Common use of Security Compliance Clause in Contracts

Security Compliance. Supplier agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized User’s then-current security procedures as are pertinent to Supplier’s operation and which have been supplied to Supplier by such Authorized User. Supplier shall also comply with all applicable federal, state and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section.

Security Compliance. Supplier does not require or intend to access and possess VITA’s or the applicable Authorized User’s data (the “VITA Data”) in its performance of the Services included in this Agreement. Any exposure by Supplier to the VITA Data will be infrequent and incidental to Supplier’s provision of the Services. Supplier agrees that it will not, except as is strictly necessary to comply with all provisions perform the Services, access, alter, use, copy, retain, store, transmit, publish, destroy, or transfer to any third party VITA Data. If Supplier accesses VITA Data, Supplier shall treat such VITA Data actually accessed as VITA confidential information. Supplier shall not be deemed to have possessed, accessed, used, received or obtained VITA Data or VITA confidential information solely by virtue of the fact that VITA or the applicable Authorized User transmits such information through its use of Supplier’s Services. Supplier shall establish and maintain safeguards against the destruction, loss, misuse or alteration of VITA Data actually accessed by Supplier that are no less rigorous than those set forth in the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized UserSubscriber’s then-current security procedures as are pertinent to consistent with Supplier’s operation and which have been supplied to Supplier by such Authorized UserSubscriber and as are otherwise required by Privacy Laws applicable to Supplier as the provider of the Service. Supplier shall also comply with all applicable federal, state and local laws and regulationsregulations applicable to Supplier as the provider of the Service. For any individual Authorized User locationSupplier will limit access and configuration capability to personnel in the Supplier NOC that will take first call on trouble tickets on the VITA Juniper equipment. Supplier will use commercially reasonable efforts to cause all employees that will have access and configuration capability on the VITA Juniper equipment to be subject to the finger-print background check. If employees refuse and Supplier is unable to staff the support of VITA with employees that have had the check performed, Supplier will negotiate in good faith with VITA to resolve the issue. Supplier does not anticipate that this background check will be refused by the group of employees targeted to support the VITA account. VITA and/or Subscriber has in effect and will maintain (i) reasonable security procedures may include but not be limited to: background checksmeasures appropriate for the protection of its own computing infrastructure and VITA Data, records verification(ii) measures as required by Privacy Laws applicable to VITA and/or Subscriber as the user of a Service, photographing(iii) VITA’s and/or Subscriber’s own network security policy (including applicable firewall and NAT policies) and security response procedures, and fingerprinting (iv) reasonable information security safeguards or mechanisms appropriate for VITA Data that VITA and/or Subscriber will transmit through its use of Supplier’s employees or agentsServices. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Without limiting Supplier’s employees express obligations as set forth in the Agreement, VITA acknowledges that encryption services or agents acknowledging that all ongoing security services specific to VITA’s or Subscriber’s Services (such as managed security services or intrusion detection services) are not inherent in the Services included in this Agreement, except as set forth in Exhibit B “Service Requirements.” Supplier shall notify VITA, Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized Userand/or Subscriber, if applicable, of any confirmed Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 18.2-186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or VITA, Authorized User or Subscriber to SupplierSupplier in accordance with Supplier processes. Supplier shall provide VITA the opportunity to participate in the investigation of the Breach and to exercise control Supplier shall reasonably cooperate with VITA, Authorized User or Subscriber over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section.

Security Compliance. ‌ Supplier agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at at: (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGsxxxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized User’s 's then-current security procedures as are pertinent to Supplier’s 's operation and which have been supplied to Supplier by such Authorized User. Supplier shall also comply with all applicable federal, state and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s 's employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s 's employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 18.2-186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section.

Security Compliance. ‌ Supplier agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at at: (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGsxxxxx://xxxx.xxxxxxxx.xxx/default.aspx?id=537) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized User’s DMAS’ then-current security procedures as are pertinent to Supplier’s 's operation and which have been supplied to Supplier by such Authorized UserDMAS. Supplier shall also comply with all applicable federal, state and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s 's employees or agents acknowledging that all Authorized User DMAS information with which such employees and agents come into contact while at the Authorized User DMAS site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized UserDMAS, if applicable, of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 18.2-186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or Authorized User DMAS to Supplier. Supplier shall provide VITA DMAS the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized UserDMAS, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized UserDMAS, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section. DMAS shall have the right to review Supplier's information security program prior to the commencement of Licensed Services and from time to time during the term of this Agreement. During the performance of the Licensed Services, on an ongoing basis from time to time, DMAS, at its own expense, shall be entitled to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by DMAS, Supplier agrees to complete, within forty-five (45 days) of receipt, an audit questionnaire provided by DMAS regarding Supplier's information security program. Supplier shall implement any reasonably required safeguards as identified by any program audit.

