8-2 Legal Requirements

The contract must address the following:

  1. All CPs must be FedRAMP certified.
  2. The CP’s headquarters must be located in the United States (or U.S. territories).
  3. The CP’s infrastructure must be located in the United States (or U.S. territories).
  4. If the CP uses other companies to provide services (i.e., subcontracted out or outsourced), the infrastructure associated with those services must be located in the United States (or U.S. territories).
  5. Postal Service data, including backups, must be physically located in the United States (or U.S. territories).
  6. Jurisdiction over contract terms must not be divided.
  7. Jurisdiction over Postal Service data must not be divided.
  8. CP subcontractors, including outsourcing providers, must comply with contract terms established between the Postal Service and the CP.
  9. Data provided by the Postal Service and their customers must be collected, processed, and transferred in accordance with the contract terms established between the Postal Service and the CP.
  10. Data sent to the CP must be returned to the Postal Service upon request, termination of the contract, or declaration of bankruptcy by the CP.
  11. Information must be provided by the CP about the jurisdictions in which data may be stored and processed, and any risks resulting from the location of those jurisdictions must be evaluated.
  12. The contract must respect Postal Service rights to any intellectual property or original works without compromising the quality of service offered.
  13. Backups must be provided as part of the service offering.
  14. The contract must delineate how costs and responsibilities will be apportioned for containing and mitigating a breach.
  15. The contract must define the procedures and payment responsibilities for notification to individuals if a breach of sensitive or sensitive-enhanced information occurs.
  16. The contract must define how the costs for credit monitoring will be apportioned.
  17. The disposition of Postal Service data and software if the provider declares bankruptcy. Postal Service data could become an asset in the bankruptcy proceedings.
    1. Procedures for the transfer of Postal Service data must be defined.
    2. The current version and all subsequent versions of the software implemented by the CP must be escrowed in the United States at the CP’s expense to protect the code in the event the CP declares bankruptcy.
  18. The disposition of Postal Service data and software if the provider is sold to or acquired by another entity.
    1. Procedures for the transfer of Postal Service data must be defined.
    2. The current version and all subsequent versions of the software implemented by the CP must be escrowed in the United States at the CP’s expense to protect the code in the event the CP is sold to or acquired by another entity.
    3. Procedures for removal of data remnants must be defined.