Common use of Data Privacy and Information Security Clause in Contracts

Data Privacy and Information Security. 10.1 To the extent that Company provides to Consultant, or Consultant otherwise accesses Personal Data (as defined below) about Company’s employees, customers, or other individuals in connection with this Agreement, Consultant represents and warrants that: (i) Consultant will only use Personal Data for the purposes of fulfilling its obligations under the Agreement, and Consultant will not disclose or otherwise process such Personal Data except upon Company’s instructions in writing; (ii) Consultant will notify Company in writing and obtain Company’s consent before sharing any Personal Data with any government authorities or other third parties; and (iii) Consultant agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements. 10.2 In the event that (i) any Personal Data is disclosed by Consultant (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Consultant (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data has occurred (“Privacy Incident”), Consultant shall notify Company immediately in writing of any such Privacy Incident. Consultant shall cooperate fully in the investigation of the Privacy Incident, indemnify Company for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, and remedy any harm or potential harm caused by such incident. To the extent that a Privacy Incident gives rise to a need, in Company’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s request, Consultant shall, at Consultant’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole discretion. 10.3 To the extent that Company provides to Consultant, or Consultant otherwise accesses Personal Data about Company’s employees, customers, or other individuals in connection with this Agreement, Consultant shall implement a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal Data, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal Data. The Information Security Program shall also include policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed. 10.4 Personal Data means individually identifiable information from or about an individual including, but not limited to (i) social security number; (ii) credit or debit card information, including card number, expiration date, and data stored on the magnetic strip of a credit or debit card; (iii) financial account information, including the ABA routing number, bank account number, retirement account number; (iv) driver’s license, passport, taxpayer, military, or state identification number; (v) medical, health or disability information, including insurance policy numbers, (vi) passwords, fingerprints, biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.

Data Privacy and Information Security. 10.1 4.1. To the extent that Company provides to ConsultantContractor, or Consultant Contractor otherwise accesses Personal Data (as defined below) about Company’s employees, customers, or other individuals in connection with this Agreement, Consultant Contractor represents and warrants that: (i) Consultant Contractor will only use Personal Data for the purposes of fulfilling its obligations under the Agreement, and Consultant Contractor will not disclose or otherwise process such Personal Data except upon Company’s instructions in writing; (ii) Consultant Contractor will notify Company in writing and obtain Company’s consent before sharing any Personal Data with any government authorities or other third partiesparties outside the provision of Services; and (iii) Consultant Contractor agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements. 10.2 4.2. In the event that (i) any Personal Data is disclosed by Consultant Contractor (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Consultant Contractor (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data has occurred (“Privacy Incident”), Consultant Contractor shall notify Company immediately in writing of any such Privacy Incident. Consultant Contractor shall cooperate fully in the investigation of the Privacy Incident, indemnify Company for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, and remedy any harm or potential harm caused by such incident. 4.3. To the extent that a Privacy Incident gives rise to a need, in Company’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s requestrrequest, Consultant Contractor shall, at ConsultantContractor’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole discretion. 10.3 4.4. To the extent that Company provides to ConsultantContractor, or Consultant Contractor otherwise accesses Personal Data about Company’s employees, customers, or other individuals in connection with this Agreement, Consultant Contractor shall implement a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal Data, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal Data. The In particular, the Contractor’s Information Security Program shall also include policies and procedures regarding include, but not be limited, to the disposal following safeguards where appropriate or necessary to ensure the protection of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed. 10.4 Personal Data means individually identifiable information from or about an individual including, but not limited to (i) social security number; (ii) credit or debit card information, including card number, expiration date, and data stored on the magnetic strip of a credit or debit card; (iii) financial account information, including the ABA routing number, bank account number, retirement account number; (iv) driver’s license, passport, taxpayer, military, or state identification number; (v) medical, health or disability information, including insurance policy numbers, (vi) passwords, fingerprints, biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.:

