Vapt 381 RFP

VULNERABILITY ASSESSMENT AND PENETRATION TESTING SERVICES
REQUEST FOR PROPOSALS NUMBER #2021-381
Request for Proposals Issued On: May 10, 2021
Proponent’s Information & OTP Demonstration Session: 2:00 pm on May 13, 2021
Proponent’s Deadline to Submit Questions: 5:00 pm on May 18, 2021
Proponent’s Deadline to Submit Questions Related to

Addenda & Question and Answer Documents: 5:00 pm on May 26, 2021
Closing Date: 2:00:00 pm on June 29, 2021 local time in Toronto, Ontario, Canada
All times specified in this RFP timetable are local times in Toronto, Ontario, Canada.
Please refer to Section 5.1.1 for the complete RFP timetable.
OECM shall not be obligated in any manner to any Proponent whatsoever until a written Master Agreement has been
duly executed with a Supplier.
OECM Vulnerability Assessment and Penetration Testing Services RFP #2021-381 Page 1 of 54
TABLE OF CONTENTS
PART 1 – INTRODUCTION ........................................................................................................................................... 5

1.1 Objective of this RFP ....................................................................................................................................... 5
1.2 Project Background ......................................................................................................................................... 5
1.3 Historical Spend ............................................................................................................................................... 5
1.4 Project Advisory Committee............................................................................................................................. 5
1.5 Overview of OECM .......................................................................................................................................... 6
1.6 Use of OECM Master Agreements .................................................................................................................. 6
1.7 The Ontario Broader Public Sector Procurement Directive .............................................................................. 6
1.8 Trade Agreements ........................................................................................................................................... 6
1.9 Rules of Interpretation...................................................................................................................................... 7
PART 2 – THE DELIVERABLES................................................................................................................................... 8
2.1 Description of Deliverables .............................................................................................................................. 8
2.2 Vulnerability Assessment Services .................................................................................................................. 8
2.2.1 Vulnerability Assessment Services Reporting and Presentation ...................................................................... 8
2.3 Penetration Testing Services ........................................................................................................................... 8
2.3.1 Key Penetration Testing Services .................................................................................................................... 8
2.3.2 Application Penetration Testing Services......................................................................................................... 9
2.3.3 Network Penetration Testing Services ............................................................................................................. 9
2.3.4 Social Engineering Testing Services ............................................................................................................. 10
2.3.5 Web Application Penetration Testing Services .............................................................................................. 10
2.4 Additional Penetration Testing Services ........................................................................................................ 10
2.4.1 Payment Card Industry (“PCI”) Penetration Testing Services ........................................................................ 10
2.4.2 Wireless Penetration Testing Services .......................................................................................................... 11
2.5 Penetration Testing Methodologies and Standards ....................................................................................... 11
2.6 General Requirements on Penetration Testing Services ............................................................................... 11
2.7 Penetration Testing Services Clean Up ......................................................................................................... 12
2.8 Logs ............................................................................................................................................................ 12
2.9 Penetration Testing Services Reporting and Presentation............................................................................. 12
2.10 Optional Services ........................................................................................................................................... 12
2.11 Additional Insurance Requirements ............................................................................................................... 13
2.12 Confidentiality and Protection of Customer’s Information .............................................................................. 13
2.13 Compliance .................................................................................................................................................... 13
2.14 Data Residency ............................................................................................................................................. 13
2.15 Invoicing......................................................................................................................................................... 13
2.15.1 Payment Terms and Methods ........................................................................................................................ 14
2.15.2 Electronic Fund Transfer................................................................................................................................ 14
2.15.3 Electronic Commerce..................................................................................................................................... 14
2.16 Support to Customers .................................................................................................................................... 14
2.16.1 Incentive to Customers .................................................................................................................................. 15
2.17 Environmental and Sustainability Considerations .......................................................................................... 15
2.18 Social Procurement........................................................................................................................................ 15
2.19 Disaster Recovery and Business Continuity .................................................................................................. 15
2.20 Licences, Right to Use and Approvals ........................................................................................................... 15
2.21 Workplace Hazardous Material Information System ...................................................................................... 16
PART 3 – EVALUATION OF PROPOSALS ................................................................................................................ 16
3.1 Stages of Proposal Evaluation ....................................................................................................................... 16
3.2 Stage I – Review of Qualification Responses (Pass/Fail) .............................................................................. 17
3.3 Stage II – Technical Response ...................................................................................................................... 17
3.4 Stage III – Commercial Response ................................................................................................................. 18
3.5 Stage IV – Cumulative Score ......................................................................................................................... 19
3.6 Stage V – Tie Break Process ......................................................................................................................... 19
3.7 Stage VI – Negotiations ................................................................................................................................. 19
3.8 Stage VII – Master Agreement Finalization.................................................................................................... 20
PART 4 – MASTER AGREEMENT STRUCTURE AND MANAGEMENT ................................................................... 21
4.1 Master Agreement Structure .......................................................................................................................... 21
4.1.1 No Contract until Execution of Written Master Agreement ............................................................................. 21
4.1.2 Customer’s Usage of Master Agreements ..................................................................................................... 21
4.1.3 No Guarantee of Volume of Work or Exclusivity of Master Agreement .......................................................... 22
4.2 Rates ............................................................................................................................................................ 22
4.2.1 Expenses or Additional Charges .................................................................................................................... 22
4.2.2 Optional Rate Refresh ................................................................................................................................... 23
4.2.3 Optional Process to Add Other Services........................................................................................................ 23
4.2.4 OECM Geographical Zones ........................................................................................................................... 24
4.2.5 OECM Cost Recovery Fee ............................................................................................................................ 24
4.2.6 Financial Administration Act Section 28 ......................................................................................................... 25
4.2.7 Saving Calculation ......................................................................................................................................... 26
4.3 Supplier Management Support to OECM....................................................................................................... 26
4.3.1 Master Agreement Award and Launch........................................................................................................... 26
4.3.2 Promoting OECM Master Agreements........................................................................................................... 26
4.3.3 Supplier’s Performance Management Scorecard .......................................................................................... 27
4.3.4 OECM’s Supplier Recognition Program ......................................................................................................... 27
4.3.5 Reporting to OECM........................................................................................................................................ 27
PART 5 – TERMS AND CONDITIONS OF THE RFP PROCESS ............................................................................... 29
5.1 General Information and Instructions ............................................................................................................. 29
5.1.1 RFP Timetable ............................................................................................................................................... 29
5.1.2 Proponent’s Information and OTP Demonstration Session............................................................................ 30
5.1.3 Proponent to Follow Instructions .................................................................................................................... 30
5.1.4 OECM’s Information in RFP Only an Estimate .............................................................................................. 30
5.1.5 Proponent’s Costs ......................................................................................................................................... 30
5.2 Communication after RFP Issuance .............................................................................................................. 30
5.2.1 Communication with OECM ........................................................................................................................... 30
5.2.2 Proponent to Review RFP ............................................................................................................................. 31
5.2.3 Proponent to Notify ........................................................................................................................................ 31
5.2.4 All New Information to Proponents by way of Addenda ................................................................................. 31
5.3 Proposal Submission Requirements .............................................................................................................. 32
5.3.1 General .......................................................................................................................................................... 32
5.3.2 Proposal in English ........................................................................................................................................ 32
5.3.3 Proposal Submission Requirements .............................................................................................................. 32
5.3.4 Other Proposal Considerations ...................................................................................................................... 33
5.3.5 Proposal Receipt by OECM ........................................................................................................................... 33
5.3.6 Withdrawal of Proposal .................................................................................................................................. 33
5.3.7 Amendment of Proposal on OTP ................................................................................................................... 33
5.3.8 Completeness of Proposal ............................................................................................................................. 33
5.3.9 Proposals Retained by OECM ....................................................................................................................... 33
5.3.10 Acceptance of RFP ........................................................................................................................................ 34
5.3.11 Amendments to RFP...................................................................................................................................... 34
5.3.12 Proposals will not be Opened Publicly ........................................................................................................... 34
5.3.13 Clarification of Proposals ............................................................................................................................... 34
5.3.14 Verification of Information .............................................................................................................................. 34
5.3.15 Proposal Acceptance ..................................................................................................................................... 34
5.3.16 RFP Incorporated into Proposal ..................................................................................................................... 34
5.3.17 Exclusivity of Contract.................................................................................................................................... 35
5.3.18 Substantial Compliance ................................................................................................................................. 35
5.3.19 No Publicity or Promotion .............................................................................................................................. 35
5.4 Negotiations, Timelines, Notification and Debriefing ...................................................................................... 35
5.4.1 Negotiations with Preferred Proponent .......................................................................................................... 35
5.4.2 Failure to Execute a Master Agreement......................................................................................................... 35
5.4.3 Master Agreement ......................................................................................................................................... 35
5.4.4 Notification to Other Proponents .................................................................................................................... 36
5.4.5 Debriefing ...................................................................................................................................................... 36
5.4.6 Bid Dispute Resolution................................................................................................................................... 36
5.5 Prohibited Communications, and Confidential Information ............................................................................ 36
5.5.1 Confidential Information of OECM ................................................................................................................. 36
5.5.2 Confidential Information of the Proponent...................................................................................................... 37
5.5.3 Proponent’s Submission ................................................................................................................................ 37
5.5.4 Personal Information ...................................................................................................................................... 37
5.5.5 Non-Disclosure Agreement ............................................................................................................................ 37
5.5.6 Freedom of Information and Protection of Privacy Act ................................................................................... 37
5.5.7 Intellectual Property ....................................................................................................................................... 37
5.6 Reserved Rights and Governing Law of OECM ............................................................................................. 38
5.6.1 General .......................................................................................................................................................... 38
5.6.2 Rights of OECM – Proponent ........................................................................................................................ 39
5.6.3 No Liability ..................................................................................................................................................... 40
5.6.4 Assignment .................................................................................................................................................... 40
5.6.5 Entire RFP ..................................................................................................................................................... 40
5.6.6 Priority of Documents..................................................................................................................................... 40
5.6.7 Disqualification for Misrepresentation ............................................................................................................ 40
5.6.8 References and Past Performance ................................................................................................................ 40
5.6.9 Cancellation ................................................................................................................................................... 40
5.6.10 Competition Act ............................................................................................................................................. 41
5.6.11 Trade Agreements ......................................................................................................................................... 41
5.6.12 Governing Law ............................................................................................................................................... 41
APPENDIX A – DEFINITIONS..................................................................................................................................... 42
APPENDIX B – FORM OF MASTER AGREEMENT ................................................................................................... 46
APPENDIX C – COMMERCIAL RESPONSE AMENDED AS OF MAY 21, 2021 ....................................................... 47
APPENDIX D – OECM GEOGRAPHICAL ZONES ..................................................................................................... 48
APPENDIX E – OECM SCHOOL BOARD, COLLEGE AND UNIVERSITY CUSTOMERS IN ONTARIO .................. 49
APPENDIX F – REPORTING REQUIREMENTS......................................................................................................... 50
APPENDIX G – PERFORMANCE MANAGEMENT SCORECARD ............................................................................ 51
APPENDIX H – CODE OF CONDUCT ........................................................................................................................ 53
PART 1 – INTRODUCTION
This non-binding Request for Proposals (“RFP”) is an invitation to obtain Proposals from qualified Proponents for
Vulnerability Assessment and Penetration Testing Services as described in Part 2 – The Deliverables and Part 4 –
Master Agreement Structure and Management.
OECM intends to award up to seven (7) Master Agreements, with an initial Term of the Master Agreement (“Term”) of
three (3) years with an option in favour of OECM to extend the Term on the same terms and conditions for one (1)
additional two (2) year option for extension.
This RFP is issued by OECM.
1.1 Objective of this RFP
The objective of this RFP is to select qualified suppliers who:
(a) Actively promote professional and ethical practices in its operation;
(b) Provide Customers with high quality Services, demonstrating value for money;
(c) Provide Customers with well-defined project management support;
(d) Provide Customers professional and responsive customer support and account management; and,
(e) Work in a cooperative manner with Customers, be flexible, innovative, and professional in providing
quality Services to Customers.
1.2 Project Background
OECM’s first Vulnerability Assessment and Penetration Testing Services Request for Proposals (RFP) was
awarded in 2017. Over the span of the Agreement, there has been a cumulative spend of approximately one
million one hundred thousand dollars ($1,100,000.00) as of March 2021. This project is the second-generation
RFP for Vulnerability Assessment and Penetration Testing Services.
1.3 Historical Spend
OECM’s current IT Vulnerability Assessment and Penetration Testing Services agreement, that will expiry on
January 11, 2022, was awarded to four (4) Suppliers. Twenty eight (28) unique Customer Service Agreements
were created between Suppliers and Customers during the span of the current agreement, with the following
breakdown:
(a) Eleven (11) School Boards;
(b) Ten (10) other organizations;
(c) Five (5) Colleges; and,
(d) Two (2) Universities.
Approximate purchases through the existing agreement from January 2017 to March 2021 were approximately
one million one hundred thousand dollars ($1,100,000.00).
Customers using the current OECM IT Vulnerability Assessment and Penetration Testing Services agreement
are not, in any way, obligated to participate in any Master Agreement resulting from this RFP.
1.4 Project Advisory Committee
The following Customers were involved with the development of the requirements set out in this RFP:
(a) Cambrian College
(b) Centennial College
(c) City of Hamilton
(d) Education Computing Network of Ontario (ECNO)
(e) Hamilton Health Sciences
(f) Limestone District School Board; and,
(g) Mohawk College of Applied Arts and Technology.
The above Customers are not, in any way, committed to participating in the Master Agreement resulting from
this RFP.
1.5 Overview of OECM
OECM is a trusted not-for-profit partner for Ontario’s education sector, Broader Public Sector (“BPS”) entities,
Provincially Funded Organizations (“PFO”), Crown Corporations, and other not-for-profit organizations. OECM
offers a comprehensive choice of collaboratively sourced and competitively priced products and services
through its Marketplace, the goal of which is to generate savings, choice and service for its Customers.
Recognizing the power of collaboration, OECM is committed to fostering strong relationships with both
Customers and suppliers by:
(a) Actively sourcing products and services in an open, fair, transparent and competitive manner, compliant
with BPS Procurement Directive and applicable trade agreements;
(b) Establishing, promoting and managing product and service agreements used throughout
its Customer community;
(c) Supporting Customers’ access and use of OECM agreements through analysis, reporting and the
development of tools, guides, and other materials;
(d) Effectively managing supplier contract performance while harnessing expertise and innovative ideas, to
drive continuous improvements through a Supplier Relationship Management program;
(e) Promoting OECM’s Supplier Code of Conduct, based on its core values, to ensure that all supplier
partners adhere to a set standard when conducting business with OECM and its Customers resulting in
continuous, long-term success; and,
(f) Supporting supplier partners through a Supplier Recognition Program.
1.6 Use of OECM Master Agreements
As of March 2021, one thousand fifty-six (1056) Customers were using one (1) or more OECM agreements.
Since 2009, the cumulative spend from our Customers is approximately two-point-four billion ($2.4B).
More information about OECM is available on our website - http://www.oecm.ca/.
1.7 The Ontario Broader Public Sector Procurement Directive
OECM, and the Customers they service, follow the Ontario BPS Procurement Directive. The directive sets out
rules for designated BPS entities on the purchase of goods and services using public funds. The Procurement
Directive is available here https://www.doingbusiness.mgs.gov.on.ca/mbs/psb/psb.nsf/English/bps-
procurementdirective.
1.8 Trade Agreements
OECM procurements are undertaken within the scope of Chapter 5 of the Canadian Free Trade Agreement
(“CFTA”), Chapter 19 of the Comprehensive Economic and Trade Agreement ("CETA"), and within the scope
of the Trade and Cooperation Agreement between Quebec and Ontario and are subject to such agreements,
although the rights and obligations of the parties shall be governed by the specific terms of this RFP. For more
information, refer to the Section 5.6.11.
1.9 Rules of Interpretation
This RFP shall be interpreted according to the following provisions, unless the context requires a different
meaning:
(a) Unless the context otherwise requires, wherever used herein the plural includes the singular, the singular
includes the plural, and each of the masculine and feminine includes the other gender;
(b) Words in the RFP shall bear their natural meaning;
(c) References containing terms such as “includes” and “including”, whether or not used with the words
“without limitation” or “but not limited to”, shall not be deemed limited by the specific enumeration of items
but shall, in all cases, be deemed to be without limitation and construed and interpreted to mean “includes
without limitation” and “including without limitation”;
(d) In construing the RFP, general words introduced or followed by the word “other” or “including” or “in
particular” shall not be given a restrictive meaning because they are followed or preceded (as the case
may be) by particular examples intended to fall within the meaning of the general words;
(e) Unless otherwise indicated, time periods will be strictly applied; and,
(f) The following terminology applies in the RFP:
i. The terms “must” and “shall” relate to a requirement the Supplier will be obligated to fulfil.
Whenever the terms “must” or “shall” are used in relation to OECM or the Supplier, such terms
shall be construed and interpreted as synonymous and shall be construed to read “OECM shall”
or the “Supplier shall”, as the case may be;
ii. The term “should” relates to a requirement that OECM would like the Supplier to fulfil; and,
iii. The term “will” describes a procedure that is intended to be followed.
[End of Part 1]
PART 2 – THE DELIVERABLES
This Part of the RFP describes the Vulnerability Assessment and Penetration Testing Services Deliverables which will
be incorporated into the final Master Agreement. The Supplier shall provide all RFP requirements.
2.1 Description of Deliverables
The Supplier shall provide a broad range of quality Services to meet the requirements of Customers including
but not limited to the following:
(a) Vulnerability Assessment Services;

