Common use of Confidentiality and Data Access Clause in Contracts

Confidentiality and Data Access. Personal Information is considered Confidential Information of University. Contractor will not use or disclose Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement, (including any Personal Information provided by a University student directly to Contractor), except as permitted or required by the Underlying Agreement or this Addendum. If Contractor discloses any Personal Information to a Subprocessor Contractor will require the Subprocessor to comply with the same restrictions and obligations that are imposed on Contractor by the Underlying Agreement and this Addendum, including requiring each Subprocessor to agree to the same restrictions and obligations in writing. Contractor will use the administrative, technical and physical security measures, including secure encryption in the case of electronically maintained or transmitted Personal Information, approved by University and that are at least as stringent as the requirements of UT System Information and Resource Use & Security Policy, UTS 165 at xxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policy, to preserve the confidentiality and security of all Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement. Contractor has implemented and will maintain documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in accordance with the Underlying Agreement in the event of any disaster or other adverse event affecting the University and/or Contractor. Prior to allowing any employee, subcontractor, representative, agent, subprocessor, or other individual to process Personal Information, Contractor will (i) conduct an appropriate background check of the individual as permitted by law and in compliance with the Underlying Agreement, (ii) require the individual to execute an enforceable confidentiality agreement, and (iii) provide the individual with appropriate privacy and security training. Contractor will also continually monitor its employees, subcontractors, representatives, agents, subprocessors, or other individuals it provides or engages for compliance with the privacy and security program requirements. Contractor, within 24 hours after discovery, will report to University any use or disclosure of Personal Information not authorized by this Addendum or the Underlying Agreement. Contractor’s report will identify: (i) the nature of the unauthorized use or disclosure, (ii) the Personal Information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future similar unauthorized use or disclosure. Contractor will provide such other information, including written reports, as reasonably requested by University. Upon request, Contractor will provide University with information about the Contractor’s information security program. Contractor will also submit its data processing facilities for audit, during Contractor’s reasonable business hours, which will be carried out in a mutually-agreeable manner no more than ten (10) days after such request. In the event that such audit reveals material gaps or weaknesses in Contractor’s security program, University will be entitled to terminate Contractor’s Processing of Personal Information, including, termination of this Addendum and the Underlying Agreement permanently, or until such issues are resolved. Contractor agrees that no later than 30 days after expiration or termination of the Underlying Agreement or this Addendum for any reason, or within thirty (30) days after University’s written request, Contractor will halt all access, use, or processing of Personal Information and will return to University all records, including any copies created by Contractor or any Subprocessor, subcontractor, representative, agent, or other individual or entity that it provides or engages; and Contractor will certify in writing to University that all records have been returned to University.

Confidentiality and Data Access. (a) Personal Information is considered Confidential Information of University. Contractor will not use or disclose Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement, (including any Personal Information provided by a University student directly to Contractor), except as permitted or required by the Underlying Agreement or this Addendum. If Contractor discloses any Personal Information to a Subprocessor Contractor will require the Subprocessor to comply with the same restrictions and obligations that are imposed on Contractor by the Underlying Agreement and this Addendum, including requiring each Subprocessor to agree to the same restrictions and obligations in writing. . (b) Contractor will use the administrative, technical and physical security measures, including secure encryption in the case of electronically maintained or transmitted Personal Information, approved by University and that are at least as stringent as the requirements of UT System Information and Resource Use & Security Policy, UTS 165 at xxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policyxxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information- resources-use-and-security-policy, to preserve the confidentiality and security of all Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement. . (c) Contractor has implemented and will maintain documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in accordance with the Underlying Agreement in the event of any disaster or other adverse event affecting the University and/or Contractor. . (d) Prior to allowing any employee, subcontractor, representative, agent, subprocessor, or other individual to process Personal Information, Contractor will (i) conduct an appropriate background check of the individual as permitted by law and in compliance with the Underlying Agreement, (ii) require the individual to execute an enforceable confidentiality agreement, and (iii) provide the