Amendment 12 To Agreement No. 53258.C between AT&T Services, Inc. and Amdocs Development Limited Proprietary and Confidential This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third...

      
     Exhibit 4.a(7)
Agreement No. 53258.A.012

CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) IS THE TYPE THAT THE REGISTRANT TREATS AS PRIVATE OR CONFIDENTIAL

Amendment 12

Agreement No. 53258.C

between

AT&T Services, Inc.

and

Amdocs Development Limited

Proprietary and Confidential

This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.

Agreement No. 53258.A.012

AMENDMENT NO.12

AGREEMENT NO. 53258.C

This Amendment No. 12, effective as of the last date signed by a Party (“Effective Date”) and amending Restated and Amended Master Services and Software License Agreement Number 53258.C, is by and between Amdocs Development Limited, a Cyprus corporation (hereinafter referred to as “Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (hereinafter referred to as “AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties.”

WITNESSETH

WHEREAS, Supplier and AT&T are parties to the Master Services Agreement No.53258.C entered into on/with the effective date of on February 28, 2017 (as previously restated and amended, the “Agreement”); and

WHEREAS, Supplier and AT&T now desire to amend the Agreement as hereinafter set forth.

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree as follows:

Section 1., AT&T Supplier Information Security Requirements (SISR) – v6.5, January 2020 of Appendix D – Security and Offshore Requirements is hereby deleted in its entirety and replaced with the following Section 1., AT&T Supplier Information Security Requirements (SISR) – v7.0, June 2023:

AT&T Supplier Information Security Requirements (SISR) – v7.0, June 2023

1.0. Introduction

1.1.

Applicability

The following AT&T Supplier Information Security Requirements (“Security Requirements”) apply to Supplier Entities’ Information Resources used when performing any action, activity, or work under this Agreement where any of the following occur (hereinafter referred to as “In-Scope Work”):

The collection, processing, storage, handling, backup, disposal, and/or access to In-Scope Information;

Providing or supporting AT&T-branded applications and/or services using non-AT&T Information Resources;

Access to AT&T’s Information Resources;

Proprietary and Confidential

Agreement No. 53258.A.012

The development or customization, outside of mere configuration changes, of any software for AT&T; or

Website hosting and/or development for AT&T.

These Security Requirements do not (i) apply to commercial off the shelf products or materials acquired from a Supplier Entity unless Supplier performs In-Scope Work, or (ii) limit more stringent obligations, if any, such as privacy or security patching as set forth elsewhere in the Agreement.

1.2.

Evidence of Compliance

1.2.1.

Supplier must provide to AT&T or its delegate, in a time and manner as reasonably requested by AT&T:

Evidence of compliance with these Security Requirements, which includes copies of policies, procedures, reports, and other documentation supporting such compliance; and

A high-level network data flow diagram depicting cloud/non-cloud Information Resources and encrypted/non-encrypted data flows where In-Scope Information is in transit or at rest.

2.0. Security Domain

Supplier Entity must:

2.1.

Corporate Policy Compliance

2.1.1.

Maintain and adhere to documented Cybersecurity and Cybersecurity awareness program(s).

2.1.2.

Maintain and adhere to documented policies for:

Any business continuity plan and/or disaster recovery plan requirements under the Agreement;

Any retention, return, and/or destruction requirements for In-Scope Information under the Agreement; and

Ensuring that In-Scope Information is only used for the performance of In-Scope Work.

2.2.

Asset Management Security

2.2.1.

Xxxxxx Information Resources by using a minimum-security baseline configuration based upon industry best practices to reduce potential ways of attack, including:

Changing default passwords, prohibiting weak passwords and exact matches to the UserID, removing unnecessary software, UserIDs, usernames, or logins, and disabling or removing unnecessary services (this requirement is not intended to apply to software that is part of a standard software configuration). Such hardening is to prevent exploits that attack flaws in the underlying code

Proprietary and Confidential

Agreement No. 53258.A.012

and must be applied to Information Resources in Supplier Entities’ networks, as well as those networks hosted by Cloud Service Providers; and

Not using Information Resources to perform In-Scope Work past the date when:

They will no longer be supported by issued security updates which includes whenever a Supplier Entity ceases to obtain and/or implement such security updates (for example, if a Supplier Entity ceases to purchase and/or extend the maintenance services under which such security updates are provided); or

ii.

