Data Security and Integrity. All HRTec facilities used to store and process Participating Entity and End User Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTec’s own Data of a similar type, and in no event less than reasonable in view of the type and nature of the Data involved. HRTec shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of FedHIVE Cloud Computing Services to the Participating Entity in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in the NASPO Master Agreement, and Participating Addendum which is incorporated herein by reference. Without limiting the foregoing, HRTec warrants that all Participating Entity Data and End User Data will be encrypted in transmission (including via web interface) and in storage at a level equivalent to or stronger than 256-bit level encryption. HRTec shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting methods in providing Services under this Agreement. HRTec will configure the Services to filter spam while permitting communications from Third Party Internet Protocol addresses identified by the Participating Entity as legitimate. 
Prior to the Effective Date of this Agreement, HRTec will at its expense conduct or have conducted the following, and thereafter, HRTec will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) A Third-Party Assessment Organization (3PAO) audit of Supplier’s security policies, procedures and controls
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification
(c) A vulnerability scan, performed by a HRTec and FedRAMP approved Third Party scanner, of HRTec’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement
(d) A formal penetration test, performed by the process and qualified personnel approved by HRTec and the Participating Entity, of HRTec’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement.
HRTec will provide the Participating Entity the reports or other documentation resulting from the above audits, certifications, scans and tests. Based on the results of the above audits, certifications, scans and tests, HRTec will promptly modify its security measures in order to meet its obligations under this Agreement and provide the Participating Entity with written evidence of remediation. The Participating Entity may require, at its expense, that HRTec perform additional audits and tests, the results of which will be provided to the Participating Entity within seven (7) business days of receipt of such results. HRTec shall protect the Participating Entity and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Party Data integrity audits.
HRTec will provide the Participating Entity the results of the above audits, along with a plan for addressing or resolving any shortcomings identified by such audits.
Appears in 1 contract
Samples: Cooperative Contract
Data Security and Integrity. 6.1. All HRTec facilities used to store and process Participating Entity [Customer/Agency] and End User Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTec’s own Data of a similar type, and in no event less than reasonable in view of the type and nature of the Data involved.
6.2. HRTec shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of FedHIVE the Cloud Computing Services to the Participating Entity [Customer/Agency] in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in the NASPO Master AgreementExhibit , and Participating Addendum which is incorporated herein by reference.
6.3. Without limiting the foregoing, HRTec warrants that all Participating Entity [Customer/Agency] Data and End User Data will be encrypted in transmission (including via web interface) and in storage at a level equivalent to or stronger than 256-bit level encryption
6.4. HRTec shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting methods [List additional specifically required security mechanisms here as appropriate.] in providing Services under this Agreement.
6.5. HRTec will configure the Services to filter spam while permitting communications from Third Party Internet Protocol addresses identified by the Participating Entity [Customer/Agency] as legitimate, as specified in Exhibit .
6.6. Prior to the Effective Date of this Agreement, HRTec will at its expense conduct or have conducted the following, and thereafter, HRTec will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) A Third-Party Assessment Organization (3PAO) audit of Supplier’s security policies, procedures and controls
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification
(c) A vulnerability scan, performed by a HRTec and FedRAMP approved [Customer/Agency]-approved Third Party scanner, of HRTec’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement
(d) A formal penetration test, performed by the process and qualified personnel approved by HRTec and the Participating Entity[Customer/Agency], of HRTec’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement.
6.7. HRTec will provide the Participating Entity [Customer/Agency] the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of HRTec’s receipt of such results.
6.8. Based on the results of the above audits, certifications, scans and tests, HRTec will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement, and provide the Participating Entity [Customer/Agency] with written evidence of remediation.
6.9. The Participating Entity [Customer/Agency] may require, at its expense, that HRTec perform additional audits and tests, the results of which will be provided to the Participating Entity [Customer/Agency] within seven (7) business days of Supplier’s receipt of such results.
6.10. HRTec shall protect the Participating Entity [Customer/Agency] and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Party Data integrity audits. HRTec will provide the Participating Entity [Customer/Agency] the results of the above audits, along with a Supplier’s plan for addressing or resolving any shortcomings identified by such audits, within seven (7) business days of HRTec’s receipt of such results.
Appears in 1 contract
Samples: Cooperative Contract
Data Security and Integrity. 6.1 All HRTec facilities used to store and process Participating Entity University and End User Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTecSupplier’s own Data of a similar type, and in no event less than reasonable in view of the type and nature of the Data involved. HRTec .
6.2 Supplier shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of FedHIVE Cloud Computing the Services to the Participating Entity University in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in the NASPO Master AgreementExhibit , and Participating Addendum which is incorporated herein by reference. .
6.3 Without limiting the foregoing, HRTec Supplier warrants that all Participating Entity University Data and End User Data will be encrypted in transmission (including via web interface) and in storage at a level equivalent to or stronger than 256128-bit level encryption. HRTec .
