DCCS Salesforce Licenses

Price Quote Form must be completed and returned to RFQ@ocfs.ny.gov

NYS OCFS intends to procure Salesforce Licenses pursuant to its discretionary purchasing authority under State Finance Law §163(6). This procurement opportunity is limited to New York State businesses certified MWBE and SDVOB are qualified pursuant to Article 15-A of the New York State Executive Law and Article 3 of Veterans’ Service Law.

Price Quote Form must be completed and returned to RFQ@ocfs.ny.gov

1. SCOPE

Implement a full end-to-end process of grant management for the distribution of

Federal pandemic funds to NYS Child Care Providers by September 1, 2024.

o The Solution will provide: § Guided processes for Child Care Providers to apply for Assistance, delivering the optimal user experience

• Streamline and facilitate the eligibility and review process by delivering calculation and verification procedures
• Dynamic workflow capabilities to guide the application from submission through determination, incorporating email notifications/alerts, and task management, supporting grant processors, grant managers, and management oversight.
• Generate the disbursement schedule that childcare providers will be able to certify for payment processing
• Deliver OCFS the necessary reports and dashboards to ensure federal and state compliance and deliver transparency for the duration of the program.

For the duration of an Authorized User Agreement, the Cloud Solution shall conform to the Cloud Solution Manufacturer’s specifications, Documentation, performance standards (including applicable license terms, warranties, guarantees, Service Level Agreements, service commitments, and credits).

1. CLOUD SERVICE MODEL

Salesforce Government Cloud Plus is a partitioned instance of Salesforce's industry-leading Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), multi-tenant community cloud infrastructure built on AWS GovCloud (US) infrastructure. This is built into our subscription cost and customers do not need to procure it separately.

1. CLOUD DEPLOYMENT MODEL

Public cloud. Public portal for NYS Day Care providers to submit grant applications.

1. DATA CATEGORIZATION

Data classification is Confidentiality – moderate, Integrity – low, availability – low. The application will contain PPSI including unverified SSNs, tax id, and bank account numbers

1. DATA OWNERSHIP

OCFS shall own all right, title and interest in Data.

1. DATA LOCATION

All Data shall remain in CONUS.

1. ENCRYPTION

[The application shall be compliant with all New York State and federal legal

requirements or other regulations for data collected, transmitted, or stored via the

application. All Confidential Data shall be encrypted in transit and at rest in

accordance with NYS Information Security Policy NYS P03-002 and NYS Encryption

Standard NYS S14-007.

Salesforce acknowledges and agrees that the application must be compliant

with all New York State and federal legal requirements or other regulations for data

collected, transmitted, or stored via the application. All Confidential Data will be

encrypted in transit and at rest in accordance with NYS Information Security Policy

NYS P03-002 and NYS Encryption Standard NYS S14-007.

1. SECURITY

Secure System Development Lifecycle (SSDL)

The vendor must follow the Secure System Development Lifecycle Process

NYS and Federal Data Compliance

The application shall be compliant with all New York State and federal legal

requirements or other regulations for data collected, transmitted, or stored via the

application. All Confidential Data shall be encrypted in transit and at rest in

accordance with NYS Information Security Policy NYS P03-002 and NYS Encryption

Standard NYS S14-007.

Vulnerability scanning & management according to NYS ITS Standard NYSS15-

002

• Vulnerability scanning must be performed prior to go live. If NYS ITS

performs the scan, the schedule must allow for one week of testing,

depending on the size of the application. The vendor may perform the

scans and will be required to supply results to the State for analysis

and acceptance.

• Penetration testing must be performed prior to go live. If NYS ITS

performs the testing, the schedule must allow at least 2 weeks,

depending on resource availability and size of the application and

scope of the test. The vendor may perform the scans and will be

required to supply results to the State for analysis and acceptance.

• Vulnerability and penetration testing can be performed in parallel

Disaster Recovery, Auditing, CONUS restrictions and right to review logs

- Discuss Disaster recovery backups and offsite management. All Cloud

hosting and all data storage restricted to continental United States. All

vendor system administrators located within the continental United States.

- Audit logs and reporting functionality that captures, at a minimum, the

following:

o User ID

o Transaction date and time stamps

o IP address

o Log on success / failure.

- Upon request, the Contractor will be required to provide the State with

security logs and reports (such as SOC2 Type 2, CAIQ, and ISO27001) to allow

the State to make an informed decision about the Contractor’s security

controls and their effectiveness.

1. MAINTENANCE/SUPPORT

Maintenance & Operations of the system will be provided by MTX for

12-months and will be billed on a monthly basis.

