Access to Information Technology Systems and Data. (a) If any Party or any of its Affiliates, or its or their employees, suppliers or contractors have access (either on-site or remotely) (the “Accessing Party”) to the other Party’s (the “Granting Party”) Information Technology Systems or Party Data in relation to the Transition Services, the Accessing Party shall: (i) limit such access solely to the use of such Information Technology Systems and Party Data for purposes of the Transition Services and shall not access or attempt to access Information Technology Systems other than those required for the Transition Services; (ii) use the Granting Party’s Information Technology Systems and Party Data in accordance with the Granting Party’s reasonable applicable rules, policies, and procedures, as notified to the Accessing Party from time to time, and in accordance with applicable Law. If Service Recipient is granted access to any shared platforms, software, systems or networks, Service Provider’s rules, policies and procedures will govern such Service Recipient access and use; (iii) not make any changes to the Granting Party’s Information Technology Systems or Party Data that may be reasonably expected to have an adverse effect on such systems or data or the provision of the Transition Services; (iv) not extract or share any data from the Granting Party’s Information Technology Systems other than as required to perform the Transition Services or comply with applicable Law, or as expressly permitted by the terms of the relevant Transition Service as set out in the applicable service description in the Transition Services Schedules or any other transaction document; (v) use reasonable efforts to ensure that it does not introduce into the Information Technology Systems any (a) any code, program, or sub-program whose purpose is to damage or maliciously interfere with the operation of the computer system containing the code, program, or sub-program, or to halt, disable, or 
maliciously interfere with the operation of the software, code, program, or sub-program, itself, (b) any code, program, device, method, or token that permits any person to circumvent the normal security of software or a computer system, and (c) any code, program, device, method, or token that permits an unauthorized individual or program to access or take control of software or a computer system; and (vi) promptly notify the Granting Party (i) of any vulnerabilities in the Accessing Party’s assets that are connected to the Granting Party’s Information Technology Systems and (ii) upon becoming aware of any vulnerability related to the Transition Services or Information Technology Systems utilized in the provision or use of the Transition Services; and (vii) Promptly terminate access to the Granting Party’s Information Technology Systems and notify the Granting Party if an employee, supplier, or contractor no longer needs access to the Granting Party’s Information Technology Systems or is no longer employed or engaged by the Granting Party (b) The Accessing Party shall limit such access to the Information Technology Systems and Party Data to: (i) only employees and contractors who had access to such Information Technology Systems and Party Data immediately prior to the Effective Date; and (ii) its or its Affiliates’ other employees and contractors with a bona fide need to have such access in connection with the Transition Services as requested in writing by the Accessing Party and approved in writing by the Granting Party as provided in the relevant schedules. Any employees and contractors of the Accessing Party granted such access shall complete any training required by the Granting Party on the permitted and proper access and use of the applicable Information Technology Systems. (c) Both, the Accessing Party and the Granting Party shall take reasonable steps to monitor and prevent inappropriate use of the Information Technology Systems. 
The Granting Party is permitted to monitor access to its Information Technology Systems and review access logs for the purpose of auditing compliance with the access limitations set forth in this Section 10.10. (d) The Accessing Party will promptly notify the Granting Party of the termination of any of its or its Affiliates’ employees or contractors with a user identification number for the Information Technology Systems and inform each such terminated employee or contractor that their access to and use of Information Technology Systems has been revoked. All user identification numbers and passwords disclosed pursuant to this Agreement and any information obtained by the Accessing Party or its Affiliates as a result of its or its Affiliates’ access to and use of the Granting Party’s Information Technology Systems shall be deemed to be, and treated as, Confidential Information hereunder. The Accessing Party’s and its Affiliates’ employees and contractors shall not share or disclose their user identification numbers and passwords to any other employee or contractor of the Accessing Party or its Affiliates or to any Third Party. (e) The Accessing Party is responsible for its and its Affiliates’ employees’ and contractors’ use and misuse of the Granting Party’s Information Technology Systems and Party Data. The Granting Party may revoke the access of the Accessing Party’s or its Affiliates’ employee or contractor in the event of an actual or reasonably suspected material violation of this Agreement or the Granting Party’s applicable policies or procedures by such employee or contractor, which policies and procedures have been communicated or made available to such employee or contractor before such violation. 
