Information Security Terms
Last updated 15 June 2023
1. Introduction
These Information Security Terms (“IST”) set forth Supplier’s commitments with respect to Supplier’s compliance with applicable Data Protection Laws and Supplier’s administrative, technical and physical safeguards designed to protect the Personal Information it Processes on Customer’s behalf.
The IST is incorporated into the Agreement pursuant to the General Terms and Conditions. Except where the context requires otherwise, capitalized words used in the IST shall have the meaning given to them in the General Terms and Conditions or elsewhere in the Agreement and the rules of interpretation in the General Terms and Conditions shall apply.
2. Scope
The security of data and information that is accessed, stored, shared, or otherwise Processed via the Services is a shared responsibility between Supplier and Customer. Supplier is responsible for the implementation and operation of an ISM Program and the protective measures that are described in the IST. Customer is responsible for properly implementing such access and use controls and configuring such features and functionalities of the Services as Customer may elect in order to use the Services in a manner that Customer deems adequate to maintain appropriate security, protection, deletion and backup of Customer Data.
The IST applies specifically to Customer Data Processed via the Services and does not extend to data held on Customer’s systems or environments.
3. Customer data
Customer Data forms a part of the data that is maintained by or on behalf of Supplier in accordance with Supplier’s ISM Program.
Any transfer, extraction, or recovery of Customer Data pursuant to this Section 3 is conducted entirely at Customer’s own risk, and Supplier is not liable – whether in contract or in tort, for breach of statutory duties, misrepresentation, deliberate, willful or intentional conduct or breaches, or otherwise – if any action on the Customer Data, including extraction, provision, deletion, destruction or anonymization, that is undertaken in accordance with Applicable Laws and the Agreement results in loss of, corruption of, or loss of availability to Customer Data.
Customer Data may be disclosed by Supplier and used by Supplier, its Affiliates and their authorized representatives in accordance with and as permitted under the IST, the General Terms and Conditions, and the Agreement. Customer undertakes to enable such disclosure and use to occur, including by providing all necessary notices and obtaining all necessary consents.
4. Personal Information
Each party may Process Personal Information of the other party’s personnel, and the manner in which such Personal Information may be Processed by Supplier can be found in Supplier’s privacy notice, which is publicly available on its website.
The provision of the Services is predicated on each party materially complying with applicable Data Protection Laws.
Customer:
- Undertakes to ensure that Customer Personal Information it provides to Supplier – or that Supplier otherwise obtains in the course of providing Services – shall at all times be collected and Processed in accordance with Data Protection Laws, and may be Processed by Supplier in accordance with and as permitted under the IST and the Agreement;
- Represents and warrants that it has satisfied itself that:
  - Supplier’s Processing operations are suitable for the purposes for which Customer proposes to use the Services; and
  - Supplier has sufficient expertise, reliability and resources to implement technical and organizational measures that meet the requirements of the Data Protection Laws and the terms of the IST and the Agreement;
- Agrees that it is responsible for taking all necessary actions to order, enable and use the features of the Services which are designed to assist compliance with applicable Data Protection Laws, to the extent such features are available as part of the Services, and accepts responsibility for its failure to take such actions;
- Shall not perform any of its obligations under this Section 4 in such a way as to cause Supplier to breach any of its applicable obligations under the Data Protection Laws; and
- Will inform Supplier of any Data Subject Rights request made that Supplier must assist with under the CCPA and will provide the information necessary for Supplier to assist with the request.
Supplier shall Process Customer Personal Information in accordance with the IST and the Agreement and as necessary to deliver the Services.
Supplier shall reasonably assist Customer, at Customer’s request and cost:
- To fulfil Customer’s obligations under the Data Protection Laws, including to respond to Data Subjects exercising their Data Subject Rights (to the extent that the relevant Customer Personal Information is not accessible to Customer or the Data Subjects through the Services);
- To respond to the requirements of relevant regulatory organizations; and
- To inform Customer of any communication addressed to Customer from a third party in respect of Customer Personal Information.
Customer agrees that for the purpose of providing the Services, Supplier may provide access to, transfer and disclose Customer Personal Information to a third party including Supplier’s Affiliates or Sub-contractors within or outside of the United States.
