weekly to review and approve requests for changes. They currently meet on Tuesday at 8:30 am. To allow the Change Advisory Board(CAB)members enough time to review the requests for changes it must be submitted by Monday 12:00 pm. The Change Advisory Board(CAB)may defer requests to the next meeting if the submittal deadline is not met. C http://bccsp02/sites/ITCP/W iki%20Pages/Change%20Management.aspx 08/11/16 10. Enterprise Incidents C IT Customer Portal - Enterprise Incidents Page 1 of 4 IT Customer Portal Enterprise Incicents Revision History:(5 July 2017) Purpose: Explain how to report and document an Enterprise Incident(El) per the associated Enterprise Incident Policy. Procedure: 1. Open MS SCSM 2. Highlight your Groups Work Order queue.(BCC-IT-Applications Analyst Work Orders/BCC-IT-Dev/GIS Work Orders/BCC-IT-Network Administrator Work Orders/BCC-IT-Service Desk Work Orders) System Center Service Manayet Console' Fite. View Go Toots Talks Fietp : ,.. •i , W*fk*tarsus BCC ti•Apniic-itu3'cis.Anatyst Work°tcters. :j FICC'-n•DEWG1S Wank Oftlers ecC•,T-IT•Secunty 0 BCC-FT-Network Aatnrnistrate r Work°rtier+, .... BCC IT_Resolved..Work Orders 11,4'BCC-TT-Service(X,5k Work Orders C7a5si'rt Int aairnt (ice€scatateeed i,veidents C,4 Incroent Support Group 'Tr My C:ortrohmir.e irtcitients 3. Right Click your Groups queue&select"Create Incident".This will open a New Work Order. -; *"JO ,rte rrt+tr .r >•%4344-444.4**i 1444414..4 VMS*,Elk.v4e,air • „mss- 3M«... 4. Affected User:Enter(Last name), if known.If not,enter your name. Affected user; * Kttd�lJ xllrKrndsI t �c�ndsIffMtd Desrnpt:on 5. Title:Use first line of El Template (Issue). http://sp 16/sites/ITCP/Wiki%20Pages/Enterprise%20lncidents.aspx 08/17/17 r�l�• IT Customer Portal -Enterprise Incidents Page 2 of 4 1. Issue:Description of what Issue is 2. Current Status:Down/Intermitent/Up/Resolved 3. Impact:Who is Impacted by this Issue 4. Root cause:Explanation of What the Cause is(El cannot be Closed without Root Cause being Identified.If one cannot be found,you will need your Manager's Approval to Close El.) 5. Action:Actions taken to Resolve Issue(Need to include Immediate, as well as the Root Cause Fix.If NO Root Cause Fix can be Identified,you will need your Manager's Approval to Close El.) 6. Notification: How were you Notified;User/Monitoring Tools/etc 7. Responsible:LEAD 8. Priority:High/Medium/Low 9. Original Date&Time:MM/DD/YY, HH:MM AM/PM 10. Resolution Date&Time:MM/DD/YY,HH:MM AM/PM 11. Number of Users Impacted:Estimated number of Users Impacted 12. Total Time Down:Total Down Time for Issue, HH:MM 13. Total User Hours Down: Number of Users Down*Total Time for Issue 6. Description:Contains ALL information from El Template.(Copy&Paste El Template into Description Field) 1. If you are not sure of Information,leave that line Blank.It can be updated later. Title El•Issue: Cityview documents not pnntind Description: Issue: C+ty^vieww documents not printing Current Status.Completed Impact CityView users 7. Classification Category:You will Only use those listed under"Enterprise Incident".These are the Possible Causes, not the Actual Issue. 1. If Classification is Unknown,use EI-Unknown.It can be changed later with updates. _ •. " ,. #.1.11,04 Iaa ;. e , � y 8. Source:This is for How You Were Made Aware of the Incident;Phone,Instant Messenger, Email, In Person (Walk- In), Reporting Tools(Configuration Manager,Operations Manager,etc) Tithe Fl-ll4.4r (^.vavw ldesa"*' ;m 1.,.7 fr'�'"..a,'i&y V,e*,iw pa ry,n:t r,maw:4't.,6..),,,,w%:•3A? J i:N,se Sawa' ..tfA Kilt) wax 9. Impact: 42/1 httn://sp 16/sites/ITCP/Wiki%20Pages/Enterprise%20lncidents.aspx 08/17/17 IT Customer Portal -Enterprise Incidents Page 3 of 4 1. Low is 1 person.By Definition,an El has to affect More than 1 person. 2. Medium,Up to 1 Department is affected. 3. High, More than 1 Department is affected. 10. Urgency: 1. Low, Users are still able to function,with No Loss of Productivity. 2. Medium,Slight to Moderate impact to productivity. 3. High,Affected users are unable to perform duties/functions. .... . ... . . . .. di nkle C+r iere.document not txnsm i:rtgvrw mmil nC:.^trrrt:3t iiir+.+i! %flu,.L$atf.teYVI clwlf[31tuNmower &twee. • xis: �Ck 'mote n.-nor 11. Support Group:This needs to be the IT Group you belong to. 1. Applications Analysts—Apps Support, Developers—Dev Support, Network Administrators—Network Admins,Service Desk—Service Desk <••..1.lTainr .. "+ Y f �vs'.i':.Vn.+ /Awe'+...Mnn.«.s. . .•' -..w.-. i • ...r;:+ '. IF f�'•e4tia.:iY:E '9{":_.. w;':nx:r k:— ';i t•. .:s �a 1 ... t wu < ax rJn• ��* .aM^ 1tr, ......._ ...3 12. Assigned To:This is the IT Person responsible(Yourself),unless entering for someone else. 13. Primary Owner:Same as Assigned To.Can also be any BCC Employee,who may be involved with resolving (Aaron Cromer,James Price,etc). Source' twit tk n cstego7w gwer. ,......... ........... waitted& Ur T•• fhlecer StlCisatt SXauA: .__._._. ,. . Elcm.ann5,esoft 14. Updates&Resolving:When updating the information,update the information in the Description.This is what displays for reports. 1. You can enter other information in the Action Log "Comments" Section. 2. You will also need to send this information to the Service Desk,so that the El Announcement can be updated as well. C http://sp 16/sites/ITCP/Wiki%20Pages/Enterprise%o201ncidents.aspx 08/17/17 rrr IT Customer Portal -Enterprise Incidents Page 4 of 4 3. When the El is Resolved,Click on the Resolve Link on the Right Side of the Window,enter in needed information &forward to the Service Desk,for Closing. 40.01. P4'iGrf[y1 7.!4 ot&rvass40 Ua tter tee t tie rvf�dry rawr+tier: t x 15. When forwarding to the Service Desk, Remove your name from the"Assigned To"field, &change the"Support Group"to Service Desk. 16. Send an email to DL-SystemOwners notifying everyone that there is an active El using the following format: 1. Subject:Enterprise Incident—Incident Description 2. Body: 1. Issue: 2. Current Status: 3. Impact: 4. Root cause: 5. Action: 6. Notification: 7. Responsible: 8. Priority: 9. Original Date&Time: 10. Resolved Date&Time: 11. Work Order#: 17. Immediately upon resolution of the El send an email to that updates the status of the notification email. The subject should be modified by prepending"Resolved". The items in the body of the email should be updated to reflect the current status. 18. Within S business days prepare and file an Enterprise Incident Report using the template (G:\Documentation\Admin\Enterprise Incidents\EI_template v20170705.docx). The El Report should provide a detailed description of: 1. What happened 2. The root cause(s)of the issue 3. The root cause corrective action(s) 19. Enterprise Incident Reports are to be filed in G:\Documentation\Admin\Enterprise Incidents\year folder. The file name should be formatted:yyyymmdd WO WorkOrderNumber WorkOrderDescription(see folder location for examples). 20. Enterprise Incident Reports should be reviewed and approved by your manager/supervisor prior to posting. 21. Incidents with no Root Cause identification should be escalated to your manager/supervisor for escalation to the IT Director. http://sp 16/sites/ITCP/Wiki%20Pages/Enterprise%20lncidents.aspx 08/17/17 11. Elevated Network Access Policy Approvals Collier County Name Date IT Department Security Policy Barry H.Axelrod E.Michael Berrios ELEVATED NETWORK Jeff A.Bolen Title ACCESS POLICY John J.Daly Bert Miller Tammy Smith SOP Number Prepared by: Jeff Bolen Page 1 of 04 Pages Checked by: Revision Date Change Description Draft 1 10/31/2006 Draft for Review by IT Staff Draft 2 11/07/2006 Draft for Review by IT Staff Draft 3 1/12/07 Added Section B8 FINAL 2/6/07 Finalized per JAB PolicyAdoption ITS- 001 Date Feb 6, 2007 Number U:\CAMS\RFP\Technical Specs\l I_Elevated Network Access Policy.doc 1/4 INFORMATION TECHNOLOGY ELEVATED NETWORK ACCESS POLICY SUBJECT: ELEVATED NETWORK ACCESS POLICY I. PURPOSE This policy establishes computer usage guidelines for the Collier County Board of County Commissioners (CCBCC), Information Technology Department staff during the course of their job duties on CCBCC Computer Systems. Guidelines stated herein are intended to protect the rights and security of CCBCC clients as well as those of the department staff. II. DEFINITIONS Special Access: Individual with password and privileges to use a special account on a CCBCC computer or subsystem, or having privileges above and beyond those of a normal user. III. GUIDELINES • A. Special Access One of the keys to trust in the services and integrity of the Information Technology Department is assurance that information stored on the network is secure. Members of the CCBCC IT Dept. staff are required to abide by all the items outlined in CMA 5405 as well as those policies outlined here. In addition to being the guardians/supporters of CCBCC resources, department staff members also serve as examples of professionalism for others in the CCBCC user community. All members of the IT staff have some level of special access. The first time a member of the CCBCC IT staff requests special access, he/she is asked to read and sign the Administrative Network Access Policy Agreement (See section C, below). This agreement presents general guidelines for using special access in a responsible and ethical manner. The agreement also specifies behaviors and practices that are prohibited. All members of the CCBCC IT staff will reference the information in this document and the CCBCC Human Resources Practices and Procedures Manual whenever they have a question regarding proper use of special access. Exceptions to this policy may be allowed for special situations, investigations and emergencies and must be requested through your manager, and approved by the Information Security Manager (ISM) or the Director. In case of the ISM or IT Director's unavailability, other IT Management staff may approve exceptions. B. Specific Rules of Special Access 1. Do not share special access passwords with anyone. 2. Do not share wireless encryption keys with anyone outside of the IT Department. U:\CAMS\RFP\Technical Specs\11_Elevated Network Access Policy.doc 2/4 3. Do not write down the special access passwords. 4. Do not read or send personal mail, play games, edit personal files or surf the web using a special access account, (Special access accounts are those accounts that are used to log into servers, etc). 5. Do not browse other user's files, or E-mail using a special access account, or any account with special access,unless in the course of normal duty. 6. Do not make a change on any system that is not directly related to your job duties without consulting IT Management. 7. Do not possess, or use programs, software, hardware, materials or any other device or system that could be construed as"hacking", unless you are approved to do so in writing by the Information Security Manager. 8. Do not remotely access a users PC until or unless the user gives their permission to do so. Exceptions to this would be in the course of a security investigation or other situations approved by Management. Definitions; Special Access — Those accounts with a higher level of access than a regular user, (all IT Staff regular accounts). Special Access Accounts—Those accounts with elevated permissions which are used to log into servers, network devices, etc. U:\CAMS\RFP\Technical Specs\11 Elevated Network Access Policy.doc 3/4 C. Administrative Access Policy Agreement The following agreement must be signed thus signifying that the individual understands and will comply with the conditions stated in this policy. The individual whose signature appears below understands that failure to conform to the "Administrative Network Access Policy Agreement" and to all other applicable policies may result in severe disciplinary action up to and including dismissal from Collier County Government employment. I, , have read and understood all aforementioned policies and will comply with the conditions stated above. Signed: Date: IV. CURRENCY The Information Security Manager (ISM) is responsible for maintaining the currency of this document. Contents will be reviewed on an annual basis, or sooner when situations warrant that review and possible changes are necessary. • U:\CAMS\RFP\Technical Specs\11_Elevated Network Access Policy.doc 4/4 0 Previ.ousNex.t Fla. Stat. § 501.171 Copy Citation The Florida code and constitution are updated through the 2016 regular session. • LexisNexis�� Florida Annotated Statutes. • Title XXXIIL Regulation of Trade, Commerce,Investments,and Solicitations (Chs. 494- 5601 • Chapter 501. Consumer Protection. • Part I. General Provisions. § 501.171. Security of confidential personal information. • (1)Definitions. As used in this section, the term: o (a) "Breach of security"or"breach"means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use. o (b) "Covered entity"means a sole proprietorship, partnership, corporation,trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity. o (c) "Customer records"means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service. o (d) "Data in electronic form" means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices. o (e) "Department"means the Department of Legal Affairs. o (f) "Governmental entity"means any department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality of this state that acquires,maintains, stores, or uses data in electronic form containing personal information. o (g) • 1. "Personal information"means either of the following: • a. An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual: • (I) A social security number; C: • (II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; • (III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account; • (IV) Any information regarding an individual's medical history,mental or physical condition, or medical treatment or diagnosis by a health care professional; or • (V) An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. • b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. ■ 2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity.The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable. o (h) "Third-party agent" means an entity that has been contracted to maintain, store,or process personal information on behalf of a covered entity or governmental entity. • (2)Requirements for data security.— Each covered entity, governmental entity, or third- party agent shall take reasonable measures to protect and secure data in electronic form containing personal information. • (3)Notice to department of security breach. o (a) A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is provided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred. o (b) The written notice to the department must include: • 1. A synopsis of the events surrounding the breach at the time notice is provided. • 2. The number of individuals in this state who were or potentially have been affected by the breach. • 3. Any services related to the breach being offered or scheduled to be offered, without charge,by the covered entity to individuals, and instructions as to how to use such services. • 4. A copy of the notice required under subsection (4) or an explanation of the other actions taken pursuant to subsection(4). • 5. The name, address,telephone number, and e-mail address of the employee or agent of the covered entity from whom additional information may be obtained about the breach. o (c) The covered entity must provide the following information to the department upon its request: • 1. A police report, incident report, or computer forensics report. • 2. A copy of the policies in place regarding breaches. • 3. Steps that have been taken to rectify the breach. o (d) A covered entity may provide the department with supplemental information regarding a breach at any time. o (e) For a covered entity that is the judicial branch, the Executive Office of the Governor, the Department of Financial Services, or the Department of Agriculture and Consumer Services, in lieu of providing the written notice to the department,the covered entity may post the information described in subparagraphs (b)1.-4. on an agency-managed website. • (4)Notice to individuals of security breach. o (a) A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach.Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay,taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay authorized under paragraph(b) or waiver under paragraph(c). o (b) If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary.A law enforcement agency may,by a subsequent written request,revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary. o (c) Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies,the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years.The covered entity shall provide the written determination to the department within 30 days after the determination. o (d) The notice to an affected individual shall be by one of the following methods: • 1. Written notice sent to the mailing address of the individual in the records of the covered entity; or • 2. E-mail notice sent to the e-mail address of the individual in the records of the covered entity. o (e) The notice to an individual with respect to a breach of security shall include, at a minimum: • 1. The date, estimated date, or estimated date range of the breach of security. • 2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security. C ■ 3. Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual. o (f) A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed$250,000,because the affected individuals exceed 500,000 persons, or because the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice shall include the following: • 1. A conspicuous notice on the Internet website of the covered entity if the covered entity maintains a website; and • 2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside. o (g) Notice provided pursuant to rules,regulations, procedures, or guidelines established by the covered entity's primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Under this paragraph, a covered entity that timely provides a copy of such notice to the department is deemed to be in compliance with the notice requirement in subsection (3). • (5)Notice to credit reporting agencies.— If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time,the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices. • (6)Notice by third-party agents; duties of third-party agents; notice by agents. o (a) In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections(3) and(4). A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements. o (b) An agent may provide notice as required under subsections(3) and (4) on behalf of the covered entity;however, an agent's failure to provide proper notice shall be deemed a violation of this section against the covered entity. • (7)Annual report.— By February 1 of each year,the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third-party agents of governmental entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any governmental entity that has violated any of the applicable requirements in subsections(2)-(6) in the preceding calendar year. • (8)Requirements for disposal of customer records.— Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer C records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. • (9)Enforcement. o (a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third party agent. o (b) In addition to the remedies provided for in paragraph(a), a covered entity that violates subsection (3)or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows: ■ 1. In the amount of$1,000 for each day up to the first 30 days following any violation of subsection(3) or subsection (4) and,thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days. • 2. If the violation continues for more than 180 days, in an amount not to exceed $500,000. • The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach. o (c) All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund. • (10)No private cause of action.— This section does not establish a private cause of action. • (11)Public records exemption. o (a) All information received by the department pursuant to a notification required by this section, or received by the department pursuant to an investigation by the department or a law enforcement agency, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution,until such time as the investigation is completed or ceases to be active.This exemption shall be construed in conformity with s. 119.071(2)(c). o (b) During an active investigation, information made confidential and exempt pursuant to paragraph (a) may be disclosed by the department: • 1. In the furtherance of its official duties and responsibilities; • 2. For print,publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim of a data breach or improper disposal of customer records, except that information made confidential and exempt by paragraph(c)may not be released pursuant to this subparagraph; or • 3. To another governmental entity in the furtherance of its official duties and responsibilities. o (c) Upon completion of an investigation or once an investigation ceases to be active,the following information received by the department shall remain confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution: • 1. All information to which another public records exemption applies. • 2. Personal information. • 3. A computer forensic report. • 4. Information that would otherwise reveal weaknesses in a covered entity's data security. • 5. Information that would disclose a covered entity's proprietary information. o (d) For purposes of this subsection,the term"proprietary information"means information that: • 1. Is owned or controlled by the covered entity. • 2. Is intended to be private and is treated by the covered entity as private because disclosure would harm the covered entity or its business operations. • 3. Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public. • 4. Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the department. • 5. Includes: • a. Trade secrets as defined in s. 688.002. • b. Competitive interests,the disclosure of which would impair the competitive business of the covered entity who is the subject of the information. o (e) This subsection is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2019,unless reviewed and saved from repeal through reenactment by the Legislature. History S. 3, ch. 2014-189, eff. July 1, 2014; s. 1, ch. 2014-190, eff. July 1, 2014. ''Annotations ..................................................: Notes Editor's Notes Section 1, ch. 2014-189, provides: "This act may be cited as the `Florida Information Protection Act of 2014.' " Section 2, ch. 2014-190, provides: "The Legislature finds that it is a public necessity that all information received by the Department of Legal Affairs pursuant to a notification of a violation of s. 501.171,Florida Statutes, or received by the department pursuant to an investigation by the depa,tment or a law enforcement agency,be made confidential and exempt from s. 11.9.07(1), Florida Statutes, and s. 24(a), Article.1.of the State Constitution for the following reasons: "(1)A notification of a violation of s. 501.171, Florida Statutes, is likely to result in an investigation of such violation because a data breach is likely the result of criminal activity that C may lead to further criminal activity. The premature release of such information could frustrate or thwart the investigation and impair the ability of the Department of Legal Affairs to effectively and efficiently administer s. 501.171, Florida Statutes. In addition, release of such information before completion of an active investigation could jeopardize the ongoing investigation "(2)The Legislature finds that it is a public necessity to continue to protect from public disclosure all information to which another public record exemption applies once an investigation is completed or ceases to be active.Release of such information by the Department of Legal Affairs would undo the specific statutory exemption protecting that information. "(3)An investigation of a data breach or improper disposal of customer records is likely to result in the gathering of sensitive personal information, including social security numbers, identification numbers, and personal financial and health information. Such information could be used for the purpose of identity theft. In addition, release of such information could subject possible victims of the data breach or improper disposal of customer records to further financial harm. Furthermore, matters of personal health are traditionally private and confidential concerns between the patient and the health care provider. The private and confidential nature of personal health matters pervades both the public and private health care sectors. "(4)Release of a computer forensic report or other information that would otherwise reveal weaknesses in a covered entity's data security could compromise the future security of that entity,or other entities, if such information were available upon conclusion of an investigation or once an investigation ceased to be active. The release of such report or information could compromise the security of current entities and make those entities susceptible to future data breaches. Release of such report or information could result in the identification of vulnerabilities and further breaches of that system. "(5)Notices received by the Department of Legal Affairs and information received during an investigation of a data breach are likely to contain proprietary information, including trade secrets, about the security of the breached system.The release of the proprietary information could result in the identification of vulnerabilities and further breaches of that system. In addition, a trade secret derives independent, economic value, actual or potential, from being generally unknown to, and not readily ascertainable by, other persons who might obtain economic value from its disclosure or use.Allowing public access to proprietary information, including a trade secret, through a public records request could destroy the value of the proprietary information and cause a financial loss to the covered entity submitting the information. Release of such information could give business competitors an unfair advantage and weaken the position of the entity supplying the proprietary information in the marketplace." Amendments. The 2014 amendment added (11). Florida Information Protection Act Attestation: I hereby attest that I have read and that I understand the provisions of Florida Information Protection Act (Fla. Stat.501.171). I also understand that I can be subject to disciplinary action up to and including dismissal for violations of this act. Signed: Date: Printed Name: Witnessed by(manager): Date: C EXHIBIT B PROCESSOR'S PROPOSAL TO #18-7284"PAYMENT PROCESSING AND RELATED SERVICES" (FOLLOWING THIS PAGE) JetPay Payment Services,TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 30 EXHIBIT B TO MERCHANT CARD PROCESSING TERMS AND CONDITIONS Collier County Board of County Commissioners Request for Proposal (RFP) for Payment Processing and Related Services Solicitation No.: 18-7284 February 26th,2018 tpay .0 Offeror Contact Information: Christopher F Battel, Chief Operating Officer JetPay Payment Services,FL,LLC 316 South Baylen Street, Suite 590 Pensacola,Florida 32502 (850) 858-3321 Telephone (850) 444-9331 Fax chris.battel@jetpay.com www.jetpay.com COVER LETTER/MANAGEMENT SUMMARY: February 26, 2017 Viviana Giarimoustas Procurement Strategist Procurement Services Division 3295 Tamiami Trail East, Bldg C-2 Naples, FL 34112 Re: Payment Processing and Related Services Solicitation No.: 18-7284 Dear Ms. Giarimoustas: It is my pleasure to submit the attached proposal from JetPay Payment Services, FL, LLC ("JetPay"), a wholly-owned subsidiary of JetPay Corporation (Nasdaq: JTPY), in response to Collier County Solicitation NO. 18-7284 Payment Processing and Related Services. Based upon our understanding and experience serving Collier County Utilities since February 2012 (added service to Landfill, Parks & Recreation and Animal Services in 2016) and from reviewing the RFP, I am confident that JetPay and our Proposal is an excellent fit and overall solution for Collier County and its customers. JetPay's Proposal provides: (i) electronic bill presentment, (ii) payment acceptance and processing in every payment channel (point-of-sale, on-line, mobile, IVR, AutoPay/scheduled payments, kiosk, SMS text, emal, etc.) including posting transactions back in real-time, attainment of all application integration, data and reporting requirements, (iii) a highly secure environment that limits Collier County's PCI scope, (iv) at no cost, access to our embedded customer communication tools which could be used to send electronic reminder invoices that are dynamically created to your customers via SMS text or email (increased customer satisfaction and improved collections), (v) exceptional and responsive service to the staff and customers of Collier County, and (vi) a lower cost to recognize JetPay's longstanding service to Collier County. When integrating in our preferred methods, all of your customers' payment card and banking information is only on JetPay's servers—this materially reduces Collier County's Payment Card Industry Data Security Standard scope and risk of a data breach. As a certified PCI Level 1 Service Provider (the highest level), JetPay maintains policies and practices that have been tested and proven to successfully protect sensitive payment card data, banking data and Personally Identifiable Information ("PII"). Payment data and PII is always encrypted while at rest or in-transit, as well as is encrypted point-to-point when swiped or dipped at point-of-sale. We tokenize data when customers elect to establish an account and save their payment card and banking data for use in the future. Our payments business is headquartered in Carrollton, Texas and we are a leading provider of credit card, debit card and e-check payment processing services to state and local government entities throughout the U.S. Our clients are comprised of counties, cities, townships as well as two statewide electronic payment processing contracts (Illinois and Missouri). Our parent, JetPay Corporation (Nasdaq: JTPY), is one of the very few card processors that is a principal and is real-time connected to the Visa, MasterCard, Discover and American Express payment networks (end-to-end connected on authorization of payments as well as on the clearing and settlement of funds). As a result, we are able to offer low all-in pricing (includes Interchange, Dues, Assessments, gateway and all other costs associated with accepting and processing electronic payments) and unmatched transaction/settlement execution for your customers' credit card and debit card payments. JetPay is one of the leading merchant processors—we have processed over$15 billion of credit and debit card payments per annum. C Also, JetPay is based exclusively in the United States of America, and we will not use any subcontractors to perform the services in our Proposal. Collier County customers may utilize their preferred mode of payment (point-of-sale, web/ mobile or IVR) and their preferred brand of credit or debit card at any time to submit a payment. We continue to see individuals and businesses express interest in new and innovative methods to submit electronic payments and we will continue to introduce new payment technologies that address these desires. JetPay is Collier County's partner in increasing staff operational efficiency in billing and collection while maintaining customers' satisfaction. We will integrate our Solution with your departments' applications so that there will be perfect account validation, no double entry of data and payment transactions will be automatically posted back into the software systems. In addition to processing electronic payments, our platform Solution enables the County to send communications (i.e. bills/invoices, court date reminders, etc. that are dynamically created) to customers in their desired method (email or SMS text) which will improve customer satisfaction (reminder to take action and lessen fines and penalties) and improve collection of amounts due. Collier County's accounting and finance staff can experience increased efficiency with JetPay's reporting and proprietary settlement process that enables daily reconciliation in minutes compared to a typical merchant account which is difficult to reconcile and takes extensive time daily. JetPay is committed to providing responsive customer service every day in every payment transaction. We experience a very low level of customer service tickets in our business—on average, approximately 1 ticket per 1,000 transactions. Furthermore,we are proud of our record of conclusively resolving 97% of all customer support tickets within 1 business day. Similarly, JetPay is proud of maintaining a continuously available system for customers to make payments. The JetPay Team is committed to ensuring that the credit and debit card processing services provided under this contract are performed diligently every day. Likewise, we will provide exceptional customer service to the customers and staff of to Collier Cotounty. On behalf ofnthe entire JetPay Team, we welcome the opp Y customers and staff! Best Regards, )1`9° Christopher F. Battel, President of Government Services, Chief Operating Officer 850-858-3321 direct, 850-607-3659 mobile Chris.Battel@JetPay.com C CERTIFIED MINORITY BUSINESS ENTERPRISE: C BUSINESS PLAN: JetPay Payment Services, FL was founded in 1999 to serve exclusively the government sector. We serve state agencies (we have state-wide electronic payments processing contracts with the states of Missouri and Illinois), counties, cities, tax collectors and municipal utilities throughout the U.S. JetPay is committed to providing an exceptional experience for your customers in submitting payments, while increasing the operational efficiency of your staff.JetPay's web-based payment processing system processes all payment types;Visa,MasterCard,Discover, Amex,all branded debit cards and e-Checks,via all collection modes including web,IVR,point-of-sale,mobile,and pre-authorized payments. In addition to its payment processing services, JetPay also offers e-Bill presentment and customer communication platform. The JetPay project management team has decades of combined experience in electronic payment processing, distributed system implementations,and technical data conversions.The team has extensive experience working in collaboration with our clients in a large variety of project implementations,maintenance,and support. We process on average approximately 500,000 transactions per day. We do not have a maximum number of simultaneous users. Our processing platform is highly scalable, and we coordinate with our clients to identify estimated processing volumes and any expected spikes in activity. We then assign the necessary computing resources to ensure an optimal payment experience.We monitor our processing system in real-time and JetPay has never experienced a situation in which we were not able to process payments due to bandwidth issues or due to the system being overloaded with transactions. Even though JetPay currently serves Collier County, we will hold an organizational meeting to discuss any new departments or payment types that the County requests JetPay to begin processing. In addition,we will discuss the method of integration with the County's customer information systems. There may be opportunities to streamline integration that results in increased efficiency and lower costs.Prior to any new service implementation,JetPay will meet with appropriate County and IT staff to establish client profiles and databases within our fully functioning test environment.The profiles include fee schedules,organizational units,payment types,collection modes,user names and passwords, as well as all other critical information required to accept and process payments. The boarding process involves establishing all necessary accounts for processing Visa,MasterCard,Discover,American Express, and ACH transactions. In parallel, JetPay's integration staff works with the appropriate County and Department personnel to identify overall system requirements including APIs, Data Interoperability, and general System Attributes(payment types,distribution accounts,settlement methodologies,user groups and rights,etc.). For new departments or integration requirements (fully hosted or payment re-direct), we typically experience the boarding/conversion of a client similar in scope to Collier County within 6 weeks;however,in certain cases where a client has third party software partners involved,the timing could extend up to 12 weeks where the additional time is associated with schedule conflicts associated with the additional parties involved. JetPay will engage with the County prior to the implementation of the boarding/conversion process. The typical deployment timeline for a client similar in size and scope is: 1. Week 1 a. Agreement executed with client as result of RFP award b. Points of contact and responsible parties(County,departments,&third-party vendors)established c. Requirements review performed by our team in conjunction with County and third- party vendor(organization structure,payment types,systems interoperability) 2. Week 2—Week 5 a. County test instance established i. Team works with third party to ensure proper system interoperability ii.End user testing initiated for County acceptance b. County production instance established i. End user testing initiated for final County acceptance c. Production instance initialized with production data(user profiles,organization profiles,payment types) d. Integrate County's and/or Third Party's software which accepts payments with our Payment Processing Solution using our Fully Hosted or Virtual Terminal integration (all payment card and banking data on our system) i. Utilize web service calls or file import/export process for validation and posting data back into County's and/or Third Party's software e. Necessary merchant services accounts established 3. Week 6 a. Training(onsite)if needed b. Establish rollout process and schedule with the County for offices/locations using the JetPay solution in a point-of-sale or face-to-face environment. c. Go live date established d. Site live 4. Week 7—Week 12 a. Handle any holdups in implementation and boarding process due third-party vendors, or issues out of our control Below is an example of a GANTT Chart for a typical Client boarding: 11 A P4 .114 Vitib( /My kV *SpitilA NT. !+w*4N.M'9'1PIR**X*IMrM1 1Y9114 Sl9*'K4 gPry, MYb'r#p arfllMMeiYS.J IMOa wM+V 4.1110 ow warn ovaa M9YYp1HR+lA1 !fMMI -*Miltt Ak IWif�11 iMlkli tmermt..11.4.0,04.60 6-141r4 W14111 *f ramorw.v Eat wer"wry!°'rya b' 811141.41101•113~PM et 111a.t.1131.144 .w•.a Jav'r..nir •ryV+.