Data Security Obligations
1. DATA SECURITY OBLIGATIONS
“Applicable Law” means any applicable (a) Federal, state, or local statute, regulation, regulatory requirement, by law, ordinance, subordinate legislation or other (regardless of its source) or mandatory guidance or code of practice (including in each case any judicial or administrative interpretation of it), in force from time to time in any applicable jurisdiction, including, but not limited to, Data Protection Laws; or (b) judgment of a relevant court of law, or sanction, directive, order or requirement of any regulatory authority
“Authorized Persons” means tvScientific’s employees (to the extent tvScientific has employees), contractors, and agents, who have a need to know or otherwise access Personal Information to enable tvScientific to perform its obligations under this Order, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Information (defined below), in accordance with the terms and conditions of this Order.
“Data Protection Laws” means any and all Federal, state, local, or provincial privacy and data security laws, regulations, guidance, or codes of practice, including but not limited to: (i) guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. §45; (ii) U.S. state data breach notification laws; (iii) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.; (iv) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); and (v) any other applicable Federal, state, local, or provincial laws or regulations regarding privacy and data security that are in effect or will come into effect during the term of the Order.
“Highly-Sensitive Personal Information” means an (i) individual’s government-issued identification number (including Social Security number, driver’s license number, or state-issued identification number); (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password that would permit access to an individual’s financial account; or (iii) biometric, genetic, health, medical, or medical insurance data.
“Personal Information” means information provided to tvScientific by or at the direction of Client, or information which is created or obtained by tvScientific on behalf of Client, or information to which access was provided to tvScientific by or at the direction of Client, in the course of tvScientific’s performance under this Order that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses, online identifiers, and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, user identification and account access credentials or passwords, and other personal identifiers), in the case of both sub-clauses (i) and (ii), including, without limitation, all Highly-Sensitive Personal Information.
“Security Breach” means (i) any act or omission that compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by tvScientific, or by Client should tvScientific have access to Client’s systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of tvScientific or a breach or alleged breach of this Order relating to such privacy and data security practices. Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information.
B. Standard of Care:
tvScientific acknowledges and agrees that, in the course of its engagement by Client, tvScientific may create, receive, or have access to Personal Information. tvScientific shall comply with the terms and conditions set forth in this Order in its creation, collection, receipt, transmission, storage, disposal, use, and disclosure of such Personal Information and be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information under its control or in its possession by all Authorized Persons. tvScientific shall be responsible for, and remain liable to, Client for the actions and omissions of all Authorized Persons concerning the treatment of Personal Information as if they were tvScientific’s own actions and omissions. Personal Information is deemed to be Confidential Information of Client and is not Confidential Information of tvScientific. In the event of a conflict or inconsistency between this Exhibit A and the Order, the terms and conditions set forth in this Exhibit A shall govern and control. In recognition of the foregoing, tvScientific agrees and covenants that it shall:
1. keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure;
2. not create, collect, receive, access, or use Personal Information in violation of Applicable Law;
3. use and disclose Personal Information solely and exclusively for the purposes for which the Personal Information, or access to it, is provided pursuant to the terms and conditions of this Order, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Information for tvScientific’s own purposes or for the benefit of anyone other than Client, in each case, without Client’s prior written consent;
4. not, directly or indirectly, sell Personal Information to any third party; and
5. except for disclosures to Authorized Persons as necessary to provide the Services, not directly or indirectly, disclose any Personal Information to any third party, without Client’s prior written consent.
C. Information Security:
1. tvScientific represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Information does and will comply with all Applicable Laws, as well as all other applicable regulations and directives.
2. tvScientific shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed at least annually.
3. Without limiting tvScientific’s obligations under the Order, tvScientific shall implement administrative, physical, and technical safeguards to protect Personal Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices (including, without limitation, the International Organization for Standardization’s standards and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or other applicable industry standards for information security), and shall ensure that all such safeguards, including the manner in which Personal Information is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with Applicable Laws, as well as the terms and conditions of this Order.
4. If, in the course of its engagement by Client, tvScientific has access to or will collect, access, use, store, process, dispose of, or disclose credit, debit, or other payment cardholder information, tvScientific shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at tvScientific’s sole cost and expense.
5. At a minimum, tvScientific’s safeguards for the protection of Personal Information shall include: (A) securing business facilities, data centers, paper files, servers, back-up systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (B) implementing network, application, database, and platform security; (C) securing information transmission, storage, and disposal; (D) implementing authentication and access controls within media, applications, operating systems, and equipment; (E) encrypting Highly-Sensitive Personal Information stored on any media; (F) encrypting Highly-Sensitive Personal Information transmitted over public or wireless networks; (G) strictly segregating Personal Information from information of tvScientific or its other customers so that Personal Information is not commingled with any other types of information; (H) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at tvScientific’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (I) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with Applicable Laws; and (J) providing appropriate privacy and information security training to tvScientific’s employees.
