Systems and Data Access Addendum
This Systems & Data Access Addendum (“Addendum”) is incorporated into and made a part of the Privacy & Security Agreement (“Agreement”), entered by and between Customer and Vendor (as such terms are defined in the Agreement). Each of Customer and Vendor may be referred to hereunder as a “Party” and collectively as the “Parties.” For clarity, references to “Agreement” herein include this Addendum.
WHEREAS, in connection with rendering Services under the Agreement, Vendor may Process Customer Data (as defined below) or, in some cases, may be permitted access to Customer Systems or Customer Facilities (each, as defined below) solely for the purpose of rendering Services in connection with the Separation Purpose, subject to the terms and conditions of the Agreement.
NOW THEREFORE, in consideration of the foregoing premises, the mutual promises set forth in the Agreement and herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Definitions. The following terms shall have the meanings as set forth below. All capitalized terms not otherwise defined in this Addendum shall have the meaning set forth in the Agreement.
1.1 “Applicable Privacy and Data Security Laws” means all laws, regulations, legal obligations, and other requirements, each as updated from time to time and as applicable to Customer, Vendor, or the Processing hereunder, in the United States or internationally, that limit, restrict or otherwise govern the collection, use, disclosure, security, storage, protection, disclosure, and Processing of data or Personal Information, including, as the case may be and without limitation, EU Data Protection Law, UK Data Protection Law, Swiss Data Protection Law, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy and Online Monitoring Act, and other U.S. state data privacy laws.
1.2 “Controller to Processor Transfer Clauses” means the Standard Contractual Clauses for the transfer of personal data to third countries approved by the European Commission Decision 2021/914 of 4 June 2021.
1.3 “Customer Data” means any information Processed by Vendor in connection with the Services, including, without limitation, Personal Information and Confidential Information (as defined in the NDA) of Customer (as defined in the Agreement).
1.4 “Customer Facilities” means facilities, buildings and other physical locations which are owned, controlled or administered by or on behalf of Customer or a third party on behalf of Customer, including, without limitation, any facilities, buildings or locations in which Customer Systems are located.
1.5 “Customer Systems” means information system resources which are owned, controlled or administered by or on behalf of Customer or a third party on behalf of Customer, including without limitation, file system, device, equipment, server, website, application, network, infrastructure, computer systems, workstations, hardware, software, and databases.
1.6 “Data Subject” means the particular identified or identifiable individual that Personal Information identifies, relates to, describes, or to whom it is capable of being associated and, in the event the Personal Information is governed by the CCPA, includes households as well as individuals.
1.7 “European Data Protection Law” means EU Data Protection Law and UK Data Protection Law.
1.8 “EU Data Protection Law” means the GDPR, the Switzerland Federal Data Protection Act of 19 June 1992 (as revised by the Swiss Federal Parliament’s implementing decision dated 25 September, 2020), and any applicable European Union, European Union member state or Switzerland law, regulation, or ordinance relating to data protection or the privacy of individuals (including, without limitation, the privacy of electronic communications)
1.9 “Incident” means the attempted, successful, or suspected unauthorized Processing of Customer Data or any unauthorized access to, interference with, or disruption of Customer Systems or any information systems used by Vendor for performance of Services or Processing of Customer Data. Minor unsuccessful attempts to breach security, including pings and other broadcast attacks on Customer Systems or Vendor’s firewall, port scans, unsuccessful log-on attempts, unsuccessful phishing attempts, denials of service and any combination of the above, so long as such incidents do not result in unauthorized access, use or disclosure of Customer Data, shall not be deemed Incidents.
1.10 “Personal Information” means any information (a) that directly or indirectly identifies, or when used in combination with other information may identify, relates to, describes, or is capable of being associated with an individual, household or device; (b) is otherwise defined as personal data or other similar term for individually identifiable information under Applicable Privacy and Data Security Laws; or (c) is associated with or linked to any other Personal Information. Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files.
1.11 “Process” (or derivatives thereof, such as “Processing”) means any operation or set of operations which is performed, whether or not by automatic means, such as collection, viewing, accessing, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking or dispersed erasure or destruction.
1.12 “Services” has the meaning set forth in the Agreement and includes all acts and omissions of Vendor in furtherance of the Separation Purpose (as such term is defined in the Agreement).
1.13 “Swiss Data Protection Law” means the Swiss Federal Data Protection Act of 1992 (“FADP”), as amended by the revised Swiss Federal Act on Data Protection of 25 September 2020 (“Revised FADP”).
1.14 “UK Data Protection Law” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and UK Data Protection Act 2018; “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2. Data Processing, Access, and Restrictions.
2.1 Restrictions on Use of Customer Data and Customer Systems. Customer Data and Customer Systems are the Confidential Information of Customer. Unless otherwise provided by Customer in writing, Vendor shall Process Customer Data and Customer Systems only: (a) for the benefit of Customer; (b) in accordance with all provisions of this Addendum and any relevant provisions of the Agreement; (c) to the minimum extent necessary to perform the Services in accordance with the Agreement; and (d) and in accordance with Customer’s documented instructions; provided that if Vendor is legally required by Applicable Privacy and Data Security Laws to Process Personal Information other than as instructed by Customer, Vendor shall notify the Customer before such Processing occurs, unless the Applicable Privacy and Data Security Law requiring such Processing prohibits Vendor from doing so on an important ground of public interest, in which case Vendor will notify Customer as soon as that law permits Vendor to do so. Vendor shall not use, sell, rent, share, transfer, distribute, or otherwise disclose or make available Customer Data or Customer Systems for any other purpose. If Processing of Customer Data or Customer Systems is required by law, Vendor shall inform Customer in writing of the legal requirement before such Processing unless prohibited by such law. Vendor shall not Process Customer Data for marketing purposes, and shall not sell, aggregate, re-identify, analyze, use for servicing any customer other than Customer, or otherwise use or share Customer Data unless required by the Agreement to perform the Services. Vendor shall either return or destroy any Customer Data not necessary for the performance of the Services in accordance with industry best practices, including, but not limited to, any historical or latent data retained by Vendor, except as required under applicable law. A violation of this Section 2.1 shall be considered a material breach of the Agreement.