individual with appropriate privacy and security training. Contractor will also continually monitor its employees, subcontractors, representatives, agents, subprocessors, or other individuals it provides or engages for compliance with the privacy and security program requirements. . (e) Contractor, within 24 hours after discovery, will report to University any use or disclosure of Personal Information not authorized by this Addendum or the Underlying Agreement. Contractor’s report will identify: (i) the nature of the unauthorized use or disclosure, (ii) the Personal Information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future similar unauthorized use or disclosure. Contractor will provide such other information, including written reports, as reasonably requested by University. . (f) Upon request, Contractor will provide University with information about the Contractor’s information security program. Contractor will also submit its data processing facilities for audit, during Contractor’s reasonable business hours, which will be carried out in a mutually-agreeable manner no more than ten (10) days after such request. In the event that such audit reveals material gaps or weaknesses in Contractor’s security program, University will be entitled to terminate Contractor’s Processing of Personal Information, including, termination of this Addendum and the Underlying Agreement permanently, or until such issues are resolved. Contractor agrees that no later than 30 days after expiration or termination of the Underlying Agreement or this Addendum for any reason, or within thirty (30) days after University’s written request, Contractor will halt all access, use, or processing of Personal Information and will return to University all records, including any copies created by Contractor or any Subprocessor, subcontractor, representative, agent, or other individual or entity that it provides or engages; and Contractor will certify in writing to University that all records have been returned to University.

Confidentiality and Data Access. Personal Information is considered Confidential Information of University. Contractor will not use or disclose Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement, (including any Personal Information provided by a University student directly to Contractor), except as permitted or required by the Underlying Agreement or this Addendum. If Contractor discloses any Personal Information to a Subprocessor Contractor will require the Subprocessor to comply with the same restrictions and obligations that are imposed on Contractor by the Underlying Agreement and this Addendum, including requiring each Subprocessor to agree to the same restrictions and obligations in writing. Contractor will use the administrative, technical and physical security measures, including secure encryption in the case of electronically maintained or transmitted Personal Information, approved by University and that are at least as stringent as the requirements of UT System Information and Resource Use & Security Policy, UTS 165 at xxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policy, to preserve the confidentiality and security of all Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement. Contractor has implemented and will maintain documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in accordance with the Underlying Agreement in the event of any disaster or other adverse event affecting the University and/or Contractor. Prior to allowing any employee, subcontractor, representative, agent, subprocessor, or other individual to process Personal Information, Contractor will (i) conduct an appropriate background check of the individual as permitted by law and in compliance with the Underlying Agreement, (ii) require the individual to execute an enforceable confidentiality agreement, and (iii) provide the individual with appropriate privacy and security training. Contractor will also continually monitor its employees, subcontractors, representatives, agents, subprocessors, or other individuals it provides or engages for compliance with the privacy and security program requirements. Contractor, within 24 hours after discovery, will report to University any use or disclosure of Personal Information not authorized by this Addendum or the Underlying Agreement. Contractor’s report will identify: (i) the nature of the unauthorized use or disclosure, (ii) the Personal Information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future similar unauthorized use or disclosure. Contractor will provide such other information, including written reports, as reasonably requested by University. Upon request, Contractor will provide University with information about the Contractor’s information security program. Contractor will also submit its data processing facilities for audit, during Contractor’s reasonable business hours, which will be carried out in a mutually-mutually agreeable manner no more than ten (10) days after such request. In the event that such audit reveals material gaps or weaknesses in Contractor’s security program, University will be entitled to terminate Contractor’s Processing of Personal Information, including, termination of this Addendum and the Underlying Agreement permanently, or until such issues are resolved. Contractor agrees that no later than 30 days after expiration or termination of the Underlying Agreement or this Addendum for any reason, or within thirty (30) days after University’s written request, Contractor will halt all access, use, or processing of Personal Information and will return to University all records, including any copies created by Contractor or any Subprocessor, subcontractor, representative, agent, or other individual or entity that it provides or engages; and Contractor will certify in writing to University that all records have been returned to University.

