TRANSITION SERVICES AGREEMENT BY AND AMONG TYCO INTERNATIONAL MANAGEMENT COMPANY, LLC, TYCO INTEGRATED SECURITY LLC, AND ADT LLC DATED AS OF JUNE 30, 2012
Exhibit 10.1
EXECUTION VERSION
BY AND AMONG
TYCO INTERNATIONAL MANAGEMENT COMPANY, LLC,
TYCO INTEGRATED SECURITY LLC,
AND
ADT LLC
DATED AS OF JUNE 30, 2012
THIS TRANSITION SERVICES AGREEMENT (this “Agreement”) is made and entered into as of June 30, 2012, (the “Effective Date”) by and among Tyco International Management Company, LLC, a Nevada limited liability company (“TIMCO”), Tyco Integrated Security LLC (f/k/a ADT Security Services, LLC), a Delaware limited liability company (“Commercial”), and ADT LLC, a Delaware limited liability company (“ADT”). Each of TIMCO, Commercial and ADT is sometimes referred to herein as a “Party” and collectively, as the “Parties”.
A. The Board of Directors of Tyco International Ltd. (“Tyco”) has determined that it is appropriate, desirable and in the best interests of Tyco and its stockholders to separate Tyco into three separate, publicly traded companies, one for each of (i) the ADT North American R/SB Business, which shall be owned and conducted, directly or indirectly, by The ADT Corporation (“ADT NA”) (the “ADT R/SB Separation”); (ii) the Flow Control Business, which shall be owned and conducted, directly or indirectly, by Tyco Flow Control International Ltd. (“Flow Control”); and (iii) the Tyco Retained Business, which shall be owned and conducted, directly or indirectly, by Tyco.
B. On the date of this Agreement and in connection with the ADT R/SB Separation, Commercial and ADT have entered into and consummated the transactions pursuant to that certain US Contribution Agreement (the “US Contribution Agreement”) pursuant to which, among other things, Commercial has contributed to ADT, and ADT has assumed and accepted from Commercial, all right, title and interest of Commercial in and to the assets and liabilities primarily used in connection with the ADT North American R/SB Business.
C. In order to provide for an orderly transition in connection with the ADT R/SB Separation, each of TIMCO, ADT and Commercial desire to provide to the other certain services for specified periods following the Effective Date, all in accordance with and subject to the terms and conditions set forth herein.
1. Agreement to Provide Transition Services.
1.1. Agreement. With respect to each Transition Service (as defined in Section 1.2), the Party required to provide such Transition Service is the “Service Provider” and
the Party receiving such Transition Service is the “Service Recipient.” When the “Service Provider” or “Service Recipient” refers to ADT, the “Service Provider’s Group” or the “Service Recipient’s Group”, as the case may be, shall mean members of the ADT North American R/SB Group; and when the “Service Provider” or “Service Recipient” refers to Commercial or Tyco, the “Service Provider’s Group” or the “Service Recipient’s Group”, as the case may be, shall mean members of the Tyco Group. The “Service Provider” and “Service Recipient” with respect to each Transition Service shall be set forth on the Schedules (as defined below). The Service Provider hereby agrees to provide, or cause one or more members of the Service Provider’s Group or a contractor, subcontractor, vendor or other third party provider (each, a “Third Party Provider”) to provide, upon the terms and subject to the conditions set forth herein, certain Transition Services to the Service Recipient, and the Service Recipient hereby agrees to pay to the Service Provider the applicable fees for such Transition Services (the “Service Fees”) set forth on the schedules attached hereto (the “Schedules”); provided, that the Service Provider shall obtain the consent of the Service Recipient (not to be unreasonably withheld, delayed or conditioned) in the event any such Transition Service is to be provided by a Third Party Provider if such Transition Service was not historically provided by such Third Party Provider to the Service Recipient and provided further that (x) any Service Fees payable hereunder shall not, subject to the requirements of Section 2.1(i), be increased as a result of any such outsourcing and (y) the Service Provider shall remain primarily responsible for the performance by any such Third Party Provider of the Service Provider’s obligations hereunder. Irrespective of whether the Service Provider, a member of the Service Provider’s Group or a Third Party Provider is providing a Transition Service, the Service Recipient may direct that any such Transition Service be provided directly to the Service Recipient or any other members of the Service Recipient’s Group.
1.2. Transition Services.
(i) As used in this Agreement, the term “Transition Services” means the services described in the Schedules (and any additional services provided pursuant to Section 1.2(iii)). Notwithstanding anything to the contrary contained herein or in any Schedule, unless otherwise agreed in writing by the Service Provider and the Service Recipient, the Service Provider shall have no obligation under this Agreement to: (A) provide or cause to be provided to the Service Recipient any services or functions that were not provided to the Service Recipient or any members of the Service Recipient’s Group by the Service Provider or members of the Service Provider’s Group in the ordinary course during the twelve-month period prior to the Effective Date (unless otherwise set forth in the Schedules); (B) operate the Service Recipient or any members of the Service Recipient’s Group or any portion thereof; (C) advance funds; (D) engage in any unlawful activity; (E) implement systems, processes, technologies, plans or initiatives developed, acquired or utilized by the Service Recipient after the Effective Date; (F) perform or cause to be performed any of the Transition Services for the benefit of any third party; or (G) expand its facilities, incur long-term capital expenses or (unless otherwise set forth in the Schedules) employ additional personnel in order to provide the Transition Services. The respective obligations of the Service Provider to provide the Transition Services are conditioned upon being provided with reasonable access during regular business hours to, and all necessary rights to utilize, the Service Recipient’s facilities, personnel, assets, systems and technologies to the extent reasonably requested by the Service Provider in connection with the performance of its obligations hereunder. The Service Provider and Service Recipient shall, and shall cause the
2
respective members of the Service Recipient’s Group, and its and their agents and representatives to, cooperate with each other and will cause their respective employees, agents and representatives to facilitate the provision of Transition Services.
(ii) The Service Recipient acknowledges that the Service Provider may be providing similar services (or services that involve the same resources as those used to provide the Transition Services) to the Service Provider’s internal organizations, members of the Service Provider’s Group and/or third parties. The Service Recipient reserves the right to modify the Transition Services in connection with changes to its internal organization in the ordinary course of business, subject to any limitations set forth in the applicable Schedule(s) and, in the case of any modification that would materially reduce the benefits provided to the Service Recipient hereunder, to a downward adjustment in the amount of the Service Fee attributable to such Transition Service, as negotiated in good faith between the Parties.
(iii) If the Service Recipient desires to have the Service Provider provide services that (A) were provided to the Service Recipient during the twelve-month period prior to the Effective Date, (B) are reasonably necessary for the operation of the business of the Service Recipient as conducted as of the Effective Date and (C) are unable to be obtained from a Third Party Provider, then the Parties hereto shall negotiate in good faith to agree on the terms upon which the Service Provider or a member of the Service Provider’s Group would provide such services. If any such services are agreed among the Parties, the Parties will enter into an amendment to this Agreement amending the Schedules to reflect such new service.
(iv) Other than as contemplated by Section 1.2(iii), the Parties may from time to time supplement the Schedules to add, remove and/or modify the Transition Services; provided, that any such supplement shall be in a writing signed by each of the Parties and at the sole discretion of each of the Parties. Without limiting the foregoing, from time to time the Service Recipient may request additional services by providing the Service Provider with reasonable prior written notice. If the Service Recipient and the Service Provider agree that such additional services shall be provided, (A) the mutually agreed upon terms of such additional services, including the cost thereof and/or fees therefor, shall be added to the applicable Schedule and (B) such revised Schedule shall be attached to and become a part of this Agreement from and after the agreed effective date thereof.
1.3. Transition Period.
(i) The Service Provider shall provide or cause to be provided each Transition Service during the period commencing on the “Activation Date” for such Transition Service, as set forth on the Schedules, and continuing for the “Duration” set forth on the Schedules with respect to such Transition Service, unless otherwise agreed in writing by the Parties (for each Transition Service, such period during which such Transition Service is to be provided being herein referred to as the “Transition Period”).
(ii) Each Transition Service provided hereunder shall be terminated at the end of its applicable Transition Period, unless otherwise terminated earlier by the Service Recipient pursuant to Section 10.14 or the terms of the applicable Schedule(s). The Service Provider shall be under no obligation to provide a Transition Service to the Service Recipient
3
after the Transition Period applicable to such Transition Service, except (a) in the case of any Transition Service designated in the Schedules as “Business Critical”, if the Service Recipient requests in writing at least 60 days prior to the end of the initial Transition Period for such Transition Service that the Service Provider continue to provide such Transition Services to the Service Recipient after the initial Transition Period, then the Service Provider shall continue to provide such Transition Services for the additional period so requested, provided that the Service Recipient continues to pay the Service Provider the Service Fees after the applicable initial Transition Period, as increased pursuant to the applicable provisions of Section 2.1; and (b) in the case of any Transition Services not designated on the Schedules as “Business Critical”, then to the extent otherwise agreed in writing by the Service Provider and the Service Recipient and subject to the applicable provisions of Section 2.1.
1.4. Transition Planning. Service Recipient shall, as promptly as reasonably practicable following the Effective Date, develop a transition plan with respect to transfer or termination of the Transition Services they are to receive (the “Cutover Plan”), which Cutover Plan shall describe Service Recipient’s proposed transition activities and any transition assistance Service Recipient requests from the Service Provider in connection with such transfer or termination. The Service Provider will review and comment on the Cutover Plan and reasonably cooperate with Service Recipient to create a final Cutover Plan. The Cutover Plan shall provide for a completion date that is no later than the end of the applicable Transition Period. Without limiting the obligations of the Service Provider under an applicable Schedule, during the applicable Transition Period, the Service Provider shall cooperate with and offer such commercially reasonable assistance to the Service Recipient as is necessary to implement the Service Recipient’s final Cutover Plan and the transfer of responsibility for the provision of the Transition Services to Service Recipient or a new provider.
1.5. Limitations on Transition Services.
(i) The Service Provider shall not be required to provide any Transition Service to the extent that the performance of such Transition Service would require the Service Provider to violate any applicable Laws.
(ii) The Service Provider’s obligations to deliver certain Transition Services may be conditional upon the Service Provider’s obtaining the consent, where necessary, of certain third parties; provided, however, that if the Service Provider is unable to obtain such consent, the Service Provider shall use its commercially reasonable efforts to arrange for alternative methods of delivering such Transition Services.