2.2 Authorized Processing. Where Personal Information is transferred from one Party to another, the Parties shall Process the Personal Information in accordance with any additional provisions that are required by Applicable Privacy and Data Security Laws related to the transfer where the Party that is the recipient of the transfer acts as a Processor of that Personal Information.
2.3 Employees and Third Parties. Unless compelled by government authority pursuant to a subpoena or legal document of similar force, Vendor shall not disclose, transmit, or make available Customer Data or access to Customer Systems to third parties (including subcontractors), unless such disclosure, transmission, or access has been explicitly authorized by Customer in writing and then only if the third party also certifies in writing to be bound by the terms of this Addendum. Without limiting the foregoing, Vendor shall make Customer Data and Customer Systems available only to its employees or third parties who need to access Customer Data and Customer Systems, and shall limit such access to the minimum necessary, in order to perform the Services. Vendor shall inform its employees and third parties having access to Customer Data and Customer Systems of the confidentiality and security requirements set out in the Agreement. Vendor’s employees and third parties may handle Customer Data and Customer Systems only if they are bound by legally enforceable confidentiality obligations in writing consistent with the terms of the Agreement, and are qualified and trained to protect Customer Data and Customer Systems. Vendor is solely responsible for, and shall remain liable to, Customer for the actions and omissions of all employees and third parties to whom Vendor provides access, concerning the treatment of Customer Data and Customer Systems (including subcontractors and data sub-processors), as if they were Vendor’s own actions or omissions. Upon Customer’s written request, Vendor shall promptly provide Customer with a complete and up-to-date list of any third parties with which it has previously or currently grants access to, transmits or otherwise discloses Customer Data. Customer also retains the option to object to third party processors retained by the Vendor.
2.4 Return and Destruction. Upon Customer’s request or upon termination of the Agreement, Vendor shall deliver to Customer in a mutually agreed format and transfer mechanism, or, at Customer’s option, shall have an officer of Vendor certify the destruction of (which destruction shall be in accordance with industry best practices), all Customer Data, and terminate access to all Customer Systems, including all memoranda, notes, records, reports, media, and other documents, and all copies thereof, regarding or including Customer Data or Customer Systems, which Vendor may then possess or have under its control. Without limiting the foregoing, in the event of termination, Customer Data required to be retained by law shall remain subject to the applicable confidentiality, privacy, and security provisions of the Agreement.
2.5 Customer Data Accessibility and Location. Vendor shall ensure that Customer has uninterrupted electronic access to all Customer Data at all times during the term of the Agreement. Unless previously authorized by Customer in writing, all work performed by or on behalf of Vendor related to the Agreement shall be performed in the locations specified in the Agreement. Vendor shall not and shall not permit any third party to (a) transfer Customer Data to any location outside of such locations, (b) access Customer Data or Customer Systems from outside of such locations, or (c) engage personnel outside of such locations for any Services.
2.6 Data Subject Rights. Vendor shall promptly, and in any event within seventy-two (72) hours of receipt, notify Customer of any requests to Vendor by Data Subjects to exercise data subject rights under Applicable Privacy and Data Security Laws with respect to Customer Data. At no additional charge to Customer, Vendor will cooperate in the Processing of any valid data subject rights requests in a timely manner.
2.7 Service Provider / Processor. Vendor agrees that it shall act solely as a “Service Provider” as that term is defined under the CCPA and a “Processor” as that term is defined under European Data Protection Law and other Applicable Privacy and Data Security Laws, unless agreed to in writing under the Agreement or a statement of work thereunder, and Vendor shall not take any action that would result in Vendor not acting as a Service Provider under the CCPA or Processor under such laws. Vendor agrees to comply with the CCPA and other Applicable Privacy and Data Security Laws and their respective regulations, including without limitation all requirements imposed by such laws and regulations on processors and service providers.
2.8 Access to Customer Facilities and Customer Systems. In the event that representatives of Vendor (each a “Vendor Representative”) require access to Customer Systems and/or Customer Facilities in connection with the provision of the Services, Vendor agrees that each proposed Vendor Representative with that access shall have a strict business need to access Customer Systems and/or Customer Facilities. Vendor shall provide the names, titles and responsibilities of each Vendor Representative for whom Vendor requests access to Customer Systems or Customer Facilities for Customer’s prior approval. Vendor acknowledges that Customer shall have sole discretion to designate those of Customer Systems and Customer Facilities to which the Vendor Representative will have access. Vendor shall require and cause each Vendor Representative to comply with all policies and procedures adopted by Customer relating to access or use of Customer Systems and/or Customer Facilities and to access Customer Systems and Customer Facilities only as minimally necessary to perform the Services. Vendor shall not, and shall take all actions necessary to cause Vendor Representatives to not, take any action or inaction that would create any vulnerability in, or otherwise negatively affect, the security or operation of Customer Systems and Customer Facilities. Upon completion of performing the Services or termination of the Agreement, Vendor shall ensure that any access to Customer Systems and/or Customer Facilities by any Vendor Representative shall be immediately and irrevocably terminated. Vendor shall immediately notify Customer in the event the Vendor knows or suspects, or has any reasonable basis to know or suspect, that Vendor or a Vendor Representative has breached Vendor’s obligations under this section. Vendor shall not and shall cause each Vendor Representative not to violate or attempt to violate the security of Customer Systems, or any third party network, system, server, website, application or account using Customer Data or Customer Systems.
