Virtual Project Manager
City of La Quinta
Attn: Carley Escarrega
78495 Calle Tampico
La Quinta, CA 92253
RE: OFFICIAL RESPONSE TO CITY OF LA QUINTA RFP - PROJECT MANAGEMENT
SOFTWARE
To whom it may concern,
Virtual Project Manager is pleased to present our proposal for Project Management and
Construction Management Software to manage Capital Improvement projects for the City of La
Quinta, California. We are very interested in providing you with the best project management
software made specifically for public agencies. We have 24 years of experience working directly
with public agencies and listening to what makes managing CIP projects easier.
Our cloud-based software is unlike any other software on the market today. It is out-of-the-box
ready with native modules specific to public works design and construction. Virtual PM provides
construction project management tools and simplicity to projects. Virtual PM is made for public
agencies and only for public agencies. We are cloud-based with no software to install.
Our licensing is unlimited, which means unlimited users, unlimited projects, and unlimited
cloud-storage for a low fixed fee that is guaranteed for five years. We have streamlined the project
management process to be quick, easy, and efficient. We look forward to working with the City of
La Quinta, California and know that you will find our software to be high in value and quality.
We know how to work with the City of La Quinta because we are former Public Works Directors
and Project Managers who have worked for decades in Southern California. If you have any
questions or need additional information, please do not hesitate to contact me directly.
Thank you,
Lex Zuber
CEO/President
Virtual Project Manager
(760) 881-6627
lex@virtual-pm.com
Contact Person:
Dirk Epperson
Chief Operating Officer
Virtual Project Manager
(619) 867-8572
dirk@virtual-pm.com
Virtual Project Manager | 855.487.6776 | www.virtual-pm.com | PO Box 8127, Bend, OR 97708
Firm's Background, Qualifications, and Experience
Virtual Project Manager has 24 years of experience working directly with public agencies and
listening to what makes managing CIP projects easier. Our cloud-based software is unlike any
other software on the market today. It is out-of-the-box ready with native modules specific to
public works design and construction. Virtual Project Manager is specifically designed for public
agencies and those that work on public agency projects. We meet with all our clients with
regards to improvements through user group meetings. This is how we continue to improve and
add new features. We have access to over 200 public agency leaders to pull resources, ideas,
and solutions. Virtual Project Manager has a 99 percent retention rate. Our staff also includes
former project managers and public works officials who understand and apply project
management principles and how they apply specifically to public agency projects.
Project Team Members:
Lex Zuber — CEO/President
Lex was an environmental contractor for 18 years working with public agencies. He then founded
Virtual Project Manager in 2000 to help him manage his company. He then tailored the software
to meet the specific needs of public agencies and the management of Capital Improvement
Programs. Since 2000 Lex has worked directly with public agencies to understand their needs
and make Virtual Project Manager easy to use and easy to implement. Lex will be a
resource for The City of Lacey to answer questions about the software as well as help in the
development of future software features to continuously improve our service for Lacey, WA. Lex
works from his home office in Bend, Oregon.
Dirk Epperson, P.E., CCM, MPA, QSD — Chief Operating Officer
Dirk spent 20 years in the public sector working as an engineer, project manager, manager, and
Director of Public Works for various public agencies. He was a user of Virtual Project Manager
for 15 years. He joined Virtual Project Manager in July of 2020. He has been involved with several
of the key modules that have been created over the years and brings a wealth of public agency
knowledge to Virtual Project Manager. He has firsthand experience implementing Virtual Project
Manager at several public agencies. Dirk will lead client training and assist in user support. Dirk
works from his home office in San Diego, California.
Ian Sutherland, P.E. — National Sales Manager
Ian Sutherland has over eight years' experience in geotechnical engineering, construction
inspection, material testing, and environmental consulting services. Ian is a registered engineer
in Kansas and Missouri and joined Virtual Project Manager as a sales representative in April of
2021. He manages the sales team and covers territory that includes the Midwest and Eastern
United States. Ian will assist with training as well as provide technical support for the City. Ian
works remotely from his home office in Kansas City, Kansas.
RFP Questions
a. Number of Years in Business: 24
b. Taxpayer Identification Number: 46-1289884
c. Number of Years performing Software Management: 24
d. Firm ownership and if incorporated, list the state in which the firm is incorporated
and the date of incorporation: Owned by Lex Zuber. Incorporated in the State of Oregon.
Incorporated on October 15, 2012.
e. If the firm is a subsidiary of a parent company, identify the parent company: Virtual
Project Manager is not a subsidiary of a parent company
References of California Government Agencies
Virtual Project Manager works with over 60 public agencies and consultants working for public
agencies in the State of California. Below are several California city references.
Ceres, CA
Wing Chang - Assistant Engineer
Office: 209-538-5623 Cell: 209-872-3597
Guirong.Chang@ci.ceres.ca.us
Project Description: Project Management Software including implementation, training and
support.
Project Start and End Date: 2017-2024
Staff Assigned: Russ Klug
Summary of final outcome: The City of Ceres has been a customer since 2017.
City of Palmdale, CA
Client Project Manager: Hamed Hashemian - Deputy Director of Public Works
Telephone Number: (661) 267-5303
Email: hhashemian@cityofpalmdale.org
Project Description: Provide Project Management Software including implementation, training
and support.
