AT&T Services, Inc. Standard Contractual Clauses Amendment
Exhibit 4.a.3
AT&T Agreement No. 53258.A.008
AT&T Services, Inc.
Standard Contractual Clauses Amendment
This Standard Contractual Clauses Amendment (SCC Amendment) amends, as applicable:
1. | any data processing addendum or similar data protection agreement(s) or schedules (the DPA) that modifies, is incorporated by reference into, or forms part of the Agreement (as defined in clause 1 below); or |
2. | where no DPA exists, the Agreement itself, |
in each case, as set out below.
Capitalized terms used in this SCC Amendment have the meaning given to them in clause 1 below.
The purpose of this SCC Amendment is to ensure that any international transfers of Personal Data are conducted in accordance with the requirements of the Data Protection Laws of the Extended EEA Countries, by applying the Standard Contractual Clauses to international transfers of Personal Data as set out in clause 2.1.
Accordingly, in consideration of the Parties’ mutual promises, the Parties agree (as applicable) that: (1) upon signature of this SCC Amendment; or (2) continued provision of services and/or products provided by the Vendor Parties:
(i) | clauses 1 to 5 of this SCC Amendment replace the clause(s) in the DPA and/or the Agreement (as applicable) that relate to the international transfer of Personal Data from a Transferring AT&T Entity established in the Extended EEA Countries, or Personal Data originating from Extended EEA Countries, to Third Countries; or |
(ii) | where the DPA and/or Agreement (as applicable) do not cover the international transfer of Personal Data from a Transferring AT&T Entity established in the Extended EEA Countries, or Personal Data otherwise originating from Extended EEA Countries, to Third Countries, clauses 1 to 5 of this SCC Amendment are hereby incorporated into the DPA and/or Agreement (as applicable). |
Except as amended by this SCC Amendment, the DPA and/or Agreement will remain in full force and effect.
To the extent that the terms of this SCC Amendment conflict with those in the DPA and/or Agreement, the terms of this SCC Amendment shall govern. Subject to clause 2.6 of this SCC Amendment, this SCC Amendment shall be governed by the laws of, and subject to the jurisdiction of the courts of, the laws and jurisdiction specified in the Agreement.
Each Vendor Party is permitted to continue to store and Process the Personal Data in the jurisdictions it currently is permitted to under the DPA and/or Agreement (as applicable): (a) only in compliance with the consents/instructions and controls set out in the DPA and/or Agreement (as applicable) and this SCC Amendment; and (b) to the extent that doing so would not be in breach of applicable Data Protection Laws.
1 | Definitions |
For the purposes of this SCC Amendment:
Affiliate means in relation to a Party, any subsidiary or parent company of that Party or any subsidiary of any such parent company at any tier.
Agreement means Amended Master Services and Software License Agreement Number 53258.C, entered into between AT&T Services, Inc. (AT&T) (and any AT&T Affiliate that is party to the Agreement) and Amdocs Development Limited (Vendor) (and any Vendor Affiliate that is party to the Agreement).
Data Controller means a person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Processor means a person or entity which Processes Personal Data on behalf of the Data Controller.
Data Protection Laws means all laws and regulations of the applicable Extended EEA Country that relate to the Processing of Personal Data.
Data Subject means the natural individual to whom Personal Data relates.
1
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
EU means the European Union.
Extended EEA Country means a country within the European Economic Area, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
Parties means the parties to this SCC Amendment.
Personal Data means any information originated from an Extended EEA Country relating to an identified or identifiable natural person, including any information defined as “personally identifiable information”, “personal information”, “personal data” or similar terms as such terms are defined under the Data Protection Laws of the applicable Extended EEA Country, in each case as Processed in connection with the services and/or products provided under the Agreement.
Process or Processing means any operation or set of operations performed upon Personal Data, whether or not by automatic means, including the collection, recording, organization, structuring, storage, adaption or alteration, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
Recipient Vendor Entity has the meaning given to it in clause 2.1.
