PROFESSIONAL SERVICES AGREEMENT BETWEEN THE TRUSTEES OF INDIANA UNIVERSITY (ON BEHALF OF Insert University department) AND Insert name of Contractor THIS PROFESSIONAL SERVICES AGREEMENT (“Agreement”) is entered into by and between The Trustees of Indiana University ("University") and the individual [insert name of Contractor] ("Contractor") and provides as follows: 1. Services. a. Contractor will provide to the University the services described in Section 1.c. b. Contractor is an independent contractor. This Agreement shall not be deemed to create a relationship of employment, partnership, agency, or joint venture between Contractor and the University. Contractor will have no authority to enter into contracts binding upon the University. c. Services: Contractor will provide to the University the services listed in Exhibit A in the country of [insert name of country]. Exhibit A constitutes a part of this Agreement and is deemed incorporated by reference herein. In the event that there are any conflicts between Exhibit A and the terms of this Agreement, the terms of this Agreement shall prevail. d. Term of this Agreement: [insert date range] e. While acting as a Contractor to the University, Contractor must comply with all University policies regarding conduct and academic ethics, including but not limited to non- discrimination and sexual harassment. If Contractor provides any services on the premises of the University, Contractor must comply with all University policies, including but not limited to non-discrimination, sexual harassment, smoking, possession of weapons, illegally possessed controlled substances, and obligations to make notification of suspected child abuse or neglect. f. Contractor affirms that this Agreement was not the result of collusion with any employee or agent of the University. Contractor agrees that no right or duty may be delegated or assigned to another party without the University's prior approval. g. This Agreement is not effective until a signed Purchase Order is issued to the Contractor by the University. 2. Fees and Expenses. a. Compensation: Contractor shall be paid $_________ by the University. b. The University provides no benefits such as unemployment insurance, health insurance, or worker’s compensation insurance to Contractor. Contractor is responsible for expenses associated with vaccinations required to travel to [insert name of country]. c. Contractor shall be responsible for providing all tools and materials required for performance of the services listed in Exhibit A. d. Invoices: 1. Invoices shall be sent by mail to Indiana University Accounts Payable, 400 E 7th Street, Room 021, Bloomington, Indiana, 47405 (telephone: 812.855.4004) or by e- mail to invoice@indiana.edu. 2. Purchase Order Number must be included on the invoice(s). 3. If applicable, sufficient wire transfer information must be included on invoice(s). e. Payment terms: 1. Payment Processing Time: Net 30, upon receipt of invoice. Page 1 of 6 2. f. g. h. Payment Schedule: Payment shall be due after satisfactory completion of all services and after delivery of all deliverables. 3. Method: Wire Transfer (when payment is made outside of US); Contractor is responsible for bank/wire transfer fees. Prior to receiving any payment, Contractor is required to complete and submit all necessary tax forms as required by the University. The Contractor’s legal name on the tax forms must match the name of the party specified in Agreement. The name must also match the name of the bank account to which payments are to be wired. Contractor is responsible for obtaining the appropriate immigration status, including all visas and/or work permits required to work legally in the country of [insert name of country]. The University, through its contacts, will assist in providing documentation necessary to secure such visa(s) or work permit(s), but the University will not reimburse expenses associated with obtaining such visa(s) or work permit(s). Contractor is responsible for payment of all applicable federal, state and local income taxes in the U.S. and/or [insert name of country]. 3. University Representative. The University’s authorized representative for communicating with Contractor is: [insert name, address, phone number, and email if possible (Dept. Fiscal Officer or Faculty Project Manager will suffice. Alternate representatives are acceptable)]. Contractor shall report to this University representative and shall be entitled to rely upon instructions received from this University representative. 4. Applicable Law. This Agreement shall be governed by the laws of the State of Indiana. Contractor shall at all times comply with and observe all applicable laws and regulations which are in effect during the period of this Agreement and which in any manner affect the work or its conduct. 5. Designation of Forum. Any party bringing a legal action or proceeding against any other party arising out of or relating to this Agreement may only bring the legal action or proceeding in the United States District Court for the Southern District of Indiana or in the Monroe Circuit Court in Monroe County, Indiana. 6. Headings: Interpretation. When used in this Agreement, "University" includes all segments of the institution including all, athletic and academic departments, as defined in the legal entity "The Trustees of Indiana University." 7. Limitation on Damages. Neither party shall be liable to the other or to any third party for any consequential or incidental damages, including lost profits, alleged to arise out of the material breach of this Agreement. 8. Indemnification and Hold Harmless. Contractor shall indemnify and save harmless The Trustees of Indiana University, its officers, agents and employees from any and all claims, losses, costs, damages, liability and expenses (including costs of defense, settlement, and reasonable attorney's fees) in connection with claims or suits for damage to property and/or injury to persons, including death, alleged or claimed to have been caused, by or as a result of Contractor performing services under this Agreement, whether through Contractor’s negligence or willful act. Page 2 of 6 9. Termination. This Agreement may be terminated by either party with [insert number of days, e.g., 30 or 60] days’ notice. Notice must be made by certified mail to the signatories listed in Section 11 of this Agreement. 