Common use of Transfer Format Clause in Contracts

Transfer Format. Transfers may include, but are not limited to, conversion of all Data into or from an industry standard format or providing application programmable interface. ENCRYPTION‌ Data must be encrypted at all times unless specifically outlined otherwise in the Authorized User Agreement. At a minimum, encryption must be carried out at the most current NYS Encryption Standard (NYS-S14-007), (or successor policy with key access restricted to the Authorized User only, unless with the express written permission of the Authorized User. All Data in transit must be handled in accordance with ITS Policy NYS-S14-007 (or successor) or the National Institute of Standards and Technology (NIST) Federal Institute Processing Standard (FIPS)-140-2 or Transport Layer Security (TLS) 1, or TLS2 (or successor). The Authorized User Agreement shall specify the respective responsibilities of the Authorized User and the Contractor for the encryption of Data. REQUESTS FOR DATA BY THIRD PARTIES‌ Unless prohibited by law, Contractor shall notify the Authorized User in Writing within 24 hours of any request for Data (including requestor, nature of Data requested and timeframe of response) by a person or entity other than the Authorized User, and the Contractor shall secure Written acknowledgement of such notification from the Authorized User before responding to the request for Data. Unless compelled by law, the Contractor shall not release Data without the Authorized User’s prior Written approval. SECURITY PROCESSES‌ If requested by an Authorized User as part the Request for Quote process, Contractor shall complete a Consensus Assessment Initiative Questionnaire (CAIQ) including on an annual basis thereafter, if requested by the Authorized User. The CAIQ is available at Cloud Security Alliance (xxxxx://xxxxxxxxxxxxxxxxxxxxx.xxx/). The CAIQ may be used to assist the Authorized User in building the necessary assessment processes when engaging with Contractors. In addition to a request for a CAIQ, Contractor shall cooperate with all reasonable Authorized User requests for a Written description of Contractor’s physical/virtual security and/or internal control processes. The Authorized User shall have the right to reject any Contractor’s RFQ response or terminate an Authorized User Agreement when such a request has been denied. For example, Federal, State and local regulations and/or laws may require that Contractors operate within the Authorized User’s regulatory environment. In order to ensure that security is adequate and free of gaps in control coverage, the Authorized User may require information from the Contractor’s Service Organization Controls (SOC) audit report. UPGRADES, SYSTEM CHANGES AND MAINTENANCE/SUPPORT‌ The Contractor shall give a minimum of 5 business days advance Written notice to the designated Authorized User contact of any upgrades, system changes and Maintenance/support actions that may potentially impact services described in the Authorized User Agreement. Upgrades, system changes, and Maintenance/support actions which are required by system vulnerabilities or emergency situations shall be carried out by the Contractor to protect the system. Authorized Users shall be notified by the Contractor as soon as possible after the change has taken place. Contractor shall provide documentation of upgrades, system changes and Maintenance/support actions upon request from an Authorized User. EXPIRATION, TERMINATION OR SUSPENSION OF SERVICES‌ Return of Data‌ The Contractor shall return Data in a format agreed upon within the Authorized User Agreement or as agreed to with the Authorized User. This can, if specified within the Authorized User Agreement, be carried out by providing application programmable interface or other such efficient electronic tools. The Contractor must certify all Data has been removed from its system and removed from backups within timeframes established in the Authorized User Agreement or as agreed to with the Authorized User. Suspension of Services‌ During any period of suspension of service, the Authorized User shall have full access to all Data at no charge. This can, if specified within the Authorized User Agreement, be carried out by providing an application programmable interface or other such efficient electronic tools. The Contractor shall not take any action to erase and/or withhold any Authorized User Data, except as directed by the Authorized User. Expiration or Termination of Services‌ Upon expiration or termination of an Authorized User Agreement, the Authorized User shall have full access to all Data for a period of 60 calendar days. Unless noted in the original Authorized User Agreement, this period will be covered at no charge. This can, if specified within the Authorized User Agreement, be carried out by providing application programmable interface or other such efficient electronic tools. During this period, the Contractor shall not take any action to erase and/or withhold any Data, except as directed by the Authorized User. An Authorized User shall have the right to specify a period in excess of 60 calendar days in its RFQ. SECURE DATA DISPOSAL‌ When requested by the Authorized User, the Contractor shall destroy Data in all of its forms, including all back-ups. Data shall be permanently deleted and shall not be recoverable, according ITS Policy S13-003 Sanitization/Secure Disposal or successor and S14-003 Information Security Controls or successor. Certificates of destruction, in a form acceptable to the Authorized User, shall be provided by the Contractor to the Authorized User.