(iii) All employees and representatives of the Service Provider and members of the Service Provider’s Group shall be deemed for all purposes of this Agreement to be employees or representatives of the Service Provider or the Service Provider’s Group, as applicable, and not employees or representatives of the Service Recipient or members of the Service Recipient’s Group. In performing the Transition Services, such employees and representatives shall be under the direction, control and supervision of the Service Provider and/or members of the Service Provider’s Group, as applicable, and the Service Provider and/or members of the Service Provider’s Group, as applicable, shall have the sole right to exercise all authority with respect to the employment (including termination of employment), assignment and compensation of such employees and representatives.
4
1.6. Divestiture, Sale or Transfer of Assets. Nothing in this Agreement shall be deemed to limit the Service Provider’s ability to divest, sell or otherwise transfer any of its assets necessary to provide the Transition Services; provided, that, subject to Section 1.2(ii), the Service Provider’s obligations to provide or cause to be provided the Transition Services in accordance with this Agreement for the Duration of the applicable Transition Period shall not be abrogated or affected thereby.
2. Payment for Transition Services.
2.1. Service Fees.
(i) In consideration for each Transition Service provided by the Service Provider to the Service Recipient, the Service Recipient shall pay to the Service Provider (or any designee of Service Provider) the Service Fees for such Transition Service in an amount equal to the amount set forth in the applicable Schedule(s) in respect of such Transition Service; provided, that if a Schedule is silent regarding fees for a particular Transition Service, such amount shall be equal to the sum of (A) the Service Provider’s allocated costs (including salary, wages and benefits, but excluding severance and retention costs, which shall be handled pursuant to Section 2.1(ii)) for any of the employees of the Service Provider or Service Provider’s Group who are involved in providing such Transition Service, plus (B) other reasonable miscellaneous out-of-pocket costs and expenses incurred in connection with such Transition Service. The Service Fees for a Transition Service shall not include any severance and/or retention costs incurred by the Service Provider or the Service Provider’s Group as a result of retaining the necessary employees to supply such Service to the Service Recipient in accordance with the terms of this Agreement, which costs shall be handled pursuant to Section 2.1(ii) below. In addition, for any Transition Service (x) provided after the expiration of the initial Transition Period and prior to the three month anniversary of such date, the Service Recipient shall pay, in addition to the aforementioned Service Fees, an amount equal to 25% of such Service Fees and (y) provided after the three month anniversary of the expiration of the initial Transition Period, the Service Recipient shall pay, in addition to the aforementioned Service Fees, an amount equal to 50% of such Service Fees. Monthly fees set forth in the Schedules for Transition Services rendered for a period of less than a whole calendar month shall be determined by multiplying the monthly rate for the relevant Transition Service set forth on the applicable Schedule by the ratio of the number of days in the calendar month such Transition Service was provided over 30. Any portion of the Service Fees not paid when due will accrue interest at a rate of eight percent (8%) per annum or the maximum rate permitted by applicable Law, whichever is less, from the due date until paid. Any costs and expenses incurred in connection with retaining Third Party Providers may be billed directly to the Service Recipient; provided to the extent that the Service Provider is required to make payments on behalf of the Service Recipient to Third Party Providers in connection with the provision of Transition Services, the Service Recipient shall reimburse the Service Provider for the actual cost of such payments in addition to all applicable Service Fees.
5
(ii) The Service Provider shall use commercially reasonable efforts to retain its workforce required to provide the Transition Services and, consistent with its severance and retention policies then in effect, may make severance or retention payments to employees providing the Transition Services (“Severance Costs”). The Service Provider shall be responsible for the Service Provider’s actual Severance Costs for those individuals who are terminated as a result of the completion of any Transition Service.
2.2. Invoicing of Service Fees. Promptly after the end of each calendar month during the applicable Transition Period, the Service Provider will submit a statement of account to the Service Recipient with respect to the Service Fees for all of the Transition Services performed during such calendar month (the “Invoiced Amount”). Unless the Parties otherwise agree in writing, all payments hereunder shall be invoiced and paid in United States dollars. Subject to the requirements of the applicable Schedule(s), all invoices shall be paid by the Service Recipient to the Service Provider by wire transfer of immediately available funds not later than thirty (30) calendar days after receipt by Service Recipient of the Service Provider’s invoice in accordance with the wiring instructions provided by the Service Provider to the Service Recipient. The Service Provider agrees to afford the Service Recipient, upon reasonable written notice, access to such information, records and documentation of the Service Provider as the Service Recipient may reasonably request in order to verify the Invoiced Amount and (at Service Recipient’s expense) allow the Service Recipient to make copies of such records and documentation; provided, however that the Service Recipient shall provide the Service Provider with at least ten (10) days’ prior written notice of its desire to verify any such amounts and provided further that such verification shall not unduly interrupt the ordinary course of business operations of the Service Provider. To the extent that the Service Recipient and the Service Provider mutually determine that any amounts which have been invoiced hereunder are inaccurate, the Service Provider and the Service Recipient shall effect a “true-up” to reimburse the Service Recipient or the Service Provider, as applicable, promptly after such mutual determination (but in no event later than five (5) Business Days following such mutual determination). To the extent that one Party makes such determination and the other Party disagrees with such determination or the amount of the disputed inaccuracy, the Parties shall first comply with the dispute resolution procedures set forth in Section 10.12 below. If the Parties are unable to resolve such dispute after complying with Section 10.12, then the first Party shall provide the other Party with written notice of its proposed reimbursement and the Service Recipient and the Service Provider shall negotiate in good faith to resolve such dispute; provided, however, that if such dispute is not resolved within sixty (60) days following the receipt of notice of such proposed reimbursement, the Service Recipient and the Service Provider shall submit any such disagreement to an internationally recognized accounting firm jointly selected by the Parties (the “Accountant”) for determination. The determination of the Accountant with respect to any such dispute shall be completed within fifteen (15) days after the appointment of the Accountant (or as soon thereafter as the Accountant is able to render its determination), shall be determined in accordance with this Agreement and shall be final, binding and non-appealable upon the Service Recipient and the Service Provider (and the “true-up” payment shall be made to the other Party in accordance with the Accountant’s determination no later than five (5) Business Days following such determination). With respect to the resolution of the disputed item, the Accountant shall adopt (x) the position of the Service Recipient, (y) the position of the Service Provider or (z) a position in between (but not outside of) that of the Service Recipient or the Service Provider. The fees and expenses of the
6
Accountant shall be apportioned between the Parties in proportion to the deviation of the final position adopted by the Accountant from the position of each of the Service Provider or Service Recipient by which the greater the deviation, from a Party’s position, the greater the relative apportionment to such Party. Any claims with respect to overbilling or underbilling, as applicable, shall be made within 180 calendar days after receipt by the Service Recipient of the Service Provider’s invoice.
2.3. No Right of Setoff. The Service Recipient will have no right to set off, discount, or otherwise reduce or refuse to pay any Service Fees due to the Service Provider, whether because of: alleged payments, damages or liabilities owed by the Service Provider to the Service Recipient; alleged or actual claims against the Service Provider; or any other financial obligation of the Service Provider to the Service Recipient in each case, whether under this Agreement or otherwise.
2.4. Payment only for Services Received. The Service Recipient shall compensate the Service Provider only for Transition Services actually received. The Service Recipient shall not make, or shall receive an appropriate credit with respect to, payment for Transition Services that are not provided to the Service Recipient for any reason.
2.5. Audits. The Service Recipient shall have the right to audit the accounting records of the Service Provider with respect to the charges for any Transition Services hereunder for a period of 180 calendar days from the recipient by the Service Recipient of the Service Provider’s invoice with respect to such Transition Services (the “Audit Period”). The Service Provider’s accounting records shall be maintained in sufficient detail to enable an auditor to verify the accuracy, completeness and appropriateness of the charges for the Transition Services hereunder. The Service Provider shall retain such accounting records and make them available to the Service Recipient’s auditors for the Audit Period, provided, however, that the Service Provider may, at its option, transfer such accounting records to the Service Recipient. If an audit of the charges for a Transition Service reveals an overbilling or underbilling, as applicable, by the Service Provider and overpayment or underpayment, as applicable, by the Service Recipient not otherwise addressed in accordance with Section 2.2, the Service Provider or the Service Recipient, as applicable, shall reimburse the Service Provider or Service Recipient, as applicable, within thirty calendar (30) days.
2.6. Record Keeping. The Service Provider shall maintain true and correct records of all receipts, invoices, reports and other documents relating to the Transition Services rendered hereunder in accordance with its standard accounting practices and procedures, consistently applied. The Service Provider shall retain such accounting records and make them available to the Service Recipient’s auditors (other than for the purposes of Section 2.5) to comply with Applicable Law for a period of not less than seven (7) years from the close of each fiscal year of the Service Recipient during which Transition Services were provided, provided, however, that the Service Provider may, at its option, transfer such accounting records to the Service Recipient. The Service Provider shall notify the Service Recipient in writing no less than sixty (60) days (the “Destruction Notice Period”) prior to the destruction or disposal of any receipts, invoices, reports or other documents relating to the Transition Services rendered hereunder. The Service Recipient may, at its option, arrange to take delivery of any such documents (at the Service Recipient’s expense) during the Destruction Notice Period.
7
2.7. Taxes. Each Party shall be responsible for any taxes imposed on net income or receipts and franchise, excess profits, net worth, capital or capital gains taxes, or any payroll related taxes or costs of each Party’s personnel. Each Party shall be responsible for all ad valorem or property taxes applicable to property owned by such Party. The Service Recipient shall pay all VAT, GST, sales, use, value added, goods and services, and all other similar taxes imposed by any federal, state, or local governmental entity in connection with the provision of the Transition Services, excluding taxes based solely on Service Provider’s income or property. The Service Recipient shall pay such taxes, if any, in addition to any applicable Service Fees provided that the Service Provider itemizes such taxes on the Invoiced Amounts. If the Service Recipient is required to withhold or deduct any taxes from any payment required to be made hereunder, the Service Recipient shall not be required to “gross up” the amount of any such payment and shall pay the total amount reflected on the Invoiced Amount less any applicable withholding taxes. The Parties shall cooperate in good faith to minimize taxes to the extent legally permissible. Each Party shall provide and make available to the other Party any resale certificates, treaty certification and other exemption information reasonably requested by the other Party.
