This Data Security Addendum (“Addendum”) is made a part of and pursuant to that certain Agreement which includes the eOriginal Master Terms and Conditions Agreement (the “Agreement”) in which it is referenced. Unless otherwise defined in this Addendum, capitalized terms will have the meaning assigned to them in the Agreement.
This Addendum sets forth eOriginal’s commitments for the protection of Customer Data. eOriginal will use commercially reasonable technical and organizational measures designed to protect against unlawful or unauthorized access, use, alteration, or disclosure of Customer Data on the Production Environment as more fully described in this Addendum.
GENERAL SECURITY PROVISIONS
ISP. eOriginal has established a written eOriginal Information Security Program (“ISP”) that includes policies, procedures and controls governing the use, disclosure and processing of Customer Data. Customer is responsible for implementing proper access and use controls and configuring the Platform Services and Vault. It is Customer’s responsibility to determine the appropriate security, protection, deletion and retention settings applicable to Customer Data. The ISP is designed to be compliant with ISO 27001 standards and is reviewed under Service Organization Controls (“SOC”) 2 Type 2 standards. eOriginal will not modify the ISP in any manner that materially decreases the level of protection of Customer Data that is provided in the ISP or the Agreement as of the Order Start Date.
General System Security. eOriginal employs reasonable, industry standard techniques to ensure the security and privacy of Customer Data, including: (i) encryption for all transmissions, dependent upon the user’s browser; (ii) automatic user session termination upon expiration of a time period established by eOriginal; (iii) assignment and selection of unique user names and passwords for restricted access to the Platform Services; (iv) redundant hardware firewalls for system network isolation from unauthorized requests; (v) isolation of the application data from eOriginal’s application servers; and (vi) industry standard disaster recovery procedures and file security procedures, including active intrusion detection systems. eOriginal maintains access control processes and regularly reviews the access rights of authorized employees and Personnel.
Data Encryption. Customer Data will be logically separated in the Production Environment from data of other customers, and all Documents and customer-selected custom data fields will be encrypted using industry standard techniques (AES 256-bit). The application encryption key and its corresponding password are separately maintained. The application’s unique access credentials are required to access Customer Data. All access and transfer of data to and from the Platform Services will be via HTTPS. eOriginal will dispose of Customer Data, equipment and media using industry recognized processes and procedures.
No Disclosure or Use. eOriginal will not use or disclose Customer Data other than as permitted or required by the Agreement, and otherwise to comply with Applicable Law.
Data Center. The data centers containing eOriginal’s servers for eCore and SmartSign are reviewed and tested under SOC 2 Type 2 standards, and ISO/IEC 27001:2013 certified. These data centers are located in the United States, in secure facilities which have card-key controlled access 24 hours a day. Only authorized personnel are given access to the data centers, which are staffed 24 hours a day. The data centers each have a dispatch/alarm monitoring center which monitors the status of the network and servers 24x7x365. The data centers are equipped with redundant power supplies, and other industry standard disaster prevention measures.
The SmartSign Plus service utilizes Amazon Web Services (AWS) to process and store customer information. All AWS servers utilized by eOriginal in the provision of this service are located in the United States.
System Monitoring. The Production Environment is isolated using commercial grade network management controls, including load balancers, firewalls, intrusion detection systems and malware protections, with monitoring of all activity generated and risk-based alerts sent to applicable security groups.
Virus Scanning. eOriginal employs commercially available and up-to-date hardware and software systems that are designed to detect and warn eOriginal of any malware or virus in the databases of the Platform Services. eOriginal monitors these systems on a regular basis and will remediate, patch, correct and otherwise maintain the Software and Platform Services in such a manner as to be free of malware and viruses that are detectable by such systems.
Software Development. eOriginal engages in security-first software development techniques in its software development lifecycle that includes secure coding practices against OWASP identified threats, targeted to meet best practices in software development for avoiding software code security vulnerabilities.
Vulnerability Scanning. eOriginal utilizes an independent third party service to perform periodic penetration and vulnerability scanning of the Software and Platform Services, and eOriginal promptly remediates any critical or highly urgent errors and vulnerabilities found during such tests. To maintain the security and integrity of the Production Environment, Customer is not permitted to conduct any vulnerability scans or penetration testing on the Production Environment.
Backup and Disaster Recovery. eOriginal has established a separate Business Continuity and Disaster Recovery Policy (the “BCP Policy”). The BCP Policy is designed to be compliant with ISO 27001 standards, is reviewed under Service Organization Controls (SOC) 2 Type 2 standards, and is tested. eOriginal performs annual tests of the BCP Policy. eOriginal will not modify the BCP Policy in any manner that materially decreases the current backup, continuity and disaster recovery obligations of eOriginal that are provided in the BCP Policy as of the Order Start Date.
DATA BREACH DETECTION AND RESPONSE
Security Breach Notification. eOriginal shall notify Licensee in accordance with the notification schedule below following eOriginal’s determination of the occurrence of any breach or compromise of the security, confidentiality, or integrity of any Customer Data or Customer Confidential Information, in each case that is in the possession of eOriginal or its Personnel, (a “Security Breach”) including (A) any circumstance pursuant to which applicable law requires notification of such breach to be given to Affected Persons or other activity in response to such circumstance (a “Personal Information Breach”); or (B) any circumstance that compromises, or could reasonably be expected to compromise, either physical security or systems security in a fashion that either does or could reasonably be expected to permit unauthorized processing, use, disclosure, destruction or acquisition of or access to any un-encrypted Customer Data. As used herein “Affected Persons” means those consumers to which Customer Data relates. For the avoidance of doubt, information and data stored on the systems of Customer or its Affiliates, or their Personnel, is not deemed to be in the possession of eOriginal and eOriginal is not responsible for Customer security over its own data and information while in the possession of Customer, its Affiliates or their Personnel, or other third parties under Customer’s control. eOriginal’s obligation to report a Security Breach under this Addendum will not be construed as an acknowledgment by eOriginal of any fault or liability of eOriginal with respect to such Security Breach.
