All individuals or organizations that provide goods or services (each a "Supplier") to United Rentals, Inc., or any of its affiliates or subsidiaries (individually or collectively, "Company") must comply with these Data Processing Terms. These Data Processing Terms form part of any agreement between Company and Supplier that references these Data Processing Terms, or to which these Data Processing Terms are attached or incorporated (the "Agreement"). In the event of a conflict between these Data Processing Terms and the Agreement, these Data Processing Terms shall control with respect to its subject matter, unless the Agreement sets forth more stringent standards (i.e., standards more protective of Company and Company's Personal Data (defined below)).
These Data Processing Terms apply to Supplier if Supplier Processes any Personal Data in connection with Supplier's performance of the Services (as such terms are defined below).
For the purposes of these Data Processing Terms, the following definitions shall apply:
- “Adequacy Decision” means a decision issued by the European Commission under Article 45 of the GDPR.
- “Applicable Law” means all applicable laws (including those arising under common law), statutes, ordinances, regulations, directives, treaties, codes and other pronouncements having the effect of law of the United States, any foreign country or any domestic or foreign state, county, city or other political subdivision, including those promulgated or enforced by any governmental authority, as amended or supplemented.
- “Cardholder Data” means: (1) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (2) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.
- “Data Transfer” means the access of Personal Data by a Person, or transfer, delivery, or disclosure of Personal Data to a Person, where such Person is located in a country other than the country from which the Personal Data originated.
- “EEA” means collectively, the member states of the European Union and Switzerland.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended or supplemented.
- “PCI Standards” means the data security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standards currently in effect and as modified during the term of the Agreement.
- “Personal Data Breach” means any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Data or any other unauthorized Processing of Personal Data.
- “Personal Data” means any information relating to an identified or identifiable natural person, or any information that identifies, relates to, describes or could reasonably be linked with a particular natural person or household, which Supplier accesses or acquires from Company, which Company provides to Supplier, or which Supplier collects or acquires on behalf of Company; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes, without limitation: (a) name; (b) mailing address; (c) telephone or fax number; (d) email address; and (e) government identification number. Personal Data also includes any Personal Information, Personally Identifiable Information or similar terms as defined under Privacy Laws.
- “Privacy Laws” means all (1) Applicable Laws relating to the privacy, confidentiality, retention or security of Personal Data including, but not limited to, the GDPR, the UK GDPR, the California Consumer Privacy Act of 2018, as amended (“CCPA”), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws (including those in British Columbia, Alberta, and Quebec), and Canadian anti-spam law; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); the FTC Disposal of Consumer Report Information and Records Rule, 16 C.F.R. § 682 (2005); the Federal “Privacy of Consumer Financial Information” Regulation (12 CFR Part 30) issued pursuant to Section 504 of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. §6801, et seq.); HIPAA and the HITECH Act, and all other similar international, federal, state, provincial, and local requirements, (2) all applicable industry standards concerning privacy, data protection, confidentiality or information security currently in effect and as they become effective, including the Payment Card Industry Data Security Standard, and any other similar standards, and (3) applicable provisions of all Company privacy policies, statements or notices that are provided or otherwise made available to Supplier. For the avoidance of doubt, Privacy Laws are applicable with respect to any receipt of, access to, or Processing of Personal Data, whether intentionally or unintentionally.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, alignment or combination, restriction, adaptation, retrieval, consultation, destruction, disposal, or other use of Personal Data.
- “UK GDPR” means the UK’s implementation of GDPR into national law, as defined in section 3(10) and section 205(4) of the Data Protection Act 2018.
1.3 Limitation on Use
- Scope of the Processing. Supplier will Process Personal Data in connection with the Services described in the Agreement and during the term of such Agreement, subject to compliance with Applicable Laws and the Agreement. The type of Personal Data Processed by Supplier is described in the Agreement. The Processing may involve Personal Data of employees of Company, customers of Company, and business contact information of Company customers, suppliers and other business partners, as further described in the Agreement. Under no circumstances will Supplier use, process (including specifically combine with other data), or disclose the Personal Data for its own commercial purposes, outside the direct business relationship with the Company, or for any purpose other than providing the Services.