Confidentiality and Data Access. (a) Personal Information is considered Confidential Information of University. Contractor will not use or disclose Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement, (including any Personal Information provided by a University student directly to Contractor), except as permitted or required by the Underlying Agreement or this Addendum. If Contractor discloses any Personal Information to a Subprocessor Contractor will require the Subprocessor to comply with the same restrictions and obligations that are imposed on Contractor by the Underlying Agreement and this Addendum, including requiring each Subprocessor to agree to the same restrictions and obligations in writing. . (b) Contractor will use the administrative, technical and physical security measures, including secure encryption in the case of electronically maintained or transmitted Personal Information, approved by University and that are at least as stringent as the requirements of UT System Information and Resource Use & Security Policy, UTS 165 at xxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policyxxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information- resources-use-and-security-policy, to preserve the confidentiality and security of all Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement. . (c) Contractor has implemented and will maintain documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in accordance with the Underlying Agreement in the event of any disaster or other adverse event affecting the University and/or Contractor. . (d) Prior to allowing any employee, subcontractor, representative, agent, subprocessorSubprocessor, or other individual to process Personal Information, Contractor will (i) conduct an appropriate background check of the individual as permitted by law and in compliance with the Underlying Agreement, (ii) require the individual to execute an enforceable confidentiality agreement, and (iii) provide the individual with appropriate privacy and security training. Contractor will also continually monitor its employees, subcontractors, representatives, agents, subprocessors, or other individuals it provides or engages for compliance with the privacy and security program requirements. . (e) Contractor, within 24 hours after discovery, will report to University any use or disclosure of Personal Information not authorized by this Addendum or the Underlying Agreement. Contractor’s report will identify: (i) the nature of the unauthorized use or disclosure, (ii) the Personal Information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future similar unauthorized use or disclosure. Contractor will provide such other information, including written reports, as reasonably requested by University. . (f) Upon request, Contractor will provide University with information about the Contractor’s information security program. Contractor will also submit its data processing facilities for audit, during Contractor’s reasonable business hours, which will be carried out in a mutually-agreeable manner no more than ten (10) days after such request. In the event that such audit reveals material gaps or weaknesses in Contractor’s security program, University will be entitled to terminate Contractor’s Processing of Personal Information, including, termination of this Addendum and the Underlying Agreement permanently, or until such issues are resolved. Contractor agrees that no later than 30 days after expiration or termination of the Underlying Agreement or this Addendum for any reason, or within thirty (30) days after University’s written request, Contractor will halt all access, use, or processing of Personal Information and will return to University all records, including any copies created by Contractor or any Subprocessor, subcontractor, representative, agent, or other individual or entity that it provides or engages; and Contractor will certify in writing to University that all records have been returned to University.

Confidentiality and Data Access. (a) Personal Information is considered Confidential Information of University. Contractor will not use or disclose Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement, (including any Personal Information provided by a University student directly to Contractor), except as permitted or required by the Underlying Agreement or this Addendum. If Contractor discloses any Personal Information to a Subprocessor Contractor will require the Subprocessor to comply with the same restrictions and obligations that are imposed on Contractor by the Underlying Agreement and this Addendum, including requiring each Subprocessor to agree to the same restrictions and obligations in writing. . (b) Contractor will use the administrative, technical and physical security measures, including secure encryption in the case of electronically maintained or transmitted Personal Information, approved by University and that are at least as stringent as the requirements of UT System Information and Resource Use & Security Policy, UTS 165 at xxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policyxxxx://xxx.xxxxxxxx.xxx/board- of-regents/policy-library/policies/uts165-information-resources-use-and-security-policy, to preserve the confidentiality and security of all Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement. . (c) Contractor has implemented and will maintain documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in accordance with the Underlying Agreement in the event of any disaster or other adverse event affecting the University and/or Contractor. . (d) Prior to allowing any employee, subcontractor, representative, agent, subprocessor, or other individual to process Personal Information, Contractor will (i) conduct an appropriate background check of the individual as permitted by law and in compliance with the Underlying Agreement, (ii) require the individual to execute an enforceable confidentiality agreement, and (iii) provide the individual with appropriate privacy and security training. Contractor will also continually