THIS ADDENDUM (“Addendum”) is made as of 15th April, 2020 (the “Effective Date”) (the “Licensor/Company”), for itself and “Licensee”. Each of Company and Licensee is a “Party” and jointly they are the “Parties.” Company and Licensee include their respective Affiliates.
WHEREAS the Parties have entered into one or more agreements (such agreement(s), the “Agreement”) pursuant to which Licensee provides, or may in the future provide, services (the “Services“) to or on behalf of Company or its customers and/or employees or otherwise may receive or have access to Personal Information and/or have use of or access to Company’s computer network (defined below);
AND, WHEREAS, Licensee acknowledges and agrees that it shall be subject to the privacy and data security requirements set forth below.
NOW, THEREFORE, in consideration of the mutual covenants contained herein, the Parties agree as follows.
1.1 “Affiliate” of any specified Person means and includes any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control with such specified Person. For purposes of this definition, “control,” “controlling,” and “controlled,” when used with respect to such other Person means the power to direct the management and policies of such other Person, directly or indirectly, whether through the ownership of voting securities, by contract, or otherwise.
1.2 “Authorized Party” means an employee or Affiliate of the Licensee or a Third Party engaged by Licensee who has a need to know or otherwise access Personal Information or Company’s computer network to enable Licensee to perform its obligations under this Addendum, and who is bound in writing by obligations of confidentiality sufficient to protect the Personal Information or other Company information available through Company’s computer network in accordance with the terms of this Addendum. Licensee shall, in all instances, be fully responsible and liable for any breaches of the terms of this Addendum by an Authorized Party.
1.3 “Person” means any individual, partnership, limited liability company, corporation, trust, estate, association, or any other legal or commercial entity.
1.4 “Personal Information” means information provided by or at the direction of Company, or to which access was provided in the course of Licensee’s performance of the Agreement, that (i) identifies an individual (by name, signature, address, telephone number, email address, or other unique identifier such as a user account or device); (ii) that can be used to authenticate that individual (including, without limitation, employee identification number, a government-issued identification number, passwords or PINs, user identification (such as email address or username) and account access credentials or passwords, financial account numbers, credit, debit, or gift card number, credit report information, full birth date, biometric or health data, answers to security questions, or other personal identifiers). Personal Information qualifies as “Confidential Information” under the Agreement.
1.5 “Process” means performing any operation or set of operations upon Personal Information, whether or not by automatic means, such as collection, access, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.6 “PSA Term” or “Privacy and Security Addendum Term” means the period beginning on the Effective Date and lasting until the Licensee (including its agents and employees) no longer possesses any Personal Information.
1.7 “Securely Dispose of” means burn, pulverize, or shred papers or to destroy or erase electronic files or media so that the information on such papers, files, and media cannot be read or reconstructed as per industry accepted frameworks.
1.8 “Security Incident” means (a) any act or omission that materially compromises either Personal Information or the physical, technical, administrative, or organizational safeguards put in place by Licensee (or its agents or subcontractors), or by Company should Licensee have access to Company’s systems, that relate to the protection of Personal Information, or (b) receipt of a complaint in relation to the privacy practices of Licensee or a breach or alleged breach of this Addendum. Without limiting the foregoing, “materially compromises” shall include unauthorized access to or disclosure or acquisition of Personal Information.
1.9 “Third Party” means anyone outside Licensee including without limitation subcontractors, agents, outsourcers, auditors, and Affiliates.
- OWNERSHIP AND STANDARD OF CARE
2.1 Licensee acknowledges and agrees that all Personal Information, in whatever form, is either the property of Company or is property whose use(s) Company has the right or obligation to specify, whether by contract, license or otherwise. Licensee acknowledges that it has no ownership interest in the Personal Information. In recognition of the foregoing and Licensee’s receipt of or access to Personal Information, Licensee covenants and agrees that at all times during the PSA Term:
a) Licensee will strictly maintain the confidentiality of the Personal Information, using such degree of care as is appropriate for the type of Personal Information to avoid unauthorized access, use, or disclosure;
b) Licensee will Process Personal Information solely and exclusively for the purposes for which such information, or access to it, is provided pursuant to the terms of this Addendum, and will not use, sell, rent, transfer, barter, exchange, assign, distribute, or otherwise Process or make available Personal Information for Licensee’s own purposes or for the benefit of anyone other than Company without Company’s express written consent;
c) Licensee will not, directly or indirectly, disclose Personal Information to a Third Party without express written consent from Company unless and to the extent required by law enforcement or government bodies or as otherwise to the extent expressly required by applicable law or regulations; provided, however, that in the event such information is requested by a law enforcement authority or governmental authority (or is required to be divulged by law or regulation) Licensee shall give advance notice of such disclosure requirement to Company and shall give Company a reasonable opportunity to object to and contest such disclosure, including by seeking a protective order or other appropriate remedy; and
d) To the extent Licensee discloses or makes Personal Information available to a Third Party, such Third Party must be an Authorized Party and Licensee shall remain liable to Company for the actions and omissions of the Third Party concerning the treatment of the Personal Information, in accordance with the terms herein. Licensee shall only disclose to a Third Party the minimum amount of Personal Information necessary to provide the Services to Company.