3. Information Security.
3.1 Information Security Program. Vendor shall implement and maintain a comprehensive information security program that meets best industry standards and complies with Applicable Privacy and Data Security Laws to protect Customer Data against accidental, unauthorized or unlawful Processing and shall have documented those measures in a written information security program. Without limiting the foregoing, such safeguards shall conform, at a minimum, to the International Organization for Standardization’s 27000 standards, NIST 800-53, the Control Objectives for Information and related Technology (COBIT), CIS Top 20, and HITRUST.
3.2 Minimum Safeguards. Without limitation to the generality of the foregoing subsection 3.1, Vendor represents, warrants and covenants that it shall, and has adopted and implemented, and shall continue to maintain, physical, administrative and technical safeguards and other security measures to: (i) maintain the security, integrity, availability, and confidentiality of Customer Data and protect it from threats or hazards to its security and integrity, as well as accidental loss, alteration, disclosure and all other unlawful and unauthorized forms of Processing; (ii) prevent, detect, contain, recover, remediate and respond to Incidents; (iii) enforce the use of secure authentication protocols and devices consistent with best industry standards on any of Vendor’s systems that protect, defend, secure or Process Customer Data, including, without limitation, through the requiring of multi-factor authentication for every system or network that protects, defends, secures or Processes Customer Data that is accessible from the public Internet, and the use of industry-standard password complexity requirements or password complexity auditing; (iv) enforce secure access control measures consistent with current leading industry standards for access to logical and physical resources on any of Vendor’s systems that protect, defend, secure or Process Customer Data; (v) require the use of then-current best industry standard encryption for all storage and transmission of Customer Data at a minimum of 256-bit encryption; (vi) include industry standard intrusion detection and prevention tools; (vii) apply all security-related patches and updates promptly; (viii) when necessary or appropriate, pseudonymize Personal Information; and (ix) include automated security measures, including but not limited to current leading industry standard auditing systems, firewalls, and endpoint protection software capable of detecting and mitigating threats from viruses, spyware, and other malicious code on any of Vendor’s systems that protect, defend, secure or Process Customer Data or access Customer Systems and all deliverables sent to Customer. Vendor’s safeguards for the protection of Customer Data shall also include strictly segregating Customer Data from information of Vendor or its other customers so that Customer Data is not commingled with any other information. Vendor shall conduct penetration testing and vulnerability scans and promptly implement, at Vendor’s sole cost and expense, a corrective action plan to correct the issues that are reported as a result of the testing. In any event, such issues must be corrected within fifteen (15) days of identification.
3.3 PCI DSS. To the extent Vendor has access to or will collect, access, use, store, process, dispose of or disclose credit, debit or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including but not limited to the following:
(a) Being responsible for the security of all Cardholder Data that it processes, transmits, or stores in connection with providing the Services. “Cardholder Data” means all credit card account numbers, cardholder names, service codes, expiration data, full magnetic stripe data, CAV2/CVC2/CVV2/CID information, and PIN/PIN Block information.
(b) Vendor represents and warrants that, as of the Effective Date, it has complied with all applicable requirements of the current version of the PCI DSS, and it has performed the necessary steps to validate its compliance under the PCI DSS. Vendor shall also meet any additional industry standards with respect to the credit card information it processes, transmits, or stores in connection with providing the Services.
(c) On the Effective Date, and annually thereafter, Vendor shall give Customer (i) written evidence of Vendor’s most recent PCI DSS Attestation of Compliance (AOC), signed by a qualified security assessor (QSA) where required, and (ii) written confirmation that Vendor is in full compliance with all applicable requirements of the then-current version of the PCI DSS.
(d) Vendor shall give Customer immediate written notice if Vendor learns that it is no longer PCI DSS compliant, along with a list of steps Vendor will take to obtain compliance.
3.4 Data Hosting. If Vendor has been engaged specifically to host Customer Data (whether itself or via a third-party service), Vendor shall ensure that:
(a) such hosting complies with the AICPA’s Statement on Standards for Attestation Engagements No. 18 (“SSAE No. 18”), that an annual “SOC2” audit of the applicable datacenter’s compliance with SSAE No. 18 is conducted by an independent third party at least once every twelve (12) months, and that all reports generated from such audits are provided to Customer upon request;
(b) Customer Data is hosted in a datacenter physically located in the U.S. unless expressly permitted otherwise, and Vendor shall not move Customer Data across national borders without Customer’s prior written consent;
(c) all Customer Data shall be deemed to remain solely in the possession, custody, and control of Customer for all purposes, and shall not be modified by Vendor in any way unless explicitly approved in writing by Customer;
(d) all Customer Data is stored in industry-standard encrypted format; and
(e) it complies fully with any litigation hold request issued by Customer, including by initiating a timely, comprehensive, and effective litigation hold immediately upon receipt of the request from Customer (which shall include, but not be limited to, suspending any auto-delete functionality or routine deletion of backup tapes).
4. Oversight of Privacy and Security Compliance.
4.1 Audit. Upon Customer’s reasonable advance written request, Vendor shall submit its systems and/or data processing facilities involved in providing the Services for assessment or audit of privacy and/or security compliance, which shall be carried out by Customer (or by an independent inspection company designated by Customer, which has signed Vendor’s standard confidentiality agreement covering Vendor’s services and data processing facilities). Vendor also agrees, if requested, to certify its compliance with this Addendum in writing within fifteen (15) business days.
