Common use of Data Security and Integrity Clause in Contracts

Data Security and Integrity. All facilities, whether Vendor hosted or Third-Party Hosted, used to store and process City Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to provide the requested Service(s) availability and to secure City Data from unauthorized access, destruction, use, modification, or disclosure appropriate for City Data. Such measures, when applicable due to the presence of Protected Information, include, but are not limited to, all applicable laws, rules, policies, publications, and guidelines including, without limitation: (i) the most recently promulgated IRS Publication 1075 for all Tax Information, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, (iv) the Colorado Consumer Protection Act, (v) the Children’s Online Privacy Protection Act (COPPA), (vi) the Family Education Rights and Privacy Act (FERPA), (vii) §00-00-000 et seq., (viii) the Telecommunications Industry Association (TIA) Telecommunications Infrastructure Standard for Data Centers (TIA-942); (ix) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Addendum attached to this Agreement, if applicable. Vendor shall submit to Xxxxxxxx, within fifteen (15) Calendar Days of Xxxxxxxx’x written request, copies of Vendor’s policies and procedures to maintain the confidentiality of protected health information to which Vendor has access, and if applicable, Vendor shall comply with all HIPAA requirements contained herein or attached as an exhibit. 
Vendor warrants that all City Data will be encrypted in transmission (including via web interface) and in storage by a mutually agreed upon National Institute of Standards and Technology (NIST) approved strong encryption method and standard. Vendor shall use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to, anti-virus and anti-malware protections and intrusion detection and reporting in providing Services under this Agreement. Vendor shall ensure that any underlying or integrated software employed by the Service(s) is updated on a regular basis and does not pose a threat to the security of the Service(s). Vendor shall, and shall cause its Subcontractors, to do all of the following:
Provide physical and logical protection for all hardware, software, applications, and data that meets or exceeds industry standards and the requirements of this Agreement.
Maintain network, system(s), and application security, which includes, but is not limited to, network firewalls, intrusion detection (host and network), annual security testing, and improvements or Enhancements consistent with evolving industry standards.
Comply with State and federal rules and regulations related to overall security, privacy, confidentiality, integrity, availability, and auditing.
Provide that security is not compromised by unauthorized access to workspaces, computers, networks, software, databases, or other physical or electronic environments.
Promptly report all Data Incidents, including Data Incidents that do not result in unauthorized disclosure or loss of data integrity.
Comply with all rules, policies, procedures, and standards that are issued by Xxxxxxxx’x Technology Services Security Section.
Subject to Vendor’s reasonable access security requirements and upon reasonable prior notice, Vendor shall provide Xxxxxxxx with scheduled access for the purpose of inspecting and monitoring access and use of City Data, maintaining City systems, and evaluating physical and logical security control effectiveness. Vendor shall perform current background checks in a form reasonably acceptable to Xxxxxxxx on all of its respective employees and agents performing services or having access to City Data provided under this Agreement, including any Subcontractors or the employees of Subcontractors. A background check performed within thirty (30) Calendar Days prior to the date such employee or agent begins performance or obtains access to City Data shall be deemed to be current. Vendor will provide notice to the security and compliance representative for Xxxxxxxx indicating that background checks have been performed. Such notice will inform Xxxxxxxx of any action taken in response to such background checks, including any decisions not to take action in response to negative information revealed by a background check. If Vendor will have access to Tax Information under the Agreement, Vendor shall comply with the background check requirements defined in IRS Publication 1075 and § 24-50-1002, C.R.S. If applicable, Vendor shall use, hold, and maintain Confidential and Protected Information in compliance with all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all Confidential and Protected Information. 
Prior to the Effective Date of this Agreement, Vendor will, at its expense, conduct or will have conducted the following, and thereafter, Vendor will, at its expense, conduct or will have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Incident:
A SSAE 16/SOC 2 or other mutually agreed upon audit of Vendor’s security policies, procedures and controls;
A quarterly external and internal vulnerability scan of Vendor’s Systems and facilities, to include public facing websites that are used in any way to deliver Services under this Agreement. The report must include the vulnerability, age and remediation plan for all issues identified as critical or high;
A formal penetration test, performed by a process and qualified personnel of Vendor’s Systems and facilities that are used in any way to deliver Services under this Agreement.
Vendor will provide Xxxxxxxx the reports or other Documentation resulting from the above audits, certifications, scans and tests within seven (7) Calendar Days of Vendor’s receipt of such results, if requested by Xxxxxxxx. Based on the results and recommendations of the above audits, certifications, scans and tests, Vendor will, within thirty (30) Calendar Days of receipt of such results, promptly modify its security measures to meet its obligations under this Agreement and provide Xxxxxxxx with written evidence of remediation. Xxxxxxxx may require, at its expense, that Vendor perform additional audits and tests, the results of which will be provided to Xxxxxxxx within seven (7) Calendar Days of Vendor’s receipt of such results. Vendor shall protect data against deterioration or degradation of data quality and authenticity, including, but not limited to annual Third Party data integrity audits. Vendor will provide Xxxxxxxx the results of the above audits, if requested by Xxxxxxxx.
Response to Legal Orders, Demands, or Requests for Data.
Except as otherwise expressly prohibited by law, Vendor will:
If required by a court of competent jurisdiction or an administrative body to disclose City Data, Vendor will notify Xxxxxxxx in writing immediately upon receiving notice of such requirement and prior to any such disclosure;
Consult with Xxxxxxxx regarding its response;
Cooperate with Xxxxxxxx’x reasonable requests in connection with efforts by City to intervene and quash or modify the legal order, demand or request; and
Upon request, provide Xxxxxxxx with a copy of its response.
If Xxxxxxxx receives a subpoena, warrant, or other legal order, demand or request seeking data maintained by Vendor, Xxxxxxxx will promptly provide a copy to Vendor. Vendor will supply Xxxxxxxx with copies of data required for Xxxxxxxx to respond within forty-eight (48) hours after receipt of copy from Xxxxxxxx and will cooperate with Xxxxxxxx’x reasonable requests in connection with its response.

Appears in 4 contracts

Samples: Technology Master Service Agreement, Technology Master Service Agreement, Technology Master Service Agreement
