UNIVERSITY OF LOUISVILLE
CONTRACT ADMINISTRATION AND PROCUREMENT SERVICES
LOUISVILLE, KY 40292
PERSONAL SERVICE CONTRACT
REQUEST FOR PROPOSAL
1. January 25, 2019
2. NAME OF DEPARTMENT: College of Business
CONTACT PERSON: Ryan Quinn
3. Service: Design and development firm to provide concept testing, design, prototyping, and development for a software
application designed to facilitate and accelerate leadership development. The application would be used and sold to
instructors and learners throughout the world by the University of Louisville’s Project on Ethical Leadership Excellence.
4. Due Date:
February 12, 2019
5. Time Due:
6. Email: firstname.lastname@example.org
Proposals should be sent to the department by the following method:
7. E-mail only to: email@example.com
THE BOTTOM PORTION OF THIS FORM IS TO BE COMPLETED BY THE VENDOR AND SUBMITTED
Equal Employment Opportunity – All parties must be in compliance with executive order 11246 of September 24, 1965 as amended by
executive order 11375 of October 13, 1967.
STATEMENT OF NON-COLLUSION AND NON-CONFLICT OF INTEREST
I hereby swear (or affirm) under penalty for false swearing as provided by KRS 523.040:
1. That attached Request For Proposal has been submitted without collusion with , and without any agreement, understanding or planned
common course of action with, any other vendor of materials, supplies, equipment or services described in the Request For Quotation
designed to limit independent competition.
2. That the proposer is legally entitled to enter into the contract with the University of Louisville, an agency of the Commonwealth of
Kentucky, and is not in violation of any prohibited conflict of interest, including those prohibited by the provisions of KRS 45A.325,
to 45A.340, 45A.990 and 164.990 and 164.821 (7).
3. That I have fully informed myself regarding the accuracy of the statements made above.
In submitting this quotation, it is expressly agreed that upon proper acceptance by the University of Louisville, of any or all items bid, a
contract shall thereby be created with respect to the services accepted.
REQUEST FOR PROPOSAL COMPONENTS
1) Scope of Services:
Vendor will meet with representatives from the Project for Ethical Leadership Excellence to create a shared
understanding of objectives for the software application to achieve. Vendor will create a graphic mock-up of the
leadership development application, identify potential users from different market segments, and collect
feedback on both the product idea and market interest. Vendor will research possible competitors for similar
products. Based on data collection, vendor will brainstorm ideas for improving or adapting the original product
idea to make it maximally successful in the marketplace. Vender will then present the data and ideas to
representatives from the Project for Ethical Leadership Excellence, and representatives from the Project will
then decide whether and how to proceed.
If the design and development process continues, Vendor will iteratively create prototypes and test them with
users until they are ready to build the product. Vendor will involve representatives of the Project in this process.
When the design is complete, representatives of the Project may again choose to terminate the project or
continue to the next phase.
If we continue the process, Vendor will build the application. Vendor and representatives will also decide
whether, how much, and at what cost the maintenance and support of the application and the hosting of the data
will occur. If hosting, maintenance, and support is needed, a new contract will be developed at that point.
2) Informational Background:
The Project on Ethical Leadership Excellence is a new initiative in the College of Business at the University of
Louisville. We seek to increase ethical leadership throughout the world by developing and distributing instructional
tools, designing programs for leadership development, conducting research, and offering rewards and honors. We
aim to be the largest aggregator of learning and teaching tools, and also to develop the most cutting edge tools
and programs ourselves.
3) Required Proposal Submittals:
a. Provide your cost structure and detailed billing information for market assessment, design, and
development services. Payment will be upon receipt of deliverables/services, not in advance.
b. Provide evidence of
Proficiency in using the Lean UX process, including a history of conducting user interviews,
building prototypes, and conducting usability tests with prototypes,
In-house designers, developers, and product managers who have had success working together to
build solutions, and
Being able to come on site, and, ideally, being located within the Greater Louisville Region
c. Provide a timeframe for completion of project. The desired start date is March 1, 2019, but may need to
be adjusted based on contract processing. Desired completion dates for each stage are April 15, May 30,
and September 30, 2019.
4) Included in this RFP is a Third Party Vendor/Cloud Computing Assessment and Guidance Document
which needs to be completed and submitted with the other submittals stated above.
5) Method of Award:
a. Overall pricing structure – 20%
b. Proficiency in Lean UX process – 20%
c. In-house team with experience – 20%
d. Being able to work in person when needed – 20%
e. Proposed timeframe for completion – 20%
6) Contract Period:
Desired contract start date is March 1, 2019. No services are to be provided prior to the start date indicated on
the fully executed Personal Services Contract (sample provided). The full project completion date of September
All questions regarding this RFP are due by Thursday, January 31, 2019 at noon Eastern Daylight Time and are
to be emailed to firstname.lastname@example.org. Answers to questions will be issued as an addendum and posted to
the website location of the RFP by February 4, 2019.
