Common use of PRIVACY, CONFIDENTIALITY AND SECURITY Clause in Contracts

PRIVACY, CONFIDENTIALITY AND SECURITY. Supplier will ensure that it provides the services under this agreement in accordance with the following requirements: (a) Supplier will hold in strict confidence any and all Personal Information. (b) Supplier will Process Personal Information only on behalf of Northrop Grumman and in accordance with Northrop Grumman’s written instructions, and only in connection with the services it provides for Northrop Grumman and to fulfill its obligations to Northrop Grumman. (c) Supplier will comply with all applicable laws and regulations relating to the privacy, confidentiality or security of Personal Information and applicable provisions of Northrop Grumman’s privacy policies, statements or notices that are attached hereto (collectively, “Privacy Requirements”). (d) In the event a Privacy Requirement, enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Supplier’s ability to fulfill its obligations under this agreement, Supplier will promptly notify Northrop Grumman in writing and Northrop Grumman may, in its sole discretion and without penalty of any kind to Northrop Grumman, suspend the transfer or disclosure of Personal Information to Supplier or access to Personal Information by Supplier, terminate any further Processing of Personal Information by Supplier, and terminate Supplier’s agreement to provide services to Northrop Grumman, if doing so is necessary to comply with applicable Privacy Requirements. (e) Subject to applicable law, in the event Supplier is required by law or legal process to disclose Personal Information, it will give prior written notice of the disclosure to Northrop Grumman, so that Northrop Grumman may, in its discretion, seek to block the disclosure. Northrop Grumman will have the right to defend such action in lieu of and on behalf of Supplier. Northrop Grumman may, if it so chooses, seek a protective order. Supplier will reasonably cooperate with Northrop Grumman in such defense. (f) Supplier may disclose Personal Information to a third party if, and only if, it obtains the written consent of Northrop Grumman and (1) the disclosure is made to a party that performs services on behalf of Northrop Grumman and the disclosure is made in order to perform the Supplier’s services to Northrop Grumman; or (2) the disclosure is made to a third party performing clerical, administrative, technical, or security-related services for Supplier, and such disclosure is incidental to the performance of such services. In either case, Supplier will enter into a written agreement with such third party under which the third party agrees it will (i) maintain the confidentiality of the disclosed Personal Information;

PRIVACY, CONFIDENTIALITY AND SECURITY. Supplier will ensure that it provides the services under this agreement in accordance with the following requirements: (a) Supplier Seller will hold in strict confidence any and all Personal Information. (b) Supplier Seller will provide at least the same level of privacy protection for Personal Information as is required by the relevant U.S.-EU Safe Harbor Framework (“Safe Harbor”) Principles. (c) Seller will Process Personal Information only on behalf of Northrop Grumman and in accordance with Northrop Grumman’s written instructions, and only in connection with the services it provides for Northrop Grumman and to fulfill its obligations to Northrop Grumman. (cd) Supplier Seller will comply with all applicable laws and regulations relating to the privacy, confidentiality or security of Personal Information and applicable provisions of Northrop Grumman’s privacy policies, statements or notices that are attached hereto (collectively, “Privacy Requirements”). (de) In the event a Privacy Requirement, enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect SupplierSeller’s ability to fulfill its obligations under this agreement, Supplier Seller will promptly notify Northrop Grumman in writing and Northrop Grumman may, in its sole discretion and without penalty of any kind to Northrop Grumman, suspend the transfer or disclosure of Personal Information to Supplier Seller or access to Personal Information by SupplierSeller, terminate any further Processing of Personal Information by SupplierSeller, and terminate SupplierSeller’s agreement to provide services to Northrop Grumman, if doing so is necessary to comply with applicable Privacy Requirements. (ef) Subject to applicable law, in the event Supplier Seller is required by law or legal process to disclose Personal Information, it will give prior written notice of the disclosure to Northrop Grumman, so that Northrop Grumman may, in its discretion, seek to block the disclosure. Northrop Grumman will have the right to defend such action in lieu of and on behalf of SupplierSeller. Northrop Grumman may, if it so chooses, seek a protective order. Supplier Seller will reasonably cooperate with Northrop Grumman in such defensedefense at Northrop Grumman’s reasonable cost. (fg) Supplier Seller may disclose Personal Information to a third party if, and only if, it obtains the written consent of Northrop Grumman and (1) the disclosure is made to a party that performs services on behalf of Northrop Grumman and the disclosure is made in order to perform the SupplierSeller’s services to Northrop Grumman; or (2) the disclosure is made to a third party performing clerical, administrative, technical, or security-related services for SupplierSeller, and such disclosure is incidental to the performance of such services. In either case, Supplier Seller will enter into a written agreement with such third party under which the third party agrees it will (i) maintain the confidentiality of the disclosed Personal Information; (ii) provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles (unless such third party has certified to the Safe Harbor, or is subject to the European Union Directive on Data Protection (Directive 95/46/EC) or another adequacy finding by the European Commission, in which case the third party is not required to make the representation contained in (ii));

