Confidential Treatment Requested AMENDMENT NUMBER TWO TO SECOND AMENDED AND RESTATED INFORMATION TECHNOLOGY SERVICES AGREEMENT
Exhibit 10.43
This Amendment Number Two (“Amendment Two”) to the Second Amended and Restated Information Technology Services Agreement dated as of January 31, 2012 (the “Agreement”), is between HP Enterprise Services, LLC (“Provider”) and Sabre Inc. (together with its Affiliates that procure Services under the Agreement, “Company”) and is effective as of the date of execution by both Parties.
RECITALS
WHEREAS, Company and Provider desire to amend certain terms and conditions of the Agreement and restate in their entirety the exhibits attached hereto.
NOW, THEREFORE, in consideration of the mutual covenants contained herein, Company and Provider hereby agree as follows:
1. | The Data Privacy and Security Procedures Schedule is hereby deleted and replaced in its entirety with Exhibit 1. |
2. | Conflicts between the Amendment and the Exhibits to the Amendment. In the event of a conflict or inconsistency between the terms of this Amendment Two and any of the exhibits attached hereto the provisions of the exhibits shall control. |
3. | Counterparts. This Amendment Two may be executed in several counterparts, all of which taken together shall constitute a single agreement between the Parties. |
4. | Defined terms. Unless otherwise defined herein, the capitalized terms used in this Amendment Two shall have the same meaning assigned to such capitalized terms in the Agreement. |
5. | Ratifications. The terms and provisions set forth in this Amendment Two shall modify and supersede all inconsistent terms and provisions set forth in the Agreement (and all prior agreements, letters, proposals, discussions and other documents) regarding the matters addressed in this Amendment Two. Except as otherwise expressly modified herein, all other terms and conditions of the Agreement shall remain in full force and effect and are ratified and confirmed as if set forth herein verbatim. |
CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION.
IN WITNESS WHEREOF, Provider and Company have each caused this Amendment Two to be executed as below:
 | SABRE INC. | HP Enterprise Services, LLC |
Signature: | /s/ Xxxxx Xxxxxxx | /s/ Xxxx Xxxxxx |
Name: | Xxxxx Xxxxxxx | Xxxx Xxxxxx |
Title: | Director Procurement | Vice President |
Date: | 7/2/13 | 7/15/2013 |
Exhibit 1
DATA PRIVACY AND SECURITY PROCEDURES SCHEDULE
1.0 | Introduction |
This schedule sets forth the respective data management, data privacy and security responsibilities of Company and Provider under the Agreement (“Security Requirements”), which are in addition to those Services described in the Services and Support Responsibility Schedule. The services required under this Schedule are deemed to be an inherent part of the Services. Company will be principally responsible for applications security architecture. Provider will be, subject to review by Company, principally responsible for infrastructure security architecture. Provider will be responsible for implementing and following the written security policies and procedures approved by Company and provided by Provider, and will provide recommendations and guidance to Company as reasonably requested on security architecture.
Each Party shall comply with Data Protection Laws as set forth in Section 3.0.a.1 below. Where Provider’s compliance with such Data Protection Laws prevents compliance with the Security Requirements, Provider is responsible for notifying Company in order to determine appropriate compensating controls.
Capitalized terms used in this schedule without definition shall have the meaning ascribed to them in the Agreement.
1.1 | ATTACHMENTS |
The following Attachment is provided with this Schedule.
Attachment A: model clauses. This Attachment sets forth the model clauses associated with each model agreement executed by the Parties (and/or their Affiliates) for the import of Company data from a jurisdiction in the European Union to the [ * * * ] in connection with this Agreement (an “EU Model Contract”), including the model agreement executed by Sabre Hamburg and HP Enterprise Services, LLC for the import of data from the Company Hamburg, Germany data center to the [ * * * ] as referenced in the Transformation Schedule.
Capitalized terms used in this Attachment A to this Schedule without definition shall have the meaning ascribed to them in the Agreement.
2.0 | Definitions |
“Active Directory” means Microsoft’s proprietary directory that serves as an authentication/authorization mechanism for Windows 2000 and other applications.