(b) Penetration Testing Services; and,
(c) Optional Services.
2.2 Vulnerability Assessment Services
The Supplier shall provide vulnerability assessment Services including but not limited to the following:
(a) Catalogue Customer’s Information Technology (“IT”) assets and resources (e.g., applications, database,
end point devices, network and servers), as requested;
(b) Assess current network security measures to identify any vulnerability exists in Customer’s network
architecture;
(c) Conduct external and/or internal vulnerability scans to identify any security vulnerability exists in
Customer’s asset and resources;
(d) Conduct web application security assessment;
(e) Conduct website security assessment;
(f) Conduct wireless security assessment;
(g) Conduct personal security awareness assessment; and,
(h) Report security issues that pose an imminent threat are to be reported to Customer as they are being
identified.
2.2.1 Vulnerability Assessment Services Reporting and Presentation
Upon completion of each Service, the Supplier shall provide the Customer with a vulnerability
assessment report which should include the following information at a minimum:
(a) Executive summary;
(b) Scope of Service;
(c) Detailed results of identified vulnerabilities;
(d) Detailed explanation of the implications of the identified vulnerabilities, business impact and
potential risks;
(e) Detailed steps of immediate mitigation;
(f) Recommended high risk areas for Customer’s immediate attention, as applicable; and,
(g) Deliver presentation to Customer in person or remotely, as requested.
The Supplier shall confirm detailed reporting requirements with the Customer for each Service prior
to commencement.
2.3 Penetration Testing Services
2.3.1 Key Penetration Testing Services
The Supplier shall provide the following quality penetration testing Services as further described
below:
(a) Application penetration testing Services;
(b) Network penetration testing Services;
(c) Social engineering testing Services; and
(d) Web application testing Services.
2.3.2 Application Penetration Testing Services
The Supplier shall provide application penetration testing Services including but not limited to the
following:
(a) Manual probing of application interfaces;
(b) Authentication process testing;
(c) Automated fuzzing;
(d) Development of test datasets and harnesses;
(e) Encryption usage testing (e.g., applications’ use of encryption);
(f) Forming manual or automatic code review for sensitive information of vulnerabilities in the code;
(g) Testing of the application functionality including but not limited to:
i. Input validation (e.g., bad or over-long characters, URLs);
ii. Transaction testing (e.g., ensuring desired application performance);
(h) Testing systems for user session management to see if unauthorized access can be permitted
including but not limited to:
i. Input validation of login fields;
ii. Cookie security;
iii. Lockout testing; and,
(i) User session integrity testing.
The Supplier shall also perform the application penetration test Services on mobile applications as
requested.
2.3.3 Network Penetration Testing Services
The Supplier shall provide network penetration testing Services including but not limited to the
following:
(a) Provide penetration testing from both inside and outside of Customer’s network;
(b) Identify targets and map attack vectors (i.e., threat modelling);
(c) Internet Protocol (“IP”) address mapping of network devices;
(d) Logical location mapping of network devices;
(e) Transmission Control Protocol (“TCP”) scanning, connect scan, SYN scan, RST scan, User
Datagram Protocol (“UDP”) scan, Internet Control Message Protocol (“ICMP”) scan, and Remote
Procedure Call (“RPC”) port scan;
(f) Operating System (“OS”) fingerprinting (OS fingerprinting is the combination of passive research
and active scanning tools to generate an accurate network map);
(g) Banner grabbing;
(h) Brute force attacks;
(i) Denial of Service (“DDoS”) testing;
(j) Network sniffing;
(k) Spoofing;
(l) Trojan attacks; and,
(m) War dialing.
2.3.4 Social Engineering Testing Services
The Supplier shall provide human centric social engineering testing Services including but not limited
to the following:
(a) Pretexting;
(b) Voice calls;
(c) Phishing campaigns (e.g., email, phone); and,
(d) Physical tests (e.g., tailgating, entry into controlled facility areas).
2.3.5 Web Application Penetration Testing Services
The Supplier shall provide web application penetration testing Services that cover the vulnerabilities
listed below at a minimum:
(a) Injection;
(b) Broken Authentication and Session Management;
(c) Cross Site Scripting (“XSS”);
(d) Insecure direct object references;
(e) Security misconfiguration;
(f) Sensitive data exposure;
(g) Missing function level access control;
(h) Cross Site Request Forgery (“CSRF”);
(i) Using components with known vulnerabilities; and,
(j) Unvalidated redirects and forwards.
2.4 Additional Penetration Testing Services
The Supplier should provide the following quality penetration testing Services as further described below, but
not limited to:
a) Payment Card Industry (“PCI”) penetration test; and,

b) Wireless penetration test.
2.4.1 Payment Card Industry (“PCI”) Penetration Testing Services
The Supplier should provide the following Payment Card Industry (“PCI”) penetration testing Services
that meet the minimum requirements and guidance as set out in PCI DDS v3.2.1 May 2018 or its
latest version:
(a) Provide penetration testing from both inside and outside of Customer’s network in compliance
with PCI DSS requirement 11.3 upon approval by the Customer;
(b) Application layer penetration testing that includes the vulnerabilities; and,
(c) Web application penetration testing that includes the vulnerabilities.
2.4.2 Wireless Penetration Testing Services
The Supplier should provide wireless penetration testing Services including but not limited to the
following: Provide penetration testing from both inside and outside of Customer’s network;
(a) Wireless network testing / war driving;
(b) Wireless, Wired Equivalent Privacy (“WEP”) / Wi-Fi Protected Access (“WPA”) cracking; and,
(c) Telephony or Voice Over Internet Protocol (“VoIP”) testing, as requested.
2.5 Penetration Testing Methodologies and Standards
The Supplier shall provide automated, manual or hybrid penetration testing Services, as requested.
Customers may request the Supplier to perform various types of penetration testing Services e.g White Box,
Black Box or Grey Box testing.
The Supplier should provide penetration test Services following appropriate industry wide, highly recognized
methodologies and standards such as:
a) Open Source Security Testing Methodology Manual (“OSSTMM”) v3;

b) National Institute of Standards and Technology (“NIST”) SP 800-42;
c) Open Web Application Security Project (“OWASP”);
d) Penetration Testing Execution Standard (“PTES”);
e) Payment Card Industry (“PCI”) Data Security Standard (“DSS”) Guidance: PCI Information Supplement:
Penetration Testing Guidance v3.2.1 May 2018; and,
f) Federal Risk and Authorization Management Program (“FedRAMP”): FedRAMP Penetration Test
Guidance 1.0.1.
The Supplier shall follow the most recent version of the methodologies and standards when providing
Services.
2.6 General Requirements on Penetration Testing Services
The Supplier shall ensure the following Services are covered in each individual request for Service:
a) Review Customer’s current systems infrastructure and conduct a gap analysis;

b) Confirm and obtain Customer’s approval on scope of Service including a test plan in writing prior to
Service commencement;
c) Communicate with third party organization and obtain third party authorization as required;
d) Engage Customer prior to actual test to confirm logistics arrangement, understand test goals and
objective Customer would like to achieve as a result of the test;
e) Discuss and confirm with Customer on its risk tolerance and culture to ensure Customer approve the test
approach;
f) Establish a communication plan as to who at the Customer’s organization will know about the test;
g) Establish an incident and escalation management process to handle issues that may happen during the
test;
h) Identify information to be provided by Customer based on the nature of test being performed (e.g., White
Box, Black Box, Grey Box);
i) Identify targets and map attack vectors;
j) Identify the exploitable vulnerabilities;
k) Exploitation (e.g., elevating privileges) within the scope; and,
l) Provide reporting to Customer as required.
The Supplier shall provide Services at Customer’s location as requested, where travel expense may occur,
see Section 4.2.1 Expenses or Additional Charges for details.
The Supplier shall ensure all reasonable precautions will be taken to avoid any negative impact on the
Customer’s system being tested (i.e., put Customer system at risk or impact Customer system’s stability) as
the result of the testing, unless with Customer’s prior written approval.
2.7 Penetration Testing Services Clean Up
The Supplier shall clean up properly after penetration testing Services completion ensuring Customer’s
environments are not impacted as a result of the penetration testing Services, the cleanup activities include
but are not limited to the following:
a) Update and/or removal of test accounts added or modified during testing;