Security Compliance. Supplier Contractor agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) or a any successor URL(s), as are pertinent to SupplierContractor's operation. Supplier Contractor further agrees to comply with all provisions of the relevant Authorized User’s then-then current security procedures as are pertinent to SupplierContractor’s operation and which have been supplied to Supplier Contractor by such Authorized User. Supplier Contractor shall also comply with all applicable federal, state and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of SupplierContractor’s employees or agents. Supplier Contractor may, at any time, be required to execute and complete, for each individual Supplier Contractor employee or agent, additional forms which may include non-disclosure agreements to be signed by SupplierContractor’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier Contractor or an employee or agent of Supplier Contractor shall constitute a breach of its obligations under this Section and the Contract. Supplier Contractor shall immediately notify VITA DGS and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 18.2-186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA DGS or Authorized User to SupplierContractor. Supplier Contractor shall provide VITA DGS the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section.

Security Compliance. Supplier agrees to shall comply with all provisions of the then-current Commonwealth of Virginia security procedurespolicies, standards, and guidelines published by the Virginia Information Technologies Agency (VITA) VITA and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) at: xxxxx://xxx.xxxx.xxxxxxxx.xxx/policy--governance/itrm-policies-standards/, or a any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier further agrees to shall comply with all applicable provisions of the relevant Authorized User’s DMAS’ then-current security procedures as are pertinent to Supplier’s 's operation and which that have been supplied provided to Supplier by such Authorized UserDMAS. Supplier shall also comply with all applicable federal, state state, and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or Personal information personal information, by the Supplier or an employee or agent of Supplier shall constitute Personnel constitutes a breach of its Supplier’s obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized UserDMAS within 24 hours of discovery of, if applicableor when Supplier should have discovered, any breach of any Breach of Unencrypted “unencrypted” and Unredacted Personal Information“unredacted” personal information, as those terms are defined in Virginia Code 18.2- § 18.2-186.6, and other confidential or personal identifying informationinformation provided to the Supplier by DMAS. To the extent permitted by law, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA DMAS the opportunity to participate in the investigation of the Breach breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, to Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the extent permitted then-current standards set forth by lawthe American Institute of CPAs. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized UserDMAS, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessmentsClaims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized UserDMAS, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Sectionsection. DMAS reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Term of this Contract. During the performance of the Licensed Services, and on an annual basis, DMAS will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by DMAS, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Security Compliance. Supplier agrees to shall comply with all provisions of the then-current Commonwealth of Virginia security procedurespolicies, standards, and guidelines published by the Virginia Information Technologies Agency (VITA) VITA and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) at: xxxxx://xxx.xxxx.xxxxxxxx.xxx/policy--governance/itrm-policies-standards/, or a any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier further agrees to shall comply with all applicable provisions of the relevant Authorized User’s ELECT's then-current security procedures as are pertinent to Supplier’s 's operation and which that have been supplied provided to Supplier by such Authorized UserELECT. Supplier shall also comply with all applicable federal, state state, and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or Personal information personal information, by the Supplier or an employee or agent of Supplier shall constitute Personnel constitutes a breach of its Supplier’s obligations under this Section and the Contract. Supplier shall immediately notify VITA ELECT within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information“unredacted” personal information, as those terms are defined in Virginia Code 18.2- § 18.2-186.6, and other confidential or personal identifying informationinformation provided to the Supplier by ELECT. To the extent permitted by law, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA ELECT the opportunity to participate in the investigation of the Breach breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, to Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the extent permitted then-current standards set forth by lawthe American Institute of CPAs. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized UserELECT, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessmentsClaims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized UserELECT, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Sectionsection. ELECT reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Contract Term. During the performance of the Licensed Services, and on an annual basis, ELECT will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by ELECT, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Security Compliance. Supplier agrees to shall comply with all provisions of the then-current Commonwealth of Virginia security procedurespolicies, standards, and guidelines published by the Virginia Information Technologies Agency (VITA) VITA and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) at: xxxxx://xxx.xxxx.xxxxxxxx.xxx/policy--governance/itrm-policies-standards/, or a any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier further agrees to shall comply with all applicable provisions of the relevant Authorized User’s Agency's then-current security procedures as are pertinent to Supplier’s 's operation and which that have been supplied provided to Supplier by such Authorized UserAgency. Supplier shall also comply with all applicable federal, state state, and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or Personal information personal information, by the Supplier or an employee or agent of Supplier shall constitute Personnel constitutes a breach of its Supplier’s obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized UserAgency within 24 hours of discovery of, if applicableor when Supplier should have discovered, any breach of any Breach of Unencrypted “unencrypted” and Unredacted Personal Information“unredacted” personal information, as those terms are defined in Virginia Code 18.2- § 18.2-186.6, and other confidential or personal identifying informationinformation provided to the Supplier by Agency. To the extent permitted by law, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA and Agency the opportunity to participate in the investigation of the Breach breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, to Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the extent permitted then-current standards set forth by lawthe American Institute of CPAs. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized UserAgency, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessmentsClaims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized UserAgency, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Sectionsection.