Transfer Format. Transfers may include, but are not limited to, conversion of all Data into or from an industry standard format or providing application programmable interface. ENCRYPTION‌ Data must be encrypted at all times unless specifically outlined otherwise in the Authorized User Agreement. The RFQ must specify whether encryption is to be done by the Contractor or by the Authorized User. At a minimum, encryption must be carried out at in accordance with the most current NYS Encryption Standard (NYS-S14-007)NIST FIPS-140 standard, (or successor policy with key access restricted to the Authorized User only, unless with the express written permission of the Authorized User. All Data in transit For Authorized Users subject to NYS security policies/standards (see Section 1.2), encryption must be handled in accordance with ITS Policy NYS-S14-007 (or successor) or the National Institute of Standards and Technology (NIST) Federal Institute Processing Standard (FIPS)-140-2 or Transport Layer Security (TLS) 1, or TLS2 (or successor)Encryption Standard. The Authorized User Agreement shall specify the respective responsibilities of the Authorized User and the Contractor for the encryption of Data. REQUESTS FOR DATA BY THIRD PARTIES‌ Unless prohibited by law, Contractor shall notify the Authorized User in Writing within 24 hours of any request for Data (including requestor, nature of Data requested and timeframe of response) by a person or entity other than the Authorized User, and the Contractor shall secure Written acknowledgement of such notification from the Authorized User before responding to the request for Data. Unless compelled by law, the Contractor shall not release Data without the Authorized User’s prior Written approval. SECURITY PROCESSES‌ If requested by an Authorized User as part the Request for Quote process, Contractor shall complete a Consensus Assessment Initiative Questionnaire (CAIQ) including on an annual basis thereafter, if requested by the Authorized User. The CAIQ is available at Cloud Security Alliance (xxxxx://xxxxxxxxxxxxxxxxxxxxx.xxx/). The CAIQ may be used to assist the Authorized User in building the necessary assessment processes when engaging with Contractors. In addition to a request for a CAIQ, Contractor shall cooperate with all reasonable Authorized User requests for a Written description of Contractor’s physical/virtual security and/or internal control processes. The Authorized User shall have the right to reject any Contractor’s RFQ response or terminate an Authorized User Agreement when such a request has been denied. For example, Federal, State and local regulations and/or laws may require that Contractors operate within the Authorized User’s regulatory environment. In order to ensure that security is adequate and free of gaps in control coverage, the Authorized User may require information from the Contractor’s Service Organization Controls (SOC) audit report. RESERVED RESERVED‌‌‌ UPGRADES, SYSTEM CHANGES AND MAINTENANCE/SUPPORT‌ The Contractor shall give a minimum of 5 five (5) business days advance Written notice to the designated Authorized User contact of any upgrades, system changes and Maintenance/support actions that may potentially impact availability or functionality of the services described in the Authorized User Agreement. This notice can be carried out through announcement on a website, provided the Authorized User is aware of and provided access to said website. Upgrades, system changes, and Maintenance/support actions which are required by system vulnerabilities or emergency situations shall be carried out by the Contractor to protect the system. Authorized Users shall be notified by the Contractor as soon as possible after the change has taken place. Contractor shall provide documentation of upgrades, system changes and Maintenance/support actions upon request from an Authorized User. EXPIRATION, TERMINATION OR SUSPENSION OF SERVICES‌ Return of Data‌ The Contractor shall return Data in a format agreed upon within the Authorized User Agreement or as agreed to with the Authorized User. This can, if specified within the Authorized User Agreement, be carried out by providing an application programmable interface or other such efficient electronic tools. The Contractor must certify that all Data has been removed from its system and removed from backups within timeframes established in the Authorized User Agreement or as agreed to with the Authorized User. Suspension of Services‌ During any period of suspension of service, the Authorized User shall have full access to all Data at no charge. This can, if specified within the Authorized User Agreement, be carried out by providing an application programmable interface or other such efficient electronic tools. The Contractor shall not take any action to erase and/or withhold any Authorized User Data, except as directed by the Authorized User. Expiration or Termination of Services‌ Upon expiration or termination of an Authorized User Agreement, the Authorized User shall have full access to all Data for a period of 60 calendar days. Unless noted in the original Authorized User Agreement, this period will be covered at no charge. This can, if specified within the Authorized User Agreement, be carried out by providing application programmable interface or other such efficient electronic tools. During this period, the Contractor shall not take any action to erase and/or withhold any Data, except as directed by the Authorized User. An Authorized User shall have the right to specify a period in excess of 60 calendar days in its RFQ. SECURE DATA DISPOSAL‌ When requested by the Authorized User, the Contractor shall destroy Data in all of its forms, including all back-ups. Data shall be permanently deleted and shall not be recoverable, according ITS Policy S13-003 Sanitization/Secure Disposal or successor and S14-003 Information Security Controls or successor. Certificates of destruction, in a form acceptable to the Authorized User, shall be provided by the Contractor to the Authorized User.RESERVED RESERVED‌‌‌