Start and End Date: 2022-Present
Staff Assigned: Dirk Epperson
Summary of final outcome: The City of Palmdale has been a customer since 2022
City of La Mesa, CA
Client Project Manager: Michael Kinnard - Engineering Project Manager
Telephone Number: (619) 667-1155
Email: mkinnard@cityoflamesa.us
Project Description: Provide Project Management Software including implementation, training
and support.
Start and End Date: 2001-Present
Staff Assigned: Lex Zuber
Summary of final outcome: The City of La Mesa has been a customer since 2001
City of San Jose, CA
Client Project Manager: Aaron Becker - Construction Manager
Telephone Number: (831) 234-8439
Email: aaron.becker@sanjoseca.gov
Project Description: Provide Project Management Software including implementation, training
and support.
Start and End Date: 2010-Present
Staff Assigned: Russ Klug
Summary of final outcome: The City of San Jose has been a customer since 2010
Scope of Services
Construction Management
Virtual Project Manager was developed specifically to help public agencies manage construction
projects. The modules within Virtual PM have been refined over the years based on input and
feedback from the public agencies that we work with. While Virtual PM could be used to track
other types of projects, the modules have been designed specifically for construction projects.
Project Management
Virtual PM's software manages CIP projects from start to finish. It allows agencies to track project
schedules, contractual days, submittals, change orders, RFIs, transmittals, budgets, payments,
and punch list items. Our licensing is unlimited users so inspectors, project managers,
management staff, administrative staff, consultants and contractors can use one system for
uploading, reviewing, approving and tracking project data and documents. Project items can be
reassigned, and users are sent automatic email notifications that they are being asked to review or approve.
The VPM assistant allows all users to view all pending assignments within the system and the
number of days they have to complete each task.
Contract Management
Virtual PM can track projects through the entire project lifecycle. Project budgets and schedules
can be created within the VPM Design Module, while the VPM Construction Module tracks
contract bid items, contractual working days, change orders, RFIs, Submittals and all other
documents for your project. Virtual Bid is our new procurement module for posting project
information for contractors to review and submit their bids.
Budget Tracking
The VPM Budget module allows agencies to track project budgets from start to finish. Budget
expense categories are customizable and allow the City to keep track of expenses from various
funding sources. All expenses, encumbrances and commitments can be tracked within the
budget module and contractor payments are automatically routed to the budget module after
approval within the Payments module.
[Figure: Virtual PM Budget module screenshot for the sample project "Wells Park Indoor Soccer and Pickle Ball", showing the Budget Overview (paid to date, remaining to be paid, remaining budget), Expense Summary by expense type, and Funding Sources panels.]
Scheduling
The VPM Schedule module allows users to track project schedules from start to finish. Tasks can
be entered and linked to project phases. Users can link dependent tasks on a project and also
assign tasks to users within VPM. Project schedules can be viewed in the user's dashboard, which
can be filtered for different time periods, project managers, and project types.
[Figure: Virtual PM schedule dashboard screenshot showing sample projects on a monthly timeline, with filters for project phase and project manager.]
Task Tracking
Tasks can be assigned in VPM in multiple ways. Tasks can be assigned within the schedule module
described above. Users are also notified within other modules that they have been assigned a task,
including within the following modules: Plan Review, Payments, Change Orders, Punchlist, Submittals,
RFIs. Tasks are easily reassigned within VPM so that the correct user can quickly review or approve
pending items.
Workflow
Virtual PM is a flexible software that is ready to use out of the box. We work with agencies to
improve on their current processes and be more efficient. Payments and change order approvals
are routed from user to user seamlessly and can include contractors, consultants, and internal
city users. Submittal templates can be created so users have a clear understanding of where their
submittal documents need to be submitted and the project managers are notified that submittal
documents need to be reviewed. Weekly Statement of Working Days are automatically generated
for each week of a project with the necessary information.
Document Control
With unlimited cloud-storage, there is no limit to the number of documents and files that can be
stored in your Virtual PM system. Users can create custom folder structures for different types of
projects or different project users. Files can be uploaded and stored in the documents module or
uploaded into other modules within the system for accurate documentation. VPM allows users to
upload and store numerous file types, including pictures, PDF files, Excel, and video files. The status
of documents created in Virtual PM is tracked with notifications when status changes on items
including submittals, transmittals, change orders, punch list items and payment applications.
Ability to Have Different File System Templates
Virtual PM allows the city to create custom file system templates. The City can create multiple file
system templates and then easily import one or multiple folder templates into a project.
Ability to Export Reporting in Formats Readable by Microsoft Excel, text files, .csv, and/or
Portable Document Formats
Virtual PM reports can be exported in .csv format, readable by Microsoft Excel and Portable
Document Formats.
Integration with Other Software
Integration with other platforms can be done for an additional fee. We can provide a cost for
integrations after the city provides their required integrations. Virtual PM does not integrate with
BlueBeam because we offer our own markup and review tool that is included.
Training City Staff on Software
We will provide all of the training necessary for the City to use Virtual PM. Typically, training
consists of five, 1.5 hour training sessions. Each training session is specific to a particular group
of users. The actual number of training sessions will be dependent on the City's needs. Additional
training will be provided for the release of new features and modules.
