Data Security Addendum
This Data Security Addendum (“Addendum”) is made a part of and pursuant to that certain Agreement which includes the eOriginal Master Terms and Conditions Agreement (the “Agreement”) in which it is referenced. Unless otherwise defined in this Addendum, capitalized terms will have the meaning assigned to them in the Agreement.
This Addendum set forth eOriginal’s commitments for the protection of Customer Data. eOriginal will use commercially reasonable technical and organizational measures designed to protect against unlawful or unauthorized access, use, alteration, or disclosure of Customer Data on the Production Environment as more fully described in this Addendum.
GENERAL SECURITY PROVISIONS
ISP. eOriginal has established a written eOriginal Information Security Program (“ISP”) that includes policies, procedures and controls governing the use, disclosure and processing of Customer Data. Customer is responsible for implementing proper access and use controls and configuring the Platform Services and Vault. It is Customer’s responsibility to determine the appropriate security, protection, deletion and retention settings applicable to Customer Data. The ISP is designed to be compliant with ISO 27001 standards, is reviewed under Service Organization Controls (“SOC”) 2 Type 2 standards. eOriginal will not modify the ISP in any manner that materially decreases the level of protection of Customer Data that is provided in the ISP or the Agreement as of the Order Start Date.
General System Security. eOriginal employs reasonable, industry standard techniques to ensure the security and privacy of Customer Data, including: (i) encryption for all transmissions dependent upon the user’s browser; (ii) automatic user session termination upon expiration of a time period established by eOriginal; (iii) assignment and selection of unique user names and passwords for restricted access to the Platform Services; (iv) redundant hardware firewalls for system network isolation from unauthorized requests; (v) isolation of the application data from the eOriginal’s application servers; and (vi) industry standard disaster recovery procedures and file security procedures, including active intrusion detection systems. eOriginal maintains access control processes and regularly reviews the access rights of authorized employees and Personnel.
Compliance with Data Security Applicable Law. eOriginal will comply with all Applicable Law regarding data security and data breach notification. Customer Data will be logically separated in the Production Environment from data of other customers, and all Documents and customer defined data fields will be encrypted using industry standard techniques (AES 256-bit). The application encryption key and its corresponding password are separately maintained. The application’s unique access credentials are required to access Customer Data. All access and transfer of data to and from the Platform Services will be via HTTPS. eOriginal will dispose of Customer Data, equipment and media using industry recognized processes and procedures.
No Disclosure or Use. eOriginal will not use or disclose Customer Data other than as permitted or required by the Agreement, and otherwise to comply with Applicable Law.
Data Center. The data centers containing eOriginal’s servers for the Platform Services are reviewed and tested under SOC 2 Type 2 standards, and ISO/IEC 27001:2013 certified. These data centers are located in the United States, in secure facilities which have card-key controlled access 24 hours a day. Only authorized personnel are given access to the data centers, which are staffed 24 hours a day. The data centers each have a dispatch/alarm monitoring center which monitors the status of the network and servers 24x7x365. The data centers are equipped with redundant power supplies, and other industry standard disaster prevention measures.
System Monitoring. The Production Environment is isolated using commercial grade network management controls, including load balancers, firewalls, intrusion detection systems and malware protections, with monitoring of all activity generated and risk-based alerts sent to applicable security groups.
Virus Scanning. eOriginal employs commercially available and up-to-date hardware and software systems that are designed to detect and warn eOriginal of any malware or virus in the databases of the Platform Services. eOriginal monitors these systems on a regular basis and will remediate, patch, correct and otherwise maintain the Software and Platform Services in such a manner as to be free of malware and viruses that are detectable by such systems.
Software Development. eOriginal engages in security-first software development techniques in its software development lifecycle that includes secure coding practices against OWASP identified threats, targeted to meet best practices in software development for avoiding software code security vulnerabilities.
Vulnerability Scanning. eOriginal utilizes an independent third party Personnel to perform periodic penetration and vulnerability scanning of the Software and Platform Services, and eOriginal promptly remediates any critical or highly urgent errors and vulnerabilities found during such tests. To maintain the security and integrity of the Production Environment, Customer is not permitted to conduct any vulnerability scans or penetration testing on the Production Environment.