Sensitive Personal Data means Personal Data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; sex life or sexual orientation; the Processing of genetic data, biometric data for the purpose of uniquely identifying a Data Subject; Personal Data relating to criminal convictions and offences or related security measures; and such similar subsets of Personal Data that require enhanced protections under the Data Protection Laws of the applicable Extended EEA Country.
Standard Contractual Clauses means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” adopted by the European Commission decision of 4 June 2021 and published under document number C(2021) 3972 (available here).
Sub-Data Processor means the person or entity which Processes Personal Data on behalf of the Data Processor.
Third Country means a country not deemed adequate to receive the Personal Data under the Data Protection Laws of the applicable Extended EEA Country.
Transferring AT&T Entity has the meaning given to it in clause 2.1.
Transferred Personal Data means any Personal Data, the transfer of which by the Transferring AT&T Entity is subject to the Standard Contractual Clauses by virtue of clause 2.1.
Vendor Party means the Vendor and any applicable Vendor Affiliate that is party to the Agreement.
2 | Application of the Standard Contractual Clauses |
2.1 | Where AT&T, or where applicable, an AT&T Affiliate acting as a Data Controller or a Data Processor (as applicable) of the Personal Data: |
(a) | is established in an Extended EEA Country; or |
(b) | is not established in an Extended EEA Country, but Processes Personal Data originating from an Extended EEA Country and: (i) is directly subject to the Data Protection Laws of the Extended EEA Country in relation to such Processing; or (ii) is contractually obliged to impose safeguards that are equivalent to those safeguards required under the Data Protection Laws of the Extended EEA Country on any third parties with whom they share the Personal Data, |
2
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
and AT&T or the AT&T Affiliate transfers Personal Data it Processes to a Vendor Party located in a Third Country (each of such AT&T or AT&T Affiliate referred to in this section as the Transferring AT&T Entity and each such Vendor Party referred to in this section as the Recipient Vendor Entity), the Standard Contractual Clauses shall apply to the Recipient Vendor Entity’s Processing of such Personal Data as set out in clause 3 and clause 4 below, except to the extent that the Transferring AT&T Entity agrees in writing that the Recipient Vendor Entity is entitled to Process such Personal Data in that Third Country by virtue of: (i) adherence to another framework recognized by the relevant data protection authorities or courts in the Extended EEA Country as providing an adequate level of protection for the Personal Data; or (ii) an export derogation recognized by the applicable Data Protection Law. Where the Transferring AT&T Entity agrees in writing, such alternative framework or derogation shall apply. If the Transferring AT&T Entity does not agree to this in writing, the Standard Contractual Clauses shall apply to the Recipient Vendor Entity’s Processing as set out in clause 3 and clause 4 below.
2.2 | Where the Standard Contractual Clauses apply to a transfer pursuant to clause 2.1 above, the Standard Contractual Clauses shall supersede and replace “the standard contractual clauses approved by Commission Decision of 5 February 2010 (2010/87/EU)” or “the standard contractual clauses approved by Commission Decision of 27 December 2004 amending Decision 2001/497/EC (2004/915/EC)” (as applicable) where either of these are currently being used by the Transferring AT&T Entity and the Recipient Vendor Entity for the particular transfer. |
2.3 | Where AT&T or an AT&T Affiliate transfers Personal Data referred to in clauses 2.1(a) or 2.1(b) above to a Vendor Party located in an Extended EEA Country, the Vendor Party shall enter into the Standard Contractual Clauses with any third party located in a Third Country (including any Vendor Affiliate) to whom the Vendor Party transfers such Personal Data before making such transfer, unless AT&T or the relevant AT&T Affiliate agrees otherwise in writing, and in all cases the Vendor Party shall comply with applicable Data Protection Law in relation to such transfer. Where this clause 2.3 applies: |