•;lx.! *v.A.v.a•.34Y ' t444.-4 AK 1111 �'ry.:vc.-wat t Eta 31105.r Meal Mt.at xxm'uay.�.em4 x:^kemtx£.r.: :,ax.:-m�'s.�nR.ac:A.iat: r.Pant..0.3* 1.104.4 0.01.1*. ?wygitxa'. 1..41,0, 7Mi .. yf CAF" "hc'' `.Y.Vu Y Ct x.i rw+'YMmart.a.=ir:-.iRa.wce!o�N. 'y1 *aia*w4N.SM►.w$* e.,o si •tLC4n* APY .f.14 bY,Yaii:4.4iFtii.iY'✓1�1'��'L''.�'ti i 0:4:7:41=111.0M. M10611 63411.1(+PI 0'4mR'1 rYMi"i 'SP.":'.'MarNie.YCiMii 111 :4V^`! F 10313134310.011 I.0s.,.4 s...Wm.0 o., Alghli jd11'J ,l, tyr :AtM- Rs✓3y4;:l+yYyi MRti"M ni'••.,y � „e.rsx CAt- COST OF SERVICES TO THE COUNTY: Collier County Request For Proposal Merchant Services RFP 18-041 PRICING PROPOSAL JetPay's business model is such that we strive to generate 100%of our revenues from transactional fees that are paid by the consumer or, in some cases, the client. By presenting one simple pricing structure, much of the ambiguity typically presented by card processors has been removed, making it easier for the County to anticipate the true cost which they or their consumers must incur.Additionally,this simple fee structure can be utilized across the County's various departments and their respective various transaction amounts. Further, our platform could enable cost reductions and increased customer satisfaction through the use of our e- communication tools which enable the County to engage with its customers using SMS text,email or outbound IVR on any topic including electronic bills,payment reminders,etc. CONVENIENCE FEE Credit/Debit Cards 2.00% + $0.25 per transaction $0.20 per transaction e-Checks Other Fees The following items and services are offered at no additional charge to the County or its constituents: $0.00 I e-billing $0.00 VRR $0.00 Installation/Implementation Fees $0.00 Training $0.00 Customization Services $0.00 Software Maintenance $0.00 Hosting $0.00 Licensing $0.00 Support $0.00 2nd Year Maintenance $0.00 3rd Year Maintenance The following items will incur additional charges: EMV Equipment per device $0.00 JetPay's preferred EMV device is the Pax S300 or Pax S500 (other models available) Purchase price includes a full warranty for the duration of the contract Pax S90 or Check Scanners $0.00 Non-EMV encrypted Magtek wedge swipe devices $0 Chargebacks $10 Returned Checks (fee paid by customer) $20 EXPERIENCE AND CAPACITY OF THE FIRM: JetPay Payment Services,FL,LLC,is a leading provider of credit card, debit card and e-check payment processing services to state and local government entities throughout the U.S. Our clients are comprised of counties, cities, townships as well as two statewide electronic payment processing contracts (Illinois and Missouri). Our parent, JetPay Corporation (Nasdaq: JTPY), is one of the very few card processors that is a principal and is real-time connected to the Visa, MasterCard, Discover and American Express payment networks (end-to-end connected on authorization of payments as well as on the clearing and settlement of funds).As a result,JetPay is able to offer low all-in pricing (includes Interchange, Dues,Assessments, gateway and all other costs associated with accepting and processing electronic payments)and unmatched transaction/settlement execution for your customers'credit card and debit card payments.JetPay is one of the leading merchant processors—we have processed over$15 billion of credit and debit card payments (excludes volume from all e-check/ACH transactions) in over 50 million transactions per annum. JetPay is committed to providing an exceptional experience for your customers in submitting payments, while increasing the operational efficiency of your staff. JetPay's web-based payment processing system processes all payment types; Visa, MasterCard,Discover,Amex, all branded debit cards and e-Checks,via all collection modes including web, IVR, point-of-sale, mobile, and pre-authorized payments. In addition to its payment processing services,JetPay also offers e-Bill presentment and customer communication platform. JetPay's primary value proposition is providing complete payment processing solutions that are fully integrated with our government clients' systems and operational processes that result in: (i) an exceptional payment experience for customers, (ii) increased staff productivity of our clients, and (iii) a highly cost-effective solution overall. For electronic bill presentment, JetPay dynamically creates the bill/invoice that is Section 508 compliant for all customers to view,including visually impaired and blind persons(typically,our competitors provide PDFs in their e- bill offering which are not accessible for blind persons). Likewise, unlike many competitors, JetPay puts all of its fees into payment transactions—there are no fees or expenses other than for processing payment transactions,i.e.no integration fee,no hourly software development charges,no charges to present electronic bills/invoices,no charges to send SMS text, email or outbound IVR messages to customers. Overall, JetPay believes that we provide an excellent solution from a feature/function/integration perspective (we do not see any competitor with a superior solution)at a highly competitive price. JetPay Corporation is solvent and will to continue to meet all of its financial obligations when they become due in the future as we have done historically.Based upon the most recent public filing of our financial statements with the Securities and Exchange Commission as well as those filings by our peer group of publicly traded processors,JetPay Corporation is growing,increasing cash flows and had a Total Debt to EBITDA ratio that is less than all of our peer group of payment processing public companies. In addition to our cash flow as a source of satisfying our financial obligations, JetPay Corporation has access to the public and private debt and equity capital markets to raise additional funding. The JetPay project management team has decades of combined experience in electronic payment processing, distributed system implementations,and technical data conversions.The team has extensive experience working in collaboration with our clients in a large variety of project implementations, maintenance, and support. The key personnel servicing Collier County will include,but are not limited to: Christopher Battel,Chief Operating Officer and Executive Officer Rick Griffiths,Director of Account Management and Project Manager Joe Lennon,Director of Sales and Business Development&Senior Relationship Manager Lynn Yelverton,Customer Service Manager Rick Carroll,Chief Financial Officer Heath Gardner,Software and Development Director Paul Shave,Information Technology and PCI Director Shirley Everage,Technical Account Manager Joseph Lennon,Director of Sales and Business Development&Senior Relationship Manager Phone:(850)858-3319 joe.lennon@jetpay.com Joe Lennon joined JetPay in the first quarter of 2015. Mr. Lennon has spent 30 years delivering customized customer experiences and solutions to prominent national, regional and boutique businesses in the hospitality and health care industries.He has comprehensive leadership experience and knowledge in entrepreneurial,analytical and sales oriented environments. He is responsible for the leadership and implementation of Customer Relations, Sales and the Business Development strategy of JetPay Payment Services,FL,with a focus on customer satisfactions and business growth.Mr.Lennon will serve as the Relationship Manager for this contract,and will serve as the primary point of contact. Christopher Battel,Chief Operating Officer Phone:(850)858-3321 chris.battel@jetpay.com Chris Battel joined JetPay in September of 2013 after a 25 year career in investment banking. Mr. Battel is a Chartered Financial Analyst, with 25 years of investment banking experience at prominent national, regional and boutique investment banks serving clients in technology, business services, financial services and health care industries. He has comprehensive leadership experience and knowledge in entrepreneurial, analytical and sales oriented environments. He is responsible for directing the leadership, strategy and operations of JetPay Payment Services,FL,with a focus on business growth and performance. Prior to joining JetPay,Mr.Battel held executive leadership positions at corporations and financial institutions, and coordinated more than 100 transaction processes involving mergers, acquisitions, public offerings, private placements of debt and equity securities.Mr.Battel received his Bachelor of Science in Finance from the University of Virginia, Masters of Business Administration from Georgia State University, and holds the globally recognized Chartered Financial Analyst credential for finance and investment professionals. Rick Griffiths,Director of Account Management and Project Manager Phone:(850)858-3309 Rick.griffiths@jetpay.com Rick Griffiths joined JetPay in January 2014 and services as Director of Account Management. Prior to joining JetPay Mr. Griffiths served as a Corporate Account Manager for WebMD, and was a founding partner of Health Data Services.Mr. Griffiths has over 16 years of experience in account management.In addition to his role as the Director of Account Management, Mr. Griffiths has served as a key project manager for JetPay. He was instrumental in the migration of JetPay Payment Services, FL clients to our recently developed Magic platform, and has worked on large and complex clients' on-boarding such as the State of Illinois ePay program and their various participants throughout the state including state agencies,counties,cities,universities,etc. Lynn Yelverton,Director of Customer Service Phone:(850)858-3303 lynn.yeIverton@jetpay.com Lynn Yelverton joined JetPay in June 2011 and is Director of Customer Service. Mrs. Yelverton manages JetPay Payment Services,FL's Customer Service efforts and the JetPay Help Desk.Mrs.Yelverton is partially responsible for client training in conjunction with the client's relationship manager, and the JetPay help desk is responsible for all Tier 1 service calls. Mrs.Yelverton has over 17 years of experience in customer service, and has held leadership roles in the customer service industry for over 12 years. Mrs.Yelverton earned her bachelor's degree in Office Systems and MBA from Troy University. Rick Carroll,Chief Financial Officer Phone:(850)858-3315 rick.carroll@jetpay.com Rick Carroll,a Florida licensed CPA,joined JetPay in June 2012 and currently serves as Chief Financial Officer.He is responsible for development and implementation of the corporate strategic plan with emphasis on increasing market share,data management,and cost control. Prior to joining JetPay, Mr. Carroll had his own practice for over 10 years. Before that, Mr. Carroll held financial positions in the Banking and Healthcare industries.Mr.Carroll earned his Bachelor's Degree in Accounting from the University of West Florida. Heath Gardner,Software Development Director Phone:(850)858-3314 heath.gardner@jetpay.com Mr. Gardner joined JetPay in May 2012 as the lead Software Developer for JetPay's secure web based payment application. His primary responsibilities include software maintenance and development of new enhancements for the JetPay eCollections Portal User Interface and software configuration management. Prior to joining JetPay,Mr.Gardner worked for over 15 years in software engineering and project management roles providing him with broad experience and expertise in the software development lifecycle. Mr. Gardner earned a Master of Science in Management from Troy State University in addition to earning his Bachelor of Science in Computer Science from the University of West Florida. Paul Shave,Information Technology Director Phone:(850)858-3310 paul.shave@j etpay.com Mr. Shave joined JetPay in May 2010.He is responsible for Network Integration, Security,and Service Delivery for the organization.He has worked in the Enterprise Network and Telecommunications field for over 20 years.During this time he has worked with a wide variety of technologies and implemented mission critical solutions and designs for many organizations worldwide. Prior to JetPay he was a Senior Network engineer for a regional technology integration firm performing network design and consulting in the areas of operational guidance, wide area/local area networking, VOIP, and network security.Previously,Mr. Shave served as a Network Administrator with the United States Air Force,specializing as troubleshooting and implementation for logistics systems in the European and Southwest Asia theaters. Shirley Everage,Technical Account Manager (850)858-3300 Shirley.martinez@jetpay.com Shirley Everage joined JetPay in January 2013 as a Customer Service Representative. In 2015 Mrs. Everage transitioned into a technical account management role with JetPay. Mrs. Everage has been instrumental in the migration of JetPay Payment Services,FL's client base from our Legacy platform to our new Magic platform.Prior to joining JetPay, Mrs. Everage served as a Sales Associate at Collective Solutions. Mrs. Everage earned her Bachelor's Degree in Marketing from Texas State University. Selected Vendor will be responsible for,but not limited to,the following requirements: 1.Cashiering Front-End Provide all front-end systems for Selected Vendor to process County payments,regardless of payment channel. JetPay's web-based payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry, and is ideal for accepting online/e-Commerce payments, point-of-sale EMV transactions, mobile app, IVR and virtual terminal payments for mail in/phone in payments.JetPay's payment processing system processes all payment types; Visa, MasterCard, Discover, Amex, all branded debit cards and e-Checks, via all collection modes including web, IVR, point-of-sale, mobile, and pre-authorized payments. JetPay's payment pages and user interface are designed to be as simple and intuitive as possible for your customers and staff.Magic is entirely web-based and is accessible using the current version of all of the leading web browsers (Edge, Internet Explorer, Chrome, Safari and Firefox). Magic is a .NET MVC application with SQL Server databases and Razor and JQuery on the user interface. In addition, Magic has both a REST & SOAP API to support integrations to third party software systems. JetPay's system is highly configurable and would enable the County to edit/create a point-of-sale payment type to fit its specific needs.For example,the County would be able to customize whether it wants this specific payment type to require a metadata lookup based upon account or user data provided by the County, and whether this lookup can be partial or is required to be full. For example, this specific payment type could enable County staff to search for a payer's account by many different identifiers such as name, address, or account number, and then have shopping cart information pre-filled based on accurate payer billing information. The search can be either partial or required to be full search, and search results can be configured to include identifiers that the County may choose to be displayed based upon the information passed to our system. Payment validation would enable the County to have a payment type that uses a metadata lookup in which a customer service representative enters the specific payment identifier(s) of the customer which then brings up that customers account information and account balance that is pre-filled in the shopping cart.The customer service representative can then have the customer insert/swipe their card to complete the payment with no need for the customer service representative to manually enter customer account data or a payment amount. This is all done through an integration to your account management system either through real-time web service calls or through a file import/export process via SFTP. By integrating our payment platform with the County's account management system, we can enable payment validation and post-back of data into your account management system with no double entry of data by your staff. For point-of-sale transactions,JetPay's platform supports Chip-and-Pin transactions using the PAX S300 and PAX S500 EMV devices in semi-integrated mode,the PAX S500 EMV device in a standalone mode, and the PAX S90 for cellular/wireless transactions. JetPay's PAX S300, S500, and S90 have been certified by each of the payment networks in processing EMV dipped transactions. The PAX S300, S500 and S90 accept near- field communication transactions, and our system uses end-to-end encryption and tokenization in the card reader,whether EMV or non-EMV is present. Point-of-sale payments utilize end-to-end encryption which is performed at the Point of Interaction by the EMV reader through the use of the SRED chip, rather than through a software solution. JetPay's recommended connection of our EMV solution is via ethernet to reduce the footprint on clients' networks and workstations. As a result of ethernet connection of the EMV readers, there is no software, including drivers,that are installed on client workstations.Although our preferred connection is via Ethernet, JetPay's PAX S500 is capable of accepting analog or wifi transactions, and the PAX S90 can accept cellular transactions. JetPay also supports Verifone VX520 EMV terminals in stand-alone mode with an analog connection.JetPay can provide check scanners as well that scan paper checks at the point-of-sale and convert them to e-Checks which are processed at the point-of-sale. Below are screenshots of the payment screens &experience using the PAX S300 in semi-integrated mode: C V.L.1 ir,torm.re, ett*P.24100.,,ath* teCentnfurretor Saaepl;Cart How are yow making tide payment? ,,nrotr SCAC (1414450-1 MOde POtS T.1044) x 0404 lraflcOt1011 • fit•A, r•V.. Ns• Add Paylnerti Wkat would you like to pay? Purwent Category 0114014 • P°.r.'g 7).P. VII, Please*hue tilt fifth:6AMIsfermhrine to Identify the payment tsrotor inbett 412:1705 et A:FOLIV. rlPao(Vit twewserir Pewnent Amount Roma:,Due I o 040155545% 0 nos laws ow carrwur =CM= deshbearl Payment Rermstl Reports hl omega- &terry INInsete- CO' anew wax. .0 Ill.: tcn.Ann. Make A Payment-CSI Live ShannlAs Opt Vet tlInawrentln`ctrnation UtIlIty 1.t. %taw.% 00 Payment Retells :inky 01111103-letPay llist•11,00 t 4 1750041 L' 0 Please follow the onwtreen instrardwn on the PAN S301k ta template The trettwAtion. Make A Payment-CSI live Thank You for Your Payment Pia ratio this confirmationmunber for your pervnnlai re on . irdRELIANCESTAR Customer Name WINI:,ATEiJF.ROMEA Effective(late 1,27/M75:10 PIA Central Standard Time Payment Confirmation Number 219:3 Item Amount Ulil`.ty Subtotal: $5.00 Total Amount Due: $5.00 Visa 471575 000,n 21c0 expires 59,2318 1$8`00 Total Amount Paid: tSs'ool Remaining Amount Due: $0.00 Payment Details utility 577 ..j (' 5051t-1$:00 i ea Email TO 6 Print Receipt 2.Real-time Payment Processing County operations depend on real-time recording of payments against the receivable. JetPay only utilizes real-time authorization and reporting for all credit card, debit card and e-check transactions.JetPay Payment Services,FL,LLC,is a leading provider of credit card,debit card and a-check payment processing services to state and local government entities throughout the U.S. Our parent, JetPay Corporation (Nasdaq: JTPY), is one of the very few card processors that is a principal and is real-time connected to the Visa,MasterCard,Discover and American Express payment networks(end-to-end connected on authorization of payments as well as on the clearing and settlement of funds).As a result,JetPay is able to offer low all-in pricing(includes Interchange,Dues,Assessments,gateway and all other costs associated with accepting and processing electronic payments) and unmatched transaction/settlement execution for your customers'credit card and debit card payments. 3.Interfaces The Selected Vendor must create the interface between the Selected Vendor's own front-end payment processing software and the County's line of business systems establishing the ability for the Selected Vendor to: • query and search real-time for County debt owed by customer • provide payment transaction information real-time to the County • retrieve County revenue reporting for reconciliation purposes Selected Vendors must provide payment information through the with each of the County's line of business applications (see above and appendix xxx for a listing) using manufacturers approved interfaces. The Selected Vendor will also be required to provide an interface file for batch processing with the agency's SAP financial system (see section 5. Below).. Selected Vendors must be able to provide the necessary information using a secure authentication method and provide data formatted as required by the line of business applications vendors. Selected Vendor must work with the County's Information Technology Division and the line of business application vendors to achieve the required secured connection and communication. The Selected Vendor must also create interfaces to the County's existing (contracted—out) payment processing Selected Vendor systems to: C • process payment card payments • process ACH payments • process check images JetPay will develop integrations to the County's line of business systems using the API of the County/third- party software system or JetPay will provide its API (REST or SOAP) to the County/third-party software system to develop the interface to JetPay. JetPay uses Swaggerio framework for its REST API, which provides documentation, definitions, code samples, and an efficient interface to more easily and efficiently integrate to the Magic platform. If the County has a software system that we have not previously integrated with,we will establish a mutually acceptable integration,whether it be through real-time web service calls or an automated file import/export, at no cost to the County. JetPay will ensure that data is formatted in a mutually agreed upon format required by each line of business application vendor, and ensure a secured connection and communication for all integrations.Additionally,JetPay will create interfaces to the County's existing(contracted-out)payment processing system to process payment card payments,ACH payments,and process check images. JetPay's system is highly configurable and would enable the County to edit its various payment types to fit its specific needs.For example,the County would be able to customize whether it wants a specific payment type to require a metadata lookup based upon account or user data provided by the County, and whether this lookup can be partial or is required to be full.For example,this specific payment type could enable customers to search for their account by many different identifiers such as name,address,or account number,and then have shopping cart information pre-filled based on accurate payer billing information. The search can be either partial or required to be full search,and search results can be configured to include identifiers that the County may choose to be displayed based upon the information passed to our system.This metadata lookup can be based on one payment identifier or multiple payment identifiers. This is all done through an integration to your account management system(s)either through real-time web service calls or through a file import/export process via SFTP. By integrating our payment platform with the County's account management system(s), we can enable payment validation and post-back of data into your account management system with no double entry of data by your staff. JetPay's payment platform enables real-time validation and real-time posting of payments with no double entry through integrating our payment platform with your various software systems.JetPay's system can do this through either the use of real-time web service calls to the County's account management system under our preferred integration alternatives (fully hosted or payment re-direct), or through an automated file import/export process for validation and posting back into the County's third-party software system. JetPay only recommends system integrations where all of your customers' payment card data and banking information is solely on our network and payment processing platform. This materially limits the scope of your required compliance with the Payment Card Industry Data Security Standard. Under a fully hosted integration, all activity associated with accepting/submitting a payment is on JetPay's web pages/user interface and servers.The customer starts on the County's website and clicks on a button,i.e. Pay Bill, where the customer is re-directed to JetPay's fully hosted user interface and servers to make a payment.All payment information is solely on our screens which limits the PCI scope and risk of the client. JetPay will develop an interface to your or a third-party vendor's software.This enables validation through either the use of real-time web service calls to your software or through the use of files with such validation information which are provided by the client to our system using our secure FTP file processing. Likewise, JetPay's system will post back all transaction data back into the County's systems in an automated process which will either be performed in real-time or through a batch file update process. Under a payment re-direct integration,the County or a third-party software vendor develops the interface to JetPay's processing platform. The customer remains on the County's user interface until payment information is entered,at which point,they are re-directed to JetPay's user interface and servers to complete the transaction.This integration also limits the County's PCI risk by maintaining all customer payment data and banking information on JetPay's user interface and servers. The payment is processed in real-time on JetPay's user interface and then upon successful completion of the payment transaction, the customer is re- directed back to the County's website. CAO Under the Fully Hosted integration, JetPay is in complete control of the development schedule, and can ensure that the boarding process will be conducted within our established timeframe.Under the Payment Re- Direct integration, JetPay will collaborate with the County or their third-party software partner on developing the interface using JetPay's API. JetPay will provide documentation, code samples, and be responsive to all questions when the County or a third-party software vendor writes an interface to our system. 4.Hosting The Selected Vendor will be responsible for hosting and maintaining the services and providing IT support for county staff. Please note,Collier County will not consider any solicitation the does not include hosting services. JetPay's web-based payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry. JetPay's preferred integrations are fully hosted or payment re-direct, in which all payment card data and banking information resides solely on our network and screens. Our fully hosted solution can be white labeled and branded to fit all of the desired needs of the County. JetPay will provide ongoing hosting services for the application and the County's Magic instance throughout the life of the contract if awarded.Transaction data is stored in JetPay's system in compliance with each client's document retention policy.Data is never deleted before this time frame,and as such,unless otherwise directed,transaction data will be available for as long as the merchant remains a client of JetPay. All Collier County data will be stored within the 48 contiguous states or Washington, D.C. The JetPay primary data center is a hosted facility located in a SSAE-16/ISO 2000 SRI compliant data center in the U.S. Physical Security includes video monitoring, combination keycards card and biometric access controls, redundant dual rail power,fire suppression and cooling systems.Secondary data center is located at lights out Amazon Web Services Data centers in the U.S.Physical security is provided by data center hosting staff.Only designated IT personnel have direct access to systems. Lights out secondary data center administrative functions are only accessible to designated IT staff. Physical racks have video and door alarms set to send alerts immediately upon entry to monitoring personnel. In the event of an alert generated by an unexpected event,physical security staff are notified. In order to ensure uninterrupted processing capabilities, JetPay maintains multiple processing sites. In the event of a failure at the primary processing site, JetPay's secondary processing site is made active using established procedures. JetPay's primary data center is located in Alabama and the secondary is in Virginia. The Florida site can act as a tertiary processing site as needed. Sites are located and maintained in hardened, PCI compliant facilities with multiple redundant power, connectivity, and security systems. Each site contains load-balanced server farms. This architecture allows JetPay to ensure processing capabilities in the event of overall site failure or intra-site hardware failure. We monitor our Solution in real-time at all times of every day. Our quality control and monitoring includes testing system availability as well as transaction processing,and we compare historical performance metrics. We are alerted in real-time through multiple methods including SMS text,voice and email using our tools, physical oversight and network protocol tools. When system problems occur, we will notify our affected clients within 30 minutes of the identification of an outage of any type. 5.Current Financial System Collier County's financials are managed within SAP,which is at current and fully supported release levels,namely SAP ECC 6.0—Enhancement Pack 7.The SAP application uses the following modules: FI,CO,FM,AP,MM, SD (Misc. Billing),BCS,HR,BN, and PY. In addition to these core SAP modules,the invoice payment and approval process is managed and optimized using an SAP integrated solution called Dolphin PTS-AP. JetPay's payment platform enables automated posting of payments with no double entry into your SAP financial system and its various modules. JetPay will establish an automated file import/export process via SFTP, in the desired structured file format of the County to post-back transactions into the County's SAP financial system and its various modules. Once payments are processed,JetPay will update the County's SAP system using an automated process with an export file to an SFTP server. ....-.<.... r= rn .., JetPay only recommends system integrations where all of your customers' payment card data and banking information is solely on our network and payment processing platform. This materially limits the scope of your required compliance with the Payment Card Industry Data Security Standard. 6.Payment Deposits The Selected Vendor is required to initially and directly deposit, immediately or next banking day depending on payment type as directed by the County, all payments received on behalf of the County into a County owned bank account. All payments are to be deposited in whole,without reduction of any kind by the Selected Vendor. Selected Vendor will use County obtained Merchant accounts for any payment processing,as required. Selected Vendor must reimburse the County for any lost interest when payments to the County are not deposited as required to the designated depository. The lost interest will be calculated based on the average federal funds rate for the period during which the deposits were not made as required. Funding of transaction activity is performed using ACH which is a product of the banking industry.JetPay prepares the ACH files for all funding activity and presents such ACH files to its ODFI (Originating Depository Financial Institution)partners.ACH files will be per the Collier County specifications. JetPay settles credit and debit card payments based upon authorization. Cards (Credit and debit) are settled to your DDA Bank Account as one overall remittance based upon transaction date, not across several dates that is typical with a merchant account. This authorization settlement method greatly simplifies the client's remittance management efforts — you are able to perform daily reconciliations that match to the penny, between your account software system,our platform and your financial institution(deposits).For a given day, card collections reflected in your account software system will equal the same amount reflected in our system's dashboard that also equals the actual card deposit made to your DDA account. The settlement process takes place on every "bank day" and the exact day of funding is determined up front, mutually, between the client and JetPay.A typical funding schedule is as follows: Payment Card Settlement Process Monday Tuesday Wednesday I Thursday Friday Monday Transactions Batched righlk 1111 ACH.to Client DDA Monday: Web Visa, MasterCard and Discover card payments from 12:01 AM through 12:00 PM are submitted by customers Tuesday: Monday's transactions are batched,and an ACH is sent to client's DDA Wednesday:Funds are available in client's DDA Manual/standalone terminals can be set up for automatic settlement in which the transactions are batched and imported into our system at the end of the day, and subsequently included in the daily settlement batch for payment card transactions for that day. In addition, at the County's request,for point-of-sale transactions that are accepted through JetPay's Magic gateway/application on banking days prior to 5:30pm Eastern, JetPay can settle these transactions with an • ACH on the same day.This typically results in funds availability on these transactions to the County on the following banking morning. 7.Reconciliation Selected Vendor is required to reconcile each day's payment collections to County system reports of revenue recorded and to daily deposits into County bank accounts. All discrepancies must be investigated and resolved,and findings provided to the County for related adjustments. A particular report set of the JetPay reporting suite that is useful when conducting daily reconciliations, Funding Reports,provides clients with complete details on remittance batches and the respective remittance batch deposits. This report would allow the County to drill down and view the individual transactions contained in each individual remittance, match totals to ensure that it matches the specified date's all transaction or payment type summary totals and match the totals from the County's financial institution (deposits). These reports would allow the County to view the transactions contained in each individual remittance. Our reporting suite greatly simplifies remittance management efforts — the client is able to perform daily reconciliations which match to the penny,between their account software system,our platform and their financial institution(deposits). Payment Method Summary Report for 24 hours Report Parameters O Run Report Payment Type Summary ,127t2417 2,14.21.AAS 10572017 12'00'00 AM.111512017 11.59 0017411 Al 01p/1,41141 Unix 1 Al 005941100 14204$ 8.A4ny Paymonts Gatltts Totals Paymant Typo Count Amount Count Amount. Court Amount Tu 13111 7 S19401 BB 0 50.00 7 $19,481.88 Tata101 T 919,401.80 0 90.00 7 $194101.08 Albany Totals, T 019,481.88 0 10.00 7 519,401.06 t ul 1 • Date January 15th, 2017 • Total amount - $19,481 .88 I Settlement (Deposit) Report 4 4 oft 7' 41 4 w,8 r 4 Funding Report tc47..*v'lt117?.1'741 Jul 1'1512017 12 0090 AU..1 224201 7 11:5490 813184 Dfgarvadon fl,sts 1.+wM Paymen4 Types 1,Albany Otto of Balch fooSi g D t. Orp*4K Too Oroomootloo UM P.moot iVpr MN Amount 1 074,512017 0 v2a7017 e*treca Aa Ofgarezasa'l i."..,.tt ra.L1.4 rT-1731200334 104 OHM 10 2 014152017 014181017 e1C43sd. At Horwa*or Urea 7oe 434 ELI 70169.,.010:'00 525.70800 3 0111732047 01220.2017 C578Cees 19 CovotAisat Uftt1 To 09 E.L3?9.t2f,7.S:t iaii 514,141140 4 0171732311 014162013 .041.45 AS 1agratabgn Lint. 10 N+ tL.111l3,1L4Lt3..199 $23,291,07 5 01I1S/2017 O71f V2017 .Cham Al OrgrwiaottUnto Tie Bp. ET 170117 1114L1td 120,001:24 0 01110",40/7 '01719/2047 Cwd.Caro 04 0.0104401 1,18188 Tax Bo 1.1.3/0(19_43,10-MM 3:15002 7 331$#2231' 01717+2017 oCott* AlO 1484,01x'l1 too 541 Eii70117 11 20.20 c 1+1,0 >:•C 170119491 9 �7375201 0771(32017 Cnt14 Cal 211 Cxgr2zasan!3'441 tie ea4t,*rrraF+� 9 01!1112017 0171832201.7 CetWO Cott A2 C r a1K7a7.c0 Lr=7a taxes EL174.l1.9..G111.11 O 14,7;4,21 t0 01/1473017 0131732017 tCtora Al Cmamrstat U'00 Tax Bi fT 1701171118104 $15,54850 11 01113+1117 01417/2017 oC.nae* Al<YOanzatcr:tuxla fax Bat ELIZILULMILIE 512,711..10 12 0111312017 01710/2017 C td0 Card AIDgar t',a an UrAs 101 OA ELIZQ325$Q12 491 17273.47 ,.. ,. t. Ab5t51l 1:1100; Page i 7771 Toff Records,12 • Date of Batch January 15th,2017 • Total amount-$14,920.26+$4,561.62=$19,481.88 • Bank Statement: L01119117 AC}I CC PAYJTPYACH TRANS 2420717515I4t5J JTPYA LB ANYTiX 3%74i"dl.2.r:} 01tI947 AC:HCCPAY„MT Aril TRANS 2420717A181410S2ITN 9LB%ANTAX 04kIfi3) 8.Revenue Shortages The Selected Vendor is required to reimburse the County for all vendor caused Revenue Shortages, payments collected on behalf of the County,which are not accounted for,are lost,misdirected,or otherwise not provided to the County as required. JetPay will reimburse the County for all vendor caused Revenue Shortages which are not accounted for, are lost,misdirected,or otherwise not provided to the County as required. 9.Returned Payments For all payments originally processed by the Selected Vendor,the Selected Vendor is required to: • monitor,manage and respond to any payment challenges • Enter information, as defined by the County, into County systems for all returned payments,regardless of payment type. JetPay fully manages all chargebacks as the occur and alerts the County and consumer via email when chargebacks are received. The customer will be notified of both customer-initiated and non-customer- initiated charge-backs to their card. The management of chargeback related issues by JetPay abstracts the client away from the complications of chargeback dispute management.As a best practice,JetPay disputes all chargebacks on behalf of our clients. Chargeback disputes are fully managed and tracked by JetPay as a function of our service agreement terms. JetPay acts as the merchant on behalf of the County to coordinate with financial institutions and associated entities to resolve disputed payments In cases where the customer cancels/chargebacks the transaction, then: (i) the County and the customer receive an email from JetPay alerting the parties to such cancel/chargeback, (ii) the customer is refunded immediately for the total amount of the transaction including the transaction fee, if one was charged to the customer, (iii) JetPay refunds the customer's card for the total amount of their transaction, (iv) unless directed otherwise, JetPay will fight all chargebacks, (v) if the County wins the chargeback, there is no further action to the County (your account was never debited for the amount), and JetPay receives the payment amount from the card issuer, and (vi) if the customer wins the chargeback, JetPay will inform the CAO County when the final decision on the chargeback is determined and JetPay will send an ACH debit to the County for the amount of the chargeback.From a funding perspective,JetPay funds on a gross basis—credits and chargebacks are handled in a separate ACH debit transaction in order to make reconciliation and reporting simple and easy for clients. JetPay provides a chargeback report which displays all chargebacks within JetPay's system in real-time,and daily chargeback activity is available within JetPay's reporting suite.Chargebacks can be viewed by multiple different factors such as separated by department/organization unit.Through our Administration Console, all reports can be viewed in real time to give you immediate access to information when needed in the case of a chargeback or a necessary void of the transaction. Designated personnel have the ability to view as well as to void the full amount of a transaction prior to the payment being submitted for settlement. Full or partial credits are available after the date of the transaction. • For e-check returns,... 