4.2 Vendor Audits and Records. Vendor shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity and ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Vendor hereby represents, warrants, and covenants that: (a) Vendor shall undergo annual (or more frequent) audits of Vendor’s systems, facilities, policies, practices, controls and practices conducted by an independent third party auditor (“Vendor Audit”) and that audit shall include in its scope all systems and facilities that Vendor uses to protect, secure, defend or Process Customer Data and all of Vendor’s practices, controls, policies and procedures relating to the protection, security, defense or Processing of Customer Data; (b) the Vendor Audits shall include, at a minimum, annual penetration testing and risk assessments, and quarterly vulnerability scans; and (c) Vendor shall provide Customer with the results of the most recent such Vendor Audits prior to the Effective Date of this Addendum and each subsequent Vendor Audit within fifteen (15) days of completion of that audit (including whether that audit revealed any material vulnerability in
Vendor’s systems, facilities, policies, practices, controls or practices). Upon Customer’s written request, Vendor shall provide Customer with the results of any audit performed by or on behalf of Vendor that assesses Vendor’s privacy and/or information security program as it relates to Customer Data or Customer Systems.
4.3 Vulnerability Management. The Vendor agrees to perform regular vulnerability scanning of its network and application (where applicable) and resolve identified vulnerabilities commensurate with assessed risk as outlined below. Vendor also agrees to perform penetration testing of its environment and application on at least an annual basis. Evidence that vulnerability scans and annual penetration tests have occurred shall be provided at a summary level to Customer upon request. At a minimum, any vulnerabilities identified as critical or high risk by a Common Vulnerability Scoring System (“CVSS”) score must be resolved within fifteen (15) days of identification. Refer to Section 4.6 Remediation for further guidance.
4.4 Hardware. If Vendor supplies hardware or equipment as part of the Agreement, Vendor shall be responsible for ensuring that any software or operating system updates or patches related to such hardware or equipment, are maintained at a level conducive to preventing the introduction of security vulnerabilities into Customer Systems. Where the need for such updates or patches is discovered, either by the Vendor or by Customer, Vendor agrees to facilitate and provide said updates or patches as part of this Addendum.
4.5 Software Development. If the Vendor’s Services involve the provision of software to Customer, Vendor warrants that identified vulnerabilities or flaws in the software have either been resolved and/or disclosed to Customer prior to installation on Customer Systems. Vendor agrees that its software development and coding standards align to best industry security standards and shall provide evidence of such methodology upon request.
4.6 Remediation. If during any audit, inspection, or other assessment, any material privacy or security vulnerability is discovered, Vendor shall notify Customer in writing of such vulnerabilities and remediate those vulnerabilities promptly and within fifteen (15) days of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time not to exceed sixty (60) days. If any vulnerability cannot be remedied, and such vulnerability directly impacts Customer Data or Customer Systems, Vendor shall immediately notify Customer and the parties shall work together to determine appropriate solutions.
4.7 Costs. Vendor and Customer shall each bear their own costs associated with such assessments or audits. However, if Services are found to be non-compliant, Vendor shall pay the expenses associated with such audit. Customer shall not disclose any information learned by Customer in the course of performing any such inspection or examination except as may be reasonably necessary for Customer to comply with obligations relating to the protection of Customer Data or Customer Systems or as required by law.
5. No License or Rights Transferred. Any access provided to Vendor under this Addendum is limited to Customer Data and Customer Systems expressly authorized by Customer, and unless otherwise expressly provided by Customer, Customer is not granting Vendor a license to use software programs contained within Customer Systems. Vendor shall not attempt to reverse engineer or otherwise obtain copies of any such software programs. No right, title, license or interest in or to any of Customer Data or Customer System, other than the express licenses hereunder, are provided to Vendor or any other person or entity.
6. Incident Response Procedures.
6.1 Notification. Vendor shall notify Customer in writing as soon as practicable, but in any event no later than within twenty-four (24) hours of any Incident which results in, or which Vendor reasonably believes may result in, unauthorized access to, modification of, disclosure of, compromise of, or other Processing of Customer Data or Customer Systems. The notification to Customer shall include, to the extent known by Vendor, and shall be supplemented on an ongoing basis: (i) the general circumstances and extent of any unauthorized Processing of Customer Data or intrusion into systems that are used by Vendor to protect or Process Customer Data; (ii) the types and volume of Customer Data that were involved; (iii) Vendor’s plans for corrective actions to respond to the Incident; (iv) the identities of all individuals whose Personal Information was or may have been affected; and (v) any other related information requested by Customer.
6.2 Investigation. Immediately following Vendor’s notification to Customer of an Incident, the Parties shall coordinate with each other to investigate the Incident. Vendor agrees to reasonably cooperate with Customer in Customer’s handling of the matter, including, without limitation, promptly: (a) assisting with any investigation; (b) providing Customer with access to the facilities, systems, and operations affected; (c) facilitating interviews with Vendor’s employees and others involved in the matter; and (d) making available all relevant records, logs, files, data reporting and other materials, including but not limited to forensic reports, required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Customer. Upon Customer’s request, Vendor shall provide in-depth supplementary reports regarding its investigation of the Incident and results of findings.
6.3 Containment and Remediation. Vendor shall at its own expense take necessary steps to immediately contain and remedy any Incident and prevent any further Incident, including, but not limited to, taking any and all action necessary to comply with Applicable Privacy and Data Security Laws.
6.4 Notifications. Vendor agrees that it shall not inform any third party of any Incident without first obtaining Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to Customer’s legal counsel or to make public announcements required by law that do not name Customer. Further, Vendor agrees that Customer shall have the sole right to determine: (a) whether notice of the Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Customer’s discretion, and whether Vendor shall provide notice to Data Subjects whose Personal Information was affected; and (b) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
6.5 Preservation of Records. Vendor agrees to maintain and preserve all documents, records and other data related to the Incident. Vendor agrees to reasonably cooperate with Customer in any litigation, investigation or other action deemed reasonably necessary by Customer to protect its rights relating to the use, disclosure, protection and maintenance of Customer Data or Customer Systems.