Any extended security patching support ends.

2.2.2.

Have and use documented policies to:

Install and run a current industry-standard antivirus solution to scan for and promptly remove or quarantine viruses and other malware; and

Configure end user devices to ensure end users are restricted from the ability to install unauthorized software or to disable required software.

2.2.3.

Maintain and use documented policies, standards, and procedures for Portable Devices and laptop computers used to access and/or store In-Scope Information that include the following requirements:

All users must be authorized for such access and their identity authenticated;

Portable Devices and laptop computers must be physically secured and/or in the physical possession of authorized individuals;

Where technically feasible, use a remote wipe capability on Portable Devices to delete promptly and securely In-Scope Information when such devices are not in the physical possession of authorized individuals or otherwise physically secured; and

Jailbroken or rooted Portable Devices cannot be used to perform In-Scope Work.

2.2.4.

Maintain and use a documented policy that prohibits the use of any:

Supplier Entity-issued Portable Devices and laptop computers to access and/or store In-Scope Information unless the device is administered and/or managed by a Supplier Entity; and

Non-Supplier Entity-issued Portable Devices and laptop computers to access and/or store In-Scope Information unless the device is segregated and protected by using a Supplier Entity-administered and/or -managed secure container-based and/or sandbox solution.

Proprietary and Confidential

Agreement No. 53258.A.012

2.3.

Data Protection

2.3.1.

Use Strong Encryption when storing In-Scope Information:

On all computing devices located in areas accessible by the public and physically secure such devices;

On Portable Devices and laptop computers;

Within a Cloud Service; and

That is classified as AT&T’s SPI or AT&T’s SCD in all other environments.

2.3.2.

Use Strong Encryption when transmitting or remotely accessing In-Scope Information:

Via any network that is not controlled by AT&T or Supplier Entities, regardless of the technology;

Via network-aware Portable Devices and laptop computers. Examples of such access include use of browsers and email;

Via all networks to, from, and within a Cloud Service;

Using radio frequency (RF) based wireless networking technologies (e.g., Bluetooth and Wi-Fi) except for the use of RF-based wireless headsets, keyboards, microphones, and pointing devices, such as mice, touch pads, and digital drawing tablets. Encryption must use key lengths greater than or equal to 256 bits for symmetric encryption and 2048 bits for asymmetric encryption; and

That is classified as AT&T’s SPI or AT&T’s SCD, regardless of the technology, over all other networks, including Supplier Entity networks.

2.3.3.

Use encryption algorithms with the minimum key lengths of 128-bits for symmetric algorithms and 2048-bits for asymmetric algorithms and:

Rotate encryption keys for storage at least every two years; and

Renew digital certificates for transmission at least annually.

2.4.

Identity and Access Management

2.4.1.

Use Identity and access management that includes:

Enforcement of the rule of least privilege by requiring application, database, network, and system administrators to restrict access of all users to only the commands, In-Scope Information, and Information Resources necessary for them to perform authorized functions.

Proprietary and Confidential

Agreement No. 53258.A.012

Controls that are in-place to limit, protect, monitor, detect and respond to all Administrative User activities. Examples of such controls that must be enforced include:

Separation of duties;

ii.

Individual accountability; and

iii.

Authorization and approval.

2.4.2.

Restrict access to security logs to authorized individuals and protect security logs from unauthorized modification.

2.4.3.

Assign unique UserIDs to authorized individual users, Administrative Users, and Service Accounts. Assign individual ownership to Service Accounts. If Service Accounts are shared among users, individual accountability must be maintained at all times.

2.4.4.

Maintain a documented UserID lifecycle change management policy for all Information Resources across all environments that includes:

Manual and/or automated processes for approved account creation and/or modification;

Account disabling within three (3) business days of user termination or the occurrence of any other condition rendering the account as no longer needed, followed by removal of the account within ninety (90) days;

Disabling and/or removing inactive accounts assigned to individuals after no more than ninety (90) days of inactivity except in cases where the account is assigned to a customer of AT&T or used by a current or retired employee of AT&T to process their own information; and

Initiating processes to review, no less than annually, access privileges and account validity for all users including Administrative Users.