Software Setup and Customizations
Virtual PM is completely cloud-based so there is no software to install. Prior to training, we will
schedule a kick-off meeting with management level staff to discuss custom settings. These
settings will be set up during the training sessions and can be changed at any time by the City's
Agency Administrators.
Describe the software, its platform and/or its delivery:
Is the software desktop/local or cloud-based?
Cloud Based.
How frequently is the software updated?
Monthly or as needed. The updates do not interfere with use of the software; they happen after
hours and last less than 10 minutes (average is 2 minutes).
Describe the technology or system requirements including servers/memory/storage if
applicable.
No servers, memory or storage requirements. Virtual PM can be accessed on a desktop, laptop,
tablet or smartphone with internet connection and running Safari, Chrome or Firefox.
If cloud based/hosted, please list how many times over the past two years the system
was unavailable to clients. Describe the back-up system in place, including disaster
recovery or business continuity plans.
The software has not had any instances where the software was unavailable to its customers
over the last two years. For back-up system including disaster recovery plan please see the
attached Security Incident Response Plan.
Describe all security measures and disclose any hosting partners if applicable.
Please see the attached VPM Security and Data Integrity Addendum.
Describe the historical data the software maintains.
Virtual PM will save all of the data input by the agency for as long as the agency continues to be
a customer of Virtual PM. See the attached VPM Security and Data Integrity Addendum for more
information.
Provide an estimated implementation timeline and describe how existing data will be
imported into the software.
The following is an estimated timeline from the time the contract terms have been agreed upon
and both parties have signed the agreement:
Kickoff Meeting and System Activation: Within 2 weeks of contract signing
Complete Training: Within 2 months of Contract Signing.
The importing of existing data will be dependent on the type of data and the amount. We will
meet with the City to determine the best method for importing data.
What integrations are a part of the service, and which require additional fees.
No integrations are included with the out-of-the-box service fee. Integrations with Microsoft
Project and other software can be performed for an additional fee provided in the list of services
and corresponding prices.
List resources provided for customer service, technical support and training, including
business hours available and average response time for technology-related inquiries.
The primary resource for customer service, technical support and training will be your account
representative, which can be contacted by phone or email. Requests for service, support or
training will be responded to within 24 hours; however, typically responses are provided the same
day. Additional contacts besides your primary account representative will also be provided.
Training sessions are recorded and provided to the client to share with new users. Additional
training will be provided as new features are developed.
Our in-house customer support is available during normal business hours, Monday-Friday, 7:30
AM to 5:30 PM Pacific Time.
Unique Qualities
Virtual Project Manager is unique in that:
• We only make software for public agencies
• Unlimited users, projects, and storage
• VPM has former project managers and Public Works Directors that provide insight into our
customers' needs and workflows
• We value taxpayer dollars; therefore, our pricing reflects the need for public agencies to
invest in infrastructure. That is why we keep our pricing consistent and low.
Complete Pricing List
The following tables list the out-of-the-box pricing for Virtual PM for years 1, 2 and 3 with no
special configuration or integration with other software.
Pricing Summary Year 1
| Item No. | Description | Unit | Cost |
|---|---|---|---|
| 1 | Total Software Costs Year 1 | Lump Sum, Cost not-to-exceed | $18,000.00 |
| 2 | System Implementation Services Year 1 | Lump Sum, Cost not-to-exceed | $6,000.00 |
| 3 | System Services Maintenance and Support Costs Year 1 | Lump Sum, Cost not-to-exceed | Included |
| | Total Year 1 | | $24,000.00 |
Pricing Summary Year 2 and Year 3
| Item No. | Description | Unit | Cost |
|---|---|---|---|
| 1 | Total Software Costs Year 2 | Lump Sum, Cost not-to-exceed | $18,000.00 |
| 2 | Total Software Costs Year 3 | Lump Sum, Cost not-to-exceed | $18,000.00 |
| 3 | System Services Maintenance and Support Costs Year 2 and Year 3 | Lump Sum, Cost not-to-exceed | Included |
| | Total Year 2 and 3 | | $36,000.00 |
List of Complementary Services Offered by Proposer along with Corresponding Prices
| Description | Unit | Cost |
|---|---|---|
| Additive Cost for Software Compatibility | Per Hour | $250 |
| Additional Projects | Per Each/Year | Included |
| Unlimited Users | Per Year | Included |
| User Configuration Services | Initial system setup is included with Year 1 | Included |
| User Configuration Services | Per Hour | $250 |
| Configuration of Initial 50 Projects# | Lump Sum | $5,000 |
| Trouble Shooting and Problem Solving | Per Hour (<10 hours per month) | Included |
| Trouble Shooting and Problem Solving | Per Hour (≥10 hours per month) | $150 |
| State Preparation | Per Hour | $250 |
| Programming | Per Hour | $250 |
| Installation | Per Hour | $250 |
| De-bugging | Per Hour | $250 |
Setup and Training Options/Procedures
System setup is a very simple process. We ask the agency for a .png transparent logo to add to
your system and then we can activate your system. This will occur during a kickoff meeting that
is scheduled with the agency's account representative. During this kickoff meeting, we will go
over training options. Below is an example of the training sessions and different users in each
session. Training sessions are all approximately 1.5 hours or shorter. Typically, training is
completed within two months from the time the contract is signed, but this is dependent on the
schedule of the agency users.
Welcome to Team Virtual Project Manager!
Let's get trained & managing projects.