b) Update and/or removal of database entries added or modified during testing;
c) Uninstall test tools or other artefacts as applicable;
d) Restoring security controls that have been altered for testing;
e) Provide Customers with necessary information and/or guidance on how to verify Customer’s
environments have been restored; and,
f) Approval and confirmation from the Customer that all environments have been cleaned and restored.
In situations where Customer find issues after Services have been completed, the Supplier shall return and
fix the issue for Customer ensuring Customer satisfaction.
2.8 Logs
The Supplier shall log and trace each activity and information sent and received between the Supplier’s and
Customer environments as it pertains to the Service activities. This log shall be provided to Customer upon
request in a format that is approved by Customer.
2.9 Penetration Testing Services Reporting and Presentation
The Supplier shall provide Customer with a report for each Service completed, the report shall include the
following information at a minimum:
a) Executive Summary;
b) Scope of Service;
c) Identification of critical components and explanation of why these components were tested;
d) Methodologies and tools used to conduct the testing;
e) Any constraints that impacted the testing (e.g., specific testing hours, bandwidth, special requirements);
f) Description of the progression of the test and issues encountered during the testing with timelines;
g) Findings from the tests (e.g., exploitation, severity) with details;
h) Affected targets in Customer’s environments; and,
i) Recommendation on remediation.
From time to time, Customer may require the Supplier to meet in person and/or via teleconference and webinar
to explain the findings and/or present the report. The Supplier shall support Customer with such request.
2.10 Optional Services
The Supplier may provide optional Services to Customer upon request such as the following but not limited
to:
a) Cloud assessment and penetration testing Services (e.g., environments, Application Program Interfaces
(“APIs”);
b) Compromise assessment (e.g., data forensics, confirmation on security breaches);
c) Device penetration testing Services (e.g., laptops, phones, servers, tablets, workstations);
d) DevSecOps (integration of security into the development stages of code);
e) Dynamic application security testing (DAST);
f) Penetration testing Services on Customer’s Heat, Air Ventilation, and Cooling (“HVAC”) and Closed-
circuit Television (“CCTV”) systems;
g) Privacy impact assessment;
h) Security architecture review;
i) Security awareness training;
j) Security policy review and update;
k) Source code review as it pertains to security;
l) Static application security testing (SAST);
m) System hardening assessment;
n) Threat risk assessment; and,
o) Verification of third party assessment results.
2.11 Additional Insurance Requirements
Customers during the Term may require additional insurance and/or coverage, the Supplier shall meet
Customer requirements and mutually agreed on any costs associated.
2.12 Confidentiality and Protection of Customer’s Information
The Supplier shall ensure that all personnel providing Services and have access to information related to
Services will protect Customer information by:
a) Signing Non-Disclosure Agreement (“NDA”) prior to the provision of any Services and receiving Customer
confidential information;
b) Provide appropriate security clearance to Customer, as requested; and,
c) Meeting other requirements requested by Customer.
The Supplier shall provide assurance to Customer that the storage and transmission of sensitive information
related to previous and current vulnerabilities and incident reports is safe and protected. Any release of the
information shall be approved by Customer in writing.
2.13 Compliance
The Supplier shall ensure Services are compliant with various regulations including, but not limited to:
a) Freedom of Information and Protection of Privacy Act (“FIPPA”); Municipal Freedom of Information and
Protection of Privacy Act (“MFIPPA”); the Personal Health Information Protection Act (“PHIPA”); and the
PIPEDA;
b) Accessibility for Ontarians with Disabilities Act (“AODA”) Web Content Accessibility Guidelines (“WCAG”
2.0 and 2.1);
c) Federal and Provincial (Ontario) regulations; and,
d) Customer’s established information security policies and controls for protecting sensitive data, without the
need for significant workarounds or complexity.
The supplier will support the Customers’ provincial compliance requirements on an ongoing basis and stay
current with these requirements. Customers may request to review assessments completed for the Services
from the Supplier.
2.14 Data Residency
The Suppliers’ host servers and backup servers shall be located on North American soil in a secure data
centre. The Supplier shall follow the Personal Information Protection and Electronic Documents Act
(“PIPEDA”) and Health Insurance Portability and Accountability Act (HIPAA) requirements and adhere to
encryption standards mentioned in section 2.5.5. of this Act.
2.15 Invoicing
Flexibility in invoicing processes is required. The Customer and Supplier can mutually agree to invoicing details
when executing a Customer-Supplier Agreement (“CSA”).
The Supplier shall, for Customers using Jaggaer, support cXML and/or portal invoicing functionality.
The invoices, in either paper or electronic format, as detailed in the Customer’s CSA shall be itemized and
contain, at a minimum, the following information:
(a) Customer name and location;
(b) Customer purchase order number (if applicable) and order date;
(c) Description of Products and/or Services provided, quantities and Rates; and,
(d) HST and total cost.
2.15.1 Payment Terms and Methods
The Customer’s common payment terms are net thirty (30) days.
The Supplier shall accept payment from Customers by cheque, Purchasing Card, Visa Payables
Automation (via ghost card) or Electronic Funds Transfer (“EFT”) at no additional cost to the
Customer.
Different payment terms may be agreed to when executing a CSA (e.g. 2%/10 early payment
discount for Customers).
Note – Customer’s payment terms will not be in effect until the Supplier provides an accurate invoice.
2.15.2 Electronic Fund Transfer
The Supplier shall provide the Customer with the necessary banking information to enable EFT, at
no additional cost to the Customer, for any related invoice payments including, but not limited to:
(a) A void cheque;
(b) Financial institution’s name;
(c) Financial institution’s transit number;
(d) Financial institution’s account number; and,
(e) Email address for notification purposes.
2.15.3 Electronic Commerce
Customers currently use a variety of ERP, e-Procurement or financial systems (e.g. PeopleSoft,
Jaggaer) for processing orders and payments. To support these processes, the Supplier will provide
reasonable technology and implementation support, at any time during the Term, at no additional
cost to the Customer.
2.16 Support to Customers
The Supplier shall provide effective support to Customers including, but not limited to:
(a) Providing a responsive account executive (with applicable back-up) assigned to the Customer to support
their needs by providing day-to-day and ongoing administrative support, and operational support;
(b) Managing issue resolution in a timely manner;
(c) Complying with agreed upon escalation processes to resolve outstanding issues;
(a) Responding to Customer’s inquiries (e.g. to day-to-day activities) within one (1) Business Day;
(b) Ensuring minimal disruption to the Customer;
(c) Providing easy access to the Supplier (e.g. online, toll free telephone number, email, voicemail, chat or
fax);
(d) Providing training/demonstrations, knowledge transfer, and no-cost educational events (e.g. webinars), if
available;
(e) Establishing an ongoing communications program with the Customer (e.g. new initiatives, innovation,
sustainability);
(f) Adhering to the Customer’s confidentiality and privacy policies (e.g. related to student’s private
information);
(g) Providing written notice to Customers on any scheduled shut down that would impact services (e.g.
inventory count, relocation of warehouse, website maintenance);
(h) Provide Customer reporting;
(i) Attending meetings with Customers, as requested.; and,
(j) Additional project specific requirements.
2.16.1 Incentive to Customers
Where feasible, the Supplier should offer incentives to Customers to promote additional cost savings
and value-adds resulting from better operational efficiencies that may include, but are not limited to:
(a) Use of Purchasing Card (“P-Card”) for immediate payment;
(b) Early payment discount for Customers;
(c) Recurring services discounts based on frequency per year;
In consultation with OECM, the Customer may negotiate specific details related to one (1) or more
financial incentive.
The financial incentives the Supplier and Customer agree to shall be incorporated into the CSA and
reviewed and adjusted (e.g. annually) as required and reported to OECM as part of the sales
reporting.
The financial incentive to Customers can be reviewed and adjusted annually as required.
2.17 Environmental and Sustainability Considerations
OECM and its Customers are committed to reducing their carbon footprint. The Supplier should keep
Customers informed about any environmentally friendly processes, Products, new technologies and/or green
initiatives. The Supplier should, in consultation with OECM, make any environmentally friendly processes,
Products, new technologies and/or green initiatives, related to the RFP Deliverables, available to Customers
as required.
2.18 Social Procurement
OECM and its Customers are committed to social procurement. The Supplier should keep OECM and
Customers informed about social procurement processes.
2.19 Disaster Recovery and Business Continuity
The Supplier shall possess and provide to OECM and/or Customers upon request, information about disaster
recovery and business continuity programs including processes, policies, and procedures related to safety
standards, preparing for recovery or continuation of Product and Service availability critical to Customers.
2.20 Licences, Right to Use and Approvals
The Supplier shall obtain all licences, right to use and approvals required in connection with the supply of the
Services and provide them at Customer and OECM request. The costs of obtaining such licences, right to use
and approvals shall be the responsibility of, and shall be paid for by, the Supplier.
Where a Supplier is required by Applicable Law to hold or obtain any such licence, right to use and approval
to carry on an activity contemplated in its Proposal or in the Master Agreement, neither acceptance of the
Proposal nor execution of the Master Agreement by OECM shall be considered an approval by OECM for the
Supplier to carry on such activity without the requisite licence, right to use or approval.
2.21 Workplace Hazardous Material Information System
The Supplier shall ensure Workplace Hazardous Materials Information System (“WHMIS”) Safety Data Sheets
(“SDS”) are onsite as required. Additionally, the Supplier should provide the Customer’s personnel WHMIS
training, as it relates to the Products and equipment, in accordance with the Ontario Occupational Health and
Safety Act.
The Supplier shall provide the Customer with online access to SDSs. If there are any changes or updates to
the SDS, the Supplier shall update the documents within twenty-four (24) hours and provide notification to the
Customer that the SDS has been update.
[End of Part 2]
PART 3 – EVALUATION OF PROPOSALS
3.1 Stages of Proposal Evaluation
OECM will conduct the evaluation of Proposals in the following stages:
Refer to Scoring Methodology Minimum Threshold
Stage Type of Evaluation RFP and Maximum Points Requirement
Section (if applicable) (if any)
Stage I Qualification Response 3.2 Pass/Fail Pass
Stage II Technical Response 3.3 700 385
Stage III Commercial Response 3.4 300 Not Applicable
Stage IV Cumulative Score 3.5 1000 Not Applicable
Stage V Tie Break Process 3.6 No Point Allocation Not Applicable
Stage VI Negotiations 3.7 No Point Allocation Not Applicable
Master Agreement
Stage VII 3.8 No Point Allocation Not Applicable
Finalization
3.2 Stage I – Review of Qualification Responses (Pass/Fail)
Stage I will consist of a review to determine which Proposals comply with all qualification requirements.
The Proponent must complete the following forms in (“Ontario’s Tenders Portal (“OTP”) to qualify and proceed
to the next stage of evaluation.
Title OTP Envelope
Form of Offer Qualification

Compliance with Form of Master Agreement Qualification
Commercial Response Commercial
If the Proponent fails to insert information contained in the above forms, OECM may provide an opportunity to
rectify such deficiency within a period of two (2) Business Days from notification thereof. Only Proponents
satisfying the identified deficiencies within allotted time will proceed to Stage II.
3.3 Stage II – Technical Response
Stage II will consist of an evaluation and scoring of the Technical Response of each Eligible Proposal.
The Technical Response includes a series of questions the Proponent is required to respond to in order to
demonstrate the Proponent’s ability to fulfill the RFP Deliverables. Only information contained within the
Technical Response will be evaluated in Stage II.
Only Proposals that meet or exceed the minimum threshold of fifty-five percent (55%) or three hundred eighty-
five points (385), will receive a pass in this stage and proceed to Stage III of the evaluation process.
Point allocations for the Technical Response sections are as follows:
Available Minimum Threshold,

Technical Response Sections
Points if any
- Proponent’s Capabilities and Experience 50 N/A
- Project Work Plan 300 N/A
- Project and Resource Management 200 N/A
- Customer Support and Management 150 N/A
TOTAL POINTS: 700 385
Detailed sub-point allocations and minimum thresholds are set out in the Technical Response on OTP.
In the case that contradictory information or information that contains conditional statements is provided,
OECM will determine whether the response complies with the requirements, and may seek clarification from
the Proponent.
A Proposal that does not respond to a particular question (e.g. is left blank) or contains a response of N/A or
not applicable will receive a zero (0) score.
Stage II resulting scores per Proposal will be used when determining the cumulative score as described below
in Section 3.5.
3.4 Stage III – Commercial Response
The Proponent must complete and upload Appendix C – Commercial Response - Amended as of May 21,
2021 into the OTP Commercial Envelope for this stage of evaluation.
Upon the completion of Stage III of the evaluation, the Commercial Response will be opened for all Eligible
Proposals.
Point allocations for the Commercial Response sections are as follows:
Commercial Response Sections Available Points
- Scenario Based Pricing 200

- Vulnerability Assessment IP Based Pricing 50
- Professional Services 50
- Additional Role-Based Resources and Other Services
N/A
(Not Evaluated)
TOTAL POINTS: 300
Detailed sub-point allocations are set out in the Appendix C – Commercial Response - Amended as of May
21, 2021 on OTP.
Rates will be evaluated using a relative formula. See example below:
EXAMPLE OF COMMERCIAL RESPONSE EVALUATION
Resulting
Proposed Rates Calculation
Points
If Proponent 1 proposes the lowest Rate of $100.00, it
$100 ÷ $100 x 200 Points 200
would receive 100% of the points allocated.
If Proponent 2 proposes the second lowest Rate of

$100 ÷ $200 x 200 Points 100
$200.00, it would receive 50% of the points allocated.
If Proponent 3 proposes the third lowest Rate of $400.00, it

$100 ÷ $400 x 200 Points 50
would receive 25% of the points allocated.
Where $0.00 is entered in any Rate cell, it is deemed to mean that the particular Service will be provided to
Customers at no additional cost. Therefore, when evaluating and scoring the Rates, a Proposal specifying
$0.00 in a Rate cell in the Commercial Response shall receive the maximum point allocation for that particular
Service. The remaining Proposals will be evaluated using a relative formula based on the remaining
percentage of available points regardless of the Proposals of $0.00 Rate as per below example.
EXAMPLE – WHERE FIVE (5) PROPOSALS WERE RECEIVED WITH $0.00 RATE PROPOSED
Number of Proposals with a The percentage (%) of the sub-