6.6 Equitable Relief. Vendor acknowledges that any breach of its covenants or obligations set forth in this Addendum may cause Customer irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Customer is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which Customer may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in this Addendum.
6.7 Costs. In addition to any indemnification obligations outlined in the Agreement and in Section 12 below, Vendor shall pay for all costs and expenses reasonably incurred by Customer as a result of a Incident, including but not limited to, the administrative cost of opening and closing accounts, notices, print and mailing costs, call center services, forensics services, costs associated with investigating and responding to investigations and inquiries related to the Incident from federal and state regulatory authorities and others, and the costs to obtain two (2) years of credit monitoring services and identity theft insurance for the subjects of any Personal Information that has or may have been compromised in the Incident. The remedies set forth herein shall be in addition to any other remedies available to Customer at law or in equity, including but not limited to Vendor’s indemnification obligations set forth elsewhere in the Agreement.
7. Compliance with Laws. Vendor shall comply with all laws and regulations relating to the confidentiality, integrity, availability, or security of Customer Data and Customer Systems applicable to Vendor’s obligations under the Agreement, including but not limited to Applicable Privacy and Data Security Laws. Vendor shall promptly make available to Customer all reasonable information and assistance requested by Customer for its compliance with such laws, including but not limited to reasonably assisting Vendor in responding to requests, inquiries, complaints, demands, and notices from Data Subjects, supervisory authorities, and other third parties, and demonstrating Customer’s compliance with such laws. If Vendor receives a request or demand from any party for information regarding Customer Data or any provision in this Addendum, Vendor shall provide Customer a copy of the request immediately, and in no event more than twenty-four (24) hours after receiving the request, subject to applicable law, and inform the requester that some or all of the information sought is the subject of a nondisclosure agreement with Customer. Vendor shall enter into all additional terms required by any such Applicable Privacy and Data Security Laws upon request by Customer.
8. International Transfers of Personal Information. If in the performance of the Services, Customer transfers Personal Information to Vendor in, or Vendor otherwise accesses Personal Information from, a jurisdiction other than the jurisdiction of the Data Subject’s residence, the parties acknowledge that steps must be taken to ensure that such data transfers comply with Applicable Privacy and Data Security Laws.
8.1 Roles of the Parties. Customer shall be considered the “Data Transferor” and the “Data Exporter” under Applicable Privacy and Data Security Laws. Vendor shall be considered the “Data Transferee,” “Data Recipient,” and the “Data Importer” under Applicable Privacy and Data Security Laws.
8.2 EU Data Transfers. The Parties agree that the applicable Module of the Standard Contractual Clauses for the Transfer of Personal Data to Third Parties issued by the European Commission on 4 June 2021 apply to transfers of Personal Information, with the following modifications:
(a) Unless otherwise agreed to in writing by the parties, Controller to Processor Transfer Clauses Module 2 shall apply between Customer (as the Controller) and Vendor (as the Processor). All references to Annex I.A. shall refer to Exhibit 1 of this Addendum. All references to Annex I.B. shall refer to Exhibit 1 of this Addendum. All references to Annex II shall refer to Exhibit 2 to this Addendum. All references to Annex III are references the written subprocessor list provided by Vendor to Customer, if applicable.
(b) Clause 7 (Docking) is hereby included. Clause 9 (Use of sub-processors), subsection (a), Option 1 (Specific Prior Written Authorization) is chosen, and the time period is thirty (30) days. The optional language in Clause 11(a) (Redress) is hereby included. The supervisory authority in Clause 13(a) (Supervision) shall be the Autorité de protection des données, Belgique. The governing law in Clause 17 (Governing Law) shall be the laws of Belgium. The forum in Clause 18 shall be the courts of Belgium.
8.3 UK Data Transfers. For transfers of Personal Information where Customer is located in the United Kingdom, or UK Data Protection Law applies to the Personal Information, the Controller to Processor Transfer Clauses Module 2 (as amended in Section 8.2 above) apply to the transfers of Personal Information, except that they shall be further amended as follows:
(a) The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022, issued by the UK Information Commissioner’s Office (the “Approved Addendum”), is hereby appended to the applicable Module of the Controller to Processor Transfer Clauses Module 2 described in Section 8.2 above, as though such addendum were more fully set forth herein. For the avoidance of doubt, Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, is incorporated into this Addendum by reference, as it may be further revised under Section 18 of the Approved Addendum.
(b) The Table Information of the Approved Addendum is as follows. The Start Date is the Effective Date of this Addendum. Customer is the Data Exporter, and Customer’s information is provided in Exhibit 1 to this Addendum. Vendor is the Data Importer, and Vendor’s information is provided in Exhibit 1 to this Addendum. The Approved Addendum is appended to the version of the Approved EU SCCs described in/amended by Section 8.2 above. Annex 1A (List of Parties) is set forth in Exhibit 1 to this Addendum. Annex 1B (Description of Transfer) is set forth in Exhibit 1 to this Addendum. Annex II (Technical and Organizational Measures) is set forth in Exhibit 2 to this Addendum. Annex III (List of sub-processors) has been separately provided by Vendor to Customer in writing, if applicable.