Now that you have decided to utilize Virtual PM to manage capital projects, we want to ensure that you
and your team are successful. These implementation & training meetings are designed to get you up and
running quickly. In most cases, the trainings run 1.6 hours. Depending on the needs of the customer some
meetings can be combined.
[Figure: training timeline graphic, divided into "First Year" and "After First Year". Recoverable panels:]
• Kick-off Meeting (Management, System Admins): after agreement, before system startup; In-Person or Online
• Session within 1 month after system startup; In-Person or Online
• Inspectors, CMs, Field Staff: within 1 month after System Admin Training; In-Person or Online
• Project Managers & Engineers: within 1 month after System Admin Training; In-Person or Online
• Admin Training (Administrative Staff): within 1 month after System Admin Training; In-Person or Online
• Monthly Check-In with Customer Champion
• Quarterly Check-In with Customer Champion
• Customer User Meetings for All Users
Your Account Representative Contact Information:
Ian Sutherland
(913) 634-6784
ian@virtual-pm.com
General Virtual PM Phone Number: (855) 487-8776
Integration Services/Options
For integration with other software, Virtual PM meets with agencies to determine what other
software programs and what information they need to integrate with and will then provide the
agency a price and timeline for completion. Virtual PM has provided unit prices for integration with
other software. Virtual PM does not integrate with BlueBeam.
Disclosures
No Disclosures
ATTACHMENT 2
INSURANCE REQUIREMENTS ACKNOWLEDGEMENT
Must be executed by proposer and submitted with the proposal
Lex Zuber (name) hereby acknowledge and confirm that
Virtual Project Manager (name of company) has reviewed
the City's indemnification and minimum insurance requirements as listed in Exhibits E and F of
the City's Agreement for Contract Services (Attachment 1); and declare that insurance certificates
and endorsements verifying compliance will be provided if an agreement is awarded.
I am Owner/CEO (Title) of Virtual Project Manager (Company)
Commercial General Liability (at least as broad as ISO CG 0001)
$1,000,000 (per occurrence); $2,000,000 (general aggregate)
Must include the following endorsements:
General Liability Additional Insured
General Liability Primary and Noncontributory
Commercial Auto Liability (at least as broad as ISO CA 0001)
$1,000,000 (per accident)
Personal Auto Declaration Page if applicable
Errors and Omissions Liability $1,000,000 (per claim and aggregate)
Worker's Compensation (per statutory requirements)
Must include the following endorsements:
Worker's Compensation Waiver of Subrogation
Worker's Compensation Declaration of Sole Proprietor if applicable
Cyber Liability
$1,000,000 (per occurrence)
$2,000,000 (general aggregate)
ATTACHMENT 3
NON -COLLUSION AFFIDAVIT FORM
Must be executed by proposer and submitted with the proposal
Lex Zuber (name) hereby declare as follows:
I am Owner/CEO (Title) of Virtual Project Manager (Company)
the party making the foregoing proposal, that the proposal is not made in the interest of, or on behalf
of, any undisclosed person, partnership, company, association, organization, or corporation; that the
proposal is genuine and not collusive or sham; that the proposer has not directly or indirectly induced
or solicited any other proposer to put in a false or sham proposal, and has not directly or indirectly
colluded, conspired, connived, or agreed with any proposer or anyone else to put in a sham proposal,
or that anyone shall refrain from proposing; that the proposer has not in any manner, directly or
indirectly, sought by agreement, communication, or conference with anyone to fix the proposal price of
the proposer or any other proposer, or to fix any overhead, profit, or cost element of the proposal price,
or of that of any other proposer, or to secure any advantage against the public body awarding the
agreement of anyone interested in the proposed agreement; that all statements contained in the
proposal are true; and, further, that the proposer has not, directly or indirectly, submitted his or her
proposal price or any breakdown thereof, or the contents thereof, or divulged information or data relative
hereto, or paid, and will not pay, any fee to any corporation, partnership, company, association,
organization, proposal depository, or to any member or agent thereof to effectuate a collusive or sham
proposal.
I declare under penalty of perjury under the laws of the State of California that the foregoing is true and
correct.
Proposer Signature:
Proposer Name: Lex Zuber
Proposer Title: Owner/CEO
Company Name: Virtual Project Manager LLC
Address: PO Box 8127, Bend, Oregon, 97708
ATTACHMENT 4
ACKNOWLEDGEMENT OF RECEIPT OF ADDENDA
Must be executed by proposer and submitted with the proposal;
If no addenda has been issued, mark "N/A" under Addendum No. indicating
Not Applicable and sign
ADDENDUM NO. | SIGNATURE INDICATING RECEIPT
(not legible) | [signature]
2 | [signature]
Virtual Project Manager
Security and Data Integrity Addendum to the
Virtual Project Manager Service Agreement
This Addendum identifies security policies and commitments of Virtual Project Manager (VPM) for its
Web-based Project Management System (System). VPM's privacy policy (which applies to the information
collected about Customer's employees and contractors) is separate from this Addendum and is available for
reference in the online Terms of Service document.
VPM may update this Addendum from time to time to document changes in security policies for the system,
in accordance with Change Management below. VPM will, upon request no more than once per year, certify
to its compliance with this Addendum.
Customer Data means any data, information, or material that Customer processes or submits to the system or
to VPM pursuant to the Services it provides.