10.Workflow Mapping Selected Vendor must provide and maintain application and business workflows for current and revised workflow processes during the term of the Agreement. In the event of new technologies that become available and which may enhance or may otherwise be provided as an additional service under the terms of the Agreement, the Selected Vendor may provide such business transaction opportunities to the County. The County reserves the right to incorporate such changes if deemed to be in the best interest of the County. JetPay will provide and maintain application and business workflows for current and revised workflow processes during the term of the agreement. JetPay's current payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry.JetPay uses an agile approach to software development.Software is updated on an as needed basis with no impact to our clients. JetPay's Magic platform is a public facing web-based product,and as such system enhancements or updates will automatically be pushed live as they occur. How a Credit/Debit Card is Processed(our preferred integration alternatives): magic Magic updated 3n real-nae c= - JetPay' PH captured for customer Authorization& communication Magic Setr-integrat&!hosted Capture in real-time VISA NO Settlement Legend 443116 , �. .real-tune 1311 � latency. Client Selectmen!Sae* �. +»` �...��normal 1. Customer goes to the County's website to submit a payment and is then re-directed to JetPay's fully hosted screens or the customer remains on the County's screens until payment information is entered,at which point,the customer's payment is re-directed to JetPay's screens and servers to complete the payment transaction.Customer account information is validated and the item(s)is placed into a shopping cart and additional items can be added to the transaction. 2. Payment card and PII data is entered by Customer then encrypted 3. JetPay's system requests authorization from the payment networks(Visa/MasterCard/Discover/ Amex) 4. Card Issuing Bank responds through payment network with either authorization/decline 5. If authorized,customer is provided receipt with confirmation number;if declined,customer is notified in real-time of the reason for the decline 6. JetPay's system updates the County's account system with transaction payment details utilizing either real-time web service calls or through a file import process which can be automated and provide updates at any frequency level required by our client 7. Funds are deposited into County's account In addition to its payment processing services,JetPay's system offers a-bill presentment,embedded customer communication tools, a white labeled mobile app, and check processing at the point-of-sale to further optimize the execution and efficiency of your billings and collections.All of these items our built into our core product, and as such there is no additional charge outside of our standard transaction fees for these additional service offerings. JetPay's e-Communication platform enables the County to send customizable messages via email or text (SMS) to all of their customers, a subset of their customer base, or an individual customer. Messages can be anything from reminders to pay their bill to electronic bills and any other topic that affects your customers. All communication and additional information provided to the customer can be managed and sent in JetPay's e-Communication platform by the County. Below is an example demonstrating how SMS text messages are received by the customer on their mobile device/phone: Hello, Jeff Stokes. You are delinquent on your bill from American Water as of 08/15/2017. To avoid having your water shut off follow the link to view and pay your bill. AmericanDemo C �* 1111,t2017 0414 AMERICAN WATER -Amount u $74.23 Watu AlI IPYt'+Ar 123 Yi`ACor 8f j 'It at 043 N.!12,343 Serle A4drwu Make Cheeps P4Y4bi.Tnt 3a4 34344 464424Uttar 52:3'134 AWkatd 123 WASAt 123 Suite A You;City,NJ 12343 1341 11.4344 Fl 32581 56 sx aw.5 fiW ha. .,rw ..n 5. ttaf:^ AO. a.Y AcIMty Chug* Total F'tsviar:s fia!ance 38.90 39.90 Aueount Atuvity 06,032017.07,171V20t7 374.23 Inn 574.23 0444a 14314444 Mwu4agee Aay 444 444 3414tYaa 38 dA.y3 VAMC 4:14 3411 data 3a 343'3441.tJ tentanation and Arty aseociatett Lees. hceou+fl$Aumbes Due Dale "^7_..o.tH Du* Q27S475 84131131117 .$74.23 44.5.44'fl3WVA.VAAA124Hnbme a luw'ua:W't.mnaa rAe4M'un yow tala81110.daallg U:Wuw bo,v=rt CaCivtbir 334*-Aldo caa;5& MAXlA'xa3vl'—?'.KYa%frae3I AM 4.1 I.MOM.£1.tiAse Rale+<w3Rfrtuak f[w rtai.21 0.vIai prrfesk 1c,°IMW ut+R1NJ!w>daa avi wa l®k Acv gV.611`..S•Va :yo6.fAt.cmtorI01)a!31Ta.mtktvi...wow,CA youts,liaa mal aillna a} AmTACIXa WOO p'e}afga Rwa'a;i'cy+s 1731 'II +▪'ac 1111i 43740 vmmya away w�Mwa++oe a,za ia.p oso=kh rasirwyC-+wx«saa�+ c:r a e:1t PY •C MIL, a yumgasq r:-.V •1t PM •;t76[..' «, Q A1fldRaQA6.:"r'-9 eat PM ■4 TaYt 1....'r a AtAt4a,5AX Make A Payment-Payment Expiration Year Information-American Water 2018 ae`hedt Security Code Pt l:utlnfiurtlattcn 123 6, :,mrm trtor r,,)t'c.n Card Zip Code .................__................._............................._...... fie xt Step.Review Pa,mmer,.'O Y. .....123.15 •Payment Information Amount Due •Shopping(art I? Please select your Payment Methods Water and Sewer 474.23 Payment ............ .... .......... a Credit Card - Subibtai......... (74,23 n ;4 23 Projected Fee $I.00 Card Number projected fee $0.50 41111111111-MM11 CB .. .. - i.;eCheck Name on Card Payment Details Water and Sewer jeff Stokeq._......._.........,.._._.._....�...._...._ - .-574.23 Expiration Month 1111.113 . 01 ExpiratianYear .•. V •NtPM at 23%1 •w••:4nnr V 147 PM •;97x1.-.° in (!..Slee 4n the amount of$1 GO aas /Make A Payment-American hr„t acid%dasaconeenlen(efeefor ltdlagree tothe yd eett'dr*t5,dl Water Me(oIW::!,7,trai,u a;vr,. t:_.o2 and authorize this payment. tillhngAddreess H tack to Paament Method ,<' Jeff Stokes x23 7hIS Avenue ,I Mage Payment QRewle:r Psyment Suite Gulf Stearn,Pi.37551 r Shopping Cart J Payment Method Amount t2.;g)v„g.3£ 3 Water and Sewer $74.7.3 Water and Sewer 57423 Transatt=on Fee:Visa 41.00 Subtotal 374,23 411111**'#ie 11 1 expires 31.00 I agree to the P artnzs:z �:r;res rA Projected Fee Otl.013 ';.r t't antt authnrixe this payment, Total Amount Due: 375.23 Payment Details `haps m-J Se,var Visa 411111*****1111 ($75.23) ° 4_s expire$01r201811.",, A Pack to Payment Method Total Payment Methods: ($75.23) -- - x Cancel Transaction ..•k=n e 0ny0n.n. n a f......,..,,,,,,.../-a cl on r•:.< •I a]%■'. �.,_.Sprint r waw •f v!cc:::, .,:::..sarin s 3:43 Pat ........,arxlra• evawe •iuxa..:, - tor Total Am oun[Dw: 575.23 Make A Payment-American Effective Date Transaction Fee:Vita 411111 131.001 Water 9/12/2017 8;42 PM Central Standard Time ....is 1111 expires 0t/2018 Payment Confirmation Number 00 6 V6a4111i1*****1lttexpirts 1375.231 Thank You for Your Payment 2000 01/201$ Pleasesave this confirmation number for your personal recards. Amown TotalAmount Paid: (575.23) j item ` AM TRICAN WATERRemalning Amount Due: 50011 j\ Water and sewer $74.23 r Customer Name Subtotal: 574.23 - ietf StokesPayment Details Total Amount Due: 575.23 Water and Sewer Effective Date i,A;:;..,„1,2,547,t.$74,23 8;12/2017 8:42 PM Central Standard Time Transaction Fee:Visa 411111 151 001 *****1111 expires 01/2018 _....... ....._. Payment Confirmation Number Vixa 411111*****1111 expires (375.23) _ --- , 20000006 01/2018 nil Email To - [Amount Total Amount Paid; (070.231 Item Q SMS TO - Remalning Amount Due: 50.00 Water and Sewer 574.23 4 Print Receipt Subtotal: 574.23 - .. Payment Details JetPay has a mobile app that can be white-labeled for Collier County that will be customizable and configurable.This mobile app is white-labeled for our client and is available on then-current versions of iOS and Android operating systems.This mobile app can be customized to satisfy the County's needs exactly,and can be used to show usage history, make a one-time payment, and create customer profiles to save accounts and payment methods for future use. ..... 1,ni,or : 11.13 AM T WM' Account Registration 1 of 3 oil '.'New Braunfels"Utilities' Please create a user name and password Touch ID for"NBt3" Sign on with Touch IDA or enter E;:tx:r 8 P5S w.nazi itli password. _.. _.. :.. # 1:it>t i.3u'�;: ,:'.::a of Cancel Note'OW n' Ad oiler int carotin be i. '11^e. '. User 1,1'0,lrliiO no,,,,a1 least a enaratOM5. ttassnnroxi:n:,<.:t..roirei::a4 leas;tO{'hosiers,on, mine t Ala ano::}aurratte.hara:'ler. 5 Vl' ci :si e ••• v.,la an I)13 AM IMIr *wan s 11.14 AM 4Ink <Back Account Registration 2 of 3 <Back Account Registration 3 of 3 NiSIU PaSU Enter your account number for lookup Enter your email and mobile number verification oter Elates your Z,Cct r1,3,:bet MU3,Nie# 0 Nati. 95502 KV 40't Pon.,2100.0. A.122224,5,901 !Ow 0549451120.0 00510*sO torai afirit094 Timae.nErtif,,h000L3 9.1,11t39 i1541.1 4210 00 pr,idt, Stliinf.:0041 5,116t005.0 iMoit;le Continue vciitinx, min AM IMk 11:11 AM 0suor Account Cf. kt) N rof" Water Uteity teldadeb809OrtfelfrOdO13.., ILJP Amount Due $125.00 > New Braunfels Utilities tomnretr Add Account Log On forgot User 10 or Pnesero;OR Mal 110. ES , <Account Account Detail <Account Detail Account Usage History Usage History Ilwa, $125.00 current balance Pay Now Or Schedule Payment S View Payment History See your usage history WA Usage VrflZOn 1I1 AM . „ imm• 11 AM ••*• 1 IOW <Account Detail Payments -orq- Water Utility Tel 3aileihSOgi381d1DOci013.- Amount Due $125.00 25 00 „,.Af 0,11.7F2017 "'"" Selo l Payment ProlUtr Visa'r."1111 02120 02/20 Add New Payment method Gathering Payment Info Please wait Continue Continue CAO 11:12 AM •Me 11 12 F.II. 1 IMF Receipt Confirmation Support Hein&Support v Payment Succcess Office Locations ) Total Refueled $126.00 FAQt., ) • Contimatina Numbef Contact Information ) 20002093 CkIlit.12d PaymeM Py Report Outage Vii",,lilt 02120 Payment Remitted Date 0710312017 Contact Us C %klieg'Utility 555555 Y.:id tinTV.has t:Int,innt.ed 1,1 tia,ii,:lav,v iwkIrT,I.,111.110 1,0 View Account Detail s.e.? i...., ..,,, ...- ',I 1.11 Ie. 11.12 AU 1 OW ••• ::ver,cn, 1112 ALA •MP (Support Locations Settings oWimataiIt ko, , Hi New Braunfels Customer ....hre Privacy j Terms ,firanch := 1,114,,::.vc, Seltaigs&Sallow 14etivel 44i v 0.10t0r0ef'PrOfile Setting ) ... a :0" Nytnent.Profile SettingS > o:f!,,,, 8 Notifications > i 1 . NIA CiauniMs!' 40w:11910,W C3 GNe.tis Your Feedincir > ,SoIrr a Z,ceuiz, aal0..ey- - Vil otrvest.t. P11001111 I 2PP.520111 0:07 g:+1:1a04.001s ti:ty 0043.315 0 ,,,,n .,,.:,' ., ,..,,) ........ I I * ,:ue,wet Setkletp 40 I' 1113AM ! .�� .-t.r Il.t:,, "' Support Frequently Asked Questions Account 1.'1 Vater t3tillty Can lap*for service over the photle4 1c788deb9o0941d3P0do13..;: Yes Moose cal one cl our Customer Service Representatives at 183.^1020 8400 er 1830) Alecunt Due $0.00 606-2074(Sari Antonio torero}the apritica011€1 prxass may the cn nre,te11 roe!the phone or an - 01p1,01100 e011010Feng 11 you In£ii 000 0011 .. 1010111 by lex 0''1001.O:IW fax itaritocr is 18301 8228-2118. What is needed when apptyir1 for service? f Ad�l en le the eMplelerl atlphnlion,1,0,1.I I A1,0.101101 10 ue1180e wle IAA,Ske,i0,Senn lay Sign Out number and a copy of aellir drivers license orAre you wee you want to exit? valid'texas ID. Doi have to pay a deposit? NO Yes Yee,a d8;)0rh re heft to iretiete 58040 1304 roadies 5 tyro1.1011-t1 00101011311101:11119 depAslt 040011 a derenninaci by toe average WWin{1 history tor the location that 1s lasing sp1p1100 10r. When applying for newly CS riniIuCt$;)nrnln The riefet It will b4 hayed On Ile efits I'O toosige of the home.One-81111.`.1:he de9A0'i5 du6 when olaeine aypilcaiw0 for scoriae alai the balance at the Coosa vri ee billed Dy 0454 0n 18.1 fret iron h O'vn:mq Can 1 pay my uttSty bill using a credit card? Vol eitiechal inoltureort,may call IIa `�-, :;i c;?,:ter ,..>, ...K s. s,"r,' •se.... 11.Training The Selected Vendor must train and manage quality controls of its personnel to adapt the business processes associated with such training instructions and guidelines, and monitor performance on an ongoing basis. Selected Vendor staff must establish the expertise to search for all debt related to a particular transaction and provide the needed customer service needed to properly complete the transaction. JetPay continuously monitors performance of its contracts on an ongoing basis and makes an effort to have frequent relationship update presentations and calls with clients.To this effect,JetPay strives to notify clients of new features and functionality that have been provided to the Magic Platform upon the release of new updates. JetPay's policy with each new contract is to establish a dedicated relationship manager who is the primary point of contact for that client. If awarded, Rick Griffiths, Director of Account Management, will continue to act as Relationship Manager for this contract. Mr. Griffiths' overall responsibility includes relationship development for JetPay but will be Collier County's primary contact. Mr. Griffiths will be available 24/7. There is no additional charge for this service.Mr.Griffiths can be contact at: Rick Griffiths,Director of Account Management JetPay Payment Services,FL,LLC. 316 South Baylen Street,Suite 590 Pensacola,Florida 32502 (850)858-3309 Telephone(850)444-9331 Fax Rick.griffiths@jetpay.com Customer Service is a focal point of JetPay's payment processing solution. JetPay's policy with each new contract is to establish a relationship manager who is the primary point of contact for the client. The relationship manager is available 24/7 to handle any escalated tier 2 issues or customer needs that may arise. JetPay's Help Desk serves as the focal point for customer support.All Tier 1 calls are directed to the Help Desk.JetPay provides a staffed call center which is accessible at all times(24 hours a day,7 days a week,365 days a year). JetPay's Help Desk closes 97% of service tickets within one day.Additionally, the Help Desk will develop familiarity with the County's account and the specifications used throughout the duration of the account. In addition to the dedicated client support team, Collier County will always have access to the JetPay Executive,Christopher Battel,Chief Operating Officer,for all government clients. JetPay provides live online training sessions as well as when appropriate, on-site training of the JetPay payment processing platform and reporting suite. The initial training is divided into: (a) overall CAC administrative system management, (b) the payment screens, (c) the dashboard/reporting suite, and (d) all point-of-sale equipment.System administrators are provided training on all areas of the JetPay platform,and end-user/Customer Service Representatives are typically trained on just the payment screens. Additionally, JetPay provides electronically generated training materials in PDF format as well as hardcopies.Ad-hoc and on-going training is available on-demand via the JetPay relationship manager. Furthermore, in addition to training in the live environment and prior to going live, JetPay will train the client's staff in the test environment. 12.PCI and Data Security Compliance In as much as the County is required to have its outside Selected Vendors comply with the latest PCI requirements as determined by certified PCI Compliance authorities,so too must the Selected Vendor be required to submit to those standards as may be applicable and to provide industry accepted documentation of their compliance. Below is JetPay's proof of PCI DSS Level 1 Compliance, and JetPay will provide at least an annual confirmation of this certification during the term of this contract: 4 e ," 171115eturiCy ra ,sstandaLs Coun<M Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments — Service Providers Version 3,2 April 2016 CAS 1 • 1251 Security Standards Council Section 1: Assessment Information �. instructions for Submission This Attestation of Compliance must be completed as a declaration of the results of the service provider's assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessrnent Procedures(PCI DSS).Complete all sections:The service provider is responsible for ensuring that each section is completed by the relevant parties,as applicable.Contact the requesting payment brand for reporting and submission procedures. Part 1. Service Provider and Qualified Security Assessor Information Part 1a.Service Provider Organization information Company Name: JelPay Paw grit Services, ;OSA(doing JetPay Payment Services, : Florida LIG business as): Florida LLC Contact Name: Paul Shave Title: IT Director Telephone: (850)444-9330 x 310 E-mail: Paul.Shave®jetpay.com Business Address: 316 S Baylen Si,. Suite City: Pensacola #590 _, •.. . _ ,USA Zip: 32502 State/Province: FL Country: URL: http://collectorsolutions.com __,.. Part lb.Qualified Security Assessor Company information(If applicable) Company Name: Kirkpatrick Price,Inc. Lead OSA Contact Name: Scott Worrell Title: ,Pia anon Security Lead . er _ _. .c.. Telephone: ___ _..__ -977-3154 • E-mat s.worrell@kirkpatnckprice.co m Business Address: 16057 W Tampa Palms City: Tampa Blvd State/Province: Ft. Country: USA Zip: . 33647 URL: w+vw.kirkpatrickprice.Com PCI ASS v32 Attestation of Compliance for Cnsrre Assessments-Service Providers,Rev.1.0 April 2015 0 2006.201$PCI Security Standards Council.LLC All Rights Peserved. Page 1 0 1ZN Part 2. Executive Summary Part 2a.Scope Verification Services that were INCLUDED in the scope of the PCI DS S Assessment(check all that apply): Name or service(s)assessed: Legacy and Magic card.not-present processing Systems Type of service(s)assessed: Hosting Provider: Managed Services(specify): Payment Processing 0 Applications I software 0 Systems security services 0 POS I owl present 0 Hardware 0 IT support 1 Internet t e-convrterce 13 Infrastructure I Network 0 Physical security ED MOTO 1 Call Center 0 Physical space(co.location) 0 Terminal Management System 0 ATM 0 Storage 0 Other services(specify): 0 Other processing(Specify): 0 Web 0 Security services O 3.0 Secure Hosting Provider 0 Shared Hosting Provider o Other Hosting(specify): • — „ 0 Account Management 0 Fraud and Chargeback i 0 Payment DatevrayrSwitch 0 Back-Office Services 0 Issuer Processing 0 Prepaid Services 0 Billing Management 0 Loyalty Programs 0 Records Management . . 0 Clearing and Settlement 0 Merchant Services 0 Tax/Government Payments o Network Provider 0 Others(specify): Note:These categories ere provided for essIstance only,and am not intended to limit or predetermine en entity's service description.If you feel these categories don't apply to your service,complete "Others. If you're unsure whether a category could apply to your service,consult with the applicable payment brand, PCI OSS v3,2 Aftesterion of Coreptionco for Onsite Asseetunents—Service Provident Rev 1,0 Apse 2018 0 2006-2016 PCI Security Stendardc Ceuta,UC.All Rights.Resolved Page 2 • tr.o, • S•sexi•ss to...•• Part 2a.Scope Verification(continued) - Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment(check all that apply): Name of service(s)not assessed None — . Type of service(s)not assessed: Hosting Provider: ' Managed Services(specify): , Payment Processing: 0 Applications!software 0 Systems security services ' 0 POS 1 card present 0 Hardware 0 IT support 0 Internet!e-commerce 0 Infrastructure/Network 0 Physical security 0 MOTO/Call Center 0 Physical space(co-location) • 0 Terminal Management System 0 ATM 0 Storage :0 Other services(specify): 0 Other processing(specify): 0 Web 0 Security services 0 3-0 Secure Hosting Provider 0 Shared Hosting Provider i 0 Other Hosting(specify): 0 Account Management 0 Fraud and Chargebacit ' 0 Payment Gateway/Switch ... 0 Back-Office Services 0 Issuer Processing ; 0 Prepaid Services 0 Billing Management 0 Loyalty Programs •0 Records Management 0 Clearing and Settlement0 Merchant Services 0 Tax/Government Payments , 0 Network Provider 0 Others(specify): Provide a brief explanation why any checked services were not included in the assessment: PC/055 v3,2 Attestation of Compliance for Oris/le Assessments–Service Providers,Rev. 10 April 2016 ip 2006.2016 PCI Security Standards Coma LLC.All Mghts Reserved, Page 3 0 Part 2b.Description of Payment Card Business Describe how and in what capacity your business JetPay Payment Services,Florida LLC accepts card- stores,processes,and/or transmits cardholder data, not-present credit card data through their web application and clients have the ability to facilitate transactions on behalf of their end-users over the telephone. End-users can create an account.make a payment,and in limited cases register a credit card data for reoccurring payments via JetPays web- based Legacy or Magic systems.The credit card data is then encrypted using Rijndael 255-bit or AES 256- bit encryption and stored in a Microsoft SOL database. Payments can also be made via phone calls where payment information is manually entered into the Legacy or Magic by clients on behalf of the end-user.Cardholder data types for both acceptance channels Include PANs,CVV2s(in limited instances), • cardholder name, and card expiration date. Some PANs,cardholder names, and card expiration date data is retained to allow recurring transactions. CVV2 data is never stored after the transaction has been completed. Transactional data is currently retained • indefinitely.However,expired,slate and unused PAN data is purged after 5 years of Inactivity. Describe how and in what capacity your business is JetPay Payment Services,Florida LIC is responsible otherwise involved in or has the ability to impact the for the physical security, configuration and security of cardholder data. management of the systems and applications utilized to collect and submit credit Card transactions, Part 2c.Locations •List types of facilities(for example,retail outlets,corporate offices,data centers,call centers,etc.) and a summary of locations Included in the PCI 055 review. Ty pe of facility: Number of facilities Location(s)of facility(city,country): of this type Example:Retail outlets 3 !lesion,MA,USA Corporate Office I j Pensacola.FL,USA • TeltLink Colocalion/Datactinter . 1 Btrmin9hem.A I USA PCI DSS v3,2 Altesteson of Comptionce for Onsite Assessments—Senate Providers.Rev 1.0 April 2016 SP 2006-2016 PCI Security Standards Council,1.1,C.All Rights Reserved. Page 4 42' Part 2d,Payment Application Does the organization use one or more Payment Applications? DYes 1E1 No Provide the following information regarding the Payment ApplicatiOns your organization uses: Payment Application Version Application I is application PA-OSS Listing Expiry Name Number Vendor PA-DSS Listed? date(IIapplicable) Yes ONo 0 Yes DNa 0 Yes 0 No I 0 Yes DNa I a Yes 0 No E]Yes DNo i LI Yes DNa I Yes 0 No Part 2e.Description of Environment Provide a hiati.faval description of the environment Inbound: covered by this assessment. End-users and clients utilize HTfPSITLS Web. For example: based applications,Legacy end Magic,to I transmit • Connections into Florida to,letPay Payment Sevces, systems. environment(CDE,). • Crake'system components within the CDE,such as POS devices,databases,web SOWS,etc.,and any other Outbound: necessary payment components.us applicable. .Outgoing DI-ID are transmitted via HTTPSFILS configured ORA which are entirety provided and I managed by JetPay and Authorize,Net to process the transactions. The third-pony transaction providers'secured Lillis era invoked prior to transmission of Cl-3D. JetPay Payment Services,Florida LLC's processing systems reside within the corporate fadny's datacenter and leiclink's• ColocationiDatacenter and consists of Web Servers,Application Servers,Database Servers, Domain Controller,VPN and management/detection systems Note:JetPay Payment Services,Florida LLD and JetPay are assessed as two separate entities. Does your business use network segmentation to affect the scope of your PDI OSS yes El No environment? (Refer to"Network Segmentation"section of PC1 OSS for guidance on network segmentalion) PC1 OSS v3.2 Artestat.on of Compliance far Onsite ASSOSSM9Ar$ Service Providers,Pet, 1.0 April 2016 O 2006-2016 PCI Security Standards Council,LLC.Alt Rights Resolved. Page 5 rf";) Part 2L Third-Party Service Providers Does your company have a relationship with a Quanfied Integrator Reseller(01R)for 0 Yes No the purpose of the services being validated? If Yes: Name of QIR Company: QIR individual Name: Description of services provided by 01R: Does your company have a relationship with one or more 1111nd-early service providers(for g Yes 0 No example,Qualified Integrator Resellers(01R),gateways,payment processors,payment service providers(PSP),web-hosting companies,airline booking agents,loyally program agents.etc.)for the purpose of the services being validated? If Yes: Name of service provider: Description of services provided: JatPay Transaction Processing Authorize.Nal Transaction Processing Note:Requirement 12.6 applies to all entities in this list. PCI OSS v3.2 Attestation of Compilance for Onsite Assessments—Service Providers,Rev.1.0 April 2016 .'2006.2016 PCI Semite)?Standards Council,UC. Rights Reserved Page 6 Part 2g.Summary of Requirements Tested ' For each PCI DSS Requirement,select one of the following: • Full-The requirement and all sub-requiremenis of that requirement were assessed,and no sub• requirements were marked as"Not Tested"or"Not Applicable'in the ROC. • Partial-One or more sub-requirements of that requirement were marked as-Not Tested"or"Not Applicable'in the ROC. • None-At sub•requirernents of that requirement were marked as"Not Tested"and/or'Not Applicable" in the ROC. For all requirements identified as either'Partial'or'None,'provide details in the"Justification for Approach" column,Including: • Details of specific sub-requirements that were marked as either"Not Tested'and/or'Not Applicable'in the ROC • Reason why subtequirement(s)were not tested or not taPPliObte Note:Ono labia to be completed for each sorter)covered by this AOC.Additional copies of this section am available on the PCI SSC websile. Name of Service Assessed: Legacy and Magic cardnot-present processing Systems • Details of Requirements Assessed .„. Justification for Approach PCI DSS tnetrairert ler at Tamar and None'responses.Identify which Requirement Full Partial None 1 Sub•reqUafellIerth Yiefe nd tested and the mason) Requirement 1.2.2.8,6-Routers are not utilized within the CDE. Components of 1.2.3.b.Wireless environments are not connected the CM Wheless access points aro utilized at the corporate office suite but ore segmented via a dedicated VLAN and do not transmit CHD. 1.3.7.b•Private IP addresses are not disclosed externally. • • Requirement 2: 0 • 0 2.1.1.a,b,c,d,e•Wireless environments are not connected the CDE. Wireless access points are utilized at the corporate office suite but are segmented via a dedicator,VLAN and do not transmit CHD. 26-JetPay Payment Services,Florida LLC is not a Shared Hosting Provider. Requirement 3: 0 r'41 3.2.a.b JotPay Payment Services,Florida LLC Is not an Issuers and does not support issuing scribes. 3.4.c-Removable media is not utilized to store CHD, • 3.4.e-Hashed and truncated versions of the same PAN are not present in the CDE. 3.4.1,a,b,c Disk encryption technology is not utilized within the CDE. 3.5.1-Control Is nets requirement until January 31, 2018. . _ PCI OSS 42 Attestation of ComplIence for Onsite Assessments-Service Providers,Rev.1.0 April 2010 2006-2015 PCI Security Standards Council,LLC.Art Rights Reserved. Pegs 7 IbICI,F'* 1 3.5.a-Cryptographic key*ars riot shared with customers for transmission or storage of CHD. 3.8.e.e,b-Clear-text cryptographic key-management operations are not utilized. Requirement 4: 0 ® 0 4.1.1-Wireless environments ars not connected the COE. Wireless access points are utilized at the corporate office suits but are segmented via a dedicated VLAN and do not transmit CHO. 4.2.a•CHD Is not send over end.uaer technologies. Requirement S: 0 0 0 6.1.2•All servers and workstations utilize antivirus. Requirement 8: 0 ® 0 $.4.8-Control is not required until January 31,2018. Requirement 7: 0 0 Requirement 8: 0 0 8.6.1-JetPaY Payment Services,Florida LLC does not have remote access to customer premises. Requirement 9: 0 ® 0 Components of 9.1-Computer rooms are not utilized as part of.to Interface with,or support of the CDE. Components l.1.3-Wireless environments are not connected the CDE. Wireless access points are utilized at the corporate office Suite but are segmented via a dedicated VLAN end do not transmit CHD. 8.9•No devices that capture payment card data are utilized. 11.1.1.a,b,c•No devices that capture payment card data aro utilized. 9.9.2.a,b-No devices that capture payment card data ere utilized. 0.1.3.3,8•No devices that capture payment card data are utilized. Requirement 10: 0 0 0 Components of 10.4.1.a,b•Only one designated Urns server Is utilized. Components of 10.4.3•lime updates era not encrypted. 10.8.a,b-Control is not currently In place and Is not a requirement until January 34,2018. 10.$.1.4,b•Control Is not a requirement until January 31,201e, Requirement 11: ❑ ® I ❑ Components of 11.2.1.c-Third-parties perform vulnerability scans. Components of 11.2.2.b•External vulnerability rescan were not required to be performed. Components of 11.2.3.a-No significant external Infrastructure changes were made over the previous 12 months. PCI ASS v3 2 Attestation of Compaenee for Ones Assessments—Service Providers,Rev.1.0 A,ofil18 Page dl 2008-2016 PC1 Securely Standards Council,LLC.Alf Rights Reserved. �Tor eah Co • mN 11.2.3.b-Internal vulnerability reecans were not required to be performed. 11.2.3.0•Third•partles perform vulnerability.cane. Components of 11.3.1.b-Third•parties perform penetration testing. Components of 11.3.2.b-Third-parties perform penetration testing. Components of 11,3,4,a,b,c—Segmentation Is not utilized. 11.3.4.1.0•Control is not a requirement until January 31,20111. Requirement 12: 0 ® 0 Component.of 12.1•Vendors and business partners have no need to access the COE. 12.4.1•Control is nota requirement until January 31, 2011. 12,114,b-Control is not a requirement until January 31,201$. 12.11.1..•Control Is not a requirement until January 31,201$. Appendix Al: 0 0 i Jet+y Payment Services,Florida LIC Is not Shared Hosting Provider. the CDEM PO1 terminals are not utilized toonne to zec Appendix A2: ❑ El 0 1 connect PCI DSS v3.2 Attestation of Compliance for Onsite Assessments—Service Providers,Rev.1.0 April 2016 ©2006.2016 PCI Security Slanderda Counts,LLC.All Rights Reserved. Page 9 PC Section 2: Report on Compliance This Attestation of Compere reflects the results of an onsite assessment,which is documented in an accompanying Report on Compliance(ROC). The assessment documented In this attestation and In the ROC was completed 4412017 on: Have compensating controls been used to meet any requirement In the ROC? { Yes 27 No Were any requirements In the ROC Identified as being not applicable(NiA)? ®Yes 0 No Were any requirements not tested? la Yes d No Were any requirements In the ROC unable to be met due to a legal constraint? 0 Yes Eg No PCI DSS v3.2 Attestation of Compliance for Onsilo Assessments—Service Providers,Rev.1.0 April 2016 4120062016 PCI Security Standards Council,LLC.A8 Rights Reserved, Page 10 Section 3: Validation and Attestation Details Part 3.PCI DSS Validation This AOC is based on results noted in the ROC dated 4/912017. Based on the results documented in the ROC noted above,the signatories identified in Parts 3b-3das applicable,assert(s)the following compliance status for the entity identified in Part 2 of this document (check one): ( i Compliant:All sections of the PCI DSS ROC are complete.all questions answered affirmatively, resulting In an overall COMPLIANT rating;thereby JetPay Payment Services.Florida/LC has demonstrated full compliance with the PCI OSS. D Non-Compliant: Not all sections of the PCI DSS ROC are complete,or not all questions are answered affirmatively.resulting In an overall NON-COMPLIANT rating,thereby(Service Provider Company Name)has not demonstrated full compliance with the PCI DSS. Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be requited to complete the Action Plan in Part 4 of this document.Check with etre payment brands)before completing Pert 4. D . Compliant but with Legal exception: One or more requirements are marked Not in Pince due to a legal restriction that prevents the requirement from being met This option requires additional review from acquirer or payment brand. if checked complete the following: Affected Requirement I Details of how legal constraint prevents requirement being met Part 3a.Acknowledgement of Status '` Signatory(s)centimes: (Check ail that apply) The ROC was completed according to the PCI()SS Requirements and Security Assessment Procedures,Version 3,2,and was completed according to the instructions therein. r5 `.All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment In at material respects. 0 I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. ._ _.. ._ Ha I have read the PCI DSS and I recognize at I must maintain PCI DSS compliance,as applicable to my environment,at all times. ® If my environment changes,I recognize I must reassess my environment and implement any additional PCI OSS requirements that apply. PCI DSS va2 Attestation of Compliance for°eslto Assessments-Service Providers.Rev. 1..0 April 2016 02006-2010 PCI Security Standards Council.tt.C.AP Rights Reserved Page 11 nrrrr Part 3a Acknowledgement of Status(continued) Q ; No evidence of full track data',CAV2.CVC2 CIO or CVV2 data',or PIN data'storage after transaction authorization was found on ANY system reviewed during this assessment. ASV scans are being completed by the PCI SSC Approved Scanning Vendor Clone Systems,Ina under certttlate number 4262.01-09. Part 3b.Service Provider Attestation Signature of Service rovider1C4 .9. k. c Officer 4, Dale: Service Provider ExvcuNvo Officer Name tit)r. Part 3c.Qualified Security Assessor(QSA)Acknowledgement(If applicable) If a OSA was Involved or assisted with this Full PCI DSS Assessment assessment,describe the role performed. Signature of Duty Aulhonzed Officer of QSA Company T Dale:5+41201 Duly Authorized Officer Name:Joseph Kirkpatrick QSA Company Kirkpatnek Price,Inc. Part 3d.Internal Security Assessor(ISA)Involvement(If applicable) If an ISA(s)was involved or assisted with this assessment,identify the ISA personnel and describe the rote performed: ' Orta encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card.present transaction.Entities may not retain full track data alter transaction authorization.The only elements of track data that may be retained are primary account number(PAN),expiration dile.and ea/chaser name, The three-or tour-digit value printed by the signature panel or on the tax of a payment card used to verify card-not-present transactions. Personal'identification number mewed by cardholder during a card-present transaction,atsteer enc+yptw PIN two present within the transaction message. PC!DSS v3.2 Attestation of Compliance for Onsite Assessments—Service Providers,Rev.1.0 April 7016 ii 2©06.2016 PCI Security Standards Council,LLC.All Rights Reserved. Page 12 I��V • Part 4.Action Plan for Non-Compliant Requirements Select the appropriate response for'Compliant to PCI DSS Requirements"for each requirement.If you answer No to any of the requirements,you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement. Check with the applicable payment brand(s)before completing Part 4 1 Compliant to 1 ; RontodioUonDate and PCI DSS i DSS Requirements > Actions Description of Requirement (Select One) tit"NO"selected for any Requirement {- Requirement) YES I NO '� : Install and nwifitain a firewall1 _) configuration to protect cardholder data Do not use vendor supplied defaults for 2 system passwords and other security Q 0 parameters 3 Protect stored cardholder data 0 0 4 Encrypt transmission of cardholder data Q across open,public networks Protect en systems against malware 5 and regularly update anti-virus software ❑ ❑ or programs Develop and maintain secure systems a 0 and applications T Restrict access to cardholder data by Q Q business need to know 8 Identify and authenticate access to a Q .... . system components Restrict physical access to cardholder 9. 0 o •data • Track and monitor all access to network o Q resources and cardholder data tt Regularly test security systems and 0 processes 12 Maintain a policy that addresses information security for at personnel _.. Additional PCI On Requirements for Rppendix Al Shared Hosting Providers Appendix A21 Additional PCI DSS Requirements for Q Entities using SSUearty TLS 0tRMY DISCOVER c3: ( VISA MasterCard PCI 03S v3.2 Attaslefr'on of Compliance for Onsite Assessments—Service Providers,Rev.1.0 Apnl 2016 page 13 02006.2016 PCI Security Standards Council,U.C.All Rights Reserved. It 13.HIPAA and HITECH Act Compliance Any information and transactions involving personal information which require compliance with the most current Health Information Portability and Accountability Act requirements must be provided for by the Selected Vendor. For any information and transactions involving personal information which requires compliance with HIPAA and HITECH Act,JetPay will ensure that compliance is provided. 