10. Confidentiality of Data: Contractor shall treat all data that it receives from University, is otherwise exposed to within UNIVERSITY data systems, or that is provided by an individual user of Contractor’s service under this Agreement (collectively, “UNIVERSITY data”), with the highest degree of confidentiality and in compliance with all applicable federal and state laws and regulations and UNIVERSITY policies. Contractor shall employ commercial best practices for ensuring the security of all UNIVERSITY data, whether in electronic or paper form, which it accesses, uses, creates, maintains, disposes of, or otherwise handles (hereafter “data activities”) in the course of Contractor’s performance under this Agreement. Contractor’s responsibility for ensuring the security of UNIVERSITY data in the course of its data activities extends to any subcontractors or other contractors, including but not limited to web hosts or other service providers, who may, in the course of such data activities, view, process, or otherwise have access to UNIVERSITY data. Without limiting the foregoing, Contractor represents and warrants that all machines, systems, and networking equipment that receive, process, interact with, transmit, or store UNIVERSITY data shall meet or exceed the physical, network, and system security requirements specified in UNIVERSITY’s University-wide IT Policies: IT-12, Security of IT Resources; IT-12.1, Mobile Device Security Standard; and DM-01, the Data Management Policy for Management of Institutional Data (http://protect.iu.edu/cybersecurity/policies); or otherwise conform to the standards identified by the National Institute of Standards and Technology (NIST) applicable to the type of data and activities covered by the Agreement (available at http://csrc.nist.gov/publications/PubsByLR.html). In the event of conflict between the requirements of UNIVERSITY’s policies and NIST’s standards, Contractor agrees to comply with UNIVERSITY’s requirements. Significant deviation from these standards or requirements must be approved by UNIVERSITY’s University Information Security Office. Contractor will notify UNIVERSITY promptly of any nonconformity of its machines, systems, or networking equipment to applicable standards and requirements, whether such nonconformity exists at the time of execution of this Agreement or arises thereafter. Contractor represents and warrants that it shall only use UNIVERSITY data for the purpose of fulfilling its duties under this Agreement and shall not further disclose UNIVERSITY data to any third party without the prior written consent of UNIVERSITY or as otherwise required by law. Contractor shall not use UNIVERSITY data provided or made available to Contractor in the course of its data activities under this Agreement for targeted marketing purposes; however, Contractor may use aggregated and anonymized data that it derives from UNIVERSITY data within the course and scope of its data activities to enhance the quality of its performance under this Agreement or the functionality of the service Contractor provides, provided that such UNIVERSITY data does not constitute protected health information (“PHI”), as that term is defined and used in the Health Insurance Portability and Accountability Act (“HIPAA”). Contractor acknowledges and agrees that all UNIVERSITY data provided or made available to it by UNIVERSITY or individual users of Contractor’s service under this Agreement is and remains the property of UNIVERSITY or the individual user, as determined by law and UNIVERSITY policy. Upon termination or expiration of the contract, Contractor will either return or confirm the destruction of all UNIVERSITY data provided or made available to Contractor under this Agreement, at UNIVERSITY’s election and in accordance with specifications for return or destruction that UNIVERSITY shall provide at the time. Without limiting the foregoing, in the course of performing its duties under this Agreement, Contractor may engage in data activities involving the following types of UNIVERSITY data: student education records; financial information as that term is defined and used in the Financial Modernization Act of 1999; protected health information as that term is defined and used in the Health Insurance Portability and Accountability Act; genetic information as that term is defined and used in the Genetic Information Nondiscrimination Act of 2008; and various items of personal identifying information, including but not limited to Social Security Numbers, payment card numbers, financial account numbers and corresponding security or access codes and passwords, drivers license numbers, and Indiana state identification card numbers. Contractor represents and warrants that it shall employ sufficient administrative, physical, and technical data security measures to meet the requirements under the specific federal and state laws and credit card industry standards applicable to all such types of UNIVERSITY data that Contractor receives, which may include but are not limited to: a. b. c. Student Education Records: The Family Education Rights and Privacy Act (FERPA), 20 USC 1232g et seq., and related regulations at 34 CFR Part 99; Financial Information, including payment card and financial account numbers: The Financial Modernization Act of 1999, 15 USC 1681 et seq.; the Safeguards Rule at 16 CFR Part 314; and Indiana Code 4-1-11 and 24-4-9; Protected Health Information (PHI): The Health Insurance Portability and Accountability Act (HIPAA), 42 USC 1320d-2 (note); implementing privacy and security regulations at 45 CFR Parts 160 and 164, and related agency guidance. If Contractor will access PHI to