The following notifications are subject to any specific requirements of Applicable Law:
Notification One (1): eOriginal shall notify Customer promptly but no later than one (1) business day following the discovery of any Security Breach. Notification to Customer of a Security Breach shall precede notifications to any third party except eOriginal Personnel and relevant law enforcement, to the extent permitted by Applicable Law.
Notification Two (2): eOriginal shall provide updates to Customer on the current status of any Security Breach at relevant times that new information becomes available until the Security Breach is substantially remediated or there is a workaround that substantially mitigates the effect of the Security Breach.
Notification Three (3): eOriginal shall provide a final notification to Customer once the Security Breach has been remedied, and, in the case of a Security Breach that impacted delivery of Services, after restoration of the Services.
All notifications described above shall be through the means and methods identified in the ISP, and, subject to the Agreement and Applicable Law, all such communications regarding the Security Breach are Confidential Information of eOriginal. Both parties reserve the right, in their sole discretion, to make their own appropriate privacy breach notifications to Affected Persons and regulators as applicable pursuant to Applicable Law.
Provision of Information Regarding Security Breach. To assist Customer with the notifications required in the event of a Personal Information Breach, eOriginal shall include a brief summary of the available facts, the status of any investigation, the scope of Documents impacted by such Security Breach, and, if known, the potential number of Affected Persons. Due to the configuration and operation of the Platform Services, eOriginal may not have access to or knowledge of the information contained within the impacted Documents and may not be able to provide Customer with any information contained therein, such as the identities of Affected Persons or their contact information. eOriginal agrees that it shall not communicate with any third party other than its Personnel, including, but not limited to, the media, vendors, consumers, and Affected Persons regarding any Security Breach without the express written consent of Customer, unless eOriginal’s attorneys advise it that it has a legal obligation to do so, and then eOriginal may take any action it reasonably determines it is legally obligated to take. For the avoidance of doubt, eOriginal’s actions taken in good faith and in reliance on advice from counsel to comply with Applicable Law shall not constitute a violation of this Addendum.
Cooperation. eOriginal shall take all reasonable measures to mitigate the cause of any Security Breach and shall take reasonable corrective measures to protect against future Security Breaches of a similar nature. Both parties shall cooperate fully with each other in security investigation and remediation activities related to any Security Breach. eOriginal shall maintain all records and logs of that portion of eOriginal’s network that stores or processes Customer Data or Customer Confidential Information. Following a Security Breach, eOriginal shall maintain such records and logs for such time as required by Applicable Law.
INFORMATION DESTRUCTION AND RETURN REQUIREMENTS
Overall Requirements. Unless eOriginal is directed to return Customer Confidential Information and Customer Data, and subject to the provisions below permitting certain data retention, eOriginal shall destroy all Customer Confidential Information and Customer Data at all locations where it is stored after it is no longer needed for performance under the Agreement or to satisfy regulatory or retention requirements. eOriginal has developed and has in place data retention and destruction policies incorporated into the ISP. eOriginal will, upon written request from Customer, confirm data destruction in writing.
Access to and return of Confidential Information. During the Term, Customer may download its applicable Documents and Customer Data stored on the Platform Services through the Software functionality. eOriginal may provide Services to assist Customer with Document or data extraction pursuant to the terms of a fully executed Order Form including a Task Order describing the scope of such Services.
Backup Storage. eOriginal may maintain Customer Data and Customer Confidential Information and data in encrypted backup storage, which shall not be deleted or removed except in the ordinary course of overwriting such storage areas as new backups are stored.
AUDIT / VENDOR ASSESSMENT RIGHTS
Customer Portal. At all times during the Term, eOriginal shall maintain the ISP, BCP Policy, recent audit reports, and other current and available compliance information, data and reports regarding eOriginal and the Platform Services available for access by Customer on the eOriginal online customer portal.
Audit / Vendor Assessment Services. Customer shall be provided with the level of Audit / Vendor Assessment Services purchased in an Order Form. Should Customer seek additional assistance, information or participation in Customer’s audit, review, or vendor assessment activities, eOriginal may provide such assistance, information or participation under a Task Order at eOriginal’s current time and materials rates.
Conditions of Audit / Assessment. All audits and assessments performed with respect to eOriginal, the Platform Services or eOriginal Personnel shall be conducted during business hours, during reasonable times and for reasonable duration, shall not interfere with eOriginal’s regular business operations, and shall be conducted under mutually agreeable terms and in accordance with eOriginal’s policies and procedures. Customer’s audit and assessment rights do not include any penetration testing or vulnerability testing of the Production Environment, and eOriginal may limit disclosure of information or documents if eOriginal reasonably believes that such disclosure will negatively impact the security or integrity of the Platform Services, Customer Data, or the data or information of other customers of eOriginal. In the event Customer uses its Personnel to perform such audits or assessments, eOriginal will require that such Personnel enter into a Non-Disclosure Agreement with eOriginal containing confidentiality obligations similar to those of the Agreement. Customer must provide to eOriginal a copy of the draft report of any Customer audit or assessment and its findings for comment and response by eOriginal prior to such report being made final or otherwise being distributed to a third party.
Third Party Audits. eOriginal engages a third party independent auditor to perform an annual SOC 2 Type 2 review of eOriginal, its ISP and the Platform Services.