3. Service Standards and Warranty Disclaimer.
3.1. Service Standard. Subject to Section 1.2(ii) and any requirements set forth in the applicable Schedule(s), the Service Provider shall, and shall cause the respective members of the Service Provider’s Group or other Persons to, perform the Transition Services in compliance with applicable Law and with the same degree of care, skill and diligence and in substantially the same manner as corresponding services were provided to the Service Recipient during the twelve month period immediately prior to the Effective Date.
3.2. Disclaimer of Warranty. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICE PROVIDER AND THE SERVICE RECIPIENT HEREBY EXPRESSLY DISCLAIM ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, SUITABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE, WITH RESPECT TO THE TRANSITION SERVICES. UNLESS OTHERWISE EXPRESSLY SET FORTH IN THIS AGREEMENT, ALL TRANSITION SERVICES ARE PROVIDED ON AN “AS IS, WHERE IS” BASIS WITHOUT WARRANTY OF ANY KIND.
4. Force Majeure. Except for the obligation to pay for Transition Services provided, no Party shall be liable for any failure of performance attributable to acts, events or causes (including war, riot, rebellion, civil disturbances, capital markets disruptions, terrorism, power failures, failures of telephone lines and equipment, strikes, lockouts, labor disputes, flood, storm, fire and earthquake or other acts of God or conditions or events of nature, or any Law, demand or requirement of any Governmental Entity, each, a “Force Majeure Event”) beyond its reasonable control. Subject to the foregoing, the affected provisions and other requirements of this Agreement shall be suspended during the period of such Force Majeure Event and the affected Party shall have no liability to any other Party in connection therewith. The affected Party shall use commercially reasonable efforts to remove such Force Majeure Event as soon as and to the extent reasonably possible.
8
5. Limitation of Liability. IN NO EVENT SHALL THE SERVICE PROVIDER, MEMBERS OF THE SERVICE PROVIDER’S GROUP OR ANY OF THEIR SHAREHOLDERS, OWNERS, DIRECTORS, OFFICERS, EMPLOYEES, AGENTS OR REPRESENTATIVES BE LIABLE FOR ANY PUNITIVE, SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS OR LOSS OF BUSINESS OPPORTUNITY, BUSINESS INTERRUPTION LOSS, LOSS OF FUTURE REVENUE, PROFITS OR INCOME, LOSS OF BUSINESS REPUTATION, LOSS OF CUSTOMERS OR OPPORTUNITY OR SIMILAR DAMAGES THAT IN ANY WAY ARISE OUT OF, RELATE TO OR ARE A CONSEQUENCE OF ITS PERFORMANCE OR NONPERFORMANCE HEREUNDER, OR THE PROVISION OF OR FAILURE TO PROVIDE ANY OF THE TRANSITION SERVICES HEREUNDER, EXCEPT TO THE EXTENT SUCH DAMAGES RESULT FROM FRAUD, GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT. THE AGGREGATE DAMAGES FOR WHICH THE SERVICE PROVIDER, MEMBERS OF THE SERVICE PROVIDER’S GROUP AND ANY OF THEIR RESPECTIVE SHAREHOLDERS, OWNERS, DIRECTORS, OFFICERS, EMPLOYEES, AGENTS OR REPRESENTATIVES, TAKEN TOGETHER, SHALL BE LIABLE IN CONNECTION WITH OR AS A RESULT OF THIS AGREEMENT OR THE TRANSITION SERVICES SHALL NOT EXCEED AN AMOUNT EQUAL TO THE LESSER OF (X) THE AMOUNT OF SERVICE FEES (INCLUDING ANY INTEREST) PAID OR TO BE PAID WITH RESPECT TO THE TRANSITION SERVICE GIVING RISE TO THE LIABILITY BY THE SERVICE RECIPIENT TO THE SERVICE PROVIDER UNDER THIS AGREEMENT (EXCLUDING FOR THIS PURPOSE SERVICE FEES THAT ARE CHARGED TO THE SERVICE PROVIDER FOR REIMBURSEMENT OF DIRECT THIRD PARTY COSTS) FOR A TWO YEAR PERIOD, WITH SUCH AMOUNT CALCULATED BASED ON THE FEES SET FORTH IN THE SCHEDULES IN RESPECT OF SUCH TRANSITION SERVICE OR (Y) ONE MILLION DOLLARS.
6. Access to Service Providers. The Service Provider shall, and shall cause the Service Provider’s Group to, (i) give the Service Recipient’s employees and agents access during regular business hours to individuals of the Service Provider and the Service Provider’s Group who are responsible for the Transition Services, and (ii) provide to the Service Recipient’s employees and agents information, materials, data and records as they may reasonably request and that are necessary for the purposes of allowing such Persons to exercise general oversight and to monitor the performance of the Transition Services. The Service Recipient shall bear all of the out-of-pocket costs and expenses (including attorneys’ fees, but excluding reimbursement for general overhead, salaries and employee benefits) reasonably incurred by the Service Provider and the Service Provider’s Group in connection with the foregoing.
7. Confidentiality. Each Party acknowledges that each other Party possesses, and will continue to possess, information that has been created, discovered or developed by such other Party and/or in which Intellectual Property rights have been assigned or otherwise conveyed to such other Party, which information has commercial value and is not in the public domain. The proprietary information and Intellectual Property of each Party will be and remain the sole property of such Party and its assigns and nothing in this Agreement is to be construed as an assignment or grant of any right, title or interest in any such proprietary information or Intellectual Property. All proprietary information shall be considered “confidential information” and shall be held by the other Party hereto in strict confidence in the same manner as if it were its
9
own confidential information, and otherwise in accordance with the applicable confidentiality provisions of the separation agreement to be entered into by and between ADT NA and Tyco in connection with the ADT R/SB Separation attached as Exhibit A to the US Contribution Agreement (as such agreement may be amended from time to time, the “ADT Separation Agreement”), and such confidential information will be used only for the purposes of this Agreement and in connection with performing the Transition Services.
8. Intellectual Property.
8.1. Unless expressly agreed otherwise in the ADT Separation Agreement , in any contract or other documents to effect the transfer of assets and the assumption of liabilities in the manner contemplated by the ADT Separation Agreement and the ADT R/SB Separation, in any ancillary agreement entered into in connection with the ADT Separation Agreement, in this Agreement or in a Schedule hereto, the Service Recipient agrees that any Intellectual Property of the Service Provider and the Service Provider’s Group or licensors that make Intellectual Property available to the Service Recipient and/or the Service Recipient’s Group in connection with the Transition Services, and any derivative works, additions, modifications, translations or enhancements thereof created by the Service Provider or the Service Provider’s Group pursuant to this Agreement, are and shall remain the sole property of the Service Provider and the Service Provider’s Group.
8.2. Unless otherwise agreed at the time or expressly set forth in the applicable Schedule(s), all Intellectual Property created by the Service Provider during the Transition Period at the request and solely for the benefit of any of the Service Recipient and paid for by the Service Recipient shall be the property of the Service Recipient, and, to the extent title to any such Intellectual Property vests in the Service Provider by operation of law, the Service Provider hereby assigns and shall cause the members of the Service Provider’s Group to assign to the Service Recipient or any member of the Service Recipient’s Group, all right, title and interest in such Intellectual Property and agrees to provide such assistance and execute such documents as the Service Recipient may reasonably request to vest in the Service Recipient all right, title and interest in such Intellectual Property.
9. Insurance. During the provision of Transition Services, the Service Provider shall maintain appropriate insurance customarily carried in connection with the provision of the Transition Services including, without limitation, general liability insurance, including for personal injury, bodily injury and property damage liability, wrongful death and coverage for contractual liability that may arise from any of the Transition Services being performed by the Service Provider hereunder. Effective as of the ADT NA Distribution Date, the Service Recipient shall be named an additional insured on the Service Provider’s policy. Upon written request, the Service Provider shall provide the Service Recipient with certificates of insurance evidencing the insurance coverage required by this Agreement.
10. General Provisions.
10.1. Assignment. This Agreement shall not be assignable, in whole or in part, directly or indirectly, by any Party without the prior written consent of the other Parties (not to be unreasonably withheld or delayed), and any attempt to assign any rights or obligations
10
arising under this Agreement without such consent shall be void; provided, that a Party may assign this Agreement in whole in connection with a merger transaction in which such Party is not the surviving entity or the sale by such Party of all or substantially all of its assets; provided, that the surviving entity of such merger or the transferee of such assets shall agree in writing, reasonably satisfactory to the other Parties, to be bound by the terms of this Agreement as if named as a “Party” hereto.
10.2. Successors and Assigns. The provisions of this Agreement and the obligations and rights hereunder shall be binding upon, inure to the benefit of and be enforceable by (and against) the Parties and their respective successors and permitted transferees and assigns.
10.3. Other Definitional and Interpretative Provisions. The headings contained in this Agreement are for reference purposes only and will not affect in any way the meaning or interpretation of this Agreement. The use of the masculine, feminine or neuter gender or the singular or plural form of words herein shall not limit any provision of this Agreement. The use of the terms “including” or “include” shall in all cases herein mean “including, without limitation” or “include, without limitation,” respectively. The use of the term “ordinary course of business” shall in all cases herein mean “ordinary course of business consistent with past practices.” Reference to any Person includes such Person’s successors and assigns to the extent such successors and assigns are permitted by the terms of any applicable agreement, and reference to a Person in a particular capacity excludes such Person in any other capacity or individually. Reference to any agreement (including this Agreement), document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and, if applicable, the terms hereof. Reference to any Law means such Law as amended, modified, codified, replaced or re-enacted, in whole or in part, including rules, regulations, enforcement procedures and any interpretations promulgated thereunder, all as in effect on the date hereof. Underscored references to Articles, Sections, Subsections or Schedules shall refer to those portions of this Agreement. The use of the terms “hereunder,” “hereof,” “hereto” and words of similar import shall refer to this Agreement as a whole and not to any particular Article, Section or clause of or Schedule to this Agreement. Capitalized terms used but not defined herein shall have the respective meanings set forth in the ADT Separation Agreement.
10.4. Amendments. This Agreement may not be amended or modified except by an instrument in writing signed by each of the Parties against whom the amendment is to be effective.
10.5. Counterparts; Effectiveness. This Agreement may be executed in one or more counterparts, and by the different Parties in separate counterparts, each of which will be deemed to be an original copy of this Agreement and all of which, when taken together, will be deemed to constitute one and the same agreement. The exchange of copies of this Agreement and of signature pages by facsimile or electronic mail transmission shall constitute effective execution and delivery of this Agreement as to the Parties and may be used in lieu of the original Agreement for all purposes.