Security Compliance. Supplier agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized User’s then-current security procedures as are pertinent to Supplier’s operation and which have been supplied to Supplier by such Authorized User. It shall be the responsibility of the Authorized Users, using best efforts, to provide Supplier with updated security procedures after publication. Supplier shall also comply with all applicable federal, state and local laws and regulations. For IBM will conduct background checks on those employees of IBM who provide Services under this Agreement on a full time basis at any individual Authorized User locationof your United States facilities (a "Resident IBM Employee"). Background checks will (a) identify federal and county felony and misdemeanor arrest and convictions, security procedures may including sentences of deferred adjudication; (b) include a search of a national criminal database, (c) include a search of government sanction registries, such as OFAC and (d) and a Social Security Number Death Master Search. The Resident IBM Employee will be asked for their last seven (7) years of addresses. If a Resident IBM Employee is removed or reassigned from any of your United States facilities as a result of information obtained from a background screening, IBM will notify you that such Resident IBM Employee has been removed or reassigned. We will both cooperate reasonably on addressing those issues (if any) created by the removal or reassignment or a request to remove or reassign a Resident IBM Employee, including (by way of illustration but not be limited to: background checks, records verification, photographing, limitation) compliance with applicable law and fingerprinting any impact to IBM's ability to provide the Service as provided in applicable Statements of Supplier’s employees or agentsWork. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include nonNon-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the this Contract. Supplier shall immediately notify VITA and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section.

Security Compliance. Supplier agrees to shall comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) VITA and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) at: xxxxx://xxx.xxxx.xxxxxxxx.xxx/policy--governance/itrm- policies-standards/ or a any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier further agrees to shall comply with all applicable provisions of the relevant Authorized UserVDOT’s then-current security procedures as are pertinent to Supplier’s 's operation and which that have been supplied provided to Supplier by such Authorized UserVDOT. Supplier shall also comply with all applicable federal, state state, and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or Personal information personal information, by the Supplier or an employee or agent of Supplier shall constitute Personnel constitutes a breach of its Supplier’s obligations under this Section and the Contract. Supplier shall immediately notify VITA VDOT within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information“unredacted” personal information, as those terms are defined in Virginia Code 18.2- § 18.2-186.6, and other confidential or personal identifying informationinformation provided to the Supplier by VDOT. To the extent permitted by law, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA VDOT the opportunity to participate in the investigation of the Breach breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, to Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the extent permitted then-current standards set forth by lawthe American Institute of CPAs. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessmentsClaims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Sectionsection. VDOT reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Term of this Contract. During the performance of the Licensed Services, and on an annual basis, VDOT will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by VDOT, Supplier shall implement any reasonably required safeguards as identified by any program audit.

Security Compliance. Supplier agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized User’s then-current security procedures as are pertinent to Supplier’s operation and which have been supplied to Supplier by such Authorized User. Supplier shall also comply with all applicable federal, state and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 18.2-186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized User, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized User, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section.

