THIS DATA SECURITY AGREEMENT (“DSA”) is made as of [date] (the “Effective Date”) between Cayster Inc. (the “Company”) and [Party name] (the “Vendor”). Each of Company and Vendor is a “Party” and jointly they are the “Parties.”
WHEREAS, Vendor acknowledges and agrees that it shall be subject to the privacy and data security requirements set forth below.
NOW, THEREFORE, in consideration of the mutual covenants contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows.
- 1. Definitions
  - 1.1 “Affiliate” of any specified Person means and includes any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control with such specified Person. For purposes of this definition, “control,” “controlling,” and “controlled,” when used with respect to such other Person means the power to direct the management and policies of such other Person, directly or indirectly, whether through the ownership of voting securities, by contract, or otherwise.
  - 1.2 “Authorized Party” means an employee or Affiliate of the Vendor or a Third Party engaged by Vendor who has a need to know or otherwise access Personal Information to enable Vendor to perform its obligations under this DSA, and who is bound in writing by obligations of confidentiality sufficient to protect the Personal Information or other Company Group information in accordance with the terms of this DSA, which shall be no less stringent than those set forth in this DSA. Vendor shall, in all instances, be fully responsible and liable for any breaches of the terms of this DSA by an Authorized Party.
  - 1.3 “Person” means any individual, partnership, limited liability company, corporation, trust, estate, association, or any other legal or commercial entity.
  - 1.4 “Personal Information” means information provided by or at the direction of Company, or to which access was provided in the course of Vendor’s performance of the MSA, that (i) identifies an individual (by name, signature, address, telephone number, email address, or other unique identifier such as a user account or device); (ii) can be used to authenticate that individual (including, without limitation, employee identification number, a government-issued identification number, passwords or PINs, user identification (such as email address or username) and account access credentials or passwords, financial account numbers, credit, debit, or gift card number, credit report information, full birth date, biometric or health data, internet browsing history, geolocation data, answers to security questions, or other personal identifiers); or (iii) constitutes “nonpublic personal information” as defined in 12 CFR § 1016.3(p) and 16 CFR § 313.3(n). Company Group business contact information is not by itself Personal Information. Personal Information qualifies as “Confidential Information” under the MSA (or, if such term is not defined therein, under a binding non-disclosure or confidentiality agreement between the Parties).
  - 1.5 “Process” means performing any operation or set of operations upon Personal Information, whether or not by automatic means, such as collection, access, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  - 1.6 “DSA Term” or “Data Security Agreement Term” means the period beginning on the Effective Date and lasting until the Vendor (including its agents and employees) no longer possesses any Personal Information.
  - 1.7 “Securely Dispose of” means to burn, pulverize, or shred papers, or to destroy or erase electronic files or media, so that the information on such papers, files, and media cannot be read or reconstructed, consistent with industry-accepted frameworks such as NIST Special Publication 800-53 or ISO/IEC 27000.
  - 1.8 “Security Incident” means (1) the unauthorized access to or acquisition of Personal Information, or (2) the impermissible disclosure, loss, theft, destruction, or use of Personal Information.
  - 1.9 “Third Party” means anyone outside Vendor including, without limitation, subcontractors, agents, outsourcers, auditors, and Affiliates.
- 2. Ownership and Standard of Care
  - 2.1 Vendor acknowledges and agrees that all Personal Information, in whatever form, is either the property of Company or is property whose use(s) Company has the right or obligation to specify, whether by contract, license, or otherwise. Vendor acknowledges that it has no ownership interest in the Personal Information. Company will be responsible for compliance with applicable law, including data protection law, with respect to the Personal Information it provides to Vendor or to which Vendor gains access as part of the Services under the MSA; provided, however, that Vendor shall be responsible for compliance with applicable law with respect to any Processing performed by Vendor or an Authorized Party of such Personal Information provided by Company or to which Company granted access. This includes, where applicable, providing adequate notice and, where needed, obtaining consent to the Processing to be conducted by Vendor. In recognition of the foregoing and Vendor’s receipt of or access to Personal Information, Vendor covenants and agrees that at all times during the DSA Term:
    - (a) Vendor will strictly maintain the confidentiality of the Personal Information, using such degree of care as is appropriate for the type of Personal Information to avoid unauthorized access, use, or disclosure and in compliance with applicable law;
    - (b) Unless otherwise required by applicable laws and subject to Section 2.1(c) below, Vendor will Process Personal Information solely and exclusively for the purposes for which such information, or access to it, is provided pursuant to the terms of this DSA and for which Company has obtained consent by the end users where required under applicable law, and will not use, sell, rent, transfer, barter, exchange, assign, distribute, or otherwise Process or make available Personal Information for Vendor’s own purposes or for the benefit of anyone other than Company without Company’s express prior written consent;
    - (c) Vendor will not, directly or indirectly, disclose Personal Information to a Third Party except as permitted herein or unless, and to the extent, required by law enforcement or government bodies or as otherwise to the extent expressly required by applicable law or regulations; provided, however, that, in the event such information is requested by a law enforcement authority or governmental authority (or is required to be divulged by law or regulation), Vendor shall give advance notice of such disclosure requirement to Company, to the extent legally permitted, and shall give Company a reasonable opportunity to object to and contest such disclosure, including by seeking a protective order or other appropriate remedy;
    - (d) To the extent Vendor discloses or makes Personal Information available to a Third Party, such Third Party must be an Authorized Party and Vendor shall remain liable to Company for the actions and omissions of the Third Party concerning the treatment of the Personal Information, in accordance with the terms herein. Vendor shall only disclose to a Third Party the minimum amount of Personal Information necessary to provide the Services to Company.