(i) | the Vendor Party warrants that it has provided AT&T or any AT&T Affiliate that transfers the Personal Data to it with relevant information about: (i) which third parties the Vendor Party will transfer the Personal Data to and where those third parties are located, (ii) the Third Countries to which the Vendor Party transfers the Personal Data; and (iii) the contractual, technical and organisational safeguards that are in place to protect the Personal Data when the Vendor Party or a relevant Data Processor or Sub-Data Processor (as applicable) transfers the Personal Data to a Third Country; |
(ii) | to the extent permitted by Law, no less than every six (6) months, the Vendor Party shall provide details of the number of legally binding requests that it or any Data Processor or Sub-Data Processor (as applicable) has received from a public authority in a Third Country; and |
(iii) | Annex II of the Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) shall be deemed populated by the technical and organisational security measures agreed between AT&T and the Vendor and in Appendix 1 of this SCC Amendment (and reference to “Transferring AT&T Entity” in Appendix 1 shall be construed as AT&T or the relevant AT&T Affiliate, and reference to “Recipient Vendor Entity” shall be construed as the relevant Vendor Party). |
Conflict and precedence
2.4 | Subject to clause 2.5 below, in the event of a conflict between the Standard Contractual Clauses and the DPA and/or Agreement (including any addenda) (as applicable), the Standard Contractual Clauses shall prevail. |
Liability
2.5 | Notwithstanding clause 2.4 above, AT&T and the Vendor agree that all liabilities between them and/or any other Transferring AT&T Entities acting as data exporter or Recipient Vendor Entity acting as data importer under the Standard Contractual Clauses, will be subject to the limitations and exclusions of liability set out in the DPA and/or Agreement (as applicable), except to the extent prohibited by applicable law. |
Governing law, jurisdiction, Supervisory Authority, and interpretation
3
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
2.6 | The parties to Standard Contractual Clauses agree that their respective obligations under the Standard Contractual Clauses shall be governed by the law(s) of, and subject to the jurisdiction of the courts of: |
(a) | where the Transferring AT&T Entity is established in the EU, the Netherlands; |
(b) | where the Transferring AT&T Entity is established outside the EU and clause 2.1(b) above applies and the Transferred Personal Data originates from the EU, the Netherlands; |
(c) | where the Transferring AT&T Entity is established outside the EU, but within an Extended EEA Country, the Extended EEA Country in which the Transferring AT&T Entity is established; and |
(d) | subject to clause 2.6(b) above, where the Transferring AT&T Entity is established outside an Extended EEA Country and clause 2.1(b) above applies, the Extended EEA Country from which the Personal Data originated. |
2.7 | Annex I, Part C (Competent Supervisory Authority) of the Standard Contractual Clauses is hereby deemed to be completed as follows: |
(a) | where clause 2.6(a) of this SCC Amendment applies, the supervisory authority shall be the supervisory authority of the EU member state in which the Transferring AT&T Entity is established; |
(b) | where clause 2.6(b) of this SCC Amendment applies, the supervisory authority shall be the supervisory authority of the EU member state in which the Transferring AT&T Entity has appointed an EU representative under Article 27(2) of the GDPR (an EU Representative). Where an EU Representative has not been appointed, the supervisory authority shall be the supervisory authority of the Netherlands; |
(c) | where clause 2.6(c) of this SCC Amendment applies, the supervisory authority shall be the supervisory authority of the Extended EEA Country in which the Transferring AT&T Entity is established; and |
(d) | where clause 2.6(d) of this SCC Amendment applies, the supervisory authority shall be the supervisory authority of the Extended EEA Country from which the Personal Data originated. |
2.8 | Where the applicable Extended EEA Country in which the Transferring AT&T Entity is established or from where the Transferred Personal Data originated is not a member state of the EU, references in the Standard Contractual Clauses to: |
(a) | “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the Transferring AT&T Entity is established or from where the Transferred Personal Data originated (as applicable); |