10.6. Severability. If any term or other provision of this Agreement is held invalid, illegal or incapable of being enforced by any rule of law or public policy, all other terms
11
and provisions of this Agreement will nevertheless remain in full force and effect and there shall be deemed substituted for the provision at issue a valid, legal and enforceable provision that effects the original intent of the Parties as closely as possible in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
10.7. Governing Law; Jurisdiction.
(i) This Agreement will be governed by, and construed in accordance with, the Laws of the State of New York.
(ii) Subject to the provisions of Section 10.12, each of the Parties irrevocably submits to the exclusive jurisdiction of (a) the Supreme Court of the State of New York, New York County, or (b) the United States District Court for the Southern District of New York (the “New York Courts”), for the purposes of any suit, action or other proceeding arising out of or relating to this Agreement and to the non-exclusive jurisdiction of the New York Courts for the enforcement of any award issued thereunder. Each of the Parties further agrees that service of any process, summons, notice or document by U.S. registered mail to such Party’s respective address set forth below shall be effective service of process for any action, suit or proceeding in the New York Courts with respect to any matters to which it has submitted to jurisdiction in this Section 10.7. Each of the Parties irrevocably and unconditionally waives any objection to the laying of venue of any action, suit or proceeding arising out of this Agreement or the transactions contemplated hereby in the New York Courts, and hereby further irrevocably and unconditionally waives and agrees not to plead or claim in any such court that any such action, suit or proceeding brought in any such court has been brought in an inconvenient forum.
10.8. Waiver of Jury Trial. EACH OF THE PARTIES HEREBY WAIVES TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY WITH RESPECT TO ANY LITIGATION DIRECTLY OR INDIRECTLY ARISING OUT OF, UNDER OR IN CONNECTION WITH THIS AGREEMENT OR THE TRANSACTIONS CONTEMPLATED BY THIS AGREEMENT. EACH OF THE PARTIES HEREBY (A) CERTIFIES THAT NO REPRESENTATIVE, AGENT OR ATTORNEY OF ANY OTHER PARTY HAS REPRESENTED, EXPRESSLY OR OTHERWISE, THAT SUCH OTHER PARTY WOULD NOT, IN THE EVENT OF LITIGATION, SEEK TO ENFORCE THE FOREGOING WAIVER AND (B) ACKNOWLEDGES THAT IT HAS BEEN INDUCED TO ENTER INTO THIS AGREEMENT AND THE TRANSACTIONS CONTEMPLATED BY THIS AGREEMENT, AS APPLICABLE, BY, AMONG OTHER THINGS, THE MUTUAL WAIVERS AND CERTIFICATIONS IN THIS SECTION 10.8.
10.9. Conflicts. In the case of a conflict between the terms and conditions of this Agreement and any Schedule to this Agreement, the terms and conditions of such Schedule shall control and govern as it relates to the Transition Services to which such terms and conditions apply.
10.10. No Agency, Authority or Franchise. The Service Provider will perform the Transition Services in its capacity of an independent contractor. Neither the Service Recipient nor the Service Provider shall act or represent or hold itself out as having authority to
12
act as an agent or partner of the other, or in any way bind or commit the other to any obligations. Nothing contained in this Agreement shall be construed as creating a partnership, joint venture, agency, trust or other association of any kind, each Party being individually responsible only for its obligations as set forth in this Agreement. Furthermore, nothing contained in this Agreement, or any Party’s performance under this Agreement, shall be construed as creating a franchisee/franchisor relationship. Except as expressly otherwise provided in this Agreement or the ADT Separation Agreement, the Service Provider shall have no obligation to provide any assistance of any kind or character to the Service Recipient in connection with the Service Recipient’s conduct of its business or affairs or otherwise, including the applicable business of the Service Recipient.
10.11. Administrative Contacts; Transition Managers. TIMCO and Commercial each designates Xxxx Main as its administrative contact for purposes of this Agreement and ADT designates Xxxxxxx Xxxxxxx as its administrative contact for purposes of this Agreement. All initial contacts between the Parties regarding issues and matters arising under this Agreement or any other administrative matters in connection with the transactions contemplated hereby shall be directed to each Party’s administrative contact. The administrative contact for each Party shall be authorized by the applicable Party to provide verbal or written consent to approve any changes to the Schedules. Any Party may from time to time change its administrative contact by providing written notice thereof to the other Parties.
10.12. Dispute Resolution. Prior to initiating any legal action in accordance with Section 10.7 or the dispute resolution procedures outlined in Section 2.2 with respect to invoiced Service Fees, any dispute, controversy or claim arising out of, relating to or in connection with this Agreement, or the breach, termination or validity thereof (a “Dispute”), shall be resolved by submitting such Dispute first to the service managers of the Parties most immediately responsible for the issue giving rise to the Dispute who shall seek to resolve such Dispute through informal good faith negotiation. If the Dispute is not resolved at that level of management within seven (7) Business Days after the claiming party verbally notifies the other party of the Dispute, then the Dispute shall be escalated to the applicable Parties’ administrative contact set forth in Section 10.11 for resolution. In the event such contacts fail to meet or, if they meet, fail to resolve the Dispute within an additional seven (7) Business Days, then the claiming Party will provide the other Party with a written “Notice of Dispute”, describing the nature of the Dispute, and the Dispute shall be escalated to a joint management board (the “Joint Management Board”) consisting of the Chief Financial Officer and/or Controller of each Party. The members of the Joint Management Board shall meet within seven (7) Business Days after such Notice of Dispute is provided by the claiming Party to the other Party and confer in a good faith effort to resolve the Dispute. If the members of the Joint Management Board fail to resolve the Dispute within seven (7) Business Days after they begin meeting, then the Dispute (other than Disputes pursuant to invoiced Service Fees, which shall be finally settled in accordance with Section 2.2) shall be finally settled in accordance with Section 10.7 (and subject to Section 10.8). A Party’s failure to comply with this Section 10.12 shall constitute cause for dismissal without prejudice of any legal proceeding. For the avoidance of doubt, the Parties shall continue to provide Transition Services as required under this Agreement during the resolution of any Disputes hereunder.
13
10.13. Specific Performance. Either Party may seek relief in the form of specific performance to enforce any payment or performance due hereunder of the Parties from and after the date hereof in connection with any non-performance, of any term, provision, covenant, or agreement contained herein and, along with the right to seek injunctive relief.
10.14. Term of Agreement. This Agreement will terminate and be of no further force or effect immediately upon the date that the last Transition Period ends (as such Transition Period may be extended pursuant to the provisions hereof); provided, however, that the Service Recipient may, by giving 180 days (or such other period as agreed by the Parties (acting reasonably in consideration of the nature of the Transition Service in question) in writing) notice to the Service Provider, terminate this Agreement with respect to a particular Transition Service effective immediately upon the expiration of such period, except as otherwise expressly provided in the applicable Schedule(s) or, if such Transition Service is being provided by a Third Party Provider, the timing of the effectiveness of such early termination shall be mutually agreed upon by the Service Provider and the Service Recipient so that there is no material disruption to, or additional costs to be incurred with respect to, any services provided by such Third Party Provider (including services provided by such Third Party Provider that are outside of the scope of this Agreement); provided further that any termination of this Agreement with respect to a particular Transition Service may be on a location by location basis if so indicated on the applicable Schedule(s). The Service Provider and the Service Recipient acknowledge and agree that after partial termination of this Agreement with respect to any particular Transition Service, the Service Recipient shall no longer have any payment obligations pursuant to Section 1 or Section 2 hereof with respect to such Transition Service and that a partial termination of this Agreement with respect to any particular Transition Service will in no event affect the Service Provider’s obligation to perform any other Transition Services hereunder. Additionally, any Party may terminate this Agreement in its entirety if the other Party commits a material breach of any of the provisions of the Agreement and does not cure such breach within sixty (60) days after receipt of written notice thereof. Upon termination or expiration of this Agreement, Sections 2 (as to (i) any unpaid amounts for Transition Services rendered prior to the termination or expiration of this Agreement or (i) audit rights), 3, 5, 7 and 10 will survive any termination or expiration of this Agreement.
10.15. Schedules. All Schedules annexed hereto or referred to herein are hereby incorporated in and made a part of this Agreement as if set forth in full herein.
10.16. No Third-Party Beneficiaries. This Agreement is not intended to, and will not, confer any rights or remedies upon any Person other than the Parties and their respective successors and permitted assigns.
10.17. Entire Agreement. This Agreement (including the Schedules hereto), together with the US Contribution Agreement and the ADT Separation Agreement when entered into, constitute the entire agreement of the Parties hereto with respect to the subject matter hereof and supersede all prior agreements and undertakings with respect to the subject matter hereof, both written and oral. None of the US Contribution Agreement or this Agreement nor the ADT Separation Agreement shall be deemed to contain or imply any restriction, covenant, representation, warranty, agreement or undertaking of any Party with respect to the transactions contemplated hereby or thereby other than those expressly set forth herein or therein, and none shall be deemed to exist or be inferred with respect to the subject matter hereof.
14
10.18. Time Periods. Unless specified otherwise, any action required hereunder to be taken within a certain number of days shall be taken within that number of calendar days (and not Business Days); provided, however, that if the last day for taking such action falls on a weekend or a holiday in the United States, the period during which such action may be taken shall be automatically extended to the next Business Day.
10.19. Data Security Addendum. Each Party shall comply with the Data Security Addendum set forth on Annex A to this Agreement.