The number of remaining
proposed Rate of $0.00 for a point allocation for the remaining
Proposals
particular Service Proposals will be:
1 4 80%
2 3 60%
3 2 40%
4 1 20%
Where N/A or not applicable is entered in a Commercial Response cell or a Commercial Response cell is left
blank for the Service, it is deemed to mean that the particular Service will not be provided to Customers.
Therefore, when evaluating and scoring the Rates, a Proposal specifying N/A or not applicable, or left blank
in Appendix C – Commercial Response - Amended as of May 21, 2021 will receive a zero (0) point allocation
for that particular pricing section.
3.5 Stage IV – Cumulative Score
At this stage, the scores from Stages II and III will be combined for each Eligible Proposal.
Subject to the express and implied rights of OECM; the Proponents with the highest scoring Proposals or all
Proponents may become the Preferred Proponents, and be invited to negotiations, as further described below.
Reference checks will be performed to confirm or clarify information provided within the Proposal. The
reference checks themselves will not be scored, however, OECM may adjust Technical Response scores
related to the information obtained during the reference check.
3.6 Stage V – Tie Break Process
At this stage, where two (2) or more of the highest scoring Eligible achieve a tie score on completion of the
Stage IV, OECM may invite all Proponents to negotiations or break the tie by selecting the Proposal with the
highest score in Stage III – Commercial Response.
3.7 Stage VI – Negotiations
Concurrent negotiations, with the Preferred Proponents, will be based on the RFP requirements, and the
Proposals, understanding that OECM is seeking the best overall solution and value for money for Customers.
The negotiations may include:
(a) Services;
(b) Master Agreement management (e.g. performance, KPIs, penalties, reporting);
(c) Master Agreement terms and conditions;
(d) Additional references, if required;
(e) Rates; and,
(f) Best and Final Offer.
OECM may also request supplementary information from a Preferred Proponent to verify, clarify or supplement
the information provided in its Proposal or confirm the conclusions reached in the evaluation and may include
requests by OECM for improved Rates.
OECM intends to complete negotiations within fifteen (15) calendar days after notification. If, for any reason,
OECM and a Preferred Proponent fail to reach an agreement within the aforementioned timeframe, OECM
may (a) request the Preferred Proponent to submit its Best and Final Offer; (b) terminate negotiations with that
particular Preferred Proponent; (c) extend the negotiation timeline; or (d) publish one (1) or some of the
Suppliers, who have executed Master Agreements, within our promotional marketing launch. Other Master
Agreements, if successfully negotiated with other Preferred Proponents would be added to OECM’s website
at a later date.
Upon successful negotiations, the Preferred Proponent will be invited to execute a Master Agreement.
3.8 Stage VII – Master Agreement Finalization
The Preferred Proponent will be given five (5) Business Days to execute the Master Agreement, unless
otherwise specified by OECM. Once the Master Agreement has been executed, Customers may execute a
CSA.
OECM shall at all times be entitled to exercise its rights under Section 5.6.
[End of Part 3]
PART 4 – MASTER AGREEMENT STRUCTURE AND MANAGEMENT
4.1 Master Agreement Structure
OECM may, through this RFP process, enter into Master Agreements with up to seven (7) Suppliers for the
provision of the Services to offer Customers choice and Service coverage to ensure Customer’s requirements
are met.
The Term is intended to be for three (3) years, with an option in favour of OECM to extend the Term on the
same terms and conditions for one (1) additional two (2) year option for extension. Performance as set out in
Appendix G – Performance Management Scorecard and, if applicable, Supplier Recognition Program
evaluation results will be considered when contemplating a Master Agreement extension and supplier refresh,
if necessary.
Customers participating in the Master Agreements will execute a CSA with a Supplier as attached in Appendix
B – Form of Master Agreement. The Supplier shall provide a copy of every CSA to OECM within thirty (30)
days of execution.
The Master Agreement must be fully executed before the provision of any Deliverables commences.
4.1.1 No Contract until Execution of Written Master Agreement
This RFP process is intended to identify Proponents for the purpose of negotiation of potential Master
Agreements. The negotiation process is further described in Part 3 – Evaluation of Proposals, and in
Section 3.8 of this RFP.
No legal relationship or obligation regarding the procurement of any Services shall be created
between the Proponent and OECM by this RFP process until the successful completion of negotiation
and execution of a written Master Agreement for the provision of the Services has occurred.
4.1.2 Customer’s Usage of Master Agreements
The establishment and use of the Master Agreement consists of a two (2) part process.
Part One, which is managed by OECM, is the creation of the Master Agreement through the issuance
of this RFP, the evaluation of Proposals submitted in response to it and the negotiation and execution
of the Master Agreement.
Part Two, the Optional Second Stage Selection Process (“Second Stage”) is managed by the
Customer or by OECM on the Customer’s behalf and is focused on the Customer’s specific needs.
Depending on the Customer’s internal policies, and potential dollar value of the Services a Customer
may:
(a) Sign a CSA with a Supplier and then immediately obtain Services based on the Master
Agreement terms, conditions, and Rates (which are maximum Rates); or,
(b) Obtain Rates through the Optional Second Stage Selection Process (“Second Stage”) which is
managed by the Customer or by OECM on the Customer’s behalf. The Second Stage is a
request (e.g. a non-binding request via a Second Stage tool (e.g. Request for Services (“RFS”),
Quick Quote (“QQ”), or Customer’s process (e.g. directly or via an online e.tendering platform))
to the Supplier from the Customer for their specific Services requirements. If selected by the
Customer, the Supplier shall provide the Services in accordance with the specifications stated
in the Master Agreement and in the Customer’s CSA including Rates (which may be lower than
the Master Agreement maximum Rates).
When a Second Stage request is issued, which does not constitute a contract A, contract B situation,
it will identify the required Services or it may request the Supplier to propose appropriate Services to
fulfill the Customer’s requirements and any other applicable information. The Customer may
negotiate their unique requirements with the Supplier and mutually agree to additional terms and
conditions (e.g. reporting, Rates, payment terms) ensuring the additional terms and conditions are
not in any way inconsistent with the Master Agreement.
The Supplier must respond to a Optional Second Stage Selection Process request and, at minimum,
the response should set out the following:
(a) Proposed Services;
(b) Scope of Work;
(c) Timelines for Services; and,
(d) Final, net Rates. The Rates should be valid for a period of not less than ninety (90) days. Limited
time offer Rates and/or promotional Rates must be specified by the Supplier, if applicable to the
specific Second Stage request.
Customers are not obligated to sign a CSA to obtain specific Services Rates. However, a CSA must
be signed before the provision of any Services commences.
4.1.3 No Guarantee of Volume of Work or Exclusivity of Master Agreement
Nothing in this RFP is intended to relieve the Proponent from forming its own opinions and
conclusions with respect to the matters addressed in this RFP. Volumes are an estimate only and
may not be relied on by the Proponent.
OECM makes no guarantee of the value or volume of work to be assigned to the Supplier.
The Master Agreement executed with the Supplier may not be an exclusive Master Agreement for
the provision of the Deliverables. Customers may contract with others for the same or similar
Deliverables to those described in this RFP.
4.2 Rates
The proposed Service Rates shall be firm for the first year of the Master Agreement and shall be:
(a) Maximum Rates applicable to all Customers;
(b) In Canadian funds and shall include all applicable costs, including, but not limited to overhead, materials,
fuel, fuel surcharge, duties, tariffs, delivery, office support, profit, permits, licences, labour, insurance, and
Workplace Safety Insurance Board costs; and,
(c) Exclusive of the HST, or other similar taxes.
The Supplier may, however, lower its Rates for specific Services when the Customer and Supplier mutually
agree without affecting the Rates in the Master Agreement.
In extenuating circumstances, OECM may consider a Rate adjustment substantially effecting the provision of
Services resulting from new or changed municipal, provincial, or federal regulations, by-laws and fluctuations
in foreign exchange rates as published by the Bank of Canada, tariffs, or ordinances. Any such request from
the Supplier must be accompanied and supported by documentation deemed appropriate by OECM. OECM
may use a third-party index (e.g. Consumer Price Index (“CPI”)) in its Rates review. The Supplier must submit
documentation (i.e. Rate impact analysis) demonstrating how the request affects the delivery of Products in
this Master Agreement. OECM will not consider any fixed costs or overhead adjustments in its review of the
Supplier’s documentation.
4.2.1 Expenses or Additional Charges
There shall be no expenses or other charges payable to the Supplier under the Contract other than
the Rates established under the Contract. Applicable expenses incurred for travel, meals and/or
accommodation, if any, to perform Services must be approved by the Customer in advance. Any
such expenses must be charged in accordance with the Customer’s travel policy, as may be
amended from time to time. All such pre-approved expenses, where applicable, must be itemized
separately on invoices.
Customers shall not be responsible for expenses incurred by the Supplier and the Supplier’s
resource/personnel while travelling or otherwise, including, but not limited to:
(a) Gratuities;
(b) Laundry or dry cleaning;
(c) Valet services;
(d) Dependent care;
(e) Home management;
(f) Personal telephone calls; and,
(g) Other hospitality and incidental expenses.
4.2.2 Optional Rate Refresh
OECM’s goal is to maintain Rates as low as possible for Customers. However, the Supplier may
request a Rate refresh by providing a written notice to OECM at least one-hundred-and-twenty (120)
days prior to the anniversary of the Master Agreement.
As part of any review OECM will consider Rate adjustments that reflect changes in operation,
adjustments due to new or changed municipal, provincial, or federal regulations, by-laws, and
fluctuations in foreign exchange rates as published by the Bank of Canada, tariffs, or ordinances.
Any such requests from the Supplier must be accompanied and supported by documentation
deemed appropriate by OECM. OECM may use a third-party index (i.e. Consumer Price Index “CPI”
and/or Commercial Software Price Index provided by Statistics Canada) in its Rates review. The
Supplier must submit documentation (i.e. Rate impact analysis) demonstrating how the request
affects the delivery of Services in this Master Agreement. OECM will not consider any fixed costs or
overhead adjustments in its review of the Supplier’s documentation.
Volumes and Supplier performance (i.e. Supplier’s Performance Management Scorecard and/or
Supplier Recognition Program evaluation results) will be considered when contemplating a Rate
refresh.
If a proposed Rate refresh was agreed upon between OECM and the Supplier, the new Rates would
only be applicable to Services ordered after the effective date of the new Rates. The effective date
of the Rate change must allow Customers a minimum of thirty (30) days’ prior notice from OECM. If,
however, a proposed Rate increase is not accepted by OECM the Master Agreement may be
terminated within one-hundred and twenty (120) days unless the Supplier agrees to withdraw its
request for a Rate increase and continue the provision of the Services at the existing agreed upon
Rates.
If a Rate refresh is not requested, the existing Rates shall remain in effect until the next Rate refresh
opportunity.
Decreases to the Rates shall be accepted at any time during the Term.
Based on above, the Master Agreement will be amended, if needed.
4.2.3 Optional Process to Add Other Services
During the Term, if mutually agreed by OECM and the Supplier, other Services (e.g. newly available
Products, new technology and Services) may be added to the Master Agreement at any time to align
with Customer needs.
The Supplier shall provide written notice to OECM of at least one hundred and twenty (120) days if
requesting a Service refresh.
Additional Product and Service requests from the Supplier must be accompanied by appropriate
documentation (e.g. Service description, and rationale for the addition).
Volumes and Supplier’s performance (i.e. as described in Appendix G – Performance Management

Scorecard and/or Supplier Recognition Program evaluation results) will be considered when
contemplating adding Services. In the event the Supplier’s performance is poor and/or unacceptable,
OECM may not agree to the Supplier’s Service refresh request. All other Services shall remain
unchanged.
Rates, for newly added Services, will be negotiated at the time ensuring Rate alignment with similar
Services currently available on the Master Agreement.
Based on above, the Master Agreement will be amended, if needed.
4.2.4 OECM Geographical Zones
OECM Customers are located in five (5) geographical Zones (as set out below and detailed in
Appendix D – OECM Geographical Zones) throughout the Province of Ontario.
(a) Central Zone;
(b) East Zone;
(c) North East Zone;
(d) North West Zone; and,
(e) West Zone.
Also refer to Appendix E – OECM School Board, University and College Customers in Ontario
illustrating OECM’s educational Customers by Zone.
4.2.5 OECM Cost Recovery Fee
As a not-for-profit/non-share capital corporation, OECM recovers its operating costs from its
agreements through a Cost Recovery Fee (“CRF”). CRFs from the resulting Master Agreement from
this RFP and other OECM agreements are structured to support OECM’s financial model, while
providing savings to Customers.
The Supplier shall pay to OECM a CRF of two percent (2%) on all Services invoiced by the Supplier
to the Customers throughout the Term.
CRF will be calculated as follows:
EXAMPLE OF HOW CRF WILL BE CALCULATED FOR THE SECOND CALENDAR

QUARTER WITH A CRF = 2%
Total CRF
Sales per Month Calculation CRF HST Payment to
OECM
If Supplier has $100,000
$100,000 x 2% CRF $2000 $260 $2260
total sales in April

$200,000 x 2% CRF $4000 $520 $4520
total sales in May

$100,000 x 2% CRF $2000 $260 $2260
total sales in June
The CRF shall be paid to OECM, via EFT, on a quarterly basis based on the calendar year by the
tenth (10) Business Day of the applicable quarter.
CRF payment dates, for the first year of the Master Agreement, will be as follows:
CRF Payments Payment Date
The first CRF, including any Customer purchases made

between the Master Agreement execution date and October 14, 2021
September 30, 2021 shall be paid to OECM by:
The next CRF, including any Customer purchases made

between October 1, 2021 to December 31, 2021, shall be January 14, 2022
paid to OECM by:
The next CRF, including any Customer purchases made

between January 1, 2022 to March 31, 2022, shall be paid April 14, 2022
to OECM by:.
Tenth (10) Business Day in

Subsequent CRF payments shall be paid to OECM on the
January, April, July, October of
tenth (10) Business Day following each calendar quarter.
each year
HST is applicable to the CRF payments made to OECM.
The CRF will be reviewed (e.g. annually) and may, at OECM’s sole discretion, be adjusted
downwards.
During the Term, OECM may implement other CRF methodologies. Should this take place, the
maximum CRF noted above shall not increase.
The Supplier shall be responsible for paying interest, as specified in Article 4.08 of the Master
Agreement, for late CRF payments.
Upon termination or expiry of the Master Agreement, the Supplier will submit all outstanding CRF
payments within thirty (30) days of the Master Agreement termination or expiry date.
4.2.6 Financial Administration Act Section 28
In accordance with the requirements of the Financial Administration Act (“FAA”), notwithstanding
anything else in the CSA, or in any other agreement between the Customer and the Supplier
executed to carry out the Services provided for herein, the remedies, recourse or rights of the
Supplier shall be limited to the Customer and to the right, title and interest owned by the Customer
in and to all of its real or personal property, whether now existing or hereinafter arising or acquired
from time to time. The Supplier unconditionally and irrevocably waives and releases all other claims,
remedies, recourse or rights against the Crown in right of Ontario in respect of the CSA, and agrees
that it shall have no remedies, recourse or rights in respect of the CSA against the Crown in right of
Ontario, any Ontario Ministry, Minister, agent, agency, servant, employee or representative of the
Crown or any director, officer, servant, agent, employee or representative of a Crown agency or a
corporation in which the Crown holds a majority of the shares or appoints a majority of the directors
or members, other than against the Customer and its assets.
If the Supplier and the Customer agree that a CSA is exempt from the application of subsection 28(1)
of the Financial Administration Act pursuant to Ontario Regulation 376/18: Section 28 Exemptions –
Colleges, the Customer represents and warrants that the CSA (i) complies with all applicable policies
of the Customer; (ii) complies with all applicable laws and Ontario government directives applicable
to it; and, (iii) relates to activities of the Customer that are permitted under its objects and that are
undertaken within Canada. The Supplier represents and warrants that the CSA complies with all
Applicable Laws and Ontario government directives applicable to it.
4.2.7 Saving Calculation
OECM tracks, validates, and reports on savings on all of its agreements. Collaborative procurement
processes enables several types of savings including direct and indirect savings (e.g. process
improvement, lead time reduction, standardization, economies of scale, cost avoidance).
The Supplier shall report Customer savings Master Agreement Rate versus Rate invoiced to
Customer, total cost of Services, cost avoidance and/or other savings.
4.3 Supplier Management Support to OECM
OECM will oversee the Master Agreement, and the Supplier shall provide appropriate Master Agreement
management support including, but not limited to:
(a) Assigning to OECM a Supplier Account Executive and team responsible for supporting and overseeing
all aspects of the Master Agreement;
(b) Working and acting in an ethical manner demonstrating integrity, professionalism, accountability,
transparency and continuous improvement;
(c) Promoting the Master Agreement within the Customer community;
(d) Maintaining OECM’s and Customer’s confidentiality by not disclosing Confidential Information without the
prior written consent of OECM and/or the Customer, as the case may be, as further described in Appendix
B – Form of Master Agreement;
(e) Attending business review meetings with OECM to review such information as:
i. CSAs and upcoming opportunities; and,
ii. Review and monitor performance management compliance;
(f) Complying with Appendix H – Code of Conduct requirements as described on the OECM website at
https://oecm.ca/oecm-advantage/our-supplier-partners/supplier-code-of-conduct;
(g) Managing issue resolution in a timely manner;
(h) Complying with agreed upon escalation processes to resolve outstanding issues;
(i) Timely submission of reports as described in Appendix F – Reporting Requirements; and,
(j) Complying with Master Agreement close out processes (e.g. ensuring all Master Agreement obligations
have been fulfilled, such as submission of final reporting and CRF payments to OECM).
4.3.1 Master Agreement Award and Launch
Once the Master Agreement is awarded, the Supplier will meet with OECM to discuss an effective
launch strategy, and shall provide:
(a) Supplier profile and logo;
(b) Supplier contact information;
(c) Customer engagement strategy;
(d) Access to knowledge sharing materials (e.g. webinars);
(e) Marketing materials, and,
(f) Other relevant materials.
4.3.2 Promoting OECM Master Agreements
To support Customers, OECM and the Supplier will work together to encourage the use of the Master
Agreement resulting from this RFP.
The Supplier will actively promote the Master Agreement to Customers by:
(a) Conducting sales and marketing activities directly to onboard Customers;
(b) Executing CSAs with interested Customers;
(c) Providing excellent and responsive Customer support;
(d) Gathering and maintaining Customer and market intelligence, including contact information;
(e) Identifying Customer savings; and,
(f) Identifying improvement opportunities (e.g. new Services).
OECM will promote the use of the Master Agreement with Customers by:
(a) Using online communication tools to inform and educate;
(b) Holding information sessions and webinars, as required;
(c) Attending, where appropriate, Customer and Supplier events;
(d) Facilitating CSA execution, where appropriate;
(e) Facilitating Second Stage requests, as required;
(f) Providing effective business relationship management;
(g) Managing and monitoring Supplier performance;
(h) Facilitating issue resolution; and,
(i) Marketing Supplier promotions.
4.3.3 Supplier’s Performance Management Scorecard
To ensure Master Agreement requirements are met, the Supplier’s performance will be measured
and tracked by OECM as described in Appendix G – Performance Management Scorecard.
4.3.4 OECM’s Supplier Recognition Program
OECM’s suppliers play a fundamental role in ensuring Customers’ needs are met with consistent and
exceptional service. As part of OECM’s efforts to provide greater value to Customers and support
their Supplier selection process across OECM agreements, OECM has implemented a Supplier
Recognition Program (“SRP”). Through the SRP, OECM will objectively assess supplier’s
performance using an open, fair and transparent framework to recognize and reward top-performing
Suppliers on an annual basis.
The following four (4) key areas of focus that suppliers will be measured upon include:
(a) Supplier performance;
(b) Master Agreement performance (see Section 4.3.3 and Appendix G (Performance Management
Scorecard));
(c) Generated savings and value; and,
(d) Technical Response scores from the Supplier’s Proposal for this RFP.
Further details will be provided to the Suppliers.
4.3.5 Reporting to OECM
The Supplier shall be responsible for providing reports as further described in Appendix F – Reporting
Requirements.
Report details will be discussed and established at the Master Agreement finalization stage between
OECM and the Preferred Proponent. Other reports may be added, throughout the Term, if mutually
agreed upon between OECM and the Supplier, and/or the Customer and Supplier.
[End of Part 4]
PART 5 – TERMS AND CONDITIONS OF THE RFP PROCESS
5.1 General Information and Instructions
Procurement Process Non-Binding
This RFP process is non-binding, and it does not intend to create, and shall not create, a formal legally-binding
procurement process, and shall not give rise to the legal rights or duties applied to a formal legally-binding
procurement process. This procurement process shall instead be governed by the law applicable to direct
commercial negotiations. For greater certainty and without limitation:
(a) This RFP shall not give rise to any contract A – based tendering law duties or any other legal obligations
arising out of any process contract or collateral contract; and,
(b) Neither the Proponent nor OECM shall have the right to make any breach of contract, tort or other claims
against the other with respect to the award of a Master Agreement, failure to award a Master Agreement
or failure to honour a response to this RFP.
Non-Binding Rates
While the Proposal Rates will be non-binding prior to the execution of a written Master Agreement, such
information will be assessed during the evaluation and ranking of the Proposals, as further described in Part
3 – Evaluation of Proposals. Any inaccurate, misleading, or incomplete information, including withdrawn or
altered Rates, could adversely impact any such evaluation, ranking, or Master Agreement award.
5.1.1 RFP Timetable
The following is a summary of the key dates for this RFP process:
RFP Timetable
Event Time/Date
OECM’s Issue Date of RFP: May 10, 2021
Proponent’s Information and OTP Demonstration Session: 2:00 pm on May 13, 2021
Proponent’s Deadline to Submit Questions: 5:00 pm on May 18, 2021
OECM’s Deadline for Issuing Answers: May 21, 2021
Proponent’s Deadline to Submit Questions Related to