(b) | “the GDPR” shall refer to the applicable Data Protection Laws of the Extended EEA Country in which the Transferring AT&T Entity is established or from where the Transferred Personal Data originated (as applicable); and |
(c) | “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined by reference to clause 2.7 above. |
3 | Transferring AT&T Entity as Data Controller or a Data Processor and Recipient Vendor Entity as Data Processor or Sub-Data Processor (as applicable) |
Incorporation and interpretation of the Standard Contractual Clauses
3.1 | Where a Transferring AT&T Entity Processes Personal Data as a Data Controller or a Data Processor and a Recipient Vendor Entity Processes the Transferred Personal Data as a Data Processor or Sub-Data Processor (as applicable), the applicable Recipient Vendor Entity agrees to comply with the obligations of a data importer as set out in the Standard Contractual Clauses which are incorporated herein by reference and construed as follows: |
(a) | the Standard Contractual Clauses shall be binding upon each Transferring AT&T Entity acting as a data exporter and each Recipient Vendor Entity, acting as data importer; |
4
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
(b) | where the applicable sections of the Standard Contractual Clauses require the data exporter and the data importer to select a module, the Vendor, on behalf of the Recipient Vendor Entity, acknowledges that: |
(i) | Module Two of the Standard Contractual Clauses (Transfer controller to processor) shall apply where the Recipient Vendor Entity, as data importer, is acting as the Transferring AT&T Entity’s Data Processor; and |
(ii) | Module Three of the Standard Contractual Clauses (Transfer processor to processor) shall apply where the Recipient Vendor Entity, as data importer, is acting as the Transferring AT&T Entity’s Sub-Data Processor. |
(c) | for the purposes of Section II, Clause 8.1 (Module Two) and Section II, Clause 8.1 (Module Three) (as applicable) of the Standard Contractual Clauses, the instructions to the Recipient Vendor Entity shall be an instruction to Process Personal Data strictly as is necessary to perform the services and/or provide the products provided by the Recipient Vendor Entity under the Agreement, which in the case of Module Three constitute the instructions of the relevant Data Controller(s); |
(d) | for the purposes of Section II, Clause 8.5 (Module Two) and Section II, Clause 8.5 (Module Three) (as applicable) of the Standard Contractual Clauses, the Recipient Vendor Entity’s storage, erasure and return of Personal Data shall be construed by reference to the provisions regarding deletion and return of Personal Data in the DPA and/or Agreement. In the absence of any such provision, the Transferring AT&T Entity agrees that the Recipient Vendor Entity may delete the Transferred Personal Data in accordance with Section II, Clause 8.5 (Module Two) and Section II, Clause 8.5 (Module Three) of the Standard Contractual Clauses (as applicable); and |
(e) | for the purposes of Section II, Clause 9 (Module Two) and Section II, Clause 9 (Module Three) (as applicable) of the Standard Contractual Clauses, the Recipient Vendor Entity’s ability to engage subcontractors shall be construed by reference to the provisions regarding the engaging of Sub-Data Processors in the DPA and/or Agreement. In the absence of any such provision, the Recipient Vendor Entity and the Transferring AT&T Entity agree that Option 1 shall apply. Where the DPA and/or Agreement do not specify a time period for the Recipient Vendor Entity to submit requests to authorise or amend new Sub-Data Processors, this time period shall be thirty (30) calendar days. |
Completion of the Annexes of the Standard Contractual Clauses
3.2 | Annex I, Part A (List of parties) of the Standard Contractual Clauses is hereby deemed to be completed with: (i) the details of the exporting Transferring AT&T Entity (as data exporter and Data Controller or Data Processor (as applicable)); and (ii) the details of the applicable Recipient Vendor Entity (as data importer and Data Processor or Sub-Data Processor (as applicable)), in each case as set out in the Agreement. |
3.3 | Annex I, Part B (Description of the transfer) of the Standard Contractual Clauses is hereby deemed to be completed with the following information: |