14.Security Protocols The Selected Vendor must provide for electronic and hardcopy security of all Collier County related documents and all other related data while in the Selected Vendor's custody and control. Selected Vendor must provide to the County, upon request, the identification of personnel who will be providing services under the Agreement, and any details which may be required by the County of such personnel for security purposes. Personnel will also be required to be fingerprinted and approved per the agency fingerprinting ordinance. Security is of the highest level of importance, and JetPay is a PCI DSS Level 1 Service Provider(the highest level).JetPay adheres to industry standard levels of security including PCI DSS Level 1,NACHA compliance, SSAE16, external audits by a certified QSA, and credit card association rules and regulations. JetPay does not plan to use any subcontractors or third party processors. JetPay maintain policies and practices that have been tested and proven to successfully protect sensitive Personally Identifiable Information and payment card data.Payment card data is always encrypted while at rest or in-transit, as well as is encrypted end-to-end when dipped or swiped at point-of-sale.To safeguard the security of transactional and all information, our platform only utilizes Transport Layer Security (TLS) protocols at 256-bit encryption in all online sessions,which is an industry best practice.Further,point-of-sale payments utilize end-to-end encryption which is performed at the Point of Interaction by the EMV reader using the SRED chip,and not through a software solution.All PII,payment card and banking information is encrypted while in-transit or at rest. JetPay's system tokenizes payment card and banking information when your customers elects to store it for re-use in the future including when setting up on-line accounts and for pre-authorized and recurring payments. For one-time payments, our system does not store the complete Primary Account Number nor a CW/security code.The system does store the last 4 digits of credit card and debit card transactions to enable search and lookup based upon such criteria; however, whenever payment card, banking information or Personally Identifiable Information is stored,JetPay encrypts such information. Upon request JetPay will provide the County the identification of personnel who will be providing services under the agreement,and any details which may be required by the County for security purposes.As we have done previously with Collier County, personnel will be required to be fingerprinted and approved per the agency fingerprint ordinance. 15.Reporting The Selected Vendor will be required to provide reports to the County which will include,but are not limited to: a. Any instance of lost, stolen, misdirected, not delivered, or breach in security, even if temporary, must immediately be reported to the authorized representative of the Department managing the Agreement. Selected Vendor will be responsible for all costs associated with a breach including, but not limited to, notifications and credit reporting to impacted individuals, legal fees and fines, any other costs associated with a data breach. Any instance of lost,stolen, misdirected,not delivered, or breach in security will be immediately reported to the authorized representative of the Department managing the agreement,and JetPay will be responsible for all costs associated with a breach. There has never been a compromise to any JetPay Payment Services FL system through a security breach. The JetPay primary data center is a hosted facility located in a SSAE-16/ ISO 2000 SRI compliant data center.Physical Security includes video monitoring,combination keycards card and biometric access controls, redundant dual rail power, fire suppression and cooling systems. Secondary data center is located at lights out Amazon Web Services Data centers. Physical security is provided by data Qd,7 center hosting staff. Only designated IT personnel have direct access to systems. Lights out secondary data center administrative functions are only accessible to designated IT staff.Physical racks have video and door alarms set to send alerts immediately upon entry to monitoring personnel. In the event of an alert generated by an unexpected event,physical security staff are notified. b. Any instance of a system application or other communication line being unavailable for a customer's use (downtime),must be reported to the authorized representative of the Department managing the Agreement. JetPay is proud of maintaining a continuously available system for customers to make payments,and as such we experienced no unscheduled down-time in 2016 or 2017. JetPay monitors its system in real-time at all times every day.Our quality control and monitoring includes testing system availability as well as transaction processing.We are alerted in real-time through multiple methods including SMS text,voice and email using our tools, physical oversight and network protocol tools. When system problems occur, we will notify our affected clients within 30 minutes of the identification of any type of outage. c. Selected Vendor must provide County with online access to daily and monthly reconciliation reports to allow County personnel to account for and reconcile receipts collected through the Selected Vendor's system. JetPay's reporting suite is accessed through our web-based administration console or Dashboard upon entering our Magic payment processing platform. Real-time reporting capabilities are deeply integrated into the JetPay payment solution. Reports can be generated at any time by the County, and the County can be assured that the reports generated in JetPay's system will be accurate. JetPay's reporting suite has a multitude of reports available via the client specific dashboard.The reports provide clients with a single view of all transactions regardless of the Collection Mode or Payment Method. Web, IVR, and/or POS transactions,for example, are all easily viewable and reconcilable within a single report. JetPay's system has a multitude of reports to filter views based on multiple characteristics of the transactions including Payment Type,Organizational Unit,an/or Collection Mode.Reports can be presented in several different logical views with each report containing logically organized sections. For example, a 'by payment type' report will be broken into sections representing each payment type (i.e. property tax, utility, etc), with each section identified and all information subtotaled.The organized sections include: • Total System • By Collection Mode • By Organizational Unit • By Payment Type • By User For daily and monthly reconciliations,County personnel can select the specific date range of transactions(i.e. all transactions for specific date or payment type summary for specific date) and compare the totals from these reports to what is in the settlement and funding batches for the specified date's transactions. The funding report provides clients with complete details on remittance batches and the respective remittance batch deposits. This report would allow the County to drill down and view the individual transactions contained in each individual remittance, match totals to ensure that it matches the specified date's all transaction or payment type summary totals and match the totals from the County's financial institution (deposits).Additionally,the County can view the All Transactions report,or a Payment Type Summary report grouped by organization unit/department location. The County can choose to settle by organization unit/ department location as well and would be able to reconcile each organization unit deposit to the totals from the grouped by organization unit reports.Additionally,for customer service representatives reconciling only their receipts, JetPay's reporting suite has tiered levels of user access in which the CSR could have user credentials with established permissions to only be able to access specific reports like the My Transactions report, which only shows the CSR the transactions that they processed. Below are screenshots of the Reconciliation reports in JetPay's reporting suite: Odd' Payment Type Summary 2l 6/2018 1:27:43 AM 2!1/2018 12:40:00 AM-2111201811:59:00 PM All Organization Units I All Payment Types I All Collection Modes 1. -. Credit Card Name Transactions Aat Fee Amount Total Remitted 2018 Real Estate Taxes 33', $35,615.89 $720.59 $36,336.48 Commercial Electrical 2 19.63 $16.89 $836.52 Commercial Fire Alarm 1 $110.50 $2.46 $112.96 Dumpster-Commercial 1, ,$200.00 $425 $204.25' Dumpster-POD 1 ($25.00. $0.75 $25.75 Dumpster-Temporary 1 $200,00 $425 $20425 Facility Rental 2 $375.00 $800 $383.00 Machinery-Temporary 1 i' $80.00 h $1 85 $81 85 Residential HVAC 1 $146.50 $3.18 $149.68 Credit Card Total: 43 $37,572.52 $762.22 $38,334.74 E-Check Name Transactions Amount Fee Amount Total Remitted 2018 Real Estate Taxes 38565,063.07 $19.00 $65,082.07 E,.Check Total: 38 $65,063.07 $19.00 $65,082.07 Totals 81 $102,635.59 $78122 5103,416.81 ti Funding Report Selecting the individual batch shows each 2/16(2018 1:30:09 AM transaction included in the batch 2(1(201812:00:00 AM•2/5/2018 11:59:00 PMI All Organization Units I Ail Payment Types Date of Batch Funding Data Deposit Type Organization Unit Payment Type TRN Amount 1 01/30/2018 02101/2018 Credit Card QUICK MED CLAIMS All Payment Types EL 109211, 015_9.4 $2,279.20 I 2 01/30/2018 02/01/2018 Credit Card Tax All Payment Types FT 180201 015.fed $32,819.94 3 i 01130/2018 02/01/2018 : Credit Card Rec Pro Permits Ali Payment Types .F _180201 1015,fed $750.00 4 1 01/30/2018 02/01/2018 i Credit Card permits,Licenses,and All Payment Types FT_184201 1015.fed $1,456.24 Inspections 5 � 01/31/2018 I 02/02/2018 ` Credit Card : QUICK MED CLAIMS All Payment Types. FT_18020_1048,1ed $100.00 6 01/31/2018 1 02/02(2018 Credit Card . Tax Ail Payment Types FT_1802" 1048.fed 521,715.81 7 I 01/31/2018 02/02/2018 Credit Card Rec Pro Permits Ali Payment Types Lj_, ;#2 048.fed $825.00 918 _ 8 01/3112018 I 02/0212018 Credit Card Public Works!Permits All Payment Types _ :r t 1048.fod $285.00_ 9 i 01/31/2018 . 02/02/2018 ' Credit Card Permits,Licenses,and All Payment Types FT 1:a r2 1048,fed $576.00 Inspections ............ . ... � . _ 10 01/31/2018 02/01/2018 eCheck Tax All Payment Types FT 1 rr .+ 101511¢ 575, 11 02/01/2018 ; 02/02/2018 eCheck Tax All Payment Types FT 1r•, 02_1048.fed $65,063.07 12 02/01/2018 02/05/2018 Credit Card ; Tax All Payment Types FT...1._?2Q_, 419 13 02/0112018 02/05/2018 Credit Card Rec Pro Permits All Payment Types FT_180205_1004.fed $375.00 14 15 ; 02/0112016 02/01/2018 02/05/2018 . Credit Card Public Works/Permits All Payment Types FT.180205_1004.fed 500 a: 02/05/2018 'i Credit Card `: Permits,Licenses,and Ali Payment Types FT 180205_10( ,,,,$1,075.83 Inspections 16 02/02(2018 ` 0210512018 eCheck i Tax Ail Payment Types FT180205.._1004,fed $132,022.50 17 02/03/2018 . 02/05/2018 eCheck Tax All Payment Types FT 180205 1004.fed $102,427.15 18 02/04/2018 02/05/2018 ether* i Tax All Payment Types FT 180205 1004,fed $111,202.89 01) 010111111101111.0.001000, I Funding Details Report 2/1612018 1:58:30 AM FT 180205_1004.fed 1/31/2018 12:00:00 AM-2151201811:59:00 PM I Tax I All Payment Types Trane/Reveraal PRC Name Card Number TRN Amount Fee Amount Total Date Remitted 1 2/1/2018 12:39:34 20012430 414720-xx- FT_180205_1004.f$d 5262,06 35.49 5267.55 AAA i 7350 2 2/11201812:57:51 20.0.12431431196-u- FT_180205_1004.fed $314.84 56.55 3321,39 AM 8818 ._.._..... 3 21112018 4:10:10 20012432 s 371342-xx- . FT_180205_1004.fed $3,769.11 $75.63 $3,844 74 AM 1001 4 211(2018 6:09:54 20012433 530765-xx- I FT_180205_1004.fed $896.48 $18.18 S914.66 AM 6795 i - . 5 120012434 I 52 xx Ff 180205_1004.fed $1,600.84 $3227 $1,833 11 0892 e,s 6 211120187.06:55 209/2437 "v,;, 547497-xx- , FT_180205_1004.fed $200.00 $4.25 $20425 AM 3849 ' 7 2/1/2018 7:13:11 20012439 .= 547497-xx- FT_160205_1004,1ed 520000 $4,25 5204.25 AM _ 3849 8 2/112018 725:23 20012440 550608-xx- FT_180205_1004.fed $150.00 53.25 S15325 AM °, 8724 ................. .. 9 21112018 7:33:54 20012441 '£ 443040-xx- FT 186245_1004.fed E185.74 53.96 5189 70 AM 5731 10 2/112018 7:37:11 20012442 547182-xx- FT_180205_1004.fed $184.40 $3.94 $18834 AM a 7063 11 2/1/2018 8:05:38 20012.-44 552433-u- FT,_180205,,10041ed 51,389.21 $28.03 $1,417.24 AM 5560 12 2/112018 8:09:23 20012445 424631-xx- Ff_180205_1004.fed 5110.50 $246 5112.96 AM 8231 13 211/20188:17:23 20012448 424631-xx- F7_180205 j004.fed $135.13 $2.95 3138.08 AM 8231 410977-xx- ! 14 211Y1018 9:02:45 20012450 FT_180205_1004.fed $894.75 S18.15 3912.90 AM _ Q14k . All Transactions Report 211872018 1:5448 AM 121112018 12:0000 AM-2611201811:59:00 P164I Tax I AS Collodion Modes TRANSACTIONS-Gross Date Date Time - PRC Naim Card Collection "Amount. Fee Amount Remitted Date Funded Effective Entered Type MOde 1 2/1!2018 2/1/2018 12:39 AM 20012430 Web $262:D6 $5.49 3267.55 2/5/2019 2 2/112016 2/112018 i 12:57 AM 200/2431 `- 1�Y Web $314.84 $6.55 $321.38 2/5/2018 3 2/172018 21112018 1 04:10 AM 20011432 ,....;,....12.."" Web $3,769.11 $75.63 $3,844.74 272/2018 • 4 2/1/2018 2/1/2018 ' 06:09 AM . 20012433 't' 89648 Web $ $18.18 5914.86 212/2018 ' 5 271/2018 2/1/2013 06:16 AM r 200124.4 I. Web $1,600.84 $32.27 $1.633.11 2/212018 L' $.1, .. .......__ ._.....-_.... j � '. Web $1.235.36 _... $0.50 $1.235.88 2/212018 6 211!2018 211/2018 , 06'S9 AM 20012435 7 2/112018 2/1/2018 . 07:33 AM I 20012441 ve Web $185.14: 53.96 $18970 2/2/2018 _. ..... .. 821172016 2J112018 1 0 07 37 AM 1 Z1612442 `; we $184.40 $3.94 $188.94 21212018 ._._. _.._.....211 ..._ 8 21112018 21172018 08:05 AM ': 20012443 � �. Web $1.389.21 $26.03 $1,417.24 Z12t201D 10 2/1/2018 211/2018 08:14 AM 2001244... , '....' '. Web 54,40944 S0.50 $4,409.94 21272018 11 211/2018 2/12018 06:02 AM 20012449 E-..-:2:70Web $483.85. $0.50 $484.35 212/2018 12 261/2018 2/112018 09:02 AM `... 20012450 "MrWeb $894.75. $18.16 $912.90 2/272018 13 2/1/2018 2/1/2018 , 09:03 AM 20012451 " Web $2,531.14! $0.50 $2.531.64 2/212018 __.. ._.. Web $1,097.48' $0.50 $1,097.96 2/2/2018 14 211!2018 2/772018 09:55 AM 20012486 E.:,-,, 15 2;1@018 21112018 i 09:59 AM 20012457 �� Web $4,535.10, 50.50 54,535.60 26262018 ._... ... .. 16 2/1!2018 2/112018 1 10 1 B AM I 20012458 '. 1 Web .$4,843.41 $0.50 $4,843.91 2/212018 L 17 2/1/2018 2/1/2015 i 10:25 AM °: n 4.,_2459 1.--t!".7! Web $243.01 i $0.50 $243.51 2/2!2018 18 2/1/2018 2/1/2018 1 10:31 AM j 20012480 i Web $223.00; $4.71 5227.71 212/2018 19 21112018 21112018 1 10:33 AM i 29.0:12.4.11, VeTTAF Web 51.102.80. $22.51 $1,125.11 2/2/2018 20 2/1/2018 2/1/2018 ` 10:41 AM 4012462 �;,'_ Web 5338.18 $0.50 5338.88 262/2016 JetPay's reporting suite would also enable the county to group transactions/totals by organization unit or location. For example, if the Utility department has multiple locations in which payments are accepted, reports can be broken out to group transactions at the individual location level. ry Payment Type Summary 2/16/2018 2:13:22 AM By Organization Unit 2/15/2018 12:00:00 AM-2/1512018 11:59:00 PM I All Organization Units I All Payment Types All Collection Modes 1. Agency 3-Longwood Credit Card Name Transactions Amount Fee Amount Total Remitted Birth Certificate 1 $21.25 $1.00 $22.25'1 Business Tax 1 $25.00 $1.00 $26.00. Vehicle/Vessel/Driver License 49 $3,721.25 $90.96 $3,812.21 Credit Card Total: 51 $3,767,50 $92.96 $3,860.46 Debit Card Name Transactions Amount Fee Amount Total Remitter! Hunting/Fishing 2 $68.00 $1.69 $68.00. Property Tax 1 $1,494.15 $1.50 $1,495,65 Vehicle I Vessel I Driver License 43 $5,351.85 $65.82 $5,416.35 Debit Card Total: 46 $6,914.00 $69.01 $6,980.00 Agency 3-Longwood Total: 97 $10,681.50 $161.97 $10,840.46 Agency 5-Lake Mary Credit Card Name Transactions Amount Foe Amount Total Remitted Business Tax 1 $3.00 $1.00' $4.00 Property Tax 1 $1,240.48 $26.67 $1,267.15 Vehicle/Vessel/Driver License 98 $7,383.36 $175.62 $7,558.98 Credit Card Total: 100 $8,626.84 $203.29 $8,830.13 Debit Card Name Transactions Amount Fee Amount Total Remitted Hunting/Fishing 1 $17.00 $1.50 $18.50 Property Tax 1 $368.52 $1.50 $370.02 .. ......._ Vehicle/Vessel/Driver License 73 $6,533.61 $109.50 $6,643.11 Debit Card Total: 75 $6,919.13 $112.50 $7,031.63 Agency 5-Lake Mary Total: 175 $15,545.97 $315.79 $15,861.76 Lake Mary Admin. Credit Card Name Transactions Amount Fee Amount Total Remitted CWIS 5 $471.00 $10.14 $481.14 Credit Card Total: 5 $471.00 $10.14 $481.14 Debit Card d. Selected Vendor must provide a usage report to Department at least on a monthly basis, and more frequently if so requested,indicating the following metrics per transaction made(or attempted to be made) for all payments: o range of dates for the reporting period o dates and time of day when transaction occurred o location where transaction occurred o number of transactions made,by payment type • check,ACH or image • payment card • U.S.currency o identify which transaction resulted in a transaction error o number of errors made o number of reported problems o time of downtime incurred o total amount of payments made JetPay's reporting suite is accessed through our web-based administration console or Dashboard. Real-time reporting capabilities are deeply integrated into the JetPay payment solution.All reports are available in real- time ensuring a timely and accurate dissemination of information.When selecting reports the County has the ability to specify a date range from a drop-down selection. Group Sy BiOlvanization Unit ..... r Date From 02/15/2018 Date To featuary 2010• ..'_i_. .' Sun Mon lug W40 Thu RI Sal • 2 3 • Start Time „ .. 4 5 6 7 5 9 10 11 12 13 14 16 18 17 ... ...... .. .. .... ... .. ._.. .. End Time L. ....__26..27.._28 . ...... ...._ .. ......... .. ......... ......... ...._ . Organization Unit • ...._.. Coiteotton Mode Vii • _ . . 0 Run Report JetPay's reporting suite would also enable the County to group transactions/totals by organization unit or location. For example, if the Utility department has multiple locations in which payments are accepted, reports can be broken out to group transactions at the individual location level.By configuring each location for a department as an organization unit,the County could track the location where transactions occur in our reports. Payment Type Summary 2/16/2018 2:13:22 AM By Organization Unit 2/15/2018 12:00:00 AM-2/15/2018 11:59:00 PM t All Organization Units I All Payment Types All Collection Modes 1 ` Agency 3-Longwood Credit Card Name Transactions Amount Fee Amount Total Remitted Birth Certificate 1 $21.25 $1.00 $22.25 Business Tax 1 $25.00 $1.00 $26.00 Vehicle/Vessel/Driver License 49 $3,721.25 $90.96 $3,812.21 Credit Card Total: 51 $3,767.50 $92.96 $3,860.46', Debit Card Name Transactions Amount Fee Amount Total Remitted Hunting/Fishing 2 $68.00 $1.69 868.00 Property Tax 1 $1,494.15 $1.50 $1,495.65 Vehicle I Vessel/Driver License 43 $5,351.85 $65.82 $5,416.35 Debit Card Total: 46 $6,914.00 $69.01 $6,980.00 Agency 3-Longwood Total: 97 $10,681.50 $161.97 $10,840.46 Agency 5-Lake Mary Credit Card Name Transactions Amount Fee Amount Total Remitted Business Tax 1 $3.00 $1.00 $4.00 Property Tax 1 $1,240.48 $26.67 $1,267.15 Vehicle/Vessel/Driver License 98 $7,383.36 $175.62 $7,558.98 Credit Card Total: 100 $8,626.84 $203.29 $8,830.13 Debit Card Name Transactions Amount Fee Amount Total Remitted Hunting/Fishing 1 $17.00 $1.50 $18.50 Property Tax 1 $368,52 $1.50 $370.02 Vehicle/Vessel/Driver License 73 $6,533.61 $109.50 $6,643.11 Debit Card Total: 75 $6,919.13 $112.50 $7,031.63 Agency 5-Lake Mary Total: 175 $15,545.97 $315.79 $15,861.76 Lake Mary Admin. Credit Card Name Transactions Amount Fee Amount Total Remitted CWIS 5 $471.00 $10.14 $481.14 Credit Card Total: 5 $471.00 $10.14 $481.14 Debit Card Our all transactions report shows every transaction over the specified date range and shows the date and time the transaction occurs.This report also provides the ability to drill down and see all of the details on a specific transaction. All Transactions Report 2/16/2018 2:19:01 AM By 0manlzatlal Unit 2115/2018 12:00:00 AM-2/15(201E 11:59:00 PM i All Organization Units I All Collection Modes TRANSACTIONS-Gross - '-" Agency 2•Casselberry Date Date lime PRO Name Card Collection Amount fee Amount Total Date Funded Effective Entered _ Type Mode T _ Remltt*d 1 2/1512018 2115/2018 08:34 AM 2)0254/37 - 1390414POB 58220', $1.50 563.70. 2115/2018 (scanned) 2 2/15/2018; 211512016 . 08:38 AM 20025492 I BANK P05 5212.35! $1.50 5293.85 2/1512018 (scanned) 3 2/15/2018' 2/15/2018 08:39 AM 20025494 POS $36.10; 51.00 $37.10 2/15/2018 (scanned) 4 2/15/2018 2(1512018 08:41 AM 20025496 lomat POS $106.75 51.50 5108.25 2/15/2018 (scanned) 5 2/16/2018` 211572018 08:41 AM 20025497 MNK POS 510.00 $1.50. $11.50 2/1572018 (scanned) 6 1 271572018 211511018 06:41 AM 20026498 ® ....POS $5425; 51.17 $55.42 2/1512018 (scanned) 7 2/1572018 2/15/2018 08:41 AM 20025499 salsr POS $5925; 51.49 570.74. 2/15/2018 (scanned) 8 2/1572018 2/15/2018 08:44 AM 20025509 Mrr POS $32.25; $1.00 533.25 2115/2018 (scanned) ; ..... . ....._ 9 21161201 B 2/1572018 06:47 AM 20025515 I eer+e1 POS 595,35i $1.50. 596.65 2/16/2018 (scanned) 10 2/15/2018' 2/1512018 08:51 AM 20025519 : F POS $171.35: 51.50', 5172.85', 2/15/2018 i (scanned) _ . ._.. $3.76 5178.81 2'15/2018 11 2115/2018 2/15/2018 08:54 AM 20025522 Q POS $174.85 (scanned) 12 21152018, 2t15/2018 O8:56 AM 20025524 va4' PO5 531.25; 51.00 53225 2115/2018 (scanned) 13 2/152018 2/152018 08:59 AM 20025530 MKT PO5 510.00; 51.00 511.00' 2/15/2018 (scanned) 14 2/15/2018 2/15/2018 09:02 AM 20025535 : !RANK POS 5100.50; 51.50' 5102.00 2/1512018 (scanned) 15 2/152018 271512018 09:03 AM 20025536 v[!A' POS $59.04: $127 590.31 2115/2018 (scanned) _.... - 18 27162018 211512018 09:08 AM 20025439 7 POS 555.10 51.18 $5828 21152018 ' (scanned) 17 27152015 2/1572018 09:09 AM 20025543 v�isc... POS 831.25: 51.00, 53225 21152018 I (scanned) 18 2/15/2018 2/152018 09:09 AM 20025544 ,„ria_ POS 531.25' $1.00 532.25 2/15/2018 ......r.. (scanned) ID Transaction Detail 2/18/2015 2 28:46 AM......._... PRC:20025498 Payment Information Date Entered Date Effective PRC Collection Mode Amount Fee Amount Total Remitted 2/15/2018 8'41 AM 02/1512018 20025498 POS(scanned) $54.25 $1.17 $55.42 ;Line teams Payment Type E Vehicle/Vessel 1 Driver License 542500 ;Card Payments __.. ._ CarddNumber Expiration Data CT Name on Card Total Remitted Remit Status Notes i 531260.9otxx-1689 j 10/2020555.42 Remitted • Payer Name Address City ; State Zip ! Phone Email Transaction Details Key Value :PAX Authorization Code 154814 PAX Approved Amount 55.42 PAX ECR Reference Number 20025498 .PAX Host Reference NUmoer 201802150842150001,.., ;PAX Tlmesc3m p -:201 8021 5084 111 'PAX Transaction Amount 59.25 JetPay Token ....._.. ...... IJJMJIMCBKCJIKNKHNJHOILII JetPay Transaction ID !PJYYjSmYbQcPiQnQhTJROSISt PAXTermina8d :100657960735 The Payment Type Summary report when grouped by collection mode & card type shows total transaction counts and amounts by each payment type for each collection mode and payment method(i.e.Personal check, ACH,card type,etc.) 6 Payment Type Summary 2/16/2018 2:44:30 AM 2/15/2018 12:00:00 AM-2/15/2018 11:59:00 PM 1 All Organization Units I Alt Payment Types I All Collection Modes 1. POS(scanned) MasterCard Name Transactions Amount Fee Amount Total Remitted Water and Sewer 4 $399.19 $11.18 $399.19 Payments Water and Sewer 1 $126.80 $2.50- $129.30 MasterCard Total: 5 $525.99 $13.68 $528.49 Visa Name Transactions Amount Fee Amount Total Remitted Water and Sewer 14 $1,269.77 $35.55 $1,269.77 s' `. Payments Water and Sewer 2 $145.17 55.00; $150.17 Visa Total: 16 $1,414.94 $40.55 $1,419.94 Debit Card Name Transactions Amount Fee Amount Total Remitted ",Water and Sewer 2 $180.78 $5.06 $180.78 :Payments Water and Sewer 17 $1,608.66 $42 50 $1,651.16 Debit Card Total: 19 $1,789.44 $47.56 $1,831.94 Personal Name Transactions Amount Fee Amount Total Remitted Water and Sewer 10 $1,092.47 $6.00 $1,092.47 Payments Deposits 3 $293:40 $1.80 $293.40 Payments Water and Sewer 20 $1,811.97 $12.00' $1,81197 Personal Total: 33 $3,197.84 $19.80 $3,197.84 POS(scanned)Total: 73 $6,928.21 $121.59 $6,978.21 . 1. .. C .' ':Total: 73 $8,928.21 $121.59 $8,978.21 The Non-Approved Transactions report shows all declined transactions over the specified date range. 0 Non-Approved Transactions Report 2!18/2018 2.54:25 AM 211/2018 12:00:00 AM-2/18/2018 11:59:00 PM i All Organ nation Units 1 Ail Collection Modes 1. . (e) Date Date Time PRG Name Card Collection Mods Description Total Remitted Entered Effective Type Paymentiyps d 1 2?1/201$ 2/1/2018 09:22 AM 20017931 POS(scanned) Declined $46.10 • Vehicle/Vessel!Driver License 2 2!1/2018 . 2'112018POS AM 20018003 � (scanned) Declined $1,840.85 Veh 3 2/1/2018 21120181cie��ssel!OlIverLicense ;=, wgzr 04 AM 20018005 POS(scanned) Declined $1.840.85 , Vehicle/Vessel I Diver License 4 2/7f2018 2/112018 13:29 AM 20018720 `ear+KP0Sscanned J (scanned) Declined $31.25 Vehicle l Vessel!Driver License , � - : 5 21/2018/2018 2/1/2018 15:47 AM 20018150 „` P08(scanned) Declined 531.25 Vehicle l Vessel/Driver License 6 2!1/2018 . 2112018 11:47 AM 24018151 41 POS(scanned) Declined $31.25 Vehicle I Vessel Driver License 7 2!1/2018 2/1!2018 12:58 PM 20018248 leAnal POS(scanned) Declined $412.95 Vehicle/Vessel1 Diver License .. 8 2/112018 2/1/2018 01:06 PM 20018262 �. POS(scanned) Declined $54.25 Vehicle I Vessel!Driver License 005(scanned) Declined $54.25 9 2/1/2018 2172018 01:07 PM 20018263 keANal Vehicle!Vessel!Driver License $7220 10 2/1/2018 21!2018 01:13 PM 20018277 ' POS(scanned) Declined Vehicle I Vessel!Driver License 11 211/2018 21/2018 01:52 PM 20018333 nHal POS(scanned) Declined $72.20 Vehicle/Vessel!Driver License 12 2!7!2018 211207$ 01:52 PM 20018334 faNlal POS(scanned) Declined $7220 Vehicle!Vessel!Driver License 13 27/2018 2/1/2018 02:13 PM 20018358 �YeeN� POS(scanned) Declined $376.85 Vehicle!Vessel/Driver License 14 2/1/2018 2112015 02:14 PM 20018360 lU1gd POS(scanned) Declined 5376:85 Vehicle!Vessel!Driver License 1of15 Each report in JetPay's system shows an overall total with a dollar amount for the total over the specified date range, so if the County were to look at a report such as the Payment Type Summary report or All Transactions report for the specified date and time range the overall totals line item would display the total amount of payments made. e. Selected Vendor must provide a reporting format to compare against the County's revenue collection report, to facilitate an efficient account reconciliation review by the authorized representative of the Department. JetPay's revenue report shows the number of transactions, reversals, dollar volume, fee amounts, and total remitted by card type. It also separates transaction amounts and volumes by credit card and eCheck volume, and provides an overall total.This report can be compared against the County's revenue collection report to facilitate an efficient account reconciliation review. This report can also be broken out or grouped by organization unit/location. 0 JetPay Revenue Report: Revenue Report 218/2017 11:21;57 AM 1/1/2017 12:00:00 AM-113112017 11:59:59 PM All Organization Units{A9 Collection Modes(All Users Amex 29. ,,.0 $88400,70 $1,775.28 $0,00 $90,175.98: Visa 237 0 $231,040.20. $4,680.04 $0.00 $235,720.24. ._. __ . MasterCard 114 0 5142,185,11 $2.672..16 $13.00 5946,05729; Discover 17 0 517.078.83 534579 $0.00 $17.422.82 Business 65 0 5316,043.01' $32,50' SOLO 5316,075.51. Personal 336 0 $781,133.82' $168.00 $0.00 $781,301,82' Credit Card Total: 397 0 $475,702.84 $9,873.29 $0.00 $488,378.13 E.Check Total: 401 0 ;1,097,178.83 $200.50 $0.00 51,097,377.33 Total T9t1 0 51,513,879.87 59,873" S"A0 $1,585,753.48 f. Other reports as requested by the County. JetPay can implement customized ad hoc reports if they do not currently exist in our reporting suite upon request after meeting with the County to establish a mutually agreed upon timeline for the generation of said reports.JetPay can build custom reports for the County on a timed basis per the request of the County. 16.Back-up Documentation Selected Vendor must provide a reliable process for maintaining a copy of each completed transaction,in the event of system crash or other business interruption, such that the completed transaction record can be replicated, if necessary. JetPay's disaster recovery plan was last updated on November 17, 2016, and our disaster recovery plan is tested and updated on an annual basis. The JetPay primary data center is a hosted facility located in a SSAE-16/ISO 2000 SRI compliant data center. Physical Security includes video monitoring, combination keycards card and biometric access controls,redundant dual rail power,fire suppression and cooling systems. Secondary data center is located at lights out Amazon Web Services Data centers. Physical security is provided by data center hosting staff. Only designated IT personnel have direct access to systems.Lights out secondary data center administrative functions are only accessible to designated IT staff.Physical racks have video and door alarms set to send alerts immediately upon entry to monitoring personnel. In the event of an alert generated by an unexpected event,physical security staff are notified. In order to ensure uninterrupted processing capabilities, JetPay maintains multiple processing sites. In the event of a failure at the primary processing site, JetPay's secondary processing site is made active using established procedures. JetPay's primary data center is located in Alabama and the secondary is in Virginia. The Florida site can act as a tertiary processing site as needed. Sites are located and maintained in hardened, PCI compliant facilities with multiple redundant power, connectivity, and security systems. Each site contains load-balanced server farms. This architecture allows JetPay to ensure processing capabilities in the event of overall site failure or intra-site hardware failure. We monitor our Solution in real-time at all times of every day. Our quality control and monitoring includes testing system availability as well as transaction processing,and we compare historical performance metrics. We are alerted in real-time through multiple methods including SMS text, voice and email using our tools, physical oversight and network protocol tools.When system problems occur we will notify our affected clients within 30 minutes of the identification of an outage of any type. Below is JetPay's Disaster Recovery Plan which outlines the process for maintaining and backing up transaction data in the event of a system crash or other business interruption: 0 JetPay Disaster Recovery Plan Overview JetPay has established a formal policy and supporting procedures concerning Disaster Recovery Event Handling.This policy is to be implemented immediately. It will be evaluated and tested on an annual basis for ensuring its adequacy and relevancy regarding organizational needs and goals.This plan will be tested on an annual basis. Policy JetPay will ensure that the Disaster plan adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards(PCI DSS)initiatives: • The recovery plan includes, at a minimum, roles, responsibilities and communication strategies in the event of a compromise,including,also at a minimum,notification of the payment brands. • The Incident Response plan includes specific incident response, business recovery and continuity procedures and data backup processes. • The Incident Response plan includes legal requirements for reporting any compromises to the cardholder data environment. • The Incident Response plan includes coverage and response mechanisms for all critical system components and all other IT resources deemed critical. • The Incident Response plan also includes reference or inclusion of incident response procedures from the payment brands. • The Disaster Plan is to be tested annually. • Designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity,detection of unauthorized wireless access points, critical Intrusion Detection Systems(IDS)alerts and/or reports of unauthorized critical system or content file changes. • Staff with responsibilities for security breach responses is periodically trained. • Monitoring and responding to alerts from security systems including detection of unauthorized wireless access points constitute an important component of the Incident Response plan. • Processes are in place to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments as needed. Procedure JetPay has developed and implemented a comprehensive Disaster plan,which encompasses the categories and supporting activities listed below. These policy directives will be fully enforced for ensuring the Incident Response plan initiatives are executed in a formal manner and on a consistent basis for all system components within the cardholder data environment and all other IT resources deemed critical. The five(5)main categories of the Incident Response plan include the following(NIST,n.d.): • Preparing for an incident • Detecting an incident • Responding to and containing an incident • Recovery from an incident • Post-incident activities and awareness Preparing for an Incident All employees should be aware of common threats and computer incidents that may potentially compromise the organization's network infrastructure,cause harm to other related systems or pose a significant financial, operational or business threat to the organization as a whole that can lead to having to bring the backup operations to a fully functional status. The Disaster Response plan should be viewed as a set of procedures for preparing for, detecting,responding to,containing,recovery and any other necessary post-incident activities. There are numerous threats and computer incidents that are potentially detrimental to any organization, such as the following: • Data Center Failure • Communications Failures • Malware (computer viruses, worms, trojan horses, most rootkits, spyware and other malicious and unwanted software) • Social engineering attacks • Denial of Service Attacks C•1 • Additional network attacks,including hacking and other common attack vectors • Physical and environmental conditions resulting in threats to the organization's system resources Adequately preparing for an incident requires personnel to be aware of common threats to systems and to implement safeguards and control mechanisms that protect system resources. The Response Team is to have clear roles and responsibilities for properly responding to any incident. Preparation is just as important as the response to the incident. Other aspects of preparing for an incident include the necessary steps, processes and procedures to take once an incident has occurred. This also includes an understanding of what actions are to be taken with respective third parties,if necessary,such as clients, law enforcement agencies, local/federal/state agencies, the media and any other third parties considered to be within our scope. MOW 12,94 Description of Incident Response Team p __ hole and Contact Responsibility of the „*tet Title Infnrmaitian Incident Rillvnse Team Paul U lig IT Director Cell IT Lead Chris Battel * dell Mena_mem Leel CavilOperations Cell Public Director Relationtional Coordination Lynn Yelverton Customer Cell Customer Response Service Coordinator Dircctor —wHeath Gardner . Sofi arc Cell Software Lead Director 1.11111.111.11111111111111.1111111111111 Declaring a Disaster Declaring a disaster recovery event requires a commitment by all employees to be constantly aware of their surroundings for any type threats. Additionally, detection also requires due diligence and consistency by employees. Cit. rr . Table 12.9,b Name of Systems Components and Response Mechanisms hi Place for All System Components and other IT Resources other IT Resources (Devices) (1)Contact the Incident ResporISZTeam(IRT). .21 IRT will immediately enact response nsc I'a nisms commensurate with the incident to include law enforcement notification. Fircwtill Appliances IRT will develop plan for containing an incident along recovery procedure. (I)Contact the incident Response Team(1K (2) IRT will immediately enact response mechanisms commensurate Public Web Berks with the incident to include law enforcement notification. (3)IRT will develop plan for containing an incident along with reeovcry (1)Contact the Incident Response Teams(IR (2)IRT will immediately enact response mechanisms commensurate Database SUMS with the incident to include law enforcement notification. (3)IRT wiilldevelop plan for+ taining an incident along with recovery Responding to and Containing an Incident Any incident deemed to be a threat to the organization requires a rapid response from authorized personnel, such as the Incident Response Team. This rapid response will follow a standard course of action designed to minimize the impact of the incident to the organization's critical network and system infrastructure. Response Action Plan For DR Failover: 1. Declare Failover(management lead) 2. Start customer contact(Customer Service lead) 3. Establish restoration order(management lead) 4. Restore most recent database backups(IT Lead) 5. Initiate DNS record move to lights out data center primary IP.(IT Lead) 6. Start DB initialization based on order established by management lead.(IT Lead/Software Lead) 7. Coordinate with customers to inform them of service availability.(Customer Service lead) C Tab It 12.9_c Response Meohanisms forAll Critical System Components and All Other IT Resources Doomed Critical Name Taming Convention of System Logging and game of Frequency of Systems L. of Administrative Audit Trail Reviewer of Review for Components theRights for the .Mechanisms Logging and Logging and and other IT Device Device to Place Audit Trails Audit Trails Resources (Devices) ETON lege Only CentralizedIT IT Doily ` Firewalls begi 1���:e Database , IT & Software Centralized SQLXDevelopment IT Daily Servos Ingpirg Team ' 1TuftwrsWWW Centralized DevelopmentT Daily .s Team 11' & SoftwareFrp Centralized. FTPX Development logginglT Daily 'Savers ' ` Monitor and maintain DR system,evaluate primary site status and coordinate fallback when appropriate. The following documented response mechanisms serve as the Standard Operating Procedures (SOP) for responding to any incident within the organization: 1.For any incident that has been detected,the Incident Response Team is to be immediately notified. 2.The Incident Response Team is to formally assume control and to identify the threat and its severity to the organization's information systems. 