Common use of Use and Protection of State Information Clause in Contracts

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As X. Xx between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement iv.implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vixx. training xxxxxxxx to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No X. Xx Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party X. Xxxxx shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In X. Xx addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; ; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives. H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”).certain B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”).1 B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; GA0872 Town of Richmond Page: 8 of 16 vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; ; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. and upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control.subsection D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; ; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.

Use and Protection of State Information. A. As between the State and Party, “State Data” includes all data received, obtained, or generated by the Party in connection with performance under this Agreement. Party acknowledges that certain State Data to which the Party may have access may contain information that is deemed confidential by the State, or which is otherwise confidential by law, rule, or practice, or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“Confidential State Data”). B. With respect to State Data, Party shall: i. take reasonable precautions for its protection; ii. not rent, sell, publish, share, or otherwise appropriate it; and iii. upon termination of this Agreement for any reason, Party shall dispose of or retain State Data if and to the extent required by this Agreement, law, or regulation, or otherwise requested in writing by the State. C. With respect to Confidential State Data, Party shall: i. strictly maintain its confidentiality; ii. not collect, access, use, or disclose it except as necessary to provide services to the State under this Agreement; iii. provide at a minimum the same care to avoid disclosure or unauthorized use as it provides to protect its own similar confidential and proprietary information; ; iv. implement and maintain administrative, technical, and physical safeguards and controls to protect against any anticipated threats or hazards or unauthorized access or use; v. promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for Confidential State Data so that the State may seek an appropriate protective order; and vi. upon termination of this Agreement for any reason, and except as necessary to comply with subsection B.iii above in this section, return or destroy destroy, all Confidential State Data remaining in its possession or control. D. If Party is provided or accesses, creates, collects, processes, receives, stores, or transmits Confidential State Data in any electronic form or media, Party shall utilize: i. industry-standard firewall protection; ii. multi-factor authentication controls; iii. encryption of electronic Confidential State Data while in transit and at rest; iv. measures to ensure that the State Data shall not be altered without the prior written consent of the State; v. measures to protect against destruction, loss, or damage of State Data due to potential environmental hazards, such as fire and water damage; vi. training to implement the information security measures; and vii. monitoring of the security of any portions of the Party’s systems that are used in the provision of the services against intrusion. E. No Confidential State Data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the United States, except with the express written permission of the State. F. Party shall notify the State within twenty-four hours after becoming aware of any unauthorized destruction, loss, alteration, disclosure of, or access to, any State Data. G. State of Vermont Cybersecurity Standard Update: Party confirms that all products and services provided to or for the use of the State under this Agreement shall be in compliance with State of Vermont Cybersecurity Standard Update in effect at the time of incorporation of this Attachment C into this Agreement. The State of Vermont Cybersecurity Standard Update prohibits the use of certain branded products in State information systems or any vendor system, and a copy is available at: xxxxx://xxxxxxxxxxxxxxx.xxxxxxx.xxx/cybersecurity/cybersecurity-standards-and-directives. H. In addition to the requirements of this Section 12, Party shall comply with any additional requirements regarding the protection of data that may be included in this Agreement or required by law or regulation.