HSCC Salesforce Licenses

NYS OCFS intends to procure Salesforce Licenses pursuant to its

discretionary purchasing authority under State Finance Law §163(6). This

procurement opportunity is limited to New York State businesses certified

MWBE and SDVOB are qualified pursuant to Article 15-A of the New York

State Executive Law and Article 3 of Veterans’ Service Law.

HSCC Price Quote Form must be completed and returned to RFQ@ocfs.ny.gov

1. SCOPE

User licensing for the Office of Children and Services Human Services Call Center’s (OCFS HSCC) 250 users of the Salesforce CRM solution currently under development. License period will cover February 1, 2025 through January 31, 2026.

For the duration of an Authorized User Agreement, the Cloud Solution shall conform to the Cloud Solution Manufacturer’s specifications, Documentation, performance standards (including applicable license terms, warranties, guarantees, Service Level Agreements, service commitments, and credits).

1. CLOUD SERVICE MODEL

Salesforce Government Cloud Plus is a partitioned instance of Salesforce's Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), multi-tenant community cloud infrastructure built on AWS GovCloud (US) infrastructure.

1. CLOUD DEPLOYMENT MODEL

Public/Government Cloud. Customer Relationship Management environment utilized by the OCFS HSCC.

1. DATA CATEGORIZATION

Data classification is Confidentiality – moderate, Integrity – low, availability –moderate. The application will contain PPSI

1. DATA OWNERSHIP

OCFS shall own all right, title and interest in Data. Contractor shall not conduct Data Mining, cross tabulate, monitor, or perform any other Data Analytics without OCFS’ consent.

1. DATA LOCATION

All Data shall remain in CONUS.

1. ENCRYPTION

The application shall be compliant with all New York State and federal legal

requirements or other regulations for data collected, transmitted, or stored via the

application. All Confidential Data shall be encrypted in transit and at rest in

accordance with NYS Information Security Policy NYS P03-002 and NYS Encryption

Standard NYS S14-007.

Salesforce acknowledges and agrees that the application must be compliant

with all New York State and federal legal requirements or other regulations for data

collected, transmitted, or stored via the application. All Confidential Data will be

encrypted in transit and at rest in accordance with NYS Information Security Policy

NYS P03-002 and NYS Encryption Standard NYS S14-007.

1. SECURITY

Must comply with all relevant NYS Information Security policies and standards ( https://its.ny.gov/policies ).

Secure System Development Lifecycle (SSDL)

The vendor must follow the Secure System Development Lifecycle Process

NYS and Federal Data Compliance

The application shall be compliant with all New York State and federal legal

requirements or other regulations for data collected, transmitted, or stored via the

application. All Confidential Data shall be encrypted in transit and at rest in

accordance with NYS Information Security Policy NYS P03-002 and NYS Encryption

Standard NYS S14-007.

Vulnerability scanning & management according to NYS ITS Standard NYSS15-

002

• Vulnerability scanning must be performed prior to go live. If NYS ITS

performs the scan, the schedule must allow for one week of testing,

depending on the size of the application. The vendor may perform the

scans and will be required to supply results to the State for analysis

and acceptance.

• Penetration testing must be performed prior to go live. If NYS ITS

performs the testing, the schedule must allow at least 2 weeks,

depending on resource availability and size of the application and

scope of the test. The vendor may perform the scans and will be

required to supply results to the State for analysis and acceptance.

• Vulnerability and penetration testing can be performed in parallel

Disaster Recovery, Auditing, CONUS restrictions and right to review logs

- Discuss Disaster recovery backups and offsite management. All Cloud

hosting and all data storage restricted to continental United States. All

vendor system administrators located within the continental United States.

- Audit logs and reporting functionality that captures, at a minimum, the

following:

o User ID

o Transaction date and time stamps

o IP address

o Log on success / failure.

- Upon request, the Contractor will be required to provide the State with

security logs and reports (such as SOC2 Type 2, CAIQ, and ISO27001) to allow

the State to make an informed decision about the Contractor’s security

controls and their effectiveness.

1. MAINTENANCE/SUPPORT

Maintenance & Operations of the system will be provided by Salesforce Professional Services and OCFS HSCC for the duration of the project development. Post go-live, Maintenance & Operations of the system will be provided by OCFS HSCC.