5:00 pm on May 26, 2021
Addenda & Question and Answer Documents:
OECM’s Deadline for Issuing Final Documents: June 1, 2021
Closing Date: 2:00:00 pm on June 29, 2021
Anticipated Master Agreement Start Date: September 2021
Note – all times specified in this RFP timetable are local times in Toronto, Ontario, Canada.
OECM may amend any timeline, including the Closing Date, without liability, cost, or penalty, and
within its sole discretion.
In the event of any change in the Closing Date, the Proponent may thereafter be subject to the
extended timeline.
5.1.2 Proponent’s Information and OTP Demonstration Session
The Proponent should participate in the Proponent’s Information and OTP Demonstration Session,
which will take place at the time set out in Section 5.1.1.
Prior to the Proponent’s Information and OTP Demonstration Session, OECM will send a Message
via OTP with the teleconference and webinar information to the Proponents who expressed interest
on OTP.
The Proponent’s Information and OTP Demonstration Session is an opportunity for the Proponent to
enhance its understanding of the RFP process and to learn how to use OTP to submit its Proposal.
Any changes to the Proponent’s Information and OTP Demonstration Session meeting date will be
issued in an addendum on OTP.
Information provided during this session will be posted on OTP.
In the event of a conflict or inconsistency between the Proponent’s Information and OTP
Demonstration Session and the RFP, the RFP shall prevail.
The Proponent can contact OTP technical support directly for further assistance, using the contact
details set out in Section 5.3.1.
5.1.3 Proponent to Follow Instructions
The Proponent should structure its Proposal in accordance with the instructions in this RFP. Where
information is requested in this RFP, any response made in the Proposal should reference the
applicable section numbers of this RFP where that request was made.
5.1.4 OECM’s Information in RFP Only an Estimate
OECM makes no representation, warranty or guarantee as to the accuracy of the information

contained in this RFP or issued by way of addenda. Any data contained in this RFP or provided by
way of addenda are estimates only and are for the sole purpose of indicating to Proponents the
general size of the work.
It is the Proponent's responsibility to avail itself of all the necessary information to prepare a Proposal
in response to this RFP.
5.1.5 Proponent’s Costs
The Proponent will bear all costs and expenses incurred relating to any aspect of its participation in
this RFP process, including all costs and expenses relating to the Proponent’s participation in:
(a) The preparation, presentation and submission of its Proposal;
(b) The Proponent’s attendance at any meeting in relation to the RFP process, including any
presentation and/or interview;
(c) The conduct of any due diligence on its part, including any information gathering activity;
(d) The preparation of the Proponent’s own questions; and,
(e) Any discussion and/or finalization, if any, in respect of the Form of Master Agreement.
5.2 Communication after RFP Issuance
5.2.1 Communication with OECM
All communications regarding any aspect of this RFP must be sent to OECM as a Message in OTP.
If the Proponent fails to comply with the requirement to direct all communications to OECM through
OTP, it may be disqualified from this RFP process. Without limiting the generality of this provision,
Proponents shall not communicate with or attempt to communicate with the following as it relates to
this RFP:
(a) Any employee or agent of OECM;
(b) Any member or advisor of the Project Advisory Committee;
(c) Any member of OECM’s governing body (such as Board of Directors, or advisors);
(d) Any employee, consultant or agent of OECM’s Customers; and,
(e) Any elected official of any level of government, including any advisor to any elected official.
5.2.2 Proponent to Review RFP
The Proponent shall promptly examine this RFP and all Appendices, including the Form of Master
Agreement and:
(a) Shall report any errors, omissions or ambiguities; and,
(b) May direct questions or seek additional information on or before the Proponent’s Deadline to
Submit Questions to OECM.
All questions submitted by Proponents shall be deemed to be received once the Message has
entered into OECM’s OTP inbox.
In answering a Proponent’s questions, OECM will set out the question, without identifying the
Proponent that submitted the question and OECM may, in its sole discretion:
(a) Edit the question for clarity;
(b) Exclude questions that are either unclear or inappropriate; and,
(c) Answer similar questions from various Proponents only once.
Where an answer results in any change to the RFP, such answer will be formally evidenced through
the issue of a separate addendum for this purpose.
To ensure the Proponent clearly understand issued addenda, OECM allows Proponents to ask
questions related to addenda, and question and answer documents. Refer to Section 5.1.1 for
timelines.
OECM is under no obligation to provide additional information but may do so at its sole discretion.
It is the responsibility of the Proponent to seek clarification, by submitting questions to OECM through
OTP, on any matter it considers to be unclear. OECM shall not be responsible for any
misunderstanding on the part of the Proponent concerning this RFP or its process.
5.2.3 Proponent to Notify
In the event the Proponent has any reason to believe that an error, omission, uncertainty or
ambiguity, as set out in Section 5.2.2 exists, the Proponent must notify OECM through OTP prior to
submitting a Proposal.
If appropriate, OECM will then clarify the matter for the benefit of all Proponents.
The Proponent shall not:
(a) After submission of a Proposal, claim that there was any misunderstanding or that any of the
circumstances set out in Section 5.2.2 were present with respect to the RFP; and,
(b) Claim that OECM is responsible for any of the circumstances listed in Section 5.2.2 of this RFP.
5.2.4 All New Information to Proponents by way of Addenda
This RFP may only be amended by an addendum in accordance with this section.
If OECM, for any reason, determines that it is necessary to provide additional information relating to
this RFP, such information will be communicated to all Proponents by addenda on OTP. Each
addendum shall form an integral part of this RFP.
Any amendment or supplement to this RFP made in any other manner will not be binding on OECM.
Such addenda may contain important information including significant changes to this RFP. The
Proponent is responsible for obtaining all addenda issued by OECM.
The Proponent who intends to respond to this RFP is requested not to cancel the receipt of addenda
or amendments option provided by OTP, since it must obtain all information and documents that are
issued on OTP.
In the event that a Proponent chooses to cancel the receipt of addenda or amendments, its Proposal
may be rejected.
5.3 Proposal Submission Requirements
5.3.1 General
The Proponent shall submit its Proposal through OTP at

https://ontariotenders.app.jaggaer.com/esop/nac-host/public/web/login.html.
The Proponent should contact OTP technical support if it experiences technical difficulties or to seek
support about the use of OTP via:
(a) Email at etenderhelp_CA@jaggaer.com;
(b) By phone at 866-722-7390; or,
(c) Accessing website information at https://ontariotenders.app.jaggaer.com/esop/nac-

host/public/attach/eTendering_responding_to_tender_guide.pdf.
To be considered in the RFP process, a Proposal must be submitted and received before the Closing
Date as set out in Section 5.1.1 and on OTP.
The Proponent is strongly encouraged to become familiar with the use of OTP well in
advance of the Closing Date.
The Proponent will not be able to submit a Proposal after the Closing Date, as OTP will close the
access to the RFP on the Closing Date.
A Proposal sent by, email, facsimile, mail and/or any other means other than stated in this RFP shall
not be considered. Notwithstanding anything to the contrary contained in any applicable statute
relating to electronic documents transactions, including the Electronic Commerce Act, 2000, S.O.
2000, c. 17, any notice, submission, statement, or other instrument provided in respect of the RFP
may not be validly delivered by way of electronic communication, unless otherwise provided for in
this RFP.
5.3.2 Proposal in English
All Proposal submissions are to be in English only. Any Proposal received by OECM that is not
entirely in the English language may be disqualified.
5.3.3 Proposal Submission Requirements
The Proponent is solely responsible for submitting its Proposal on OTP prior to the Closing Date.
The Proposal should be submitted in accordance with the instructions set out on OTP and in this
RFP as set out below.
Complete
Complete
OTP Appendix
Appendix/Form Title Form within
Envelope and Upload
OTP
to OTP
Form of Offer Qualification √
Compliance with Form of Master Agreement Qualification √
Technical Response Technical √
Appendix C – Commercial Response Commercial √
5.3.4 Other Proposal Considerations
In preparing its Proposal, the Proponent should adhere to the following:
(a) Information contained in any embedded link will not be considered part of a Proposal, and will
not be evaluated or scored;
(b) Completely address, on a point-by-point basis, each Technical Response question in Technical
Response. Technical Responses left blank and/or unanswered will receive a score of zero (0).
Refer to Section 3.3;
(c) Information attached as part of the Commercial Envelope in OTP will not be considered as part
of the evaluation of Stage II - Technical Response. Refer to Section 3.3; and,
(d) The Proposal should be complete in all respects. Proposal evaluation and scoring applies only
to the information contained in the Proposal, or accepted clarifications as set out in Section
5.3.13 Clarification of Proposals.
5.3.5 Proposal Receipt by OECM
Every Proposal received will be date/time stamped by OTP.
A Proponent should allow sufficient time in the preparation of its Proposal to ensure its Proposal is
received on or before the Closing Date.
5.3.6 Withdrawal of Proposal
A Proponent may withdraw its Proposal by deleting its submission on OTP before the Closing Date
or at any time throughout the RFP process until the execution of a Master Agreement. To withdraw
a Proposal after the Closing Date, the Proponent should send a Message to OECM through OTP.
5.3.7 Amendment of Proposal on OTP
A Proponent may amend its Proposal after submission through OTP, but only if the Proposal is
amended and resubmitted before the Closing Date.
5.3.8 Completeness of Proposal
By submitting a Proposal, the Proponent confirms that all components required to use and/or manage
the Services have been identified in its Proposal or will be provided to OECM or its Customers at no
additional cost. Any requirement that may be identified by the Proponent after the Closing Date or
subsequent to signing the Master Agreement shall be provided at the Proponent’s expense.
5.3.9 Proposals Retained by OECM
All Proposals submitted by the Closing Date shall become the property of OECM and will not be
returned to the Proponent.
5.3.10 Acceptance of RFP
By submitting a Proposal, a Proponent agrees to accept the terms and conditions contained in this
RFP, and all representations, terms, and conditions contained in its Proposal.
5.3.11 Amendments to RFP
Subject to Section 5.1.1 and Section 5.2.4, OECM shall have the right to amend or supplement this
RFP in writing prior to the Closing Date. No other statement, whether written or oral, shall amend this
RFP. The Proponent is responsible to ensure it has received all addenda.
5.3.12 Proposals will not be Opened Publicly
The Proponent is advised that there will not be a public opening of this RFP. OECM will open
Proposals at a time subsequent to the Closing Date.
5.3.13 Clarification of Proposals
OECM shall have the right at any time after the Closing Date to seek clarification from any Proponent
in respect of the Proposal, without contacting any other Proponent.
OECM will exercise this right in a similar manner for all Proponents.
Any clarification sought shall not be an opportunity for the Proponent to either correct errors or to
change its Proposal in any substantive manner. Subject to the qualification in this provision, any
written information received by OECM from a Proponent in response to a request for clarification
from OECM may be considered, if accepted, to form an integral part of the Proposal.
OECM shall not be obliged to seek clarification of any aspect of any Proposal.
5.3.14 Verification of Information
OECM shall have the right, in its sole discretion, to:
(a) Verify any Proponent’s statement or claim made in its Proposal or made subsequently in a
clarification, interview, site visit, oral presentation, demonstration, or discussion by whatever
means OECM may deem appropriate, including contacting persons in addition to those offered
as references, and to reject any Proponent statement or claim, if such statement or claim or its
Proposal is patently unwarranted or is questionable, which may result in changes to the scores
for the Proponent’s Technical Response; and,
(b) Access the Proponent’s premises where any part of the work is to be carried out to confirm
Proposal information, quality of processes, and to obtain assurances of viability, provided that,
prior to providing such access, the Proponent and OECM shall have agreed on access terms
including pre-notification, extent of access, security and confidentiality. OECM and the
Proponent shall each bear its own costs in connection with access to each other’s premises.
The Proponent shall co-operate in the verification of information and is deemed to consent to OECM
verifying such information, including references.
5.3.15 Proposal Acceptance
The lowest price Proposal or any Proposal shall not necessarily be accepted. While price is an
evaluation criterion, other evaluation criteria as set out in Part 3 will form a part of the evaluation
process.
5.3.16 RFP Incorporated into Proposal
All provisions of this RFP are deemed to be accepted by each Proponent and incorporated into each
Proposal.
5.3.17 Exclusivity of Contract
The Master Agreement, if any, with the Preferred Proponent will not be an exclusive agreement for
the provision of the described Deliverables.
5.3.18 Substantial Compliance
OECM shall be required to reject Proposals, which are not substantially compliant with this RFP.
5.3.19 No Publicity or Promotion
No Proponent, including the Preferred Proponent, shall make any public announcement or distribute
any literature regarding this RFP or otherwise promote itself in connection with this RFP or any
arrangement entered into under this RFP without the prior written approval of OECM.
In the event that a Proponent, including the Preferred Proponent, makes a public statement either in
the media or otherwise in breach of this requirement, in addition to any other legal remedy it may
have in law, in equity or within the context of this RFP, OECM shall be entitled to take all reasonable
steps as may be deemed necessary by OECM, including disclosing any information about a
Proposal, to provide accurate information and/or to rectify any false impression which may have been
created.
5.4 Negotiations, Timelines, Notification and Debriefing
5.4.1 Negotiations with Preferred Proponent
OECM reserves the right to accept or reject any Proposals in whole or in part; to waive irregularities
and omissions, if doing so is in the best interests of OECM and its Customers.
The Preferred Proponent shall execute the Master Agreement in the form attached to this RFP with
negotiated changes, if any, and satisfy any other applicable conditions of this RFP within twenty (20)
days of invitation to enter into negotiations. This provision is solely to the benefit of OECM and may
be waived by OECM at its sole discretion.
If the Preferred Proponent and OECM cannot execute the Master Agreement within the allotted
twenty (20) days, OECM will, as described in Section 3.7 and 3.8, be at liberty to extend the timeline,
request the Preferred Proponent to submit its Best and Final Offer, terminate
discussions/negotiations with the Preferred Proponent, or publish one (1) or some of the Suppliers,
who have executed Master Agreements within OECM’s promotional marketing launch. Other Master
Agreements, if successfully negotiated with other Preferred Proponents would be added to OECM’s
website at a later date.
5.4.2 Failure to Execute a Master Agreement
When the Preferred Proponent successfully reaches an agreement with OECM at the end of the
negotiation process in accordance with the evaluation set out in this RFP, the Preferred Proponent
will be allotted five (5) Business Days to execute the Master Agreement unless otherwise specified
by OECM.
If the Preferred Proponent cannot execute the Master Agreement within the allotted timeframe,
OECM may rescind the invitation to execute a Master Agreement or publish one (1) or some of the
Suppliers, who have executed Master Agreements within OECM’s promotional marketing launch.
Other Master Agreements, if successfully negotiated with other Preferred Proponents would be
added to OECM’s website at a later date.
In accordance with the process rules in this Part 5 – Terms and Conditions of the RFP Process, there
will be no legally binding relationship created with any Proponent prior to the execution of a written
agreement.
5.4.3 Master Agreement
If a Master Agreement is subsequently negotiated and awarded to a Preferred Proponent as a result