8.4 Swiss Data Transfers. For transfers of Personal Information where Customer is located in Switzerland, or any Swiss Data Protection Law applies to the Personal Information, the Controller to Processor Transfer Clauses Module 2 (as amended in Section 8.2 above) apply to the transfers of Personal Information, except that they shall be further amended as follows:
(a) All references to GDPR or EU data protection regulations in the Controller to Processor Transfer Clauses shall be construed as references to: (i) for matters related to data transfers before
December 31, 2022, the FADP, and (ii) from January 1, 2023 onwards, Revised FADP. Until December 31, 2022, these clauses shall also protect the data of legal entities in the scope of FADP.
(b) For transfers subject to FADP or Revised FADP (as applicable), the competent supervisory authority under Clause 13 of the SCCs shall instead be the Federal Data Protection and Information Commissioner of Switzerland. For Swiss data subjects, the governing law under Clause 17 of the SCCs shall either be Swiss law or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfer pursuant to the FADP. For the purposes of these Clauses, the term ‘member state’ shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
8.5 Additional Transfer Clauses. Any amending or superseding clause approved for the same purpose as the Controller to Processor Transfer Clauses by the relevant data protection supervisory authority is hereby deemed effective, unless another adequacy mechanism for the transfer is in place. Vendor agrees to enter into such other instruments as reasonably requested by Customer for the transfer of Personal Information as required by Applicable Privacy and Data Security Laws.
9. Conflicts; Amendments. To the extent any provision of this Addendum conflicts with (as opposed to supplements) any provision of the Agreement, the provision of this Addendum shall control. All terms and conditions of the Agreement not modified by this Addendum shall remain unchanged and in full force and effect. Where Vendor has entered into separate agreements governing its use of Customer Data under Applicable Privacy and Data Security Laws, the terms of such separate agreement shall control to the extent there is a conflict with the provisions of this Addendum, except the terms of this Addendum will control to the extent they are more protective of the privacy or security of Customer Data than such other agreement. This Addendum may only be modified by a written agreement executed by Vendor and Customer. Notwithstanding anything herein to the contrary, Customer may amend this Addendum by providing thirty (30) days advance written notice of such amendment if Customer reasonably determines that such amendment is necessary for Customer to comply with HIPAA or any other Applicable Privacy and Data Security Laws pertaining to Customer Data.
10. Insurance. Without limiting any of the obligations or liabilities of Vendor, Vendor shall carry and maintain, at its own expense including any applicable deductibles or retentions, as long as respective applicable statute(s) of limitation or repose are in effect relating to the specific purposes of this Agreement, a policy of Cyber Liability insurance with limits of not less than $10 million for each occurrence and an annual aggregate of $10 million. At a minimum this insurance covers claims involving privacy violations, information theft, damage to or destruction of electronic information, intentional and/or unintentional release of private information, alteration of electronic information, extortion and network security, data restoration, event response and network interruption. Vendor shall name Customer as an additional insured under such Cyber Insurance policy.
11. Noncompliance. Vendor shall promptly (and within 5 days) notify Customer in writing if Vendor believes Vendor or any third party performing the Services cannot (or will not in the future be able to) comply with its obligations under this Addendum. In such case, Vendor shall use its best efforts to remedy the situation. Customer may, in its sole discretion and without penalty of any kind to Customer, suspend the transfer or disclosure of Customer Data or access to Customer Systems to Vendor or its third party, or terminate the Agreement if necessary to comply with its legal obligations, Applicable Privacy and Data Security Laws, or if requested by a regulator or other governmental body. Vendor agrees to assist Customer in taking steps to stop and remediate the Vendor’s, or its sub-processor’s, unauthorized use of Personal Information.
12. Failure to Comply. Vendor shall defend (or at Customer’s election, reimburse Customer for defense costs, including legal and other fees) indemnify, and hold harmless Customer from and against all losses, costs, expenses, damages and liabilities resulting from, arising out of, or related to the failure of Vendor, or third parties to whom Vendor has made Customer Data or Customer Systems available, to comply with the terms of in this Addendum or related to any Incident. Notwithstanding the foregoing, Customer expressly reserves the sole right, at Customer’s option, to control the defense and/or settlement of any third-party claims, actions, investigations, enforcement proceedings or assertions by non-affiliated third parties (including government third parties) against Customer in connection with this Agreement (a “Claim”) and, if applicable, in addition to Vendor’s other obligations under this Agreement, Vendor agrees to assist Customer, at Vendor’s expense, in the defense of any such Claim. Vendor shall not settle any Claim without the prior written consent of Customer. Claims by Customer under this Section 12 or in Section 6.7 shall not be subject to any limitation of liability in the Agreement.
13. Ongoing Obligation. At all times while Customer Data is in the care, custody or control of Vendor or third parties to whom Vendor has made available Customer Data, Vendor agrees to comply with all of the provisions of this Addendum and shall ensure that Customer Data is used and disclosed only in furtherance of the purposes of the Agreement.
Exhibit 1 to Systems & Data Access Addendum
A. LIST OF PARTIES
Data exporter(s):
Name: Laboratory Corporation of America Holdings acting on behalf of itself and its subsidiaries
Address: 531 South Spring St., Burlington, NC 27215
Contact Person for this Addendum
Global Data Privacy Office
Contact details: GlobalDataPrivacy@labcorp.com with a copy to GDPRContracting@labcorp.com
Activities relevant to the data transferred under these Clauses: Customer is a global life sciences company that Processes Personal Data in its role as Data Controller. Activities relevant to the transfer include the provision of products and Services by Data Importer to Data Exporter pursuant to the Agreement (as defined in the main body of the Addendum to which this Exhibit 1 is attached).
Role: Controller
Data importer(s):
Name: Set forth in the Agreement.
Corporate Registration Number: Set forth in the Agreement.
Address: Set forth in the Agreement.
Contact Person for this Addendum:
Name: Set forth in the Agreement.
Position: Set forth in the Agreement.