- 3. Information Security
  - 3.1 Vendor has implemented or, prior to receiving Personal Information, will implement and maintain appropriate measures to safeguard Personal Information and comply with the Information Security Requirements (defined below). Such measures shall be designed to (i) ensure the security and confidentiality of Personal Information, (ii) protect against any anticipated threats or hazards to the security or integrity of Personal Information, and (iii) protect against unauthorized access to or use of Personal Information (including after disposal). Vendor will comply with the Information Security Requirements throughout the DSA Term.
  - 3.2 “Information Security Requirements” include the following, as applicable:
    - (a) Such State, Federal or local law, regulation, or business guidance published by applicable federal or state regulators, as well as other applicable international laws and/or regulations, prescribing information security standards as may be applicable to the Processing of Personal Information for Company, including, but not limited to, Section 5 of the Federal Trade Commission (“FTC”) Act, Mass. Regs. Code tit. 201, § 17.00 et seq., and the General Data Protection Regulation (GDPR). In the event the information of EU data subjects is processed or any processing activities take place in the EU, we recommend that this agreement also be reviewed by EU privacy counsel;
    - (b) FTC Standards for Safeguarding Customer Information, 16 CFR Part 314; and
    - (c) If Vendor is Processing payment card information, the then-current version of the Payment Card Industry (“PCI”) Data Security Standard (“PCI DSS”), Payment Application Data Security Standard (“PA-DSS”) (as applicable), and/or any other similar industry standard to which Company Group may become bound, as may be applicable with respect to the Processing of Personal Information for Company Group (all collectively “Industry Standards”), including remaining aware at all times of changes to Industry Standards and implementing such changes as necessary to remain in compliance at Vendor’s expense. No less frequently than annually, Vendor shall send Company evidence of compliance with such standards, such as an Attestation of Compliance signed by a valid PCI Qualified Security Assessor, or a self-attestation, as applicable.
  - 3.3 Without limiting the foregoing, Vendor will (at all times during the DSA Term) implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is Processed, comply with applicable data protection and privacy laws and comply with the terms of this DSA.
  - 3.4 Prior to receiving any Personal Information, Vendor shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed against new risk assessments at least annually. Such obligation shall continue throughout the DSA Term.
  - 3.5 At a minimum, if Processing any Personal Information, Vendor’s information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) strictly segregating Personal Information from information of Company Group’s competitors so that both types of information are not commingled on any one system; (h) personnel security and integrity including, but not limited to, training and background checks consistent with applicable law; (i) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (j) conducting external and internal penetration testing and vulnerability scans and promptly implementing, at Vendor’s sole cost and expense, a corrective action plan to correct the issues that are reported as a result of the testing; and (k) limiting access of Personal Information, and providing privacy and information security training, to Vendor’s Authorized Parties.
  - 3.6 Upon Company’s written request, Vendor will promptly identify all Authorized Parties in writing as of the date of the request. During the term of each Authorized Party’s employment or engagement by Vendor, Vendor will at all times cause such Authorized Parties to strictly abide by its obligations under this DSA. Vendor further agrees that it will maintain a disciplinary process to address any unauthorized Processing of Personal Information by any Authorized Parties.
  - 3.7 In the event Vendor disposes of Personal Information during the DSA Term, Vendor shall Securely Dispose of such Personal Information and provide Company with documentary evidence thereof.