of this RFP process:
(a) Any such Master Agreement will commence upon signature by the duly authorized
representatives of OECM and the Preferred Proponent; and,
(b) May include, but not be limited to, the general Master Agreement terms contained in Appendix
B – Form of Master Agreement.
5.4.4 Notification to Other Proponents
Once the Master Agreement is executed, other Proponents will be notified directly in writing and shall
be notified by public posting in the same manner that the RFP was originally posted of the outcome
of the procurement process and the award of the contract.
5.4.5 Debriefing
Any Proponent may request a debriefing after receipt of a notification of award. All requests must be
in writing to OECM and should be made within sixty (60) days of notification of award. The intent of
the debriefing information session is to aid the Proponent in presenting a better proposal in
subsequent procurement opportunities. Any debriefing provided is not for the purpose of providing
an opportunity to challenge the procurement process.
5.4.6 Bid Dispute Resolution
In the event that the Proponent wishes to review the decision of OECM in respect of any material
aspect of the RFP process, and subject to having attended a debriefing, the Proponent shall submit
a protest in writing to OECM within ten (10) days from such a debriefing.
Any request that is not timely received will not be considered and the Proponent will be notified in
writing.
A protest in writing should include the following:
(a) A specific identification of the provision and/or procurement procedure that is alleged to have
been breached;
(b) A specific description of each act alleged to have breached the procurement process;
(c) A precise statement of the relevant facts;
(d) An identification of the issues to be resolved;
(e) The Proponent’s arguments and supporting documentation; and,
(f) The Proponent’s requested remedy.
For the purpose of a protest, OECM will review and address any protest in a timely and appropriate
manner. OECM will engage an independent and impartial third party should the need arise.
5.5 Prohibited Communications, and Confidential Information
5.5.1 Confidential Information of OECM
All correspondence, documentation, and information of any kind provided to any Proponent in
connection with or arising out of this RFP or the acceptance of any Proposal:
(a) Remains the property of OECM and shall be removed from OECM’s premises only with the prior
written consent of OECM;
(b) Must be treated as confidential and shall not be disclosed except with the prior written consent
of OECM;
(c) Must not be used for any purpose other than for replying to this RFP and for the fulfillment of
any related subsequent agreement; and,
(d) Must be returned to OECM upon request.
5.5.2 Confidential Information of the Proponent
Except as provided for otherwise in this RFP, or as may be required by Applicable Laws, OECM shall
treat the Proposal and any information gathered in any related process as confidential, provided that
such obligation shall not include any information that is or becomes generally available to the public
other than as a result of disclosure by OECM.
During any part of this RFP process, OECM or any of its representatives or agents shall be under no
obligation to execute a confidentiality agreement.
In the event that a Proponent refuses to participate in any required stage of the RFP because OECM
has refused to execute any such confidentiality agreement, the Proponent shall receive no points for
that particular stage of the evaluation process.
5.5.3 Proponent’s Submission
All correspondence, documentation, and information provided in response to or because of this RFP
may be reproduced for the purposes of evaluating the Proposal.
If a portion of a Proposal is to be held confidential, such provisions must be clearly identified in the
Proposal.
5.5.4 Personal Information
Personal Information shall be treated as follows:
(a) Submission of information – The Proponent should not submit as part of its Proposal any
information related to the qualifications or experience of persons who will be assigned to provide
Services unless specifically requested. OECM shall maintain the information for a period of
seven (7) years from the time of collection. Should OECM request such information, OECM will
treat this information in accordance with the provisions of this section;
(b) Use – Any personal information as defined in the Personal Information Protection and Electronic
Documents Act, S.C. 2005, c.5 that is requested from a Proponent by OECM shall only be used
to select the qualified individuals to undertake the Services and to confirm that the work
performed is consistent with these qualifications; and,
(c) Consent – It is the responsibility of the Proponent to obtain the consent of such individuals prior
to providing the information to OECM. OECM will consider that the appropriate consents have
been obtained for the disclosure to and use by OECM of the requested information for the
purposes described.
5.5.5 Non-Disclosure Agreement
OECM reserves the right to require any Proponent to enter into a non-disclosure agreement
satisfactory to OECM.
5.5.6 Freedom of Information and Protection of Privacy Act
The Freedom of Information and Protection of Privacy Act (Ontario), applies to information provided
by the Proponent. A Proponent should identify any information in its Proposal, or any accompanying
documentation supplied in confidence for which confidentiality is to be maintained by OECM and its
Customers. The confidentiality of such information will be maintained by OECM, except as otherwise
required by law or by order of a court, tribunal, or the Ontario Privacy Commissioner.
By submitting a Proposal, including any Personal Information requested in this RFP, the Proponent
agrees to the use of such information for the evaluation process, for any audit of this procurement
process, and for contract management purposes.
5.5.7 Intellectual Property
The Proponent shall not use any intellectual property of OECM or Customers including, but not limited
to, logos, registered trademarks, or trade names of OECM or Customers, at any time without the
prior written approval of OECM and the respective Customer.
5.6 Reserved Rights and Governing Law of OECM
5.6.1 General
In addition to any other express rights or any other rights, which may be, implied in the circumstances,
OECM reserves the right to:
(a) Make public the names of any or all Proponents;
(b) Request written clarification or the submission of supplementary written information from any
Proponent and incorporate such clarification or supplementary written information, if accepted,
into the Proposal, at OECM’s discretion, provided that any clarification or submission of
supplementary written information shall not be an opportunity for the Proponent to correct errors
in its Proposal or to change or enhance the Proposal in any material manner;
(c) Waive formalities and accept Proposals that substantially comply with the requirements of this
RFP;
(d) Verify with any Proponent or with a third party any information set out in a Proposal;
(e) Check references other than those provided by Proponents;
(f) With supporting evidence, disqualify any Proponent on grounds such as:
i. Bankruptcy or insolvency;
ii. False declarations;
iii. Significant or persistent deficiencies in performance of any substantive requirement or
obligation under a prior agreement or agreements;
iv. Final judgments in respect of serious crimes or other serious offence; or,
v. Professional misconduct or acts or omissions that adversely reflect on the commercial
integrity of the Proponent;
(g) Disqualify any Proponent whose Proposal contains misrepresentations or any other inaccurate
or misleading information;
(h) Disqualify any Proponent whose Proposal is determined by OECM to be non-compliant with the
requirements of this RFP;
(i) Disqualify a Proposal based upon the past performance or on inappropriate conduct in a prior
procurement process, or where the Proponent has or the principals of a Proponent have
previously breached an agreement with OECM, or has otherwise failed to perform such
agreement to the reasonable satisfaction of OECM (i.e. has not submitted required reporting
and/or Cost Recovery Fees to OECM);
(j) Disqualify any Proponent, who, in relation to this RFP or the evaluation and selection process,
has engaged directly or indirectly in any form of political or other lobbying whatsoever to
influence the selection of the Supplier.
(k) Disqualify the Proponent who has been charged or convicted of an offence in respect of an
agreement with OECM, or who has, in the opinion of OECM, engaged in any illegal business
practices, including activities such as bid-rigging, price-fixing, bribery, fraud, coercion or
collusion, unethical conduct, including lobbying as described above or other forms of
deceitfulness, or other inappropriate communications offering gifts to any employees, officers,
agents, elected or appointed officials or other representatives of OECM, or where the Proponent
reveals a Conflict of Interest or Unfair Advantage in its Proposal or a Conflict of Interest or
evidence of any Unfair Advantage is brought to the attention of OECM;
(l) Disqualify any Proposal of any Proponent who has breached any Applicable Laws or who has
engaged in conduct prohibited by this RFP, including where there is any evidence that the
Proponent or any of its employees or agents colluded with any other Proponent, its employees
or agents in the preparation of the Proposal;
(m) Make changes, including substantial changes, to this RFP provided that those changes are
issued by way of addenda in the manner set out in this RFP;
(n) Accept or reject a Proposal if only one (1) Proposal is submitted;
(o) Reject a Subcontractor proposed by a Proponent within a Consortium;
(p) Select any Proponent other than the Proponent whose Proposal reflects the lowest cost to
OECM;
(q) Cancel this RFP process at any stage and issue a new RFP for the same or similar requirements,
including where:
i. OECM determines it would be in the best interest of OECM not to award a Master
Agreement,
ii. the Proposal prices exceed the bid prices received by OECM for Services acquired of a
similar nature and previously done work,
iii. the Proposal prices exceed the costs OECM or its Customers would incur by doing the
work, or most of the work, with its own resources,
iv. the Proposal prices exceed the funds available for the Services, or,
v. the funding for the acquisition of the proposed Services has been revoked, modified, or
has not been approved,
and where OECM cancels this RFP, OECM may do so without providing reasons, and OECM
may thereafter issue a new request for proposals, request for qualifications, sole source, or do
nothing;
(r) Discuss with any Proponent different or additional terms to those contained in this RFP or in any
Proposal;
(s) Accept any Proposal in whole or in part;
(t) If OECM receives a Proposal from a Proponent with Rates that are abnormally lower than the
Rates in other Proposals, OECM may verify with the Proponent that the Proponent satisfies the
conditions for participation and is capable of fulfilling the Master Agreement; or,
(u) Reject any or all Proposals in its absolute discretion, including where a Proponent has launched
legal proceedings against OECM and/or its Customers or is otherwise engaged in a dispute with
OECM and/or its Customers;
and these reserved rights are in addition to any other express rights or any other rights which may
be implied in the circumstances and OECM shall not be liable for any expenses, costs, losses or any
direct or indirect damages incurred or suffered by any Proponent or any third party resulting from
OECM exercising any of its express or implied rights under this RFP.
By submitting a Proposal, the Proponent authorizes the collection by OECM of the information set
out under (d) and (e) in the manner contemplated in those subparagraphs.
5.6.2 Rights of OECM – Proponent
In the event that the Preferred Proponent fails or refuses to execute the Master Agreement within
allotted time from being notified, OECM may, in its sole discretion:
(a) Extend the period for concluding the Master Agreement, provided that if substantial progress
towards executing the Master Agreement is not achieved within a reasonable period of time from
such extension, OECM may, in its sole discretion, terminate the discussions;
(b) Exclude the Preferred Proponent from further consideration and begin discussions with the next
highest scoring Proponent without becoming obligated to offer to negotiate with all Proponents;
or,
(c) Exercise any other applicable right set out in this RFP including, but not limited to, cancelling the
RFP and issuing a new RFP for the same or similar Services.
OECM may also cancel this RFP in the event the Preferred Proponent fails to obtain any of the
permits, licences, and approvals required pursuant to this RFP.
5.6.3 No Liability
The Proponent agrees that:
(a) Any action or proceeding relating to this RFP process shall be brought in any court of competent
jurisdiction in the Province of Ontario and for that purpose the Proponent irrevocably and
unconditionally attorns and submits to the jurisdiction of that Ontario court;
(b) It irrevocably waives any right to and shall not oppose any Ontario action or proceeding relating
to this RFP process on any jurisdictional basis; and,
(c) It shall not oppose the enforcement against it, in any other jurisdiction, of any judgement or order
duly obtained from an Ontario court as contemplated by this RFP.
The Proponent further agrees that if OECM commits a material breach of OECM’s obligations
pursuant to this RFP, OECM’s liability to the Proponent, and the aggregate amount of damages
recoverable against OECM for any matter relating to or arising from that material breach, whether
based upon an action or claim in contract, warranty, equity, negligence, intended conduct, or
otherwise, including any action or claim arising from the acts or omissions, negligent or otherwise, of
OECM, shall be no greater than the Proposal preparation costs that the Proponent seeking damages
from OECM can demonstrate. In no event shall OECM be liable to the Proponent for any breach of
OECM’s obligations pursuant to this RFP, which does not constitute a material breach thereof. The
Proponent acknowledges and agrees that the provisions of the Broader Public Sector Accountability
Act, 2010 shall apply notwithstanding anything contained herein.
5.6.4 Assignment
The Proponent shall not assign any of its rights or obligations hereunder during this RFP process
without the prior written consent of OECM. Any act in derogation of the foregoing shall be null and
void.
5.6.5 Entire RFP
This RFP and all Appendices form an integral part of this RFP.
5.6.6 Priority of Documents
In the event of any inconsistencies between the terms, conditions, and provisions of the main part of
the RFP and the Appendices, the RFP shall prevail over the Appendices during this RFP process.
5.6.7 Disqualification for Misrepresentation
OECM may disqualify the Proponent or rescind a Master Agreement subsequently entered if the
Proponent’s Proposal contains misrepresentations or any other inaccurate, misleading or incomplete
information.
5.6.8 References and Past Performance
The evaluation may include information provided by the Proponent’s references and may also
consider the Proponent’s past performance with OECM and/or its Customers.
5.6.9 Cancellation
OECM may cancel or amend the RFP process without liability at any time.
5.6.10 Competition Act
Under Canadian law, a Proposal must be prepared without conspiracy, collusion, or fraud. For more
information, refer to the Competition Bureau website at
http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/home, and in particular, part VI of the
Competition Act, R.S.C. 1985, c. C-34.
5.6.11 Trade Agreements
The Proponent should note that procurements coming within the scope of either Chapter 5 of the
Canadian Free Trade Agreement, Chapter 19 of the Comprehensive Economic and Trade
Agreement ("CETA") or within the scope of the Trade and Cooperation Agreement between Quebec
and Ontario are subject to such agreements, although the rights and obligations of the parties shall
be governed by the specific terms of this RFP.
For more information, refer to the following:
(a) Canadian Free Trade Agreement website at https://www.cfta-alec.ca/;
(b) Trade and Cooperation Agreement between Quebec and Ontario at https://www.cfta-
alec.ca/wp-content/uploads/2017/07/OQTCA-Consolidated-Jan-24-2017.pdf; and,
(c) Comprehensive Economic and Trade Agreement at http://www.international.gc.ca/gac-