8) PCI Compliance: The selected vendor will be required to comply with the following and submit a
response to the Yes/No question below:
To the extent Second Party has access to, stores, processes, transmits, redirects10 or executes transactions with
or containing Cardholder11 Data12 or Sensitive Authentication Data13 or could impact the security of the
Cardholder Data technical environment, Second Party acknowledges its responsibility for the security of
Cardholder Data or Sensitive Authentication Data it has access to, stores, processes, transmits, redirects or
executes transactions on behalf of the University of Louisville and its affiliates and ensuring that Second
Party’s subcontractors/agents/representatives/affiliates ensures that security as well (the preceding hereinafter
collectively referred to as “uses/using Cardholder Data”)); Second Party represents and warrants that software,
hardware, and services provided, supplied, or used by Second Party14 for using Cardholder Data shall be
compliant with and will maintain compliance with throughout the term of the Agreement the then-current
version of the following laws and standards, each as updated from time to time by the responsible entity: (1)
applicable laws and regulations, (2) the standards established by the PCI Security Standards Council (PCISSC)
(see https://www.pcisecuritystandards.org/security_standards/index.php) and (3) such other applicable
standards/policies of the University of Louisville (“laws and standards”). Second Party agrees to provide proof
of compliance at the signing of this Agreement, by submitting a compliance document such as a PCI DSS
Attestation of Compliance (AOC) or another similar compliance document certifying compliance by a third
party against the current DSS version in effect and have aligned any mobile application, if applicable, to NIST
development lifecycle guidelines and agrees to provide an updated proof of compliance of such compliance
resulting from changes of laws and standards occurring after this Agreement was executed. Second Party shall
promptly notify the First Party of any lapse in its obligations resulting in non-compliance issues or security data
breach of these provisions within seventy-two hours (72 hours) at http://louisville.edu/security/incident-
reporting-and- response/vendor-external-party-incident-reporting/ pertaining to their operation (or that of their
subcontractors/agents/ representatives/affiliates as applicable) and shall undertake immediate remediation of
such incident within established timeframes and assume responsibility for informing such individuals in
accordance with applicable laws. Furthermore Second Party agrees, as needed, to assist First Party in
determining the extent and/or the nature of the loss of Cardholder Data or Sensitive Authentication Data should
First Party need to notify individuals and/or the processor entity of such loss of Cardholder Data or Sensitive
Authentication Data and paying all costs, including but not limited to, notification, investigation, mitigation,
any fines or penalties, or card replacement, brand penalties in the event of a security breach of Cardholder Data
or Sensitive Authentication Data caused by the actions or inactions of Second Party (or that of their
subcontractors/agents/representatives/affiliates as applicable) (referred to collectively as “PCI Costs”). Second
Party further agrees to indemnify, hold harmless and defend the University of Louisville and its affiliates and
representatives from any claims damages or other harm connected to said breach. Further the Second Party
hereby agrees that the First Party may withhold payment(s) owed to the Second Party for any violation of these
security/reporting requirements or failure to pay PCI Costs. Second Party will provide proof of appropriate
insurance (with UofL listed as an additional insured) to cover its obligations for compliance and/or breach
under this Agreement.
Unless the box above is checked NO, Second Party shall be the merchant of record for all transactions
associated with this Agreement, solely bears all responsibility for such transactions as is normally borne by the
merchant of record, and hereby represents and warrants that it shall fully comply with all such responsibilities.
If the box above is checked YES, First Party may provide one network connection to the Internet for a Second
Party approved for connection to the University of Louisville network, if applicable to the relationship. All
Second Party equipment will be placed into a virtual LAN with no connectivity to any other network. No
additional access, wired or wireless, will be granted to the University’s network for processing Cardholder Data
or Sensitive Authentication Data upon the date of this Agreement or in the future. It is up to the Second Party
to provide equipment and labor to secure and connect their virtual LAN to the one network Internet connection
and ensure a system for disaster recovery providing continuity of its business and security of all Cardholder
Data and Sensitive Authentication Data should a major disruption or failure occur. Second Party must abide by
all network security policies of the University and its network providers. Second Party agrees that it will not
(1) a University provided network connection, or
(2) other non-cellular wireless transmission method (e.g. Bluetooth)
for transmission of any information that the University has defined as Sensitive Information unless such use has
received prior written approval by First Party. Any information stored (i.e. servers, backups) during the term of
the Agreement must adhere to proper disposal methods per PCI standards upon termination of this Agreement.
Second Party further agrees to indemnify, hold harmless and defend the University of Louisville and its
affiliates and representatives from any claims damages or other harm connected to any breach of the warranties
or representations set forth in the PCI Compliance section above.
10 E.g. Sends the web user to a third party which collects or processes the Cardholder Data and associated payment
11 Customer/individual to whom a payment card is issued to or any individual authorized to use the payment (e.g. debit/credit)
12 Cardholder data minimally consists of the full Primary Account Number (PAN) – the unique payment card number
(typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Cardholder data may also
include the full PAN plus any of the following: cardholder name, expiration date and/or service code See Sensitive
Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment
13 Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic
stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card
14 Which includes its subcontractors/agents/representative/affiliates by the reference to “using Cardholder Data.”
9) Reciprocal References:
In accordance with KRS 45A.490 to 45A.494, a resident Offeror of the Commonwealth of Kentucky shall be
given a preference against a nonresident Offeror. In evaluating proposals, the University will apply a reciprocal
preference against an Offeror submitting a proposal from a state that grants residency preference equal to the
preference given by the state of the nonresident Offeror. Residency and nonresidency shall be defined in
accordance with KRS 45A.494(2) and 45A.494(3), respectively. Any Offeror claiming Kentucky residency
status shall submit with its proposal a notarized affidavit affirming that it meets the criteria as set forth in the
above referenced statute. Forms can be found at: http://louisville.edu/purchasing/forms.
10) Contracts with Foreign (Out-of-State Corporations):
Pursuant to KRS 271B.15-010, any Out-of-State corporate contractor must be properly registered with the
Kentucky Secretary of State, before transacting any business within the state of Kentucky. The statute states
“(a) foreign corporation…shall not transact business in this state until it obtains a certificate of authority from
the Secretary of State.”. The application form and instructions are found at http://www.sos.ky.gov/bus/business-