3.In identifying the threat, the Incident Response Team is to specifically identify which resources, both internal and external, are at risk and which harmful processes are currently running on resources that have been identified as at risk. 4.The Incident Response Team is to determine whether the resources at risk (hardware, software, etc.) require physical or logical removal. Resources posing a significant threat to the continuity of the business are to be immediately removed or isolated,either physically or logically.Resources that may require physical or logical removal or isolation may include,but are not limited to,the following: • All IP addresses in use • Firewalls • Routers and switches • Intrusion Detection Systems(IDS)/Intrusion Prevention Systems(IPS) • Any enterprise-wide applications(CRM systems,etc.) • Remote access • Point-to-point secure data transmission methods used for data traversing back and forth on the network • Wireless networking or networks • Authentication servers(RADIUS) • Web servers • File servers • Email servers • DNS servers • Operating systems • Databases • Applications C 5.If the incident has affected the cardholder data environment in any way, and has impacted the system components within this environment,it must be immediately reported,its severity and other essential information to the major payment brands. Listed in the following table are the links to the major payment brands,which also supply information on how to handle an incident that has resulted from a breach of the cardholder data environment.It is the policy to formally acknowledge and adhere to these guidelines as set forth by the major payment brands. Tab% l .lw,r1 Payment Brand Information on Incident Handing and Reporting http fi,'*usa_v isa.corn"me.rchant rnsic inanagementicisp if VISA cmnpr ised i brip)/www,masterearti,eorMasiiriereltantisecurityffrand MasterCard _prevent c n.ht nl https:1 www.amerieaneapress.corr 'contenl'merchan American Express fra sd•prevention,htrnl http://www,discovernetworiccomgraudsecurityldatabre Discover Card aeh.htrrti 1.If the incident has in any way resulted in a criminal matter that may be readily identified, it must immediately be reported it to law enforcement officials,such as the following: • Local law enforcement(Dependent upon which data centers may be involved) o Pensacola Police Department 850-435-1900 • The United States Secret Service(for credit card fraud) o Birmingham,AL 205-731-1144 o Tallahassee,FL 850-942-9523 • The Federal Bureau of Investigation(FBI) o Pensacola,FL 850-432-3476 o Birmingham,AL 205-326-6166 2.Investigating the incident is also a critical process within the Incident Response plan. Proper investigative techniques are to include,but are not limited to,the following: • Understanding how the incident occurred and what led to the compromise • Reviewing all necessary system documentation such as logs, audit trails, rule sets, configuration and hardening standards and all other supporting documentation • Interviewing personnel as needed • Examining any third-party providers and their respective products and services that are utilized within network architecture • If warranted, a third-party resource for assisting in the investigation of the incident may be utilized(this will be done at the management's discretion) Recovery from an Incident Recovery procedures will include but are not limited to the following: • Restoring systems from clean backups(a trusted source only). • Completely rebuilding systems as needed and warranted. CA • Replacing systems as needed (this includes all system components within the cardholder data environment and any other IT resources deemed critical. • Reconfiguring network security (stronger, more adaptive configuration and hardening rules) for all system components within the cardholder data environment and any other IT resources deemed critical. The recovery procedures will be commensurate with the incident that has occurred. This will be conducted on a case-by-case basis with all aspects of the recovery process fully documented. Response Action Plan For DR Failback: • Declare Failover during a low usage period(Early Sunday morning)(management lead) • Start customer contact(Customer Service lead) • Establish restoration order(management lead) • Restore most recent database backups(IT Lead) • Initiate DNS record move back to primary IP.(IT Lead) • Start DB initialization based on order established by management lead.(IT Lead/Software Lead) • Coordinate with customers to inform them of service availability.(Customer Service lead) • Monitor and maintain production system. Post-Incident Activities and Awareness A formal and documented Incident Response Report(IRR)is to be compiled and given to management within an acceptable timeframe following the incident. The IRR must contain the following elements(NIST,n.d.): • Detailed description of the incident • Response mechanisms undertaken • Reporting activities to all relevant third parties as needed • Recovery activities undertaken for restoring affected systems • A list of Lessons Learned from the incident and which initiative can be taken to mitigate and hopefully eliminate the likelihood of future incidents Below is JetPay's Continuity of Operations Plan including high-level diagrams of our infrastructure: JetPay Payment Services FL Business Continuity Plan Risk Mitigation • Client payment processing o Notify Clients and tell them we are/will be offline. • Help Desk support o Jerry will provide support remotely. o We will designate a backup resource for assistance. • Daily processes o Heath will perform all daily processes remotely(access to www 1-rl-barn). • Birmingham data center o Paul will monitor. • Communication with clients o Even if we manage to cover all service areas remotely to where service is uninterrupted for our clients,we need to let them know our plans. S o If we have areas of interrupted service,then we should address those concerns specifically according to the JetPay Processing-Failure Management document. o Need to update the communication messages accordingly as conditions change. o Send an"after action"email to clients for how we managed during the outage—service remained up,we were down but back up after x hours,etc.and reiterate our commitment to serve our clients. • JetPay payroll o Maureen would handle deposit to Regions if outsourced Payroll company is impacted. • Securing JetPay Office o Protecting equipment o Protecting electronic files Make sure files are on network,not hard drive o Protecting hard copy files and documents o Have had internal water sprinklers go off,need to prepare accordingly • Communication with JetPay team o Who is evacuating and where are they going? o Staff updates and staying in touch • Send text message AM and PM to Carol o Notification of office evacuation/closure • Take devices with you(dongles,laptops,etc.) o Helping staff recover if damage is sustained • Family ok? ▪ Home ok? o Staff expectation to return to work 17.Convenience Fee Any Convenience Fee charged to the Customer, if applicable, by the Selected Vendor must be agreed upon by the County and will be pursuant to the Agreement between the County and Selected Vendor.The Convenience Fee may be a set fee or a percentage of the payment amount. JetPay's business model is such that we strive to generate 100% of our revenues from transactional fees. By presenting one simple pricing structure, much of the ambiguity typically presented by card processors has been removed,making it easier for the County to anticipate the true cost which they or their consumers must incur. Additionally, this simple fee structure can be utilized across the County's various departments and their respective various transaction amounts.Any convenience fee charged to the Customer will be agreed upon with the County and fully established and disclosed in the "Cost of Services to the County" section of this proposal. Further,our platform could enable cost reductions and increased customer satisfaction through the use of our e-communication tools which enable the County to engage with its customers using SMS text, email or outbound IVR on any topic including electronic bills,payment reminders,etc. 18.Customer Service Selected Vendor will be required to provide customer service support to customers in relation to payments processed by Selected Vendor. Customer Service is a focal point of JetPay's payment processing solution. JetPay's policy with each new contract is to establish a relationship manager who is the primary point of contact for the client. The relationship manager is available 24/7 to handle any escalated tier 2 issues or customer needs that may arise. JetPay's Help Desk serves as the focal point for customer support.JetPay's Help Desk is United States based software support, and All Tier 1 calls are directed to the Help Desk. JetPay provides a staffed call center which is accessible at all times (24 hours a day, 7 days a week, 365 days a year), with a return call made within twenty (20) minutes to resolve customer service issues. JetPay's Help Desk closes 97% of service tickets within one day. Additionally, the Help Desk will develop familiarity with the Metro Government's account and the specifications used throughout the duration of the account. JetPay has established Customer Support tiers and corresponding response times based upon such tiers. Customer Service is a focal point of JetPay's payment processing solution. Tier I Tier I (or Level 1, abbreviated as T1 or L1) is the initial support level responsible for basic Customer and Client issues.At this level,we gather the Customer/Client information and determine the issue by analyzing the symptoms and figuring out the underlying problem. This level gathers as much information as possible from the end user. The information typically includes: error message,web browser and version being used, screen shots,what other software system is being used with this payment issue,any data used by the end user or any sequence of steps used by the end user,etc.This information needs to be recorded into the issue tracking or issue logging system. Once identification of the underlying problem is established, the specialist can begin sorting through the possible solutions available. Technical support specialists in this group typically handle straightforward and simple. Examples of Tier 1: 1. Confirmation of Payment: a. Ask for the last four digits of debit or credit card,or last four digits of checking account b. Ask for the date of payment. 2. Receipt Request: a. Ask for the last four digits of debit or credit card,or last four digits of checking account b. Ask for effective date of payment. c. Confirm or obtain email address. 3. Charge Inquiry-Caller questioning a charge on cardholder statement: a. Ask for the description listed on the customer's credit card statement or bank statement. b. Ask for the last four digits of the debit or credit card,or last four digits of checking account c. Ask for date of payment 4. Void Payment Requests in Magic portal—Same day or post-dated payments: Some clients may choose to issue their own credits and voids.Other clients may choose to defer requests to the Help Desk as needed.Each client is able to determine business rules. a. Client calls: i. Ask for Confirmation/PRC number ii. Verify the customer name,the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Email the credit receipt to participant if requested. b. Customer Requesting Void(subject to Client's business rules): i. Ask for Confirmation number ii. Verify the customer name,the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Confirm and/or obtain email address and email credit receipt to customer. Tier II Tier II (or Level 2, abbreviated as T2 or L2) is a more in-depth technical support level than Tier I. It is important to review the information or incident,ticket,etc.,to see what has already been accomplished by the Tier I technician. If a problem is new and/or personnel from this group cannot determine a solution, they are responsible for raising the issue to the technical support or software development group. This may require additional information including: the program name that failed, any database related details (table name, view name, package name,etc.)or API names. Examples of Tier 11 1. Settlement deposit error 2. PCI matters 3. URL,server,SQL or other replicated errors. 4. Windows,browser,or other operating system errors. 5. Software or setting issues which cannot be resolved by Tier I. 6. Financial errors including fees,invoices,or other types of calculated financial errors. 7. Replicated errors in reporting,report filtering,or report formatting which cannot be resolved by Tier I. 8. Failure of import or export,validation file routines. 9. Any other file exchange or API lookup issue or malfunction. 10. User or payment maintenance that is outside the expertise of Tier I. 11. Any issue which falls outside of the training or expertise level of a normal Tier I function. Tier III Account Manager or Proiect Manager Escalation Examples of Tier III Escalation: 1. System outage or unable to process payments,render payment screens or run reports. 2. Failure of reporting or financial deposits. Any issue which becomes delayed or unresponsive by Tier I or Tier II. 19.Refunds Selected Vendor will not process any refunds, or return payments to customers after settlement, without expressed written authority from the County. JetPay's Magic platform provides each client with access to reports for exception items such as credits/voids and chargebacks as well as the ability for County administrators to process voids or credits without any JetPay staff involvement.JetPay always complies with our client's business rules,and as such will not process any refunds or return payments to customers after settlement without the expressed written authority from the County.Through our Administration console,designated personnel have the ability to view as well as void the full amount of a transaction prior to the payment being submitted for settlement. Full or partial credits are available after the date of the transaction. When processing a void or credit, JetPay's system will automatically determine whether the transaction should be processed as a same-day void or full/partial credit depending on the date of the transaction.This can be seen in JetPay's outlined Customer Service Tiers in the response to#18: 1. Void Payment Requests in Magic portal—Same day or post-dated payments: Some clients may. choose to issue their own credits and voids.Other clients may choose to defer requests to the Help Desk as needed.Each client is able to determine business rules. a. Client calls: 0 i. Ask for Confirmation/PRC number ii. Verify the customer name,the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Email the credit receipt to participant if requested. b. Customer Requesting Void(subject to Client's business rules): i. Ask for Confirmation number ii. Verify the customer name,the amount of payment and make sure the date reflects the current date or is post-dated. ill. Issue void from management console iv. Confirm and/or obtain email address and email credit receipt to customer. The process of crediting/voiding a payment can be seen below: Step 1: Credit Payment by PRC- 111111111111.111 PRC Number 20000008 Next Step 2: Credit Payment;20000008 Credit Availible Payment Fee Amount for Credit Type Amount To Credit Name Type Method Amount Amount Credited yPe Credit im 471575 $169.04 $3.55 $169.04 50.00 Chargeback the fit numberrpadieS has retched Ix ***** Internal Credit crece:isnuc. 0g44 > Standard Credit Totals: 5169.04 53.55 5169.04 50.00 Notes .........__.__...._................... 0 Process Credit Payment History Payment Method Amount Fee Amount Total User Name Effective 471575 we*+0944 $169.04 $3.55 $172.59 Rick Griffiths 12/30/2016 5:50:50 PM 471575*****0944 (5169.041 ($3.55) ($172.59) Rick Griffiths 12/30/2016 5:52;04 PM View Credit Receipt 0 20.Scheduled Recurring Payments The Selected Vendor may provide scheduled payment processing services allowing County customers to provide needed payment information and have a series of scheduled recurring payments automatically submitted to the County for posting to receivables of various debt types. JetPay's system enables customers to setup an on-line account for pre-authorized and recurring payments. JetPay's system tokenizes payment card and banking information when your customer elects to store it for re-use in the future including when setting up on-line accounts and for recurring payments.When a customer creates a user account they are able to create both saved payment methods and set up a recurring payment or autopay payment plan. JetPay also supports Payment Plans that can be set up solely by the County staff or also by customers online based upon the specific rules of the County department that is accepting the payment.We believe supporting the creation and processing of payment plans could be beneficial to the County. 21.Single User Sign-On The Selected Vendor's internet payment channel may provide the option for customers to create a secure account with the ability to voluntarily link debt from various County receivable systems. Customers creating such an account would be able to sign-on to this account as needed to view and pay debt associated with the account. JetPay's Magic platform enables customers to log in and create an account to save different payment methods and accounts with one single sign-on.Payment data and PII is always encrypted while at rest or in-transit,as well as is encrypted end-to-end when dipped or swiped at point-of-sale. We tokenize data when customers elect to establish an account and save their payment card and banking data for use in the future. After creating an account, customers can link different payment accounts/debt from various County receivable systems that they regularly make payments for. They can also create and manage recurring payment plans and autopay recurring payments for payment types the County chooses to employ this feature.Additionally, customers would have the ability to save various payment methods for reuse in the future. Below are screenshots of the user dashboard that shows customers their payment history,saved payment methods,etc.: Illinois:Healthcare Family Services 0tie•TIMC P,,muit 8 Legh aloe U UnfMr G payment tiriM1aut VeJdfg plans, attbmn.lktk Lac Mon Waved ntlyou unit ge iultadto!ric pl'3F tOterlpt.cmc .—.-••- ,t,ke a one-time payment O Ht{a,mr4rauvcld. or Create an Account H 0 WSW 46 PAY A This sgc is c+rren^.ly as Iasi mode. Register-Illinois Healthcare Family Services ..................................................................................................................................................................................................................................................................................................................... Name username ._............................................................................................................................................................................................................................................................ ................................................................................................................................................................................................................................................................. Fesseoord Cordirm Noosed VOA Conarm Email Addrasa Mdbdt Phone t9rmbet .._..................................................... Address Address Continued City Seale ..._.. __.. ........ _... _...... ._.._. ............__............_. Zip Code CCream Nov 4) r IP 7 My Magic Illinois:Healthcare Family Services lime Zone CeAtrel S-aneard lime PrVin 700.30Mi7 582,565.01: 71240017 eftwk titecklny,"•••1111 Wire +CTeitti,Azymott Mettiott Profit rrhrck tin Uiflt 1=11 Hosp:ml Assessment Am..%Numb., Mtwara Coe N...,. Street City Dale ZtpdC leAr 111 I.ntdr test 11.1,4 12:14 tiernroge 111) SPECIALIZED EXPERTISE OF TEAM MEMBERS: The JetPay project management team has decades of combined experience in electronic payment processing, distributed system implementations,and technical data conversions.The team has extensive experience working in collaboration with our clients in a large variety of project implementations,maintenance,and support. JetPay's policy with each new contract is to establish a dedicated relationship manager who is the primary point of contact for that client. If awarded, Rick Griffiths, Director of Account Management, will continue to act as Relationship Manager for this contract. Mr. Griffiths' overall responsibility includes relationship development for JetPay but will be Collier County's primary contact. Mr. Griffiths will be available 24/7. There is no additional charge for this service.Mr.Griffiths can be contact at: Rick Griffiths,Director of Account Management JetPay Payment Services,FL,LLC. 316 South Baylen Street,Suite 590 Pensacola,Florida 32502 (850)858-3309 Telephone(850)444-9331 Fax Rick.griffiths@,jetpay.com In addition to Mr. Griffiths, Joe Lennon (Director of Sales and Business Development) and Shirley Everage (Technical Account Manager)will work hand in hand with the County throughout the implementation.If awarded, JetPay plans to convert the County from our Legacy platform to our Magic platform in an effort to offer the latest and greatest innovations in the payment processing industry to Collier County. JetPay's web-based payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry, and is ideal for accepting online/e-Commerce payments, point-of-sale EMV transactions, mobile app, IVR and virtual terminal payments for mail in/phone in payments. With the Magic platform JetPay is able to offer the County the latest features and functionality in the payments industry and offer a level of configuration and customization that can specifically meet each of the County's departments specific needs.County administrators would have the ability to customize and configure the County's instance of the Magic platform in real-time through the Manage tab of the JetPay Magic Administrative dashboard.Administrators would have the ability to change and configure things such as: changing office users' and client customers' account information & doing password resets, configuring organization units, payment categories, payment types, devices, branding, logos, managing customer payment plans, etc. Mr. Griffiths, Mr. Lennon, and Mrs. Everage have worked together since the launch of the Magic in 2015 to organize the migration of JetPay Payment Services FL's existing client base from our Legacy platform to the Magic platform is as seamless a process as possible. Heath Gardner (Head of Software Development) and Paul Shave (Information Technology and PCI Director) lead all software development and IT efforts in relation to the scope of services of this contract such as any work with integrations, client profiles and databases, etc. Lynn Yelverton (Customer Service Manager) will manage all tier 1 customer service requests for the County. Chris Battel (Chief Operating Officer)will serve as the Executive Officer to the County on the behalf of JetPay. The key personnel servicing Collier County will include,but are not limited to: Christopher Battel,Chief Operating Officer and Executive Officer Rick Griffiths,Director of Account Management and Project Manager Joe Lennon,Director of Sales and Business Development&Senior Relationship Manager Lynn Yelverton,Customer Service Manager Rick Carroll,Chief Financial Officer Heath Gardner,Software and Development Director Paul Shave,Information Technology and PCI Director Shirley Everage,Technical Account Manager • Joseph Lennon,Director of Sales and Business Development&Senior Relationship Manager Phone:(850)858-3319 joe.lennon@jetpay.com Joe Lennon joined JetPay in the first quarter of 2015. Mr. Lennon has spent 30 years delivering customized customer experiences and solutions to prominent national, regional and boutique businesses in the hospitality and health care industries.He has comprehensive leadership experience and knowledge in entrepreneurial,analytical and sales oriented environments. He is responsible for the leadership and implementation of Customer Relations, Sales and the Business Development strategy of JetPay Payment Services,FL,with a focus on customer satisfactions and business growth:Mr. Lennon will serve as a Relationship Manager for this contract and will serve as a point of contact to the County from an account management perspective,along with Rick Griffiths. 0 JOSEPH W. LENNION 56 Highpoint Drive Gulf Breeze,Florida 32561 .1OELf COLLECTORSDLUTIORISCOM (854)-572-7664 QUALIFICATIONS SUMMARY Top-performing Client Development Executive and multi-unit Operations Leader with consistent track record of surpassing retention targets, financial expectations and quality indicators. Proven ability to recruit, train, and develop top performing teams that met or exceeded clients and companies expectations. Demonstrated success leading complex retention processes resulting in protecting revenues and retaining customers. • Competitive Analysis • Project Management • Consultative/Solution Selling • Revenue&Expense Forecasting • Customer and Client Satisfaction • Staff Recruitment&Training • Business Process Improvement • Quality Improvement • Strategic Planning • Presentation&Negotiation Skills PROFESSIONAL EXPERIENCE CoilectorSolutions,Inc,Pensacola Florida 2016—Present DIRECTOR,SALES AND BUSINESS DEVELOPMENT Leads both business development as well as customer relations of an electronic payment processing and communications firm headquartered in Pensacola, Florida. As Director of Sates and Business Development, has taken the lead in developing strategies and delivering diverse solutions for clients to collect monies from their customers electronically (credit card, debit card, e-check). In 2014 CollectorSolutions, Inc. (www.collectorsolutions.com)processes over S4 Billion with a staff of only 23. Service Team Of Professionals,Inc. 2013-Present OWNER/FRANCHISEE As a franchisee, purchased exclusive rights to tri-county market from a national restoration company. Responsible for all phases of the business from developing the marketing plan, establishing sales routes, operations and financials. • 300%increase in year over year sales • Expanded services from emergency remediation response to full service restoration • Built a strong network of marketing support through serving on local boards to include Chambers of Commerce,Santa Rosa C.E.R.T.(Civilian Emergency Response Team),President of Optimist,Gulf Breeze • Leadership Of Santa Rosa Graduate,Class of 25 • Selected Business Of The Month—December 2014 • Selected"Emerging Leader Of The Year"for 2014 56 highpoint Drive Gulf Breeze Florida 32561 Cell(850)-554-4367—Email'Joe.Lannont5>Betlaouth.nal 0 Sodexo,Inc.Southern United States, 2007 to 2012 SENIOR CLIENT DEVELOPMENT EXECUTIVE Responsible for leading retention processes to protect$536,223,356 of revenue and$61,866,210 of gross profit while supporting cross-selling processes within existing hospital business in the Southern United States. Accomplished Platinum Level Performance in Fiscal Years 2008,2010,and 2012. • 98.2%Client Retention rate In FY 2012 • Successfully led complex and competitive retention processes resulting in Blue Chip and overall client retention goals of 96.63%over 6 years. • Employed an enterprise approach to organizing,motivating,and directing diverse teams to accomplish desired retention outcomes and growth opportunities with existing business. • Developed strategies for long-term contract renewal in assigned Blue Chip accounts. Sodexo,Inc.South East United States 1999-2007 DISTRICT MANAGER Responsible for 68 Sodexo managers and $39,080,993 in managed volume in 17 Strategic Business Units across 3 states.Strategic business units include a mixture of Food and Environmental Services. Outcomes over the last 6 years include exceeding budget expectations while growing profitability over each previous year. Client satisfaction consistently exceeded goals and previous year scores. Client dissatisfaction was fess than 1%. • 100%Client Retention over six fiscal years. • Recognized for Excellent 98%Client Satisfaction.Highest in Health Care Division for fiscal 2002. • Recognized for Outstanding Financial Growth for fiscal 2004. • Recognized for Outstanding Account Growth for fiscal 2006. • Realized 20.3%yearly average profit growth over comparable business for last 6 fiscal years. • Established pattern of managing troubled contracts and retaining business while increasing profitability and client satisfaction. • Oversaw development and promotion of 7 General Managers. • Recognized for Leadership role in Hurricane and Disaster Relief. Sodexo Marriott,Philadelphia Pennsylvania 1994-1999 GENERAL MANAGER OF SUPPORT SERVICES Responsible for multiple support departments and outsourced services for inner-city teaching hospital as on-site representative of Marriott Health Care (Sodexo Marriott Services). Managed a budget of $21,000,000 and reported to CEO. In this capacity, provided leadership for 3 campuses, thirteen (13) departments of 300 employees in 1,600,000 sq.ft.facility space. Consistently achieved or exceeded all goals in patient,family and physician satisfaction and cost reduction as listed below. EDUCATION&TRAINING B.S.,Management,Focus op Hospitality,Hotel and Restaurant Mercyhurst University,Erie Pennsylvania Professional Development On-going workshopslseminars;Winning Sales Proposals/Shipley Associates, Conceptual Selling I Miller Heiman,Winning Sales Presentations/Mandel Communications, Sates Negotiations l Bay Group international,Relationship Edge I Delta Point.Inc.. Trusted Advisor I Global Partners,Influence Edge/Vengel Consulting,Killer Presentations and Master Presenter/M62, Associations Chambers of Commerce,Navarre and Guff Breeze Optimist International,Knights of Columbus,Civilian Emergency Response Team 56 highpoint Drive Gulf Breeze Florida 32561 Cell(850)•554-1367-Email:Joey Lernon liellsouth.net Christopher Battel,Chief Operating Officer Phone:(850)858-3321 chris.battel@j etpay.com Chris Battel joined JetPay in September of 2013 after a 25 year career in investment banking. Mr. Battel is a Chartered Financial Analyst, with 25 years of investment banking experience at prominent national, regional and boutique investment banks serving clients in technology, business services, financial services and health care industries. He has comprehensive leadership experience and knowledge in entrepreneurial, analytical and sales oriented environments. He is responsible for directing the leadership, strategy and operations of JetPay Payment Services,FL,with a focus on business growth and performance. Prior to joining JetPay,Mr.Battel held executive leadership positions at corporations and financial institutions, and coordinated more than 100 transaction processes involving mergers, acquisitions, public offerings, private placements of debt and equity securities.Mr.Battel received his Bachelor of Science in Finance from the University of Virginia,Masters of Business Administration from Georgia State University, and holds the globally recognized Chartered Financial Analyst credential for finance and investment professionals. 0 (0)850-858-3321 CHRISTOPHER F.BATTEL, CFA (C)850-607-3659 736 PEAKES POINT GULF BREEZE,FLORIDA 32561 Chris.B(d)CollectorSolutions.cottl PROFILE l` investment banker with 25 years of prominent national,regional and boutique investment banks advising corporate clients in technology,business services,financial services and health carr.industries 'k Led service businesses and employees in eattrepreneurial,analytical and salts oriented environments * Ran 100+transaction processes involving mergers,acquisitions,sales,leveraged buyouts, recapitalizations,public offerings and private placements of debt and equity securities 'k Expert on securities insurance and repurchases,business and securities valuation,due diligence, representations&warranties,minority and controlling ownership transactions * Chartered Financial Analyst---globally recognized credentials for finance and invesunent.professionals 'k Co-Founder of health care data and analytical company for hospital and emergency medicine patients EXPERIENCE CHIEF OPERATIONS OFFICER Collecior,Sohrlions,Inc.,Pensawla,Florida 2013-Present Lands the day to day operations of both business development av well as software development of an electronic payment processing and communications firm headquartered in Pensacola,Florida. As COO,has taken the lead in developing and delivering diverse solutions for clients to collect monies from their customer's electronically(credit card,debit card,e-check). In 2014 CollectorSolutions,Inc.(www.collectorsolutions.corn)processes over S4 Billion with a staff of only 23. PRESIDENT AND MANAGING DIRECTOR Legacy Securities Corp.Pensacola,Florida and Atlanta,Georgia 1994-2007 and 2008-2013 Co-founder and head of independent investment bank providing institutional capital raising services and merger& acquisition financial advisory services to entrepreneurial companies that are in the middle market(valuations up to $250 million).Legacy Securities(w w.le&acyseckri!j pg)is a prominent boutique investment bank with an excellent transaction execution reputation in the South across a variety of industries including technology,healthcare, consumer services,business and fiinancial.services. CO-FOUNDER AND CHIEF EXECUTIVE OFFICER Metis Health LLC,Gulf Breeze,Florida 2011-2013 Co-founder and CEO of Metis Health(www_inetisphr con)which empowers patients with all of their personal medical information(gather and continuously update diagnoses,procedures,prescriptions,lab results)and engages patients in managing their health.Metis engages patients and hospitals and emergency medicine to be more involved in managing their health which results in lower costs and better health outcomes. MANAGING DIRECTOR Headwater Af13,LLC;Atlanta,Georgia 2007-2008 Led tae Atlanta office and the Business Services industry practice for Headwaters MB,www.headwatcremb.com,a national investment hank. • 0 CHRISTOPHER F. BATTEL„CFA VICE PRESIDENT,INVESTMENT BANKING Morgan Keegan&Company,Inc.;Atlanta,Georgia 1990-1994 Co-led hotel REIT practice—lead banker far Equity Inns and.Winston Hotels relationships.Investment banker responsible for business development and transacting public and private equity and debt offerings,mergers& acquisitions,financial advisory engagements and merchant banking investments. FINANCIAL ANALYST,INVESTMENT BANKING Prudential-Bache Capital Funding;Atlanta,Georgia 1988-1990 Financial Analyst responsible for performing financial analyses in public and private equity and debt offerings,mergers &acquisitions,leveraged buyouts and recapitalizations. ASSISTANT SECRETARY Irving Trust Company;New York,New York 1986-1988 Bank offtcerresponsible for financial analysis of potential mergers&acquisitions for corporate development department of this prominent international commercial hank..Completed credit and corporate finance training program finishing first among 25 graduate and undergraduate peers. STAFF CONSULTANT Peterson&Co.;San Francisco,California 1985-1986 Provided litigation support and financial analyses used as expert court testimony of financial damages in construction claims,enterprise valuations and bankruptcy filings. EDUCATION CHARTERED FINANCIAL ANALYST GEORGIA STATE UNIVERSITY Atlanta,Georgia–Masters of Business Administration,1990 UNIVERSITY OF VIRGINIA Charlottesville,Virginia–Bachelor of Science in Finance(Graduate with Distinction), 1985 ASSOCIATIONS Center for Innovation and Entrepreneurship,Policy Board Member and Instructor Atlanta Society of Financial Analysts Chartered Financial Analyst Institute Legacy Capital Partners,Manager(a private investment partnership) Rotary,Five Flags of Pensacola 0 Rick Griffiths,Director of Account Management and Project Manager Phone: (850)858-3309 Rick.griffiths@j etpay.com Rick Griffiths joined JetPay in January 2014 and services as Director of Account Management. Prior to joining JetPay Mr. Griffiths served as a Corporate Account Manager for WebMD, and was a founding partner of Health Data Services.Mr.Griffiths has over 16 years of experience in account management. In addition to his role as the Director of Account Management,Mr. Griffiths has served as a key project manager for JetPay, and will continue to serve as the relationship manager to Collier County. He was instrumental in the migration of JetPay Payment Services,FL clients to our recently developed Magic platform, and has worked on large and complex clients' on- boarding such as the State of Illinois ePay program and their various participants throughout the state including state agencies,counties,cities,universities,etc. O Rick Griffiths 2494 Portland St Sarasota, FL. 34231 R g123bellsouth.net Career Profile • Over 20 years hands-on experience developing and managing full life cycle applications in a highly complex environment, full life cycle product and project management with experience with multidimensional/relational OLAP (MOLAP, ROLAP), relational and dimensional modeling for decision support environments, understanding various development phases and issues related to data warehouse implementations, fundamental concepts and architectural principles of data warehousing, business driven requirements design process, website design and configuration. • Deep knowledge and experience in every area of data analytics, data architecture, data management, data governance and Business Intelligence software and procedures. • Seasoned professional, with outstanding project planning, execution, monitoring and resource balancing skills with ability to support multiple simultaneous projects in a matrix organizational structure. • Excel at communicating with stakeholders to provide accurate reporting and information regarding the ongoing projects and initiatives. • Unique ability to translate corporate needs and business objectives into scalable, long-term technology solutions. • Excellent track record of leveraging operational excellence and broad business expertise to translate company vision into revenue growth and operational successes. Experience Metis Health Data - 2010 to Present CO-Founder / Chief Operating Officer • Metis provides custom PHI data release solutions for any entity that holds a properly authorized HIPAA release. • Designed multiple systems, transforming manual paper processes to electronic processes; designed and implemented initial integrated data warehouse, combining Healthcare claim data with Pharmacy claim data; designed electronic enrollment system, transforming process from manual paper process to electronic process. ' Developed product and project lifecycle programs for integrated system delivery. • Established policies and procedures establishing data governance initiatives, data quality, data modeling, standards, practices and principles and data architecture. • Established data product life cycle requirements and developed new product functionality while balancing budget restraints and client requirements. • Responsible for design, development, deployment, maintenance, enhancement, business socialization of Data Management, architecture, all aspects of enterprise business intelligence & data warehouse, enterprise data integration strategy. CORE Health Data Services - 2009 to 2010 Founder / Chief Executive Officer ' CORE provides PHI data solutions to (PMS) vendors, electronic medical records (EMR) vendors and hospital information systems (HIS) vendors that require PHI data for multiple programs. • Developed CORE Exchange Services and companion analytical software allowing exchange of actionable PHI data between data requestors and data suppliers. • Developed data usage and governance policies according to HIPAA, HITECH, Red Flag, State and local laws. • Managed data architects, programmers and database administrators; created MBOs and performance metrics for technical staff. • Managed and tracked the progress of all aspects of target accounts, including long term data strategy, data usage restrictions, account management and revenue opportunities. ' Resolved project delivery problems by analyzing issues, discerning the most appropriate courses of action, providing tactical direction and, when necessary, reallocating resources. ' Provided operations analysis and consulted to government clients on business process improvement. WebMD / ENVOY — 1993 to 2009 Director Corporate Accounts, WebMD 2002-2009 • Responsible for Strategic Account Development, by maintaining partnerships and relationships with assigned corporate accounts key decision makers. • Developed data exchange partnership programs with Payers, MCOs and ACOs. • Managed corporate accounts that produced over$26 million in annual revenue. • Demonstrated strong critical analysis, strategic development, budget management and problem solving skills. • Created budgets and forecasting models and associated management plans to achieve goals. • Extensive experience developing business partner strategies and directing complex business functions. • Developed marketing plans for assigned accounts and channel partners. ' Demonstrated ability to interact at senior executive levels, and build and expand on new relationships. Acquisition/Integration Team, WebMD 2000-2002 • Lead product system integration analyst for integration team. • Performed due-diligence on possible acquisition companies and created detailed system and product summaries on potential companies. ' Review technical and acquisition alternatives and assist in conducting benefit-cost analysis. • Prepare specifications, statements of work, and technical material for incorporation in the delivery document. • Verify that user-written statements of work and functional specifications are technically feasible and not unduly restrictive. Account Manager, ENVOY 1993-2000 • Project managed Y2K migration and mitigation plans for assigned accounts. • Responsible for designing and programming first electronic billing system. • Developed first electronic enrollment program for ENVOY. • Created data models and ETL polices for sales and account management support. • Managed business intelligence, data quality, data analysis and data conversion processes across multiple divisions. Harrington, Righter & Parsons LLC. (HRP/COX) — 1992 to 1993 0 Media Buyer • Negotiated and purchased television, radio, and print media for all accounts within an assigned group of markets. • Estimated, updated and adjusted all broadcast ratings per demographic, per quarter. • Negotiated rates, special placement and added value by medium for all markets. • Executes all media plans in the assigned group of markets within established budgets; buys media space and air time. • Meets with media representatives and accesses media database to research available options for media placement. • Maintained all media buys and is responsible for the post-buy results of all buys. • Monitored buys in progress by spot checking placement and negotiating credit or billing adjustments when necessary. Education 1992 - B.A. Mass Communications, University of South Florida Technical / Practical Summary • Project Management: Agile and Six Sigma processes. ' Databases: Oracle, Sybase, SQL Server, IBM UDB/DB2 and MS Access. • Data Modeling: Erwin, Power Designer, Embarcadero ER/Studio, MicroStrategy. • Database Reporting and Analytics: Oracle Business Intelligence Enterprise Edition, (OBIEE), Oracle BI Applications, Business Objects, Web Intelligence, Cognos and Micro Strategy. • Extraction,Transformation and Load: Informatica, SQL Server Information Services, Data Integrator. ' Other Software: IBM Web Sphere, Oracle Web Logic, SAP Net Weaver, Microsoft Office Tools, Microsoft Project, Microsoft Visual Studio, Lotus Notes, Adobe PDF tools. • Operating Systems: Windows 95/98/2000/NT/XP/Vista, Windows NT Server, UNIX, and IBM AIX. ▪ Languages: Visual Basic, C, COBOL, Progress, HTML, XML, JavaScript. • Protocols: TCP/IP, WAP, ATM, Frame Relay. • Training: Siebel CRM, Siebel Analytics/OBIEE, MS Dynamics, ePiphany CRM, Project Management, SAP Overview, Cognos, Business Objects, Data Integrator, Micro Strategy, Informatica, Erwin, Hyperion HFM, Hyperion Planning C Lynn Yelverton,Director of Customer Service Phone:(850)858-3303 lynn.yelverton@j etpay.com Lynn Yelverton joined JetPay in June 2011 and is Director of Customer Service. Mrs. Yelverton manages JetPay Payment Services,FL's Customer Service efforts and the JetPay Help Desk.Mrs.Yelverton is partially responsible for client training in conjunction with the client's relationship manager, and the JetPay help desk is responsible for all Tier 1 service calls. Mrs. Yelverton has over 17 years of experience in customer service, and has held leadership roles in the customer service industry for over 12 years. Mrs.Yelverton earned her bachelor's degree in Office Systems and MBA from Troy University. C) Lynn YeWvelton 2407 Portobella Place Cantonment,Florida 32533 Home Phone.8504374771 WORK EXPERIENCE: 2011-Present CollectorSolutlons,inc. Director of Customer Service • Provide excellent customer service to our clients and their customers. • Provide appropriate(raining,direction and motivation to team members to enable success. • Collaborate with the Director of Operations to define Customer Service policy and procedures. • Ensure that client/customer support activity is logged into ConnectWise. • Conduct client quarterly follow up calls. • Provide support to Sales. • Provide support to Merchant Services. 20077-2011 Medical Center Clinic--Office Administrator • Provide business function support for an office of 20 business managers and 75 physicians. • Manage customer interface and problemresolutions with professionalism and decisiveness, • Communicate with and manage communications for administrative Staff and multiple departments, • Serve as the"face"of our organization for our customers and guests in both personal and electronic interface. • Perform finance functions such as Physician audits and invoice routing,recording,and processing. • Perform administrative functions such as writing reports,preparing correspondence,and managing work order systems in a highly confidential environment 1999-2007 Progressive Management of America,Inc.—Property Manager • Conduct regular onsite management reviews. • Ensure compliance to property personnel policies and procedures. • Supervise and motivate on-site staff. • Implement rental increases andenforce collection procedures. • Ensure property compliance with Pair Housing Laws and Occupancy Guidelines. • Monitor resident selection criteria. • Submit accurate"'Weekly Rental/Leasing"information to Corporate Office. • Prepare marketing plans and resident profiles as requested. • Provide on-site management to other apartment communities when necessary. • Develop and maintain quality hiring and evaluation procedures. consistent with Owner requirements. • Ensure the collection of rents are accurately recorded and reported. 199&1999 Progressive Management of America,Inc.--Leasing Agent • Responsible for leasing packets,processing applications,certifications and(re)certifications according to federal and Owner regulations. • Maintain resident files. • Show the model and available ready vacancies. • Greet new residents and assist with the move-in process. • Assist in preparing market surveys. • Other duties outlined by the Property Manager. 1998 Touch I Communications—Segmentation Analyst • Analyze customer and prospect base to identify significant information as it pertains to marketing efforts. • Identify specialty list resources and make usage recommendations to project and channel managers. EDUCATION: 1994: MBA Business Administration,Troy University 1993: BS Office Systems,Troy University 1990: AS Office Management Technology,Pensacola Junior College C40 Rick Carroll,Chief Financial Officer Phone:(850)858-3315 rick.carroll@jetpay.com Rick Carroll,a Florida licensed CPA,joined JetPay in June 2012 and currently serves as Chief Financial Officer.He is responsible for development and implementation of the corporate strategic plan with emphasis on increasing market share,data management,and cost control. Prior to joining JetPay, Mr. Carroll had his own practice for over 10 years. Before that,Mr. Carroll held financial positions in the Banking and Healthcare industries.Mr.Carroll earned his Bachelor's Degree in Accounting from the University of West Florida. RTCHARD A. CA:RROL.L 022 NORT13.11Yt'rr AVENUE,PENSACOLA,FL 32501 WORK EXPERIENCE CollectorSolutions,Inc. June 2012-present CollectorSoutions,l:nc,is a third party payment processing company,an e-business,CollectorSolutions processes payments for a variety of industries,but focuses on tax collectors,other state agencies,and utility companies.In 2011, CollectorSolutions processed over 3 million transactions with a dollar amount in excess of 2.5 billion dollars. Chief Financial.Officer • Develop and implement strategic plan with emphasis on increasing market share,data management,and cost control. • Preparation of all federal,state and local tax returns. • Partner with other upper management on the development of annual budget. • Coordinate with external CPA firm on the completion of annual financial audit and SSAE.16 reporting. • Manage finance department. Richard A.Carroll,Certified Public Accountant,LLC,Pensacola,.Florida January 2002-May 20,1.2 In January 2002 established a certified public accounting firm serving a variety of clients including individuals,sole proprietors,LLCs,S-Corporations,C-Corporations,and Non-Profits. • Tax preparation for individual and business clients. • Complete payroll services covering a variety of industries,such as construction,restaurants,and non-profits. • Bookkeeping and compilation services. • Consulting projects,including budgeting,cost allocation,break-even analysis,and preparation of various forms and applications. • Educate business owners and train client staff on all accounting and tax issues. • Manage internal staff. Capital One Financial Corporation,Richmond,Virginia Capital One is a publicly traded Fortune Five Hundred company with over$200 billion in revenue. Capital One is comprised of over 50 companies and has a presence in several countries including the United States,Canada,United Kingdom,France,South Africa,China,and India. Accounting Specialist—Corporate Accounting January 2001—January 2002 • Worked as an accounting specialist for the international pillar of the corporate accounting office. The international pillar was responsible for consolidating the results of all corporate divisions,international and domestic,and presenting the results to upper management. • Personally responsible for summarizing the results of Canada and China divisions of the corporation. Worked closely with members of each of these divisions throughout the month as well as during month end on all major financial accounting issues. • Served as main point of contact for all international corporate accounting issues for all foreign divisions. • Consolidated Balance Sheet and income Statements for all corporate divisions. • Calculated effects of currency translations on financial results. • Calculated and recorded results of derivative transactions. • Improved existing Excel spreadsheets through the use of macros and pivot tables. As a result,improved accuracy and time efficiency during month end processes. • Training liaison during conversion to PeopleSoft accounting software. 375 West Chase Street Office 850.437.9870 Pensacola,FL 32302 email rlckgrcarrolicpe.corn • Involved in interview process for all new hires within corporate accounting. Baptist Healthcare Corporation,Pensacola,Florida Baptist Healthcare is a regional 1,100 bed integrated delivery system comprised of five community hospitals,a continuing care retirement center,the state's largest mental health facility,home health services,long term care facilities and a physician practice company. Reimbursement Analyst December 1998—January 2001 Promoted to Reimbursement Analyst in December 1998. Reimbursement department is responsible for all incoming revenue paid by Medicare,Medicaid,and other contractual payers. • Analyzed monthly revenue in order to calculate contractual allowances for five health care facilities and report results to senior management. • Gathered and analyzed appropriate data and determined allowable expenses based on governmental guidelines for annual cost reports. • Prepared annual Medicare and Medicaid cost reports for four facilities and submitted to appropriate agencies (Health.Care Financing Administration and Agency for Health Care Administration). • During annual audits,provided analysis and reports to government agencies, • Researched and investigated proposed audit adjustments and provided documentation to support the organization's position in disputed issues. • Interpreted and communicated current state and federal regulations to senior management and other staff members. • Directly responsible or key participant in developing revenue budgets for eight facilities with revenues in excess of$600 million. Chief Accounu nit December 1995. —December 1998 Monthly Close: ▪ Analyzed all expense accounts comparing actual to budgeted amounts,explaining and/or correcting where necessary. • Recorded adjusting and accrual entries,including detailed analysis of accounts receivable and bad debt reserves. • Performed employee benefit analysis and allocated expenses to all facilities for over 4,000 employees. • Prepared monthly report for Board of Directors,which included narrative,financial statements and graphical depiction of supporting information. • Assisted department managers with understanding the financial results of their departments. Audit: • Coordinated with external audit firm,Ernst&Young,during entire audit cycle. • Performed detailed account analysis to explain variances which exceeded scope. • Prepared various schedules and worksheets,such as bad debt analysis and long term debt roll-forward,as well as prepared graphs and footnotes for audited financial statements. • Compiled information for the corporate tax return. Budget: • Assisted department managers in developing S190 million expense budget for over 350 departments. • Solely responsible for budgeting 10 overhead departments,including items such as benefits,depreciation,and interest expense. The Oyster Bar,Pensacola,Florida Controller July 1994-December 1995 Collection Services,Inc.,Pensacola,FL 32501 Staff Accountant October 1991—December 1994 Citizens&Builders Federal Savings,Pensacola,FL 32501 Staff Accountant May 1990—October 1991 0 EDUCATION Certified Public Accountant,Florida,1995 Bachelor's Degree in Accounting,University of West Florida,Pensacola,Florida 1989 ADDITIONAL INFORMATION Computer Experience:Excel,QuickBooks,Peachtree,ATX tax,Word,Harvard Graphics,Internet,and industry specific accounting software programs. References Available upon request Heath Gardner,Software Development Director Phone:(850)858-3314 heath.gardner@j etpay.com Mr. Gardner joined JetPay in May 2012 as the lead Software Developer for JetPay's secure web based payment application. His primary responsibilities include software maintenance and development of new enhancements for the JetPay eCollections Portal User Interface and software configuration management. Prior to joining JetPay,Mr.Gardner worked for over 15 years in software engineering and project management roles providing him with broad experience and expertise in the software development lifecycle. Mr. Gardner earned a Master of Science in Management from Troy State University in addition to earning his Bachelor of Science in Computer Science from the University of West Florida. HEATH GARDNER 6637.Indian Street•Navarre,FL 32464•Phone:850-384-9522• • h-• r, *ti.rig. ,r • Director of Software Development Technology professional with experience managing enterprise information systems. Expert in gathering, analyzing and defining business and functional requirements;designing/re-engineering processes,workflows, and technology solutions. Proven ability to lead implementations and deliver next-generation technical solutions improving workplace productivity. Expertise Highlights • Software Architect • Database Design and SQL Queries • Project Management • Web Services • Agile Scrum Methodologies • ASP.net,VB.net and C#.net Development Professional Experience COLLECTORSOLUTIONS INCORPORATED(CSI)—PENSACO,FL 2012 to Present Director of Software Development Director of Software Development for CSIs secure web based payment application. CSI is an ePayment. company specializing in the processing, management and reconciliation of eCheck and Credit Card transactions uta hog the power flexibility,and scope of the Internet. Key Responsibilities: • Chief Software Architect for legacy and new software development projects • Oversee software developers and software development processes • Lead software team in agile scrum methodologies • Implement software development security best practices following OWASP Top Ten guidelines • Manage and oversee complete rewrite of payment platform by an outsourced software development team • Implemented the use of Atlassian product suite of lira,Stash,Bamboo,Confluence and Hipchat • Interact with payment acquirers/processors,vendor partners and clients on technical matters • Assist sales team with requests for proposals and demos to potential new dients TYBRIN CORPORATION—EGLIN AFB,FL 2000 to 2012 Software Enaineer-Level 5 Lead developer for Center Scheduling Enterprise (CSE) for Eglin,AFB. CSE is a resource scheduling and deconfliction web based application used at Eglin AFB,Edwards AFB,Nellis AFB,and other Air Force Primary Training Ranges(PTRs). Also a developer on an implementation of CSE for Space Command at Schriever AFB, Key Responsibilities: • Use software lifecyde principles for requirements, design, implementation, integration, testing, deployment,and maintenance of CSE. • Develop database tables,relationships and stored procedures using SQL Server 2008 Enterprise Tools. • Develop business logic layers and data access layers with VB.net in Visual Studio 2010. • Develop master pages,web pages,web controls,and web services using ASP.net,JavaScript,and Ajax in Visual Studio 2010. • Develop reports using Crystal Reports 11 and Microsoft SQL Server Reporting Services. Heath Gardner Resume Page 1 1111111k- _ 4 • Develop mapping display capabilities with Scalable Vector Graphics (SVG) and geospatial de-confliction with Geomedia Objects. O Utilize Team Foundation Server(TFS)for software configuration control management practices to ensure integrity of software builds for CSE. • Analyze and resolve technical problems that arise in a CSE production environment. • Provide end-user training of CSE application to customers as a CSE Instructor for Eglin's Test Engineer (TE)Boot Camp. • Instruct,train and review the work of lower level personnel. Prepare technical presentation and proposals to management in support of information technology programs and projects. • Enforce the Capability Maturity Model(CMM),Capability Maturity Model Integration(CMMI),and ISO 9001 standards for preparation of documentation including user manuals and design and requirements documentation. • Attended VS Live and Dev Connection conferences representing the organization to keep abreast of current and emerging technologies. IMAGE API, INC.,TALLAHASSE, FL 1999 to 2000 Prolect Manager Project manager for Image API's professional services group. Experience in project management, process reengineering, systems design and implementation,database design,and program management Key Responsibilities: • Designed and implemented a wide variety of solutions providing clients with measurable cost, performance,and management benefits. • Translated business needs into end-user requirements and provided end-user training of application to customers. • Applied industry knowledge of project planning and overall software development life methods. - Performed application design, development, testing, implementation, training, and user manual development. LIFEWAY CHRISTIAN RESOURCES—NASHVILLE,TN 1998 to 1999 Associate System Engineer Served as art associate system engineer for LifekiVay"s Information Technology Department. LifeWay Christian Resources is one of the largest leading resource suppliers for Christian churches and bookstores in the United States. Key Responsibilities: • Microsoft Access and Access Basic development. • Developed and implemented automated software build procedures. • Automated journal entries to interface with the companies accounting system. - Performed database repairs, bug fixes,and Y2K compliance. • Analyzed and resolved technical problems involving database management concepts, methods, and principles. NETPDTC (NAVAL EDUCATION AND TECHNOLOGY PROFESSIONAL DEVELOPMENT 1996 to 1998 AND TECHNOLOGY CENTER)—PENSACOLA,FL Computer Soecialist Served as a Computer Specialist CO-OP for 2 alternating semesters and 2 part-time semesters. Heath Gardner Resume Page 2 10 . Key Responsibilities: • Developed and established methods for computation,analysis,display and storage of information. - Developed database applications using Oracle Designer 2000 CASE Tool. - Developed windows application using Visual Basic 5.0 accessing an Oracle database. US NAVAL RESERVES—PENSACOLA,FL 1991 to 1997 Hosoltal Corpsman Hospital Corpsman(HM)perform duties as assistants in the prevention and treatment of disease and injury and assist health care professionals in providing medical care to Navy people and their families. Key Responsibilities; • Performed general military and hospital corpsman duties. • Assistant Leading Petty Officer Clinical Division NH Unit 108. • Performed maintenance on DB3 personnel application. Education TROY STATE UNIVERSITY—FORT WALTON BEACH,FL Masters of Science in Management,2004 Emphasis In leadership and organizational effectiveness UNIVERSITY OF WEST FLORIDA—PENSACOLA, FL Bachelor of Science in Computer Science/Computer Information Systems,1997 Technology Summary Training: Microsoft Ignite,OWASP Application Security Training,Enterprise Development,Dev Intersection,Dev Connections,VS live,Tybrin Capability Maturity Model Training,Tybrin OSSP v2.4 Cartography Approach Training,ISO 9001 Basics Training, Tybrin introduction to organizations set of standard processes training Awards: Tybrin Corporation's first President's Award for Excellence,Team Eglin Award,SES Outstanding Team Award Applications: Visual Studio,Team Foundation Server, GTT,Jira,Stash,Bamboo, Confluence, Hipchat, Microsoft SQL Enterprise Manager, Microsoft SQL Query Analyzer, Crystal Reports, Microsoft SQL Server Reporting Services, Microsoft Visio, Microsoft Project, Microsoft Office Systems: Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003,Windows Server 2008,Windows Server 2012 Languages: SQL, C#.net, VB.net,ASP.net,JavaScript,VBScript,AJAX,Visual Basic for Applications (VBA),Pascal,COBOL,C,C++ References Available upon request Heath Gardner Resume Page 3 �rrnrr� Paul Shave,Information Technology Director Phone:(850)858-3310 paul.shave@jetpay.com Mr. Shave joined JetPay in May 2010.He is responsible for Network Integration, Security,and Service Delivery for the organization.He has worked in the Enterprise Network and Telecommunications field for over 20 years.During this time he has worked with a wide variety of technologies and implemented mission critical solutions and designs for many organizations worldwide. Prior to JetPay he was a Senior Network engineer for a regional technology integration firm performing network design and consulting in the areas of operational guidance, wide area/local area networking, VOIP, and network security.Previously,Mr. Shave served as a Network Administrator with the United States Air Force,specializing as troubleshooting and implementation for logistics systems in the European and Southwest Asia theaters. Paul Shave pauls@collectorsolutlans.com Summary of Technical Skills Dedicated Information Technology Professional with extensive real world experience.Adept with network security operations,policy development,and project management in fast paced environments.Proven track record of achievements and the development of innovative solutions to end user needs. IPS/IDS Vulnerability Management/Assessment Host Based Security Systems Patch Management/Deployment Systems Training Development Wireless Intrusion Detection Methods Classified Material Management Project Management Host Based Security Systems Policy Creation&Compliance Management Experience 2010-Present • information Technology Director,CollectorSolutions,Inc. Responsible for all aspects of IT management for an online payment processing ecosystem hosted in a high availability environment. Responsibilities: Annual budget planning/management Policy Development/implementation -Payment Card Industry Data Security Standard(PCI) -IT Security Policy End user training Microsoft Windows Server Microsoft SQL Server 2000/2005/2008 Server Virtualization Backup/Disaster Recovery Planning Mobile Device Management Systems Wireless IP Phone Management Data Center Planning Vendor Management Storage Area Networking Remote Management Technologies Customer Relationship management systems Network Security Management -FirewelliIntrusion Detection Management Technologies 2000 —2010 Senior Network Engineer,WAVEnet technologies,inc. Responsible for a team of 20 network engineers supporting a wide range of customers from small business up to Fortune 500 organizations and technologies in an engineering,sales, and management roles. 0 Shirley Everage,Technical Account Manager (850)858-3300 Shirley.martinez@j etpay.com Shirley Everage joined JetPay in January 2013 as a Customer Service Representative. In 2015 Mrs. Everage transitioned into a technical account management role with JetPay. Mrs. Everage has been instrumental in the migration of JetPay Payment Services,FL's client base from our Legacy platform to our new Magic platform.Prior to joining JetPay, Mrs. Everage served as a Sales Associate at Collective Solutions. Mrs. Everage earned her Bachelor's Degree in Marketing from Texas State University. SHIRLEY J EVERAGE CELL: 512.927.7097 • E-MAIL SHIRLEYMARTINEZCS@GMAIL.COM JOB OBJECTIVE:Seeking a job where I can utilize my experience and my knowledge to add value to an organization. KEY QUALIFICATIONS • 15+years in customer service and customer support • Verbal and written communication • Fluent in Spanish and English • Excellent skills in Microsoft Office Suite WORK EXPERIENCE JetPay Payment Services FL(January 2013—Present) Sales/Account Manager(January 2015—Present) • Identify new business opportunities • Planned marketing campaigns to develop long-term relationships with potential clients • Assisted in the development of the pricing structure for new clients as well as other contract terms and conditions. • Account Management Customer Service Representative(January 2013—2015) • Expressing clearly and concisely over the phone,via email and in person • Maintaining a high level of organization throughout the day • Performing a variety of tasks daily-using various computer programs and functions Collective Solutions June 2011—June 2012 Sales Associate • Assist in the development of a strong pipeline of new clients and projects in accounts through direct or indirect client contact and prospecting • Reviewed market research,interpreted data,and presented findings to marketing management. • Assist in solicitation and follow-up of customers'needs EDUCATION Texas State University, San Marcos,TX, June 2010,Bachelor's Degree in Marketing, **Reference available upon request** E LOCAL VENDOR PREFERENCE: 0 Detail by Entity Name Page 1 of 2 Florida Department of State Division oF CORPORATIONS 5,1b19/IV/1%W rg 3:frat.!,1-nail,Po tetrifilm Department of State / Division of Corporations / Search Records / Detail By Document Number/ Detail by Entity Name Foreign Limited Liability Company JETPAY PAYMENT SERVICES, FL,LLC Filing Information Document Number M16000004288 FEI/EIN Number 81-2280449 Date Filed 05/27/2016 State DE Status ACTIVE Last Event LC NAME CHANGE Event Date Filed 10/21/2016 Event Effective Date NONE Principal Address 7450 Tilghman Street Allentown,PA 18106 Changed:03/27/2018 Mailing Address 3939 West Drive Center Valley, PA 18034 Changed:03/27/2017 Registered Agent Name&Address C T CORPORATION SYSTEM 1200 SOUTH PINE ISLAND ROAD PLANTATION,FL 33324 Authorized Person(s)Detail Name&Address Title MBR DAVIDSON,PETER 7450 Tilghman Street Allentown,PA 18106 Title MBR KRZEMIEN,GREGORY M 0 http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype—Entity... 5/16/2018 Detail by Entity Name Page 2 of 2 7450 Tilghman Street Allentown,PA 18106 Annual Reports Report Year Filed Date 2017 03/27/2017 2018 03/27/2018 Document Images 03/27/2018—ANNUAL REPORT View image in PDF format D3/2712017--ANNUAL REPORT View image in PDF format 10/21/2010--LE Name Chane View image in PDF format 10/21/2016--t.:.Name Change View image in PDF format 08102/20.6--Merger View image in PDF format 06/27/2016--Foreign Limited View image in PDF format Florida Department of State,DrviSen of Cor;erat:nn. • http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=Entity... 5/16/2018 CAL County Admnstravve Seroces Department Ph:nun:me:It ux5 Form 2: Vendor Check List IMPORTANT: THIS SHEET MUST BE SIGNED.Please read carefully,sign in the spaces indicated and return with your Proposal. Vendor should check off each of the following items as the necessary action is completed: El/ The Solicitation Submittal has been signed. All applicable forms have been signed and included,along with licenses to complete the requirements oldie project. Any addenda have been signed and included. ALL SUBMITTALS MUST HAVE THE SOLICITATION NUMBER AND TITLE Name of Firm: .cra!7/1 L Address: 3/is. City,State,Zip: Ada.e et:A7-- 7 Telephone: ce c — 3-51./ Email: /1 4 , Representative Signature: Representative Name: tki-ft( Date 7 / Cattier C.,01411tY trlunelratrve Serves Department cwc ucvneti, Form 3:Conflict of Interest Affidavit The Vendor certifies that,to the best of its knowledge and belief,the past and current work on any Collier County project affiliated with this solicitation does not pose an organizational conflict as described by one of the three categories below: Biased ground rules —The firm has not set the "ground rules" for affiliated past or current Collier County project identified above (e.g., writing a procurement's statement of work, specifications,or performing systems engineering and technical direction for the procurement)which appears to skew the competition in favor of my firm. Impaired objectivity—The firm has not performed work on an affiliated past or current Collier County project identified above to evaluate proposals J past performance of itself or a competitor,which calls into question the contractor's ability to render impartial advice to the government. Unequal access to information—The firm has not had access to nonpublic information as part of its performance of a Collier County project identified above which may have provided the contractor(or an affiliate)with an unfair competitive advantage in current or future solicitations and contracts. In addition to this signed affidavit,the contractor I vendor must provide the following: I. All documents produced as a result of the work completed in the past or currently being worked on for the above mentioned project;and. 2. Indicate if the information produced was obtained as a matter of public record(in the"sunshine")or through non-public(not in the"sunshine")conversation(s),meeting(s),document(s)and/or other means. Failure to disclose all material or having an organizational conflict in one or more of the three categories above be identified. may result in the disqualification for future solicitations affiliated with the above referenced project(s). By the signature below. the firm (employees, officers and/or agents) certifies, and hereby discloses, that, to the best of their knowledge and belief, all relevant facts concerning past, present, or currently planned interest or activity (financial, contractual, organizational, or otherwise) which relates to the project identified above has been fully disclosed and does not pose an organizational conflict. Firm: fa, /�Ec .. . ' Gf'5 ft' t C._- . • Airy Signature and Date: -,,..w... _3 Print Name:_ 0114= _ _._._.. . -}- -'. -1�/ ( _._...._& V01,r vim• Title of Signatory: (� fM.r.' t � 1 Co'. ier County Administraltve Serw:e5 Department Pwcurerwar Service, ns Form 4:Vendor Declaration Statement BOARD OF COUNTY COMMISSIONERS Collier County Government Complex Naples,Florida 34112 Dear Commissioners: The undersigned,as Vendor declares that this response is made without connection or arrangement with any other person and this proposal is in every respect fair and made in good faith,without collusion or fraud. The Vendor agrees, if this solicitation submittal is accepted,to execute a Collier County document for the purpose of establishing a formal contractual relationship between the firm and Collier County, for the performance of all requirements to which the solicitation pertains. The Vendor states that the submitted is based upon the documents listed by the above referenced Solicitation,. Further, the vendor agrees that if awarded a contract for these goods and/or services, the vendor will not be eligible to compete,submit a proposal, be awarded,or perform as a sub-vendor for any future associated with work that is a result of this awarded contract. WITVESS WHEREOF.WE haveAreunt9 subscribed our names on this /7 day of 417 ,20 iSin the County of in the State of d e- e-- Firm's Legal Name: e/1907 ,arktif- (24(0 ce-s 1— Address: 3 / 5 ar firedI City,State,Zip Code: Ati. CSA 3 20Z— Florida Certificate of PA 1 (00000042,ft Authority Document Number Federal Tax Identification 3 e;,7 A7 Number *CCR#or CAGE Code *Only if Grant Funded Telephone: bó — 33 24 1 / ,03 Signature by: r F cdf4 (Typed and written) /' i Ca' Pr-e4 661/611"4641- ielej Title: Additional� Contact Information Send payments to: P(Jd �l�'C-fM S r vits, (required if different from Company nafne used ras payee above) ConMhl0t- CAvro( I Contact name: Title: C+4 hlti14.44 ttei' Address: rj • A �I/"�"G/ , C90 City,State,ZIP Avila�.8�"a /FL, s2...9)7-—� Telephone: ¢J ,1 •- 3 3/ST Email: t �`k i 11 rv7111 T • coviA Office servicing Collier .,v-e Q s .hive- a` s)/// County to place orders (required if different from above) Contact name: J be Levi tncrA Title: Address: 3/c, 6U. PI Alt Vred/ ,/ c o , City,State,ZIP kida Q /r/,'r-- / 52502- — Telephone: ' ‘05-B. r 33/ J Email: Joe , Letgoovl 114 12/7 CtrAk0 Cotner County Acknimtrotivesen cas Depaftment Prccutrrti'nt Ser.sces „is '+ Form 5: Immigration Affidavit Certification This Affidavit is required and should be signed, notarized by an authorized principal of the firm and submitted with formal solicitation submittals. Further, Vendors are required to enroll in the E-Verify program, and provide acceptableevidence of their enrollment, at the time of the submission of the Vendor's proposal. Acceptable evidence consists of a copy of the properly completed E-Verify Company Profile page or a copy of the fully executed E-Verify Memorandum of Understanding for the company. Failure to include this Affidavit and acceptable evidence of enrollment in the E-Verifv program may deem the Vendor's proposal as non-responsive. Collier County will not intentionally award County contracts to any Vendor who knowingly employs unauthorized alien workers, constituting a violation of the employment provision contained in 8 U.S.C. Section 1324 a(e)Section 274A(e)of the Immigration and Nationality Act("INA"). Collier County may consider the employment by any Vendor of unauthorized aliens a violation of Section 274A (e) of the INA. Such Violation by the recipient of the Employment Provisions contained in Section 274A (e) of the INA shall be grounds for unilateral termination of the contract by Collier County. Vendor attests that they are fully compliant with all applicable immigration laws (specifically to the 1986 immigration Act and subsequent Amendment(s))and agrees to comply with the provisions of the Memorandum of Understanding with E-Verify and to provide proof of enrollment in The Employment Eligibility Verification System (E-Verify), operated by the Department of Homeland Security in partnership with the Social Security Administration at the time ,of submission of the Vendor's proposal. /Nat s'vtc S F 6C_ Company Name " Print Name CiA '1 Sf f r -" SeN Title 1 014 l Signature ti Date Cf"7_ 2617 �.. �• /�'� State of L • v r Omar Agulla County of GM G I J} ~ :Commission#FF163t133 .: .: Expires: SEP 2h 2018 ;.• EONDEDURD 447...0" 1ST FLORIDA MOTAP LLC The signee of these Affidavit guarantees,as evidenced by the sworn affidavit required herein,the truth and accuracy of this affidavit to interrogatories hereinafter made. 043 • • • • • • • ElitrgitIsm° •a �Yfy'. EEGERTI*uolvIrr.rau3 ▪ 3 ': 1;1 i 4010S: 912 ::ori �1JAllATO14 1,41110.11TZt ▪.4.4,17.0 • CIp v ...f EVenly Company ID Number: 1154679 THE E-VERIFY MEMORANDUM OF UNDERSTANDING FOR EMPLOYERS ARTICLE I PURPOSE AND AUTHORITY The parties to this agreement are the Department of Homeland Security (DHS) and the JetPay Payment Services, FL, LLC (Employer). The purpose of this agreement is to set forth terms and conditions which the Employer will follow while participating in E-Verify. E-Verify is a program that electronically confirms an employee's eligibility to work in the United States after completion of Form 1-9, Employment Eligibility Verification (Form 1-9). This Memorandum of Understanding (MOU) explains certain features of the E-Verify program and describes specific responsibilities of the Employer, the Social Security Administration (SSA), and DHS. Authority for the E-Verify program is found in Title IV, Subtitle A, of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (IIRIRA), Pub. L. 104-208, 110 Stat. 3009, as amended(8 U.S.C. § 1324a note). The Federal Acquisition Regulation (FAR) Subpart 22.18, "Employment Eligibility Verification" and Executive Order 12989, as amended, provide authority for Federal contractors and subcontractors (Federal contractor)to use E-Verify to verify the employment eligibility of certain employees working on Federal contracts. ARTICLE II RESPONSIBILITIES A. RESPONSIBILITIES OF THE EMPLOYER 1. The Employer agrees to display the following notices supplied by DHS in a prominent place that is clearly visible to prospective employees and all employees who are to be verified through the system: a. Notice of E-Verify Participation b. Notice of Right to Work 2. The Employer agrees to provide to the SSA and DHS the names, titles, addresses, and telephone numbers of the Employer representatives to be contacted about E-Verify. The Employer also agrees to keep such information current by providing updated information to SSA and OHS whenever the representatives' contact information changes. 