- Processing Pursuant to Company’s Instructions. Supplier acknowledges that, with respect to the Personal Data, Company is the controller and Supplier is a data processor as defined under applicable Privacy Laws. Supplier will Process Personal Data only on behalf of Company as necessary to provide the Services in accordance with the Agreement (including these Data Processing Terms) and in accordance with Company’s instructions issued from time to time in writing (collectively, the “Instructions”). Supplier will Process the Personal Data and perform the Services at all times in compliance with Applicable Law, including providing the same level of privacy protection as required of the Company by Privacy Laws. Supplier may not: (1) use Personal Data for any purpose other than as provided in Section 1.3.a; (2) sell, assign or lease to third parties any Personal Data; (3) share any Personal Data with third parties for the purposes of cross-context behavioral advertising; or (4) commercially exploit Personal Data or otherwise Process Personal Data for Supplier’s own purposes. If Applicable Law requires Supplier to conduct Processing that is or could be construed as inconsistent with the Instructions, then Supplier must notify Company immediately and prior to commencing the Processing, unless Applicable Law prohibits such notice on important grounds of public interest. Supplier must notify Company immediately if Supplier believes that any Instruction from Company violates or would result in Processing in violation of Applicable Law.
1.4 Limitation on Disclosure
Supplier will not disclose Personal Data to any third party without first obtaining Company’s written consent, except as provided in Section 1.7 (Data Subject Requests) or Section 1.11 (Production Requests). Supplier will impose enforceable written obligations on all employees, contractors and agents that Process Personal Data on Supplier’s behalf to protect the confidentiality of the Personal Data (during the term of their employment or engagement and thereafter).
1.5 Technical and Organizational Measures; Security Requirements
- Security Requirements. Supplier shall comply with Company’s requirements for administrative, technical and physical control measures applicable to Supplier’s delivery of the Services and Company’s requirements for physical security at the facilities set forth herein, in the Agreement, and as otherwise provided by Company to Supplier in writing (the “Security Requirements”). Company shall notify Supplier in writing of any changes, updates, modifications or amendments of the Security Requirements. Supplier will comply, and will ensure that Supplier’s agents and subcontractors comply, with the Security Requirements, as amended by Company from time to time.
- Safeguards. In addition to any specific requirements set forth in the Security Requirements, Supplier shall establish a written information security program with respect to Personal Data (and provide a copy of same to Company) (“WISP”) which must substantially conform to the framework set forth by the International Standards Organization in a standards document entitled “Code of practice for information security management” (ISO/IEC 27002:2013, and as may be amended from time to time) and which, consistent with Section 1.5(c) below: (1) ensures the security, confidentiality, integrity and availability of Personal Data; (2) protects against any anticipated threats or hazards to the security, confidentiality, availability or integrity of Personal Data; (3) protects against any unauthorized access to, use or disclosure of Personal Data; and (4) ensures the proper and secure disposal of Personal Data. Supplier will, in accordance with the WISP and Privacy Laws, take all necessary technical and organizational security measures against the unauthorized or unlawful Processing of Personal Data and against the loss, alteration or destruction of, or damage to, Personal Data. In assessing the appropriate level of security, Supplier shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Documentation. During the term of this Agreement and for a period of seven years thereafter, Supplier shall maintain, and provide for the Company’s review, at the Company’s request: (a) the WISP and (b) other applicable security program documents, including its incident response policies, encryption standards and/or other computer security protection policies or procedures, that constitute compliance with Privacy Laws. Supplier shall provide the Company with any amendments to such policies or programs, and any new policies or programs related to information privacy and security as may be adopted by Supplier from time to time, within 30 days after the adoption of any such amendment, policy or program.