2.4.5.

Limit failed login attempts to no more than six (6) consecutive attempts by locking the user account. Access to the user account can be reactivated through the use of a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after at least three (3) minutes from the last failed login attempt.

2.4.6.

Terminate interactive sessions on an end user’s device, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes. On all other Information Resources terminate inactive interactive sessions after a period not to exceed thirty (30) minutes.

2.4.7.

Use Strong Encryption and/or one-way hashing based upon Strong Cryptography whenever authentication credentials are stored. This requirement applies to all classifications of users.

Proprietary and Confidential

Agreement No. 53258.A.012

2.4.8.

Use Password and authentication credentials that must:

Not be shared;

Be complex and meet the following password construction requirements:

Be a minimum of eight (8) characters in length;

ii.

Include characters from at least two (2) of these groupings: alpha, numeric, and special characters;

iii.

Not be the same as the UserID with which they are associated; and

iv.

Expire at regular intervals not to exceed ninety (90) calendar days with the exception of Service Accounts which must expire at least annually.

Require a password reset at first login whenever a temporary credential is used. When providing a user with a new or reset password, or other authentication credentials, use a secure method to provide this information; and

Not be embedded (e.g., hardcoded passwords and SSH keys).

2.4.9.

Require and enforce Multi-Factor Authentication:

For any remote access use of Information Resources;

For all Administrative Users of Cloud Services; and

For administrative and/or management access to Security Gateways, including any access for the purpose of reviewing log files.

2.4.10.

For SaaS providers:

Authenticate all identities used by AT&T users with AT&T-approved identity management solutions (e.g., XXXX); and

Provide or make available to AT&T, access and/or authorization logs upon request.

2.5.

Network Connectivity

2.5.1.

Install and use Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) that monitor all traffic entering and leaving Information Resources in connection with In-Scope Work. Both Network and Host IDS/IPS are acceptable solutions. At a Supplier Entity’s discretion, this requirement is optional for implementations of Host Intrusion Detection Systems (HIDS) and/or Host Intrusion Prevention Systems (HIPS) on mobile devices.

2.5.2.

Ensure that Supplier Entities’ Information Resources, when providing Internet-accessible services to AT&T, have Denial of Service (DoS/DDoS) and Security Gateway protections in place. Web servers must reside in a DMZ and Information Resources persistently storing In-Scope Information (such as application and database servers) must reside in an internal network.

Proprietary and Confidential

Agreement No. 53258.A.012

2.5.3.

Ensure that each Security Gateway rule:

Is properly authorized and is traceable to a specific business request, at least annually; and

Explicitly or implicitly ends with a “DENY ALL” statement for each set.

2.5.4.

In the event that a Supplier Entity has, or will be provided, access to AT&T’s or AT&T’s customers’ Information Resources in connection with In-Scope Work, then the Supplier Entity must not establish additional interconnections to AT&T’s and AT&T’s customers’ Information Resources without the prior consent of AT&T and must:

Use only the mutually agreed-upon facilities and connection methodologies to interconnect AT&T’s and AT&T’s customers’ Information Resources with Supplier’s Information Resources;

Limit access of AT&T’s and AT&T’s customers’ Information Resources to only Supplier Entity personnel who are designated and authorized to perform In-Scope Work; and

Disclose the intended use of and, upon AT&T’s request, allow AT&T or its delegate to scan portable external storage devices (e.g., USB drive) prior to physically attaching them to Information Resources used for In-Scope Work.

2.6.

Supplier Entity Security Compliance

2.6.1.

For all Supplier Entities performing In-Scope Work, Supplier must:

Ensure compliance with these Security Requirements, or requirements that are no less stringent;

Maintain and adhere to a documented program by which compliance to these Security Requirements is evaluated and all corrective actions are documented and implemented within no more than ninety (90) days; and

Provide documentation and/or evidence to substantiate such compliance, upon request.

2.7.

Information Resource Lifecycle

2.7.1.

