Common use of COMPLIANCE AND MONITORING Clause in Contracts

COMPLIANCE AND MONITORING. Seller shall comply with security policies relating to the handling of Confidential Information. Prior to PG&E’s first transfer of Confidential Information to Seller, Seller shall provide PG&E with documentation satisfactory to PG&E that it has undertaken Security Measures. Xxxxxx and PG&E agree to meet periodically, if requested by PG&E, to evaluate Seller's Security Measures and to discuss, in good faith, means by which the Parties can enhance such protection, if necessary. Seller shall update its Security Measures, including procedures, practices, policies and controls so as to keep current with industry standards, including but not limited to NIST and NERC/CIP, as applicable. PG&E reserves the right to perform onsite security assessments to verify the implementation and ongoing operation and maintenance of security controls. At least annually, Seller shall assist PG&E in obtaining a copy of any report that documents Seller's Security Measures. In the event, PG&E determines Seller has not complied with Security Measures, PG&E shall provide written notice to Seller describing the deficiencies. Seller shall then have sixty (60) calendar days to cure. If Seller has not cured the deficiencies within sixty (60) calendar days, PG&E may cancel this Contract for cause in accordance with the Contract’s termination provisions. 
PG&E DATA: PG&E Data shall mean: all data or information provided by or on behalf of PG&E, including, but not limited to, personally identifiable information relating to, of, or concerning, or provided by or on behalf of any Customers, all data or information input, transferred, uploaded, migrated, or otherwise sent by or on behalf of PG&E to Seller as PG&E may approve of in advance and in writing (in each instance), account numbers, forecasts, and other similar information disclosed to or otherwise made available to Seller by or on behalf of PG&E and Customers, and all data provided by PG&E’s licensors, including any and all survey responses, feedback, and reports, as well as information entered by PG&E, Seller or Subcontractor, and Customers. SECURITY OF PG&E DATA: Seller agrees that Seller’s collection, management and use of PG&E Data during the Term shall comply with these security requirements and all applicable laws, regulations, directives, and ordinances.

Appears in 4 contracts

Samples: Distribution Services Agreement, Distribution Services Agreement, Information Agreement


