The vendor is required to provide data modeling software by purchasing a new or upgraded solution to improve performance, enhance user experience, and support advanced data analytics capabilities by the end of Q2 2025 that will assist with the following high-level business objectives for employee use:
• Integration with and automation of target databases based on models;
• Collaboration between developer personas including data architects, data scientists, software developers; and
• Creation of supporting documentation for data products to support data analysts, data scientists and other users of the data.
- Operating system compatibility:
• The solution must be compatible with supported operating systems used by the board where on-premises or board cloud hosts are required.
• We support Windows Server 2022 (v2009), Ubuntu Server, or Red Hat Enterprise Linux 9.x deployments.
• Vendor-specific appliances running other Linux versions may be supported.
- Batch scheduling and workflow dependencies
• The solution must support exclusive use of Control-M for batch job scheduling and orchestration of workflows when there are dependencies on external systems/jobs.
- Database compatibility
• The solution must be compatible with SQL Server 2022, where board-hosted (either on-premises or cloud) SQL Servers are required.
• Vendor-specific SQL Server instances running other versions may be supported.
- Virtualization compatibility
• The solution must be compatible with VMware ESX 7.0 Update 3 or newer.
- Defect inventory and testing
• The vendor must maintain and communicate an up-to-date list of existing and new defects, and ensure all updates, patches and migrations are tested prior to release to the board.
- Logging and alerting
• The solution must be capable of integrating with established alerting and incident management tools and leverage existing operational and on-call support processes to ensure continuous system availability.
- POC environment lifespan
• The solution must not attempt to reuse an environment created for POC purposes; such environments are to be fully decommissioned upon completion of the POC.
• These environments are not designed for long-term use or to support production-level workloads and services.
• All resources created for POC purposes must be labelled/named as such.
- Product lifecycle
• The vendor must provide a solution roadmap/lifecycle to allow for future planning and objectives.
- Separate development and production environments
• The solution must provide or support segregated development and production environments (at minimum).
- Scalability
• The solution must be able to increase or decrease capacity to scale with the demands without service disruption.
- Latency requirements
• The solution must not introduce a significant amount of latency to the existing infrastructure or change system performance.
- Bandwidth requirements
• The solution must clearly define bandwidth requirements and response times to meet expected performance requirements.
• As well, the solution must not cause intermittent spikes in traffic usage on the network that were not documented in the requirements.
- Data and configuration migration
• The solution must provide the capability and support to migrate data and configuration from one environment to another.
- Data extract requirements
• The solution must be capable of providing a full copy of board data, on-demand, in a common and portable format.
- No configuration data in registry
• The solution must not store any system configuration data in the Windows registry.
- No credit card data
• The solution must not accept or store credit card or any other data that is covered by PCI regulations.
• Solutions that accept payments by redirecting to a non-board service are acceptable.
- Board data ownership
• The solution must ensure that the board retains exclusive ownership over all data residing on the vendor's systems and that this ownership includes all copies of the data, including backup copies.
• The vendor must not use the data for advertising or any other unauthorized secondary purpose.
- Data residency
• The solution must prioritize data residency within country.
• In the event that country data residency options are not available, data residency within the country or other countries compliant with the General Data Protection Regulation (GDPR) will be considered acceptable, in that order of preference.
• Data that resides outside of country will require approval from the board CTO.
- Security attestations
• The vendor must provide a SOC 2 (preferred) or SOC 3 report. This report will be required on a yearly basis.
• ISO 27001 certification may be considered as an acceptable alternative.
- Fault tolerance
• The solution must have fault tolerance capabilities to ensure constant service and uptime.
- Scheduled outage notifications
• The vendor must communicate scheduled outages to the board with at least 3 days' advance notice. Email notification is acceptable.
- Major release testing
• The vendor must provide the board the opportunity to test major releases and changes to integrations prior to implementation in production.
• This is optional if components are implemented on-premises, as the onus for testing updates and upgrades rests with internal staff.
- Dependency isolation and resiliency
• The solution must minimize reliance on external system availability to ensure uninterrupted functionality.
• It must achieve this by isolating dependent functionalities, ensuring that the system remains operational even in the absence of certain external systems.
- Batch jobs and report reconciliation
• The solution must be responsible for managing its own batch job or report reconciliation requirements, without requiring Control-M or similar orchestration tools.
- Referential integrity
• The solution must enforce referential integrity, via either database or business rules.
- Distinguishable environments
• The solution must be clearly distinguishable across different environments to avoid confusion for users and administrators who work in multiple environments, including board naming conventions and color coding.
- Accessibility standards
• The solution must comply with the latest version of the W3C accessibility standards, referenced in the board digital playbook - accessibility section.
- Data modeling tool cybersecurity requirements
1. Application audit logging
• The solution must provide the ability, on-demand, to audit actions that occurred in the system.
• The audit tool must be accessible through the user interface and provide the ability to filter by date, event type and user, at minimum.
2. Authorized-access-only for sensitive data
• The solution must ensure sensitive data is only available to authorized users, including vendor staff.
3. Data breach requirements
• The solution must provide notification to the board for data that is confirmed to have been breached. This notification must occur within 24 hours of discovery.
4. Data deletion requirements
• The solution must be capable of deleting board data on-demand and provide evidence of that deletion.
5. Data encryption in transit
• The solution must use TLS 1.2 or TLS 1.3 to exchange or transmit data, regardless of the protocol (i.e., HTTPS, FTP).
6. Data separation from other clients
• The solution must provide data segregation capabilities that ensure a physical (preferred) or logical separation of board data from other client data.
7. Avoid using PII or sensitive information as a primary key
• The solution must ensure that PII or other sensitive information is not used as a primary key in any database.
• Instead, a non-sensitive, unique identifier, such as a surrogate key, should be used as the primary key to maintain database integrity and security.
8. No access to internal board systems
• The solution must not establish direct connections from the internet to board internal computing services, including network, Windows Active Directory, servers or workstations.
9. No anonymous access
• The solution must not allow anonymous access or, alternatively, must be configurable to disable anonymous access.
10. No sensitive information in logs
• The solution must not, under any circumstances, store any sensitive, encrypted, PII or confidential information in any of its logs.
11. No vendor access or only time-restricted vendor access to board resources
• The vendor must not require unfettered, constant access to the board network or computing resources to support or maintain the solution. Short-term access, paired with board resources, may be granted for implementation.
12. Security advisories
• The vendor must communicate any security advisory and provide appropriate remediation solutions in a timely manner.
13. Security audit logging
• The solution must provide a dedicated security log separate from the application log.
14. Segmentation or access requirements
• The solution must take into consideration existing or new network segmentations to separate different components (web front end, application, database, internal user).
15. Separate user and admin permissions
• The solution must provide controls that permit the differentiation of administrative accounts from regular user accounts and the assignment of role-based permissions within the application or service.
16. Session termination
• The solution must be capable of automatically terminating a user session after a configurable period of time.
17. Limited access for users
• The solution must support access restrictions based on geolocation or IP address.
• Enforcement via Azure Conditional Access policies is acceptable.
18. Multi-factor authentication (MFA)
• The solution must provide multi-factor authentication (MFA) login services for all users and administrators.
19. Segmented tenant
• The solution must ensure cross-tenant access to board data is strictly prohibited for a cloud implementation.
20. Authentication via Entra ID using SSO
• The solution must allow single sign-on using Entra ID.
21. Administrator permissions not required
• The solution must not require administrator privileges on the client workstation for operation.
22. Database audit logging
• The solution must support SQL Server audit logging.
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: April 11, 2025