The Accessing Party shall cooperate with the Granting Party in the investigation of any actual or suspected unauthorized access by any of the Accessing Party’s or its Affiliates’ employees or contractors to any of the Granting Party’s Information Technology Systems or Party Data. (f) From the Closing Date, each Party acknowledges that the personnel assigned to Global, System Administrator, or Power User roles for an Information Technology System provided as part of a Transition Service has the ability to access both Parties’ data. Each Party shall ensure that its personnel with such roles complies with all of Service Provider’s security policies, standards and guidelines (including confidentiality and personal data security requirements) and does not tamper with, compromise, or circumvent any security or audit measures employed by Service Provider. Each Party shall ensure that its personnel: (i) uses such access only for the purposes contemplated by this Agreement; and (ii) uses reasonable best efforts to prevent unauthorized access, use, dissemination, destruction, alteration, or loss of information contained within such Information Technology Systems. (g) Service Provider shall, and shall ensure that its Service Affiliates and the relevant Third Party Providers will, implement, maintain, and comply with reasonable information security measures, that include appropriate physical, technical, organizational, administrative, environmental and other data security safeguards designed to protect Service Recipient Data, and Service Provider Party’s Information Technology Systems Processing Service Recipient Data, against Cybersecurity Incidents. Such program shall also contain any other minimum requirements set forth in applicable Law. 
After confirmation of a Cybersecurity Incident in a Service Provider Party’s Information Technology Systems that impacts Service Recipient Data or Service Recipient’s use of a Transition Service, Service Provider shall: (i) promptly take actions reasonably designed to prevent or mitigate the effects of the Cybersecurity Incident; (ii) within seventy-two (72) hours, report the Cybersecurity Incident to Service Recipient via the TSA Sub-Committee and provide a reasonable description of such incident; and (iii) promptly identify and implement appropriate steps reasonably designed to prevent the Cybersecurity Incident from re-occurring. (h) Notwithstanding anything in this Agreement to the contrary (including the exclusions of liability in Section 8.3 of this Agreement), or an Ancillary Agreement to the contrary, the Service Provider’s maximum liability for Damages of any kind whatsoever to Service Recipient or any of its Affiliates hereunder relating to, or in connection with any Cybersecurity Incident (whether based on breach of warranty, breach of contract, negligence, strict liability in tort, or any other legal or equitable theory), including any inability to provide any Transition Services, Migration Support or any services to be provided under any Ancillary Agreement, shall not exceed the liability cap in Section 8.2 of this Agreement.
Appears in 3 contracts
Samples: Transition Services Agreement (3m Co), Transition Services Agreement (Solventum Corp), Transition Services Agreement (Solventum Corp)
Access to Information Technology Systems and Data. (a) If any Party or any of its Affiliates, or its or their employees, suppliers or contractors have access (either on-site or remotely) (the “Accessing Party”) to the other Party’s (the “Granting Party”) Information Technology Systems or Party Data in relation to the Transition Services, the Accessing Party shall:
(i) limit such access solely to the use of such Information Technology Systems and Party Data for purposes of the Transition Services and shall not access or attempt to access Information Technology Systems other than those required for the Transition Services;
(ii) use the Granting Party’s Information Technology Systems and Party Data in accordance with the Granting Party’s reasonable applicable rules, policies, and procedures, as notified to the Accessing Party from time to time, and in accordance with applicable Law. If Service Recipient is granted access to any shared platforms, software, systems or networks, Service Provider’s rules, policies and procedures will govern such Service Recipient access and use;
(iii) not make any changes to the Granting Party’s Information Technology Systems or Party Data that may be reasonably expected to have an adverse effect on such systems or data or the provision of the Transition Services;
(iv) not extract or share any data from the Granting Party’s Information Technology Systems other than as required to perform the Transition Services or comply with applicable Law, or as expressly permitted by the terms of the relevant Transition Service as set out in the applicable service description in the Transition Services Schedules or any other transaction document;
(v) use reasonable efforts to ensure that it does not introduce into the Information Technology Systems any (a) any code, program, or sub-program whose purpose is to damage or maliciously interfere with the operation of the computer system containing the code, program, or sub-program, or to halt, disable, or maliciously interfere with the operation of the software, code, program, or sub-program, itself, (b) any code, program, device, method, or token that permits any person to circumvent the normal security of software or a computer system, and (c) any code, program, device, method, or token that permits an unauthorized individual or program to access or take control of software or a computer system; and
(vi) promptly notify the Granting Party (i) of any vulnerabilities in the Accessing Party’s assets that are connected to the Granting Party’s Information Technology Systems and (ii) upon becoming aware of any vulnerability related to the Transition Services or Information Technology Systems utilized in the provision or use of the Transition Services; and
(vii) Promptly terminate access to the Granting Party’s Information Technology Systems and notify the Granting Party if an employee, supplier, or contractor no longer needs access to the Granting Party’s Information Technology Systems or is no longer employed or engaged by the Granting Party
(b) The Accessing Party shall limit such access to the Information Technology Systems and Party Data to:
(i) only employees and contractors who had access to such Information Technology Systems and Party Data immediately prior to the Effective Date; and
(ii) its or its Affiliates’ other employees and contractors with a bona fide need to have such access in connection with the Transition Services as requested in writing by the Accessing Party and approved in writing by the Granting Party as provided in the relevant schedules. Any employees and contractors of the Accessing Party granted such access shall complete any training required by the Granting Party on the permitted and proper access and use of the applicable Information Technology Systems.