Security Management System
VPM has a risk-based Information Security Management System (ISMS) designed to enable Support
Services to be delivered in a secure manner and designed to protect VPM systems from threats and data loss.
This Addendum describes the controls of the ISMS as of the Effective Date of the Service Agreement. VPM
regularly assesses and makes improvements to the ISMS with reference to changing security threats,
regulatory requirements, and industry standards.
Risk Assessment
VPM conducts information security risk assessments at least annually and whenever there is a material
change in VPM's business or technology practices that may impact the privacy, confidentiality, security,
integrity, or availability of Customer Data (as defined above). The risk assessment includes identifying
reasonably foreseeable internal and external risks to privacy, confidentiality, security, integrity, or
availability; assessing the likelihood of, and potential damage that can be caused by, identified risks;
assessing the adequacy of personnel training concerning the ISMS; updating the ISMS to limit and mitigate
identified risks as appropriate and to address material changes in relevant technology, business practices,
and personal information practices and regulations; and assessing whether the ISMS is operating in a manner
reasonably calculated to prevent and mitigate unauthorized access to or disclosures of Customer Data
("Security Incidents").
Data Storage
All Customer Data are retained until requested to be deleted by the Customer or as described in Disposition
of Data section below. Daily backups of all data are retained indefinitely.
User Access Logs
VPM maintains access logs to the data center and server including date, time, and User identifier. VPM can
provide Customer the access logs as required to comply with governing law to assist in forensic analysis if
there is a suspicion of inappropriate access. Access logs will be maintained in a secure area for a minimum
of ninety (90) days during the Term and destroyed in accordance with Disposition of Data below. Passwords
are not logged under any circumstances.
Employees and Contractors
VPM personnel that operate or support the System receive annual education on the importance of security,
confidentiality, and privacy of Customer Data, VPM policies and associated data security practices, and the
risks to VPM and its customers associated with Security Incidents. VPM implements measures designed to
ensure that its personnel are sufficiently trained, qualified, and experienced to be able to fulfill their
functions under the ISMS and any other functions that might reasonably be expected to be carried out by the
personnel responsible for safeguarding Customer Data.
Incident Management
VPM personnel receive regular training on standard operational procedures and tactics to minimize the
impact of production incidents. Such incidents are classified according to severity of impact, with
high-severity incidents triggering root cause analysis and reviews to identify areas for long-term improvement.
Change Management
VPM plans to enhance and maintain the System during the Term, including but not limited to changes in
response to relevant technology and systems, unauthorized access to Customer Data, and the discovery of
material privacy or security vulnerabilities. Security controls, procedures, policies, and features may change
or be added but will deliver a level of security protection that is not materially lower than that provided as of
the Effective Date.
VPM maintains a change management process with separation of duties and appropriate approvals required
for modification to VPM Systems. VPM uses risk-based criteria with remediation objectives for critical and
high vulnerabilities.
Business Continuity and Disaster Recovery
Any facility housing VPM Systems is designed to withstand adverse weather and other reasonably
predictable natural conditions and is also supported by on-site back-up generators in the event of a power
failure. All networking components and web and application servers are configured in a redundant
configuration.
VPM maintains a business continuity and disaster recovery program. Policies and procedures are in place to
provide System services with minimal interruptions, including disaster recovery planning and testing
capabilities, recovery site management, and standard backup and recovery procedures. VPM's ISMS
program is designed to meet a recovery point objective of twenty-four (24) hours and a recovery time
objective of eight (8) hours.
VPM maintains geographically separate failover data centers for the System with a strict backup schedule
for data at those facilities. VPM's business continuity management system is aligned with ISO 22301 and
ISO 31000 to prepare for, respond to, and recover from disruptive events.
Cyber Security
VPM or an authorized third party performs periodic testing, including penetration testing, against Cloud
Services available to the Internet. VPM's security operations center is responsible for scanning and
monitoring system activity and has pre-defined procedures for addressing or escalating vulnerabilities and
events as needed. VPM Systems, including firewalls, routers, network switches, and operating systems, log
information to enable VPM to detect, investigate, and resolve potential Security Incidents. Customer and
VPM share responsibility for cybersecurity of single-tenant environments. Customer is responsible for acts
and omissions of Customer and Affiliates and their Users and agents that impact the cybersecurity of
Customer environments, including but not limited to ingress, egress, network security, and high-entropy
credentials.
Insurance
VPM maintains information security liability insurance or errors & omissions insurance covering liability
for Security Incidents. Upon written request, VPM will furnish to Customer a certificate of insurance
evidencing required coverage and limits. In the event the policy is cancelled or modified before termination
or expiration of the Agreement such that required coverage and limits are no longer met, VPM will deliver
notice of such cancellation or modification to Customer in accordance with VPM's insurance policy
provisions.
Transition of Services
Pursuant to mutually agreed upon rates, VPM shall reasonably cooperate to support an orderly transition of
Customer Data to Customer's internal operations, which may include migrating Customer Data to Customer
or its designee in a manner and format determined by VPM.
Disposition of Data
VPM's policy is to retain Customer Data for at least thirty (30) days after termination or expiration of
Customer's term, and to delete Maintained Customer Data and de-identify or delete Customer-specific data
within sixty (60) days of termination or expiration of Customer's term, solely except as otherwise provided
herein or to the extent such data are included in backup and disaster recovery logs the integrity of which
requires that they remain unmodified.