3. The Employer agrees to grant E-Verify access only to current employees who need E-Verify access. Employers must promptly terminate an employee's E-Verify access if the employer is separated from the company or no longer needs access to E-Verify. Page 1 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 0 Company ID Number: 1154679 4. The Employer agrees to become familiar with and comply with the most recent version of the E-Verify User Manual. 5. The Employer agrees that any Employer Representative who will create E-Verify cases will complete the E-Verify Tutorial before that individual creates any cases. a. The Employer agrees that all Employer representatives will take the refresher tutorials when prompted by E-Verify in order to continue using E-Verify. Failure to complete a refresher tutorial will prevent the Employer Representative from continued use of E-Verify. 6. The Employer agrees to comply with current Form 1-9 procedures, with two exceptions: a. If an employee presents a "List B" identity document, the Employer agrees to only accept"List B" documents that contain a photo. (List B documents identified in 8 C.F.R. § 274a.2(b)(1)(B)) can be presented during the Form 1-9 process to establish identity.) If an employee objects to the photo requirement for religious reasons, the Employer should contact E-Verify at 888-464-4218. b. If an employee presents a DHS Form 1-551 (Permanent Resident Card), Form 1-766 (Employment Authorization Document), or U.S. Passport or Passport Card to complete Form 1-9, the Employer agrees to make a photocopy of the document and to retain the photocopy with the employee's Form 1-9. The Employer will use the photocopy to verify the photo and to assist DHS with its review of photo mismatches that employees contest. DHS may in the future designate other documents that activate the photo screening tool. Note: Subject only to the exceptions noted previously in this paragraph,employees still retain the right to present any List A, or List B and List C, document(s) to complete the Form 1-9. 7. The Employer agrees to record the case verification number on the employee's Form 1-9 or to print the screen containing the case verification number and attach it to the employee's Form 1-9. 8. The Employer agrees that, although it participates in E-Verify, the Employer has a responsibility to complete, retain, and make available for inspection Forms 1-9 that relate to its employees, or from other requirements of applicable regulations or laws, including the obligation to comply with the antidiscrimination requirements of section 274B of the INA with respect to Form 1-9 procedures. a. The following modified requirements are the only exceptions to an Employer's obligation to not employ unauthorized workers and comply with the anti-discrimination provision of the INA: (1) List B identity documents must have photos,as described in paragraph 6 above; (2)When an Employer confirms the identity and employment eligibility of newly hired employee using E-Verify procedures, the Employer establishes a rebuttable presumption that it has not violated section 274A(a)(1)(A) of the Immigration and Nationality Act (INA)with respect to the hiring of that employee; (3) If the Employer receives a final nonconfirmation for an employee, but continues to employ that person, the Employer must notify DHS and the Employer is subject to a civil money penalty between $550 and $1,100 for each failure to notify OHS of continued employment following a final nonconfirmation; (4) If the Employer continues to employ an employee after receiving a final nonconfirmation, then the Employer is subject to a rebuttable presumption that it has knowingly Page 2 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 0 S3 Cf e x E_v r.r y111110 Company ID Number: 1154679 employed an unauthorized alien in violation of section 274A(a)(1)(A); and (5) no E-Verify participant is civilly or criminally liable under any law for any action taken in good faith based on information provided through the E-Verify. b. DHS reserves the right to conduct Form 1-9 compliance inspections, as well as any other enforcement or compliance activity authorized by law, including site visits, to ensure proper use of E-Verify. 9. The Employer is strictly prohibited from creating an E-Verify case before the employee has been hired, meaning that a firm offer of employment was extended and accepted and Form 1-9 was completed. The Employer agrees to create an E-Verify case for new employees within three Employer business days after each employee has been hired (after both Sections 1 and 2 of Form 1-9 have been completed), and to complete as many steps of the E-Verify process as are necessary according to the E-Verify User Manual. If E-Verify is temporarily unavailable,the three-day time period will be extended until it is again operational in order to accommodate the Employer's attempting, in good faith, to make inquiries during the period of unavailability. 10. The Employer agrees not to use E-Verify for pre-employment screening of job applicants, in support of any unlawful employment practice, or for any other use that this MOU or the E-Verify User Manual does not authorize. 11. The Employer must use E-Verify for all new employees. The Employer will not verify selectively and will not verify employees hired before the effective date of this MOU. Employers who are Federal contractors may qualify for exceptions to this requirement as described in Article 11.13 of this MOU. 12. The Employer agrees to follow appropriate procedures(see Article III below) regarding tentative nonconfirmations. The Employer must promptly notify employees in private of the finding and provide them with the notice and letter containing information specific to the employee's E-Verify case. The Employer agrees to provide both the English and the translated notice and letter for employees with limited English proficiency to employees. The Employer agrees to provide written referral instructions to employees and instruct affected employees to bring the English copy of the letter to the SSA. The Employer must allow employees to contest the finding, and not take adverse action against employees if they choose to contest the finding, while their case is still pending. Further, when employees contest a tentative nonconfirmation based upon a photo mismatch, the Employer must take additional steps (see Article I II.B. below) to contact DHS with information necessary to resolve the challenge. 13. The Employer agrees not to take any adverse action against an employee based upon the employee's perceived employment eligibility status while SSA or DHS is processing the verification request unless the Employer obtains knowledge (as defined in 8 C.F.R. § 274a.1(I))that the employee is not work authorized.The Employer understands that an initial inabilty of the SSA or DHS automated verification system to verify work authorization, a tentative nonconfirmation, a case in continuance (indicating the need for additional time for the government to resolve a case), or the finding of a photo mismatch, does not establish, and should not be interpreted as, evidence that the employee is not work authorized. In any of such cases, the employee must be provided a full and fair opportunity to contest the finding, and if he or she does so, the employee may not be terminated or suffer any adverse employment consequences based upon the employee's perceived employment eligibility status Page 3 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 0 v, Fr Company ID Number: 1154679 (including denying, reducing, or extending work hours, delaying or preventing training, requiring an employee to work in poorer conditions, withholding pay, refusing to assign the employee to a Federal contract or other assignment, or otherwise assuming that he or she is unauthorized to work) until and unless secondary verification by SSA or DHS has been completed and a final nonconfirmation has been issued. If the employee does not choose to contest a tentative nonconfirmation or a photo mismatch or if a secondary verification is completed and a final nonconfirmation is issued, then the Employer can find the employee is not work authorized and terminate the employee's employment. Employers or employees with questions about a final nonconfirmation may call E-Verify at 1-888-464- 4218 (customer service) or 1-888-897-7781 (worker hotline). 14. The Employer agrees to comply with Title VII of the Civil Rights Act of 1964 and section 274B of the INA as applicable by not discriminating unlawfully against any individual in hiring, firing, employment eligibility verification, or recruitment or referral practices because of his or her national origin or citizenship status, or by committing discriminatory documentary practices. The Employer understands that such illegal practices can include selective verification or use of E-Verify except as provided in part D below, or discharging or refusing to hire employees because they appear or sound "foreign" or have received tentative nonconfirmations. The Employer further understands that any violation of the immigration-related unfair employment practices provisions in section 274B of the INA could subject the Employer to civil penalties, back pay awards, and other sanctions, and violations of Title VII could subject the Employer to back pay awards, compensatory and punitive damages. Violations of either section 274B of the INA or Title VII may also lead to the termination of its participation in E-Verify. If the Employer has any questions relating to the anti-discrimination provision, it should contact OSC at 1-800-255-8155 or 1-800-237-2515 (TDD). 15. The Employer agrees that it will use the information it receives from E-Verify only to confirm the employment eligibility of employees as authorized by this MOU. The Employer agrees that it will safeguard this information, and means of access to it(such as PINS and passwords), to ensure that it is not used for any other purpose and as necessary to protect its confidentiality, including ensuring that it is not disseminated to any person other than employees of the Employer who are authorized to perform the Employer's responsibilities under this MOU, except for such dissemination as may be authorized in advance by SSA or DHS for legitimate purposes. 16. The Employer agrees to notify DHS immediately in the event of a breach of personal information. Breaches are defined as loss of control or unauthorized access to E-Verify personal data. All suspected or confirmed breaches should be reported by calling 1-888-464-4218 or via email at E-Verify dhs.gov. Please use"Privacy Incident— Password" in the subject line of your email when sending a breach report to E-Verify. 17. The Employer acknowledges that the information it receives from SSA is governed by the Privacy Act (5 U.S.C. § 552a(i)(1) and (3)) and the Social Security Act (42 U.S.C. 1306(a)). Any person who obtains this information under false pretenses or uses it for any purpose other than as provided for in this MOU may be subject to criminal penalties. 18. The Employer agrees to cooperate with DHS and SSA in their compliance monitoring and evaluation of E-Verify, which includes permitting DHS, SSA, their contractors and other agents, upon Page 4 of 17 E-Verify MOU for Employers l Revision Date 06/01/13 rt Y Nzw Company ID Number: 1154679 reasonable notice, to review Forms 1-9 and other employment records and to interview it and its employees regarding the Employer's use of E-Verify, and to respond in a prompt and accurate manner to DHS requests for information relating to their participation in E-Verify. 19. The Employer shall not make any false or unauthorized claims or references about its participation in E-Verify on its website, in advertising materials, or other media. The Employer shall not describe its services as federally-approved, federally-certified, or federally-recognized, or use language with a similar intent on its website or other materials provided to the public. Entering into this MOU does not mean that E-Verify endorses or authorizes your E-Verify services and any claim to that effect is false. 20. The Employer shall not state in its website or other public documents that any language used therein has been provided or approved by DHS, USCIS or the Verification Division, without first obtaining the prior written consent of DHS. 21. The Employer agrees that E-Verify trademarks and logos may be used only under license by DHS/USCIS (see M-795 (Web)) and, other than pursuant to the specific terms of such license, may not be used in any manner that might imply that the Employer's services, products, websites, or publications are sponsored by, endorsed by, licensed by, or affiliated with DHS, USCIS, or E-Verify. 22. The Employer understands that if it uses E-Verify procedures for any purpose other than as authorized by this MOU, the Employer may be subject to appropriate legal action and termination of its participation in E-Verify according to this MOU. B. RESPONSIBILITIES OF FEDERAL CONTRACTORS 1. If the Employer is a Federal contractor with the FAR E-Verify clause subject to the employment verification terms in Subpart 22.18 of the FAR, it will become familiar with and comply with the most current version of the E-Verify User Manual for Federal Contractors as well as the E-Verify Supplemental Guide for Federal Contractors. 2. In addition to the responsibilities of every employer outlined in this MOU, the Employer understands that if it is a Federal contractor subject to the employment verification terms in Subpart 22.18 of the FAR it must verify the employment eligibility of any"employee assigned to the contract" (as defined in FAR 22.1801). Once an employee has been verified through E-Verify by the Employer, the Employer may not create a second case for the employee through E-Verify. a. An Employer that is not enrolled in E-Verify as a Federal contractor at the time of a contract award must enroll as a Federal contractor in the E-Verify program within 30 calendar days of contract award and, within 90 days of enrollment, begin to verify employment eligibility of new hires using E-Verify. The Employer must verify those employees who are working in the United States, whether or not they are assigned to the contract. Once the Employer begins verifying new hires, such verification of new hires must be initiated within three business days after the hire date. Once enrolled in E Verify as a Federal contractor, the Employer must begin verification of employees assigned to the contract within 90 calendar days after the date of enrollment or within 30 days of an employee's assignment to the contract, whichever date is later. Page 5 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 1 IIla S"k E T:iST, y.,1 _ eri , „„,. , „,_, N\IIIIIII, Company ID Number: 1154679 b. Employers enrolled in E-Verify as a Federal contractor for 90 days or more at the time of a contract award must use E-Verify to begin verification of employment eligibility for new hires of the Employer who are working in the United States, whether or not assigned to the contract, within three business days after the date of hire. If the Employer is enrolled in E-Verify as a Federal contractor for 90 calendar days or less at the time of contract award,the Employer must, within 90 days of enrollment, begin to use E-Verify to initiate verification of new hires of the contractor who are working in the United States, whether or not assigned to the contract. Such verification of new hires must be initiated within three business days after the date of hire. An Employer enrolled as a Federal contractor in E-Verify must begin verification of each employee assigned to the contract within 90 calendar days after date of contract award or within 30 days after assignment to the contract, whichever is later. c. Federal contractors that are institutions of higher education (as defined at 20 U.S.C. 1001(a)), state or local governments, governments of Federally recognized Indian tribes, or sureties performing under a takeover agreement entered into with a Federal agency under a performance bond may choose to only verify new and existing employees assigned to the Federal contract. Such Federal contractors may, however, elect to verify all new hires, and/or all existing employees hired after November 6, 1986. Employers in this category must begin verification of employees assigned to the contract within 90 calendar days after the date of enrollment or within 30 days of an employee's assignment to the contract, whichever date is later. d. Upon enrollment, Employers who are Federal contractors may elect to verify employment eligibility of all existing employees working in the United States who were hired after November 6, 1986, instead of verifying only those employees assigned to a covered Federal contract. After enrollment, Employers must elect to verify existing staff following DHS procedures and begin E-Verify verification of all existing employees within 180 days after the election. e. The Employer may use a previously completed Form 1-9 as the basis for creating an E-Verify case for an employee assigned to a contract as long as: i. That Form 1-9 is complete (including the SSN) and complies with Article II.A.6, ii. The employee's work authorization has not expired, and iii. The Employer has reviewed the Form 1-9 information either in person or in communications with the employee to ensure that the employee's Section 1, Form 1-9 attestation has not changed (including, but not limited to, a lawful permanent resident alien having become a naturalized U.S. citizen). f. The Employer shall complete a new Form 1-9 consistent with Article II.A.6 or update the previous Form 1-9 to provide the necessary information if: i. The Employer cannot determine that Form 1-9 complies with Article II.A.6, ii. The employee's basis for work authorization as attested in Section 1 has expired or changed, or iii. The Form 1-9 contains no SSN or is otherwise incomplete. Note: If Section 1 of Form 1-9 is otherwise valid and up-to-date and the form otherwise complies with Page 6 of 17 E-Verify MOU for Employers l Revision Date 06/01/13 C VeriF Y Company ID Number: 1154679 Article 11.0.5, but reflects documentation (such as a U.S. passport or Form 1-551)that expired after completing Form 1-9, the Employer shall not require the production of additional documentation, or use the photo screening tool described in Article II.A.5, subject to any additional or superseding instructions that may be provided on this subject in the E-Verify User Manual. g. The Employer agrees not to require a second verification using E-Verify of any assigned employee who has previously been verified as a newly hired employee under this MOU or to authorize verification of any existing employee by any Employer that is not a Federal contractor based on this Article. 3. The Employer understands that if it is a Federal contractor, its compliance with this MOU is a performance requirement under the terms of the Federal contract or subcontract, and the Employer consents to the release of information relating to compliance with its verification responsibilities under this MOU to contracting officers or other officials authorized to review the Employer's compliance with Federal contracting requirements. C. RESPONSIBILITIES OF SSA 1. SSA agrees to allow DHS to compare data provided by the Employer against SSA's database. SSA sends DHS confirmation that the data sent either matches or does not match the information in SSA's database. 2. SSA agrees to safeguard the information the Employer provides through E-Verify procedures. SSA also agrees to limit access to such information, as is appropriate by law,to individuals responsible for the verification of Social Security numbers or responsible for evaluation of E-Verify or such other persons or entities who may be authorized by SSA as governed by the Privacy Act (5 U.S.C. § 552a), the Social Security Act (42 U.S.C. 1306(a)), and SSA regulations(20 CFR Part 401). 3. SSA agrees to provide case results from its database within three Federal Government work days of the initial inquiry. E-Verify provides the information to the Employer. 4. SSA agrees to update SSA records as necessary if the employee who contests the SSA tentative nonconfirmation visits an SSA field office and provides the required evidence. If the employee visits an SSA field office within the eight Federal Government work days from the date of referral to SSA, SSA agrees to update SSA records, if appropriate, within the eight-day period unless SSA determines that more than eight days may be necessary. In such cases, SSA will provide additional instructions to the employee. If the employee does not visit SSA in the time allowed, E-Verify may provide a final nonconfirmation to the employer. Note: If an Employer experiences technical problems, or has a policy question, the employer should contact E-Verify at 1-888-464-4218. D. RESPONSIBILITIES OF DHS 1. OHS agrees to provide the Employer with selected data from OHS databases to enable the Employer to conduct, to the extent authorized by this MOU: a. Automated verification checks on alien employees by electronic means, and Page 7 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 W j.S f ,}/ EVenly Company ID Number: 1154679 b. Photo verification checks (when avaiable) on employees. 2. DHS agrees to assist the Employer with operational problems associated with the Employer's participation in E-Verify. DHS agrees to provide the Employer names, titles, addresses, and telephone numbers of DHS representatives to be contacted during the E-Verify process. 3. OHS agrees to provide to the Employer with access to E-Verify training materials as well as an E-Verify User Manual that contain instructions on E-Verify policies, procedures, and requirements for both SSA and DHS, including restrictions on the use of E-Verify. 4. DHS agrees to train Employers on all important changes made to E-Verify through the use of mandatory refresher tutorials and updates to the E-Verify User Manual. Even without changes to E-Verify, OHS reserves the right to require employers to take mandatory refresher tutorials. 5. DHS agrees to provide to the Employer a notice,which indicates the Employer's participation in E-Verify. DHS also agrees to provide to the Employer anti-discrimination notices issued by the Office of Special Counsel for Immigration-Related Unfair Employment Practices (OSC), Civil Rights Division, U.S. Department of Justice. 6. OHS agrees to issue each of the Employer's E-Verify users a unique user identification number and password that permits them to log in to E-Verify. 7. DHS agrees to safeguard the information the Employer provides, and to limit access to such information to individuals responsible for the verification process, for evaluation of E-Verify, or to such other persons or entities as may be authorized by applicable law. Information will be used only to verify the accuracy of Social Security numbers and employment eligibility, to enforce the INA and Federal criminal laws, and to administer Federal contracting requirements. 8. DHS agrees to provide a means of automated verification that provides (in conjunction with SSA verification procedures) confirmation or tentative nonconfirmation of employees' employment eligibility within three Federal Government work days of the initial inquiry. 9. DHS agrees to provide a means of secondary verification (including updating DHS records) for employees who contest OHS tentative nonconfirmations and photo mismatch tentative nonconfirmations. This provides final confirmation or nonconfirmation of the employees' employment eligibility within 10 Federal Government work days of the date of referral to DHS, unless DHS determines that more than 10 days may be necessary. In such cases, OHS will provide additional verification instructions. ARTICLE III REFERRAL OF INDIVIDUALS TO SSA AND DHS A. REFERRAL TO SSA 1. If the Employer receives a tentative nonconfirmation issued by SSA, the Employer must print the notice as directed by E-Verify. The Employer must promptly notify employees in private of the finding and provide them with the notice and letter containing information specific to the employee's E-Verify Page 8 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 VeriIy4,e11 14 Company ID Number: 1154679 case. The Employer also agrees to provide both the English and the translated notice and letter for employees with limited English proficiency to employees. The Employer agrees to provide written referral instructions to employees and instruct affected employees to bring the English copy of the letter to the SSA. The Employer must allow employees to contest the finding, and not take adverse action against employees if they choose to contest the finding, while their case is still pending. 2. The Employer agrees to obtain the employee's response about whether he or she will contest the tentative nonconfirmation as soon as possible after the Employer receives the tentative nonconfirmation. Only the employee may determine whether he or she will contest the tentative nonconfirmation. 3. After a tentative nonconfirmation, the Employer will refer employees to SSA field offices only as directed by E-Verify. The Employer must record the case verification number, review the employee information submitted to E-Verify to identify any errors, and find out whether the employee contests the tentative nonconfirmation. The Employer will transmit the Social Security number, or any other corrected employee information that SSA requests, to SSA for verification again if this review indicates a need to do so. 4. The Employer will instruct the employee to visit an SSA office within eight Federal Government work days. SSA will electronically transmit the result of the referral to the Employer within 10 Federal Government work days of the referral unless it determines that more than 10 days is necessary. 5. While waiting for case results, the Employer agrees to check the E-Verify system regularly for case updates. 6. The Employer agrees not to ask the employee to obtain a printout from the Social Security Administration number database (the Numident) or other written verification of the SSN from the SSA. B. REFERRAL TO DHS 1. If the Employer receives a tentative nonconfirmation issued by OHS, the Employer must promptly notify employees in private of the finding and provide them with the notice and letter containing information specific to the employee's E-Verify case. The Employer also agrees to provide both the English and the translated notice and letter for employees with limited English proficiency to employees. The Employer must allow employees to contest the finding, and not take adverse action against employees if they choose to contest the finding, while their case is still pending. 2. The Employer agrees to obtain the employee's response about whether he or she will contest the tentative nonconfirmation as soon as possible after the Employer receives the tentative nonconfirmation. Only the employee may determine whether he or she will contest the tentative nonconfirmation. 3. The Employer agrees to refer individuals to OHS only when the employee chooses to contest a tentative nonconfirmation. 4. If the employee contests a tentative nonconfirmation issued by OHS, the Employer will instruct the Page 9 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 0 ri S:S� E-VeriFy s.. F.F...... Company ID Number: 1154679 employee to contact DHS through its toll-free hotline (as found on the referral letter) within eight Federal Government work days. 5. If the Employer finds a photo mismatch, the Employer must provide the photo mismatch tentative nonconfirmation notice and follow the instructions outlined in paragraph 1 of this section for tentative nonconfirmations, generally. 6. The Employer agrees that if an employee contests a tentative nonconfirmation based upon a photo mismatch, the Employer will send a copy of the employee's Form 1-551, Form 1-766, U.S. Passport, or passport card to DHS for review by: a. Scanning and uploading the document, or b. Sending a photocopy of the document by express mail (furnished and paid for by the employer). 7. The Employer understands that if it cannot determine whether there is a photo match/mismatch, the Employer must forward the employee's documentation to DHS as described in the preceding paragraph. The Employer agrees to resolve the case as specified by the DHS representative who will determine the photo match or mismatch. 8. DHS will electronically transmit the result of the referral to the Employer within 10 Federal Government work days of the referral unless it determines that more than 10 days is necessary. 9. While waiting for case results, the Employer agrees to check the E-Verify system regularly for case updates. ARTICLE IV SERVICE PROVISIONS A. NO SERVICE FEES 1. SSA and OHS will not charge the Employer for verification services performed under this MOU. The Employer is responsible for providing equipment needed to make inquiries. To access E-Verify, an Employer will need a personal computer with Internet access. ARTICLE V MODIFICATION AND TERMINATION A. MODIFICATION 1. This MOU is effective upon the signature of all parties and shall continue in effect for as long as the SSA and DHS operates the E-Verify program unless modified in writing by the mutual consent of all parties. 2. Any and all E-Verify system enhancements by DHS or SSA, including but not limited to E-Verify checking against additional data sources and instituting new verification policies or procedures, will be covered under this MOU and will not cause the need for a supplemental MOU that outlines these changes. Page 10 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 0 WIN 4119,14t E-verify Company ID Number: 1154679 B. TERMINATION 1. The Employer may terminate this MOU and its participation in E-Verify at any time upon 30 days prior written notice to the other parties. 2. Notwithstanding Article V, part A of this MOU, DHS may terminate this MOU, and thereby the Employer's participation in E-Verify, with or without notice at any time if deemed necessary because of the requirements of law or policy, or upon a determination by SSA or DHS that there has been a breach of system integrity or security by the Employer, or a failure on the part of the Employer to comply with established E-Verify procedures and/or legal requirements. The Employer understands that if it is a Federal contractor, termination of this MOU by any party for any reason may negatively affect the performance of its contractual responsibilities. Similarly, the Employer understands that if it is in a state where E-Verify is mandatory, termination of this by any party MOU may negatively affect the Employer's business. 3. An Employer that is a Federal contractor may terminate this MOU when the Federal contract that requires its participation in E-Verify is terminated or completed. In such cases, the Federal contractor must provide written notice to OHS. If an Employer that is a Federal contractor fails to provide such notice, then that Employer will remain an E-Verify participant, will remain bound by the terms of this MOU that apply to non-Federal contractor participants, and will be required to use the E-Verify procedures to verify the employment eligibility of all newly hired employees. 4. The Employer agrees that E-Verify is not liable for any losses, financial or otherwise, if the Employer is terminated from E-Verify. ARTICLE VI PARTIES A. Some or all SSA and DHS responsibilities under this MOU may be performed by contractor(s), and SSA and OHS may adjust verification responsibilities between each other as necessary. By separate agreement with OHS, SSA has agreed to perform its responsibilities as described in this MOU. B. Nothing in this MOU is intended,or should be construed, to create any right or benefit, substantive or procedural, enforceable at law by any third party against the United States, its agencies, officers, or employees, or against the Employer, its agents, officers, or employees. C.The Employer may not assign, directly or indirectly, whether by operation of law, change of control or merger, all or any part of its rights or obligations under this MOU without the prior written consent of DHS, which consent shall not be unreasonably withheld or delayed. Any attempt to sublicense, assign, or transfer any of the rights, duties, or obligations herein is void. D. Each party shall be solely responsible for defending any claim or action against it arising out of or related to E-Verify or this MOU, whether civil or criminal, and for any liability wherefrom, including(but not limited to) any dispute between the Employer and any other person or entity regarding the applicability of Section 403(d) of IIRIRA to any action taken or allegedly taken by the Employer. E. The Employer understands that its participation in E-Verify is not confidential information and may be disclosed as authorized or required by law and OHS or SSA policy, including but not limited to, Page 11 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 EVenly -� 5fiaIllll�i Company ID Number: 1154679 Congressional oversight, E-Verify publicity and media inquiries, determinations of compliance with Federal contractual requirements, and responses to inquiries under the Freedom of Information Act (FOIA). F. The individuals whose signatures appear below represent that they are authorized to enter into this MOU on behalf of the Employer and DHS respectively. The Employer understands that any inaccurate statement, representation, data or other information provided to DHS may subject the Employer, its subcontractors, its employees, or its representatives to: (1) prosecution for false statements pursuant to 18 U.S.C. 1001 and/or; (2) immediate termination of its MOU and/or; (3) possible debarment or suspension. G.The foregoing constitutes the full agreement on this subject between DHS and the Employer. To be accepted as an E-Verify participant, you should only sign the Employer's Section of the signature page. If you have any questions,contact E-Verify at 1-888-464-4218. Page 12 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 alt fry Vere 1ull�i Company ID Number: 1154679 Approved by: Employer JetPay Payment Services, FL, LLC Name (Please Type or Print) Title Christopher F Battel Signature Date Electronically Signed 12/29/2016 Department of Homeland Security—Verification Division Name (Please Type or Print) Title USCIS Verification Division Signature Date Electronically Signed 12/29/2016 Page 13 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 „:f ,, EVenly Company ID Number: 1154679 Information Required for the E-Verify Program Information relating to your Company: JetPay Payment Services, FL, LLC Company Name 316 South Baylen Street Suite 590 Pensacola, FL 32502 Company Facility Address Company Alternate Address County or Parish ESCAMBIA Employer Identification Number 812280449 North American Industry 522 Classification Systems Code Parent Company Number of Employees 20 to 99 Number of Sites Verified for 3 Page 14 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 CO Ev Company ID Number: 1154679 Are you verifying for more than 1 site? If yes, please provide the number of sites verified for in each State: FLORIDA 1 site(s) ILLINOIS 1 site(s) MISSOURI 1 site(s) Page 15 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 0 e Company ID Number: 1154679 Information relating to the Program Administrator(s)for your Company on policy questions or operational problems: Name Carol A Talamo Phone Number (850)858-3312 Fax Number (850)444-9331 Email Address carol.talamo@jetpay.com Name Rick A Carroll Phone Number (850)858-3315 Fax Number (850)444-9331 Email Address rick.carroll@jetpay.com Page 16 of 17 E-Verify MOU for Employers I Revision Date 06/01/13 EVenlyY,"t'. 5'!,,'0 . 1Ijuil( Company ID Number: 1154679 Page intentionally left blank Page 17 of 17 E-Verify MOU for Employers I Revision Date 06/01/1306 Colter' County ......---...--.....—..,.. 0.6-3,,6awe Sereces Departr44—. •-,V-IAWen:S.,<ell.; ',,A. Form 6:Vendor Substitute W-9 Request for Taxpayer Identification Number and Certification In accordance with the internal Revenue Service regulations. Collier County is required to collect the following information for tax reporting purposes from individuals and companies who do business with the County (including social security numbers if used by the individual or company for tax reporting purposes). Florida Statute 119.071(5) requires that the county notify you in writing of the reason for collecting this information, which will be used for no other purpose than herein stated. Please complete all information that applies to your business and return with your quote or proposal. I. General Information(provide all information) Taxpayer Name 7,re•r-PA i y. edgeg,ezwo,ki (as shown on Income tax return) Business Name ill different ii.om,taxpgyer name) Address 7(7TO "r/ ilelifriA...1 c-ik,/70 City ALL-Fkrataki State PA Zip jg/06 Telephone grb-gict-,32/-S" Email /VC-I<'CiA-17-0/k0477'7E7144r• Order Information(Must be tilled out) Remit I Payment Information(Must be filled out) Address yItu 61)-4.ti,-if Oa Address 3/G- S 6ctrie4i cirtel-- /I- 5r,0 gtits4 teA ...t... City State Zip -' 7-5112' City e-k(.5ez.Creq StaIte - Zip 32- 2- .— ,4/2 Email 4 te. I4'41001i (O, -1e riay , . Email t 'Ck- , CA rai it (g) J\ h9424i . ( 'I* i 2. Company Status(check only one) Individual/Sole Proprietor Corporation Partnership Tax Exempt(Federal income tax-exempt entity Limited Liability Company under Internal Revenue Service guidelines IRC 501 (c)3) Enter the tax classification ID= Disrevartied Fmital...L.',m_Cautaratitui...P= Purinershim 3, Taxpayer Identification Number(for tax reporting purposes only) Federal Tax Identification Number(TIN) cf0—0 6,.?,A 7t1 (Vendors who do not have a TIN,will be required to provide a social security number prior to an award), 4. Sign and Date Form:Certification: Under penult(C jet Zn,', I certifi,that tie i isonation shown on this form is correct to my knowledge. Sianat re V ( k lfri Date Thin; 0, Phone Mother It • i • CI e i ge-S/aed- ?„6„,,,,,,,..4- fi ct- f>,..13.