Terms and Conditions for Purchase Orders

Acceptance - This purchase order is subject to the following terms and conditions and no others unless there is prior written consent of both parties.

The laws of the Commonwealth of Kentucky shall apply in all disputes.

All shipments are to be made F.O.B. Destination, freight prepaid, to receiving point at The University of Louisville, Louisville, Ky., unless otherwise indicated on this form.

The University of Louisville is exempt from Federal Excise Taxes, Kentucky Sales and Use Taxes. Do not include taxes when submitting invoices. Tax Exemption Certificates will be furnished upon request.

All vendors are subject to and must comply with all applicable State and Federal Laws to include but not limited to compliance with: Anti-Discrimination Laws & Requirements, Federal, State and Local Minimum Wage and/or Prevailing Wage Requirements including full compliance with Davis Bacon Act requirements for all work and service performed.

All items procured under this Purchase Order shall be packaged and packed best commercial pack at no additional charge to the University. Such procedure shall require the inclusion of a packaging list in each box shipped which indicates the contents thereof.

Buyer may cancel an order, in whole or in part, without liability to Buyer, if deliveries are not made at the time and in the quantities specified or in the event of a breach or failure of any of the terms or conditions hereof. Buyer may terminate an order in whole or in part at any time for its convenience, by notice to Seller in writing. On receipt by Seller of such notice, Seller shall, to the extent specified therein, stop work hereunder and the placement of subcontracts, terminate work under subcontracts outstanding hereunder, and take any necessary action to protect property in Seller's possession in which Buyer has or may acquire an interest. Any termination claim must be submitted to Buyer within Sixty (60) days after the effective date of the termination. Any cancellation or termination by Buyer, whether for default or otherwise, shall be without prejudice to any claims for damages or other rights of Buyer against Seller. Buyer shall have the right to audit all elements of any termination claim and Seller shall make available all books, records, and papers related thereto.

Risk of loss or damage to goods shall be on the Seller until such goods have been delivered to and accepted by Buyer, notwithstanding any other terms contained herein. All goods will be received by Buyer subject to its right of inspection and rejection. Buyer shall be allowed a reasonable period of time to inspect the goods and to notify Seller of any nonconformance with the terms and conditions of this order. Goods so rejected may be returned to the Seller, or held by the Buyer at Seller's risk and expense.

The Seller expressly warrants that all goods supplied hereunder shall be merchantable within the meaning of Article 2-314(2) of the Uniform Commercial Code in effect on the date of this order in the Commonwealth of Kentucky. In addition to all warranties which may be prescribed by law, the goods shall conform to specifications, drawings, and other description and shall be free from defects in materials and workmanship. Seller also warrants that to the extent the goods are not manufactured pursuant to detailed designs furnished by Buyer, they will be free from defects in design. Such warranties, including warranties prescribed by law, shall run to Buyer for a period of one year after delivery.

To the extent the goods are not manufactured in accordance with Buyer's designs, Seller shall defend, indemnify and hold harmless Buyer, Buyer's assignees, and other users of the goods from and against any claim of infringement of any Letters Patent, Trade names, Trademark, Copyright or Trade secrets by reason of sale or use of any articles purchased hereunder. Buyer shall promptly notify Seller of any such claim.

In filling this order, Seller shall warrant and guarantee to Buyer that the articles are in compliance with Sections 5 and 12 of the Federal Trade Commission Act, the Fair Packaging and Labeling Act, the Federal Food, Drug, and Cosmetic Act, the Consumer Product Safety Act of 1972, The Federal Insecticide, Fungicide and Rodenticide Act, The Federal Hazards and Substances Act, The Fair Labor Standards Act, The Wool Products Labeling Act, The Flammable Fabrics Act, The Occupational Safety and Health Act of 1970, and any applicable Act not specifically referred to herein by name.

Seller shall not assign this order or any interest herein, including any performance or any amount which may be due or may become due hereunder, without Buyer's prior written consent.

