Information Security; Compliance. 3.1 Supplier is responsible for the security of any Buyer Data to the extent it Processes such data. Supplier shall, at its sole cost and expense, implement Security Measures that are no less rigorous than, and shall only Process Buyer Data in such a manner so as to comply with: (a) a Security Framework; (b) Privacy and Security Laws; (c) MBN 9666 Standards (to the extent applicable to the Services), and (d) any other requirements of this Addendum or the Agreement.
3.2 At a minimum, Supplier’s Security Measures shall include: (a) access controls (including multi-factor authentication, where appropriate); (b) physical security; (c) encryption of Buyer Data at rest and in transit; (d) segregation of Buyer Data from Supplier’s other customers’ data; (e) privacy and security awareness training; (f) record maintenance, including, without limitation, incident and compliance recordkeeping consistent with the Security Framework; (g) Secure Development Practices with regard to applications that Process Buyer Data; and (i) incident response, vulnerability mitigation, and vendor management programs.
3.3 Remote access to Buyer Data or Buyer Systems is only allowed upon prior written approval by Xxxxx and must occur through access points approved by Buyer. Supplier systems used for such remote access must be protected according to the requirements of this Addendum.
3.4 If, in the course of its engagement, Supplier has access to or will Process credit, debit, or other payment card information (“PCI”), Supplier shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS. As evidence of compliance with PCI DSS, Supplier will provide a current attestation of compliance at the commencement of Services and at regular intervals thereafter. Supplier will create and maintain reasonably detailed, complete, and accurate documentation describing the systems, processes, network segments, security controls, and data flows used to receive, transmit, store, and secure PCI that it obtains in connection with the Services. Such documentation shall conform to the most current version of the PCI DSS.
3.5 Supplier shall ensure only Supplier-owned, managed, or leased end-user devices are used by Supplier to Process Buyer Data and shall promptly notify Buyer of any lost or stolen device that was used to Process Buyer Data.
3.6 Supplier shall ensure that subcontractors shall only use subcontractor-owned, managed, or leased end-user devices to Process Buyer Data and shall promptly notify Buyer of any lost or stolen subcontractor device that was used to Process Buyer Data.
3.7 Supplier shall obtain Buyer’s prior written consent before implementing any change to the Processing of Buyer Data that constitutes a material reduction in Supplier’s Security Measures. Supplier shall use commercially reasonable efforts to provide Buyer at least ninety (90) days’ notice in advance of the proposed effective date of such change. To the extent Supplier implements any such change without Buyer’s written consent, Buyer shall have the right to terminate the Agreement or the applicable SOW effective immediately upon written notice to Supplier.
3.8 Supplier shall assign an appropriate qualified security professional working for Supplier that shall act as its Security Coordinator, who will be the security liaison between Buyer and Supplier.
3.9 During the term of the Agreement, Supplier shall implement and maintain additional Security Measures, as mutually agreed upon by Supplier and Buyer, in the event of: (a) any material changes to Services; (b) any Security Breach or Security Incident; or (c) any material decreases to Supplier’s Security; provided, that the failure of Buyer to make a request of Supplier shall not impact, eliminate, or decrease Supplier’s obligations under this Addendum.
Appears in 5 contracts
Samples: General Terms and Conditions, Master Purchasing Agreement, General Terms and Conditions
Information Security; Compliance. 3.1 Agency is responsible for the Security of any Company Data to the extent it Processes such data. Agency shall, at its sole cost and expense, implement Security that is no less rigorous than, and shall only Process Company Data in such a manner so as to comply with: (a) a Security Framework; (b) Privacy and Security Laws; and (c) MBN 9666 Standards (to the extent applicable to the Services).
3.2 At a minimum, Agency’s Security Measures shall include: (a) access controls (including multi-factor authentication, where appropriate); (b) physical security; (c) encryption of Company Data at rest and in transit; (d) segregation of Company Data from Agency’s other customers’ data; (e) privacy and security awareness training; (f) record maintenance, including, without limitation, incident and compliance recordkeeping consistent with the Security Framework; (g) Secure Development Practices with regard to applications that Process Company Data; and (i) incident response, vulnerability mitigation, and vendor management programs.
3.3 Remote access to Company Data or Company Systems is only allowed upon prior written approval by Company, and must occur through access points approved by Company. Agency systems used for such remote access must be protected according to the requirements of this Addendum.
3.4 If, in the course of its engagement, Agency has access to or will Process credit, debit, or other payment card information (“PCI”), Agency shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS. As evidence of compliance with PCI DSS, Agency will provide a current attestation of compliance at the commencement of Services and at regular intervals thereafter. Agency will create and maintain reasonably detailed, complete, and accurate documentation describing the systems, processes, network segments, security controls, and data flows used to receive, transmit, store, and secure PCI that it obtains in connection with the Services. Such documentation shall conform to the most current version of the PCI DSS.
