Data Privacy Standards

Cookie Policy Privacy Policy


Vendor Data Protection Requirements


Vendor agrees to maintain at all times reasonable and appropriate physical, technical and administrative safeguards that meet the terms of this Agreement and comply with federal, state, and local legal and regulatory requirements applicable to the Personal Information and its confidentiality and protection and to protect the Personal Information from unwarranted, accidental or unauthorized access, disclosure, use, modification or destruction (“Safeguards”). For purposes of this Agreement, “reasonable and appropriate” Safeguards are industry standards and best practices standards. Vendor will do the following, as may be updated or supplemented from time to time as set forth in the Safeguarding Data section of the Vendor Data Protection Requirements:

  1. Data Encryption. Vendor agrees to comply with encryption standards and procedures provided in writing by Vendor.
  2. Mobile Device Policy. Vendor agrees to comply with the mobile device standards and procedures provided in writing by Vendor, including limitations on placement of Personal Information on removable media (such as, by way of example only, an external USB Drive, magnetic tape, CD or DVD).
  3. Data Storage. All data centers and infrastructure used by or on behalf of Vendor for the receipt, storage, or processing of Personal Information “at rest” must be located in the continental United States.
  4. Business Continuity for Data. To the extent that Vendor is designated in the Services Agreement as the primary custodian of Personal Information, Vendor will store all such Personal Information in at least two (2) facilities in such different physical locations that loss of Personal Information at one such facility is not reasonably likely also to impact the other facility/ies or compromise the Personal Information stored at such other facilities. Vendor shall, upon Company’s request, identify the location of all data centers at which Personal Information is stored, including data at rest and backup data. Upon request by Company, Vendor shall promptly respond to concerns expressed by Company that such storage locations have, over time, become subject to proximity, climate or other vulnerabilities that require relocation.
  5. Background Checks. Vendor will conduct, or require Third Party Vendors to conduct, background checks on employees or other personnel with administrative access to Vendor’s hosting platform or network through which Personal Information can be viewed, used or downloaded, based on background check criteria provided by Company.
  6. Data Backup. Vendor will submit to Company for Company’s approval its plans regarding on-going data backup to avoid loss of Personal Information.
  7. Access Restrictions. Access by personnel of Vendor or Third Party Vendors will be limited to those persons who directly need such access to support the Service Agreement. Vendor will submit to Company for Company’s approval its procedures for issuance and changes to user IDs and passwords. Vendor shall generate and maintain detailed logs of (i) each access or attempted access to the Personal Information by users or others; (ii) activity by users or others relating to the Personal Information; and (iii) intrusions or attempted intrusions into any data center or other infrastructure used to receive, store, process or transmit Personal Information. Such logs shall be maintained by Vendor for at least twelve (12) months, and copies of such logs will be provided by Vendor to Company on demand.
  8. Litigation Hold. Upon written notice from Company stating that any data or records of Company, including Personal Information, may be relevant to reasonably anticipated litigation or threats of litigation and therefore is subject to a “litigation hold,” Vendor shall immediately institute procedures agreed to with Company so that destruction or deletion of such data or records is suspended.
  9. SOC-2 Type II Report. At the commencement of this Agreement and annually at each anniversary of this Agreement, Vendor shall provide to Company a SOC-2 Type II report on the effectiveness of security controls of Vendor relevant to the services being supplied to Company and dated within twelve (12) months of the commencement of or respective anniversary date of this Agreement. If the Report notes exceptions to the controls in place to protect Personal Information, Vendor agrees to remedy such exceptions at Vendor’s expense immediately, unless otherwise agreed in writing by Company, and if Vendor does not do so, Company may, in addition to all other remedies, terminate the Services Agreement.