6. During the term of each Authorized Person’s employment by, or contract with, tvScientific, tvScientific shall at all times cause such Authorized Persons to abide strictly by tvScientific’s obligations under this Order.
7. If Client so requests, tvScientific shall provide Client with a network diagram that outlines tvScientific’s information technology network infrastructure and all equipment used in relation to fulfilling its obligations under this Order, including, without limitation: (A) connectivity to Client and all third parties who may access tvScientific’s network to the extent the network contains Personal Information; (B) all network connections, including remote access services and wireless connectivity; (C) all access control measures (for example, firewalls, packet filters, intrusion detection and prevention services, and access-list-controlled routers); (D) all back-up or redundant servers; and (E) permitted access through each network connection.
D. Security Breach Procedures:
1. tvScientific shall: (A) provide Client with the name and contact information for an employee of tvScientific who shall serve as Client’s primary security contact and shall be available to assist Client twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach; (B) notify Client of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after tvScientific becomes aware of it; and (C) notify Client of any Security Breaches by telephone and by email to: security@Client.com.
2. Immediately following tvScientific’s notification to Client of a Security Breach, the Parties shall coordinate with each other to investigate the Security Breach. tvScientific agrees to fully cooperate with Client in Client’s handling of the matter, including, without limitation: (A) assisting with any investigation; (B) providing Client with physical access to the facilities and operations affected; (C) facilitating interviews with tvScientific’s employees and others involved in the matter; and (D) making available all relevant records, logs, files, data reporting, and other materials required to comply with Applicable Law, regulation, industry standards, or as otherwise required by Client.
3. tvScientific shall at its own expense use best efforts to immediately contain and remedy any Security Breach and prevent any further Security Breach, including, but not limited to taking any and all action necessary to comply with Applicable Laws, privacy rights, regulations, and standards. tvScientific shall reimburse Client for all actual costs incurred by Client in responding to, and mitigating damages caused by, any Security Breach, including all costs of notice and/or remediation.
4. tvScientific agrees that it shall not inform any third party of any Security Breach without first obtaining the prior written consent of Client’s legal counsel. Further, tvScientific agrees that Client shall have the sole right to determine: (A) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by Applicable Law or regulation, or otherwise in Client’s discretion; and (B) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
5. tvScientific agrees to maintain and preserve all documents, records, and other data related to any Security Breach.
6. tvScientific agrees to fully cooperate with Client in any litigation, investigation, or other action deemed necessary by Client to protect its rights relating to the use, disclosure, protection, and maintenance of Personal Information.
7. In the event of any Security Breach, tvScientific shall promptly use its best efforts to prevent a recurrence of any such Security Breach.
E. Oversight of Security Compliance:
1. Upon Client’s written request, to confirm tvScientific’s compliance with this Order, as well as any Applicable Laws, regulations, and industry standards, tvScientific grants Client or, upon Client’s election, a third party on Client’s behalf, permission to perform an assessment, audit, examination, or review of all controls in tvScientific’s physical and/or technical environment in relation to all Personal Information being handled and/or services being provided to Client pursuant to this Order. tvScientific shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information for Client pursuant to this Order. In addition, upon Client’s request, tvScientific shall provide Client with the results of any audit performed by or on behalf of tvScientific that assesses the effectiveness of tvScientific’s information security program as relevant to the security and confidentiality of Personal Information shared during the course of this Order.
2. Upon Client’s written request, to confirm compliance with this Order, as well as any Applicable Laws and industry standards, tvScientific shall promptly and accurately complete a written information security questionnaire provided by Client, or a third party on Client’s behalf, regarding tvScientific’s business practices and information technology environment in relation to all Personal Information being handled and/or services being provided by tvScientific to Client pursuant to this Order. tvScientific shall fully cooperate with such inquiries.
F. Return or Destruction of Personal Information:
At any time during the term of this Order at Client’s request, or upon the termination or expiration of this Order for any reason, tvScientific shall, and shall instruct all Authorized Persons to, promptly return to Client all copies, whether in written, electronic, or other form or media, of Personal Information in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to Client that such Personal Information has been returned to Client or disposed of securely. tvScientific shall comply with all directions provided by Client with respect to the return or disposal of Personal Information.
tvScientific certifies that it understands and will comply with the requirements and restrictions set forth in this Exhibit A.
tvScientific shall defend, indemnify, and hold harmless Client and its subsidiaries, affiliates, and their respective officers, directors, employees, agents, successors, and permitted assigns (each, a “Client Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against any Client Indemnitee arising out of or resulting from tvScientific’s failure to comply with any of its obligations under the Order, or tvScientific’s intentional, willful, or negligent acts or omissions.