Where the Processing of Customer Personal Information is subject to the CCPA:
- Customer (or a Customer Affiliate) (as Business) has appointed Supplier (as Service Provider) and disclosed Customer Personal Information to Supplier for a Business Purpose pursuant to the IST or the Agreement and for Supplier to Process on Customer or Customer Affiliate’s behalf in compliance with the CCPA.
- The Parties acknowledge and agree that disclosure of Customer Personal Information to Supplier (or a Supplier Affiliate) shall not constitute a Sale of Customer Personal Information to Supplier (or to a Supplier Affiliate).
- Supplier shall:
  - Process (and shall ensure that any Sub-contractor Processes) Personal Information only for the following Business Purposes: providing access to, monitoring, and supporting the Services identified in the relevant Order Form under the Agreement.
  - Not: Sell or Share Customer Personal Information; or retain, use, or disclose Customer Personal Information outside of the direct business relationship between Supplier and Customer, such as by combining or updating Customer Personal Information with Personal Information that it receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject. Consistent with the above, Supplier may use Personal Information as reasonably necessary to detect a Security Breach and to protect against fraudulent or illegal activity.
  - Maintain on its publicly available website a list of Sub-contractors that it has engaged in connection with the provision of the Services, it being understood that Supplier’s agreements with such Sub-contractors shall include data protection terms that are compliant with the CCPA and are no less protective than those set out in the IST, and that Supplier shall be liable for the compliance of such Sub-contractors with the CCPA and the IST.
  - Notify Customer within five (5) Business Days after Supplier determines that Supplier can no longer meet its obligations under the CCPA or the IST. Pursuant to such notice to Customer under this Section, Customer shall be permitted to take appropriate steps with Supplier to ensure that Supplier uses Customer Personal Information in a manner that is consistent with Customer’s obligations under the CCPA, and to remediate unauthorized use of Customer Personal Information.
- Supplier shall be permitted to Process Customer Personal Information in order to improve the Services.
5. Information security management
Supplier maintains a written information security management program that includes appropriate administrative, physical and technical measures to protect the confidentiality, integrity, and availability of the Processing of Customer Personal Information through the Services, including protection of Customer Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure (“ISM Program”). Supplier may update or modify the ISM Program from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Supplier conducts reasonable and appropriate background investigations on personnel in accordance with Applicable Laws prior to them Processing Customer Personal Information on behalf of Customer. Supplier conducts periodic training to inform personnel on procedures and policies relevant to the ISM Program. Supplier has adopted and implemented written policies reasonably designed to have personnel Process Customer Personal Information only in a manner permitted or required by the IST or the Agreement and for no other purpose. Supplier provides access to Customer Personal Information to personnel who are reasonably required to know that information in order to perform their job duties or to enable Supplier to comply with Applicable Laws. Supplier ensures that personnel who are required to access Customer Personal Information are subject to confidentiality obligations in respect thereof. Supplier requires Sub-contractors to maintain adequate administrative, physical, and technical safeguards based on risk tiers appropriate to subcontracted services that support Supplier’s compliance with the requirements of the IST and the Agreement, and to maintain disaster recovery and business continuity plans. Supplier ensures that Sub-contractors accessing Customer Personal Information are subject to confidentiality obligations with respect to such Customer Personal Information.
Supplier ensures the security of its facilities, networks and devices that store or enable access to Customer Personal Information in order to seek to prevent unauthorized access or use by implementing such safeguards as: having access controls at facilities that process Customer Personal Information; securely transporting and disposing physical media that contain Customer Personal Information; and having controls that are designed to protect against environmental hazards (e.g., water or fire damage).
Supplier has implemented technical safeguards that include encrypting Customer Personal Information while in transit and at rest, using industry standard encryption controls; logically separating Customer Personal Information from other customers’ records, including when stored on backup media; monitoring systems for attacks, intrusions, exfiltration, unauthorized access, or transmissions; prohibiting any connection to Customer’s network that allows cross-network access between Customer’s network and other networks; and limiting access to any Customer Personal Information by verifying the identity of those with access, providing unique user IDs, making available the use of strong passwords and multifactor authentication for users who have access to Customer Personal Information (“Authentication Credentials”). Supplier does not allow more than one user to have the same Authentication Credentials and encrypts passwords stored by it in line with industry standards.