(c) Both, the Accessing Party and the Granting Party shall take reasonable steps to monitor and prevent inappropriate use of the Information Technology Systems. The Granting Party is permitted to monitor access to its Information Technology Systems and review access logs for the purpose of auditing compliance with the access limitations set forth in this Section 10.10.
(d) The Accessing Party will promptly notify the Granting Party of the termination of any of its or its Affiliates’ employees or contractors with a user identification number for the Information Technology Systems and inform each such terminated employee or contractor that their access to and use of Information Technology Systems has been revoked. All user identification numbers and passwords disclosed pursuant to this Agreement and any information obtained by the Accessing Party or its Affiliates as a result of its or its Affiliates’ access to and use of the Granting Party’s Information Technology Systems shall be deemed to be, and treated as, Confidential Information hereunder. The Accessing Party’s and its Affiliates’ employees and contractors shall not share or disclose their user identification numbers and passwords to any other employee or contractor of the Accessing Party or its Affiliates or to any Third Party.
(e) The Accessing Party is responsible for its and its Affiliates’ employees’ and contractors’ use and misuse of the Granting Party’s Information Technology Systems and Party Data. The Granting Party may revoke the access of the Accessing Party’s or its Affiliates’ employee or contractor in the event of an actual or reasonably suspected material violation of this Agreement or the Granting Party’s applicable policies or procedures by such employee or contractor, which policies and procedures have been communicated or made available to such employee or contractor before such violation. The Accessing Party shall cooperate with the Granting Party in the investigation of any actual or suspected unauthorized access by any of the Accessing Party’s or its Affiliates’ employees or contractors to any of the Granting Party’s Information Technology Systems or Party Data.
(f) From the Closing Date, each Party acknowledges that the personnel assigned to Global, System Administrator, or Power User roles for an Information Technology System provided as part of a Transition Service has the ability to access both Parties’ data. Each Party shall ensure that its personnel with such roles complies with all of Service Provider’s security policies, standards and guidelines (including confidentiality and personal data security requirements) and does not tamper with, compromise, or circumvent any security or audit measures employed by Service Provider. Each Party shall ensure that its personnel: (i) uses such access only for the purposes contemplated by this Agreement; and (ii) uses reasonable best efforts to prevent unauthorized access, use, dissemination, destruction, alteration, or loss of information contained within such Information Technology Systems.
(g) Service Provider shall, and shall ensure that its Service Affiliates and the relevant Third Party Providers will, implement, maintain, and comply with reasonable information security measures, that include appropriate physical, technical, organizational, administrative, environmental and other data security safeguards designed to protect Service Recipient Data, and Service Provider Party’s Information Technology Systems Processing Service Recipient Data, against Cybersecurity Incidents. Such program shall also contain any other minimum requirements set forth in applicable Law. After confirmation of a Cybersecurity Incident in a Service Provider Party’s Information Technology Systems that impacts Service Recipient Data or Service Recipient’s use of a Transition Service, Service Provider shall:
(i) promptly take actions reasonably designed to prevent or mitigate the effects of the Cybersecurity Incident;
(ii) within seventy-two (72) hours, report the Cybersecurity Incident to Service Recipient via the TSA Sub-Committee and provide a reasonable description of such incident; and
(iii) promptly identify and implement appropriate steps reasonably designed to prevent the Cybersecurity Incident from re-occurring.
(h) Notwithstanding anything in this Agreement to the contrary (including the exclusions of liability in Section 8.3 of this Agreement), or an Ancillary Agreement to the contrary, the Service Provider’s maximum liability for Damages of any kind whatsoever to Service Recipient or any of its Affiliates hereunder relating to, or in connection with any Cybersecurity Incident (whether based on breach of warranty, breach of contract, negligence, strict liability in tort, or any other legal or equitable theory), including any inability to provide any Transition Services, Migration Support or any services to be provided under any Ancillary Agreement, shall not exceed the liability cap in Section 8.2 of this Agreement.
Appears in 1 contract