Contact details: Set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: Activities relevant to the transfer include the provision of products and Services by Data Importer to Data Exporter pursuant to the Agreement (as defined in the main body of the Addendum to which this Exhibit 1 is attached).
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects (current or former) whose personal data is transferred may include: Data Exporter’s employees and their beneficiaries, dependents, or family members, contractors, temporary or casual workers, directors or officers, job candidates or applicants, clinical staff of institutions, clinics, or research hospitals, health care or medical practitioners, clinical trial investigators, customer, client, or sponsor employees, agents, advisers, consultants, or vendor employees, patients, volunteers or participants in clinical research trials, next of kin of volunteers or participants in clinical research trials, minors, and/or website users.
Categories of personal data transferred may include: Personal identifiers (e.g., name, initials, date of birth, nationality/citizenship, marital status); government identification number (e.g., SSN, passport, driver’s license, national identification); demographics (e.g., age, gender, location, place of birth); contact data (e.g., address, phone number, email); employment data (e.g., employee ID, benefits, performance history, CV, work history, job title, office location, work permits); education data (e.g., academic history, professional qualifications); financial data (e.g., salary, bank account, Tax/VAT No., credit/debit card number, account balance); internet protocol (IP) address, mobile device ID, cookie data, login credentials, logging history; and/or social media (e.g. account, history, contact).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Sensitive data may include: medical data and ethnicity/race relating to subjects participating in clinical trials; data relating to potential adverse and safety events arising from the use of products by subjects involved in clinical trials; race/ethnicity; sexual orientation or sex life; health information (e.g., medical history, physiological condition, lab test results); genetic data; biometric data (photograph, facial recognition, fingerprints, iris scans); trade union membership; political, religious or philosophical beliefs; and/or criminal history, criminal record, or driving citations.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the term of the Agreement and during the provision of Services.
Nature of the processing: The types of processing activities required for Vendor to provide the applicable products or services to Customer pursuant to the Agreement (as defined in the main body of the Addendum to which this Exhibit 1 is attached).
Purpose(s) of the data transfer and further processing: For the purpose of Vendor’s provision the applicable products or services to Customer, as further described in the Agreement (as defined in the main body of the Addendum to which this Exhibit 1 is attached).
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: During the term of the Agreement, and, if Vendor is required to retain personal data following termination of the Agreement in order to comply with applicable law or because the personal data has become permanently embedded in Vendor’s electronic storage systems, for so long as such personal data is retained. All such retained personal data shall remain subject to all provisions of this Addendum for so long as it is retained.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See Exhibit 2 to the Addendum below.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Autorité de protection des données, Belgique.
Exhibit 2 to Systems & Data Access Addendum
In addition to the minimum safeguards described in the main body of the Addendum to which this Exhibit 2 is attached, Data Importer shall implement the following technical and organisational measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
A. TECHNICAL SECURITY MEASURES
1. Data Storage Site Security. The sites where the data exporter’s data is stored, including data centres, offices, and off-site storage facilities, will have appropriate physical security controls. Data center spaces are continually monitored by on-site security teams and remotely by data center staff using recording webcams trained at all ingress/egress locations and numerous internal and external viewpoints, and have controls in place to restrict and monitor physical access, requiring either multifactor or biometric authentication to enter.
2. Network Security. The networks on which the data exporter’s data will be transmitted will be protected from unauthorized access or infiltration, either internally or externally. The measures that will be taken to ensure this will include: (i) running periodic external and internal vulnerability scanning and informing the relevant data exporter of any issues arising; (ii) maintaining perimeter defences such as firewalls, intrusion prevention / detection systems and data loss prevention solution. Firewalls and related network security devices are hardened to meet standards-based industry best practices, and maintained in a change-controlled state to ensure that only minimum ports are opened for communications; (iii) maintaining internal defences such as security information event management to analyse log files to identify anomalous behaviour and other threats, as well as network segmentation coupled with IP packet-level traffic monitoring; and (iv) inventory and change-control of network security devices within a configuration management database, including periodic discovery and confirmation of hardware devices.
3. Platform Security. The technology on which the data exporter’s data is stored, including servers, workstations and laptops, cloud service and other portable media will be protected from known threats by: (i) ensuring anti-virus or anti-malware systems are implemented and kept current for all operating systems; (ii) ensuring server and endpoint operating systems have secure configurations to meet standards-based industry best practices, and maintained in a change-controlled state; (iii) ensuring vendor recommended security patches for both applications and operating systems are applied in a timely period, encrypting laptop hard drives and portable media; (iv) ensuring risk assessments are performed on cloud providers using industry accepted methodologies such as Cloud Security Alliance or equivalent. SSAE16, ISO 27001 or other independent reports provide assurance on security controls and must be assessed when available; (v) ensuring mobile device management software is used to administer security controls on corporate supplied and bring your own devices; (vi) user endpoints (workstations, laptops, mobile devices) are encrypted, and data backups are encrypted in transit and in storage at the secondary data center; (vii) new systems are required to consider encryption of data at rest where appropriate (AES 256, SHA 2 standard) (viii) key legacy systems have either already been retrofitted for encryption at rest, or are in progress for retrofit; (ix) storage subsystems are architecturally segregated from the application layer in the vast majority of systems; (x) clinical and diagnostics applications are designed and tested to ensure appropriate application technical controls to protect data. Clinical (GxP) systems are validated for intended use to comply with 21 CFR Part 11 and predicate FDA rules and analogous global regulations; validation affords an extra layer of assurance of security controls, including the protection and audit trail of sensitive data; (xi) use of GxP Periodic Review procedures to verify that clinical systems are maintained in a validated state over their lifespan; (xii) a secure software development lifecycle and supporting processes, that require a security architecture review and vulnerability scanning to verify secure coding practices for web applications (OWASP Top 10); (xiii) host-based and application vulnerability scanning that require scheduled and/or pre-release testing to identify vulnerabilities; (xiv) vulnerabilities must be remediated within a procedurally defined time period based on criticality; and (xv) patch management practices to ensure firmware/OS/DB patches are applied in a timely manner; timeframes procedurally defined based on patch criticality.