Security Compliance. ‌ Supplier agrees to comply with all provisions of the then-current Commonwealth of Virginia security procedures, published by the Virginia Information Technologies Agency (VITA) and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) or a successor URL(s), as are pertinent to Supplier's operation. Supplier further agrees to comply with all provisions of the relevant Authorized User’s then-current security procedures as are pertinent to Supplier’s operation and which have been supplied to Supplier by such Authorized User. Supplier shall also comply with all applicable federal, state and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User Commonwealth and VDH information with which such employees and agents come into contact while at the Authorized User site during performance of this Contract is confidential and proprietary. Any unauthorized release of proprietary or Personal information by the Supplier or an employee or agent of Supplier shall constitute a breach of its obligations under this Section and the Contract. Supplier shall immediately notify VITA and Authorized User, if applicable, VDH of any Breach of Unencrypted and Unredacted Personal Information, as those terms are defined in Virginia Code 18.2- 18.2-186.6, and other personal identifying information, such as insurance data or date of birth, provided by VITA or Authorized User VDH to Supplier. Supplier shall provide VITA VDH the opportunity to participate in the investigation of the Breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized UserVDH, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessments, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized UserVDH, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Section. If, Supplier is authorized to provide Supplier’s Application and Licensed Services in performance of this Contract, VDH shall have the right to review Supplier’s information security program prior to the commencement of Licensed Services and from time to time during the term of the Contract. During the performance of the Licensed Services, on an ongoing basis from time to time, VDH, at its own expense, shall be entitled to perform, or to have performed, an on-site audit of Supplier’s information security program. In lieu of an on-site audit, upon request by VDH, Supplier agrees to complete, within forty-five (45 days) of receipt, an audit questionnaire provided by VDH regarding Supplier’s information security program. Supplier shall implement any reasonably required safeguards as identified by any program audit.

Security Compliance. Supplier agrees to shall comply with all provisions of the then-current Commonwealth of Virginia security procedurespolicies, standards, and guidelines published by the Virginia Information Technologies Agency (VITA) VITA and which may be found at (xxxx://xxx.xxxx.xxxxxxxx.xxx/library/default.aspx?id=537#securityPSGs) at: xxxxx://xxx.xxxx.xxxxxxxx.xxx/it-governance/itrm-policies-standards/, or a any successor URL(s), as are pertinent to Supplier's operation. Further, Supplier further agrees to shall comply with all applicable provisions of the relevant Authorized UserVADOC’s then-current security procedures as are pertinent to Supplier’s 's operation and which that have been supplied provided to Supplier by such Authorized Userthe VADOC. Supplier shall also comply with all applicable federal, state state, and local laws and regulations. For any individual Authorized User location, security procedures may include but not be limited to: background checks, records verification, photographing, and fingerprinting of Supplier’s employees or agents. Supplier may, at any time, be required to execute and complete, for each individual Supplier employee or agent, additional forms which may include non-disclosure agreements to be signed by Supplier’s employees or agents acknowledging that all Authorized User information with which such employees and agents come into contact while at the Authorized User site is confidential and proprietary. Any unauthorized release of any Confidential Information, or Commonwealth proprietary or Personal information personal information, by the Supplier or an employee or agent of Supplier shall constitute Personnel constitutes a breach of its Supplier’s obligations under this Section and the Contract. Supplier shall immediately notify VITA VADOC within 24 hours of discovery of, or when Supplier should have discovered, any breach of “unencrypted” and Authorized User, if applicable, of any Breach of Unencrypted and Unredacted Personal Information“unredacted” personal information, as those terms are defined in Virginia Code 18.2- § 18.2-186.6, and other confidential or personal identifying informationinformation provided to the Supplier by VADOC. To the extent permitted by law, such as insurance data or date of birth, provided by VITA or Authorized User to Supplier. Supplier shall provide VITA VADOC the opportunity to participate in the investigation of the Breach breach and to exercise control over reporting the unauthorized disclosure. Supplier shall ensure performance of an audit of Supplier’s environment at least annually to provide assurance of “Controls Relevant to Security, to Availability, Processing Integrity, Confidentiality or Privacy” in accordance with the extent permitted then-current standards set forth by lawthe American Institute of CPAs. Supplier shall indemnify, defend, and hold the Commonwealth, VITA, the Authorized UserVADOC, their officers, directors, employees and agents harmless from and against any and all fines, penalties (whether criminal or civil), judgments, damages and assessmentsClaims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from the Commonwealth, VITA, the Authorized UserVADOC, their officers, directors, agents or employees, on account of the failure of Supplier to perform its obligations pursuant this Sectionsection. VADOC reserves the right to review Supplier's information security program prior to the commencement of Licensed Services and at least once annually during the Term of this Contract. During the performance of the Licensed Services, and on an annual basis, VADOC will be entitled, at its own expense, to perform, or to have performed, an on-site audit of Supplier's information security program. In lieu of an on-site audit, upon request by VADOC, Supplier shall implement any reasonably required safeguards as identified by any program audit.