“Agent Sine Security Application” means Company’s proprietary authentication/authorization mechanism which controls access to the Real Time Systems.
“Data Protection Laws” means all laws (including those arising under common law), statutes, codes, rules, regulations, reporting or licensing requirements, ordinances and other pronouncement having the effect of law of the United States, any foreign country or any domestic or foreign state, county, city or other political subdivision, including those promulgated, interpreted or enforced by any governmental or regulatory authority that address data privacy, transborder data flow, data protection and security related to the provision or the receipt of Services.
[ * * * ]
[ * * * ]
[ * * * ]
“Focal Point” means, with respect to either Provider or Company, the person designated by a Party with responsibility for day-to-day security management for such Party.
[ * * * ]
“Personal Data” means any data relating to an identified or identifiable individual that Provider [ * * * ]
[ * * * ]
[ * * * ]
3.0 | Data Management |
a. | Obligations with Respect to Data Protection Laws. |
1. | Provider and Company are each responsible for complying with their respective obligations under the Data Protection Laws. [ * * * ] Company shall comply with its obligations as a “data controller” of any such Personal Data under Data Protection Laws. |
2. | Either Party may take reasonable steps it deems necessary to comply with Data Protection Laws; provided, however, that such Party shall use commercially reasonable efforts to minimize the impact of such steps on the other Party. |
3. | Company may request Provider, and Provider agrees to assist and cooperate fully, (at Company’s expense) on one or more occasions from time-to-time following the parties’ execution of this Agreement: (i) to execute additional documentation to permit the transfer and processing of Personal Data outside of a jurisdiction, including the safe harbor requirements established by the United States Department of Commerce with respect to the European Union Data Directive, or any similar safe harbors or exemptions to Data Protection Laws as such relate to the Services; (ii) to assist Company in fulfilling registration requirements under Data Protection Laws, including without limitation, providing requested information and registering with data protection authorities as requested by Company in order to permit Company and Provider to achieve the purposes of the Agreement; or (iii) to assist Company with responding to any data protection authority, governmental agency, or other third party requests to the extent necessary to comply with Data Protection Laws (collectively, “Data Protection Filings”). Provider shall work with Company to execute Data Protection Filings designated by Company within timeframes reasonably required to meet deadlines imposed by the authority, agency or other third party. |
Provider shall not refuse to sign any Data Protection Filings based upon information Company includes relating to Company Data or the Services; or based upon Company’s inclusion of this Data Privacy and Security Procedures Schedule (as hereafter amended by the parties, if applicable) or [ * * * ]
[ * * * ] Further, at Company’s expense, Provider will cooperate in good faith with any request by Company to respond to a Data Protection Filing request, and upon receipt of such a request, will: (i) do so in a complete and accurate manner, and (ii) work with Company to provide the response to Company in writing [ * * * ] to meet deadlines imposed by the authority, agency or other third party. Provider acknowledges and agrees that each copy of the Data Protection Filings executed pursuant to this Schedule shall constitute Confidential Information of Company. |
4. | In accordance with the Audit Procedures Schedule, Provider will support Company’s review of Provider data protection practices as part of the Company’s annual Payment Card Industry (“PCI”) assessment. If Provider is required to perform an additional function, responsibility or task other than the Services being provided by Provider as of the Effective Date to comply with the data protection requirements of the Payment Card Industry Data Security Standards (PCI DSS), upon reasonable request from Company, Provider will perform such additional function, responsibility or task [ * * * ] pursuant to Section 2.14(a) of the Agreement. |
b. | Data Usage and Management. |
1. | Provider shall access and use the Personal Data only for the purposes of providing the Services under this Agreement. Provider shall treat all Personal Data as Confidential Information in accordance with the Confidentiality Schedule. Provider shall not disclose any such Personal Data to any third party except as expressly authorized under the Agreement; and any such third parties that access Personal Data shall be required by Provider to comply with these Security Requirements. Provider shall not disclose any Personal Data for any purpose other than providing the Services or use or disclose the Personal Data for the purpose of marketing products or services to individuals whose names are contained in the Personal Data. |