10.20. Notices. All notices, requests, claims, demands and other communications hereunder will be in writing and will be given or made (and will be deemed to have been duly given or made upon receipt, if delivered by hand, one Business Day after being sent, if sent by a reputable, overnight courier service, three (3) Business Days, if sent by registered or certified mail and at the time when confirmation of successful transmission is received by the sending facsimile machine, if sent by facsimile) by delivery in person, by courier service, by confirmed telecopy, or by registered or certified mail (postage prepaid, return receipt requested) to the Parties at the following addresses (or at such other address for a Party as will be specified by like notice):
(i) if to Commercial or TIMCO:
Tyco International Ltd.
c/o Tyco International Management Company, LLC
0 Xxxxxx Xxxx
Xxxxxxxxx, XX 00000
Attn: General Counsel (with a copy to Xxxx Main, Vice President Finance)
Fax: (000) 000-0000
(ii) if to ADT:
ADT LLC
0000 Xxxxxx Xxxx
Xxxx Xxxxx, XX 00000
Attn: Law Department (with a copy to Xxxx Xxxxx, Senior Vice President Business Operations)
Fax: (000) 000-0000
15
[SIGNATURE PAGE FOLLOWS THIS PAGE]
16
| TYCO INTERNATIONAL MANAGEMENT COMPANY, LLC | ||
| By: |
| |
| Name: |
|
| Title: |
|
| TYCO INTEGRATED SECURITY LLC | ||
| By: |
| |
| Name: |
|
| Title: |
|
| ADT LLC | ||
| By: |
| |
| Name: |
|
| Title: |
|
| Annex A
Data Security Addendum |
1. Provider’s Use of U.S. Resources.
1.1 Use Permitted. Subject to any other requirements and/or approvals set forth hereunder, Recipient acknowledges that Provider may, from time to time, perform the Transition Services using Provider personnel working outside the United States of America (at the locations that have been previously approved in writing by Recipient) who are either U.S. Citizens or U.S. Nationals, and Provider personnel working in the United States of America who are not American citizens (collectively, “U.S. Resources”); provided, however, that Provider will only use U.S. Resources to perform services that does not involve access to Classified Information or Technology1, Controlled Unclassified Information or Technology2, and non-Controlled Government Contract-related Information pertaining to U.S. Government contracts (collectively “U.S. Government Data”). If Provider’s Transition Services involve accessing, or the potential to access, U.S. Government Data Provider shall use all reasonable efforts to use Provider personnel who meet individual eligibility requirements for access to U.S. Government Data (“Government Resources”) as defined herein. Provider will not use Provider Personnel who are non-Resident Aliens (“Visa Holder” or “Work Authorizations”) for any Transition Service involving access to U.S. Government Data. For Transition Services involving access to U.S. Government Controlled Unclassified Information or Technology, Provider will use Provider personnel who are resident citizens of the United States, and have an active U.S. Government Public Trust background investigation of NAC-I, which has been adjudicated and approved through the Recipient’s respective U.S. Government Central Adjudication Facility (“CAF”) Authority (collectively, “CUI Resources”). For Transition Services involving access to U.S. Government Classified Information or Technology, Provider will use Provider personnel who are will be resident citizens of the United States, and have an active U.S. Government security clearance investigation of NACLC/SECRET or SSBI/TOP SECRET, where determined by Recipient FSO, which can be verified through the Joint Personnel Adjudication System (collectively, “Cleared Resources”). . If Provider cannot reasonably use Government Resources when accessing U.S. Government Data, Provider will obtain advance written approval to use non-Government Resources from Recipient’s FSO. The term “Personnel” when used in this Agreement in relation to Provider, shall refer to the employees, subcontractors and independent contractors of Provider, as well as the employees and independent contractors of Provider’s subcontractors. Except as
| 1 | Any information or technology that has been determined pursuant to Executive Order 13526 (or any predecessor or successor thereof) to require protection against unauthorized disclosure and is so designated. The classifications TOP SECRET, SECRET, and CONFIDENTIAL are used to designate such information. |
| 2 | Controlled Unclassified Information or Technology, the export of which is controlled by the International Traffic in Arms Regulations (“ITAR”) or the Export Administrative Regulations (“EAR”). The export of technical data, which is inherently military in nature, is controlled by the ITAR. The export of technical data, which has both military and commercial uses, is controlled by the EAR. Controlled Unclassified Information includes other forms information or technology that is (i) pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. |
expressly agreed to in writing, Provider agrees to present to Recipient only those personnel who are eligible to work in the United States (or in the case of personnel working in another country, only personnel who are eligible to work in the respective country (or political subdivision thereof) where they are working, pursuant to relevant statutes and regulations. All personnel assigned by Provider to perform any of its obligations shall be fully qualified to perform the tasks assigned them. Provider shall provide Recipient with such information regarding proposed Provider personnel to be assigned to perform Transition Services as Recipient may reasonably request. Recipient shall have the right, in its reasonable discretion, to reject the assignment of any such personnel, and upon such rejection Provider shall propose alternate personnel.
2. Protection of Recipient Data & Personal Information
2.1 The following subsets of Recipient Confidential Information are subject to additional protections as described herein.
(a) “Recipient Data” will mean all Recipient Confidential Information entered in documentation, software or equipment by or on behalf of Recipient: i) that is data supporting or derived from the provision of Transition Services to Recipient end users or ii) relating to Recipient’s customers, dealers and vendors, and information derived from such information, including as stored in or processed through the equipment or software.
(b) “Personal Information” means any personally identifiable information or data concerning or relating to a Recipient’s employees, customers or prospective customers that may be used to uniquely identify or contact such employees, customers or prospective customers. Personal Information includes the sub-category “Personal Sensitive Information” or “PSI”. PSI is the following Recipient Designated Personal Information that requires additional control and protection: credit cards, debit cards, bank account numbers, social security numbers/social insurance numbers, passwords, security challenge information, driver’s license numbers, unique biometric data and Personal Identification Codes (“PIC”). PSI also includes Personal Health Information (“PHI”) and Non-Public Personal Information (“NPPI”), as such terms are defined under any applicable privacy law of the United States or any other country if applicable, including by not limited to the Health Information Portability and Privacy Act, if applicable (collectively, the “Privacy Laws”); and any other information that Recipient may identify in writing as Personal Sensitive Information.
2.2 Ownership and Treatment of Recipient Data.
(a) Recipient Data will be and remain, as between the Parties, the property of Recipient. Provider will not possess or assert any lien or other right against or to Recipient Data. No Recipient Data, or any part thereof, will be commercially exploited by or on behalf of Provider. Recipient shall own and retain all right, title and interest, including all intellectual property rights, in and to all Recipient Data and any information submitted to the applications by its users that is not otherwise Provider’s Confidential Information. Provider acknowledges and agrees that notwithstanding any reformatting, modification, reorganization or adaptation of the Recipient Data (in whole or in part) during its incorporation, storage or processing, or the creation of derivative works from the Recipient Data, the Recipient Data will remain as such and will be subject to the terms and conditions of this Agreement. This Agreement does not grant to
Provider any license or other rights, express or implied, in the Recipient Data, except that Recipient grants to Provider , a limited, non-transferable, non-exclusive, non-sub-licensable license to Recipient Data for the sole purpose of performing the Transition Services and Provider obligations under this Agreement.
(b) Provider will use commercially reasonable efforts to correct any errors occurring in any Recipient Data and restore any losses of any Recipient Data to the extent that such errors or losses are caused by Provider’s failure to comply with the terms of this Agreement.
2.3 Protection of Recipient Data & Personal Information. Provider shall manage Recipient Data and Personal Information in its control subject to the requirements of Appendix 1 to this Annex A Data Security Requirements, as amended by Recipient upon written notice to Provider from time to time, provided that any resulting change to the Transition Service will be undertaken only as permitted pursuant to the Agreement.
(a) Provider employees, agents and/or subcontractors will not attempt to access, or allow access to, any Recipient Data or Personal Information which they are not permitted to access under this Agreement. If such access is attained, Provider will follow the reporting process described in Appendix 1 to this Annex A Data Security Requirements.
(b) Unless Recipient’s Vice President, CIO, or their delegate of authority approves in writing the provision of certain Transition Services from a location outside of the United States, or unless previously approved via a written Amendment to this Agreement that has been mutually executed by an authorized representative of each party, in no event will Provider store any Personal Information on any server or other equipment located outside of the United States or Canada or allow access to any to Recipient Data from outside of the United States or Canada.
(c) Provider is expressly prohibited from using any Personal Information obtained under this Agreement, to contact or market to employees, customers or prospects of any Recipient through any means and/or for any other purpose. Provider agrees that such Personal Information will not be given to any third party for any use whatsoever.
2.4 Additional Data Privacy for PCI. Without limiting any prohibitions regarding the treatment of Personal Information, at all times during and after the Term of this Agreement, Provider shall use, handle, collect, maintain, and safeguard all Personal Sensitive Information in accordance with a Privacy Policy reasonably acceptable to Recipient and consistent with the requirements articulated in this Agreement, Appendix 1 to this Annex A and with all applicable Canadian and United States federal, provincial, and state consumer privacy laws, regulations and rules (collectively, “Privacy Rules”) which may be in effect during the Term of this Agreement as it concerns the subject matter of this Agreement. Provider further acknowledges that it alone is responsible for understanding and complying with its obligations under the Privacy Rules. If the Personal Sensitive Information includes any credit card information Provider shall be responsible for complying with all applicable information security practices promulgated by the applicable federal, provincial, state, and municipal laws, regulations, and statutes pertaining to
the acquisition, handling, and disposition of all such credit card information, and also by industry associations, including, but not limited to, the applicable standards of the Payment Card Industry (“PCI”) Data Security Standard.
2.5 Transition Service Continuity. At all times during the Term, Provider shall maintain and manage a Service Continuity Plan as described in Appendix 1 to this Annex A. Provider further agrees not to make any material changes to its Service Continuity Plan that will result in a reduction of Provider’s level of support for its Transition Service continuity.
2.6 Security Requirements.
(a) Provider shall implement minimum security measures as specified in herein, and specifically as set forth in Appendix 1 to this Annex A, The Provider Information Security Requirements, to protect Provider’s computer systems, networks and databases, and the data processed, transmitted or stored thereon (including, without limitation, Recipient Data and Personal Information) against the risk of penetration by, or exposure to, a third party via any system or feature utilized by Provider in performing such work or accessing such systems. Unless otherwise specified in the security requirements set forth herein, such protections will include, but not be limited to: (i) protecting against intrusions, including but not limited to intrusions of operating systems or software, (ii) encrypting Recipient Confidential Information, and (iii) securing the computer systems and network devices.
(b) Provider shall employ the highest industry standard of encryption mechanisms as is customary in the industry to protect Recipient Confidential Information which is transmitted over any wireless connection or across any untrusted connection (including, but not limited to, the public Internet). Without limiting the generality of the foregoing, Provider shall ensure that (i) all transmissions of Recipient Data and Personal Information between the Applications and an Authorized User are transmitted using HTTPS and 128-bit or higher Secure Sockets Layer encryption, (ii) Personal Sensitive Information, including back-up copies thereof, stored by Provider at Provider’s data center are encrypted using 128-bit or higher encryption, and (iii) Recipient Data and Personal Information, including backup copies thereof, that are removed from Provider’s facility or stored off-site are encrypted using 128-bit or higher encryption.