perform a service on behalf of UNIVERSITY under this Agreement, then Contractor and UNIVERSITY must also enter into a Business Associate Agreement (BAA) in a form approved by UNIVERSITY. In the event of any conflict between the BAA and this Addendum with respect to the security or privacy of data that contains PHI, the terms of the BAA shall control; Page 3 of 6 d. e. f. g. Genetic Information: The Genetic Information Nondiscrimination Act of 2008 (GINA), 42 USC 2000ff and implementing regulations. Contractor must not collect any genetic information unless otherwise permitted by GINA and must otherwise comply with its terms and regulations promulgated pursuant to GINA; Nonpublic Personal and Financial Information: Gramm-Leach-Bliley Act (Title 15, USC, Sections 6801(b) and 6805(b)(2)); Social Security Numbers: Indiana Code 4-1-10, 4-1-11, and 24-4-9; and Payment Card Numbers: Indiana Code 4-1-11 and 24-4-9, as well as the Payment Card Industry Data Security Standards. If receiving payment card numbers, Contractor shall be PCI-DSS compliant as per the requirements indicated according to the PC Security Standards Council, which can be found at https://www.pcisecuritystandards.org/, and shall provide to UNIVERSITY annually a certificate of compliance from a PCI-DSS Qualified Security Assessor (QSA). As applicable, Contractor shall also have a program in place, documented in writing, to identify, detect, and address warning signs of identity theft, pursuant to the FACT Act, 15 USC 1681 et seq., and corresponding “Red Flag Rules.” Immediately upon becoming aware of an exposure of University Data, Contractor shall notify UNIVERSITY at IT-Incident@iu.edu and shall cooperate fully with UNIVERSITY’s investigation of and response to the incident. Except as otherwise required by law, Contractor shall not provide notice of the incident directly to the persons whose UNIVERSITY data were involved without prior written permission from UNIVERSITY. To facilitate the investigation of security incidents, Contractor will retain and provide to UNIVERSITY, upon request, all authentication and other relevant system logs, including relevant logs from any contractors or subcontractors, for a minimum of 60 days from the creation of such logs. Contractor acknowledges and agrees that UNIVERSITY is subject to Indiana’s Access to Public Records Act (APRA), I.C. 5-14-3 et seq., and that disclosure of some or all confidential information provided pursuant to this Agreement, or the Agreement itself, may be compelled pursuant to that law. University agrees that, upon receipt of a request for confidential information made pursuant to APRA, it shall a) promptly notify Contractor of the fact and content of the request, b) consult with Contractor regarding any legitimate basis on which it might resist or narrow its response to the request, and c) disclose only information that the University, in the opinion of its legal counsel, is legally compelled to disclose. Notwithstanding any other provision of this Agreement, and provided that the University has not modified the Contractor’s software in any manner, Contractor shall reimburse the University in full for all direct costs, expenses, and liabilities incurred by the University as a result of Contractor’s failure to comply with the above data confidentiality and security requirements. This obligation shall include reimbursing the costs or expenses incurred by University in providing any notices to parties whose data may have been subject to unauthorized access as a result of Contractor’s failure to comply with the above data confidentiality and security requirements, as well as defending, indemnifying, and holding the University harmless from any third-party claims or causes of action of any kind arising from or relating to the Contractor’s use, maintenance, or handling of UNIVERSITY data received in connection with its performance under this Agreement. These remedies shall be in addition to any other remedies provided within this Agreement or otherwise available under law. Contractor will ensure that employees who perform work under this Agreement have read, understood, and received appropriate instruction to as to comply with the foregoing data protection provisions of this Agreement. Any subcontractors used by Contractor to perform work under this Agreement that involves access to or use, processing, maintenance, transmission, storage, or disposal of UNIVERSITY data, must be approved in advance by UNIVERSITY, and their subcontracts must contain the same data protection provisions for UNIVERSITY data specified above. UNIVERSITY reserves the right to require the Contractor to provide the results of: a. b. c. an audit of security policies, practices, and procedures on an annual or biennial basis, to be performed by a third party approved by UNIVERSITY; a vulnerability scan, performed by a scanner approved by UNIVERSITY, of the Contractor’s systems that are used in any way, or that interact with systems used in any way, to provide service(s) under this Agreement and/or receive, use, process, maintain, transmit, store, or dispose of UNIVERSITY data; a formal penetration test, performed by a process and qualified personnel approved by UNIVERSITY, of the Contractor’s systems that are used in any way, or that interact with systems used in any way, to provide service(s) under this Agreement and/or receive, use, process, maintain, transmit, store, or dispose of UNIVERSITY data. Page 4 of 6 11 Signatures. University Contractor Signature: Signature: Printed Name: Matt Estell Title: Purchasing Contract Manager e-Mail: mestell@iu.edu Phone: 812.855.4284 Date: (included in digital signature) Printed Name: Title: e-Mail: Phone: Date: Page 5 of 6 EXHIBIT A Statement of Work Please provide a detailed description of services to be performed. List specific tasks to be performed by Contractor, deliverables, and any applicable deadlines for completion of the work. Do not address payment terms here. Payment terms will be address in Section 2 of the agreement. Page 6 of 6