Amendment 3 to INTUIT MASTER SERVICES AGREEMENT
Exhibit 10.02
Pursuant to 17 C.F.R. § 240.24b-2, confidential information (indicated as [*]) has been omitted and
filed separately with the SEC pursuant to an application for confidential treatment.
This Amendment 3 (“Amendment 3”), dated as of April 1, 2008 (“Amendment Effective Date”), to the
INTUIT MASTER SERVICES AGREEMENT dated May 28, 2003 (the “Agreement”), is by and between Intuit
Inc., 0000 Xxxxxx Xxxxxx, Xxxxxxxx Xxxx, XX 00000 (“Intuit”) and Arvato Digital Services LLC,
successor in interest to Arvato Services, Inc. (“Arvato”, “ADS” or “Contractor”).
RECITALS
WHEREAS, Intuit and Contractor entered into the Agreement;
WHEREAS, Intuit and Contractor each desires to amend the terms of the Agreement as described
in this Amendment;
NOW, THEREFORE, in consideration of the mutual covenants, promises and agreements herein
contained, the Parties hereto agree as follows:
TERMS
Unless defined herein, words used in this Amendment 3 as defined terms shall have the same meanings
herein as in the Agreement.
The parties agree that the Agreement is modified and amended as follows:
1. Change of Entity.
All references in the Agreement to “Arvato Services, Inc.” are hereby amended to refer to Arvato
Digital Services LLC (“Arvato”, “ADS” or “Contractor”).
2. Section 2(f) Services is deleted and replaced in its entirety with the following:
During the term of any Statement of Work, if any change in the scope of the Services being
performed under such Statement of Work occurs, either party may propose a change or additions to
the work. Such changes may affect the scope or duration of the Services relating to any such
Statement of Work, including changes in the specifications and changes in any deliverables to be
delivered. The following procedures shall apply to any proposed change. Contractor promptly shall
assign a member of its team to define and describe the change (an “Assessment”), and to notify
Intuit of the cost and/or the impact on the schedule set forth in the applicable Statement of Work
if Contractor believes that an adjustment in the fees to be paid to
Contractor with respect to the applicable Statement of Work, or an adjustment to the applicable
performance or delivery schedule, is required. If such change is initiated or caused by Intuit,
Contractor shall invoice Intuit for the work described in the immediately preceding sentence at the
rate of the applicable team member and pre-approved in writing by Intuit, all as set forth in such
Statement of Work. In the event Contractor initiates or causes such a change, Contractor shall not
charge Intuit for such Assessment. Intuit also may request a change in the schedule without
changing the scope of the Services relating to the applicable Statement of Work. In either case,
the parties shall follow the above procedures and negotiate in good faith a reasonable and
equitable adjustment in the applicable fees, schedule and specifications. Once the scope of the
change has been determined, the parties shall determine jointly whether the change should be
implemented, deferred until a later phase or project, or abandoned. In the event the parties
tentatively agree upon a present or future implementation of a change, such agreement shall take
effect only as set forth in a written amendment to the applicable Statement of Work executed by
both parties. Contractor shall continue work pursuant to the existing Statement of Work, and shall
not be bound by any change requested by Intuit, until such change has been agreed upon in writing
by the parties as specified herein. From time to time, an email communication from Intuit to
Contractor requesting a change and an email from Contractor acknowledging and agreeing to such will
suffice as written agreement for purposes of this Section. To the extent that the agreed upon
change would result in a material adjustment of Contractor’s processes or to other long-term
aspects of the Services that may impact Contractor’s costs, the parties shall, notwithstanding such
prior email communications or subsequent actions pursuant thereto, initiate the formal change
request process described above.
3. The following is hereby made a part of the Agreement as Section 2(h) Services:
Intuit may deem it necessary that a third party auditing company perform an audit of Contractor’s
processes. Upon Intuit’s written request, which may be made once per year, Contractor agrees to,
within a commercially reasonable period of time thereafter, at Intuit’s expense, engage a reputable
outside auditing firm reasonably acceptable to Intuit and Contractor, to perform such audit.
Intuit and Contractor shall select such auditor within fifteen (15) days following Intuit’s
request. Contractor shall share the auditor’s report generated in connection with such audit with
Intuit, which report shall be in accordance with AICPA Statement on Auditing Standards No. 70,
“Service Organizations,” (SAS 70), and shall be in the form of a SAS 70 type 2 report as defined in
such standards. In the event such audit detects a material weakness in Contractor’s processes that
has been demonstrated to have resulted in adverse business impact actually suffered by Intuit,
Contractor agrees to correct such weakness(es) within a commercially reasonable period of time and
to provide Intuit with written notice that such weakness has been corrected and the measures taken
to perform such correction. To the extent that such material weakness has been demonstrated to
have adversely impacted Intuit’s business, Contractor shall [*].
4. Section 3 Testing and Acceptance shall be deleted and replaced in its entirety with the
following:
To the extent a particular Statement of Work specifically identifies Services or deliverables for
which Intuit’s acceptance is required, Intuit may, in accordance with any additional terms set
forth in an applicable Statement of Work, conduct acceptance tests to verify whether the Services
and/or the deliverables substantially conform to the applicable specifications set forth in the
applicable Statement of Work or any written documentation provided by Contractor for the Services
and/or deliverables.
Intuit shall have fifteen (15) days after completion of the applicable Services, or such other
period as may be mutually agreed upon as set forth in the applicable Statement of Work (the
“Acceptance Period”), to perform such tests. If Intuit notifies Contractor of any material
non-conformities with such specifications in any of the Services and/or the deliverables (each, a
“Non-conformity” and collectively, the “Non-conformities”) in writing within the applicable
Acceptance Period, Contractor promptly shall either demonstrate to Intuit that no such
Non-conformities exist or use commercially reasonable efforts to correct such Non-conformities at
its own expense and notify Intuit in writing when such corrections are complete. Intuit then shall
have the right to test the corrected Services and/or deliverables, as upon the initial completion
of the applicable Services as set forth above. If Intuit accepts the Services and/or deliverables,
as determined by Intuit as set forth above, Intuit shall notify Contractor in writing of such
acceptance. If Intuit does not notify Contractor of any material Non-conformities within the
applicable Acceptance Period, Intuit shall be deemed to have accepted the Services and/or the
deliverables. Should Contractor fail to correct a Non-conformity within ten (10) calendar days
after receiving written notice thereof from Intuit, or such time period as may be mutually agreed
upon in writing by the parties, which period must be of reasonably sufficient duration to correct
such Non-conformity, Intuit may terminate the applicable Statement of Work, without prejudice to its
rights and remedies hereunder and without any further obligation to Contractor other than the
payment to Contractor of any and all fees incurred by Contractor through the effective date of such
termination pursuant to the applicable Statement of Work.
In the event that Intuit is [*], Intuit reserves the right to [*] acceptable to Arvato to [*]. If
the [*], ADS shall [*].
5. Section 4(b) Compensation and Payment is deleted and replaced in its entirety with the
following:
Contractor will submit to Intuit monthly reports as reasonably requested by Intuit and (i) daily
invoices for cost of goods sold (materials and labor), as shipment occurs, and (ii) monthly
invoices for all other items, including management fees, fulfillment fees, additional packaging
materials, freight, and other expenses, accompanied by reasonably detailed descriptions of the
Services performed during the relevant preceding period, the fees related thereto, prior approved
disbursements and out-of-pocket expenses then due.
If permitted in a Statement of Work, Contractor shall invoice Intuit for travel expenses in
accordance with Intuit’s then-current reimbursable expenses guidelines. Unless reimbursement for
travel expenses is expressly stated in a Statement of Work, however, Contractor shall bear all
travel expenses of its employees and/or agents. The current version of such expense guidelines is
attached hereto as Exhibit G. Intuit will provide reasonable advance written notice to Contractor
of any material amendment to Exhibit G. Contractor will mail invoices to Intuit Inc., Attn:
Accounts Payable, 0000 Xxxxxx Xxxxx Xx Xx, Xxx Xxxxx, Xxxxxxxxxx 00000 or such other address as
Intuit shall designate in writing from time to time. Invoices must reference the number and date of
the relevant Statement of Work and must be received by Intuit within six (6) months after the
completion of any Statement of Work. Unless otherwise set forth in a Statement of Work or
otherwise agreed by the parties, any invoices not received within such six (6) month time period
shall be deemed forgiven by Contractor.
6. Section 4(c) Compensation and Payment is deleted and replaced in its entirety with the
following:
All undisputed payments will be made by Intuit within twenty (20) days after the receipt by Intuit
of any invoice, and mailed to Contractor at its address specified in the invoice. If Intuit pays
any invoice within ten (10) days of receipt by Intuit of such invoice, such invoice shall be
discounted by Contractor by one percent (1%) of the total amount of the invoice. This discount will
apply to all services except for Retail Freight. Any applicable discounts shall be calculated from
the later of the receipt of the invoice by Intuit or the date any deliverable is received by Intuit
at the designated Intuit location with respect to any Statement of Work executed under this
Agreement. In the event that Intuit in good faith disputes any invoice rendered or amount paid,
Intuit will notify Contractor in writing and the parties shall work together to resolve such
dispute expeditiously, all in accordance with Section 14(c) of this Agreement and the time for
payment of the disputed invoice shall be extended until resolution of the dispute.
7. Section 4(d) Compensation and Payment is deleted and replaced in its entirety with the
following:
Contractor shall detail in each invoice provided under this Agreement applicable taxes for goods
and services, and shall separately state the different types of taxes by the type of tax Intuit
shall pay on products and services, if any, sold or provided by Contractor to Intuit (sales, use,
etc.). Intuit shall bear all applicable taxes, duties, levies, and other similar charges (and any
related interest and penalties), however designated, imposed as a result of the existence or
operation of this Agreement, including but not limited to any tax which Intuit is required to
withhold or deduct from payments to Contractor unless Intuit provides a valid resale/exemption
certificate that will relieve the Contractor from all sales/use tax liabilities. Intuit will
reimburse and indemnify Contractor for any such taxes and contributions and interest and penalties
that Contractor may be compelled to pay on account of Intuit’s non-payment.
8. Section 6(a) Term/Termination is deleted and replaced in its entirety with the following:
Unless otherwise terminated in accordance with this Agreement, the term of this Agreement shall
begin on the Effective Date and will continue until 9/15/11 and shall be automatically extended to
the expiration or termination date of any SOWs then outstanding. Upon mutual written agreement of
the parties, this Agreement will be renewed for additional agreed upon periods of time.
9. The following is added to the Agreement as Section 6(g) Term/Termination:
Prior to the effective date of the termination or expiration of this Agreement, Intuit and
Contractor shall develop a mutually acceptable plan designed to permit Intuit to transition the
Services in a seamless manner to a succeeding service provider. Contractor agrees to cooperate with
the transition to another service provider and to provide reasonable assistance to Intuit [*] . The
parties agree that the costs and other terms for the above services will be mutually negotiated by
the parties in good faith at the time Intuit notifies Contractor of Intuit’s desire to transition
to a succeeding service provider. Contractor agrees that in no event [*] Intuit for [*] Contractor
[*]. In no event, however, will Contractor be required to disclose its Confidential Information to
such succeeding service provider in connection with the foregoing.
10. Section 12 Insurance is deleted and replaced in its entirety with the following:
Contractor will, at Contractor’s expense, maintain insurance policies that cover Contractor’s
activities under this Agreement and the activities of Contractor’s employees, agents and
representatives, including, but not limited to, workers compensation insurance and comprehensive
general liability with minimum limits of insurance of $[*]. In addition, Contractor will carry
commercial crime insurance (with coverage for employee dishonesty, theft / disappearance or
destruction, deposit forgery or computer fraud) with coverage of not less than $[*]. All of
Contractor’s policies will be underwritten by reputable insurers who are licensed to do business in
the State of California. Contractor will name Intuit as an additional insured on each such policy.
Upon the request of Intuit, Contractor shall provide Intuit with a certificate of insurance
evidencing such coverage. In addition, Contractor will provide Intuit ten (10) days advance
written notice of any cancellation or reduction in coverage or limits.
11. Section 13 Limitation of Liability is deleted and replaced in its entirety with the following:
EXCEPT FOR A BREACH OF CONFIDENTIALITY OR IN CONNECTION WITH A PARTY’S INDEMNIFICATION OBLIGATIONS
UNDER SECTION 11, ABOVE, IN NO EVENT WILL (i) EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, WHETHER BASED ON BREACH OF CONTRACT, TORT
(INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE, OR (ii) THE LIABILITY OF EITHER PARTY TO THE OTHER PARTY FOR DAMAGES OR ALLEGED
DAMAGES HEREUNDER, WHETHER IN CONTRACT, TORT OR ANY OTHER LEGAL THEORY, EXCEED THE GREATER OF (i)
[*] DOLLARS ($[*]) OR (ii) THE AMOUNTS PAID (OR IN THE CASE OF INTUIT, PAID AND DUE AND PAYABLE) BY
INTUIT TO CONTRACTOR HEREUNDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM.
12. Section 14(e) Notice is deleted and replaced in its entirety with the following:
Unless otherwise stated, all notices required under this Agreement shall be in writing and shall be
considered given (i) when delivered personally; (ii) five (5) days after mailing, when sent
certified mail, return receipt requested and postage prepaid; (iii) one (1) business day after
dispatch, when sent via a commercial overnight carrier, fees prepaid; or (iv) upon delivery when
sent by facsimile transmission confirmed by telephone and followed by notice sent in accordance
with clause (i), (ii) or (iii) above. All communications will be addressed as follows (unless
changed by notice):
To Contractor:
Arvato Digital Services LLC
Attn: Chief Financial Officer
Address: 00000 Xxxxxxxx Xxxxxx Xxxxx, Xxxxxxxx, Xxxxxxxxxx 00000
Phone: (000) 000-0000
Fax: (000) 000-0000

with a copy to:
Bertelsmann, Inc.
Attn: Vice President, Legal Affairs
Address: 0000 Xxxxxxxx, 0xx Xxxxx, Xxx Xxxx, Xxx Xxxx 00000
Phone: (000) 000-0000
Fax: (000) 000-0000

To Intuit:
Intuit Inc.
Attn: Xxxx Xxxxxxx, Vendor Mgr for ADS Direct Services
Address: 2632 Marine Way, M/S MPK 00-00, Xxxxxxxx Xxxx, XX 00000
Phone: 000-000-0000
Fax: 000-000-0000

To Intuit:
Intuit Inc.
Attn: Xxxxx Xxxxxx, Vendor Mgr for ADS Retail Services
Address: 0000 Xxxxxx Xxx, M/S MPK 01-03
Phone: 000-000-0000
Fax: 000-000-0000

with a copy to:
Intuit Inc.
Attn: General Counsel, Legal Dept.
Address: 0000 Xxxxx Xxxxxx, Xxxxxxxx Xxxx, Xxxxxxxxxx 00000
Phone: (000) 000-0000
Fax: (000) 000-0000
13. The following shall be added to the Agreement as Section 14(m) Business Continuity:
(i) Contractor shall: (1) be responsible for business continuity of operations as to the products
and services to be provided under the Supply Agreement; (2) within sixty (60) days after the
Effective Date, submit to Intuit for approval Contractor’s business continuity plan (“Business
Continuity Plan”) that mitigates and minimizes Intuit service interruptions; and (3) update the
Business Continuity Plan to reflect changes in technology and industry standards no less than once
a year.
(ii) Contractor shall provide Intuit reasonable assistance in Intuit’s assessment of Intuit’s
business continuity requirements and provide, for Intuit’s approval at Intuit’s expense, a set of
alternatives for the development of a viable Intuit business continuity program, and the estimated
fees associated with each alternative.
(iii) Contractor shall immediately provide Intuit with written notice of any service failure under
this Agreement due to any of the events specified in Section 14(f) of this Agreement and shall use
commercially reasonable efforts to immediately implement the Business Continuity Plan with regard
to such failure.
(iv) In the event of a Force Majeure, Contractor shall not charge Intuit any fees in excess of the
fees set forth in the applicable Statement of Work.
(v) Whenever a Force Majeure requires that Contractor allocate limited resources between or among
its customers, Intuit shall receive no less priority in respect to such allocation than any of
Contractor’s other customers.
(vi) Upon request by Intuit, Contractor shall provide a copy of its Business Continuity Plan,
Disaster Recovery Plan, and a copy of its annual Business Continuity and Disaster Recovery
exercises.
14. Exhibit E — Intuit Service Provider Privacy Exhibit is deleted and replaced in its entirety
with Exhibit E attached hereto.
15. Exhibit F — Intuit Security Requirements is deleted and replaced in its entirety with Exhibit F
attached hereto.
16. Counterparts and Facsimile Delivery.
This Amendment 3 may be executed in two or more identical counterparts, each of which shall be
deemed to be an original and all of which taken together shall be deemed to constitute Amendment 3
when a duly authorized representative of each party has signed and delivered to the other party a
counterpart.
17. Effectiveness of Agreement.
Except as expressly provided herein, nothing in this Amendment 3 shall be deemed to waive or modify
any of the provisions of the Agreement, which otherwise remains in full force and effect. In the
event of any conflict between the Agreement and this Amendment 3, this Amendment 3 shall prevail
with respect to the subject matter hereof.
IN WITNESS WHEREOF, the undersigned have executed this Amendment 3 as of the Amendment Effective
Date.
INTUIT INC.
By: /s/ Xxxxx Xxxx
Name: Xxxxx Xxxx
Title: VP, Procurement
Date: April 4, 2008

ARVATO DIGITAL SERVICES LLC
By: /s/ Jan Icking
Name: Jan Icking
Title: CFO
Date: April 7, 2008
Exhibit E
Intuit 3rd Party Privacy Exhibit
1. INTRODUCTION
1.1. This Intuit Privacy Exhibit governs the manner in which specified customer-related information may be handled or processed by the 3rd Party. Intuit may impose different or additional restrictions as identified according to country of origin, transmission, or processing; type of data; or type of processing.
2. DEFINITIONS
2.1. “Affiliate Companies” shall mean any companies controlling, being controlled by, or under common control with another company.
2.2. “Individual” shall mean, unless otherwise indicated, any natural person.
2.3. “Intuit” shall mean Intuit Inc. and its Affiliate Companies.
2.4. “Opt-out” shall mean the opportunity afforded to individuals to decline to have their Personal Information used for purposes other than as necessary to provide the product or service for which the Personal Information is collected.
2.5. “Opt-in” shall mean the active, affirmative permission granted by individuals to have their Personal Information used for specified purposes.
2.6. “3rd Party” shall mean the party entering into an agreement with Intuit, into which this Exhibit has been incorporated by reference, as well as all Affiliate Companies of said 3rd Party.
2.7. “Personal Information” (“PI”) shall mean any factual or subjective information that, by itself or in combination, (i) identifies or can be used to identify, contact, or locate an individual, (ii) pertains to an individual, or (iii) is defined as personal information under applicable personal data protection laws. PI includes, but is not limited to: name, address, phone number, fax number, email address, financial profile, medical information or profile, social security number, credit card information, personal profile, age, income, credit information, unique identifier, biometric information, and IP address associated with an individual. For the purposes of this Exhibit, information about an individual in the business context is considered Personal Information. For example, business contact information is considered Personal Information.
2.8. “Sensitive Personal Information” shall mean any information that identifies or suggests an individual’s health, trade union membership, religion or philosophy, race, ethnicity, politics, or sex life; or that could be misused in such a way as to jeopardize the financial or legal position of its owner or cause personal embarrassment. Examples of sensitive personal information include but are not limited to: social security or services number, national ID number, credit card information, bank account information, physical or mental health status, genetic information.
3. 3RD PARTY RESPONSIBILITIES — GENERAL
3.1. Intuit maintains a compilation of internal privacy policies that govern how Intuit and its 3rd Parties handle Intuit Personal Information. These policies follow Safe Harbor principles. The 3rd Party shall apply each of these Safe Harbor principles as applicable when handling Intuit Personal Information:
3.1.1. Notice — Offer clear, conspicuous notice before collection of Personal Information from any individual.
3.1.2. Choice — Provide individuals choice regarding secondary uses of personal information, including but not limited to marketing-related uses; and before sharing Personal Information with other 3rd Parties not acting as agent.
3.1.3. Security — Provide adequate protections against unauthorized access and exposure of Personal Information, commensurate with the sensitivity of the Personal Information.
3.1.4. Data Integrity — Take reasonable steps to ensure that Personal Information is relevant, reliable for its intended use, accurate, complete, and current.
3.1.5. Access — Take reasonable measures to provide individuals the ability to view, and in some cases, amend or correct, Personal Information.
3.1.6. Enforcement — Provide specific mechanisms for ensuring compliance with principles, recourse, and consequences for non-compliance.
3.2. Each party shall comply with this Exhibit and all applicable laws, rules and regulations relating to the collection or use of Intuit Personal Information. The 3rd Party agrees to [*] of this Exhibit [*] with access to Intuit Personal Information.
3.3. The 3rd Party shall document in writing Personal Information handling procedures designed to implement technical and organizational measures to protect Intuit Personal Information as required by applicable laws and this Exhibit. The 3rd Party will train employees/contractors/vendors on and implement said procedures in a way that produces the same degree of care, but never less than a reasonable degree of care, to prevent the unauthorized collection, use, sharing, retention/destruction, and other inappropriate or prohibited Personal Information handling practices. These written and actual Personal Information handling procedures are subject to approval by Intuit. Any substantive deviation from said procedures must be approved by Intuit in writing.
3.4. The 3rd Party shall provide access to Intuit Personal Information to only those employees, contractors, vendors or authorized agents who (i) have a need to view it in order to perform authorized work, (ii) are trained in the proper handling of Intuit Personal Information, and (iii) are subject to an obligation to handle Intuit Personal Information in ways at least as restrictive as those practices outlined in this Exhibit. The 3rd Party and its authorized agents and vendors shall never sell, rent, or lease Intuit Personal Information to any individual or organization.
3.5. The 3rd Party shall under no circumstances collect, access, use, store, destroy, reproduce, disclose, or otherwise handle or process Intuit Personal Information other than as specifically authorized by this Exhibit or the agreement into which this Exhibit is incorporated. Should the 3rd Party become legally obligated to handle Intuit Personal Information other than as permitted by this Exhibit or the associated agreement, it shall, unless legally prohibited from doing so, first provide notice to Intuit.
3.6. The 3rd Party shall maintain such records as are applicable to demonstrate its compliance with this Exhibit and shall permit Intuit, or a third party chosen by Intuit and reasonably acceptable to the 3rd Party, to audit the 3rd Party’s records and practices relating to its obligations under this Exhibit upon reasonable notice and during regular business hours, and at Intuit’s expense, at the locations where such records and data are maintained, for purposes of verifying the 3rd Party’s compliance. Intuit shall be provided with a description of all data flows, practices and uses, and names of individuals with access to the Intuit Personal Information. All such data flows, practices, uses of Personal Information, and categories of individuals with access to that Personal Information are subject to approval by Intuit.
3.7. The 3rd Party shall immediately report to Intuit any failure to treat or protect — including specifically any actual or suspected accidental exposure or unauthorized use or disclosure of — Intuit Personal Information as set forth in this Exhibit or the agreement into which it is incorporated, including any related complaints about the 3rd Party’s information and collection practices, and shall consult with Intuit as to correction thereof. The 3rd Party agrees that Intuit shall have the right to participate in the breach investigation, and control and direct any response and/or correction of any such breach.
3.8. The 3rd Party designates the following person as its Privacy Exhibit Coordinator. This Privacy Exhibit Coordinator will (i) maintain responsibility for applying adequate protections to Intuit Personal Information, (ii) oversee application of 3rd Party compliance with Exhibit requirements, and (iii) serve as a single point of contact for internal communications and communications with Intuit pertaining to this Exhibit and compliance with or any breaches thereof.
COMPANY: Arvato Digital Services LLC
Designated Privacy Exhibit Coordinator:
Title:
Phone:
Email:
Mailing Address:
3.9. Intuit may propose Amendments of this Exhibit from time to time, with reasonable notice, as may be required by law or updated Intuit policies, and as promptly as practicable, Intuit will provide notice to the 3rd Party of any such requirements of which Intuit becomes aware. 3rd Parties not willing or able to change practices that are required by law in accordance with such Amendments may be given sixty (60) days’ written notice of termination of the Agreement prior to the date of effectiveness of the lawful requirements. 3rd Parties not willing or able to change practices that are required by Intuit policies in accordance with such Amendments may be given reasonable advance written notice by Intuit to comply or terminate the Agreement. Any Amendments shall be signed by both Intuit and the 3rd Party and may entail reasonable and commensurate additional costs, if applicable, for upholding the increased Privacy requirements, as required by law or by Intuit.
4. 3RD PARTY RESPONSIBILITIES — SPECIFIC
The following provisions shall not be applicable except to the extent that Intuit and the 3rd Party execute a Statement of Work requiring that the 3rd Party handle Personal Information of residents of the relevant jurisdiction listed below. The parties shall jointly determine the precise requirements applicable to Intuit and the 3rd Party as to such jurisdiction based on the Reference Laws and Requirements referred to below:
a. Italy
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of the Italian Republic, and may be governed by Italian privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements.
ii. Reference Laws and Requirements: The Italian legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
Constitutional requirements (Italian Constitution, Articles 14, 15)
pertaining to:
Limits on inspection and search of personal domicile.
Guarantees of liberty and secrecy of correspondence of every form of
communication.
Italian Data Protection Code, enforced by the Garante
Defines “personal data” as “any information relating to natural or
legal persons, bodies, or associations that are or can be
identified, even indirectly, by reference to any other information
including a personal identification number.”
Unless noted, follows the European Union Data Protection Directive
(95/46/EC) and European Union Directive on Privacy and Electronic
Communication (2002/58/EC) guidelines.
Provides special protections for health information.
Considers unsolicited commercial email to be an act of “theft” and
prohibits the sending of unsolicited email.
Provides for especially harsh criminal and civil penalties for
non-compliance.
b. One or more Member States of the European Union
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of one or more European Union Member States, and may be governed by European Union privacy and data protection laws. The 3rd Party recognizes that Intuit privacy policies are based around the Safe Harbor framework, a set of principles that form the basis of an “adequacy” determination that predicates legal transmission from any European Union Member State to a non-European Union country. The 3rd Party agrees to apply these Safe Harbor principles in a way that at least meets and can exceed Safe Harbor requirements.
ii. Reference Laws and Requirements: The European Union legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
Safe Harbor, as established by the US Department of Commerce and overseen by
the US Federal Trade Commission and Department of Transportation.
European Union Data Protection Directive (95/46/EC)
European Union Directive on Privacy and Electronic Communication (2002/58/EC)
c. Australia
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of Australia and may be governed by Australian privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements.
ii. Reference Laws and Requirements: The Australian legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
• Privacy Act of 1988
  • Applies the National Privacy Principles.
  • Imposes special considerations for credit reporting.
  • Imposes special considerations for tax information.
• Spam Act of 2003: Prohibits unsolicited electronic messages, including email, SMS, IM, and MMS; requires opt-out, and requires accurate sender address.
• State Laws: some Australian states have also enacted privacy laws, including but not limited to the Privacy and Personal Information Protection Act (1998) of New South Wales.
d. Canada
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of Canada and may be governed by Canadian privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements and abide by the Canadian Model Code for the Protection of Personal Information: accountability, purpose specification, use limitation, data quality, security safeguards, openness, and individual participation.
ii. Reference Laws and Requirements: The Canadian legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
• PIPEDA, PIPA, and the Act Respecting the Protection of Personal Information in the Private Sector.
  • Applies the Model Code for the Protection of Personal Information (CAN/CSA-Q830-96).
  • Limits Personal Information collection, use, or disclosure only for purposes that a reasonable person would consider are appropriate to the circumstances.
  • Requires notice and opt-out before collecting, using, or disclosing personal information.
  • Requires consent for communication or use of personal information for specific purposes and for a defined period of time.
e. United Kingdom
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of the United Kingdom and may be governed by United Kingdom privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements and the associated eight data protection principles.
ii. Reference Laws and Requirements: The United Kingdom legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
• Data Protection Act of 1998 and the Employment Practices Data Protection Code of 2004.
  • Unless noted, follows the European Union Data Protection Directive (95/46/EC) and European Union Directive on Privacy and Electronic Communication (2002/58/EC) guidelines.
  • Applies the eight data protection principles: Personal Information should be:
    1. Fairly and lawfully processed
    2. Processed for limited purposes
    3. Adequate, relevant and not excessive
    4. Accurate and up to date
    5. Not kept for longer than is necessary
    6. Processed in line with individuals’ rights
    7. Secure
    8. Not transferred to other countries without adequate protection
  • Provides for rights of individuals to access information about their Personal Information, and the right to change inaccurate Personal Information.
• Note that the Scottish Parliament has approved a stronger Freedom of Information Act, and that territories (Isle of Man, Bailiwick of Guernsey, and Jersey) have also approved additional data protection acts.
EXHIBIT F
Intuit Comprehensive Security Requirements
Definitions
For the purposes of this Exhibit, the following definitions shall apply.
Confidential Information: Information which (i) is proprietary to, about, or created by a specific
person or company; (ii) gives the specified person or company some competitive business advantage
or the opportunity of obtaining such advantage, or the disclosure of which could be detrimental to
the interests of the specified person or company; (iii) is designated as Confidential Information
by the specified person or company, or from all the relevant circumstances should reasonably be
assumed by the receiving party to be confidential and proprietary to the specified person or
company.
The following subcategories of Confidential Information are also defined:
• Secret Information: Information that is used to protect other Confidential Information. Generally, Secret Information is not disclosed to outside parties under any circumstances.
• Sensitive Information: Any information that could be misused in such a way as to jeopardize the financial or legal position of its owner, or of the person or company described by the information.
• Restricted Information: Information that is not Secret or Sensitive, but whose permissible use has been restricted by its owner.
Confidential Information includes, but is not limited to, the following types of information and
other information of a similar nature (whether or not reduced to writing or designated as
Confidential):
a. Personally-Identifiable Information. Information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. It includes, without limitation, the following information:
• Secret Information: Customer passwords, private encryption keys, and private signature keys.
• Sensitive Information: Customer account numbers, Social Security numbers, taxpayer identification numbers, account balances, account activity, financial information, medical records, legal records, and records of customer services and other data relating to the products and services offered, received, or purchased by customers of Intuit or the Company.
• Restricted Information: Customer names, customer street or e-mail addresses, customer telephone numbers.
b. Confidential Corporate Information, consisting of any of the following:
• Secret Information: Computer account IDs, passwords for computer or database systems, private encryption keys, SSL keys, computer source code relating to encryption / decryption, special access privileges, known security vulnerabilities, the results of security audits and reviews, and any information explicitly designated Secret by Intuit or by Company.
• Sensitive Information: Any of the following:
(i) Work Products: Work product resulting from or related to work or projects performed or to be performed for Intuit or the Company, or for customers of Intuit or the Company (including all media on which such information is contained);
(ii) Business Operations: Internal Intuit or Company personnel and financial information, names and other information about Service Providers (including without limitation Service Provider characteristics, services and agreements), purchasing and internal cost information, internal services and operational manuals, and the manner and methods of conducting Intuit’s or the Company’s business;
(iii) Marketing and Development Operations: Marketing and development information regarding Intuit’s or the Company’s operations (including without limitation marketing and development plans, price and cost data, price and fee amounts, pricing and billing policies, quoting procedures, marketing techniques and methods of obtaining business, forecasts and forecast assumptions and volumes, and future plans and potential strategies of Intuit or the Company which have been or are being discussed);
(iv) Other Proprietary Data: Information relating to Intuit’s or the Company’s proprietary business information (including without limitation information pertaining to business transactions and financial performance) or proprietary rights prior to any public disclosure thereof, and information regarding acquiring, protecting, enforcing and licensing proprietary rights (including without limitation patents, copyrights and trade secrets).
(v) Designated Information: Notwithstanding the above, any information explicitly designated as Sensitive by Intuit or by Company.
• Restricted Information: Aggregated or anonymous customer information (any customer information other than Personally Identifiable Customer Information), contractual information or obligations not designated as Sensitive, and any information explicitly designated as Restricted by Intuit or by Company.
A. Controlling Access to Confidential Information
1. Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, Sub Suppliers, or other agents, unless the following conditions are met:
a) The staff member, Sub Supplier, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team;
b) The staff member, Sub Supplier, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he / she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company (i.e., 8 characters minimum length, required use of special- and / or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, Sub Supplier, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
2. Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Company’s staff, Sub Suppliers, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave the Company or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed Sub Supplier should be implemented.
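The following is an added illustration of requirements A.1.b and A.3 in working code; it is not part of the Agreement and not code from Intuit or Arvato. It checks a staff password against the A.1.b minimum standards (8 characters, special and/or mixed-case characters, no dictionary words, 90-day rotation) and stores a per-user salted hash so that, as A.3 requires, the same password chosen by different users yields different encodings. A.3 names SHA-1 and MD5 as acceptable digests; this example swaps in PBKDF2-HMAC-SHA256 (Python's hashlib.pbkdf2_hmac), an iterated salted construction that is current practice for password storage, and says so here because that is a substitution, not the clause's wording. The dictionary, iteration count and sample passwords are constructed assumptions.

```python
"""A.1.b password policy check and A.3 salted password storage (added example)."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # A.1.b: 8 characters minimum length
MAX_AGE_DAYS = 90       # A.1.b: required to be changed every 90 days
PBKDF2_ITERATIONS = 200_000  # assumption: tunable work factor, not from the Agreement

# Constructed sample word list; a deployment would load a real dictionary.
DICTIONARY = {"password", "welcome", "intuit", "summer", "letmein", "qwerty"}


def password_policy_violations(password, dictionary=DICTIONARY):
    """Return the A.1.b rules the password fails; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    has_special = any(c in string.punctuation for c in password)
    has_mixed_case = any(c.islower() for c in password) and any(c.isupper() for c in password)
    if not (has_special or has_mixed_case):
        problems.append("no special or mixed-case characters")
    # "no words that could be found in a dictionary": reject the password if it is a
    # listed word outright, or becomes one once digits and punctuation are stripped
    # (catches the common "Password1!" pattern).
    lowered = password.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in dictionary or letters_only in dictionary:
        problems.append("dictionary word")
    return problems


def password_expired(last_changed_iso, today_iso):
    """A.1.b rotation check on ISO dates: True once the password is older than 90 days."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def hash_password(password, salt=None):
    """Store a salted hash, never the clear-text password (A.3).

    A fresh random salt per user means two users with the same password get
    different stored encodings, so one leaked record reveals nothing about another.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password, record):
    """Recompute the salted hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("summer", "Password1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_policy_violations(candidate) or "compliant")
    record_a = hash_password("Tr0ub4dor&3")
    record_b = hash_password("Tr0ub4dor&3")
    print("same password, different encodings:", record_a["hash"] != record_b["hash"])
    print("verifies:", verify_password("Tr0ub4dor&3", record_a))
    print("expired after 91 days:", password_expired("2008-01-01", "2008-04-01"))
```

The policy function returns every rule that fails rather than stopping at the first, which is what an access-review log (A.1.d) or a password-change screen needs; the hashing functions keep the salt alongside the hash because the verifier cannot recompute anything without it.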
B. Transmitting Confidential Information
1. Unless restricted by law, Company must not electronically transmit Secret or Sensitive Information over publicly accessible networks without using 128-bit SSL or another mechanism that affords similar or greater security and confidentiality. If legal restrictions limit the use of 128-bit SSL encryption technology, Company must use the strongest encryption technology permitted.
2. Confidential Information must never be passed in a URL (e.g., using a Get method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files.
C. Maintaining a Secure Environment
1. To protect the accuracy and integrity of Confidential Information, all such data must be backed up regularly (no less often than weekly), and the backups stored in secure, environmentally-controlled, limited-access facilities.
2. Company must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
3. Company must promptly install any security-related fixes identified by its hardware or software Suppliers, if the security threat being addressed by the fix is one that threatens the privacy or integrity of any Confidential Information covered by this Agreement. Such upgrades must be made as soon as they can safely be installed and integrated into Company’s existing architecture and systems.
4. Intuit may, from time to time, advise Company of recent security threats that have come to its attention, and require Company to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Company must implement these modifications within a mutually-agreeable time, or must obtain written permission from Intuit to take some other course of action to ensure that the privacy and integrity of any Confidential Information is preserved.
5. Company must immediately notify Intuit if it knows or suspects that Confidential Information has been compromised or disclosed to unauthorized persons, or if there has been any meaningful or substantial deviation from the requirements contained in the Agreement or this Exhibit. See Section H for contact information. Company agrees that Intuit shall have the right to control and direct any response and / or correction of any such compromise or disclosure.
6. Notwithstanding the minimum standards set forth in this Exhibit, Company should monitor and periodically incorporate reasonable industry-standard security safeguards.
D. Electronic Mail
1. Company shall not send any Secret or Sensitive Information in an e-mail message over publicly-accessible networks unless the e-mail is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by Intuit and Company.
2. Company and its Sub Suppliers and agents must not reveal the Personally-Identifiable Information of one customer to any other customer or other third party, in any e-mail or other communication, except as permitted in writing by the affected person, as deemed appropriate in light of the interests of the affected person, or as otherwise required by law.
E. Reviews, Audits, and Remedies
1. Company agrees that Intuit shall have a right to verify Company’s compliance with this Exhibit. Upon no less than 14 days’ prior written notice to Company, Intuit (or its agent) may enter Company’s premises and inspect such of Company’s books, records, facilities and computer systems as Intuit and Company shall mutually agree is necessary to ensure that Company complies with the terms, covenants and conditions of this Exhibit. Intuit or its agent shall comply with Company’s standard policies and procedures that apply to third party companies that have access to Company’s premises, and Intuit or its agent shall access Company’s premises during normal business hours (Monday through Friday, 8:00 AM to 5:00 PM), subject to Company’s standard security and confidentiality procedures and without disruption to Company’s business. Notwithstanding the foregoing, if Intuit in good faith believes that a threat to security exists that could affect Confidential Information, Company must provide Intuit or its agent access to its premises immediately upon request by Intuit.
2. Intuit may inspect or employ third parties to conduct studies of Company’s operational processes, systems, vulnerability scan results and computer network security to determine Company’s compliance with this Exhibit. Intuit agrees to coordinate the scheduling of any such study with Company to minimize disruption to Company’s business. Company agrees to cooperate with Intuit to commence such a study within thirty (30) days from Company’s receipt of written notice of Intuit’s intent to conduct, or to employ a third party reasonably acceptable to Company to conduct, such a study. At Company’s request, Intuit will require any such third party it employs to conduct such a study to sign a nondisclosure agreement pursuant to which it agrees not to disclose any Confidential Information. Intuit will make the results of any such study available to Company and, depending on the seriousness of any problems found, may require Company to remedy any and all such deficiencies in a timely fashion. Costs of such audits shall be [*], and Company shall only be responsible for [*].
3. Notwithstanding any time-to-cure provision in this Agreement to the contrary, it shall be completely within Intuit’s discretion to require correction of any demonstrated security-related problem within a shorter period of time, subject to the procedures set forth in this Section E.3. Intuit shall provide written notice of the problem to Company, and Company must immediately take appropriate steps to correct the problem. If Company fails to correct any demonstrated security problem within a commercially reasonable time, factoring in the work that must be completed to address the problem, and resulting in the material disclosure or threatened disclosure of Intuit’s Confidential Information, Intuit may instruct Company to take such interim measures as are necessary to protect Intuit’s Confidential Information. If Company fails or refuses to take those interim and / or permanent measures which are necessary to prevent the material disclosure of Intuit’s Confidential Information within a commercially-reasonable time, Intuit may terminate any and all affected agreements between Intuit and Company for cause.
F. Compliance with U.S. Laws and Regulations
Each of Intuit and Company shall comply with federal, state, and local laws and regulations as the
same are applicable to the Services.
G. Changes to Requirements
Intuit may, in its sole discretion, amend these requirements from time to time, as required by law.
Any amendments to these requirements not expressly required by law shall be subject to written
amendment signed by both Intuit and Company and may entail additional costs.
H. Contact Information
The primary business contact person for each party under this Agreement shall designate a primary
and an alternate single point of contact for security issues for such party (a “Security SPOC”) and
provide mail, email, telephone, home telephone, and pager or portable telephone contact information
for such persons. Both parties agree that either the primary or alternate Security SPOC will be
available at all times (“24/7/365”). Such designation and information must be given in writing to
the other party within ten (10) business days after the effective date of the Agreement. Any
updates to the same shall be given promptly in writing to the other party.