2. | Provider’s Focal Point, or his or her designee (as identified to Company in an advance writing), will be responsible for supervising [ * * * ] Provider shall insure that Provider’s Focal Point is properly trained and otherwise familiar with applicable data management, data privacy and data security requirements and issues worldwide. |
3. | [ * * * ] |
c. | Data Transfer. |
1. | [ * * * ] Company acknowledges and agrees that Provider employees may view Personal Data from the countries listed in the Off-Shore Facilities Schedule to the extent required to provide the Services related to such Personal Data. [ * * * ] |
2. | The Parties agree that, notwithstanding any other provisions of the Agreement to the contrary, that the other Party and Affiliates of the other Party may store, access and use its business contact information (the names, business phone and facsimile number, business office and email addresses) of its employees anywhere they do business for purpose of our business relationship as it relates to this Agreement and the delivery and/or receipt and use of the Services. Each Party may also share such business contact information relating to employees of the other Party with contractors, business partners, assignees and others acting on such Party’s behalf (the “Authorized Third Parties”) subject to it having obtained from the Authorized Third Parties their written commitment to use the business contact information only with respect to the performance of the Services and this Agreement and to otherwise hold such information in strict confidence. |
d. | Information Requests. |
1. | If Company is required to provide information regarding Personal Data, Provider will respond promptly to Company’s inquiries concerning such Personal Data and will reasonably cooperate with Company in providing such information. Company will reimburse Provider for its reasonable charges for such assistance. If Provider receives a direct request for Personal Data, Provider shall promptly direct the request to Company. |
2. | Upon Provider’s or Company’s reasonable written request, Company or Provider will provide the other with such information that it has regarding Personal Data and its processing that is necessary to enable the requester to comply with its obligations under this Section. |
3. | Provider consents to Company providing information relating to Provider’s obligations under this schedule to Company’s customers and potential customers, and agrees to cooperate and provide reasonable assistance to Company in responding to requests from its customers and potential customers relating to this schedule. Such customers and potential customers shall be required to maintain the confidentiality of this information consistent with Company’s obligations under the Confidentiality Schedule. |
e. | Audit Rights. |
1. | [ * * * ] |
2. | Provider Audits. Provider’s audit obligations shall be as provided in the Audit Procedures Schedule. If Company requires additional audit reports from Provider, e.g. [ * * * ] upon reasonable request from Company, Provider will provide such reports at Company’s expense. Notwithstanding, if Provider [ * * * ] |
4.0 | Security Management |
a. | Information Security Program. |
1. | Provider will update the [ * * * ] |
2. | Provider shall provide Company with a copy of its written information security policies and standards upon request. |
3. | Company shall retain responsibility for establishing, implementing and maintaining security protocols required by any software applications that are to be provided by Company under this Agreement. |
b. | Provider Obligations. |
1. | Provider will: |
(i) | provide a Provider Focal Point with responsibility for day-to-day security management; |
(ii) | [ * * * ] |
(iii) | [ * * * ] |
(A) | can be implemented; and |
(B) | if implemented, an estimate of the time and materials charges Company would incur. |
c. | Company Obligations. |
1. | Company will: |
(i) | provide a Company Focal Point with responsibility for day-to-day security management for Company; and |
(ii) | periodically review Provider’s security policies and standards to evaluate if they remain appropriate and applicable for Company’s business requirements. If Company determines the Provider’s security policies and standards are no longer appropriate and applicable for Company’s business requirements, Company will inform Provider thereof and Provider will, subject to Company approval, promptly implement changes to such policies and standards as they relate to Company in a manner so as to address Company’s concerns provided that Company shall compensate Provider on a time and materials basis for any such implementation changes pursuant to the Charges Schedule. [ * * * ] |
[ * * * ] |
d. | Event Management. |
1. | [ * * * ] Such process shall be documented in the Procedures Manual. [ * * * ] |