Segregate In-Scope Information from any other customer’s and Supplier Entities’ own information, either by using logical access controls and/or physical access controls to provide protection from unauthorized access

2.7.2.

Separate non-production Information Resources from production Information Resources and separate In-Scope Information from non-production Information Resources.

2.7.3.

Maintain a documented change control policy including back-out procedures for all production environments.

2.8.

Security Information and Event Management

2.8.1.

Maintain documented policies and controls to:

Detect and terminate unauthorized attempts to access and/or change In-Scope Information, and/or system or application configuration files;

Log all successful and unsuccessful login attempts;

Proprietary and Confidential

Agreement No. 53258.A.012

Log all logouts;

Monitor and investigate unauthorized activity and remediate any successful unauthorized activity;

Maintain logs of all sessions accessing AT&T’s Information Resources, if the agreed-upon connectivity methodology requires that Supplier Entity implement a Security Gateway. Such session logs must include origination IP address, destination IP address, ports/service protocols used, durations of access, and sufficiently detailed information to support a security incident or a forensic investigation (e.g., identification of the end user or application accessing AT&T); and

For any remote access use of Information Resources, continually log, detect, and:

Terminate unauthorized remote access attempts (e.g., anonymous VPN and known bad actors); and

ii.

Investigate for potential termination of connection any Supplier Entity user or system performing In-Scope Work from countries other than those specifically allowed under the Agreement.

2.8.2.

For applications which use a database that allows modifications to In-Scope Information, create logs:

By enabling database transaction logging features where transaction logging is supported; or

By implementing another mechanism that logs all modifications to In-Scope Information stored within the database, including timestamp, UserID, and information modified, where transaction logging is not supported.

2.8.3.

Review, on no less than a weekly basis, Administrative User activities and all anomalies from security and security-related audit logs and document and resolve logged security problems in a timely manner. Automated processes may promptly issue alarms and/or alerts that cause prompt investigation and review by responsible individuals and, if automated processes successfully resolve a logged security problem, no further action by responsible individuals is required.

2.8.4.

Retain all logs for a minimum of six (6) months either on-line or on backup media.

2.8.5.

For threats, vulnerabilities, and non-compliances:

When presented with evidence by AT&T of a threat to AT&T’s or AT&T’s customers’ Information Resources originating from the Supplier Entities’ networks (e.g., worm, virus or other malware, bot infection, Advanced Persistent Threat (APT), DoS/DDoS attack, etc.), promptly cooperate and cause any other Supplier Entities to promptly cooperate with AT&T and take all reasonable and necessary steps to isolate, mitigate, terminate, and/or remediate all known or suspected threats;

Proprietary and Confidential

Agreement No. 53258.A.012

When a Supplier Entity learns of or discovers a known threat/vulnerability impacting AT&T or AT&T’s customers (including notifications received from security researchers, industry resources, or bug bounty programs), promptly notify and cooperate with AT&T, and take all reasonable and necessary steps to isolate, mitigate, and/or remediate such known threat/vulnerability; and

In the event a Supplier Entity discovers that it is non-compliant, or AT&T finds a Supplier Entity to be non-compliant with these Security Requirements, implement corrective action promptly, but within no more than ninety (90) days after the Supplier Entity’s initial discovery or AT&T’s initial notification to the Supplier.

2.8.6.

Maintain a documented procedure that must be followed in the event of a suspected attack upon, intrusion upon, unauthorized access to, loss, including theft of, or other security breach involving In-Scope Information and/or Supplier Entity-owned, -managed, or -used Portable Devices and/or laptop computers containing In-Scope Information in which Supplier must promptly:

Investigate or cause Supplier Entities to investigate in order to determine if such an attack has occurred; and

Notify AT&T if a confirmed attack including unauthorized access of In-Scope Information has occurred by contacting:

Asset Protection by telephone at 0-000-000-0000 from within the US and at 0-000-000-0000 from elsewhere; and

ii.

Supplier’s contact within AT&T for service-related issues.

2.8.7.

