Common use of General Security Procedures Clause in Contracts

General Security Procedures. 1.1 Processor shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Processor, if any, comply with all of the foregoing. Processor will designate an individual to be responsible for the information security program. Such individual shall respond to Controller inquiries regarding computer security and to be responsible for notifying Controller-designated contact(s) if a breach or an incident occurs, as further described herein. 1.2 Processor shall conduct formal privacy and security awareness training for all personnel and contractors as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Processor, confirming that this training and subsequent annual recertification process have been completed. 1.3 Controller shall have the right to review an overview of Processor’s information security program prior to the commencement of Service and annually thereafter upon Controller request. 1.4 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within 2 business days following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller’s request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller. 1.5 Processor will not transmit any unencrypted Personal Data over the internet or any unsecured network, and will not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.

General Security Procedures. 1.1 Processor shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Processor, if any, comply with all of the foregoing. Processor will shall designate an individual to be responsible for the information security program. Such individual shall respond to Controller inquiries regarding computer security and to be responsible for notifying Controller-designated contact(s) if a breach or an incident occurs, as further described herein. 1.2 Processor shall conduct formal privacy and security awareness training for all personnel and contractors its employees as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Processor, confirming that this training and subsequent annual recertification process have been completed. 1.3 Controller shall have the right to review an overview of Processor’s information security program prior to the commencement of Service and annually thereafter upon Controller request. 1.4 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within 2 business days following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller’s request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller. 1.5 Processor will not transmit any unencrypted Personal Data over the internet or any unsecured network, and will shall not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols. 1.5 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and without undue delay and within 72 hours following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller.

General Security Procedures. 1.1 Processor Data Importer shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of ProcessorData Importer, if any, comply with all of the foregoing. Processor will Data Importer shall designate an individual to be responsible for the information security program. Such individual shall respond to Controller Data Exporter inquiries regarding computer security and to be responsible for notifying ControllerData Exporter-designated contact(s) if a breach or an incident occurs, as further described herein. 1.2 Processor Data Importer shall conduct formal privacy and security awareness training for all personnel and contractors as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by ProcessorData Importer, confirming that this training and subsequent annual recertification process have been completed. 1.3 Controller Data Exporter shall have the right to review an overview of ProcessorData Importer’s information security program prior to the commencement of Service and annually thereafter upon Controller Data Exporter request. 1.4 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor Data Importer shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within 2 one (1) business days day following confirmation of any such event, provide Controller Data Exporter notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller’s Data Exporter request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to ControllerData Exporter. 1.5 Processor will Data Importer shall not transmit any unencrypted Personal Data over the internet or any unsecured network, and will shall not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Processor Data Importer shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.

General Security Procedures. 1.1 1.1. Processor shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Processor, if any, comply with all of the foregoing. Processor will designate an individual to be responsible for the information security program. Such individual shall respond to Controller inquiries regarding computer security and to be responsible for notifying Controller-designated contact(s) if a breach or an incident occurs, as further described herein. 1.2 1.2. Processor shall conduct formal privacy and security awareness training for all personnel and contractors as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Processor, confirming that this training and subsequent annual recertification process have been completed. 1.3 1.3. Controller shall have the right to review an overview of Processor’s information security program prior to the commencement of Service and annually thereafter upon Controller request. 1.4 1.4. In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within 2 business days following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller’s request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller. 1.5 1.5. Processor will not transmit any unencrypted Personal Data over the internet or any unsecured network, and will not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.