amc/campaign-campagne/ceta-aecg/index.aspx?lang=eng.
5.6.12 Governing Law
The terms and conditions in this Part 5:
(a) Are included for greater certainty and are intended to be interpreted broadly and separately (with
no particular provision intended to limit the scope of any other provision);
(b) Are non-exhaustive (and shall not be construed as intending to limit the pre-existing rights of the
parties to engage in pre-contractual discussions in accordance with the common law governing
direct commercial negotiations); and,
(c) Are to be governed by and construed in accordance with the laws of the province or territory
within which the Customer is located and the federal laws of Canada applicable therein.
[End of Part 5]
APPENDIX A – DEFINITIONS
Definitions
Unless otherwise specified in this RFP, capitalized words and phrases have the meaning set out in Appendix B – Form
of Master Agreement attached to this RFP.
“Accredited College” means a college of applied arts and technology established under the Ontario Colleges of
Applied Arts and Technology Act, 2002 or a subsidiary of such a college;]
“Applicable Law” means any common law requirement and all applicable and enforceable statutes, regulations,
directives, policies, administrative interpretations, orders, by-laws, rules, guidelines, approvals and other legal
requirements of any government and/or regulatory authority in effect from time to time;
“Best and Final Offer” or “BAFO” means a process during the negotiation stage in which a Preferred Proponent may
be invited by OECM to submit a best and final offer on a process or section of the RFP to improve on their original
Proposal submission. BAFO cannot be requested by a Proponent;
“Broader Public Sector” or “BPS” means:
(a) Select classified, non-classified and hydro entities (referred to as Other Included Entities in the Management
Board of Cabinet Procurement Directive);
(b) The Legislative Assembly;
(c) Every municipality in Ontario as defined in the Municipal Affairs Act and the Municipal Act;
(d) Every regional municipality in Ontario as defined in the Regional Municipalities Act;
(e) The District Municipality of Muskoka as described in the District Municipality of Muskoka Act;
(f) Every local board in Ontario as defined in the Municipal Affairs Act and the Municipal Act;
(g) Every university in Ontario;
(h) Every college of applied art and technology in Ontario;
(i) Every post-secondary institution in Ontario, the enrollments of which are used to calculate annual operating grant
entitlement;
(j) Every school board in Ontario as defined in the Education Act;
(k) Every hospital listed in the Schedule to the Classification of Hospitals Regulations made under the Public
Hospitals Act; and,
(l) Every private hospital operated under the authority of a licence issued under the Private Hospitals Act including:
i. Community Health Centres; and,
ii. Community Care Access Locations;
See https://www.ontario.ca/page/broader-public-sector-accountability;
“Business Day” or “Day” means Monday to Friday between the hours of 9:00 a.m. to 5:00 p.m., except when such a
day is a public holiday, as defined in the Employment Standards Act (Ontario), or as otherwise agreed to by the parties
in writing;
“Closing Date” means the Proposal submission date and time as set out in OTP and in Section 5.1.1 and may be
amended from time to time in accordance with the terms of this RFP;
“Commercial Envelope” means an area in OTP where the Proponent would upload its completed Commercial
Response;
“Commercial Response” means the Rates the Proponent uploads to OTP within Appendix C – Commercial Response
- Amended as of May 21, 2021 as part of the Commercial Envelope;
“Confidential Information” means confidential information of OECM and/or any Customer (other than confidential
information which is disclosed to the Preferred Proponent in the normal course of the RFP) where the confidential
information is relevant to the Deliverables required by the RFP, its pricing or the RFP evaluation process, and includes
all information concerning the business or affairs of the party or its directors, governors, trustees, officers or employees
that is of a confidential nature, which information if in written or other tangible form, is clearly designated as confidential,
or if disclosed orally, is designated as confidential in a written memorandum delivered by the disclosing party promptly
following such disclosure. For the purposes of greater certainty, Confidential Information shall:
(a) Include:(i) all new information derived at any time from any such Confidential Information whether created by
OECM, the Customer, the Proponent or any third-party; (ii) all information (including Personal Information) that
OECM or the Customer is obliged, or has the discretion, not to disclose under provincial or federal legislation; and,
(iii) pricing under this RFP;
(b) not include information that: (i) is or becomes generally available to the public without fault or breach on the part
of the disclosing party of any duty of confidentiality owed by it hereunder; (ii) the disclosing party can demonstrate
to have been rightfully obtained it, without any obligation of confidence, from a third-party who had the right to
transfer or disclose it to the disclosing party free of any obligation of confidence; (iii) the disclosing party can
demonstrate to have been rightfully known to or in the possession of it at the time of disclosure, free of any
obligation of confidence when disclosed; or (iv) is independently developed by the disclosing party; but the
exclusions in this subparagraph shall in no way limit the meaning of Personal Information or the obligations
attaching thereto under the Contract or at law;
“Conflict of Interest” includes, but is not limited to, any situation or circumstance where:
(a) in relation to the RFP process, the Proponent has an unfair advantage or engages in conduct, directly or indirectly,
that may give it an unfair advantage, including, but not limited to (i) having or having access to information in the
preparation of its Proposal that is confidential to OECM and not available to other respondents; (ii) communicating
with any person with a view to influencing preferred treatment in the RFP process; or (iii) engaging in conduct that
compromises or could reasonably be seen to compromise the integrity of the open and competitive RFP process
and render that process non-competitive and unfair; or,
(b) in relation to the performance of its contractual obligations in an OECM contract, the Proponent’s other
commitments, relationships or financial interests (i) could or could reasonably be seen to exercise an improper
influence over the objective, unbiased and impartial exercise of its independent judgement; or (ii) could or could
reasonably be seen to compromise, impair or be incompatible with the effective performance of its contractual
obligations;
“Consortium” means when more than one (1) business entities (i.e. Consortium members) agree to work together
and submit one (1) Proposal to satisfy the requirements of the RFP. One (1) of the Consortium members shall identify
itself as the Proponent and assume full responsibility and liability for the work and actions of all Consortium members;
“Cost Recovery Fee” or “CRF” means a fee, which contributes to the recovery of OECM’s operating costs as a not-
for-profit/non share capital corporation, which is based on the before tax amount invoiced by the Supplier to Customers
for Deliverables acquired through OECM’s competitively sourced agreements. Once Customer-Supplier Agreements
have been executed, this fee is remitted by the Supplier to OECM on a quarterly basis;
“Customer” means an organization such as educational entities (e.g. school boards or authorities, Provincial and
Demonstration Schools Branch with the Ontario Ministry of Education, colleges, and universities, and may also include
Private Schools and Private Career Colleges), Crown corporations, First Nations federal agencies, health and social
service entities, municipalities, not-for-profit organizations, provincially funded organizations (“PFO”), shared service
organizations, utilities and local boards, any other Ontario Public Sector and Broader Public Sector agencies, boards
or commissions or similar entities not mentioned here
“Customer-Supplier Agreement” or “CSA” means a schedule attached to the Master Agreement, which is executed
between Customers and a Supplier for the provision of the Deliverables in the RFP;
“Deliverable” means all Services to be provided or performed by the Supplier, under the Master Agreement, and
includes everything that is necessary to be supplied, provided or delivered by the Supplier within scope of the resulting
Master Agreement;
“Eligible Proposal” means a Proposal that meets or exceeds the prescribed requirement, proceeding to the next
stage of evaluation;
“Master Agreement” or “Agreement” means the agreement to be made between the Preferred Proponent and OECM
based on the template attached as Appendix B – Form of Master Agreement with negotiated changes, together with all
schedules and appendices attached thereto and all other documents incorporated by reference therein, as amended
from time to time by agreement between OECM and the Supplier;
“OECM” means the Ontario Education Collaborative Marketplace;
“OECM’s Deadline for Issuing Final Addenda” means the date and time as set out in Section 5.1.1 of this RFP and
may be amended from time to time in accordance with the terms of this RFP;
“Ontario Tenders Portal” or “OTP” means the electronic tendering platform

https://ontariotenders.app.jaggaer.com/esop/nac-host/public/web/login.html through which a Proponent’s Proposal
must be submitted by the Closing Date;
“Optional Second Stage Selection Process” or “Second Stage” means a request from one (1) or more Suppliers
via a Second Stage tool (e.g. Request for Services (“RFS”), Quick Quote (“QQ”), or Customer’s process (e.g. directly
or via an online e.tendering platform) from a Customer or from OECM on behalf of a Customer, seeking Rates and
relevant Services specific to a Customer’s organization;
“PFO” means a provincially funded organization;
“Personal Information” has the same definition as in subsection 2(1) of FIPPA and in subsection 2(1) of MFIPPA,
that is, recorded information about an identifiable individual or that may identify an individual and includes all such
information obtained by the Proponent from OECM or the Customer or created by the Proponent pursuant to the RFP;
“Preferred Proponent” means the Proponent that is invited into negotiations in accordance with the evaluation
process set out in this RFP;
“Project Advisory Committee” or “PAC” means the individuals providing input into the development of this RFP, and
may also evaluate Proposals received in response to this RFP;
“Proponent” means an entity that submits a Proposal in response to this RFP and, as the context suggest, refers to
a potential Proponent;
“Proposal” means all documentation and information submitted by a Proponent in response to the RFP;
“Purchasing Card" or “P-Card” means the corporate charge cards used by the Customer, as may be changed from
time to time;
“Rates” means the maximum hourly rates or maximum net rates, in Canadian funds, for the Services as set out in the
Proponent’s submitted Appendix C - Commercial Response - Amended as of May 21, 2021;
“Request for Proposals” or “RFP” means this Request for Proposals RFP#2021-381 issued by OECM, including all
appendices and addenda thereto;
“Service” means all Services to be provided or performed by the Supplier, under the Master Agreement, and includes
everything that is necessary to be supplied, provided or delivered by the Supplier;
“Subcontractor” includes the Supplier’s subcontractors or third-party providers or their respective directors, officers,
agents, employees or independent contractors, who shall fall within the meaning of Supplier for the purposes of the
Master Agreement as mutually agreed upon by the Customer;
“Supplier” means a Preferred Proponent who has fully executed a Master Agreement with OECM and has assumed
full liability and responsibility for the provision of Deliverables pursuant to the Master Agreement either as a single
Supplier or a lead Supplier engaging other suppliers or Subcontractors;
“Technical Envelope” means an area in OTP where the Proponent would complete Technical Response;
“Technical Response” means the information, which will be evaluated and scored, the Proponent submits within OTP
as part of the Technical Envelope;
“Term” has the meaning set out in Section 4.1 of this RFP;
“Unfair Advantage” means any conduct, direct or indirect, by a Proponent that may result in gaining an unfair
advantage over other Proponents, including, but not limited to (i) possessing, or having access to, information in the
preparation of its Proposal that is confidential to OECM and which is not available to other Proponents, (ii)
communicating with any person with a view to influencing, or being conferred preferred treatment in, the RFP process,
or (iii) engaging in conduct that compromises or could be seen to compromise the integrity of the RFP process and
result in any unfairness; and,
“Zone” means the OECM geographical boundaries within the Province of Ontario as identified in Appendix D – OECM
Geographical Zones.
APPENDIX B – FORM OF MASTER AGREEMENT
This appendix is posted as a separate PDF document.
APPENDIX C – COMMERCIAL RESPONSE AMENDED AS OF MAY 21, 2021
The Proponent should complete this appendix, posted as a separate Microsoft Excel document, and upload it into OTP.
APPENDIX D – OECM GEOGRAPHICAL ZONES
OECM Customers are located in one (1) or more of the following five (5) geographical Zones in Ontario.
APPENDIX E – OECM SCHOOL BOARD, COLLEGE AND UNIVERSITY CUSTOMERS IN ONTARIO
APPENDIX F – REPORTING REQUIREMENTS
Once CSAs have been executed, the Supplier must provide the following reports to OECM for the Term. Reports shall
be submitted via email in Microsoft Excel format according to the frequency set out below.
Supplier Reporting Requirements
Reports Frequency Due Date
Integrated Reporting Template
1. Sales Report including, but not limited to:
(a) Customer’s name;