- Security Assessment. Without limiting the generality of the foregoing, Supplier’s WISP shall provide for: (a) regular assessment and re-assessment of the risks to the confidentiality, integrity and availability of Personal Data and systems acquired or maintained by Supplier and its agents and contractors, including (x) identification of internal and external threats that could result in a Personal Data Breach, (y) assessment of the likelihood and potential damage of such threats, and (z) assessment of the sufficiency of policies, procedures, and information systems of Supplier and Subcontractors (defined below), and other arrangements in place, to control risks; and (b) protection against such risks.
- Media. Supplier shall remove all Personal Data from any media taken out of service and shall destroy or securely erase such media in accordance with current industry standards such as NIST 800-88 or an equivalent superseding standard, Privacy Laws and otherwise in a manner designed to protect against unauthorized access to or use of any Personal Data in connection with such destruction or erasure. No media on which Personal Data is stored may be used or re-used to store data of any other customer of Supplier or to deliver data to a third party, including another Supplier customer, unless securely erased.
Supplier may subcontract the Processing of Personal Data only with the prior written permission of Company. Prior to any disclosure of Personal Data to a subcontractor or other Processing of Personal Data by a subcontractor (each, a “Subcontractor”), Supplier must have entered into an agreement that requires the Subcontractor to comply with Privacy Laws and the same obligations and restrictions as provided in these Data Processing Terms. Supplier will provide the agreement to Company promptly upon request. Supplier will remain accountable and responsible for the Processing of Personal Data by, and for all actions and omissions of, such Subcontractors.
1.7 Data Subject Requests
Supplier will promptly notify Company in writing (and in any event within 2 business days of receipt), unless specifically prohibited by Applicable Law, if Supplier receives: (1) any requests from an individual with respect to Personal Data Processed including, but not limited to, opt-out requests, requests for access, rectification, erasure, restriction or data portability, requests involving an objection to Processing or automated decision-making, and all similar requests; or (2) any complaint, inquiry or notice of investigation under Applicable Law relating to the Processing of Personal Data including, but not limited to, allegations that the Processing infringes an individual’s rights under Applicable Law. Supplier will at no additional charge: (a) implement appropriate processes (including technical and organizational measures) to assist Company in responding to such requests or complaints from individuals; and (b) cooperate fully with Company with respect to, and facilitate Company’s authentication, recording, investigation, processing, execution and resolution of, all such requests, complaints, inquiries or notices of investigation. Supplier will not respond to any such request, complaint, inquiry or notice of investigation unless authorized to do so in writing by Company, or required to do so by Applicable Law.
1.8 Personal Data Breaches
- Supplier shall notify Company in writing immediately (and in any event within 24 hours) whenever Supplier reasonably believes that there has been a Personal Data Breach, including the presence of malware. Supplier’s notice to Company of a Personal Data Breach must contain the following: (1) a description of the categories and approximate number of data subjects, as well as the categories and approximate number of Personal Data records affected by the Personal Data Breach; (2) the name and contact details of any Data Protection Officer appointed by Supplier; (3) Supplier’s assessment, developed through reasonable diligence, of the likely consequences of the Personal Data Breach with respect to the affected Personal Data and data subjects; and (4) any additional information required pursuant to Privacy Laws applicable to Supplier or Company.
- In the event of any Personal Data Breach, Supplier will investigate the Personal Data Breach, take all necessary steps to eliminate or contain the exposure of Personal Data, and keep Company advised of the status of the Personal Data Breach and Supplier’s investigation and steps taken to remedy same. Supplier further agrees to provide, at Supplier’s sole cost, reasonable and appropriate assistance and cooperation requested by Company, in the furtherance of any correction, remediation, or investigation of such Personal Data Breach by Company and/or the mitigation of any damages resulting from such Personal Data Breach, including any notification that Company may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service that Company deems appropriate to provide to affected individuals. In addition, within 30 days of identifying or being informed of a Personal Data Breach, Supplier shall develop and execute a plan that reduces the likelihood of a recurrence of a Personal Data Breach.