Backup and Disaster Recovery. eOriginal has established a separate Business Continuity and Disaster Recovery Policy (the “BCP Policy”). The BCP is designed to be compliant with ISO 27001 standards and is reviewed under Service Organization Controls (SOC) 2 Type 2 standards and tested. eOriginal performs annual tests of the BCP Policy. eOriginal will not modify the BCP Policy in any manner that materially decreases the current backup, continuity and disaster recovery obligations of eOriginal that is provided in the BCP Policy as of the Order Start Date.
Background Checks and Training. eOriginal conducts reasonable and appropriate background investigations on all its employees in accordance with Applicable Law. Employees must pass eOriginal’s background checks prior to being appointed to positions that may allow access to unencrypted Customer Data. Upon Customer’s written request, eOriginal will provide a certification of the background check process that has been applied to such employees and confirm the current status thereof. eOriginal will take appropriate action if any background check of eOriginal employees implicates security issues over Customer Data. eOriginal further conducts mandatory employee security awareness training on policies and procedures regarding the protection of security, integrity and confidentiality of Customer Data.
Use of Certain Personnel. eOriginal uses a limited number of third party contractors that manage certain aspects of its service infrastructure, which contractors are relied upon by eOriginal to ensure eOriginal’s continued provision of the Platform Services (collectively, the “Subcontractors”). Subcontractors include the contractors that manage the data center where Customer Data is stored, and vendors that monitor data center status and provide external security review and monitoring. eOriginal will evaluate all Subcontractors to ensure such Subcontractors maintain adequate physical, technical, organizational and administrative controls, based on the level of services provided by such Subcontractors and the level of access such Subcontractors may have to unencrypted Customer Data. Subcontractors must maintain and provide an independent audit assessment which conforms to eOriginal’s SOC 2 Type 2 audit, or an equivalent standard. All Subcontractors have signed written agreements with eOriginal that contain provisions regarding the protection of Customer Data and data security that are not materially less protective than those provisions herein, and that require such Subcontractors to comply with Applicable Law and cooperate with eOriginal in the event of a Security Breach. Employees of Subcontractors generally do not have access to unencrypted Customer Data, provided however that if such access is required, eOriginal shall require that such contractor also have engaged in reasonable background checks of such employees and shall require that such Subcontractor also provide at least the same level of verification of background check status as is required of eOriginal herein. eOriginal remains responsible for the acts and omissions of all its Personnel as such relates to the performance of the Agreement, as though eOriginal had directly performed all such Services.
DATA BREACH DETECTION AND RESPONSE
Security Breach Notification. eOriginal shall notify Licensee in accordance with the notification schedule below following eOriginal’s determination of the occurrence of any breach or compromise of the security, confidentiality, or integrity of any Customer Data or Customer Confidential Information, in each case that is in the possession of eOriginal or its Personnel, (a “Security Breach”) including (A) any circumstance pursuant to which applicable law requires notification of such breach to be given to Affected Persons or other activity in response to such circumstance (a “Personal Information Breach”); or (B) any circumstance that compromises, or could reasonably be expected to compromise, either physical security or systems security in a fashion that either does or could reasonably be expected to permit unauthorized processing, use, disclosure, destruction or acquisition of or access to any un-encrypted Customer Data. As used herein “Affected Persons” means those consumers to which Customer Data relates. For the avoidance of doubt, information and data stored on the systems of Customer or its Affiliates, or their Personnel, is not deemed to be in the possession of eOriginal and eOriginal is not responsible for Customer security over its own data and information while in the possession of Customer, its Affiliates or their Personnel, or other third parties under Customer’s control. eOriginal’s obligation to report a Security Breach under this Addendum will not be construed as an acknowledgment by eOriginal of any fault or liability of eOriginal with respect to such Security Breach.
The following notifications are subject to any specific requirements of Applicable Law:
Notification One (1): eOriginal shall notify Customer promptly but no later than one (1) business day following the discovery of any Security Breach. Notification to Customer of a Security Breach shall precede notifications to any third party except eOriginal Personnel and relevant law enforcement, to the extent permitted by Applicable Law.
Notification Two (2): eOriginal shall provide updates to Customer on the current status of any Security Breach at relevant times that new information becomes available until the Security Breach is substantially remediated or there is a workaround that substantially mitigates the effect of the Security Breach.