2. | If Provider discovers or is notified of a Data Incident, in accordance with the requirements of the Services and Support Responsibilities Schedule, [ * * * ] |
5.0 | Physical/Service Locations Security |
a. | Company Facilities. |
1. | When present at a Company facility, Provider personnel shall abide by all Company security policies and any additional security requirements which are identified in advance by the Company Focal Point to the Provider Focal Point. |
b. | Provider Facilities. |
1. | [ * * * ] |
2. | Physical Security Controls. In connection with any Facilities, Provider shall: |
(i) | [ * * * ] |
(ii) | [ * * * ] |
(iii) | [ * * * ] |
(iv) | [ * * * ] |
(v) | [ * * * ] |
(vi) | [ * * * ] |
(vii) | [ * * * ] |
3. | Third Parties required to access Equipment (e.g., copiers, printers) that stores or accesses Company Data or the Service Infrastructure in order to provide maintenance services shall be escorted and monitored in accordance with Provider’s security guidelines. Provider shall ensure that such Third Parties comply with the confidentiality requirements of this Agreement with regard to Company Data. |
c. | Company will: |
1. | provide physical security controls at the Service Locations, including providing any additional or unique resources (e.g., hardware, software or other components or personnel) and performing any site modifications required to enable Provider to implement Company’s security requirements; |
2. | perform a physical security audit on at least an annual basis at Company Service Locations, which audit Provider will review; and |
3. | protect Distributed Infrastructure and infrastructure devices on Company premises from unauthorized access. |
6.0 | Logical Access Control |
a. | Service Infrastructure. |
1. | [ * * * ] |
[ * * * ]
b. | Security Administration. |
1. | [ * * * ] |
2. | [ * * * ] |
3. | [ * * * ] |
4. | [ * * * ] |
c. | System and Network Security. |
1. | [ * * * ] |
2. | Provider will notify Company if aware of a virus in data exchanges that affects more than [ * * * ] |
3. | Provider must document and maintain adequate network intrusion capabilities in accordance with the Services and Support Responsibilities Schedule. |
d. | Encryption. |
1. | [ * * * ] |
2. | [ * * * ] |
3. | [ * * * ] |
e. | Operations Procedures. |
1. | In accordance with Provider’s standard security policies, [ * * * ] |
[ * * * ]
f. | Record Keeping. |
1. | In accordance with the Services and Support Responsibilities Schedule, Provider shall log activities by Provider personnel in regards to [ * * * ] This audit data must be retained as set forth in the data retention section of the Procedures Manual to be jointly developed by the Parties. |
2. | [ * * * ] |
3. | [ * * * ] |
4. | [ * * * ] |
g. | Provider Personnel. |
1. | Provider shall maintain policies that require its personnel to report suspected violations of the Confidentiality Schedule, the terms of this Schedule, and suspected violations of Provider’s data security policies to Provider management for investigation and action. |
2. | Provider must cooperate fully with Company in any investigations of possible fraudulent or unauthorized use of or access to Company Data or access to the Service Infrastructure or Company Applications by Provider’s employees or third parties. |
3. | Provider must implement and document consequence management policies for violations of the confidentiality requirements in the Agreement, the terms of this schedule and for violations of Provider’s data security policies. |
4. | In accordance with Provider’s security policies, Provider will require that Provider’s personnel who access Company data and the Service Infrastructure receive data privacy and security awareness training, and are fully informed of restrictions on use of Company data, Provider’s data security policies, and Provider’s code of Ethics and Compliance. |
5. | Provider shall perform Provider’s standard employment screening procedures on all Provider personnel who will perform any of the Services, including any follow-up checking called for by Provider’s employment screening procedures. In the event Provider performs the criminal background check, Provider shall not permit any personnel which such check indicates has a criminal record to perform Services under the Agreement. |
h. | Company will: |
1. | notify Provider to delete or deactivate the IDs of those individuals who no longer have a business need and/or are no longer authorized by management to access the Service Infrastructure |
2. | review and approve Provider’s protection requirements for End User data [ * * * ] |
3. | [ * * * ] |
4. | timely respond to exception requests submitted by Provider pursuant to Section 6.0.b.2. |
7.0 | Network Infrastructure Security |
a. | Provider will: |
1. | [ * * * ] |
2. | [ * * * ] |
8.0 | Additional Obligations |
a. | Provider will comply with all additional safeguards and obligations reasonably required by Company to [ * * * ] |
b. | [ * * * ] |