Salesforce is committed to providing excellent service reliability, and is pleased to

offer OCFS a service level commitment of 99.7% general availability that applies to

the on-line services the customer purchases under an order form that SFDC makes

generally available to its customers on or after the SLA Effective Date, (collectively

“SLA Services”) with exceptions: (i) to the extent the customer already has an SLA for

a Service as part of the Agreement, such SLA remains in full force and effect for such

Service and such Service is excluded from the SLA Services and (ii) the Services listed

at

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/usl

a-excluded-services.pdf, (“Excluded Services List”), which may be updated from time

to time, provided any on-line services the customer purchases under an order form

that SFDC makes generally available to its customers that is not on the Excluded

Services List

1. INFRASTRUCTURE SUPPORT SERVICES

Infrastructure support services will be provided by AWS which is the supporting infrastructure for the Salesforce Government Cloud platform.

1. BUSINESS CONTINUITY/DISASTER RECOVERY (BC/DR) OPERATIONS

Customer data, up to the last committed transaction, is replicated to disk in near-real

time at the designated disaster recovery data center and is backed up at the primary

data center and then cloned to the disaster recovery data center. Disaster recovery

tests verify our projected recovery times and the integrity of the customer data.

Backups are performed daily at each data center facility without stopping access to

the application. Backup cloning is transmitted over an encrypted network (our MPLS

network across all data centers). Tapes never leave our secure data center facilities

unless they are to be retired and destroyed through a secure destruction process.

The backup retention policy is 90 days (30 days for sandboxes). Deleted / modified

data cannot be recovered after 90 days (30 days for sandboxes). If customers want a

longer retention, they can use the weekly export feature available in the system.

1. AUTHENTICATION TOKENS

For authentication, the Salesforce environment will leverage the NYS NY.Gov single sign-on.

1. APPLICATION PROGRAM INTERFACE (API) OR SELF ELECTRONIC PORTAL

Application will utilize APIs for address verification.

B. STATEMENT OF WORK

1. IMPLEMENTATION OF CLOUD SOLUTION

Not applicable - Implementation is covered under a separate RFQ

1. RECURRING SERVICES

User licensing for the Office of Children and Services Human Services Call Center’s (OCFS HSCC) 250 users of the Salesforce CRM solution currently under development. License period will cover February 1, 2025 through January 31, 2026.

Salesforce user license cost will be a yearly, recurring expense.

1. TRANSFER OF DATA

Not applicable - Data transfer is covered under a separate RFQ.

Contractor cannot charge for the transfer of Data unless the charges are provided for in response to this RFQ.

C. AUTHORIZED USER Terms and Conditions

Agency will purchase some or all of the quantities of the products and services detailed in the Financial Response (see Excel spreadsheet) over a ninety (90) day period from date of award, but not necessarily at one time. The Agency requires that the prices be held for ninety (90) days from the date of submission.

Only bids submitted on the RFQ Financial document will be considered responsive to this RFQ .

Price must include all customs, duties, and charges and is net, F.O.B. destination any point in New York State, for orders, as designated by the ordering agency including Inside Delivery.

1. DATA BREACH – REQUIRED CONTRACTOR ACTIONS

Contractor Incident Response (IR) Process should include a comparable process to the follow:

Initiation

Security incidents should be reported to the Agency Information Security Officer within one hour of being identified by the contractor.

• Business user identifies issue
• Business user communicates to OCFS point of contact
• OCFS point of contact assesses business request worthiness and priority
• OCFS point of contact logs case / request / issue in Contractor portal

(Including email of business user)

• Automatic email acknowledgment sent to OCFS point of contact

Triage

• Case / request / issue triaged by Contractor IR Lead

? All required information correctly populated

? Correctly prioritized

? Within contractual parameters (e.g., size, etc.)

? Communicates with client point of contact for clarity when needed

• Contractor IR Lead assesses an LOE for request / issue
• Forwards to support queue (i.e. change in status w/ notification to OCFS point

of contact)

Resolution

• Pooled IR team receives notification of new client request in queue
• Pooled IR team picks up request from queue (based on priority, skillset, and
• Pooled IR team calls on internal SMEs as needed - e.g., mobile, integration, etc.
• Chatter for dialog about case (both internal and with OCFS)
• Updates to case status & current status notes fields, which will be used on

Reports

1. AUTHORIZED USER ACCESS TO DATA

The Authorized User shall have access to Salesforce CRM Data at all times, through the term of the Authorized User Agreement.

The Authorized User shall have the ability to import or export Data in piecemeal or in its entirety at the Authorized User’s discretion at no charge to the Authorized User. This includes the ability for the Authorized User to import or export Data to/from other Contractors.

1. CONTRACTOR ACCESS TO DATA

Contractors shall have access to data on a need-to-know basis and each user will be required to sign a non-disclosure agreement.

1. SUSPENSION OF SERVICES

During any period of suspension of service, the Authorized User shall have full access to all Data at no charge. The Contractor shall not take any action to erase and/or withhold any Authorized User Data, except as directed by the Authorized User.