(c) Provider shall immediately notify Recipient, through Recipient’s designated contact and any other designated security escalation channel, if Provider knows of, or has reasonable belief of, a breach of security of a Provider system or database that contains Personal Information or any other Recipient Confidential Information, or the knowledge or reasonable belief of actual loss or theft of any such data, or access by any unauthorized party to such data, and will cooperate, work with Recipient and provide necessary information concerning such breach sufficient for Recipient to evaluate the likely consequences and any legal or regulatory requirements arising out of the event unless the sharing of such data would compromise the security or confidentiality of Provider or of Provider’s other customers. Provider shall use its best efforts to immediately terminate any security breaches or suspicious activity. Provider shall not allow any security breach or suspicious activity to persist for any amount of time or for any reason except as required by law, or as deemed reasonably necessary by Provider to determine the identity of the perpetrator and to stop such breach or suspicious activity. If any breach of the security, confidentiality, or privacy of the Recipient Data or Personal Information requires notification by Recipient to any party under any of the Privacy Laws, Recipient shall have sole control over the timing, content, and method of such notification and Provider shall reimburse Recipient for its out-of-pocket costs in providing the notification.
2.7 Occurrence Reports. Within five (5) days following Provider’s discovery of the occurrence of a security breach or suspicious activity, Provider shall provide Recipient written documentation of the cause, remedial steps and future plans to prevent a recurrence of the same or similar breach or suspicious activity. If such remedial plan is acceptable to Recipient, Provider shall immediately implement the proposed remedial plan or in a mutually agreed upon timeframe. If such remedial plan is unacceptable, based on Recipient’s reasonable judgment, Provider shall promptly but in any event no later than ten (10) days enter into good faith negotiations to address the proposed remedial plan. Provider shall reasonably cooperate with Recipient security investigation activities and with the preparation and transmittal of any notice or any action, which Recipient in its sole discretion may deem appropriate or required by law, to be sent or done for customers or other affected third parties regarding any known or suspected security breach.
2.8 Security Review.
(a) Recipient or Recipient’s authorized agent may, no more than once annually, at its reasonable advanced request perform a security review. Initially the security review will be performed by means of a security questionnaire. If Recipient deems the response to the security questionnaire insufficient, then, and, to the extent reasonably necessary to provide reasonable assurance thereafter, Recipient may expand the review to verification of the controls through observation, and inquiry, (which may, at a minimum, include the items described in Appendix 1 to this Annex A) of the facilities from which the Transition Services and computer applications used therein are provided for, operated or hosted. Provider agrees to meet with Recipient to discuss the security review and the results of such review and Provider shall take reasonable corrective action to remedy any deficiencies identified by such review at Recipient’s discretion.
2.9 Recipient Networks.
(a) “Recipient Networks” means collectively, computers, computer systems and networks of Recipient. If access to Recipient’s Networks is required in order for Provider to fulfill its obligations to Recipient, then Recipient shall determine the nature and extent of such access. If remote access to Recipient’s Networks is given to Provider, then any and all information relating to such remote access shall be considered Recipient’s Confidential Information. In addition, any and all access to Recipient Networks shall be subject to the following:
Access to Recipient Networks will be restricted to Provider’s Personnel who need access in order for Provider to fulfill its obligations under this Agreement; and no access rights will be transferred to any other individuals without the prior written consent of Recipient; and
Provider shall use commercially reasonable efforts to ensure that its Personnel do not attempt to break any security systems related to the Recipient Networks, or attempt to obtain access to any programs or data beyond the scope of the access granted, in writing, by Recipient.
Without limiting any of its other rights, Recipient shall have the right to restrict and monitor the use of the Recipient Network, and to access, seize, copy and disclose any information, data or files developed, processed, transmitted, displayed, reproduced or otherwise accessed on Recipient Networks. Recipient may exercise its rights reserved hereunder: (i) to verify the performance of Transition Services; (ii) to ensure compliance by Provider’s Personnel with Recipient’s policies and procedures while on Recipient Networks; (iii) to work with Provider to investigate conduct that may be illegal or may adversely affect Recipient; and (iv) to prevent inappropriate or excessive personal use of Recipient Networks. Provider will advise its Personnel concerning the rights stated hereunder
2.10 Export Compliance and Security Classifications.
(a) Provider understands that certain Recipient Data may be subject to: (i) U.S. and other export control laws and regulations, or (ii) U.S. Defense Department (“DoD”) procedures such as those governing release of “Controlled” or “Uncontrolled Technical Data,” Classified or Controlled Unclassified Information or Technology, and non-Controlled Government Contract-related Information, or (as defined in any applicable regulation) to certain foreign nationals. The Parties agree not to transfer or otherwise export or re-export (and to cooperate to prevent such transfers of) any such Recipient Data except in compliance with the applicable laws and use restrictions. For Recipient Data, regulated transfers may include those made to foreign nationals in the United States or another country. The Parties will work together to create policies and procedures, regarding the access to and transferring of such materials. Provider agrees not to allow any access to any such identified Recipient Data by any personnel that Provider employs who are on the U.S. Treasury Department’s list of Specially Designated Nationals, on the U.S. Commerce Department’s Denied Persons List, Entity List or Unverified List, or who are nationals of Cuba, Iran, Sudan, or Syria, or any other countries that may be added to the list of U.S. embargoed countries from time to time. Provider agrees not to allow access by any personnel that Provider employs that are not U.S. nationals to Recipient Data identified in advance subject to DoD restrictions, ITAR, (Title 22 of the U.S. Code of Federal Regulations, Parts 120– 130, as amended,) and the EAR (Title 15 of the U.S. Code of Federal Regulations, Subtitle B, Parts 730 – 774, as amended), or similar restrictions. The Parties acknowledge that Provider is not registered as an Arms Manufacturer with the Directorate of Defense Trade Controls. Recipient agrees not to engage Provider in any activity that would require registration under ITAR regulations. Provider and Recipient shall cooperate to restrict access to any other Recipient Data to such nationals and personnel as may lawfully receive it without an export license unless and until any and all required licenses are obtained. Provider agrees to abide by U.S. law, rules and/or regulations in the performance of the Services under this Agreement or any SOW, including but not limited to, those related to exports as defined in both the ITAR and EAR.
(b) Recipient represents that software provided by Recipient and used as part of the Services contains no encryption or, to the extent that it contains encryption, the software is approved for export without a license. If Recipient cannot make the preceding representation, Recipient agrees to provide Provider with all of the information needed for Provider to obtain
export licenses from the United States government and to provide Provider with such additional assistance as may be necessary to obtain such licenses. Recipient is solely responsible for obtaining any specific licenses relating to the export of such software if a license is needed. Provider’s acceptance of any order for Transition Services for such software is contingent upon the issuance of any applicable export license required by the United States Government.
2.11 Government Clauses
This Agreement incorporates certain U.S. Government provisions by reference with the same force and effect as if they were given in full text. The FAR, DFAR, and DEAR may be obtained at the following Government Web sites: xxxx://xxx.xxxxx.xxx/xxx/ for FAR: xxxx://xxx.xxx.xxx.xxx/xxxx/xxxx/xxxxx.xxxx for DFAR; and xxxx://xxx.xx.xxx.xxx/xxxx.xxxx for DEAR.
Whenever necessary to make the context of the U.S. Government Clauses set forth below applicable to this Agreement, the term “Contractor” shall mean Provider, the term “Contracting Officer” or “Cognizant Security Office” shall mean Recipient’s FSO, the term “Contract” shall mean this Agreement, the term “Subcontract” shall mean any lower-tiered subcontract issued by Provider. The Provider shall comply with the National Industry Security Program Operating Manual (DoD 5220.22-M) and any revisions to that manual (“NISPOM”); UL Standard for National Industrial Security Systems (“UL 2050”), UL Standard for Central Station Alarm Services (“UL 827”), Intelligence Community Directive 700 through 705 (“ICD 700 series”), Physical Security of Arms Ammunition and Explosives (“AAE”), Physical Security Standards for Sensitive Compartmented Information Facilities (“DCID 6-9”); and Physical Security Standards for Special Access Program Facilities (“JAFAN 6-9”), where applicable to Recipient Data.
The following clauses are hereby incorporated by reference:
| FAR 52-204-2 | Security Requirements | |
| DFAR 252.204-7000 | Disclosure of Information | |
| DFAR 252.223-7007 | Safeguarding Sensitive Conventional Arms, Ammunition and Explosives | |
| DEAR 000-000-0 | Security Requirements | |
| DEAR 000-000-00 | Public Affairs | |
| E.O. 13556 | Controlled Unclassified Information | |
| E.O. 13526 | Classified National Security Information |
2.12 Federal Information Security Management Act
(a) For Transition Services involving U.S. Government Data, Provider will deliver services in compliance with the Federal Information Security Management Act (“FISMA”) with a SC Sensitive Government Data type = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, NOT APPLICABLE)}. ViaWest will construct and maintain the Tyco Space in accordance with such construction and maintenance requirements.
(b) For Transition Services involving Classified Information or Technology, Provider will deliver services in compliance with the National Industry Security Program Operating Manual (DoD 5220.22-M) and FISMA, with a SC Classified Information type = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}.
3. Security Requirements
Provider shall adhere to the Security Requirements described in Appendix 1 to this Annex A.
4. Required Background Checks. Following is a list of specific background checks that must be performed and documented prior to the start date of all Provider personnel, including all Provider subcontracted personnel. Provider is responsible for obtaining and maintaining documentation substantiating that all items listed have been performed. Audits may be performed by Recipient upon reasonable notice to Provider and during normal business hours.
| TYPE OF CHECK |
| Social Security Number Verification (Includes Trace) |
| Criminal Search - Minimum 7 years (County Criminal; residence, school, & employment) – all counties provided or developed |
| US Department of Treasury’s Office of Foreign Assets Control (OFAC) Specially Designated National or a Blocked Persons |
| Employment Verification - last 3 employers or past 7 years whichever comes first |
| Education Verification (highest level obtained post high school) |
| Professional License or Certificate Verification (if appropriate) |
Appendix 1
SERVICE PROVIDER INFORMATION SECURITY REQUIREMENTS
The following items are considered Recipient’s minimum security requirements. This exhibit is not meant to be a comprehensive list of security requirements. Provider agrees to include the requirements of this Exhibit as a part of the Agreement. These requirements apply to Provider operations as well as any third-party that may provide services on behalf of Provider.
| 1.0 | Definitions. |
“Recipient Production Data” means Recipient Confidential information that resides in a production environment. Data that is masked and in development and/or test environments is not included.