PRIVACY, CONFIDENTIALITY AND SECURITY. Supplier will ensure that it provides the services under this agreement in accordance with the following requirements: (a) Supplier will hold in strict confidence any and all Personal Information. (b) Supplier will Process Personal Information only on behalf of Northrop Grumman and in accordance with Northrop Grumman’s written instructions, and only in connection with the services it provides for Northrop Grumman and to fulfill its obligations to Northrop Grumman. (c) Supplier will comply with all applicable laws and regulations relating to the privacy, confidentiality or security of Personal Information and applicable provisions of Northrop Grumman’s privacy policies, statements or notices that are attached hereto (collectively, “Privacy Requirements”). (d) In the event a Privacy Requirement, enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Supplier’s ability to fulfill its obligations under this agreement, Supplier will promptly notify Northrop Grumman in writing and Northrop Grumman may, in its sole discretion and without penalty of any kind to Northrop Grumman, suspend the transfer or disclosure of Personal Information to Supplier or access to Personal Information by Supplier, terminate any further Processing of Personal Information by Supplier, and terminate Supplier’s agreement to provide services to Northrop Grumman, if doing so is necessary to comply with applicable Privacy Requirements. (e) Subject to applicable law, in the event Supplier is required by law or legal process to disclose Personal Information, it will give prior written notice of the disclosure to Northrop Grumman, so that Northrop Grumman may, in its discretion, seek to block the disclosure. Northrop Grumman will have the right to defend such action in lieu of and on behalf of Supplier. Northrop Grumman may, if it so chooses, seek a protective order. Supplier will reasonably cooperate with Northrop Grumman in such defense. (f) Supplier may disclose Personal Information to a third party if, and only if, it obtains the written consent of Northrop Grumman and (1) the disclosure is made to a party that performs services on behalf of Northrop Grumman and the disclosure is made in order to perform the Supplier’s services to Northrop Grumman; or (2) the disclosure is made to a third party performing clerical, administrative, technical, or security-related services for Supplier, and such disclosure is incidental to the performance of such services. In either case, Supplier will enter into a written agreement with such third party under which the third party agrees it will (i) maintain the confidentiality of the disclosed Personal Information;; (ii) not disclose the Personal Information to other third parties without the prior written agreement of Northrop Grumman; (iii) use the Personal Information only in connection with performing its obligations under its agreement with Supplier; (iv) disclose the Personal Information only to its own personnel who need the information to perform the obligations under the agreement with Supplier, and who have been fully advised as to the confidentiality requirements set forth herein; (v) promptly notify Supplier of any Information Security Incident (as defined below); and (vi) return to Supplier all copies of Personal Information Processed in connection with the relevant services for which the third party was retained or, upon Supplier’s written request (provided that Supplier receives Northrop Grumman’s prior written approval), securely destroy or, at the option of Northrop Grumman, render unreadable or undecipherable, all such Personal Information, including all hard-copy and electronic versions. (g) Supplier will develop, implement and maintain a comprehensive written information security program that complies with applicable Privacy Requirements. Supplier’s information security program will include appropriate administrative, technical, physical, organizational and operational measures designed to (i) ensure the security and confidentiality of Personal Information; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Information; and (iii) protect against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and any other unlawful forms of Processing (hereinafter “Information Security Incident”). Supplier’s information security program will contain standards that are at least as stringent as those set forth in Supplier’s attached “Information Security-Supplier Hosting Requirements”. If the Processing involves the transmission of Personal Information over a network, Supplier will implement appropriate measures to protect Personal Information