- If Company determines that any Personal Data Breach must be disclosed to a third party, including but not limited to, data subjects, governmental authorities, or data protection authorities, then Supplier shall fully cooperate with and assist Company in fulfilling Company’s reporting and disclosure obligations. Unless required by Applicable Law, Supplier shall not notify any individual or any third party other than law enforcement of any potential Personal Data Breach without first consulting with, and obtaining the written permission of, Company.
1.9 Information Return or Deletion
Upon termination or expiration of the Agreement for any reason, or upon Company’s request (and without regard to the default status of the Parties under the Agreement), Supplier shall within 10 days return, in a manner and format reasonably requested by Company, or, at Company’s direction, destroy, all Personal Data in Supplier’s possession or control, except to the extent otherwise required by Applicable Law. If Supplier has a legal obligation to retain Personal Data beyond the period otherwise specified by the Agreement, Supplier will notify Company in writing of that obligation (unless precluded from doing so pursuant to Applicable Law), and will return or destroy Personal Data in accordance with these Data Processing Terms as soon as possible after that legally required retention period has ended. Supplier will perform any destruction of Personal Data pursuant to these Data Processing Terms in such a manner as to permanently and securely destroy the Personal Data in accordance with Privacy Laws and industry standards so that the information cannot be read or reconstructed as a practical matter through forensic or other means. Upon Company’s request, Supplier will provide a written explanation of the method used for data disposal/destruction, along with a written certification that such Personal Data has been returned or securely destroyed in accordance with these Data Processing Terms.
Upon notice to Supplier, Supplier shall assist and support Company in the event of an investigation by any regulator, including a data protection regulator or similar authority, if and to the extent such investigation relates to Personal Data handled by Supplier on behalf of Company. Such assistance shall be at Company’s expense, except where such investigation was required due to Supplier’s acts or omissions, in which case such assistance shall be at Supplier’s sole expense.
Supplier hereby certifies that Supplier understands, and will comply with, the restrictions set forth in these Data Processing Terms with respect to Personal Data.
2.1 Annual Audit
In addition to any other audit rights under the Agreement, once every 12 months, subject to any contrary provisions of Section 2.3 of these Data Processing Terms, Supplier will provide to Company, or an independent third party chosen by Company and reasonably acceptable to Supplier, on reasonable notice: (1) access to Supplier’s information, Processing premises, and records; (2) reasonable assistance and cooperation of Supplier’s relevant staff; and (3) reasonable facilities at Supplier’s premises, for the purpose of Company’s audit of Supplier’s compliance with these Data Processing Terms. Company may, instead of conducting an on-site audit, request a copy of Supplier’s most recent third party assessment, such as an ISO 27001, SSAE 18 SOC 2, ISAE 3402 or similar assessment. Supplier will provide a copy of such assessment to Company promptly upon request. Company has the right to conduct an audit as described in this paragraph, even if such a certificate is provided. Each party will bear its own expenses in connection with an audit pursuant to this Section 2.1.
2.2 Personal Data Breach Audit
If Supplier gives notice of a Personal Data Breach as described in Section 1.8, then Company shall have the following audit rights, without regard to the frequency limitation in Section 2.1. Subject to Section 2.3 of these Data Processing Terms, Company will have the right to perform, by an independent third party chosen by Company and reasonably acceptable to Supplier, or through Company’s own personnel, a follow-up audit to ensure all reasonably necessary corrective actions have been taken. If such an audit concludes that Supplier has not adequately taken corrective action to remedy the problems, then (1) Supplier will promptly take whatever corrective actions are reasonably necessary to remedy the problems; and (2) Supplier will reimburse Company for all reasonable costs of the audit.