“Confidential Information” means any proprietary information of a party or any information disclosed by or on behalf of a party (the “Discloser”) to the other party (the “Recipient”) during the term of this Agreement, except information that Recipient can demonstrate:
(a) is or becomes generally available to the public other than as a result of disclosure by the Recipient;
(b) is already known by or in the possession of the Recipient at the time of disclosure by the Discloser as evidenced by written documentation in the Recipient’s possession prior to receipt of the Confidential Information;
(c) is independently developed by the Recipient without use of or reference to the Confidential Information of the Discloser; or
(d) is obtained by the Recipient from a third party that has not breached any obligations of confidentiality.
For greater certainty, ADT’s Confidential Information shall include information transferred by Commercial to ADT pursuant to the ADT R/SB Separation.
“Data Masking” means the process of modifying records to conceal Recipient Production Data, especially when such records are copied from a production environment to a non-production environment.
“Information Processing System(s)” means the individual and collective electronic, mechanical, or software components of Provider operations that store and/or process Recipient Confidential Information.
“Information Security Event” is defined as any situation where it is suspected or confirmed that Recipient Confidential Information is lost; is subject to unauthorized or inappropriate access, use, or misuse; the security, confidentiality, or integrity of the information is compromised; or the availability of Provider Information Processing Systems is compromised by external attack.
“Provider” means any third party with access to Recipient Confidential Information including Recipient Production Data by, through or under Provider including sub-contractors
and sub-subcontractors of whatever tier. Nothing contained in this provision shall constitute a waiver by Recipient of any requirements set forth in the Agreement for Provider to obtain Recipient’s prior written consent to utilize a third party to provide any portion of the Transition Services.
“Security Breach” is defined as an unauthorized access to Provider’s or a Provider’s facilities, Information Processing Systems or networks used to service, store, or access Recipient Confidential Information.
“Personal Sensitive Information” includes but is not limited to credit cards, debit cards, bank account numbers, social security numbers/social insurance numbers, passwords, PHI, driver’s license numbers, or Personal Identification Code (PIC).
| 2.0 | Security and Confidentiality. |
Before receiving, or continuing to receive, Recipient Data, Provider will implement and maintain an information security program that ensures: 1) Confidential Information and Provider’s Information Processing Systems are protected from internal and external security threats; and 2) that Recipient Confidential Information is protected from unauthorized access and disclosure
| 3.0 | Security Policy. |
| 3.1 | Formal Security Policy. Consistent with the requirement of this Attachment, Provider will create and provide to Recipient an information security policy that is approved by Provider’s management, published and communicated to all Provider’s employees and relevant Providers. |
| 3.2 | Security Policy Review. Provider will review the information security policy at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. |
| 4.0 | Organizational Security. |
| 4.1 | Provider Access. |
| 4.1.1 | Prior to allowing Providers to access Recipient Confidential Information, Provider will require Providers to agree in writing to appropriate binding obligations to maintain the confidentiality of Recipient Confidential Information. |
| 4.1.2 | In addition, prior to allowing Providers to access Recipient Production Data, including Provider Information Processing Systems or media containing Recipient Production Data, Provider will: |
| 4.1.2.1 | Submit a written request for the access to Recipient and receive consent for the access. |
| 4.1.2.2 | Identify and mitigate risks to Recipient Production Data from this access. |
| 4.1.3 | Provider will include as part of its contracts with Providers having access to Recipient Confidential Information provisions requiring such Providers to maintain the confidentiality obligations of this Agreement. |
| 4.1.4 | In addition, Provider will include as part of their contracts with Providers having access to Recipient Production Data substantially similar security requirements as contained in this document and make this a requirement for all new subsequent parties receiving Recipient Confidential Information. |
| 5.0 | Asset Management. |
| 5.1 | Asset Inventory. Provider will maintain an inventory of all Provider Information Processing Systems and media containing Recipient Confidential Information. |
| 5.2 | Acceptable Use. Provider will implement rules for the acceptable use of information and assets which is no less restrictive than industry best practice and consistent with the requirements of this exhibit. |
| 5.3 | Equipment Use While on Recipient Premises. While on Recipient’s premises, Provider will not connect hardware (physically or via a wireless connection) to Recipient systems unless necessary for Provider to perform Transition Services under this Agreement. Recipient has the right to inspect or scan such hardware before or during use. |
| 5.4 | Portable Devices. - The following restrictions apply to storing Recipient Confidential Information on portable devices: |
| 5.4.1 | Recipient Production Data, may not be stored on portable devices including, but not limited to, laptops, Personal Digital Assistants, mobile devices, MP3 devices, and USB devices unless the Recipient Production Data on the Devices is encrypted and secured from unauthorized access. |
| 5.4.2 | All other Recipient Confidential Information may not be stored on portable devices including, but not limited to, laptops, Personal Digital Assistants, and MP3 devices unless the devices are password protected to secure them from unauthorized access. |
| 5.5 | Personally-owned Equipment. Recipient Confidential Information may not be stored on personally-owned equipment not controlled by Provider. |
| 5.6 | Protection of Data at Rest. Provider shall use and employ a high standard of data protection mechanisms as is customary in the industry to protect Recipient Production Data. |
| 5.6.1 | All Recipient Personal Sensitive Information at rest, including back-up copies thereof, stored by Provider at Provider’s data center are encrypted using at least 128-bit AES encryption, or encryption mechanisms providing equal or higher protection than 128-bit AES. |
| 5.6.2 | Any Recipient Production Data, including backup copies thereof that are removed from Provider’s facility or stored off-site are encrypted using 128-bit AES or encryption mechanisms providing equal or higher protection than 128-bit AES. |
| 5.6.3 | Any Recipient Confidential Information may not be stored within a file or database in the DMZ. |
| 5.6.4 | All keys used for encryption must be handled in accordance with documented key management processes and procedures. |
| 6.0 | Human Resources Security. |
| 6.1 | Security Awareness Training. Prior to Provider employees and Providers receiving access to Recipient Confidential Information, they will receive security awareness training appropriate to their job function. Entities will also ensure that recurring security awareness training is performed. |
| 6.2 | Removal of Access Rights. The access rights of all Provider employees and Provider users to Provider Information Processing Systems or media containing Recipient Confidential Information will be removed rapidly, and within 24 hours of termination of their employment, contract or agreement, or adjusted upon change. |
| 6.3 | Screening. Employ background verification checks on all candidates for employment, contractors, and third party users carried out in accordance with relevant laws, regulations and proportional to the classification of the information to be accessed |
| 7.0 | Physical and Environmental Security. |
| 7.1 | Secure Areas. Provider will secure all areas, including loading docks, holding areas, telecommunications areas, cabling areas and off-site areas that contain Information Processing Systems or media containing Recipient Confidential Information by the use of appropriate security controls in order to ensure that only authorized personnel are allowed access and to prevent damage and interference. The following controls will be implemented: |
| 7.1.1 | Access will be controlled and restricted by use of a defined security perimeter, appropriate security barriers, entry controls and authentication controls. Records of access will be maintained. |
| 7.1.2 | All personnel will be required to wear some form of visible identification to identify them as employees, contractors, visitors, et cetera. |
| 7.1.3 | Visitors to secure areas will be supervised, or cleared for non-escorted accessed via an appropriate background check. Their date and time of entry and departure will be recorded. |
| 7.1.4 | Physically secure and maintain control over all paper and electronic media (e.g., computers, electronic media, paper receipts, paper reports, and faxes) that contain Recipient Production Data. |
| 7.2 | Environmental Security. Provider will protect equipment from power failures and other disruptions caused by failures in supporting utilities that would adversely impact the Transition Services provided in this agreement. |
| 8.0 | Communications and Operations Management. |
| 8.1 | Protections Against Malicious Code. Provider will implement detection, prevention, and recovery controls to protect against malicious software (malware), which is no less than current industry best practice and perform appropriate employee and Provider training on the prevention and detection of malicious software. |
| 8.1.1 | Ensure anti-malware mechanisms are deployed on all systems commonly affected by malware (e.g. PC’s and servers) and are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. |
| 8.1.2 | Ensure anti-malware mechanisms are current, actively running, and capable of generating audit logs. |
| 8.2 | Back-ups. Provider will perform appropriate back-ups of Provider Information Processing Systems and media containing Recipient Production Data as required to ensure Transition Services and Service Levels described in this Agreement. |
| 8.2.1 | Store media back-ups in a secure off-site facility, which may be either an alternate third-party or a commercial storage facility. |
| 8.3 | Media Handling. Provider will protect against unauthorized access or misuse of Recipient Confidential Information contained on media. |
| 8.4 | Media and Information Disposal. Provider will securely and safely dispose of media (including but not limited to hard copies, disks, CDs, DVDs, optical disks, USB devices, hard drives) containing Recipient Confidential Information when no longer required by the establishment of procedures, but in no event any longer than to include, but not be limited to: |
| 8.4.1 | Disposing of media containing Recipient Confidential Information so that it is rendered unreadable or undecipherable, such as by physical destruction, burning, shredding, or pulverizing. |
| 8.4.2 | Maintaining a secured disposal log that provides an audit trail of Recipient Confidential Information media disposal activities. |
| 8.4.3 | Providing proof to Recipient certifying that all Recipient Confidential Information was purged. Upon request, the proof will be provided to Recipient within thirty (30) business days after the information was purged. |
| 8.5 | Exchange of Information. To protect confidentiality and integrity of Recipient Data in transit, Provider will: |
| 8.5.1 | Data exchange channels are established in a manner to mitigate risks to Recipient Production Data. |
| 8.5.2 | Monitor and inspect data exchange channels where appropriate to detect unauthorized information releases. |
| 8.5.3 | Ensure that appropriate security controls using approved data exchange channels are employed when exchanging Recipient Confidential Information. |
| 8.5.4 | Employ industry standard enhanced security measures (at a minimum 128-bit AES or equivalent level of encryption) to encrypt Recipient data transmitted via the Internet. |
| 8.5.5 | Ensure Recipient Personal Sensitive Information is not sent via unencrypted e-mail. |
| 8.5.6 | Ensure that information (including persistent cookies) about Recipient Productions or employees is not harvested by Provider and Provider web pages except for purposes of this Agreement. |
| 8.6 | Monitoring. To protect against unauthorized access or misuse of Recipient Confidential Information residing on Provider Information Processing Systems, Provider will: |