against the specific risks presented by the Processing. Supplier will immediately, but in no event later than 72 hours after Supplier’s discovery of the Information Security Incident, notify Northrop Grumman in writing of any Information Security Incident. Such notice will summarize in reasonable detail the effect on Northrop Grumman, if known, of the Information Security Incident and the corrective action taken or to be taken by Supplier. Supplier will promptly take all necessary and advisable corrective actions, and will cooperate fully with Northrop Grumman in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Northrop Grumman prior to any publication or communication thereof. (h) Supplier will exercise the necessary and appropriate supervision over its relevant Personnel to maintain appropriate privacy, confidentiality and security of Personal Information. Supplier will restrict access to Personal Information to those Personnel who need the information to perform obligations under Supplier’s agreement with Northrop Grumman and who have explicitly agreed to legally enforceable and sound confidentiality obligations. Supplier will ensure that Personnel with access to Personal Information are periodically trained regarding privacy and security and the limitations on Processing of Personal Information as provided in this agreement. (i) Supplier will engage an independent third-party to conduct a security evaluation/certification of Supplier’s systems that host Personal Information. Supplier will provide Northrop Grumman copies of the audit report(s). Northrop Grumman reserves the right to conduct site surveys of Supplier’s hosting site and review its physical and information security policies, practices, and procedures on an annual or biennial basis, in Northrop Grumman’s reasonable discretion. (j) Supplier agrees that any Processing of Personal Information in violation of this agreement, Northrop Grumman’s instructions or any applicable Privacy Requirement, or any Information Security Incident, may cause immediate and irreparable harm to Northrop Grumman for which money damages may not constitute an adequate remedy. Therefore, Supplier agrees that Northrop Grumman may obtain specific performance and injunctive or other equitable relief for any such violation or incident, in addition to its remedies at law, without proof of actual damages. (k) Supplier will not transfer Personal Information outside the country to which it originally was delivered to Supplier for Processing (or, if it was originally delivered to a location inside the European Union, outside the European Union) without the explicit written consent of Northrop Grumman. (l) Supplier will cooperate with Northrop Grumman if a data subject wants to access or amend Personal Information pertaining to him or her. (m) Supplier will immediately inform Northrop Grumman in writing of any requests, complaints or investigations regarding Supplier’s Processing of Personal Information. Supplier will respond to such requests, complaints or investigations in accordance with Northrop Grumman’s instructions and Supplier will fully cooperate with Northrop Grumman in responding to any such request, complaint or investigation. (n) Supplier will enter into any further privacy or information security agreement requested by Northrop Grumman for purposes of compliance with applicable Privacy Requirements. In case of any conflict between this agreement and any such further privacy or information security agreement, such further agreement will prevail with regard to the Processing of Personal Information covered by it. (o) Supplier agrees, within 30 days of termination, cancellation, expiration, or other conclusion of this agreement, Supplier shall return to Northrop Grumman all copies of Personal Information Processed in connection with this agreement, or, upon Northrop Grumman’s written request or receipt of Northrop Grumman’s written approval in response to Supplier’s request, to securely destroy or, at the option of Northrop Grumman, render unreadable or undecipherable, all such Personal Information, including all hard-copy and electronic versions. Supplier will provide an appropriate Certificate of Return/Destruction at Northrop Grumman’s request. (p) Supplier agrees to indemnify and hold harmless Northrop Grumman and its officers, employees, directors and agents from, and at Northrop Grumman’s option defend against, any and all claims, losses, liabilities, costs and expenses, including without limitation third-party claims, reasonable attorneys’ fees, consultants’ fees and court costs (collectively, “Claims”), to the extent that such Claims arise from, or may be in any way attributable to (i) any violation of this agreement; (ii) the negligence, gross negligence, bad faith, or intentional or willful misconduct of Supplier or its Personnel in connection with the obligations set forth in this agreement; (iii) Supplier’s use of any contractor providing services in connection with or relating to Supplier’s performance under this agreement; or (iv) any Information Security Incident involving Personal Information in Supplier’s possession, custody or control, or for which Supplier is otherwise responsible. (q) Supplier’s obligations under this agreement will survive the termination of Supplier’s agreement to provide services to Northrop Grumman and the completion of all services subject thereto.