  - 3.8 Upon expiration or termination of the MSA, Vendor will stop Processing Personal Information and return or Securely Dispose of (with documentary evidence thereof) such Personal Information, as directed by Company. Vendor will contact Company (by sending an email to the individual overseeing the Services) to determine whether the Personal Information (regardless of how stored by Vendor) must be: (a) returned to Company; or (b) Securely Disposed of (with such method elected by Vendor or as may be required by the Information Security Requirements, as applicable), with documentary evidence of such disposal to be provided to the Company. In the event that Company does not respond to such inquiry within sixty (60) days of receipt thereof, Vendor shall Securely Dispose of all such Personal Information in its possession. Notwithstanding the foregoing, Vendor may retain a copy of such Personal Information as Vendor is required to retain for its regulatory purposes under applicable law (but only the Personal Information necessary for compliance and only for as long as it is so required), provided that such copy must be safeguarded by Vendor consistent with the terms of this DSA. At such time as the Personal Information is no longer required to be maintained by Vendor for its regulatory purposes, Vendor shall Securely Dispose of said information in accordance herewith.
- 4. Oversight of Security Compliance
  - 4.1 Vendor shall grant Company, or a third party on Company’s behalf, permission to perform (at Company’s cost) an assessment, audit, examination, or review of controls in Vendor’s environment in relation to the Personal Information being Processed, and/or Services being provided to confirm compliance with the DSA. If Vendor objects to such third party selected by Company on reasonable grounds, Company will select a different one in its sole discretion. Vendor shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that Processes Personal Information for Company pursuant to the DSA. Any assessment, audit, examination, or review of controls under this Section 4.1 must be preceded by reasonable prior written notice of the audit that allows for appropriate personnel to be made available to assist and shall be designed to assess compliance with applicable law and the DSA obligations. Company Group shall only be granted access during Vendor’s regular business hours.
  - 4.2 As part of the audit or assessment right, Vendor shall promptly and accurately complete an information security questionnaire provided by Company or a third party on Company’s behalf regarding Vendor’s environment in relation to the Personal Information being Processed, and/or Services being provided to confirm compliance with the DSA. Vendor shall fully cooperate with such inquiry. Company shall treat the information provided by Vendor in the security questionnaire as confidential.
- 5. Security Notice
  - 5.1 If there is a known or suspected Security Incident at any time during the DSA Term:
    - (a) Vendor will notify Company as soon as possible but in any event within twenty-four (24) hours after it becomes aware of it, or, if sooner, no later than the statutory reporting period prescribed in any applicable data breach law. Written notice shall include, at a minimum: (a) a description of the breach or loss, including the date it occurred; (b) to the extent known, the number of individuals affected and their place of residence; (c) the data and/or information accessed, acquired, lost and/or misused; (d) whether such data was encrypted or unencrypted; (e) whether encryption keys or passwords may have been compromised; and (f) a description of the steps taken to investigate and remedy the incident, secure systems or recover lost information, and prevent the use of the Personal Information and the recurrence of further security breaches or losses of the same type.
    - (b) Vendor will provide Company with the name and contact information for a primary security contact within Vendor who will be available to assist Company 24 hours per day, 7 days per week as a contact in resolving obligations associated with the Security Incident. Vendor shall notify Company of any Security Incidents by e-mailing [email] with a read receipt with a copy to Company under the notice provisions of the MSA.
    - (c) Immediately following such discovery and notification to Company, the Parties will cooperate with each other and any applicable regulatory authorities to investigate the Security Incident, further assess the risk associated with such unauthorized use or disclosure of Personal Information or other data and the nature and scope of any such event, and review all pertinent records. Vendor agrees to provide reasonable assistance and cooperate with Company in Company’s handling of the matter, including, without limitation, any investigation, providing Company with physical access to the facilities and operations affected, facilitating interviews with Vendor’s employees and others involved in the matter, making available all relevant records, logs, files, and data, and fulfilling any reporting or other obligations required by applicable law, regulation, standard, or as otherwise required by Company. Vendor shall be responsible for all costs arising from Vendor’s provision of such assistance if such Security Incident was caused by Vendor or any Authorized Party or entity who obtained the information from Vendor.
    - (d) Vendor shall take prompt and reasonable steps to remedy the Security Incident, with such remedy to include actions necessary to comply with all applicable privacy and data security rights, laws, and standards, at Vendor’s cost. If the Security Incident was caused by Vendor or any Authorized Party or entity who obtained the information from Vendor, Vendor shall reimburse Company for actual costs incurred in responding to and/or mitigating damages caused by a Security Incident.