monitor its employees, subcontractors, representatives, agents, subprocessors, or other individuals it provides or engages for compliance with the privacy and security program requirements. Contractor, within 24 hours after discovery, will report to University any use or disclosure of Personal Information not authorized by this Addendum or the Underlying Agreement. Contractor’s report will identify: (i) the nature of the unauthorized use or disclosure, (ii) the Personal Information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future similar unauthorized use or disclosure. Contractor will provide such other information, including written reports, as reasonably requested by University. Upon request, Contractor will provide University with information about the Contractor’s information security program. Contractor will also submit its data processing facilities for audit, during Contractor’s reasonable business hours, which will be carried out in a mutually-agreeable manner no more than ten (10) days after such request. In the event that such audit reveals material gaps or weaknesses in Contractor’s security program, University will be entitled to terminate Contractor’s Processing of Personal Information, including, termination of this Addendum and the Underlying Agreement permanently, or until such issues are resolved. Contractor agrees that no later than 30 days after expiration or termination of the Underlying Agreement or this Addendum for any reason, or within thirty (30) days after University’s written request, Contractor will halt all access, use, or processing of Personal Information and will return to University all records, including any copies created by Contractor or any Subprocessor, subcontractor, representative, agent, or other individual or entity that it provides or engages; and Contractor will certify in writing to University that all records have been returned to University.and

Confidentiality and Data Access. (a) Personal Information is considered Confidential Information of University. Contractor will not use or disclose Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement, (including any Personal Information provided by a University student directly to Contractor), except as permitted or required by the Underlying Agreement or this Addendum. If Contractor discloses any Personal Information to a Subprocessor Contractor will require the Subprocessor to comply with the same restrictions and obligations that are imposed on Contractor by the Underlying Agreement and this Addendum, including requiring each Subprocessor to agree to the same restrictions and obligations in writing. . (b) Contractor will use the administrative, technical and physical security measures, including secure encryption in the case of electronically maintained or transmitted Personal Information, approved by University and that are at least as stringent as the requirements of UT System Information and Resource Use & Security Policy, UTS 165 at xxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information-resources-use-and-security-policyxxxx://xxx.xxxxxxxx.xxx/board-of-regents/policy-library/policies/uts165-information- resources-use-and-security-policy, to preserve the confidentiality and security of all Personal Information received from or on behalf of University, its students, faculty, or staff, or any third party pursuant to the Underlying Agreement. . (c) Contractor has implemented and will maintain documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in accordance with the Underlying Agreement in the event of any disaster or other adverse event affecting the University and/or Contractor. . (d) Prior to allowing any employee, subcontractor, representative, agent, subprocessor, or other individual to process Personal Information, Contractor will (i) conduct an appropriate background check of the individual as permitted by law and in compliance with the Underlying Agreement, (ii) require the individual to execute an enforceable confidentiality agreement, and (iii) provide the individual with appropriate privacy and security training. Contractor will also continually monitor its employees, subcontractors, representatives, agents, subprocessors, or other individuals it provides or engages for compliance with the privacy and security program requirements. . (e) Contractor, within 24 hours after discovery, will report to University any use or disclosure of Personal Information not authorized by this Addendum or the Underlying Agreement. Contractor’s report will identify: (i) the nature of the unauthorized use or disclosure, (ii) the Personal Information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future similar unauthorized use or disclosure. Contractor will provide such other information, including written reports, as reasonably requested by University. . (f) Upon request, Contractor will provide University with information about the Contractor’s information security program. Contractor will also submit its data processing facilities for audit, during Contractor’s reasonable business hours, which will be carried out in a mutually-mutually agreeable manner no more than ten (10) days after such request. In the event that such audit reveals material gaps or weaknesses in Contractor’s security program, University will be entitled to terminate Contractor’s Processing of Personal Information, including, termination of this Addendum and the Underlying Agreement permanently, or until such issues are resolved. Contractor agrees that no later than 30 days after expiration or termination of the Underlying Agreement or this Addendum for any reason, or within thirty (30) days after University’s written request, Contractor will halt all access, use, or processing of Personal Information and will return to University all records, including any copies created by Contractor or any Subprocessor, subcontractor, representative, agent, or other individual or entity that it provides or engages; and Contractor will certify in writing to University that all records have been returned to University.