4. Data Confidentiality. The confidentiality of the data exporter’s data will be maintained by protecting such data wherever it is stored, and whenever it is transmitted. These processes and procedures include: (i) maintaining separate databases for different types of data, and limiting access to each database to those who may have a business need for such access; (ii) the use of industry accepted strong encryption and pseudonymization; (iii) the secure disposal of paper, equipment, media and data; (iv) the security of data in transmission by means of encryption; (v) segregation of environments (e.g., production/test/development environments are controlled and maintained separately; production data is not permitted in lower environments; code migration responsibilities are isolated to preserve change control).
5. Data Access. The data exporter’s data will be accessed only by the authorized personnel of the data importer through such means as: (i) the use of unique user names and passwords to access the IT systems that host the data exporter’s data. Use multiple factors of authentication to access IT systems remotely; (ii) implementing security policies to ensure that passwords are not shared and that systems’ passwords are changed periodically in line with recommended best practice; (iii) ensuring access to the data exporter’s data is authorised and approved; (iv) ensuring there is a clear segregation of duties between users; (v) ensuring access is granted on a least privilege basis; (vi) terminating access where appropriate; (vii) segregation of duties (e.g., use of security role assignments to ensure that data access is restricted based on employee responsibilities to the minimum required; separation of administrator/super user/end user roles); (viii) centralized onboarding, job change, and off-boarding procedures to promptly add, modify, remove access to both the company network and individual applications; (ix) periodic user access reviews to ensure effectiveness of the user add/modify/removal processes at the network and application levels; and (x) standards-based IT network, server, database, and application hardening practices that enforce and document the configuration of equipment and software that provide access to company data.
6. Data Processing. The data importer will ensure that appropriate aspects of good security practice are enforced when processing any of the data exporter’s data. These processes include: (i) maintaining and enforcing policies on the secure handling and care of data, and taking steps to ensure that such policies are known to all employees through awareness training; (ii) ensuring that developers are trained and kept up to date in security coding techniques; and (iii) use of a configuration management database and configuration/change management processes to control the network, server, application and storage environments.
7. Data Backup, Disaster Recovery and Business Continuity. The continuity of access to the data exporter’s data will be maintained by ensuring standardized backup and recovery practices are in place, secured appropriately in transit and at rest, and supported by technical and organizational continuity plans and testing to ensure recoverability without compromising the security of sensitive data. These practices include:(i) maintaining standardized IT backup practices, using defined processes and configured tools to produce incremental and full backups of file shares, databases, applications and storage media containing company and client data; (ii) ensuring that backup records are encrypted in transit and at rest while stored within a geographically distant secondary location secured to the same standards as the primary location; (iii) periodically testing the restore function to ensure that backup files are and remain usable throughout their retention; (iv) maintaining appropriate IT disaster recovery plans and recovery systems, and periodically testing these plans with supporting documentation to ensure that these plans are adequate to restore/recover/failover IT systems to an operational state, with data restored to pre-failure state, within appropriate recovery time and recovery point objectives (RTO / RPO) that are appropriate for the business criticality and sensitivity of the data in question; and (v) maintaining appropriate business continuity plans for critical business functions, and periodically testing these plans with supporting documentation to ensure that these contingency plans are adequate to ensure continuance of business while recovering from catastrophic loss of normal business operations
B. ORGANIZATIONAL SECURITY MEASURES.
The data importer will ensure and maintain the integrity of personnel accessing the data exporter’s data by: (i) performing background checks on potential employees who will have access to personal data; (ii) maintaining and enforcing policies on the secure handling and care of data, and taking steps to ensure that such policies are known to all employees; (iii) provide regular training to employees on privacy and security policies and security awareness; (iv) ensure employees and contractors sign confidentiality agreements, or otherwise be under an obligation of confidentiality, prior to accessing the data exporter’s data; (v) reviewing any subprocessors which the data importer will use, to ensure appropriate security measures are in place; and (vi) ensuring the third party adheres to the minimum set of controls prescribed by the data importer’s information security policies.
C. DATA SUBJECT RIGHTS.
The data importer has established a set of data subject right procedures that include the following rights: (i) the right to be informed as to the data that we possess relative to that individual and to understand how we are using that data: (ii) the right to amend inaccurate data that is in our possession; (iii) the right to request restriction of the use of Personal Information previously provided to us; (iv) the right to not be subject to automated decision-making with legal or similarly significant effects; (v) the right to receive Personal Information in a usable electronic format and transmit it to a third party; (vi) the right to lodge a complaint with the individual’s local data protection authority, if one exists; (vii) the right to object to the use of Personal Information previously provided to us; and (viii) the right to deletion, or the right to be forgotten in certain circumstances.
D. DATA BREACH PROCEDURES.
The data importer has established a set of data breach security procedures that include the following elements:
1. Detection: Establishing the facts of the incident and creating a diagnostic, containment and communications plan with respect to those whose data has been affected.
2. Containment: Limiting the extent of the data compromise.
3. Eradication: Removing all aspects of the hostile code/configuration, if applicable.
4. Recovery: Restoring data and system to a known good state, without vulnerability.
5. Review: Assessment of how to avoid similar incidents in future.
6. Notification: Informing relevant interested parties of the data breach within legal and industry acceptable obligations and timeframes.