(a) | Categories of Data Subjects whose Personal Data is transferred: such Data Subjects whose Transferred Personal Data is strictly required by the Recipient Vendor Entity (as data importer) to provide the services and/or products; |
(b) | Categories of Transferred Personal Data: such Transferred Personal Data as is strictly required by the Recipient Vendor Entity (as data importer) to provide the services and/or products; |
(c) | Special categories of Personal Data transferred (if applicable): such special categories of Transferred Personal Data as is strictly required by the Recipient Vendor Entity (as data importer) to provide the services and/or products. The applied restrictions or safeguards are described at clause 4.4 below; |
(d) | Frequency of the transfer: regular as required in connection with the provision and receipt of the services and/or products; |
(e) | Nature and purpose(s) of the data transfer and further Processing: strictly to provide the services and/or products in accordance with applicable Data Protection Laws and the Transferring AT&T Entity’s (as data exporter) instructions; |
(f) | The period for which the Transferred Personal Data will be retained, or if that is not possible, the criteria used to determine that period: for no longer than is necessary to provide the services and/or products (unless otherwise agreed with the Transferring Customer Entity); and |
5
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
(g) Subject matter, nature and duration of the Processing in relation to any transfers to (sub-)processors: as per clause 4.3(e) above,
in each case in accordance with applicable Data Protection Laws and the data exporter’s instructions.
3.4 | Annex II of the Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) is hereby deemed to be completed as follows: the Recipient Vendor Entity shall implement and maintain the technical and organisational security measures specified in (i)the DPA and/or Agreement; and (ii) Appendix 1 of this SCC Amendment. |
3.5 | The Recipient Vendor Entity agrees to execute additional documents (including updates to the Annexes of the Standard Contractual Clauses) and apply additional protections, as may be required by the Data Protection Laws. |
4 | Additional country requirements |
4.1 | If a Vendor Party at any time Processes Personal Data originating from AT&T or an AT&T Affiliate in any country which restricts the Processing, export, or use of the Personal Data outside that country (including an Extended EEA Country), the relevant Vendor Party will, on the relevant AT&T or AT&T Affiliate’s instructions, take all necessary actions and execute such agreements as may be required under applicable data protection law in such country to legitimise any Processing or data transfer of Personal Data to the Vendor Party and to ensure an adequate level of protection for the relevant Personal Data. |
4.2 | In the event that any competent authority holds that a data transfer mechanism relied on by the Parties (including pursuant to clause 5.1 above) is invalid, or any supervisory authority requires transfers of Personal Data made pursuant to such mechanism to be suspended, then AT&T may, at its discretion, require the Vendor Party to cease Processing Personal Data, or co-operate with it to facilitate use of an alternative transfer mechanism, provided, however, that any such instruction of AT&T to cease the Processing Personal Data shall not be construed as a breach of the Vendor’s obligations under the DPA or the Agreement. |
How to Execute
If e-signatures are accepted in your jurisdiction and you elect to execute this SCC Amendment through Adobe (or other e-sign application), follow the prompts to provide the required information and e-signature. Alternatively, this SCC Amendment may be printed, completed and signed as indicated above, and returned to AT&T via email at: xx0000@xxx.xxx.
Please note that if you do not sign this SCC Amendment within thirty (30) days receipt but continue to provide your products or services to AT&T and/or AT&T’s Affiliates under the Agreement, such continued provision of products or services will constitute your acceptance of this SCC Amendment and signify your agreement that the DPA and/or the Agreement (as applicable) is deemed to be amended as provided by this SCC Amendment.
6
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
IN WITNESS WHEREOF, the Parties by their duly authorized representatives, agree to the terms set forth in this SCC Amendment.