6. Business continuity and disaster recovery
Supplier maintains a Business Continuity and Disaster Recovery Policy (“Continuity Policy”) that it periodically reviews for suitability, adequacy and efficacy.
7. Security incident response and reporting
Supplier maintains an Incident Management and Response Policy that it periodically reviews for suitability, adequacy and efficacy, which is managed by trained security professionals.
Supplier notifies Customers in the event Supplier becomes aware of any Security Breach and takes reasonable steps to address the Security Breach. A Security Breach does not include unsuccessful attempts, everyday security alerts, or other events that do not materially compromise the security or availability of Customer Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. Supplier’s notification of a Security Breach under this Section is not an acknowledgement by Supplier of any fault or liability for such Security Breach.
Supplier has implemented reasonable measures to mitigate the cause of any Security Breach and undertakes reasonable corrective measures to prevent the same Security Breach from occurring in the future. As information is collected or otherwise becomes available to Supplier and unless prohibited by Applicable Laws, Supplier undertakes to provide information regarding the nature and consequences of the Security Breach that are reasonably requested to allow Customers to notify affected individuals, government agencies and/or credit bureaus. Where Supplier may not have access to or know the nature of the information that is contained within Customer Personal Information, it may not be possible for Supplier to provide Customer with a description of the type of information or the identity of individuals who may be affected by a Security Breach. Customer is solely responsible for determining whether to notify impacted individuals, providing such notice, and determining if regulatory organizations or enforcement commissions applicable to Customer or Customer’s use of the Services need to be notified of a Security Breach.
In the event there is a security breach of Customer Systems or another security risk to Supplier, Supplier’s Affiliates or Supplier Resources that could reasonably impose liability on Supplier or its Affiliates resulting from any Customer System or the actions of Customer or Authorized User (“Customer Security Incident”), Supplier may immediately suspend access to and use of the Services without liability to Customer until such Customer Security Incident has been reasonably mitigated, provided that Supplier will use reasonable efforts to promptly notify Customer of and mitigate such Customer Security Incident. Customer will promptly notify Supplier if it becomes aware of any Customer Security Incident and reasonably cooperate with Supplier in mitigating and responding to such Customer Security Incident.
8. Definitions
In the IST the following expressions have these meanings:
- CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., as amended including by the California Privacy Rights Act of 2020, and their implementing regulations.
- Business, Business Purpose, Commercial Purpose, Sell, Selling, Sale, Sold, Sensitive Personal Information, Service Provider, and Share, Shared, or Sharing have the meaning given to them in the CCPA.
- Customer Data means all data that: is provided by Customer or an Authorized User to Supplier; is otherwise uploaded by Customer or an Authorized User or hosted on any part of the Services; and is information about or results from Customer or an Authorized User’s use of the Services, excluding Supplier Resources.
- Customer Personal Information means the Personal Information made available to Supplier by Customer or any Customer Affiliate, or otherwise obtained by Supplier pursuant to the Agreement which Supplier Processes in the course of providing the Services or for other legitimate business purposes.
- Data Protection Laws means the data protection and privacy legislation in force from time to time which are applicable to Supplier, Customer or the provision of the Services, including the CCPA.
- Data Protection Regulator means an independent public authority which is responsible for monitoring and enforcing the Data Protection Laws.
- Data Subject means an identified or identifiable natural person.
- Data Subject Rights means all rights granted to Data Subjects by Data Protection Laws, including the right to know, access, correct, delete, opt-out and limit the use and disclosure of Sensitive Personal Information.
- ISM Program has the meaning set forth in Section 5.
- Personal Information means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular Data Subject or household and includes “Personal Information” as defined in the Data Protection Laws.
- Processing means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means, and “Processed”, “Processes” and “Process” shall each be construed accordingly.
- Security Breach means a breach of security leading to the unauthorized disclosure of or access to Customer Personal Information that Supplier Processes on Customer’s behalf in the course of providing the Services.
- Sub-contractor means an entity to whom its obligations are subcontracted as permitted in accordance with the IST and the Agreement (including the Processing of Personal Information) and “Sub-contract” and “Sub-contracting” shall each be construed accordingly.