2.3 Audit Confidentiality
The parties agree that if Supplier’s pre-existing written policies, provided to Company upon request, do not permit Company’s own personnel to perform any audit or security review required or permitted under these Data Processing Terms, Company will conduct such audit or security review through a third-party auditor selected by Company and reasonably acceptable to Supplier, and Supplier will reimburse Company’s cost of conducting any such audit or security review. Company agrees that any third-party auditor or security firm will enter into a written agreement with Supplier and Company that requires such firm to (1) use any Supplier confidential information solely for purposes of the inspection or audit, and (2) keep Supplier’s confidential information confidential in accordance with any applicable provisions of the Agreement. The parties further agree that if Supplier policies also prohibit Company’s third-party auditors from performing any audit or security review, Supplier will, upon Company’s request, engage Supplier’s independent auditing firm, acting with a duty to Supplier, to conduct such audit or security review, at Supplier’s expense, and such firm will provide Company with a management representation letter certifying to Company the results of such audit or review, including all findings, comments and recommendations for further action.
Data Transfers made pursuant to the Agreement or the Services must comply with this Section 3. If any Data Transfer mechanism identified herein is invalidated or repealed by a court of competent jurisdiction or competent governmental authority, then Supplier must immediately adopt and comply with one of the other Data Transfer mechanisms set forth below.
3.1 Transfers by Company
Data Transfers made by a Company affiliate established in the EEA or the UK to Supplier (including any Subcontractor of Supplier) in a location that is outside the EEA or the UK and not covered by an Adequacy Decision must be in accordance with one or more of the approved means set forth below:
- BCR-P. Binding Corporate Rules for Processors implemented by Supplier and approved by all applicable supervisory authorities pursuant to Article 47 of the GDPR and other applicable Privacy Laws (“BCR-Ps”), in which case Supplier represents, warrants, and covenants that it will: (i) maintain such BCR-Ps for the duration of the Agreement; (ii) promptly notify Company of any subsequent material changes in such authorization; and (iii) downstream any of its obligations under its BCR-Ps by entering into an appropriate onward transfer agreement with any Subcontractor.
- Model Clauses for transfers from the UK. In all cases not covered by Section 3.1.a above, the relevant Data Transfer from the UK will be governed by the Standard Contractual Clauses (Controller to Processor) (the “C2P Model Clauses”) for transfers from the UK. Supplier must abide by C2P Model Clauses, which shall be incorporated in the approved form in their entirety into these Data Processing Terms when Company enters into an agreement with Supplier. The C2P Model Clauses apply to Supplier as the data importer, and by executing the Agreement, Supplier is also executing the C2P Model Clauses as the data importer. Supplier agrees also to execute the C2P Model Clauses directly upon request.
- Model Clauses for transfers from the EEA. In all cases not covered by Section 3.1.a or 3.1.b above, the relevant Data Transfer from the EEA will be governed by the Standard Contractual Clauses (Controller to Processor modules) (the “2021 Model Clauses”) for transfers from the EEA. Supplier must abide by 2021 Model Clauses, which shall be incorporated in the approved form in their entirety into these Data Processing Terms when Company enters into an agreement with Supplier. The 2021 Model Clauses apply to Supplier as the data importer, and by executing the Agreement, Supplier is also executing the 2021 Model Clauses as the data importer. Supplier agrees also to execute the 2021 Model Clauses directly upon request.
3.2 Transfers by Supplier
Supplier will not transfer any Personal Data across national borders, except upon the prior written consent of Company. Supplier will not export outside the EEA any Personal Data collected, stored or otherwise Processed by Supplier in the EEA, except pursuant to Company Instruction. Supplier must ensure that all Data Transfers comply with Privacy Laws at all times.