Salesforce is committed to providing excellent service reliability, and is pleased to

offer OCFS a service level commitment of 99.7% general availability that applies to

the on-line services the customer purchases under an order form that SFDC makes

generally available to its customers on or after the SLA Effective Date, (collectively

“SLA Services”) with exceptions: (i) to the extent the customer already has an SLA for

a Service as part of the Agreement, such SLA remains in full force and effect for such

Service and such Service is excluded from the SLA Services and (ii) the Services listed

at

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/usl

a-excluded-services.pdf, (“Excluded Services List”), which may be updated from time

to time, provided any on-line services the customer purchases under an order form

that SFDC makes generally available to its customers that is not on the Excluded

1. INFRASTRUCTURE SUPPORT SERVICES

Infrastructure support services will be provided by AWS which is the supporting infrastructure for the Salesforce Government Cloud platform.

1. BUSINESS CONTINUITY/DISASTER RECOVERY (BC/DR) OPERATIONS

Customer data, up to the last committed transaction, is replicated to disk in near-real

time at the designated disaster recovery data center and is backed up at the primary

data center and then cloned to the disaster recovery data center. Disaster recovery

tests verify our projected recovery times and the integrity of the customer data.

Backups are performed daily at each data center facility without stopping access to

the application. Backup cloning is transmitted over an encrypted network (our MPLS

network across all data centers). Tapes never leave our secure data center facilities

unless they are to be retired and destroyed through a secure destruction process.

The backup retention policy is 90 days (30 days for sandboxes). Deleted / modified

data cannot be recovered after 90 days (30 days for sandboxes). If customers want a

longer retention, they can use the weekly export feature available in the system.

1. AUTHENTICATION TOKENS

For authentication, the Salesforce environment will leverage the NYS NY.Gov single sign-on.

1. APPLICATION PROGRAM INTERFACE (API) OR SELF ELECTRONIC PORTAL

Application will utilize several APIs for email/sms messaging, integration with on-premises systems (CAPS, SFS), and account validation services

1. STATEMENT OF WORK

1. IMPLEMENTATION OF CLOUD SOLUTION

Initiate Salesforce cloud environment. Develop Application and integrations. UAT Test. Security Audit. Train Staff. Go live.

1. RECURRING SERVICES

Maintenance & Operations of the system will be provided by MTX for

12-months and will be billed on a monthly basis.

1. TRANSFER OF DATA

Once initiation of the Salesforce cloud environment, OCFS will be added as an owner of the environment and will be able to dictate how we extend our use of the host application or transfer the data to the NYS network.

Contractor cannot charge for the transfer of Data unless the charges are provided for in response to this RFQ.

1. AUTHORIZED USER TERMS AND CONDITIONS

Agency will purchase some or all of the quantities of the products and services detailed in the Financial Response (see Excel spreadsheet) over a ninety (90) day period from date of award, but not necessarily at one time. The Agency requires that the prices be held for ninety (90) days from the date of submission.

Only bids submitted on the RFQ Financial document will be considered responsive to this RFQ.

1.DATA BREACH – REQUIRED CONTRACTOR ACTIONS

MTX Incident Response (IR) Process

Initiation

• Business user identifies issue
• Business user communicates to OCFS point of contact
• OCFS point of contact assesses business request worthiness and priority
• OCFS point of contact logs case / request / issue in MTX Beans portal

(including email of business user)

• Automatic email acknowledgment sent to OCFS point of contact

Triage

• Case / request / issue triaged by MTX IR Lead

? All required information correctly populated

? Correctly prioritized

? Within contractual parameters (e.g., size, etc.)

? Communicates with client point of contact for clarity when needed

• MTX IR Lead assesses an LOE for request / issue
• Forwards to support queue (i.e. change in status w/ notification to OCFS point

of contact)

Resolution

1. AUTHORIZED USER ACCESS TO DATA

The Authorized User shall have access to its Data at all times, through the term of the Authorized User Agreement, plus [STATE THE ADDITIONAL TIME PERIOD REQUIRED FOR EXPIRATION, TERMINATION OR SUSPENSION OF SERVICES.]

The Authorized User shall have the ability to import or export Data in piecemeal or in its entirety at the Authorized User’s discretion at no charge to the Authorized User. This includes the ability for the Authorized User to import or export Data to/from other Contractors.

3.CONTRACTOR ACCESS TO DATA

Contractors shall have access to data on a need to know basis.

4.SUSPENSION OF SERVICES

During any period of suspension of service, the Authorized User shall have full access to all Data at no charge. The Contractor shall not take any action to erase and/or withhold any Authorized User Data, except as directed by the Authorized User.