Provide AT&T with regular status updates whenever there is a successful attack upon, intrusion upon, unauthorized access to, loss of, including theft of, or other breach of In-Scope Information and/or Supplier Entity-owned, -managed or -used Portable Devices and/or laptop computers containing In-Scope Information. These status updates must include the actions taken to resolve the incident and must be provided at mutually agreed upon intervals for the duration of the incident. Within seven (7) calendar days of the closure of the incident, provide AT&T with a written report describing the incident, actions taken by the Supplier Entity during its response, and Supplier Entity’s plans for future actions to prevent a similar incident from occurring.

2.9.

Vulnerability Management

2.9.1.

Maintain and adhere to a documented vulnerability management policy for all Information Resources to:

Monitor industry resources (e.g., xxx.xxxx.xxx, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), pertinent software vendor mailing lists and websites, and information from subscriptions to automated notifications) for timely notification and current statuses of all applicable security alerts and vulnerability reports that pertain to Information Resources;

Proprietary and Confidential

Agreement No. 53258.A.012

Perform as follows:

At least [***], host-based or network-based scans;

ii.

For all software developed or customized, outside of mere configuration changes, for AT&T and intended to run on AT&T’s Information Resources under the Agreement:

Static Analysis Security Testing (SAST) including Software Composition Analysis (SCA) must be performed prior to initial deployment, upon code changes, and at least [***];

Dynamic Analysis Security Testing (DAST) must be performed for all web applications prior to initial deployment, upon code changes, and at least every [***] months;

Penetration testing at least [***]; and

Upon request, make scan results and remediation plans available to AT&T.

iii.

For all other software used to perform and/or support In-Scope Work, review and scan such software prior to initial deployment, upon code changes, and at least [***]; and

iv.

For all internet-accessible applications used to support In-Scope Work, perform penetration testing at least [***].

Apply appropriate security patches or otherwise render the vulnerability not exploitable for all security vulnerabilities with a risk or severity rating of critical, high, or medium identified on Supplier Entities’ Information Resources, within the following risk-based timeframe:

Critical – within [***] days, unless the risk requires an accelerated schedule

ii.

High – within [***] days

iii.

Medium – within [***] days

Promptly provide a patch that renders the vulnerability non-exploitable upon discovery or notification of an exploitable vulnerability of software developed or customized, outside of mere configuration changes, for AT&T and installed on AT&T Information Resources, within the following risk-based timeframe:

Critical – within [***] days, unless the risk requires an accelerated schedule

ii.

High – within [***] days

iii.

Medium – within [***] days

iv.

Low – within an agreed-upon timeframe

Proprietary and Confidential

Agreement No. 53258.A.012

2.10.

Physical Security

2.10.1.

Ensure all Information Resources intended for use by multiple users and any areas where In-Scope Information is accessible are located in secure physical facilities with access restricted to authorized individuals only. For audit purposes, monitor and record access to such areas.

3.0. Definitions

Capitalized terms used within these Security Requirements but not defined herein shall have the meaning set forth in the Agreement.

“Administrative User” means a user with super user or elevated/enhanced security rights and permission for configuring, controlling, installing, or managing Information Resources, regardless of the types of devices and environments managed, including within any Supplier Entity’s facilities, such as within Cloud Service Provider (CSP) cloud environments.

“Cloud Service” means a service delivered via an “as a Service” cloud service model (e.g., Software as a Service (SaaS), Storage as a Service (XXxxX), Database as a Service (DBaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS)).

“Cloud Service Provider” or “CSP” means a Supplier Entity providing cloud-based computing services.

“Cybersecurity” means the protection of Information Resources and In-Scope Information from attacks, data theft, breaches, unauthorized access, social engineering, credential sharing, and other similar security threats.

“Demilitarized Zone” or “DMZ” means a physical or logical network or sub-network that separates an internal network from an outside network, such as the public Internet.

“In-Scope Information” means AT&T’s confidential and proprietary data, including AT&T Customer Information, which Supplier Entities collect, process, store, handle, or access in any manner while fulfilling their obligations under this Agreement, irrespective of the format and means of transmission.

“Information Resource(s)” means systems, applications, websites, networks, network elements, and other computing and information storage devices, along with the underlying technologies and delivery methods (e.g., social networks, mobile technologies, laptop computers, Portable Devices, Cloud Services, data analytics, call and voice/video recording, and Application Program Interfaces (APIs)).