- USE OF COMPANY COMPUTER NETWORK AND INCIDENTAL ACCESS TO COMPANY INFORMATION
3.1 Licensee agrees that it may have: (a) access to Company’s computer network in performing the Services, and (b) incidental access to Company information through the computer network. Licensee will permit access to Company’s computer network only to Authorized Parties. Licensee is responsible for any unauthorized access to Company’s computer network by Licensee’s employees, Affiliates, or Third Parties.
3.2 Licensee represents, warrants and covenants that any Authorized Party who accesses Company’s computer network:
a) Does so only for the purpose of providing services to Company and not for any other purpose;
b) Will not allow or enable any other Person to access the Company computer network or Process other Company information available through the computer network;
c) Will not knowingly introduce any viruses, worms, time bombs, time locks, drop dead devices, traps, access codes, trap door devices, or any other malicious software that is designed to disrupt, disable, erase, alter, harm, or otherwise impair Company, Company information available through the computer network, or Company’s computer network;
d) Will Process Company information for the sole purpose of providing Services to Company and not for any other purpose;
e) Will maintain the confidentiality of access credentials to the Company computer network and any Confidential Information;
f) Will promptly notify Company of any actual or potential loss, disclosure, or unauthorized access of or to Licensee’s or the Authorized Party’s access credentials to the Company computer network or any Company information available through the computer network.
3.3 Licensee acknowledges that all Company Information accessible through Company’s computer network constitutes Confidential Information.
3.4 Company may terminate access and use of the computer network by Licensee and/or some or all of the Authorized Parties at any time for any reason or no reason at all.
- INFORMATION SECURITY
4.1 Licensee has implemented, or prior to receiving Personal Information will implement and maintain appropriate measures to safeguard Personal Information and comply with the Information Security Requirements (defined below). Such measures shall be designed to (i) ensure the security and confidentiality of Personal Information, (ii) protect against any anticipated threats or hazards to the security or integrity of Personal Information, and (iii) protect against unauthorized access to or use of Personal Information (including after disposal). Licensee will comply with the Information Security Requirements throughout the PSA Term.
4.2 “Information Security Requirements” include the following, as applicable:
a) Such State or Federal law, regulation, or business guidance published by applicable federal regulators, as well as other applicable international laws and/or regulations, prescribing information security standards as may be applicable to the Processing of Personal Information for Company.
4.3 If Licensee is Processing payment card information, then Licensee shall take all reasonable care in order to protect such information, and shall comply with any other similar industry standard to which Company may become bound, as may be applicable with respect to the Processing of Personal Information for Company (all collectively, “Industry Standards”), including remaining aware at all times of changes to Industry Standards and implementing such changes as necessary to remain in compliance at Licensee’s expense. No less frequently than annually, Licensee shall send Company evidence of compliance with such standards.
4.4 Without limiting the foregoing, Licensee will (at all times during the PSA Term) implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices, and will ensure that all such safeguards, including how Personal Information is Processed, comply with applicable data protection and privacy law and comply with the terms of this Addendum.
4.5 Prior to receiving any Personal Information or obtaining access to Company computer networks, Licensee shall implement and maintain a written information security program including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the PSA Term.
4.6 At a minimum, if Processing any Personal Information or accessing Company computer networks, Licensee’s information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information in; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) strictly segregating Personal Information from information of Company competitors so that both types of information are not commingled on any one system; (h) personnel security and integrity including, but not limited to, background checks consistent with applicable law; (i) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (j) conducting external and internal penetration testing and vulnerability scans and promptly implementing, at Licensee’s sole cost and expense, a corrective action plan to correct the issues that are reported as a result of the testing; and (k) limiting access to Personal Information, and providing privacy and information security training, to Licensee’s Authorized Parties.
4.7 Upon Company’s written request, Licensee will promptly identify all Authorized Parties in writing as of the date of the request. During the term of each Authorized Parties’ employment or engagement by Licensee, Licensee will at all times cause such Authorized Parties to strictly abide by its obligations under this Addendum and any Company information security policies provided to Licensee (which are hereby incorporated into this Addendum). Licensee further agrees that it will maintain a disciplinary process to address any unauthorized Processing of Personal Information by any Authorized Parties.
- DESTRUCTION AND RETURN OF PERSONAL INFORMATION
5.1 In the event Licensee disposes of Personal Information during the PSA Term, Licensee shall Securely Dispose of such Personal Information.
5.2 Upon expiration or termination of the Agreement, Licensee will stop Processing Personal Information and return or Securely Dispose of such Personal Information, as directed by Company. Licensee will contact Company (by sending an email to the Vice President or Senior Vice President overseeing the Services) to determine whether the Personal Information (regardless of how stored by Licensee) must be: (a) returned to Company; or (b) Securely Disposed of (with such method elected by Licensee or as may be required by the Information Security Requirements, as applicable). In the event that Company does not respond to such inquiry within sixty (60) days of receipt thereof, Licensee shall Securely Dispose of all such Personal Information in its possession. Notwithstanding the foregoing, Licensee may retain a copy of such Personal Information as Licensee is required to retain for its regulatory purposes (but only the Personal Information necessary for compliance and only for as long as it is so required), provided that such copy must be safeguarded by Licensee consistent with the terms of this Addendum. At such time as the Personal Information is no longer required to be maintained by Licensee for its regulatory purposes, Licensee shall Securely Dispose of said information.