5.EXPIRATION OR TERMINATION OF SERVICES

Upon expiration or termination of an Authorized User Agreement, the Authorized User shall have full access to all Data for a period of 60 calendar days. During this period, the Contractor shall not take any action to erase and/or withhold any Data, except as directed by the Authorized User. An Authorized User shall have the right to specify a period more than 60 calendar days in its RFQ.

1. ACCESS TO SECURITY LOGS AND REPORTS

Audit logs and reporting functionality that captures, at a minimum, the

following:

o User ID;

o Transaction date and time stamps;

o IP address

o Log on success / failure.

Upon request, the Contractor will be required to provide the State with

security logs and reports (such as SOC2 Type 2, CAIQ, and ISO27001) to allow

the State to make an informed decision about the Contractor’s security

controls and their effectiveness.

1. CONTRACTOR PERFORMANCE AUDIT

Trust.salesforce.com is the Salesforce community’s home for real-time information

on system performance and security. On this site you’ll find:

• Up-to-the minute information on planned maintenance
• Phishing, malicious software, and social engineering threats
• Best security practices for your organization
• Information on how we safeguard your data

1. MODIFICATION TO CLOUD SERVICE DEPLOYMENT MODEL, SERVICE MODEL, AND/OR INITIAL FUNCTIONALITY WITHIN AN AUTHORIZED USER AGREEMENT

As Cloud services, can be flexible and dynamic, delivery mechanisms may be subject to change. This may result in changes to the deployment model, service model, functionality, or SKU. The OGS and Authorized Users require notification of any such changes to ensure security and business needs are met.

Any changes to the deployment model, service model, functionality, or SKU (e.g., PaaS to IaaS) must be provided to OGS via Appendix C - Contract Modification Procedures.

In addition, notification must be provided to the Authorized User for review and acceptance, prior to implementation. Any changes to the Authorized User Agreement will require the Authorized User to re-assess the risk mitigation methodologies and strategies and revise the Authorized User Agreement as needed.

1. QUESTIONS

All questions shall be submitted in writing using “QUESTION ATTACHMENT” [to be developed by the Authorized User] citing the document name and document section. The questions shall be emailed to the Designated Contact E-Mail Address indicated on the Cover Page of this RFQ.

Vendors are strongly encouraged to submit questions as early as possible. However, all questions must be submitted by the Question due date and time listed on the Cover Page of this RFQ. Answers to all questions of a substantive nature shall be provided to all Vendors who received this RFQ in the form of a question and answer document.

1. DOWNSTREAM PROHIBITION

N/A

1. AUTHORIZED USER DISPUTE RESOLUTION PROCESS

Should a dispute or protest arise regarding this RFQ, the dispute or protest will be considered and decided by the Authorized User.

1.Disputes or Controversies Occurring During the Term of the Authorized User Agreement.

In the event there is a dispute or controversy during the term of the Authorized User Agreement resulting from this RFQ, the Vendor and Authorized User agree to exercise their best efforts to resolve the dispute as soon as possible. The Vendor and Authorized User shall, without delay, continue to perform their respective obligations under the resulting Authorized User Agreement and this Centralized Contract which are not affected by the dispute. Primary responsibility for resolving any dispute arising under the Authorized User Agreement shall rest with the persons designated by the Authorized User and the Contract’s Contract Administrator and/or Account Manager.

In the event the Authorized User is dissatisfied with the Vendor’s Products provided under the Authorized User Agreement, the Authorized User shall notify the Vendor in writing pursuant to the terms of the Contract. In the event the Vendor has any disputes with the Authorized User, the Vendor shall so notify the Authorized User in writing. If either party notifies the other of such dispute or controversy, the other party shall then make good faith efforts to solve the problem or settle the dispute amicably, including meeting with the party’s representatives to attempt diligently to reach a satisfactory result.

If negotiation between such persons fails to resolve any such dispute to the satisfaction of the parties within fourteen (14) business days or as otherwise agreed to by the Vendor and Authorized User, of such notice, then the matter shall be submitted to the persons designated by the Authorized User and the Vendor’s senior officer of the rank of Vice President or higher as its representative. Such representatives shall meet in person and shall attempt in good faith to resolve the dispute within the next fourteen (14) business days or as otherwise agreed to by the parties. This meeting must be held before either party may seek any other method of dispute resolution, including judicial or governmental resolutions. Notwithstanding the foregoing, nothing in this section shall be construed to prevent either party from seeking and obtaining temporary equitable remedies, including injunctive relief.

The Vendor shall extend the dispute resolution period for so long as the Authorized User continues to make reasonable efforts to cure the breach, except with respect to disputes about the breach of payment of fees or infringement of its or its licensors’ intellectual property rights.

Price Quote Form must be completed and returned to RFQ@ocfs.ny.gov