Supplier represents, warrants and covenants that no Personal Data has been collected by Supplier or transferred by Supplier to third parties in violation of any Privacy Laws. There are no notices, claims, investigations or proceedings pending, or, to the knowledge of Supplier, threatened, by state or federal agencies, or private parties involving notice or information to individuals that Personal Data held or stored by Supplier has been compromised, lost, taken, accessed or misused. Supplier has not received any notice regarding any violation of any Privacy Laws, and Supplier has no reason to believe that the security of any Personal Data Processed by Supplier has been breached or potentially breached.
All consumer-facing websites and mobile applications operated by Supplier on Company’s behalf must contain a link to a privacy statement that complies with Privacy Laws and that Company has approved in writing. Notwithstanding any such privacy statement, Supplier may Process Personal Data only in accordance with this Agreement and only as necessary to provide the Services to Company. Web sites and mobile applications that would appear to a consumer as being provided by Company must post a Company privacy statement and must be approved prior to launch by Company.
Supplier shall indemnify Company and its officers, directors, employees and agents (“Indemnitees”), and hold Indemnitees harmless, from and against, any and all losses, damages and expenses, including any and all incidental and consequential losses, damages and expenses, which shall include without limitation costs of (1) investigation, including forensic computer services or assistance, (2) notification to individuals and governmental authorities, (3) credit monitoring or restoration, and (4) reasonable attorneys’ fees, related to or arising from (5) Supplier’s breach of these Data Processing Terms or (6) any Personal Data Breach involving Personal Data Processed by Supplier.
Company can change these Data Processing Terms in its sole discretion at any time and from time to time. Any changes to these Data Processing Terms will be binding upon Supplier when posted at https://www.unitedrentals.com/legal/msa-data-processing-terms; provided, however, that Supplier will have a reasonable period of time to implement any change in the Data Processing Terms (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Supplier is obligated to check this URL regularly for any changes. The most recent changes to the Data Processing Terms will appear at the bottom of the Data Processing Terms in the section entitled “Material Revisions to Data Processing Terms.”
Supplier’s obligations under these Data Processing Terms will survive the termination or expiration of its Services or any related agreements and will continue for so long as Supplier, or any of its affiliates or subcontractors retain or have access to Personal Data. Supplier acknowledges and agrees that each entity referenced in the definition of “Company” above is an intended third party beneficiary of Supplier’s obligations and liabilities under these Data Processing Terms, including without limitation Supplier’s obligations with respect to Personal Data, and as such, each will have a right of its own to enforce these Data Processing Terms.
6.2 Further Assurances
Supplier shall comply with the Privacy Laws throughout the term of this Agreement. If Supplier makes a determination that it can no longer meet its obligations under any Privacy Laws, it shall immediately notify Company of such determination. Supplier at any time may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including suspending access to or disclosure of Personal Data until such unauthorized use is remedied. Supplier will provide relevant information and assistance requested by Company to demonstrate Supplier’s compliance with its obligations under these Data Processing Terms and Privacy Laws and to assist Company in meeting Company’s obligations under applicable Privacy Laws with respect to Supplier’s Processing of Personal Data. If any change in Processing is required by a modification in Privacy Laws, or to ensure ongoing compliance with Privacy Laws, then Company will have the right to require Supplier to implement the requested change.
If any part of these Data Processing Terms is held unenforceable, the validity of all remaining parts will not be affected.
Supplier will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Data. Such procedures and practices will be compliant, at a minimum, with the Agreement, these Data Processing Terms, and the Privacy Laws.
Consistent with the foregoing, Supplier shall:
- 7.2.1 (x) physically or logically segregate Personal Data from all other data held by Supplier and prevent any commingling thereof; (y) ensure that portable devices that Process Personal Data, such as laptops, tablet computers, iPads, personal digital assistants, cellular phones, smart phones, iPods, e-readers, USB devices/external drives, CDs, diskettes, wearable or wearaputic devices, and other similar portable devices, are configured to make use of industry standard encryption and, if applicable, mobile device management technology that fully protects these devices’ storage, installation, privilege assignment and transmission capabilities from unauthorized access at a level which meets regulatory compliance requirements, as they may be updated from time to time, and otherwise use industry standard encryption technologies for transmitting and storing all Personal Data; and (z) store and otherwise Process all Personal Data solely from the United States and such other designated locations indicated as approved Processing locations in the Agreement.