VPM will promptly comply to the extent practicable with written requests to destroy Customer Data within
shorter time periods than those indicated above and provide written certification of destruction of Customer
Data upon Customer's written request.
Destruction of data as referenced herein includes, at minimum, secure erasure of media and secure disposal
of records so that the information cannot be read or reconstructed.
Over 99.9% Network uptime Guarantee
VPM guarantees that its System will be available 99.9% of the time over any given calendar quarter period.
Uptime of the System is defined by VPM as the inverse of the downtime over the total time for a given
period.
The guarantee does not apply to any performance issues: (i) that result from a suspension in service by the
Customer; (ii) caused by factors outside of VPM's reasonable control, including without limitation any force
majeure event or Internet access; (iii) that result from Customer's equipment, software, or other technology
and/or third party equipment, software or other technology; or (iv) arising from VPM's suspension and
termination of Customer's right to use the System in accordance with the License Agreement.
Support Guarantee
VPM provides access to its technical support staff for system-related queries. For support, contact the dedicated
account manager/sales representative or call (855) 487-6776. All general requests will be responded to within
24 hours. Priority Level requests will be responded to within 4 hours.
Hours of Operation
VPM will use commercially reasonable efforts to make the Service available to Customer 24 hours a day, 7
days a week, 365 days a year, except during Scheduled Downtime, Excluded Events, and as otherwise set
forth in this Addendum.
Service Access; Network Bandwidth and Latency
Customer access to the Service is through the Internet. VPM is not responsible for Customer's network
connections or for conditions or problems arising from or related to Customer's network connections (e.g.,
bandwidth issues, excessive latency, network outages) or caused by the Internet. VPM monitors Service
availability 24/7/365 by utilizing its own internal monitoring systems.
Emergency Maintenance
VPM may periodically be required to execute emergency maintenance to protect the security, performance,
availability, or stability of the Service. Emergency maintenance may include program patching and/or core
system maintenance, as required. VPM will work to minimize the use of emergency maintenance and, where
reasonably practicable, will endeavor to provide Customer prior notice of any emergency maintenance
requiring a service interruption.
Major Maintenance Changes
To help ensure continuous stability, availability, security, and performance of the Service, VPM reserves the
right to perform major changes to its hardware infrastructure, operating software, applications software, and
supporting application software under its control. Each such change event is considered planned
maintenance and may cause the Service to be unavailable for up to twenty-four (24) hours. VPM will
endeavor to provide prior notice of the anticipated unavailability.
Availability Control
Protection against fire and measures in case of power outages in the data processing centers including
backup.
Physical Controls
VPM has effective controls in place to protect against physical penetration by malicious or unauthorized
people. Physical controls covering the entire facility are documented. Additional access restrictions are
enforced for servers/computer/telecommunications room compared to the general area.
Backup and Offsite Storage
VPM has a defined backup policy and associated procedures for performing backup of data in a scheduled
and timely manner. Effective controls are established to safeguard backed up data (onsite and off-site). Data
is backed up on redundant RAID drives. VPM also ensures that Customer Data is securely transferred or
transported to and from backup locations. Furthermore, VPM conducts periodic tests to ensure that data can
be safely recovered from backup devices.
Backup Process
Backup and offsite storage procedures are documented. Procedures encompass ability to fully restore
applications and operating systems. Periodic testing of successful restoration from backup media is
demonstrated. The on-site staging area has documented and demonstrated environmental controls (e.g.,
humidity, temperature). The main data center is located in Ontario, CA.
Backup Media Destruction
Procedures are defined for instructing personnel on the proper methods of backup media destruction.
Backup media destruction by a third party is accompanied by documented procedures (e.g., certificate of
destruction) for destruction confirmation.
Offsite Storage
The physical security plan for the offsite facility is documented. Access controls are enforced at entry points and
in storage rooms. Access to the off-site facility is restricted and there is an approval process to obtain access.
Electronic transmission of data to the off-site location is performed over an encrypted channel. VPM has one
offsite backup data center with redundant RAID drives. Data is securely transferred daily to this site. The
offsite data center is located in Los Angeles, CA.
Security Incident Response Plan
Introduction
Purpose
This document outlines the plan for responding to information security incidents at Virtual Project Manager,
including defining the roles and responsibilities of participants, the overall characterization of incident
response, relationships to other policies and procedures and guidelines for reporting requirements.
Due to the wide variety of incidents that could face Virtual Project Manager and the rapid advancement of
threats against Virtual Project Manager, its data and systems, this document is designed to provide guidance
in reacting to data security incidents, determination of their scope and risk, and ensuring an appropriate
response to information security incidents, including communication of incidents to the appropriate
stakeholders, and reducing the likelihood of the incident recurring.
This protocol is not to be considered as policy due to the varied nature of incidents that can occur within the
Virtual Project Manager environment. This variation in incidents may require deviations from this protocol, which
are meant to preserve the company's ability to respond to incidents in an optimal manner.
Anyone suspecting an exposure of Virtual PM data or systems should immediately contact:
Technology Support Center - (855) 487-6776 or info@virtual-pm.com
Information Security Office — dirk@virtual-pm.com
Scope
This plan applies to all information systems, institutional data, and networks of Virtual Project Manager and
any person or device accessing these systems or data.