COMPLIANCE AND MONITORING. Seller shall comply with security policies relating to the handling of Confidential Information. Prior to PG&E’s first transfer of Confidential Information to Seller, Seller shall provide PG&E with documentation satisfactory to PG&E that it has undertaken Security Measures. Xxxxxx and PG&E agree to meet periodically, if requested by PG&E, to evaluate Seller's Security Measures and to discuss, in good faith, means by which the Parties can enhance such protection, if necessary. Seller shall update its Security Measures, including procedures, practices, policies and controls so as to keep current with industry standards, including but not limited to NIST and NERC/CIP, as applicable. PG&E reserves the right to perform onsite security assessments to verify the implementation and ongoing operation and maintenance of security controls. At least annually, Seller shall assist PG&E in obtaining a copy of any report that documents Seller's Security Measures. In the event, PG&E determines Seller has not complied with Security Measures, PG&E shall provide written notice to Seller describing the deficiencies. Seller shall then have sixty (60) calendar days to cure. If Seller has not cured the deficiencies within sixty (60) calendar days, PG&E may cancel this Contract for cause in accordance with the Contract’s termination provisions. 
PG&E DATA: PG&E Data shall mean: all data or information provided by or on behalf of PG&E, including, but not limited to, personally identifiable information relating to, of, or concerning, or provided by or on behalf of any Customers, all data or information input, transferred, uploaded, migrated, or otherwise sent by or on behalf of PG&E to Seller as PG&E may approve of in advance and in writing (in each instance), account numbers, forecasts, and other similar information disclosed to or otherwise made available to Seller by or on behalf of PG&E and Customers, and all data provided by PG&E’s licensors, including any and all survey responses, feedback, and reports, as well as information entered by PG&E, Seller or Subcontractor, and Customers. SECURITY OF PG&E DATA: Seller agrees that Seller’s collection, management and use of PG&E Data during the Term shall comply with these security requirements and all applicable laws, regulations, directives, and ordinances. Vendor Security Review: Before receiving any PG&E Data, Seller shall undergo PG&E's Vendor Security Review process. Seller may receive PG&E Data if the security review reveals no high-risk security control deficiencies. If Seller’s security review reveals high-risk security control deficiencies, Seller may not receive PG&E Data until such xxxx Xxxxxx mitigates the risk(s). USE OF PG&E DATA: License: PG&E may provide PG&E Data to Seller to perform its obligations hereunder. Subject to the terms of the Contract, PG&E grants Seller a personal, non-exclusive, non-assignable, non-transferable limited license to use the PG&E Data solely for the limited purpose of performing the Work or services during the Term, but not otherwise. 
Limited Use of PG&E Data: Seller agrees that PG&E Data will not be (a) used by Seller for any purpose other than that of performing Seller’s obligations under this Contract, (b) disclosed, sold, assigned, leased or otherwise disposed of or made available to third parties by Seller, (c) commercially exploited by or on behalf of Seller, nor (d) provided or made available to any other party without written authorization, subject to this Agreement and this Appendix XXI (Confidentiality and Data Security), and Appendix XXII, Non-Disclosure and Use of Information Agreement. Application Development: Seller agrees that it will not engage in any application development without or until it has demonstrated compliance with the Agreement provisions and this Appendix XXI and Appendix XXII. SECURITY BREACH: Seller shall immediately notify PG&E in writing of any unauthorized access or disclosure of Confidential Information and/or PG&E Data. Seller shall take reasonable measures within its control to immediately stop the unauthorized access or disclosure of Confidential Information and/or PG&E Data to prevent recurrence and to return to PG&E any copies. Seller shall provide PG&E (i) a brief summary of the issue, facts and status of Seller’s investigation; (ii) the potential number of individuals affected by the security breach; (iii) the Confidential Information and/or PG&E Data that may be implicated by the security breach; and (iv) any other information pertinent to PG&E’s understanding of the security breach and the exposure or potential exposure of Confidential Information and/or PG&E Data. Seller shall investigate such breach or potential breach, and shall inform PG&E, in writing, of the results of such investigation, and assist PG&E (at Seller’s sole cost and expense) in maintaining the confidentiality of such Confidential Information and/or PG&E Data. 
Seller agrees to provide, at Seller’s sole cost and expense, appropriate data security monitoring services for all potentially affected persons for one (1) year following the breach or potential breach, subject to PG&E’s prior approval. If requested in advance and in writing by PG&E, Seller will notify the potentially affected persons regarding such breach or potential breach within a reasonable time period determined by PG&E and in a form as specifically approved in writing by PG&E. In addition, in no event shall Seller issue or permit to be issued any public statements regarding the security breach involving Confidential Information and/or PG&E Data unless PG&E requests Seller to do so in writing. RIGHT TO SEEK INJUNCTION: Xxxxxx agrees that any breach of this Appendix XXI (Confidentiality and Data Security) would constitute irreparable harm and significant injury to PG&E. Accordingly, and in addition to PG&E’s right to seek damages and any other available remedies at law or in equity in accordance with this Agreement, Seller agrees that PG&E will have the right to obtain, from any competent civil court, immediate temporary or preliminary injunctive relief enjoining any breach or threatened breach of this Agreement, involving the alleged unauthorized access, disclosure or use of any Confidential Information and/or PG&E Data. Seller hereby waives any and all objections to the right of such court to grant such relief, including, but not limited to, objections of improper jurisdiction or forum non conveniens. CPUC and IOU DISCLOSURE: Notwithstanding anything to the contrary contained herein, but without limiting the general applicability of the foregoing, Seller understands, agrees and acknowledges as follows.
PG&E hereby reserves the right in its sole and absolute discretion to disclose any and all terms of this Agreement and all exhibits, attachments, and any other documents related thereto to the CPUC, and that the CPUC may reproduce, copy, in whole or in part or otherwise disclose the Agreement to the public. PG&E may be required or may deem it to be in the best interest of the Work being performed under this Agreement that Work related information be disclosed to other IOUs (excluding any pricing information).

Appears in 3 contracts

Samples: Consent and Agreement, Consent and Agreement, Consent and Agreement