Data Privacy and Information Security. 10.1 12.1 To the extent that Company COMPANY Customer or COMPANY Customer’s Affiliates provides to ConsultantService Provider, or Consultant Service Provider otherwise accesses Personal Data (as defined below) about CompanyCOMPANY Customer’s employees, customers, or other individuals in connection with this Agreement, Consultant Service Provider represents and warrants that: (i) Consultant Service Provider will only use Personal Data for the purposes of fulfilling its obligations under the Agreement, and Consultant Service Provider will not disclose or otherwise process such Personal Data except upon CompanyCOMPANY Customer’s instructions in writing; (ii) Consultant Service Provider will notify Company COMPANY Customer in writing and obtain CompanyCOMPANY Customer’s consent before sharing any Personal Data with any government authorities or other third parties. Service Provider will handle all COMPANY Customer Personal Data in accordance with the terms of this Agreement and any instructions received from COMPANY Customer with regard to such data, and maintain technical and organizational security measures in accordance with the laws laid down by the Government of India to protect COMPANY Customer Personal Data from unauthorized access, use, disclosure or other processing; and (iii) Consultant Service Provider agrees to adhere to additional contractual terms and conditions related to Personal Data as Company COMPANY Customer may instruct in writing that Company COMPANY Customer deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements. 10.2 12.2 In the event that (i) any Personal Data or Confidential Information is disclosed by Consultant Service Provider (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Consultant Service Provider (including its agents or subcontractorsSubcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data or Confidential Information has occurred (“Privacy Incident”), Consultant Service Provider shall notify Company COMPANY Customer immediately in writing of any such Privacy Incident. Consultant Service Provider shall cooperate fully in the investigation of the Privacy Incident, indemnify Company COMPANY Customer for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, incident and remedy any harm or potential harm caused by such incident. Privacy Incident. 12.3 To the extent that a Privacy Incident gives rise to a need, in Company’s sole judgment, need to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s requestif required by applicable law, Consultant shall, at Consultant’s cost, Service Provider shall undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company COMPANY Customer in its sole discretion. 10.3 12.4 To the extent that Company COMPANY Customer provides to ConsultantService Provider, or Consultant Service Provider otherwise accesses Personal Data about CompanyCOMPANY Customer’s employees, customers, or other individuals in connection with this AgreementAgreement or Confidential Information, Consultant Service Provider shall implement a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal DataData and Confidential Information, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal DataData and Confidential Information, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal DataData or Confidential Information. The In particular, the Service Provider’s Information Security Program shall also include policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed. 10.4 Personal Data means individually identifiable information from or about an individual includinginclude, but not limited be limited, to (i) social security number; (ii) credit the following safeguards where appropriate or debit card information, including card number, expiration date, and data stored on necessary to ensure the magnetic strip protection of a credit Personal Data or debit card; (iii) financial account information, including the ABA routing number, bank account number, retirement account number; (iv) driver’s license, passport, taxpayer, military, or state identification number; (v) medical, health or disability information, including insurance policy numbers, (vi) passwords, fingerprints, biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.Confidential Information:

Data Privacy and Information Security. 10.1 5.1 To the extent that Company Customer provides to ConsultantVendor, or Consultant Vendor otherwise accesses Personal Data (as defined below) about CompanyCustomer’s employees, customers, or other individuals in connection with this Agreement, Consultant Vendor represents and warrants that: (i) Consultant Vendor will only use Personal Data for the purposes of fulfilling its obligations under the Agreement, and Consultant Vendor will not disclose or otherwise process such Personal Data except upon CompanyCustomer’s instructions in writing; (ii) Consultant Vendor will notify Company Customer in writing and obtain CompanyCustomer’s consent before sharing any Personal Data with any government authorities or other third parties; and (iii) Consultant Vendor agrees to adhere to additional contractual terms and conditions related to Personal Data as Company Customer may instruct in writing that Company Customer deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements. 10.2 5.2 In the event that (i) any Personal Data or Confidential Information (as defined below) is disclosed by Consultant Vendor (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Consultant Vendor (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data or Confidential Information has occurred (“Privacy Security Incident”), Consultant Vendor shall notify Company Customer immediately in writing of any such Privacy Security Incident. Consultant Vendor shall cooperate fully in the investigation of the Privacy Security Incident, indemnify Company Customer for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, and remedy any harm or potential harm caused by such incident. To the extent that a Privacy Security Incident gives rise to a need, in CompanyCustomer’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at CompanyCustomer’s request, Consultant Vendor shall, at ConsultantVendor’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company Customer in its sole discretion. 10.3 5.3 To the extent that Company Customer provides to ConsultantVendor, or Consultant Vendor otherwise accesses Personal Data about CompanyCustomer’s employees, customers, or other individuals in connection with this AgreementAgreement and/or any Confidential Information, Consultant Vendor shall implement a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal DataData and Confidential Information, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal DataData and Confidential Information, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal DataData and Confidential Information. The Information Security Program shall also include policies and procedures regarding the disposal of Personal DataData and Confidential Information, and tangible property containing Personal DataData or Confidential Information, taking into account available technology so that Personal Data and Confidential Information cannot be practicably read or reconstructed. 10.4 5.4 Personal Data means individually identifiable information from or about an individual including, but not limited to (i) social security numberfirst name and last name, address, email address; (ii) any form of device identifier; (iii) credit or debit card information, including card number, expiration date, and data stored on the magnetic strip of a credit or debit card; (iiiiv) financial account information, including the ABA routing number, bank account number, retirement account number; (ivv) driver’s license, passport, taxpayer, social security number, military, or state identification number; (vvi) medical, health or disability information, including insurance policy numbers, or (vivii) passwords, fingerprints, biometric data. 5.5 Company may request upon ten days written notice to Service Provider access to facilities, systems, records and supporting documentation in order to audit Service Provider’s compliance with its obligations under or (vii) related to the Information Security Program. Audits shall be subject to all applicable confidentiality obligations agreed to by Company and Service Provider, and shall be conducted in a manner that minimizes any disruption of Service Provider’s performance of services and other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone numbernormal operations.

