Use of Issuing Entity PII. The Issuing Entity does not grant the Asset Representations Reviewer any rights to Issuing Entity PII except as provided in this Agreement. The Asset Representations Reviewer will use Issuing Entity PII only to perform its obligations under this Agreement or as specifically directed in writing by the Issuing Entity and will only reproduce Issuing Entity PII to the extent necessary for these purposes. The Asset Representations Reviewer must comply with all laws applicable to PII, Issuing Entity PII and the Asset Representations Reviewer’s business, including any legally required codes of conduct, including those relating to privacy, security and data protection. The Asset Representations Reviewer will protect and secure Issuing Entity PII. The Asset Representations Reviewer will implement privacy or data protection policies and procedures that comply with applicable law and this Agreement. The Asset Representations Reviewer will implement and maintain reasonable and appropriate practices, procedures and systems, including administrative, technical and physical safeguards to (i) protect the security, confidentiality and integrity of Issuing Entity PII, (ii) ensure against anticipated threats or hazards to the security or integrity of Issuing Entity PII, (iii) protect against unauthorized access to or use of Issuing Entity PII and (iv) otherwise comply with its obligations under this Agreement. These safeguards include a written data security plan, employee training, information access controls, restricted disclosures, systems protections (e.g., intrusion protection, data storage protection and data transmission protection) and physical security measures.