• - 332- / • cxo) Fenn W'9 Request for Taxpayer Give Form to the (Ret December2014) identification Number and Certification requester.Do not Dopaement the send to the IRS. Internal Revenue Service 1 Name(as shown on your Income tax return).Name Is required on this Itne;do not leave this lino blank. JetPay Corporation t3 2 Business name/disregarded entity name,if different from above JetPay Payment Services,FL,LLC 3 Check appropriate box for federal tax classification;check only ono of the following seven boxes: 4 Exemptions(codes ly only to see 0 inevlduaVsole proprietor or ❑✓ C Corporation 0 S Corporation 0 Partnership ❑Trust/estate Instructions entitlon notae 3�): gsingle-member LLC Exempt payee code Of any) 0 Limited liability company.Enter the tax classification(C'C corporation.SSS corporation,Papartnershlp)► Exemption from FATCA reporting Noto.For a single-member LLC that la disregarded,do not chock LLC:chock the appropriate box In the Me above for the tax classification of tho single-member owner. code(If any) 0 Other(see instructions)* (Aviles to amours!'martarrdago,*r»usl 5 Address(number,street,and apt.or suite no.) Requester's name and address(optional) 2. 3939 West Drive N m 8 City,state,and ZIP code Center Valley,PA 18034 7 List account number(e)here(optional) Part-I Taxpayer identification Number(TIN) Enter your TIN in the appropriate box.The TiN provided must match the name given on tine 1 to avoid i Social seourtty number backup withholding,For individuals,this Is generally your social security number(SSN).However,fora resident alien,sole proprietor,or disregarded entity,sea the Part I Instructions on page 3.For other — — entitles,it is your employer Identification number(EIN),if you do not have a number,see How to get a TIN on page 3. or •Note.If the account Is in more than one name,see the Instructions for line 1 and the chart on page 4 for I Employer identification number guidelines on whose number to enter. 9 0 — 0 6 3 2 2 7 4 Part II Certification Under penalties of perjury,I certify that: 1. The number shown on this form Is my correct taxpayer Identification number(or I am waiting for a number to be Issued to me);and 2. i am not subject to backup withholding because:(a)I am exempt from backup withholding,or(b)I have not been notified by the Internal Revenue Service(IRS)that I am subject to backup withholding as a result of a failure to report all Interest or dividends,or(c)the IRS has notified me that I am no longer subject to backup withholding;and 3. I am a U.S.citizen or other U.S.person(defined below);and 4.The FATCA code(s)entered on this form(if any)indicating that I am exempt from FATCA reporting is correct. Certification Instructions.You must cross out Item 2 above If you have been notified by the IRS that you are currently subject to backup withholding because you have failed to report eg interest an•dividends on your tax return.For real estate transactions,item 2 does not apply.For mortgage interest paid,acquisition or abandonment of s,'f• red property,cancellation of debt,contributions to an individual retirement arrangement(IRA),and generally,payments other than interest d d.deride,you are not required to sign the certification,but you must provide your correct TIN.See the instructions on page 3. Sign stgnaturo• l Here u.s,parson► / Coto► General Instructions --"v4111111111110 •Form 1098(home mortgage interest),1098-E(student loan Interest),1098-T (tuition) Section references are to the Internal Revenue Coda unless otherwise noted. •Form 1099-C(canceled debt) Future developments.intonation about developments affecting Form W-9(such •Form 1099-A(acquisition or abandonment of secured property) as legislation enacted after we release h)la at wwwJrs.gov/tw9. Uso Form W-9 only ii you are a U.S.person(Including a resident alien),to Purpose of Form provide your correct TIN. An Individual or entity Font W-9 requester)who Is required to filo an Information It you do not return Form W-g to the requester with a TIN,you might be subject return with the IRS must obtain your correct taxpayer Identification number(TIN) to backup withholding.See What is backup withholding?on page 2. which may be your social security number(SSN),individual taxpayer Identification By signing the fifiod•cut form,you: number(MN),adoption taxpayer Identification number(ATIN),or employer 1.Certify that the TIN you are giving Is correct(or you aro wafting for number identification number(EIN) to report on an Information return the amount paid to to bo Issued) you,or other amount reportable on an information return.Examples of Information returns include,but are not limited to,tho following: 2.Certify that you aro not subject to backup withholding,or •Form 1099-iNT(interest earned or paid) 3.Claim exemption from backup withholding if you are a U.S.exempt payee.II •Form 1099-DIV(dividends,Including those from stocks or mutual funds) applicable,you are alsomcertifyingthat as a U.S.person your aa U.S.trade or ess Is notubocabb share of anect to the •Form 1099-MISC(r rlous types of Income,prizes,awards.or gross proceeds) withholding htax onartnership o reign partners'share of effectively connected Income,and •Form 1099-B(stock or mutual fund sales and certain other transactions by 4.Certify that FATCA codo(s)entered on this form(if any)Indicating that you aro brokers) exempt from the FATCA reporting,Is correct.See What is FATCA reporting?on •Form 1099-S(proceeds from real estate transactions) page 2 for further Information, •Form 1099-K(merchant card and third party network transactions) Cat.No.10231X Form W-9(Rev.12-2014) INSURANCE AND BONDING REQUIREMENTS Insurance/Bond Type Required Limits 1. Ei Worker's Compensation Statutory Limits of Florida Statutes, Chapter 440 and all Federal Government Statutory Limits and Requirements Evidence of Workers' Compensation coverage or a Certificate of Exemption issued by the State of Florida is required. Entities that are formed as Sole Proprietorships shall not be required to provide a proof of exemption. An application for exemption can he obtained online at https;l/apps.lid Is,com/bocexen)pt/ 2. X Employer's Liability S_100,000 single limit per occurrence 3. X Commercial General Bodily Injury and Property Damage Liability(Occurrence Form)patterned atter the 51.000,000_single limit per occurrence, $2,000,000 aggregate for Bodily Injury current ISO form Liability and Property Damage Liability. This shall include Premises and Operations; Independent Contractors; Products and Completed Operations and Contractual Liability. 4. X Indemnification To the maximum extent permitted by Florida law, the Contractor/Vendor shall defend, indemnify and hold harmless Collier County, its officers and employees from any and all liabilities,damages, losses and costs, including,but not limited to, reasonable attorneys' fees and paralegals' fees, to the extent caused by the negligence, recklessness, or intentionally wrongful conduct of the Contractor/ Vendor or anyone employed or utilized by the Contractor/Vendor in the performance of this Agreement. 5. 0 Automobile Liability S Each Occurrence; Bodily Injury & Property Damage. Owned/Non-owned/Hired;Automobile Included 6. 0 Other insurance as ® Watercraft Per Occurrence noted: .—,..---.�_.......�.__ ❑ United States Longshoreman's and Karborworker's Act coverage shall be maintained where applicable to the completion of the work. S Per Occurrence 0 Maritime Coverage(Jones Act) shall be maintained where applicable to the completion of the work. $ Per Occurrence ❑ Aircraft Liability coverage shall be carried in limits of not less than $5,000,000 each occurrence if applicable to the completion of the Services under this Agreement. S Per Occurrence ❑Pollution S ...._._....................... Per Occurrence ❑Professional Liability S Per claim&in the aggregate ❑ Project Professional Liability S.. ..._..._ ...._...,. Per Occurrence 0 0 Valuable Papers Insurance S Per Occurrence X Cyber Liability $5,000,000 Per Occurrence X Technology Errors&Omissions $5,000,000 Per Occurrence 7. ❑ Bid bond Shall be submitted with proposal response in the form of certified funds. cashiers' check or an irrevocable letter of credit, a cash bond posted with the County Clerk, or proposal bond in a sum equal to 5% of the cost proposal. All checks shall be made payable to the Collier County Board of County Commissioners on a bank or trust company located in the State of Florida and insured by the Federal Deposit Insurance Corporation. 8. 0 Performance and For projects in excess of$200,000, bonds shall be submitted with the executed Payment Bonds contract by Proposers receiving award, and written for 100% of the Contract award amount, the cost borne by the Proposer receiving an award. The Performance and Payment Bonds shall be underwritten by a surety authorized to do business in the State of Florida and otherwise acceptable to Owner;provided, however,the surety shall be rated as"A-"or better as to general policy holders rating and Class V or higher rating as to financial size category and the amount required shall not exceed 5% of the reported policy holders' surplus, all as reported in the most current Best Key Rating Guide, published by A.M. Best Company, Inc.of 75 Fulton Street,New York,New York 10038. 9. ® Vendor shall ensure that all subcontractors comply with the same insurance requirements that he is required to meet. The same Vendor shall provide County with certificates of insurance meeting the required insurance provisions. 10. ® Collier County must be named as "ADDITIONAL INSURED" on the insurance Certificate for Commercial General Liability where required. This insurance shall be primary and non-contributory with respect to any other insurance maintained by, or available for the benefit of, the Additional Insured and the Vendor's policy shall be endorsed accordingly. 11. ® The Certificate Holder shall be named as Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County,OR Collier County Government,OR Collier County. The Certificates of Insurance must state the Contract Number, or Project Number, or specific Project description, or must read: For any and all work performed on behalf of Collier County. 12. ® Thirty(30)Days Cancellation Notice required. Vendor's Insurance Statement We understand the insurance requirements of these specifications and that the evidence of insurability may be required within five(5),daays f the award of this solicitation. Name of Firm J—�i c is �tt—Date c/7/- ` . / �•�/ Vendor Signature 1 ' Print Name F Aatt-cL Insurance Agency wig.( of /46:0K-sy 4MM l Agent Name /6.144G- XC2R/Ai& Telephone Number F77-9114(-737( EXHIBIT C BUSINESS ASSOCIATE AGREEMENT (FOLLOWING THIS PAGE) II JetPay Payment Services,TX,LLC is a registered ISO/MSP of BMO Harris Bank N.A.,Chicago, IL 31 OVD EXHIBIT C TO MERCHANT CARD PROCESSING TERMS AND CONDITIONS BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("Agreement") is entered into between COLLIER COUNTY("Covered Entity")and JetPay Payment Services, TX,LLC,a Texas limited liability company, whose address is: 3361 Boyington Drive, Suite 180, Carrollton, TX 75006, ("Business Associate"), effective as of this ti*day of Pta r ,201 g (the"Effective Date"). WHEREAS, Covered Entity and Business Associate have entered into, or plan to enter into, an arrangement pursuant to which Business Associate may provide services for Covered Entity that require Business Associate to access, create and use Protected Health Information ("PHI") that is confidential under state and/or federal law;and WHEREAS,Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed by Covered Entity to Business Associate, or collected or created by Business Associate, in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), and the regulations promulgated there under, including, without limitation, the regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary of the Department of Health and Human Services (the "Secretary") (the "HITECH Act"); and other applicable state and federal laws, all as amended from time to time, including as amended by the Final Rule issued by the Secretary on January 17, 2013 titled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules"; and WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement with Business Associate meeting certain requirements with respect to the Use and Disclosure of PHI, which are met by this Agreement. NOW,THEREFORE, in consideration of the mutual promises contained herein and the exchange of information pursuant to this Agreement,the parties agree as follows: 1. Definitions. Capitalized terms used herein without definition shall have the meanings ascribed to them in the HIPAA Regulations or the HITECH Act,as applicable unless otherwise defined herein. 2.Obligations and Activities of Business Associate. a. Permitted Uses and Disclosures. Business Associate shall only Use or Disclose PHI for the purposes of(i) performing Business Associate's obligations under Merchant Application & Agreement, "Master Agreement" resulting from Covered Entity's Solicitation #18-7284 "Payment Processing and Related Services" of this Agreement and as permitted by this Agreement; or (ii) as permitted or Required By Law; or (iii) as otherwise permitted by this Agreement. Business Associate shall not Use or further Disclose PHI other than as permitted or required by this Agreement or as Required By Law. Page 1 of 8 trip Further,Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations or the HITECH Act if so used by Covered Entity, except that Business Associate may Use PHI(i) for the proper management and administration of Business Associate; and(ii) to carry out the legal responsibilities of Business Associate. Business Associate may Disclose PHI for the proper management and administration of Business Associate, to carry out its legal responsibilities or for payment purposes as specified in 45 CFR§ 164.506(c)(1) and(3), including but not limited to Disclosure to a business associate on behalf of a covered entity or health care provider for payment purposes of such covered entity or health care provider, with the expectation that such parties will provide reciprocal assistance to Covered Entity, provided that with respect to any such Disclosure either:(i)the Disclosure is Required By Law; or (ii) for permitted Disclosures when Required By Law, Business Associate shall obtain a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not use and further disclose such PHI except as Required By Law and for the purpose(s)for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached. b. Appropriate Safeguards. Business Associate shall implement administrative, physical and technical safeguards that (i) reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity; and (ii) prevent the Use or Disclosure of PHI other than as contemplated by the Master Agreement and this Agreement. c. Compliance with Security Provisions. Business Associate shall: (i) implement and maintain administrative safeguards as required by 45 CFR§ 164.308,physical safeguards as required by 45 CFR § 164.3 10 and technical safeguards as required by 45 CFR § 164.3 12; (ii) implement and document reasonable and appropriate policies and procedures as required by 45 CFR§ 164.3 16;and(iii) be in compliance with all requirements of the HITECH Act related to security and applicable as if Business Associate were a"covered entity,"as such term is defined in HIPAA. d. Compliance with Privacy Provisions. Business Associate shall only Use and Disclose PHI in compliance with each applicable requirement of 45 CFR § 164.504(e). Business Associate shall comply with all requirements of the HITECH Act related to privacy and applicable as if Business Associate were a "covered entity," as such term is defined in HIPAA. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164,Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s). e. Duty to Mitigate. Business Associate agrees to mitigate,to the extent practicable and mandated by law, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement. f. Encryption. To facilitate Business Associate's compliance with this Agreement and to assure adequate data security, Covered Entity agrees that all PHI provided or transmitted to Business Associate pursuant to the Master Agreement shall he provided or transmitted in a manner which renders such PHI unusable, unreadable or indecipherable to unauthorized persons, through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2)of the HITECH Act. Covered Entity acknowledges that failure to do so could contribute to or permit a Breach requiring patient notification under the HITECH Act and further agrees that Business Associate Page 2 of 8 shall have no liability for any Breach caused by such failure. 3. Reporting. a. Security Incidents and/or Unauthorized Use or Disclosure. Business Associate shall report to Covered Entity a successful Security Incident or any Use and/or Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law within a reasonable time of becoming aware of such Security Incident and/or unauthorized Use or Disclosure (but not later than five (5) days thereafter), in accordance with the notice provisions set forth herein. Business Associate shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered Entity,and(ii)any action pertaining to such Security Incident and/or unauthorized Use or Disclosure required by applicable federal and state laws and regulations. If such successful Security Incident or unauthorized Use or Disclosure results in a Breach as defined in the HITECH Act, then Covered Entity shall comply with the requirements of Section 3.b below. b. Breach of Unsecured PHI. The provisions of this Section 3.b are effective with respect to the Discovery of a Breach of Unsecured PHI occurring on or after September 23, 2009. With respect to any unauthorized acquisition, access, Use or Disclosure of Covered Entity's PHI by Business Associate, its agents or subcontractors,Business Associate shall(i)investigate such unauthorized acquisition,access, Use or Disclosure; (ii) determine whether such unauthorized acquisition, access, Use or Disclosure constitutes a reportable Breach under the HITECH Act; and (iii) document and retain its findings under clauses (i) and (ii). If Business Associate Discovers that a reportable Breach has occurred, Business Associate shall notify Covered Entity of such reportable Breach in writing within five(5)days of the date Business Associate Discovers such Breach. Business Associate shall be deemed to have discovered a Breach as of the first day that the Breach is either known to Business Associate or any of its employees, officers or agents, other than the person who committed the Breach,or by exercising reasonable diligence should have been known to Business Associate or any of its employees,officers or agents, other than the person who committed the Breach. To the extent the information is available to Business Associate, Business Associate's written notice shall include the information required by 45 CFR § 164.410(c). Business Associate shall promptly supplement the written report with additional information regarding the Breach as it obtains such information. Business Associate shall cooperate with Covered Entity in meeting Covered Entity's obligations under the HITECH Act with respect to such Breach. 4. Business Associate's Agents. To the extent that Business Associate uses one or more subcontractors or agents to provide services under Master Agreement, and such subcontractors or agents receive or have access to PHI, Business Associate shall sign an agreement with such subcontractors or agents containing substantially the same provisions as this Agreement. 5. Rights of Individuals. a. Access to PHI. Within ten(10) days of receipt of a request by Covered Entity, Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity or, as directed by Covered Entity,to an Individual to enable Covered Entity to fulfill its obligations under 45 CFR § 164.524. Subject to Section 5.b below, (i) in the event that any Individual requests access to PHI directly from Business Associate in connection with a routine billing inquiry, Business Associate shall directly respond to such request in compliance with 45 CFR § 164.524;and(ii) in the event such request appears to be for a purpose other than a routine billing inquiry, Business Associate shall forward a copy of such request to Covered Entity and shall fully cooperate with Covered Entity in responding to such request. In either case, a denial of access to requested PHI shall not be made without the prior written consent of Covered Entity. Page 3 of 8 b. Access to Electronic Health Records. If Business Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity with respect to PHI,then,to the extent an Individual has the right to request a copy of the PHI maintained in such Electronic Health Record pursuant to 45 CFR § 164.524 and makes such a request to Business Associate, Business Associate shall provide such individual with a copy of the information contained in such Electronic Health Record in an electronic format and, if the Individual so chooses, transmit such copy directly to an entity or person designated by the Individual. Business Associate may charge a fee to the individual for providing a copy of such information, but such fee may not exceed Business Associate's labor costs in responding to the request for the copy.The provisions of 45 CFR§ 164.524,including the exceptions to the requirement to provide a copy of PHI, shall otherwise apply and Business Associate shall comply therewith as if Business Associate were the "covered entity," as such term is defined in HIPAA. At Covered Entity's request, Business Associate shall provide Covered Entity with a copy of an Individual's PHI maintained in an Electronic Health Record in an electronic format and in a time and manner designated by Covered Entity in order for Covered Entity to comply with 45 CFR§ 164.524, as amended by the HITECH Act. c. Amendment of PHI. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR§ 164.526 at the request of Covered Entity or an Individual,and in the time and manner designated by Covered Entity. d. Accounting Rights. This Section 5.d is subject to Section 5.e below. Business Associate shall make available to Covered Entity,in response to a request from an Individual,information required for an accounting of disclosures of PHI with respect to the Individual, in accordance with 45 CFR § 164.528, incorporating exceptions to such accounting designated under such regulation. Such accounting is limited to disclosures that were made in the six (6) years prior to the request and shall not include any disclosures that were made prior to the compliance date of the HIPAA Regulations. Business Associate shall provide such information as is necessary to provide an accounting within ten(10)days of Covered Entity's request. Such accounting must he provided without cost to the Individual or to Covered Entity if it is the first accounting requested by an Individual within any six(6) month period; however, a reasonable, cost-based fee may be charged for subsequent accountings during that period if Business Associate informs Covered Entity and Covered Entity informs the Individual in advance of the fee, the Individual is afforded an opportunity to withdraw or modify the request and charging such fee is not otherwise contrary to law. Such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI. e. Accounting of Disclosures of Electronic Health Records. The provisions of this Section 5.e shall be effective on the date specified in the HITECH Act.If Business Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity, then, in addition to complying with the requirements set forth in Section 5.d above, Business Associate shall maintain an accounting of any Disclosures made through such Electronic Health Record for Treatment, Payment and Health Care Operations,as applicable. Such accounting shall comply with the requirements of the HITECH Act. Upon request by Covered Entity, Business Associate shall provide such accounting to Covered Entity in the time and manner specified by Covered Entity and in compliance with the HITECH Act. Alternatively, if Covered Entity responds to an Individual's request for an accounting of Disclosures made through an Electronic Health Record by providing the requesting Individual with a list of all business associates acting on behalf of Covered Entity,then Business Associate shall provide such accounting directly to the requesting Individual in the time and manner specified by the HITECH. Act. f. Agreement to Restrict Disclosure. If Covered Entity is required to comply with a restriction on the Disclosure of PHI pursuant to Section 13405 of the HITECH Act, then Covered Entity shall,to the extent necessary to comply with such restriction,provide written notice to Business Associate Page 4 of 8 of the name of the Individual requesting the restriction and the PHI affected thereby. Business Associate shall, upon receipt of such notification,not Disclose the identified PHI to any health plan for the purposes of carrying out Payment or Health Care Operations, except as otherwise required by law. Covered Entity shall also notify Business Associate of any other restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR§ 164.522. 6. Remuneration and Marketing. a. Remuneration for PHI. This Section 6.a shall be effective with respect to exchanges of PHI occurring six (6) months after the date of the promulgation of final regulations implementing the provisions of Section 13405(d) of the HITECH Act. On and after such date, Business Associate agrees that it shall not, directly or indirectly, receive remuneration in exchange for any PHI of Covered Entity except as otherwise permitted by the HITECH Act. b. Limitations on Use of PHI for Marketing Purposes. Business Associate shall not Use or Disclose PHI for the purpose of making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless such communication: (I)complies with the requirements of subparagraph(i),(ii)or(iii)of paragraph(1)of the definition of marketing contained in 45 CFR § 164.501, and (2) complies with the requirements of subparagraphs (A),(B) or(C) of Section 1 3406(a)(2) of the HITECH Act, and implementing regulations or guidance that may be issued or amended from time to time. Covered Entity agrees to assist Business Associate in determining if the foregoing requirements are met with respect to any such marketing communication. 7. Governmental Access to Records. Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary. Business Associate shall provide to Covered Entity a copy of any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary. 8. Minimum Necessary. To the extent required by the HITECH Act, Business Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed, to the minimum necessary to accomplish the intended Use, Disclosure or request, respectively. Effective on the date the Secretary issues guidance on what constitutes "minimum necessary" for purposes of the HIPAA Regulations, Business Associate shall limit its Use, Disclosure or request of PHI to only the minimum necessary as set forth in such guidance. 9. State Privacy Laws. Business Associate shall comply with state laws to extent that such state privacy laws are not preempted by HIPAA or the HITECH Act. 10. Termination. a. Breach by Business Associate. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate's obligations under this Agreement, then Covered Entity shall promptly notify Business Associate. With respect to such breach or violation, Business Associate shall take reasonable steps to cure such breach or end such violation, if possible. If such steps are either not possible or are unsuccessful, upon written notice to Business Associate,Covered Entity may terminate its relationship with Business Associate. Page 5 of 8 e .... imi..m...mjmgmi b. Breach by Covered Entity. If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity's obligations under this Agreement, then Business Associate shall promptly notify Covered Entity. With respect to such breach or violation, Covered Entity shall take reasonable steps to cure such breach or end such violation, if possible. If such steps are either not possible or are unsuccessful, upon written notice to Covered Entity,Business Entity may terminate its relationship with Covered Entity. c. Automatic Termination. This Agreement will automatically terminate, without any further action by the parties hereto, at such time as there are no longer any Service Agreements by and between the parties hereto. d. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as requested by Covered Entity, that Business Associate or its agents or subcontractors still maintain in any form and shall retain no copies of such PHI. If Covered Entity requests that Business Associate return PHI, such PHI shall be returned in a mutually agreed upon format and timeframe. If Business Associate reasonably determines that return or destruction is not feasible, Business Associate shall continue to extend the protections of this Agreement to such PHI, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction of such PHI not feasible. If Business Associate is asked to destroy the PHI, Business Associate shall destroy PHI in a manner that renders the PHI unusable, unreadable or indecipherable to unauthorized persons as specified in the HITECH Act. 11. Amendment. The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement any new or modified standards or requirements of HIPAA, the HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or confidentiality of PHI. Upon the request of Covered Entity, Business Associate agrees to promptly enter into negotiation concerning the terms of an amendment to this Agreement incorporating any such changes. 12. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever. 13. Effect on Underlying Arrangement. In the event of any conflict between this Agreement and any underlying arrangement between Covered Entity and Business Associate, the terms of this Agreement shall control. 14. Survival. The provisions of this Agreement shall survive the termination or expiration of any underlying arrangement between Covered Entity and Business Associate. 15. Interpretation. This Agreement shall he interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with such laws. 16. Governing Law. This Agreement shall be construed in accordance with the laws of the State of Florida. Page 6 of 8 el 1 17. Notices. All notices required or permitted under this Agreement shall be in writing and sent to the other party as directed below or as otherwise directed by either party, from time to time, by written notice to the other. All such notices shall be deemed validly given upon receipt of such notice by certified mail, postage prepaid,facsimile transmission,e-mail or personal or courier delivery: If to Covered Entity: Collier County Government Center 3311 Tamiami Trail E. Naples,FL 34112 Attn: Risk Management Director Telephone no:239-252-8461 Facsimile no: 239-252-8048 If to Business Associate: JetPay Payment Services, TX, LLC, a Texas limited liability company, whose address is: 3361 Boyington Drive, Suite 180, Carrollton, TX 75006 18. Indemnification. The Business Associate shall indemnify and hold harmless Covered Entity and any of Covered Entity's affiliates, directors, officers, employees and agents from and against any claim,cause of action,liability,damage,cost or expense(including reasonable attorney's fees)arising out of or directly relating to any non-permitted disclosure of Protected Health Information or other breach of this Agreement by Business Associate or any affiliate, director, officer,employee, agent or subcontractor of Business Associate. 19. Miscellaneous. a. Severability. In the event that any provision of this Agreement is adjudged by any court of competent jurisdiction to be void or unenforceable, all remaining provisions hereof shall continue to be binding on the parties hereto with the same force and effect as though such void or unenforceable provision had been deleted. b. Waiver. No failure or delay in exercising any right, power or remedy hereunder shall operate as a waiver thereof; nor shall any single or partial exercise of any right, power or remedy hereunder preclude any other further exercise thereof or the exercise of any other right, power or remedy. The rights provided hereunder are cumulative and not exclusive of any rights provided by law. c. Entire Agreement. This Agreement constitutes the entire agreement between the parties hereto relating to the subject matter hereof, and supercedes any prior or contemporaneous verbal or written agreements, communications and representations relating to the subject matter hereof. d. Counterparts, Facsimile. This agreement may be signed in two or more counterparts, each of which shall be deemed an original and all of which taken together shall constitute one and the same instrument. A copy of this Agreement bearing a facsimile signature shall be deemed to be an original. Page 7 of 8 CO) IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be signed as of the date first set forth above. COVERED ENTITY: BOARD OF COUNTY COMMISSIONERS OF COLLIER COUNTY, FLORIDA By: e Walker, Director of Risk Management First Witness: - BUSINESS ASSOCIATE: Signature JetPay Payment Services, TX, LLC, a Texas 56S I V A rc,d6 limitedEal7lcony Print Name: By: Se aik. Witness: Print Name: ' `-/y/"V ' 61.# Fir ignat , Title: i' d; 6/g`v Lis Print Name: oFor a dL._.LL G . Teach Deputy County Attorney Page 8 of 8 Page 1 of 2 ACC ® DATE(MM/DD/YYYY) PREP CERTIFICATE OF LIABILITY INSURANCE 11/14/2018 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER,AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED,the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER CONTACT NAME: Willis of Pennsylvania, Inc. PHONE FAX c/o 26 Century Blvd IA/C,No,EXt): 1-877-945-7378 (A/C,No): 1-888-467-2378 E-MAIL certificates@willis.com P.O. Box 305191 ADDRESS: Nashville, TN 372305191 USA INSURER(S)AFFORDING COVERAGE NAIC# INSURER A: Charter Oak Fire Insurance Company 25615 INSUREDINSURERS: Travelers Property Casualty Company of Ame 25674 JetPay Corporation 3939 West Drive INSURER C: Travelers Casualty Insurance Company of Am 19046 Attn: Gregory Krzemien INSURER D: National Union Fire Insurance Company of P 19445 Center Valley, PA 18034 INSURER E AXIS Insurance Company 37273 INSURER F: COVERAGES CERTIFICATE NUMBER:W8837514 REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES.LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. IPOLICY EFF POLICY EXP LTR TYPE OF INSURANCE NSD WVD POLICY NUMBER LIMITS (MM/DD/YYYY) (MM/DD/YYYY) X COMMERCIAL GENERAL LIABILITY EACH OCCURRENCE $ 1,000,000 DAMAGE CLAIMS-MADE X OCCUR PREM SESO(Ea occE ence) $ 1,000,000 A MED EXP(Any one person) $ 15,000 630 9K730803 06/21/2018 06/21/2019 PERSONAL&ADV INJURY $ 1,000,000 GE 'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $ 2,000,000 POLICY PRO- JECT LOC PRODUCTS-COMP/OPAGG $ 2,000,000 OTHER: $ AUTOMOBILE LIABILITY COMBINED SINGLE LIMIT $ 1,000,000 (Ea accident) x ANY AUTO BODILY INJURY(Per person) $ B OWNED SCHEDULED y BA 9K730803 06/21/2018 06/21/2019 BODILY INJURY(Per accident) $ AUTOS ONLY AUTOS HIRED NON-OWNED PROPERTY DAMAGE AUTOS ONLY AUTOS ONLY (Per accident) B X UMBRELLA LIAB X OCCUR EACH OCCURRENCE $ 10,000,000 EXCESSLIAB CLAIMS-MADE CUP 9K823988 06/21/2018 06/21/2019 AGGREGATE $ 10,000,000 DED X RETENTION$ 0 WORKERS COMPENSATION X PER OTH- AND EMPLOYERS'LIABILITY STATUTE ER Y/N C ANYPROPRIETOR/PARTNER/EXECUTIVE E.L.EACH ACCIDENT $ 1,000,000 OFFICER/MEMBER EXCLUDED? N/A UB-009K82006A 06/21/2018 06/21/2019 1,000,000 (Mandatory in NH) E.L.DISEASE-EA EMPLOYEE $ If yes,describe under 1,000,000 DESCRIPTION OF OPERATIONS below E.L.DISEASE-POLICY LIMIT $ D Cyber Ins./Privacy Liability 01-565-69-08 06/21/2018 06/21/2019 See below DESCRIPTION OF OPERATIONS/LOCATIONS/VEHICLES (ACORD 101,Additional Remarks Schedule,may be attached if more space is required) Additional Named Insureds: JetPay Payment Services, TX, LLC, JetPay Payment Services, FL, LLC, JetPay Payment Services, PA, LLC, JetPay HR & Payroll Services, Inc., Payroll Tax Filing Services, Inc., JetPay ISO Services LLC, JetPay Merchant Services LLC, JetPay, LLC, ACI Merchant Systems, LLC, CollectorSolutions, Inc. , CollectorSolutions, LLC SEE ATTACHED CERTIFICATE HOLDER CANCELLATION SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. AUTHORIZED REPRESENTATIVE Collier County Board of County Commissioners 3295 Tamiami Trail E (�01(,L(CC`_ Naples, FL 34112 /j�� ©1988-2016 ACORD CORPORATION. All rights reserved. ACORD 25(2016/03) The ACORD name and logo are registered marks of ACORD SR ID: 17047454 BATCH: 953725 AGENCY CUSTOMER ID: _ LOC#: A ADDITIONAL REMARKS SCHEDULE Page 2 of 2 AGENCY NAMED INSURED Willis of Pennsylvania, Inc. JetPay Corporation 3939 West Drive POLICY NUMBER Attn: Gregory Xrzemien See Page 1 Center Valley, PA 18034 CARRIER NAIC CODE See Page 1 See Page 1 EFFECTIVE DATE: See Page 1 ADDITIONAL REMARKS THIS ADDITIONAL REMARKS FORM IS A SCHEDULE TO ACORD FORM, FORM NUMBER: 25 FORM TITLE: Certificate of Liability Insurance Named Insureds Include: JetPay Payment Services, TX, LLC, JetPay Payment Services, FL, LLC, JetPay Payment Services, PA, LLC, JetPay HR & Payroll Services, Inc., Payroll Tax Filing Services, Inc.; JetPay ISO Services, LLC; JetPay Merchant Services, LLC; JetPay LLC; ACI Merchant Systems LLC; AD Computer Corporation dba JetPay Payroll Services; Collector Solutions, Inc.; Collector Solutions, LLC Cyber Insurance / Privacy Liability: Technology Errors and Omissions: $7,500,000 Network Security Liability: $7,500,000 Cyber/Privacy Liability: $7,500,000 Data Breach Fund: $2,500,000 Cyber Extortion: $7,500,000 Miscellaneous Professional Services: Each Claim: $7,500,000 / Aggregate: $7,500,000 Retention: $100,000 Solely in the performance of Payroll Management Services for others for a fee. Re: For any and all work performed on behalf of Collier County. Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR, Collier County Government, OR, Collier County are included as an Additional Insured as respects to General Liability and Auto Liability. General Liability and Auto Liability policy(ies) shall be Primary and Non-Contributory with any other insurance in force for or which may be purchased by Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR, Collier County Government, OR, Collier County. INSURER AFFORDING COVERAGE: AXIS Insurance Company NAIC#: 37273 POLICY NUMBER: MNN 631210/01/2018 EFF DATE: 06/21/2018 EXP DATE: 06/21/2019 TYPE OF INSURANCE: LIMIT DESCRIPTION: LIMIT AMOUNT: Crime See Below ADDITIONAL REMARKS: Employee Theft: $3,000,000 Premises: $125,000 In Transit: $125,000 Forgery: $3,000,000 Computer Fraud: $3,000,000 Funds Transfer Fraud: $3,000,000 Money Order and Counterfeit Currency Fraud: $250,000 Client Coverage: $1,000,000 Expense Coverage: $25,000 ACORD 101 (2008/01) ©2008 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD SR ID: 17047454 BATCH: 953725 CERT: W8837514