Data Privacy and Information Security. 10.1 5.1 To the extent that Company Customer provides to ConsultantVendor, or Consultant Vendor otherwise accesses Personal Data (as defined below) about CompanyCustomer’s employees, customers, or other individuals in connection with this Agreement, Consultant Vendor represents and warrants that: (i) Consultant Vendor will only use Personal Data for the purposes of fulfilling its obligations under the Agreement, and Consultant Vendor will not disclose or otherwise process such Personal Data except upon CompanyCustomer’s instructions in writing; (ii) Consultant Vendor will notify Company Customer in writing and obtain CompanyCustomer’s consent before sharing any Personal Data with any government authorities or other third parties; and (iii) Consultant Vendor agrees to adhere to additional contractual terms and conditions related to Personal Data as Company Customer may instruct in writing that Company Customer deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements. 10.2 5.2 In the event that (i) any Personal Data or Confidential Information (as defined below) is disclosed by Consultant Vendor (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Consultant Vendor (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data or Confidential Information has occurred (“Privacy Security Incident”), Consultant Vendor shall notify Company Customer immediately in writing of any such Privacy Security Incident. Consultant Vendor shall cooperate fully in the investigation of the Privacy Security Incident, indemnify Company Customer for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, and remedy any harm or potential harm caused by such incident. To the extent that a Privacy Security Incident gives rise to a need, in CompanyCustomer’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at CompanyCustomer’s request, Consultant Vendor shall, at ConsultantVendor’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company Customer in its sole discretion. 10.3 5.3 To the extent that Company Customer provides to ConsultantVendor, or Consultant Vendor otherwise accesses Personal Data about CompanyCustomer’s employees, customers, or other individuals in connection with this AgreementAgreement and/or any Confidential Information, Consultant Vendor shall implement a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal DataData and Confidential Information, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal DataData and Confidential Information, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal DataData and Confidential Information. The Information Security Program shall also include policies and procedures regarding the disposal of Personal DataData and Confidential Information, and tangible property containing Personal DataData or Confidential Information, taking into account available technology so that Personal Data and Confidential Information cannot be practicably read or reconstructed. 10.4 5.4 Personal Data means individually identifiable information from or about an individual including, but not limited to (i) social security numberfirst name and last name, address, email address; (ii) any form of device identifier; (iii) credit or debit card information, including card number, expiration date, and data stored on the magnetic strip of a credit or debit card; (iiiiv) financial account information, including the ABA routing number, bank account number, retirement account number; (ivv) driver’s license, passport, taxpayer, social security number, military, or state identification number; (vvi) medical, health or disability information, including insurance policy numbers, or (vivii) passwords, fingerprints, biometric data. 5.5 Company may request upon ten days written notice to Service Provider access to facilities, systems, records and suppo11ing documentation in order to audit Service Provider's compliance with its obligations under or (vii) related to the Information Security Program. Audits shall be subject to all applicable confidentiality obligations agreed to by Company and Service Provider, and shall be conducted in a manner that minimizes any disruption of Service Provider's performance of services and other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone numbernormal operations.

Data Privacy and Information Security. 10.1 To the extent that Company provides to Consultant, or Consultant otherwise accesses Personal Data (as defined below) about Company’s employees, customers, or other individuals in connection with this Agreement, Consultant represents and warrants that: (i) Consultant will only use Personal Data for the purposes of fulfilling its obligations under the Agreement, and Consultant will not disclose or otherwise process such Personal Data except upon Company’s instructions in writing, unless required otherwise by law; (ii) Consultant will notify Company in writing and obtain Company’s consent before sharing any Personal Data with any government authorities or other third parties; and (iii) Consultant agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in its sole discretion, mutually agreed upon by the parties to address applicable data protection, privacy, or information security laws or requirements. 10.2 In the event that (i) any Personal Data is disclosed by Consultant (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Consultant (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data has occurred (“Privacy Incident”), Consultant shall notify Company immediately as soon as practical in writing of any such Privacy Incident. Consultant shall reasonably cooperate fully in the investigation of the Privacy IncidentIncident and, indemnify Company for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of a third party claim regarding such incident, and remedy any harm or potential harm caused by such incident. To the extent that a Privacy Incident gives rise to a need, in Company’s sole judgment, need to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s request, Consultant shall, at Consultant’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices the parties shall be determined by Company work in its sole discretiongood faith to address the situation. 10.3 To the extent that Company provides to Consultant, or Consultant otherwise accesses Personal Data about Company’s employees, customers, or other individuals in connection with this Agreement, Consultant shall implement a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal Data, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal Data. The Information Security Program shall also include policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed. 10.4 Personal Data means individually identifiable information from or about an individual including, but not limited to (i) social security numberfirst name and last name, address, email address; (ii) any form of device identifier; (iii) credit or debit card information, including card number, expiration date, and data stored on the magnetic strip of a credit or debit card; (iiiiv) financial account information, including the ABA routing number, bank account number, retirement account number; (ivv) driver’s license, passport, taxpayer, social security number, military, or state identification number; (vvi) medical, health or disability information, including insurance policy numbers, or (vivii) passwords, fingerprints, biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.