“Multi-Factor Authentication” (also known as “MFA,” “Two-Factor Authentication,” and “Strong Authentication”) means the use of at least two of the following three types of authentication factors:

•

A physical or logical credential the user has, such as an electronically readable badge, a token card, or a digital certificate;

•

A knowledge-based credential, such as a password or PIN; and

•

A biometric credential, such as a fingerprint or retina image.

Proprietary and Confidential

Agreement No. 53258.A.012

“Portable Devices” means media and systems, with the exception of laptop computers, capable of being easily carried, moved, transported, or conveyed that are used in connection with In-Scope Work. Examples of such devices include tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), and mobile phones (e.g., smartphones).

“Security Gateway” means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.

“SCD” or “Sensitive Customer Data” means customer data that has been assessed as requiring a higher level of protection. SCD refers to the data elements listed in the Table 2 - AT&T SCD Data Elements located at the end of these Security Requirements. All data elements in Table 2 are considered In-Scope Information.

“SPI” or “Sensitive Personal Information” means private, personal information that, if compromised or exposed, could present a risk to individuals and would legally require AT&T to disclose the exposure. SPI refers to the data elements listed in the Table 1 - AT&T SPI Data Elements located at the end of these Security Requirements. All data elements in Table 1 are considered In-Scope Information.

“Service Account” means a UserID used for installing, executing, or administering an application or system. Service Accounts manage the local events/processes of an application or system.

“Strong Cryptography” means the use of cryptography based on industry-tested, accepted, and uncompromised algorithms and proper key management practices which incorporate a documented policy for the management of the encryption keys, and associated processes adequate to protect the confidentiality and privacy of the keys and credentials used as inputs to the cryptographic algorithm.

“Strong Encryption” means the use of encryption technologies based upon Strong Cryptography.

“Supplier Entity” or “Supplier Entities” means the Supplier, its affiliates, and their respective Subcontractors (including Cloud Service Providers).

Proprietary and Confidential

Agreement No. 53258.A.012

4.0. Table 1 - AT&T SPI Data Elements

Data elements in the following tables must be treated as SPI when used in their entirety, unless explicitly stated otherwise. This applies to all data formats including scanned images, screen captures and recordings, PDFs, JPGs and any other unified communication, and collaboration tools/content.

4.1.

Individual Identification and Familial Information


Data Element	Description
Government Issued Identification Number	Includes: 1. Driver’s License Number 2. Taxpayer Identification Number - In an individual’s name. Excludes those in a company name. 3. U.S. Social Security Number 4. National/State/Region issued identity number 5. Government Identity Card 6. Government identifiers for professionals 7. Government-sponsored health or food plan identifier 8. Passport Number 9. Alien Registration Number 10. Birth Certificate Number 11. Other government issued identification number Excludes: 1. Customer Application Identification Number (Application ID), and 2. Representative Accountability Database (RAD) ID, and 3. Any such numbers that are issued on the understanding that they must be a matter of public record, e.g., U.S. FCC Radio License.
Date of Birth (DOB)	An individual’s full and complete date of birth (DOB), i.e., including month, day, and year. Excludes partial DOB.

Proprietary and Confidential

Agreement No. 53258.A.012

4.2.

Financial Data


Data Element	Description
Payment Card Number	Primary Account Number (PAN) for all types of payment cards. Includes: 0. XX&T corporate payment card number 2. Consumer payment card number
Payment Card Security Data	The security data used in association with a payment card (corporate, personal, etc.) to confirm legitimate use. Includes: 1. Card Security Codes (CSC) 2. Personal Identification Numbers (PINs) used with payment cards but excludes PINs used to authenticate access to AT&T systems (see “Customer Authentication Credentials” data element).
Financial Institution Account Number	Includes: All types of financial institution accounts (savings, checking, investments, pensions, etc.) both personal and business in an individual’s name. Excludes: Bank routing number.

4.3.

Computer Identification and Authentication

    Data Element

    Description

    Biometric Data

    Measures of human physical and behavioral characteristics used for authentication purposes, for example DNA, fingerprint, voiceprint, retina, or iris image.
Includes: Full biometric data.
Excludes:
1.Templates (e.g., “vector” equivalents) that contain discrete data points derived from biometric data (i.e., templates that do not hold the complete biometric image, where the template cannot be reverse engineered back to the original biometric image), and genetic test information.
2.Signature.