- 7.2.2 take reasonable steps to ensure the reliability of all Supplier employees, personnel and Subcontractors who will be provided with access to Personal Data;
- 7.2.3 ensure that its information security program includes industry standard password, firewall, operating system, and anti-virus and malware protections to protect Personal Data stored or otherwise handled on computer systems;
- 7.2.4 encrypt, using industry standard encryption tools, all records and files (A) containing Personal Data that Supplier transmits or sends wirelessly or across public networks; and (B) containing Sensitive Personal Data that Supplier: (x) stores on laptops or storage media; (y) stores on portable devices; and (z) stores on any device that is transported outside of the physical or logical controls of Supplier. Supplier will safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Data. "Sensitive Personal Data" is Personal Data, which due to its nature has been classified by applicable Privacy Laws as deserving additional privacy and security protections, including (without limitation): (1) an individual's name in combination with the individual's: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver's license number, or other identification number issued by a government or public body; or (B) financial account number; (2) an individual's username in combination with password, PIN, or access code that would grant access to an online account; (3) Cardholder Data; (4) racial or ethnic origin; (5) political opinions, religious or philosophical beliefs, or trade union membership; (6) genetic data; (7) biometric data; (8) health data; (9) data concerning a natural person's sex life or sexual orientation; (10) precise geolocation; (11) data concerning a natural person's citizenship or immigration status; and (12) the contents of mail, email, or text messages where the Supplier is not the intended recipient;
- 7.2.5 maintain an incident response program that specifies the actions to be taken by Supplier when it has reason to believe that a Personal Data Breach may have or has occurred;
- 7.2.6 where Supplier Processes Cardholder Data in connection with the Services, comply with the PCI Standards with respect to Cardholder Data. Consistent with Supplier’s obligations as set forth in the Agreement, Supplier hereby acknowledges its responsibility for the protection and security of Cardholder Data in connection with the performance of the Services. Supplier further represents and warrants that it will not take any actions that will compromise Company’s ability to comply with the PCI Standards.
- 7.2.7 where Supplier, directly, or through any of its affiliates or Subcontractors, connects to Company’s computing systems and/or networks, ensure that: (1) all Supplier interconnectivity to Company’s computing systems and/or networks and all attempts at same will be only through Company’s security gateways/firewalls; (2) Supplier will not access, and will not permit any other person or entity to access, Company’s computing systems and/or networks without Company’s authorization, and any such actual or attempted access will be consistent with any such authorization; and (3) Supplier’s systems connecting to Company’s systems or networks, and those Supplier systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Company’s computing systems or networks, will be actively protected by an industry standard malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Company’s computing systems and/or networks. Supplier agrees that Company may perform periodic network assessments, and should any such assessment reveal inadequate security by Supplier or its affiliates, or Subcontractors, Company, in addition to other remedies it may have, may suspend access to Company’s computing systems and/or networks until such security issue has been resolved.
Supplier agrees that: (1) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Data in Supplier’s possession or otherwise acquired by or accessible to Supplier; (2) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Data, will receive appropriate training relating to the protection of Personal Data; (3) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Data to the minimum number of Supplier employees and agents who require such access for purposes of providing goods and/or services to Company; and (4) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.
Supplier shall, as further specified in its WISP, conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks. Supplier shall conduct such reviews and, as appropriate, revise its WISP: (1) at least annually or whenever there is a material change in Supplier’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Data; (2) in accordance with prevailing industry practices; (3) in accordance with any new, amended, or re-interpreted Privacy Laws, and (4) as reasonably requested by Company. Supplier agrees not to alter or modify its WISP or its security safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Data.