The Information Security Office (ISO) acts on behalf of Virtual Project Manager and will request cooperation
and assistance in investigating incidents from customers as required. The ISO will also work closely with other
groups such as General Counsel, Human Resources, Privacy, and Public Safety in the investigation of incidents
as necessary.
Maintenance
Virtual Project Manager's Information Security Office (ISO) is responsible for the maintenance and revision of
this document.
Definitions
Event
An event is an exception to the normal operation of IT infrastructure, systems or services. Events may be
identified through the use of automated systems; reported violations to the ISO, Compliance/Privacy or other
customer; or in the course of normal system reviews including system degradation/outage. It is important to
note that not all events become incidents.
Incident
An incident is an event that, as assessed by ISO staff, violates the Acceptable Use Policy, Access Control
Policy, Confidential Data Policy, or other Virtual PM policy or standard, or threatens the confidentiality,
integrity, or availability of Information Systems or Institutional Data.
Regulated Data Classification
Regulated Data may have additional reporting and regulatory requirements when dealing with incidents.
Examples of the various types of regulated data that may reasonably be found in the Virtual Project Manager
environment are further detailed in Appendix C.
Roles and Responsibilities
Chief Operating Officer (COO)
Throughout the course of the protocol, the COO is broadly responsible for:
1. Coordinating efforts to manage an information security incident;
2. Ensuring the prompt investigation of a security incident;
3. Determining what data may have been exposed;
4. Securing any compromised systems to prevent further damage;
5. Providing guidance to the institutional stakeholders.
Privacy Officer
Throughout the course of the protocol, the Privacy Officer is broadly responsible for:
1. Coordinating efforts to manage regulatory requirements and notifications;
2. With assistance from General Counsel, reviewing applicable federal and state laws and developing
appropriate course of action to comply with such laws in the event a data exposure occurred;
3. Ensuring all aspects of a data exposure management plan are completed.
Executive Response Team
The Executive Response Team (ERT) consists of the CEO with the authority to make key decisions in managing
an incident related to data with regulatory requirements for reporting. The ERT shall be comprised of the
following standing members (note: other members may be asked to collaborate where appropriate):
• CEO
• COO
• Privacy Officer
• General Counsel
Incident Response Coordinator
Throughout the course of the protocol, the Incident Response Coordinator is broadly responsible for:
1. Directing efforts to gather appropriate information
2. Providing expertise in the procedural aspects of gathering information and documentation of
process
3. Updating COO and other leadership as necessary
Incident Response Handler
Throughout the course of the protocol, Incident Response Handlers are broadly responsible for:
1. Gathering data from systems
2. Providing specific expertise in technology and data
3. Entering appropriate data for Incident Management including procedural information
Incident Response Methodology
This plan outlines the general tasks for Incident Response. Due to the ever-changing nature of incidents and
attacks upon Virtual Project Manager, this incident response plan may be supplemented by specific internal
guidelines, standards, and procedures as they relate to the use of security tools, technology, and techniques
used to investigate incidents.
Scope
The Information Security Office represents all provided Information System(s) and Institutional Data including
data residing in cloud-based services. Specific actions and resources utilized in the investigation of an incident
will be in alignment with the type, scope, and risk of the threat to systems and data.
Evidence Preservation
The primary goals of incident response are to contain the scope of an incident and reduce the risk to systems
and data and to return affected systems and data back to an operational state as quickly as possible. The
ability to quickly return systems to operation may at times be hampered by the collection of data necessary
as evidence in the event of an exposure of data.
Operational-Level Agreements
In today's technology-centered world many individuals have expectations about the availability of systems
and data for themselves and the customers they serve. The interruption of services can cause a hardship and
the ISO will cooperate with the affected customers to ensure downtime is minimized. However, leadership
supports the priority of investigation activities where there is significant risk, and this may result in temporary
outages or interruptions.
Training
The continuous improvement of incident handling processes implies that those processes are periodically
reviewed, exercised, and evaluated for process improvement. Virtual PM staff will be periodically trained on
procedures for reporting and handling incidents to ensure there is familiarity with the process and with the
responsibilities of the Incident Response Team. These exercises may take the form of either external or
internal training including tabletop exercises.
Incident Response Phases
The Incident Response process encompasses six phases including preparation, detection, containment,
investigation, remediation, and recovery. These phases are defined in NIST SP 800-61 (Computer Security
Incident Handling Guide). In the execution of responding to an incident, the Incident Response Team will
focus on the detection, containment, investigation, remediation, and recovery of the specific incident.
Preparation
Preparation for incident response includes those activities that enable the organization to respond to an
incident and include the creation and review of policies, standards, and guidelines supporting incident
response; security and technology related tools; effective communication plans and governance. As
preparation happens outside the official incident process, process improvements from prior incidents should
form the basis for continuous improvement at this stage.
Detection
Detection is the identification of an event or incident whether through automated means with security tools
or notification by an inside or outside source about a suspected incident. This phase includes the declaration
and initial classification of the event/incident.
Containment
Containment of an incident includes the identification of affected hosts or systems and their isolation or
mitigation of the immediate threat. Communication with affected parties is established at this phase of
incident response.
Investigation
Investigation is the phase where ISO/ITS personnel determine the priority, scope, risk, and root cause of the
incident.