For good cause and as consideration for (executing the contract) (submitting this bid), the Contractor, through its duly authorized agent, conveys, sells, assigns, and transfers to the University of Louisville all rights, title, and interest in and to all causes of action it may now or hereafter acquire under the antitrust laws of the United States and the Commonwealth of Kentucky, relating to the particular goods or services purchased or acquired by the University of Louisville.

Vendor warrants that the goods procured hereunder are free from all liens, claims or encumbrances.


To the extent Company has access to, stores, processes, transmits, redirects1 or executes transactions with or containing Cardholder2 Data3 or Sensitive Authentication Data4, or could impact the security of the Cardholder Data technical environment, Company acknowledges its responsibility for the security of Cardholder Data or Sensitive Authentication Data it has access to, stores, processes, transmits, redirects or executes transactions with on behalf of the University of Louisville and its affiliates, and for ensuring that Company’s subcontractors/agents/representatives/affiliates ensure that security as well (the preceding hereinafter collectively referred to as “uses/using Cardholder Data”); Company represents and warrants that software and services provided or supplied by Company5 for using Cardholder Data shall be compliant with, and will maintain compliance with throughout the term of the Agreement, (1) applicable laws and regulations, (2) the standards established by the PCI Security Standards Council (PCISSC) (see https://www.pcisecuritystandards.org/security_standards/index.php) and (3) such other applicable standards/policies of the University (“laws and standards”). As such, Company will maintain compliance with the then current DSS version release within the time periods established by the PCISSC6. Company agrees to provide proof of compliance at the signing of this Agreement, by submitting a compliance document such as a PCI DSS Attestation of Compliance (AOC) or another similar compliance document certifying compliance by a third party against the current DSS version in effect, and to have aligned any mobile application, if applicable, to NIST development lifecycle guidelines, and agrees to provide updated proof of compliance reflecting changes of laws and standards occurring after this Agreement was executed.
Company shall promptly notify the University of any lapse in its obligations resulting in non-compliance issues or a security data breach under these provisions within seventy-two hours (72 hours) at http://louisville.edu/security/incident-reporting-and-response/vendor-external-party-incident-reporting/ pertaining to its operation (or that of its subcontractors/agents/representatives/affiliates, as applicable), and shall undertake immediate remediation of such incident within established timeframes and assume responsibility for informing affected individuals in accordance with applicable laws. Furthermore, Company agrees, as needed, to assist University in determining the extent and/or the nature of the loss of Cardholder Data or Sensitive Authentication Data should University need to notify individuals and/or the processor entity of such loss of Cardholder Data or Sensitive Authentication Data, and to pay all costs, including but not limited to notification, investigation, mitigation, any fines or penalties, card replacement, or brand penalties in the event of a security breach of Cardholder Data or Sensitive Authentication Data caused by the actions or inactions of Company (or that of its subcontractors/agents/representatives/affiliates, as applicable) (referred to collectively as “PCI Costs”). Company further agrees to indemnify, hold harmless and defend the University of Louisville and its affiliates and representatives from any claims, damages or other harm connected to said breach. Further, the Company hereby agrees that the University may withhold payment(s) owed to the Company for any violation of these security/reporting requirements or failure to pay PCI Costs. Company will provide proof of appropriate insurance (with UofL listed as an additional insured) to cover its obligations for compliance and/or breach under this Agreement.

University may provide one network connection to the Internet for a Company approved for connection to the University network, if applicable to the relationship. All Company equipment will be placed into a virtual LAN with no connectivity to any other network. No additional access, wired or wireless, will be granted to the University’s network for processing Cardholder Data or Sensitive Authentication Data upon the date of this Agreement or in the future. It is up to the Company to provide equipment and labor to secure and connect its virtual LAN to the one network Internet connection, and to ensure a system for disaster recovery providing continuity of its business and security of all Cardholder Data and Sensitive Authentication Data should a major disruption or failure occur. Company must abide by all network security policies of the University and its network providers. Company agrees that it will not use:

(1) a University provided network connection, or

(2) other non-cellular wireless transmission method (e.g. Bluetooth)

for transmission of any information that the University has defined as Sensitive Information unless such use has received prior written approval by University.  Any information stored (i.e. servers, backups) during the term of the Agreement must adhere to proper disposal methods per PCI standards upon termination of this Agreement.