3.5 Agency shall ensure only Agency-owned, managed, or leased end-user devices are used by Agency to Process Company Data and shall promptly notify Company of any lost or stolen device that was used to Process Company Data.
3.6 Agency shall ensure that subcontractors shall only use subcontractor-owned, managed, or leased end-user devices to Process Company Data and shall promptly notify Company of any lost or stolen subcontractor device that was used to Process Company Data.
3.7 Agency shall obtain Company’s prior written consent before implementing any change to the Processing of Company Data that constitutes a material reduction in Agency’s Security Measures. Agency shall use commercially reasonable efforts to provide Company at least ninety (90) days’ notice in advance of the proposed effective date of such change. To the extent Agency implements any such change without Company’s written consent, Company shall have the right to terminate the Agreement or the applicable SOW effective immediately upon written notice to Agency.
3.8 Agency shall assign an appropriate qualified security professional working for Agency that shall act as its Security Coordinator, who will be the security liaison between Company and Agency.
3.9 During the term of the Agreement, Agency shall implement and maintain additional Security, as mutually agreed upon by Agency and Company, in the event of: (a) any material changes to Services; (b) any Security Breach or Security Incident; or (c) any material decreases to Agency’s Security; provided, that the failure of Company to make a request of Agency shall not impact, eliminate, or decrease Agency’s obligations under this Addendum.
Appears in 1 contract
Samples: Agency Personnel Agreement
Information Security; Compliance. 3.1 Supplier is responsible for the Security of any Buyer Data to the extent it Processes such data. Supplier shall, at its sole cost and expense, implement Security Measures that are no less rigorous than, and shall only Process Buyer Data in such a manner so as to comply with: (a) a Security Framework; (b) Privacy and Security Laws; (c) MBN 9666 Standards (to the extent applicable to the Services), and (d) any other requirements of this Addendum or the Agreement.
3.2 At a minimum, Supplier’s Security Measures shall include: (a) access controls (including multi-factor authentication, where appropriate); (b) physical security; (c) encryption of Buyer Data at rest and in transit; (d) segregation of Buyer Data from Supplier’s other customers’ data; (e) privacy and security awareness training; (f) record maintenance, including, without limitation, incident and compliance recordkeeping consistent with the Security Framework; (g) Secure Development Practices with regard to applications that Process Buyer Data; and (i) incident response, vulnerability mitigation, and vendor management programs.
3.3 Remote access to Buyer Data or Buyer Systems is only allowed upon prior written approval by Xxxxx Xxxxx, and must occur through access points approved by Buyer. Supplier systems used for such remote access must be protected according to the requirements of this Addendum.
3.4 If, in the course of its engagement, Supplier has access to or will Process credit, debit, or other payment card information (“PCI”), Supplier shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS. As evidence of compliance with PCI DSS, Supplier will provide a current attestation of compliance at the commencement of Services and at regular intervals thereafter. Supplier will create and maintain reasonably detailed, complete, and accurate documentation describing the systems, processes, network segments, security controls, and data flows used to receive, transmit, store, and secure PCI that it obtains in connection with the Services. Such documentation shall conform to the most current version of the PCI DSS.
3.5 Supplier shall ensure only Supplier-owned, managed, or leased end-user devices are used by Supplier to Process Buyer Data and shall promptly notify Buyer of any lost or stolen device that was used to Process Buyer Data.
3.6 Supplier shall ensure that subcontractors shall only use subcontractor-owned, managed, or leased end-user devices to Process Buyer Data and shall promptly notify Buyer of any lost or stolen subcontractor device that was used to Process Buyer Data.
3.7 Supplier shall obtain Buyer’s prior written consent before implementing any change to the Processing of Buyer Data that constitutes a material reduction in Supplier’s Security Measures. Supplier shall use commercially reasonable efforts to provide Buyer at least ninety (90) days’ notice in advance of the proposed effective date of such change. To the extent Supplier implements any such change without Buyer’s written consent, Buyer shall have the right to terminate the Agreement or the applicable SOW effective immediately upon written notice to Supplier.
3.8 Supplier shall assign an appropriate qualified security professional working for Supplier that shall act as its Security Coordinator, who will be the security liaison between Buyer and Supplier.
3.9 During the term of the Agreement, Supplier shall implement and maintain additional Security Measures, as mutually agreed upon by Supplier and Buyer, in the event of: (a) any material changes to Services; (b) any Security Breach or Security Incident; or (c) any material decreases to Supplier’s Security; provided, that the failure of Buyer to make a request of Supplier shall not impact, eliminate, or decrease Supplier’s obligations under this Addendum.
Appears in 1 contract
Samples: General Terms and Conditions