   

Proprietary and Confidential

Agreement No. 53258.A.012


Customer Authentication Credentials Applies to Customers only	Values used by customers to authenticate and permit access to: 1. The customer’s personal information, including Customer Proprietary Network Information (CPNI) and XX&X Proprietary Information (SPI) — or — 2. An application enabling the customer to subscribe to, or unsubscribe from, AT&T services — or — 3. An AT&T service to which the customer is subscribed Includes: 1. Personal Identification Numbers (PINs), passwords, and passcodes 2. Templates (e.g., “vector” equivalents) of biometrics, photographs, or signatures Excludes: 1. Card Security Codes (CSCs) and PINs used in association with payment cards. 2. Full biometrics 3. Full photograph 4. Full signature
Customer Authentication Credential Hints Applies to Customers only	Answers to questions used to retrieve customer authentication credentials.
Work Vehicle Location	Information that identifies the current or past location of an AT&T work vehicle that is directly associated with a personal identifier for an AT&T Employee or Non-Payroll Worker (NPW) which allows for Location-Based Information tracking of such individual. The work vehicle’s location (e.g., a map address, or latitude and longitude together with altitude where known) may be determined because it is a connected vehicle or has some other Satellite Navigation (SatNav) capable device assigned to that vehicle, or by some other means such as network connectivity.
Location-Based Information (LBI)	Information that identifies the current or past location of a specific individual’s mobile device. A mobile device’s location (e.g., a map address, or latitude and longitude together with altitude where known) derived from the mobile device through activities such as GPS or network connectivity rather than as a result of user action (e.g., revealing location in the content of an email or SMS).

Proprietary and Confidential

Agreement No. 53258.A.012

4.4.

Background and Other Related Data


Data Element	Description
Criminal History	Information about an individual’s criminal history, e.g., criminal check portion of a background check.
Background Checks	Third party (non-AT&T) checks including credit history, employment history, and driving records. Excludes criminal history (see Criminal History).
Racial or Ethnic Origin Subject to non-U.S. Jurisdiction*	Data specifying and/or confirming an individual’s racial or ethnic origin.
Trade Union Membership Subject to non-U.S. Jurisdiction*	Data specifying and/or confirming that an individual is a member of a trade union.
Information Related to an Individual’s Political Affiliation or Religious Belief	Data specifying and/or confirming an individual’s political affiliation or religious or similar beliefs.
Information Related to an Individual’s Sexual Orientation Subject to non-U.S. Jurisdiction*	Data specifying and/or confirming an individual’s sexual life or orientation.

4.5.

Health Data

    Data Element

    Description

    U.S. Protected Health Information (PHI)

    Includes:
1.Any U.S. health information used in AT&T’s Group Health Care plans or belonging to AT&T’s customers that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individuals that includes information about:
•The individual’s past, present, or future physical or mental health or condition;
•The provision of health care to the individual;
— or —
•The past, present, or future payment for the provision of health care to the individual.

   

Proprietary and Confidential

Agreement No. 53258.A.012


	0. Xxxxxx information of retirees, employees, or employee beneficiaries used by AT&T for purposes other than a group health plan is not PHI. For medical and health information not related to AT&T’s Group Health Care plans, see "Medical and Health Information."
Medical and Health Information	Any information concerning physical or mental health conditions or disabilities. Includes: 1. Medical record xxxxxx 0. Xxxxxx plan beneficiary number 3. Medical device identifiers and serial numbers 4. Prescription (Rx) xxxxxx 0. Xxxxxx insurance identification or account number 6. Medical treatment – Information about the management and care of a patient or the combating of disease or disorder. 7. Medical diagnosis 8. Medical history 9. Medical payment information 10. Medical claims data 11. Medical images and metadata 12. Drugs, therapies, or medical products or equipment xxxx 00. Xxxxxx health or morbidity history - an account of all medical events and problems experienced by members of the individual’s family 14. Other medical and health information
Genetic Information	Includes: Information about an individual’s genetic tests. Excludes: Full DNA (see Biometric Data).