    - (e) Except as may be expressly required by applicable law, Vendor agrees that it will not inform any third party of any Security Incident without first obtaining Company’s prior written consent, other than to inform a complainant that the matter has been forwarded to Company’s legal counsel. Further, Vendor agrees that Company shall have the sole right to determine (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or in Company’s discretion; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation. Notwithstanding the foregoing, Vendor shall assume the responsibility of providing notifications to individuals affected by the Security Incident, as required by law and agreed to with Company. Any such notice or remediation shall be at Vendor’s sole cost and expense if such Security Incident was caused by Vendor or any Authorized Party or entity who obtained the information from Vendor.
    - (f) Vendor agrees to cooperate with Company in any litigation or other formal action against third parties deemed necessary by Company to protect its rights at Vendor’s sole cost.
    - (g) Vendor will promptly use its best efforts to prevent a recurrence of any such Security Incident.
- 6. Privacy By Design
  - 6.1 Vendor acknowledges and agrees that privacy and data security shall be incorporated into the design and operation of the products or Services provided to Company. Vendor acknowledges and agrees that its products or Services shall respond to changes in legal obligations, regulatory guidance, industry best practices, and known and foreseeable risks to Personal Information and Company Group data. At a minimum, and without limiting any express obligations under this DSA, Vendor shall incorporate privacy and data security protections into its products, Services, and operations to protect and manage against foreseeable risks to Personal Information and Company Group data. The provisions of this Section 6.1 shall apply at all times during the DSA Term.
- 7. Remedies
  - 7.1 Vendor acknowledges that all Personal Information is considered to be proprietary and of competitive value, and constitutes in many instances trade secrets. Because of the unique nature of the Personal Information, Vendor acknowledges that any breach of this DSA by Vendor would cause Company irreparable harm, and that money damages and other remedies available at law in the event of a breach would not be adequate to compensate Company for any such breach.
  - 7.2 Accordingly, Company will be entitled, without the requirement of posting a bond or other security, to equitable relief, including, without limitation, immediate injunctive relief and specific performance, as a remedy for any such breach, and Vendor shall not oppose such relief. Such relief will be in addition to, and not in lieu of, all other remedies available at law or in equity to Company.
- 8. Indemnification
  - 8.1 Vendor will, at its own cost and expense, defend, indemnify, and hold harmless Company, its Affiliates and its and their respective employees, officers, directors, members, and agents as well as Company’s successors (each an “Indemnitee”) from and against all third party claims, actions, lawsuits, inquiries, investigations, and proceedings (each a “Claim”), and the resulting damages, fines, fees, assessments, penalties, losses, liabilities, and costs (including without limitation the cost of judgments and settlements and attorneys’ fees for defense of the claims, actions, lawsuits, and proceedings and to recover from Vendor all amounts due Company in accordance with this Section), arising out of or caused by a Security Incident or any violation, breach, or non-performance of any of the terms of this DSA by the Vendor, including without limitation Vendor’s and/or an Authorized Party’s noncompliance with applicable law and/or the Information Security Requirements in performing the Services or when otherwise Processing Personal Information.
  - 8.2 Indemnitee shall provide Vendor with prompt written notice of the existence of any Claim; non-financial assistance at Vendor’s request and expense to the extent reasonably necessary for the defense of such Claim; and control over the defense or settlement of such Claim, provided that no settlement requiring any financial payment from Indemnitee, admission of liability by Indemnitee, or equitable or injunctive relief shall be made without Indemnitee’s prior written consent. Indemnitee shall have the right to participate in the defense of any such Claim at its expense and through counsel of its choosing.
- 9. Miscellaneous
  - 9.1 In the event of a conflict between this DSA and the MSA, the provision that is most protective of the Company’s interests shall control.
  - 9.2 This DSA may be executed in one or more counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument. A PDF or emailed version of this DSA shall be deemed an original.
  - 9.3 Notices and all other communications which may or must be given under this DSA shall be in writing and shall be deemed to have been duly given when delivered by hand, mailed by United States registered mail, return receipt requested, postage prepaid, or delivered by recognized overnight courier, charges prepaid, to the address set forth on the first page hereof or to such other address as shall be designated by like notice. All notices to Company shall be sent to the attention of:
Cayster Inc.
Attn: General Counsel
509 Madison, 18th Flr
New York, NY 10022