1 E.g., sends the web user to a third party which collects or processes the Cardholder Data and associated payment information.
2 Customer/individual to whom a payment card is issued, or any individual authorized to use the payment (e.g. debit/credit) card.
3 Cardholder data minimally consists of the full Primary Account Number (PAN), the unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Cardholder data may also include the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
4 Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
5 Which includes its subcontractors/agents/representatives/affiliates by the reference to “using Cardholder Data.”
6 E.g., if at the time of agreement execution version 2 is effective but version 3 is to be implemented within one year of version 3’s being issued as a new standard, the Company is to be compliant with version 3 by one year following version 3’s release as a new standard.


To the extent Company receives Personal Information7 as defined by and in accordance with Kentucky’s Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931-934 (the “Act”), Company shall secure and protect the Personal Information (and ensure the same of its agents or subcontractors having access to the Personal Information) by, without limitation: (i) complying with all requirements applicable to non-affiliated third parties8 set forth in the Act; (ii) utilizing security and breach investigation procedures that are appropriate to the nature of the Personal Information disclosed, at least as stringent as University’s, and reasonably designed to protect the Personal Information from unauthorized access, use, modification, disclosure, manipulation, or destruction, or that meet industry standard practices for protecting Personal Information from unauthorized access, use, modification, disclosure, manipulation, or destruction; (iii) notifying University of a security breach as specified at http://louisville.edu/security/incident-reporting-and-response/vendor-external-party-incident-reporting/ relating to Personal Information in the possession of Company or its agents or subcontractors within seventy-two (72) hours of discovery of an actual or suspected breach, unless the exception set forth in KRS 61.932(2)(b)2 applies and Company abides by the requirements set forth in that exception; (iv) paying all costs of notification, investigation and mitigation in the event of a security breach of Personal Information caused by the actions or inactions of Company (“NIM Costs”); (v) cooperating with University in complying with the response, mitigation, correction, investigation and notification requirements of the Act, including undertaking a prompt and reasonable investigation of any security breach; and (vi) at University’s discretion and direction, handling all administrative functions associated with notification, investigation and mitigation, in accordance with the Act’s requirements. The Company hereby agrees that the University may withhold payment(s) owed to the Company for any violation of these identity theft prevention reporting requirements or failure to pay NIM Costs.

7 “Personal Information” is defined in accordance with KRS 61.931(6) as “an individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
a) An account, credit card number, or debit card number that, in combination with any required security code, access code or password, would permit access to an account;
b) A Social Security number;
c) A taxpayer identification number that incorporates a Social Security number;
d) A driver’s license number, state identification card number or other individual identification number issued by an agency;
e) A passport number or other identification number issued by the United States government; or
f) Individually Identifiable Information as defined in 45 C.F.R. sec. 160.103 (of the Health Insurance Portability and Accountability Act), except for education records covered by the Family Education Rights and Privacy Act, as amended, 20 U.S.C. sec. 1232g.”
8 Per KRS 61.931(5), a “non-affiliated third party” means “any person or entity that has a contract or agreement with the Commonwealth and receives (accesses, collects or maintains) personal information from the Commonwealth pursuant to the contract or agreement.”


Equal Employment Opportunity - Sub-contractors and vendors agree that, unless exempted by rules, regulations, or orders of the Secretary of Labor issued pursuant to Section 204 of Executive Order No. 11246 of September 24, 1965, as amended by Executive Order No. 11375 of October 13, 1967, during the performance of this Purchase Order they will comply with the provisions of paragraphs 1 through 7 of Section 202 of E.O. No. 11246, and as such will submit an executed "Certificate of Nonsegregated Facilities" for procurements having a dollar value of $10,000 or more. Procurements having a dollar value of $2500 or more shall adhere to the "Listing of Employment Openings" clause and "Employment of the Handicapped" clause.