1. EXPIRATION OR TERMINATION OF SERVICES

Upon expiration or termination of an Authorized User Agreement, the Authorized User shall have full access to all Data for a period of 60 calendar days. During this period, the Contractor shall not take any action to erase and/or withhold any Data, except as directed by the Authorized User. An Authorized User shall have the right to specify a period more than 60 calendar days in its RFQ.

1. ACCESS TO SECURITY LOGS AND REPORTS

Audit logs and reporting functionality that captures, at a minimum, the

following:

o User ID

o Transaction date and time stamps

o IP address

o Log on success / failure

Upon request, the Contractor will be required to provide the State with

security logs and reports (such as SOC2 Type 2, CAIQ, and ISO27001) to allow

the State to make an informed decision about the Contractor’s security

controls and their effectiveness.

1. CONTRACTOR PERFORMANCE AUDIT

Trust.salesforce.com is the Salesforce community’s home for real-time information

on system performance and security. On this site you’ll find:

• Up-to-the minute information on planned maintenance
• Phishing, malicious software, and social engineering threats
• Best security practices for your organization
• Information on how we safeguard your data

1. MODIFICATION TO CLOUD SERVICE DEPLOYMENT MODEL, SERVICE MODEL, AND/OR INITIAL FUNCTIONALITY WITHIN AN AUTHORIZED USER AGREEMENT

As Cloud services, can be flexible and dynamic, delivery mechanisms may be subject to change. This may result in changes to the deployment model, service model, functionality, or SKU. The OGS and Authorized Users require notification of any such changes to ensure security and business needs are met.

Any changes to the deployment model, service model, functionality, or SKU (e.g., PaaS to IaaS) must be provided to OGS via Appendix C - Contract Modification Procedures.

In addition, notification must be provided to the Authorized User for review and acceptance, prior to implementation. Any changes to the Authorized User Agreement will require the Authorized User to re-assess the risk mitigation methodologies and strategies and revise the Authorized User Agreement as needed.

D. QUESTIONS

All questions shall be submitted in writing. The questions shall be emailed to the following email RFQ@ocfs.ny.gov.

Vendors are strongly encouraged to submit questions as early as possible. However, all questions must be submitted by the Question due date and time listed on the Cover Page of this RFQ. Answers to all questions of a substantive nature shall be provided to all Vendors who received this RFQ in the form of a question and answer document.

E. DOWNSTREAM PROHIBITION

N/A

F. AUTHORIZED USER DISPUTE RESOLUTION PROCESS

Should a dispute or protest arise regarding this RFQ, the dispute or protest will be considered and decided by the Authorized User.

1. Disputes or Controversies Occurring During the Term of the Authorized User Agreement.

In the event there is a dispute or controversy during the term of the Authorized User Agreement resulting from this RFQ, the Vendor and Authorized User agree to exercise their best efforts to resolve the dispute as soon as possible. The Vendor and Authorized User shall, without delay, continue to perform their respective obligations under the resulting Authorized User Agreement and this Centralized Contract which are not affected by the dispute. Primary responsibility for resolving any dispute arising under the Authorized User Agreement shall rest with the persons designated by the Authorized User and the Contract’s Contract Administrator and/or Account Manager.

In the event the Authorized User is dissatisfied with the Vendor’s Products provided under the Authorized User Agreement, the Authorized User shall notify the Vendor in writing pursuant to the terms of the Contract. In the event the Vendor has any disputes with the Authorized User, the Vendor shall so notify the Authorized User in writing. If either party notifies the other of such dispute or controversy, the other party shall then make good faith efforts to solve the problem or settle the dispute amicably, including meeting with the party’s representatives to attempt diligently to reach a satisfactory result.

If negotiation between such persons fails to resolve any such dispute to the satisfaction of the parties within fourteen (14) business days or as otherwise agreed to by the Vendor and Authorized User, of such notice, then the matter shall be submitted to the persons designated by the Authorized User and the Vendor’s senior officer of the rank of Vice President or higher as its representative. Such representatives shall meet in person and shall attempt in good faith to resolve the dispute within the next fourteen (14) business days or as otherwise agreed to by the parties. This meeting must be held before either party may seek any other method of dispute resolution, including judicial or governmental resolutions. Notwithstanding the foregoing, nothing in this section shall be construed to prevent either party from seeking and obtaining temporary equitable remedies, including injunctive relief.

The Vendor shall extend the dispute resolution period for so long as the Authorized User continues to make reasonable efforts to cure the breach, except with respect to disputes about the breach of payment of fees or infringement of its or its licensors’ intellectual property rights.

HSCC Price Quote Form must be completed and returned to RFQ@ocfs.ny.gov