(b) Invoice number and date;
(c) Service provided (or Service Category provided);
(d) Service description;
(e) Quantity purchased;
(f) Rate;
(g) Total Rate per Service/hour;
(h) Savings (i.e. list Rate minus discount, net Rate, savings); and,
(i) Cost Recovery Fees. 8th Business
Monthly
Day
2. CSA Status Report including, but not limited to:

(a) The number of executed CSAs; and,
(b) CSAs pending execution.
3. Optional Second Stage Status Report including, but not limited to:
(a) Customer’s name;
(b) Reference number;
(c) Number of requests received and submitted;
(d) Service requirement (e.g. type, committed volume);
(e) Resulting savings; and,
(f) Status (e.g. complete, due date to return to Customer).
Performance Reporting
8th Business
1. Key Performance Indicators (“KPIs”) Report - As set out in Appendix G – Quarterly
Day following
Performance Management Scorecard. (calendar)
each quarter
2. Performance results specific to Customer’s KPIs.
Other Reports
1. Specific Customer Reports - As requested (e.g. spend, back order,

As requested As requested
delivery)
2. OECM Ad Hoc Reports - As requested and mutually agreed upon As requested As requested
Final reporting requirements will be determined during negotiations.
APPENDIX G – PERFORMANCE MANAGEMENT SCORECARD
Master Agreement performance means the Supplier aligns with OECM’s three (3) pillars of Savings, Choice and
Service, supporting the growth of the Master Agreement among Customers, and providing quality Services at
competitive Rates.
Supplier performance means the Supplier meets or exceeds the performance requirements described below and
adheres to all the other contractual requirements.
As part of OECM’s efforts to provide greater value to Customers, OECM has implemented a Supplier Recognition
Program (“SRP”). Through the SRP, OECM will objectively assess Supplier’s performance using an open, fair and
transparent framework to recognize and reward top-performing suppliers on an annual basis.
To ensure Master Agreement requirements are met, the Supplier’s performance will be measured and tracked by
OECM to ensure:
(a) On time delivery of high-quality Resources at the Master Agreement Rates or lower;
(b) Customer satisfaction;
(c) On-time Master Agreement activity reporting to OECM;
(d) On-time Cost Recovery Fee remittance; and,
(e) Continuous improvement.
Reporting, as described in Appendix F – Reporting Requirements is mandatory for the Supplier to submit as they
provide evidence and justification of adherence to the Master Agreement. Through consolidation of reporting
information, OECM provides Customers a thorough understanding of the Supplier’s performance aiding the adoption
of the Master Agreement.
By providing the reports, OECM is able to analyze and maintain the integrity of the Supplier’s performance.
Failure, by the Supplier, to provide accurate reports by the due dates set out in Appendix F – Reporting Requirements
may be deemed poor performance and will reflect on the Supplier’s Performance Management Scorecard and SRP
results.
During the Term of the Master Agreement, the Supplier shall collect and report the agreed upon results of the
performance measures as requested by OECM. The Performance Management Scorecard and other performance
indicators will be used to measure the Supplier’s performance throughout the Term of the Master Agreement, ensuring
Customers receive appropriate Services on time. The Supplier’s performance score will be considered when OECM
contemplates Master Agreement decisions such as:
(a) The approval or rejection, in whole or in part, of the Supplier’s Rate refresh requests;
(b) The approval or rejection of the Supplier’s request to add other related Resources to the Master Agreement;
(c) Master Agreement extensions; and,
(d) Master Agreement termination.
The Supplier shall maintain accurate records to facilitate the required performance management reporting requirements
related to OECM and Customer KPIs.
During the business review, OECM will review the KPIs with the Supplier. The KPIs include but are not limited to the
following:
Supplier Provided Customer Performance Measures
Key Performance Indicator Performance Measurement Performance Goal
Percentage of on-time completion

Project Management Controls
of project based on timelines
(scope, schedule, change 100% on-time completion
mutually agreed upon with the
requests)
customer
Percentage of positive customer
Customer Satisfaction 98% or greater
satisfaction level
To be mutually agreed upon with To be mutually agreed upon with
Time to resolution/remediation
the Proponent the Proponent
OECM Evaluation of Supplier’s Performances
Key Performance Indicator Performance Measurement Performance Goal
Executed CSAs received within

On time 98% of the time
30 days of execution
Integrated Reporting Template

On time 98% of the time
Remittance
Cost Recovery Fee Payment

Day of 98% of the time
Remittance
Response Time to OECM

24 Hours 98% of the time
Inquiries
Other KPIs, as mutually agreed upon between the Supplier and OECM, may be added during the Term of the Master
Agreement.
Customer may, when executing a Customer-Supplier Agreement, seek other KPIs.
Penalties and Rewards
The Supplier shall be responsible for all liquidated damages incurred by the Customers as a result of Supplier’s failure
to perform according to the Master Agreement and/or Customer-Supplier Agreement. Additional penalties for failure to
meet or rewards for exceeding the Master Agreement and/or Customer-Supplier Agreement requirements may be
mutually agreed upon between the Customer and the Supplier, at the time of Customer-Supplier Agreement execution.
Any penalty and/or reward shall be reported to OECM.
APPENDIX H – CODE OF CONDUCT
The Supplier will take every measure to comply with OECM’s Supplier Code of Conduct (“SCC”) principles set out
below and to adopt behaviours and practices that are in alignment with these principles or those of OECM’s Customers
as mutually agreed upon between the Customer and Supplier. OECM’s core values are in alignment with and
entrenched within the key principles of the SCC. The SCC applies to the Supplier’s owners, employees, agents,
partners and subcontractors who provide Services to OECM and/or Customers.
The Supplier will manage their operations according to the most stringent standards of ethical business, integrity and
equity. The Supplier must therefore:
(a) Refrain from engaging in any form of non-competitive or corrupt practice, including collusion, unethical bidding
practices, extortion, bribery and fraud;
(b) Ensure that responsible business practices are used, including ensuring that business continuity and disaster
recovery plans are developed, maintained and tested in accordance with applicable regulatory, contractual and
service level requirements, and that healthy and safe workplaces that comply with relevant health and safety laws
are provided;
(c) Ensure the protection of the confidential and personal information they receive from OECM, and only use this
information as part of their business relations with OECM;
(d) Comply with intellectual property rights relating to the Services provided to OECM and its Customers;
(e) Never place an OECM employee in a situation that could compromise his/her ethical behaviour or integrity or
create a conflict of interest;
(f) Divulge all actual and potential conflicts of interest to OECM; and,
(g) Disclose to OECM any behaviour deemed unethical on the part of an OECM employee.
Also, the Supplier shall:
(a) Comply with all foreign and domestic applicable federal/provincial/municipal laws and regulations including, but
not limited to the environment, health and safety, labour and employment, human rights and Product safety and
anti-corruption laws, trade agreements, conventions, standards, and guidelines, where the Services are provided
to OECM Customers. Fair competition is to be practised in accordance with applicable laws. All business activities
and commercial decisions that restrict competition or may be deemed to be uncompetitive are to be avoided;
(b) Not try to gain improper advantage or engage in preferential treatment with OECM employees and Customers.
The Supplier must avoid situations that may adversely influence their business relationship with OECM or can be
directly or indirectly perceived as a conflict of interest and interfere with the provision of the Services to OECM or
its Customers. The Supplier must disclose any actual or potential conflicts of interest promptly to OECM;
(c) Never offer to OECM staff bribes, payments, gifts of entertainment or any type of transactions, inducements,
services, discounts and/or benefits that may compromise or appear to compromise an OECM’s employees’ ability
to make business decisions in the best interest of OECM and its Customers. If a Supplier is unsure whether a gift
or entertainment offer to an OECM employee complies with OECM’s SCC, the Supplier should consult with the
intended recipient’s manager;
(d) Not engage in any improper conduct to gain influence or competitive advantage especially that which would put
OECM or its Customers at risk of violating anti-bribery and/or anti-corruption laws. The Supplier must ensure that
the requirements of all these applicable laws are met, and not engage in any form of corrupt practices including
extortion, fraud or bribery;
(e) Ensure that any outsourcing and/or subcontracting used to fulfill Services are identified and approved by the
Customer and monitored to ensure compliancy with contractual obligations and adherence to OECM’s SCC.
Supplier’s employees, subcontractors and other service providers must adhere to the requirements of the SCC,
which must be made available as necessary. The Supplier must also ensure that its subcontractors and other
service providers are paid properly and promptly to avoid any disruption in the provision of Services by the Supplier
to OECM or its Customers;
(f) Maintain workplace professionalism and respect for the dignity of all employees, Customers, and individuals. The
Supplier must never exercise, tolerate or condone harassment, discrimination, violence, retaliation and any other
inappropriate behaviour;
(g) Abide by applicable employment standards, labour, non-discrimination and human rights legislation. Where laws
do not prohibit discrimination, or where they allow for differential treatment, the expectation of the Supplier is to be
committed to non-discrimination principles and not to operate in an unfair manner. The Supplier must be able to
demonstrate that their workplaces operate under the following principles:
i. Child labour is not accepted;
ii. Discrimination and harassment are prohibited, including discrimination or harassment based on any
characteristic protected by law;
iii. Employees are free to raise concerns and speak up without fear of reprisal;
iv. Appropriate and reasonable background screenings, including investigations for prior criminal activity,
have been completed to ensure integrity and character of the Supplier’s employees; and,
v. Clear and uniformly applied employment standards are used that meet or exceed legal and regulatory
requirements;
(h) Provide healthy and safe workplaces for their employees. These workplaces must comply with applicable health
and safety laws, statutes and regulations to ensure a safe and healthy work environment. Employers must also
ensure that their employees are properly trained and that they have easy access to information and instructions
pertaining to health and safety practices; and,
(i) Give high priority to environmental issues and implement initiatives to foster sound environmental management
through practices that prevent pollution and preserve resources. The Supplier must conduct business in an
environmentally responsible and sustainable manner. The Supplier must comply with all applicable environmental
laws, statutes and regulations, including, but not limited to, waste disposal (proper handling of toxic and hazardous
waste), air emissions and pollution, to ensure that they meet all legal requirements and strive to prevent or mitigate
adverse effects on the environment with a long-term objective of continual improvement.
The Supplier is expected to:
(a) Abide by OECM’s SCC;
(b) Report violations of the SCC or identify any Customer requests that might constitute violations; and,
(c) Cooperate and collaborate with OECM and bring about the resolution of SCC compliance issues.
Compliance with SCC principles is a criterion that is taken into consideration in OECM’s supplier selection process and
ongoing performance and relationship management.
The practices adopted by the Supplier must be verifiable. Such verification may be conducted by way of a Supplier’s
self-evaluation and/or an audit completed by OECM at its discretion. The Supplier must provide, upon request, OECM
with documents attesting to their compliance with the SCC.
In addition, OECM may elect to visit the Suppliers' facilities if OECM so chooses. Appropriate notice will be provided to
the Supplier. Whenever a situation of non-compliance is identified, OECM will endeavor to work with the Supplier in
order to develop a corrective plan to resolve the non-compliant issues in a timely manner.
Failure to comply with OECM’s SCC may result in termination of this Master Agreement.
For more information, visit OECM’s website at https://oecm.ca/oecm-advantage/our-Supplier-partners/Supplier-code-

of-conduct.

Vapt 381 RFP

Uploaded by

Copyright:

Available Formats

Vapt 381 RFP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vapt 381 RFP

Uploaded by

Copyright:

Available Formats

VULNERABILITY ASSESSMENT AND PENETRATION TESTING SERVICES

REQUEST FOR PROPOSALS NUMBER #2021-381

Request for Proposals Issued On: May 10, 2021

Proponent’s Deadline to Submit Questions: 5:00 pm on May 18, 2021

Proponent’s Deadline to Submit Questions Related to

PART 1 – INTRODUCTION ........................................................................................................................................... 5

This RFP is issued by OECM.

1.1 Objective of this RFP

The objective of this RFP is to select qualified suppliers who:

(a) Actively promote professional and ethical practices in its operation;

(c) Provide Customers with well-defined project management support;

1.2 Project Background

1.3 Historical Spend

(a) Eleven (11) School Boards;

(b) Ten (10) other organizations;

(c) Five (5) Colleges; and,

(d) Two (2) Universities.

1.4 Project Advisory Committee

(a) Cambrian College

(b) Centennial College

(d) Education Computing Network of Ontario (ECNO)

(e) Hamilton Health Sciences

(f) Limestone District School Board; and,

(g) Mohawk College of Applied Arts and Technology.

1.5 Overview of OECM

(f) Supporting supplier partners through a Supplier Recognition Program.

1.6 Use of OECM Master Agreements

More information about OECM is available on our website - http://www.oecm.ca/.

1.7 The Ontario Broader Public Sector Procurement Directive

1.8 Trade Agreements

(b) Words in the RFP shall bear their natural meaning;

(f) The following terminology applies in the RFP:

iii. The term “will” describes a procedure that is intended to be followed.

2.1 Description of Deliverables

(a) Vulnerability Assessment Services;

2.2 Vulnerability Assessment Services

2.2.1 Vulnerability Assessment Services Reporting and Presentation

(a) Executive summary;

(b) Scope of Service;

(c) Detailed results of identified vulnerabilities;

(e) Detailed steps of immediate mitigation;

(g) Deliver presentation to Customer in person or remotely, as requested.

2.3 Penetration Testing Services

2.3.1 Key Penetration Testing Services

(b) Network penetration testing Services;

(c) Social engineering testing Services; and

(d) Web application testing Services.

2.3.2 Application Penetration Testing Services

(a) Manual probing of application interfaces;

(b) Authentication process testing;

(c) Automated fuzzing;

(d) Development of test datasets and harnesses;

(e) Encryption usage testing (e.g., applications’ use of encryption);

i. Input validation (e.g., bad or over-long characters, URLs);

ii. Transaction testing (e.g., ensuring desired application performance);

i. Input validation of login fields;

ii. Cookie security;

iii. Lockout testing; and,

(i) User session integrity testing.