| 8.6.1 | Employ current industry best practice security controls and tools to monitor Information Processing Systems and log user activities, exceptions, unauthorized information processing activities, suspicious activities and information security events. Logging facilities and log information will be protected against tampering and unauthorized access. Logs will be kept for at least 90 days online. |
| 8.6.2 | Perform frequent reviews of logs and take necessary actions to protect against unauthorized access or misuse of Recipient Confidential Information. |
| 8.6.3 | At Recipient’s request, make logs available to Recipient to assist in investigations to the extent that such log disclosures do not place the data or systems of other Provider customers at risk or expose other Provider customer confidential information. |
| 8.6.4 | Comply with all relevant legal requirements applicable to monitoring and logging activities. |
| 8.6.5 | Ensure that the clocks of all relevant information processing systems are synchronized using an authoritative national or international time source. |
| 8.6.6 | Employ, monitor and keep up to date network intrusion detection systems, host-based intrusion detection systems, or intrusion prevention systems to monitor network traffic and alert personnel to suspected compromises. |
| 9.0 | Access Control. |
| 9.1 | User Access Management. To protect against unauthorized access or misuse of Recipient Confidential Information residing on Provider Information Processing Systems, Provider will: |
| 9.1.1 | Employ a formal user registration and de-registration procedure for granting and revoking access and access rights to all Provider Information Processing Systems. |
| 9.1.2 | Employ a formal password management process. |
| 9.1.3 | Where appropriate perform recurring reviews of users’ access and access rights to ensure that they are appropriate for the users’ role. |
| 9.2 | User Responsibilities. To protect against unauthorized access or misuse of Recipient Confidential Information residing on Provider Information Processing Systems, Provider will: |
| 9.2.1 | Ensure access to systems and applications storing or transmitting Recipient Data is limited to only those individuals whose job requires such access based on a need-to-know. |
| 9.2.2 | Ensure that Provider Information Processing Systems users follow current security practices in the selection and use of strong passwords. |
| 9.2.3 | Ensure that unattended equipment has appropriate protection to prohibit access and use by unauthorized individuals. |
| 9.2.4 | Ensure that Recipient Confidential Information contained at workstations, including but not limited to paper and on display screens is protected from unauthorized access. |
| 9.3 | Network Access Control. Access to internal, external, Provider and public network services that allow access to Provider Information Processing Systems shall be controlled. Provider will: |
| 9.3.1 | Ensure that current industry best practice standard authentication mechanisms for network users and equipment are in place and updated as necessary. |
| 9.3.2 | Ensure electronic perimeter controls are in place to protect Provider Information Processing Systems from unauthorized access. |
| 9.3.3 | Ensure a stateful firewall is in place for each Internet connection and between any DMZ and the Intranet. |
| 9.3.4 | Firewalls shall be configured to deny all traffic except the traffic that is required for business reasons. |
| 9.3.5 | Ensure authentication methods are used to control access by remote users. |
| 9.3.6 | Ensure physical and logical access to diagnostic and configuration ports is controlled. |
| 9.3.7 | Ensure wireless implementations are only used if required for business reasons, put into practice WPA, WPA2, 802.11i or a superseding standard and must not use WEP. |
| 9.4 | Operating System Access Control. To protect against unauthorized access or misuse of Recipient Confidential Information residing on Provider Information Processing Systems, Provider will: |
| 9.4.1 | Ensure that access to operating systems is controlled by a secure log-on procedure. |
| 9.4.2 | Ensure that Provider Information Processing System users have a unique identifier (user ID) or that a documented and approved exception request exists. |
| 9.4.3 | Ensure that the use of utility programs that are capable of overriding system and application controls are highly restricted and tightly controlled. |
| 9.4.4 | Ensure that inactive sessions are shut down after a defined period of inactivity. |
| 9.5 | Mobile Computing and Remote Working. To protect Recipient Confidential Information residing on Provider Information Processing Systems from the risks inherent in mobile computing and remote working, Provider will: |
| 9.5.1 | Identify and mitigate risks to Recipient Confidential Information from mobile computing and remote working. |
| 9.5.2 | Develop policy and procedures for managing mobile computing and remote working Recipient. |
| 9.6 | Off-shore Capabilities. Provider agrees that during the term of this Agreement, except as Recipient shall agree otherwise in writing, |
| 9.6.1 | All Recipient Data, that has not been masked per this Agreement, shall remain within the United States or Canada, and |
| 9.6.2 | All Transition Services involving access to Recipient Data that has not been masked per this Agreement, shall take place within the United States or Canada. Provider shall impose the same restrictions on its Providers and shall remain fully responsible for Providers’ compliance with such restrictions. |
| 10.0 | Information Systems Acquisition, Development and Maintenance. |
| 10.1 | Security of System Files. To protect Provider Information Processing Systems and system files containing Recipient Confidential Information, Provider will ensure that access to source code is restricted to authorized users who have a direct need to know. |
| 10.1.1 | Ensure that systems and software have the latest vendor-supplied security patches. |
| 10.1.2 | Establish a process to identify newly discovered security vulnerabilities and update system and application standards to address new vulnerability issues. |
| 10.1.3 | Ensure internal and external network vulnerability scans are conducted at least quarterly and network and application layer penetration testing at least once a year |
| 10.2 | Security in Development and Support Processes. To protect Provider Information Processing Systems and system files containing Recipient Confidential Information, Provider will: |
| 10.2.1 | Ensure that the implementation of changes is controlled by the use of formal change control procedures. |
| 10.2.2 | Employ appropriate industry best practice security controls to minimize information leakage. |
| 10.2.3 | Employ oversight quality controls of software development. |
| 10.2.4 | Employ system, application and source code analysis framework for remediation of findings |
| 10.2.5 | Develop configuration standards for system components that address security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Institute (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). |
| 11.0 | Information Security Incident Management. |
| 11.1 | Reporting Information Security Events and Weaknesses. To protect Provider Information Processing Systems and system files containing Recipient Confidential Information, Provider will: |
| 11.1.1 | Implement a process to ensure that Information Security Events and Security Breaches are reported through appropriate management channels as quickly as possible. |
| 11.1.2 | Train employees and contractors of information systems and services how to report any observed or suspected Information Security Events and Security Breaches. |
| 11.1.3 | Following any such event or breach, Provider will promptly provide notification Recipient whether or not Recipient Confidential Information was compromised or released to unauthorized parties, the Recipient Confidential Information affected and the details of the event or breach. |
| 12.0 | Business Continuity Management. |
| 12.1 | Business Continuity Management Program. In order to ensure existing levels of service continuity can be maintained during the Agreement the parties shall |
| enhance existing plans and procedures to incorporate aspects related to management of continuity events which have potential to simultaneously impact both companies. This includes emergency response and management associated with shared facility, disaster recovery of systems shared by both entities and business continuity processes, tools and procedures that are also shared. |
| 13.0 | Security Assessments. |
| 13.1 | Initial and Recurring Security Assessments. Provider will permit Recipient representatives to perform an on-site physical and logical Security Assessment of Provider’s data processing and business facilities prior to the release of Recipient Confidential Information and each year thereafter. Security Assessments will be performed during regular business hours, at a date and time agreed to by both parties. |
| 13.2 | Security Assessments Following Information Security Events and Security Breaches. Following the occurrence of an Information Security Event or Security Breach, Provider will permit Recipient representatives to perform an on-site physical and logical Security Assessment of Provider’s data processing and business facilities to assess the impact of the event or breach even if a Security Assessment has been completed within the year. |
| 13.3 | Security Assessment Findings. Upon completion of a Security Assessment, Recipient will provide Provider will provide a Security Assessment completion letter that summarizes Provider’s Security Assessment findings. These findings may identify critical security deficiencies identified as “Mandatory” that require correction before Recipient can release, or continue to release, Recipient Confidential Information to Provider. Provider will implement and continue to maintain all mutually agreed upon “Mandatory” security findings within a mutually agreed upon timeframe. If mutual agreement to “Mandatory” security findings and/or timeframe cannot be reached, then these issues may be escalated using the dispute resolution provisions within this Agreement. |
| 14.0 | Data Masking. |
| 14.1 | Applicability. This section details the technology security requirements for masking personally identifiable Recipient customer and employee data (“Recipient Production Data”). Data masking procedures employed by Provider must meet or exceed the requirements established herein and apply them to: |
| 14.1.1 | All activities performed within a Provider’s non-production environments that use Recipient Production Data. |
| 14.1.2 | Temporaries, contractors, consultants, Provider’s, external business alliances or anyone using Recipient Production Data. |
| 14.1.3 | The requirement to mask Recipient Production Data applies to non-production Information Processing Systems, including those of Provider’s Providers. |
| 14.1.4 | Upon request, Provider will provide information affirming that its data masking efforts meet the requirements of this Agreement. |
| 14.2 | When to Mask Recipient Data. Provider will mask Recipient Production Data if the data is moved outside of its production environment (such as quality control, test and development environments). If a business need exists to use Recipient Production Data for non-production activities the Provider will obtain written permission from Recipient. Masking may be accomplished as follows: |
| 14.2.1 | Provider may develop its own tools to mask Recipient Production Data as long as the masking meets or exceeds the specifications contained herein. |
NOTE – BECAUSE MASKED DATA RECORDS MAY STILL CONTAIN INFORMATION THAT IS CLASSIFIED AS RECIPIENT CONFIDENTIAL (E.G. NAMES, CREDIT CARD NUMBERS, BANK ACCOUNT INFORMATION, SOCIAL SECURITY NUMBERS, PASSWORDS, BIRTH DATES, ETC.) THE MASKED DATA FILE MUST BE HANDLED AND PROTECTED ACCORDINGLY.
| 14.3 | Masking Requirements. The following fields are currently identified as sensitive and require special handling including masking. |
| 14.3.1 | Names (includes any name field and user ID or account name). |
| 14.3.2 | Addresses (includes any address field, property location, garage location, et cetera). |
| 14.3.3 | Email Address (includes any Email address field). |
| 14.3.4 | Phone Number (includes any Phone Number Field including Home Phone, Personal Phone, Business Phone, et cetera). |
| 14.3.5 | Date of Birth. |
| 14.3.6 | Driver’s License Number. |
| 14.3.7 | Social Security or Social insurance Number |
| 14.3.8 | Financial information (includes, Credit Card, Bank Account, FICO or Beacon score, or other sensitive financial information) |
| 14.3.9 | Passwords or security codes (e.g., application passwords, PIC, etc.) |
| 14.4 | Disposing of Masked Data. Provider will remove masked records and excluded production data from non-production environments as soon as the non-production activities are complete. Recipient considers Non-production activities to be complete when the production data is no longer required to accomplish the activity or produce documentation. |
Schedules
37