Remediation
Remediation includes the repair of affected systems and services, addressing residual attack vectors against
other systems, communication, and instructions to affected parties and an analysis that confirms the threat
has been contained.
If the COO or Privacy Officer reasonably believes that an exposure of regulated data may have occurred, the
COO or Privacy Officer will contact the Office of the General Counsel to provide situational information in
determining a proper response at this stage.
Apart from any formal reports, the after-action analysis will be completed at this stage.
Recovery
Recovery is the analysis of the incident for possible procedural and policy implications. Recovery also includes
the incorporation of any "lessons learned" from the handling of the incident into future exercises and/or
training initiatives.
Appendix A — Executive Response Team
The Executive Response Team is responsible for actions such as communication, information sharing, and
minimizing impact from exposure of regulated data. As responses to each incident may vary, this section
provides an overview of those actions that the Executive Response Team may take in responding to an
incident in which regulatory data has been exposed.
1. Once it is determined that enough information about the situation and the extent of the exposure
has been collected, the Privacy Officer and COO will collaborate with the CEO to determine if the
incident rises to the level of a security breach. In the event that this is determined, appropriate
members of the ERT should work together to determine what, if any, level of notification is required,
how individuals impacted by the exposure should be notified and what, if any, services should be
offered to the individuals impacted by the data exposure to help protect themselves from potential
or actual identity theft. As part of this analysis, the Privacy Officer will coordinate with the CEO to
review applicable state and federal privacy, data security, and breach notification laws and a plan of
action to comply with applicable requirements of such laws.
2. When applicable, Virtual Project Manager may engage with our cyber-liability insurance carrier for
assistance. Unless an exception is determined to be appropriate by the ERT, the customer
responsible for the data that was lost or exposed shall be responsible for the costs associated with
remediating the exposure, including but not limited to notification services.
3. Where required by state and/or federal law, the Privacy Officer will coordinate to ensure that
appropriate state and/or federal government entities (e.g., state attorneys general, other state
agencies, FTC, DHHS) are notified of the exposure, who has been impacted, and Virtual Project
Manager's course of action related to managing the exposure of data.
4. Where appropriate, the Executive Response Team will contact appropriate State Officials to inform
them about the data exposure.
5. Where necessary or appropriate, the ERT will expeditiously collaborate to develop press releases and
letters to affected individuals (by email and/or U.S. post). Where appropriate, the COO will
coordinate to create web page(s) with information regarding the exposure and how individuals can
take steps to protect themselves.
6. The ERT will also designate a single point of contact to address questions/concerns of individuals
concerned about the exposure. The Privacy Officer will ensure that appropriate customers are made
aware of the single point of contact to whom questions/concerns should be directed.
7. In the course of managing and remediating the exposure, as expeditiously as possible:
1. The Privacy Officer will work with appropriate staff to draft notification letters, and
where appropriate, FAQ's regarding the incident.
2. The Privacy Officer and/or COO will work with appropriate staff to collect the names
and last known addresses of individuals who will need to be notified.
3. Notification letters will be sent to impacted individuals or organizations by First Class
Mail, email and/or other methods required by law.
4. Press releases will be finalized and issued where appropriate. The main website(s) will
include a link to the news release.
5. A special website, containing information regarding the exposure and how to get more
information may be posted as appropriate.
6. Once proper notifications have been sent and posted and the matter has been
contained and handled, debriefing meeting(s) should be held with all the individuals
involved in the incident investigation, management, and remediation. Additional
follow-up activities should occur as appropriate.
Appendix B — Guidelines for Incident Response
Each incident presents a unique set of challenges and problems. This section provides some common
guidelines for preferred actions in these types of events. For any issues outside of these guidelines, the Chief
Operating Officer should be consulted.
Incidents within Chain of Command
In incidents where a member of the incident response team, their leadership or the leadership of Virtual
Project Manager is being investigated, appropriate resources will be selected to remove any conflicts of
interest.
Interactions with Law Enforcement
All communications with external law enforcement agencies are made after consulting with the General
Counsel.
Communications Plans
All public communications about an incident or incident response to external parties outside of Virtual
Project Manager are made in consultation with General Counsel. Private communications with other affected
or interested parties should contain the minimum information necessary as determined by the Incident
Response Coordinator or COO.
Privacy
Virtual Project Manager respects the privacy of all individuals, and wherever possible the incident response
process should be executed without knowledge of any individual identities until necessary.
Documentation, Tracking, and Reporting
All incident response activities will be documented to include artifacts obtained during any investigation. As
any incident could require proper documentation for law enforcement action, all actions should be
documented, and data handled in an appropriate manner to provide a consistent chain of custody for the
validity of the data gathered.
Escalation
At any time during the incident response process, the Incident Response Commander or the COO may be
called upon to escalate any issue regarding the process or incident.
The COO in consultation with the CEO will determine if and when an incident should be escalated to external
authorities.
Appendix C — Primary Types of Regulated Data
Personally Identifiable Information (PII)
PII is defined as a person's first name or first initial and last name in combination with one or more of the
following data elements:
• Social security number
• State-issued driver's license number
• State-issued identification card number
• Financial account number in combination with a security code, access code or password that would
permit access to the account
• Medical and/or health insurance information
Currently, Virtual PM does not collect or retain this information within its data.