Amdocs Development Limited | AT&T Services, Inc. (for itself and for and on behalf of any AT&T Affiliate that is party to the Agreement) | |
(for itself and for and on behalf of any Vendor | ||
Affiliate that is party to the Agreement) |
By: | /s/ Xxxxxx Xxxxxxx | By: |
/s/ Xxxxxx Xxxxx | |||||
(Authorized Signature) | (Authorized Signature) | |||||||
Name: | Xxxxxx Xxxxxxx | Name: | Xxxxx Xxxxx | |||||
Title: | Authorized Signatory | Title: | Lead Sourcing Manager | |||||
Date: | May 10, 2022 | Date: | May 2, 2022 |
7
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
Appendix 1 – Security Measures supporting the Standard Contractual Clauses
The Recipient Vendor Entity shall apply the following:
Technical:
1. | Strong encryption that meets industry best practices, is robust against cryptanalysis, is not susceptible to interference or unauthorized access, and for which key access is limited to specific authorized individuals with a need to access Personal Data in order to engage in Processing or, wherever practicable, such key access is limited solely to the Transferring AT&T Entity; |
2. | Wherever practicable with respect to Processing, pseudonymization sufficient to cause Personal Data to no longer be attributable to a specific individual, provided safeguards are in place to prevent re-identification and the algorithmic process or key to re-establish identity is held only by the Transferring AT&T Entity; |
3. | If already the case as at the date of receipt of this SCC Amendment or otherwise practicable, physical locations in which Sensitive Personal Data are Processed will be limited to the applicable Extended EEA Country or countries deemed adequate to receive such Personal Data under the Data Protection Laws of the applicable Extended EEA Country; |
4. | Restrictions to prevent Processing any Personal Data on devices or systems not protected by the Recipient Vendor Entity’s firewall; |
5. | Access restrictions to limit Processing to authorized Recipient Vendor Entity workforce and devices authorized explicitly by the Recipient Vendor Entity through proper separation of duties, role-based access, on a need-to-know and least privilege basis; |
6. | Multi-factor authentication and use of a virtual private network for any remote access to Recipient Vendor Entity systems or Personal Data; |
7. | Physical security procedures, including the use of monitoring 24 hours /7 days a week, access controls and logs of access, and measures sufficient to prevent physical intrusions to any Recipient Vendor Entity or other Vendor Affiliate’s facility where Personal Data is Processed; |
8. | Secure disposal of equipment and physical and electronic media that contain Personal Data; |
9. | Ongoing vulnerability identification, management and remediation of systems including applications, databases, and operating systems used by the Recipient Vendor Entity to Process Personal Data; |
10. | Logging and monitoring to include security events, all critical assets that Process Personal Data, and system components that perform security functions for the Recipient Vendor Entity or other Vendor Affiliate network (e.g., firewalls, IDS/IPS, authentication servers) intended to identify actual or attempted access by unauthorized individuals and anomalous behavior by authenticated users; |
11. | Monitoring, detecting, and restricting the flows of Personal Data on a multi-layered basis, including but not limited to the use of network segmentation, secure configuration of firewalls, intrusion detection and/or prevention systems, denial of service protections; |
12. | Remote work procedures that require “clean desk” standards in place and a remote work management program that limits use to only devices authorized pursuant to Vendor’s security program; and |
13. | Recipient Vendor Entity shall, at the request of data Transferring AT&T Entity, promptly provide a copy of its most recent Recipient Vendor Entity SOC2 Type II report, PCI Attestation of Compliance and/or industry certification such as ISO/IEC 27001 or any successor standards for information security management. If Recipient Vendor Entity does not hold such certification, it must conduct, at its own expense no less than annually, an independent third-party audit of Recipient Vendor Entity’s security program and systems, and facilities used to Process Personal Data, with a detailed summary of the report to be provided to the Transferring AT&T Entity. |
8
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.
AT&T Agreement No. 53258.A.008
The foregoing are without prejudice to other measures identified by the Parties in the DPA and/or Agreement (as applicable), including any relevant addendum or exhibit specifying security requirements, which shall take precedence to the extent they require Recipient Vendor Entity to implement more protective measures.
9
Proprietary and Confidential
This Agreement is not for use or disclosure outside of AT&T, its Affiliates, and its and their third-party representatives, and Supplier except under written agreement by the contracting Parties.