- OVERSIGHT OF SECURITY COMPLIANCE
6.1 Upon Company’s request, Licensee shall grant Company, or a third party on Company’s behalf, permission to perform (at Company’s cost) an assessment, audit, examination, or review of controls in Licensee’s environment in relation to the Personal Information being Processed, Company computer networks accessed, and/or services being provided to confirm compliance with the Addendum, as well as any applicable laws, regulations, and industry standards. Licensee shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that Processes Personal Information for Company pursuant to the Addendum. Any assessment, audit, examination, or review of controls under this Section 6.1 must be preceded by reasonable prior written notice of the audit and shall be designed to assess compliance with applicable law and the Addendum obligations.
6.2 Upon Company’s request, Licensee shall promptly and accurately complete an information security questionnaire provided by Company or a third party on Company’s behalf regarding Licensee’s environment in relation to the Personal Information being Processed, Company computer networks accessed, and/or services being provided to confirm compliance with the Addendum, as well as any applicable laws, regulations, and industry standards. Licensee shall fully cooperate with such inquiry. Company shall treat the information provided by Licensee in the security questionnaire as confidential.
6.3 Upon Company’s request, Licensee shall provide Company with the results of any audit performed that assesses the effectiveness of Licensee’s information security program as relevant to the security and confidentiality of Personal Information Processed or Company computer networks accessed during the course of this Addendum.
- SECURITY NOTICE
7.1 If there is a known or suspected Security Incident at any time during the PSA Term:
a) Licensee will notify Company within seventy-two (72) hours after it becomes aware of such known or suspected Security Incident.
b) Licensee will provide Company with the name and contact information for a primary security contact within Licensee who will be available to assist Company 24 hours per day, 7 days per week as a contact in resolving obligations associated with the Security Incident. Licensee shall notify Company of any Security Incidents by e-mailing ……………………………with a read receipt with a copy to Company under the notice provisions of the Agreement.
c) Immediately following such discovery and notification to Company, the parties will coordinate with each other to investigate the Security Incident. Licensee agrees to fully cooperate with Company in Company’s handling of the matter, including without limitation any investigation, providing Company with physical access to the facilities and operations affected, facilitating interviews with Licensee’s employees and others involved in the matter, and making available all relevant records, logs, files, and data reporting or other obligations required by applicable law, regulation, standard, or as otherwise required by Company.
d) Licensee shall take immediate steps to remedy the Security Incident at Licensee’s expense, with such remedy to include actions necessary to comply with all applicable privacy and data security rights, laws, and standards. Licensee shall reimburse Company for actual costs incurred in responding to and/or mitigating damages caused by a Security Incident.
e) Except as may be expressly required by applicable law, Licensee agrees that it will not inform any third party of any Security Incident without first obtaining Company’s prior written consent, other than to inform a complainant that the matter has been forwarded to Company’s legal counsel. Further, Licensee agrees that Company shall have the sole right to determine (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or in Company’s discretion; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation. Any such notice or remediation shall be at Licensee’s sole cost and expense.
f) Licensee agrees to cooperate with Company in any litigation or other formal action against third parties deemed necessary by Company to protect its rights.
g) Licensee will promptly use its best efforts to prevent a recurrence of any such Security Incident.
- PRIVACY BY DESIGN
8.1 Licensee acknowledges and agrees that privacy and data security shall be incorporated into the design and operation of the products or Services provided to Company. Licensee acknowledges and agrees that its products or Services shall dynamically respond to changes in legal obligations, regulatory guidance, industry best practices, and known and foreseeable risks to Personal Information and Company data. At a minimum, and without limiting any express obligations under this Addendum, Licensee shall incorporate privacy and data security protections into its products, Services, and operations to protect and manage against
8.2 Section 8.1 shall apply at all times during the PSA Term.
9.1 Licensee acknowledges that all Personal Information is considered to be proprietary and of competitive value, and constitutes in many instances trade secrets. Because of the unique nature of the Personal Information, Licensee acknowledges that any breach of this Addendum by Licensee would cause Company irreparable harm and money damages, and other remedies available at law in the event of a breach would not be adequate to compensate Company for any such breach.
9.2 Accordingly, Company will be entitled, without the requirement of posting a bond or other security, to seek to obtain equitable relief, including immediate injunctive relief and specific performance, as a remedy for any such breach, and Licensee shall not oppose such relief. Such relief will be in addition to, and not in lieu of, all other remedies available at law or in equity to Company.
10.1 In the event of a conflict between this Addendum and the Agreement, the Addendum shall control.
10.2 This Addendum may be executed in one or more counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument. A PDF or emailed version of this Addendum shall be deemed an original.