Vendor warrants that it will comply with all applicable laws and regulations protecting the privacy, confidentiality, and/or security of any individually identifiable information about customers, clients, employees (including employees of customers), applicants and any other individuals about whom Vendor has access to individually identifiable information in connection with the Services, including, but not limited to, Massachusetts General Laws Chapter 93H and the regulations at 201 CMR 17.00 concerning the standards for protection of personal information of residents of Massachusetts (“Personal Information”), including applying protective security measures to Personal Information consistent with the requirements of such regulations.
Furthermore, if Vendor receives any information relating to natural persons located outside of the U.S. and which can individually or collectively lead to directly or indirectly identifying such individual (“Personal Data”), Vendor agrees to abide by the provisions of the data privacy laws applicable to such Personal Data (e.g., the European Union’s Directive 95/46/EC and any amendments thereto for Personal Data relating to an EU Member State resident, the Federal Act on Data Protection of Switzerland and any amendments thereto for Personal Data relating to a Swiss resident). In particular, Vendor undertakes to provide at least the same level of privacy protection as is required under the relevant principles of the applicable data privacy law.
Vendor agrees that it shall act only on instructions received from Company under the applicable SOW regarding the processing, i.e., any operation or set of operations performed upon Personal Data or Personal Information (e.g., collection, organization, adaptation, deletion, storage, use, recording, disclosure), of any such Personal Data or Personal Information and shall process such Personal Data or Personal Information solely for the purposes of carrying out its obligations under this Agreement.
Vendor shall promptly report to Company any unauthorized access, use, disclosure, modification, or destruction of Personal Data or Personal Information or any other breach of privacy or security involving data received from Company or collected on Company’s behalf, including the nature and impact of the incident and the steps taken to mitigate its impact. Vendor agrees to cooperate with Company as reasonably requested in order to further investigate and resolve any such incident. Vendor agrees to make available to Company any and all information necessary to demonstrate compliance with the terms of this Agreement and the safeguarding of the Personal Data and Personal Information.
Personal Data and Personal Information shall be deemed the Confidential Information of Company under Section 7 of this Agreement and subject to the protections therein.
Vendor shall take appropriate physical, technical and organizational measures to preserve the confidentiality and security of Personal Data or Personal Information and in particular, implement all measures necessary to protect Personal Data or Personal Information against unauthorized or unlawful access and/or processing and against accidents or loss, alteration, disclosure, destruction or damage of such Personal Data and Personal Information.
Vendor shall maintain and enforce safety and security procedures in operating the hosting and/or processing environment that are at least: (a) equal to generally recognized industry standards and (b) as rigorous as those in effect for other similar environments that are owned or controlled by Company.
Vendor shall maintain network security that has the following minimum requirements: network firewall provisioning, intrusion detection, and regular third party vulnerability assessments. Vendor agrees to maintain a secure processing and/or hosting environment through measures including, but not limited to, the timely application of patches, fixes and updates to operating systems and applications. Vendor agrees that all electronic transmission or exchange of Personal Data, Personal Information and any other Confidential Information with Company and/or any other parties expressly designated by Company in writing shall take place via secure means. Vendor agrees that Personal Data, Personal Information and any other Confidential Information shall not be stored or processed on any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the Vendor's designated backup and recovery processes and the backup data is stored in encrypted form, using a commercially supported encryption solution.