6.4 Supplier shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting methods [List additional specifically required security mechanisms here as appropriate.] in providing Services under this Agreement. HRTec .
6.5 Supplier will configure the Services to filter spam while permitting communications from Third Party Internet Protocol addresses identified by the Participating Entity University as legitimate. , as specified in Exhibit .
6.6 Prior to the Effective Date of this Agreement, HRTec Supplier will at its expense conduct or have conducted the following, and thereafter, HRTec Supplier will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) A Third-Party Assessment Organization (3PAO) SSAE 16/SOC 2 audit of Supplier’s security policies, procedures and controls;
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification[ENTER “NIST FIPS 200 AND SP 800-53”, “ISO 27001/27002”, OR OTHER ACCEPTABLE STANDARD CLOUD COMPUTING SERVICES CERTIFICATION HERE].
(c) A vulnerability scan, performed by a HRTec and FedRAMP University-approved Third Party scanner, of HRTecSupplier’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement;
(d) A formal penetration test, performed by the a process and qualified personnel approved by HRTec and the Participating EntityUniversity, of HRTecSupplier’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement. HRTec .
6.7 Supplier will provide the Participating Entity University the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of Supplier’s receipt of such results.
6.8 Based on the results of the above audits, certifications, scans and tests, HRTec will Supplier will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement, and provide the Participating Entity University with written evidence of remediation. The Participating Entity .
6.9 University may require, at its expense, that HRTec Supplier perform additional audits and tests, the results of which will be provided to the Participating Entity University within seven (7) business days of Supplier’s receipt of such results. HRTec .
6.10 Supplier shall protect the Participating Entity University and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Third Party Data integrity audits. HRTec Supplier will provide the Participating Entity University the results of the above audits, along with a Supplier’s plan for addressing or resolving any shortcomings identified by such audits, within seven (7) business days of Supplier’s receipt of such results.
Appears in 1 contract
Samples: Cloud Computing Services Agreement
Data Security and Integrity. [under review by IT security personnel]
a. All HRTec facilities used to store and process Participating Entity Customer and End User Data data will implement and maintain employ commercial best practices, including appropriate administrative, physical, technicaland technical safeguards, and procedural safeguards and best practices at a level sufficient to secure such Data data from unauthorized access, destructiondisclosure, alteration, and use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTecVendor’s own Data data of a similar type, and in no event less than reasonable in view of the type and nature of the Data data involved. HRTec shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of FedHIVE Cloud Computing Services to the Participating Entity in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in the NASPO Master Agreement, and Participating Addendum which is incorporated herein by reference. Without limiting the foregoing, HRTec Vendor warrants that all Participating Entity Customer Data and End User Data will be encrypted in transmission (including via web interface) and in storage at no less than 128‐bit level encryption [or cite NIST, ISO, or FIPS standards], and that Vendor will comply with all other technical specifications of Customer provided in Exhibit ___, which is incorporated herein by reference. [Tech specs are where any other NIST etc. standards or other specific standards a level equivalent to or stronger than 256-bit level encryption. HRTec shall at all times school wants, e.g. HIPAA security standards, would go]
b. Vendor will use industry-standard industry‐standard and up-to-date up‐to‐date security tools, tools and technologies and procedures including, but not limited to anti-virus and anti-malware such as anti‐virus protections and intrusion detection and reporting methods in providing Services under this Agreement. HRTec .
c. [for outsourced email services] Vendor will configure the Services to filter spam while permitting communications from Third Party third‐party Internet Protocol addresses identified by the Participating Entity Customer as legitimate. Prior to the Effective Date of this Agreement, HRTec as specified in Exhibit ___.
d. Vendor will at its expense conduct or have conducted the following, and thereafter, HRTec will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) annually: • A Third-Party Assessment Organization (3PAO) SAS 70 audit of SupplierVendor’s security policies, procedures and controls
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification
(c) A controls resulting in the issuance of a Service Auditor’s Report Type II; • a vulnerability scan, performed by a HRTec and FedRAMP scanner approved Third Party scannerby Customer, of HRTecVendor’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services services under this Agreement
(d) A ; and • a formal penetration test, performed by the a process and qualified personnel approved by HRTec and the Participating EntityCustomer, of HRTecVendor’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services services under this Agreement. HRTec .
e. Vendor will provide the Participating Entity the reports or other documentation resulting from the above audits, certifications, scans and tests. Based on Customer upon request the results of the above audits, certifications, scans and tests, HRTec and will promptly modify its security measures as needed based on those results in order to meet its obligations under this Agreement and provide the Participating Entity with written evidence of remediationAgreement. The Participating Entity Customer may require, at its expense, that HRTec Vendor to perform additional audits and tests, the results of which will be provided promptly to the Participating Entity within seven (7) business days of receipt of such results. HRTec shall protect the Participating Entity and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Party Data integrity audits. HRTec will provide the Participating Entity the results of the above audits, along with a plan for addressing or resolving any shortcomings identified by such auditsCustomer.
Appears in 1 contract
Samples: Services Agreements