Proprietary and Confidential

Agreement No. 53258.A.012

4.6.

Customer Privacy


Data Element	Description
Customer Web Browsing and Search History	Includes: 1. Information about what searches AT&T customers perform 2. Web sites AT&T customers visit 3. Web pages AT&T customers view 4. Applications AT&T customers use on an AT&T Network (wireline and wireless including Wi-Fi) Excludes: 1. Searching, browsing, and activities associated with customers’ use of official AT&T corporate web sites (e.g., any web sites that resolve directly to, or redirect to, xxx.xxx, xxxxxxxxxxxxxxx.xxx). Note: Exclusion from this row does not preclude potential pre-classification in another data element (e.g., customer viewing history). 2. History captured at the network level prior to processing (e.g., raw data streams not associated with a customer).
Customer Viewing History	Information about programs watched or recorded, games and applications used, etc.
Customer Web Communications Payload - AT&T Use	When captured as part of service analysis, e.g., Deep Packet Inspection (DPI) data.

*Footnotes:

Where a data element has the term “Subject to non-U.S. jurisdiction” associated with it, that data element is to be classified as AT&T Proprietary (SPI) when applied to data elements subject to the non-U.S. jurisdiction, irrespective of whether the data is created, handled, processed, destroyed, or sanitized inside or outside of the United States.

Proprietary and Confidential

Agreement No. 53258.A.012

5.0. Table 2 - AT&T SCD Data Elements

Data elements in the following table must be treated as SCD when used in their entirety, unless explicitly stated otherwise. This applies to all data formats including scanned images, screen captures and recordings, PDFs, JPGs and any other unified communication, and collaboration tools/content.

5.1.

SCD (Customer Privacy) – Involving Personally Identifiable Information


Data Element	Description
Customer “messaging” content	Includes: Email, text messages, conference call recordings, and voice mail call recordings. Excludes: “Messaging” between customers and AT&T.
Customer Telemetry Data Customer Use	Automated communications for monitoring by the customer (rather than AT&T). Including all data that is generated by AT&T’s customers’ use of the Digital Life® service or any other Internet of Things (IOT) service that is used by the customer to monitor or control the service. For example, video files.

Table 3.24.g is hereby deleted and replaced with the following Table 3.24.g to add additional approved locations:

Table 3.24.g


	Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized)	Cities where services will be performed for AT&T	Services to be performed at approved Physical Location	Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs

Proprietary and Confidential

Agreement No. 53258.A.012


	Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized)	Cities where services will be performed for AT&T	Services to be performed at approved Physical Location	Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs
[***]	[***]	[***]	Development, Testing, Operations Support	Amdocs

Proprietary and Confidential

Agreement No. 53258.A.012


	Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized)	Cities where services will be performed for AT&T	Services to be performed at approved Physical Location	Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services
[***]	[***]	[***]	Monitoring & Alerting, Security and Compliance Support, Infrastructure and Stability Support, Program Status & Governance, Development, Testing, Operations Support	Amdocs
[***]	[***]	[***]	Solution Design Creation: process description, APIs description, deployment diagrams, Development, Testing, Operations Support	Amdocs

Original signatures transmitted and received via facsimile or other electronic transmission of a scanned document, (e.g., .pdf or similar format) are true and valid signatures for all purposes hereunder and shall bind the Parties to the same extent as that of an original signature. This Amendment may be executed in multiple counterparts, each of which shall be deemed to constitute an original but all of which together shall constitute only one document.

Proprietary and Confidential

Agreement No. 53258.A.012

IN WITNESS WHEREOF, the Parties have caused this Amendment to Agreement No. 53258.C to be executed, as of the date the last Party signs.


Amdocs Development Limited	AT&T Services, Inc.

By:	By:

Name:	Name:	Xxxxx Xxxxx

Title:	Title:	Principal Technical Sourcing Management

Date:	Date:	3/28/2024

Proprietary and Confidential

Document Metadata

Table of Contents

Amendment 12 To Agreement No. 53258.C between AT&T Services, Inc. and Amdocs Development Limited Proprietary and Confidential This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third...

Document Metadata