Notification Three (3): eOriginal shall provide a final notification to Customer once the Security Breach has been remedied, and, in the case of a Security Breach that impacted delivery of Services, after restoration of the Services.
All notifications described above shall be through the means and methods identified in the ISP, and, subject to the Agreement and Applicable Law, all such communications regarding the Security Breach are Confidential Information of eOriginal. Both parties reserve the right in their sole discretion to make its own appropriate privacy breach notifications to Affected Persons and regulators as applicable pursuant to Applicable Law.
Provision of Information Regarding Security Breach. To assist Customer in such notifications required in the event of a Personal Information Breach, eOriginal shall include a brief summary of the available facts, the status of any investigation, the scope of Documents impacted by such Security Breach, and, if known, the potential number of Affected Persons. Due to the configuration and operation of the Platform Services, eOriginal will not have access to or knowledge of the information contained within the impacted Documents and will not be able to provide Customer with any information contained therein, such as the identities of Affected Persons or their contact information. eOriginal agrees that it shall not communicate with any third party other than its Personnel, including, but not limited to the media, vendors, consumers, and Affected Persons regarding any Security Breach without the express written consent of Customer, unless eOriginal’s attorneys advise it that it has a legal obligation to do so, and then eOriginal may take any action it reasonably determines it is legally obligated to take. For the avoidance of doubt, eOriginal’s actions taken in good faith and in reliance on advice from counsel to comply with Applicable Law shall not constitute a violation of this Addendum.
Costs and Expenses in Security Breach. Subject to any provisions in the Agreement which shall control over this provision, in connection with a Security Breach which was caused by eOriginal or its Personnel, eOriginal agrees to pay for all appropriate damages and costs for which it is liable under Applicable Law (which eOriginal acknowledges may include credit monitoring for Affected Persons required in any settlement thereof, or in connection with any regulatory order in connection with, such Security Breach). To the extent a Security Breach was caused partially by eOriginal or its Personnel, and partially by Customer or a Customer Affiliate or either of their Personnel, then the above-mentioned costs shall be equitably apportioned among eOriginal and Customer in the relative proportion that each party’s actions or inaction caused such claims, losses or expenses.
Cooperation. eOriginal shall take all reasonable measures to mitigate the cause of any Security Breach and shall take reasonable corrective measures to protect against future Security Breaches of a similar nature. Both parties shall cooperate fully with each other in security investigation and remediation activities related to any Security Breach. eOriginal shall maintain all records and logs of that portion of eOriginal’s network that stores or processes Customer Data or Customer Confidential Information. Following a Security Breach, eOriginal shall maintain such records and logs for such time as required by Applicable Law.
INFORMATION DESTRUCTION AND RETURN REQUIREMENTS
Overall Requirements. Unless eOriginal is directed to return Customer Confidential Information and Customer Data, subject to the provisions below permitting certain data retention, eOriginal shall destroy all Customer Confidential Information and Customer Data at all locations where it is stored after it is no longer needed for performance under the Agreement or to satisfy regulatory or retention requirements. eOriginal has developed and has in place data retention and destruction policies incorporated into the ISP. eOriginal will upon written request from Customer, confirm data destruction in writing.
Access to and return of Confidential Information. Licensee may always download its Documents and Customer Data stored on the Platform Services through the Software functionality. eOriginal may provide Services to assist Customer with Document or data extraction pursuant to the terms of a fully executed Order Form including a Task Order describing the scope of such Services.
Backup Storage. Notwithstanding anything else in the Agreement or other schedule, exhibit, addendum or order, eOriginal may maintain Customer Data and Customer Confidential Information and data in encrypted backup storage in accordance with the Agreement, which shall not be deleted or removed except in the ordinary course of overwriting such storage areas as new backups are stored.
AUDIT / VENDOR ASSESSMENT RIGHTS
Customer Portal. At all times during the Term, eOriginal shall maintain the ISP, BCP Policy, recent audit reports, and other current and available compliance information, data and reports regarding eOriginal and the Platform Services available for access by Customer on the eOriginal online customer portal.
Audit / Vendor Assessment Services. Customer shall be provided with the level of Audit / Vendor Assessment Services purchased in an Order Form. Should Customer seek additional assistance, information or participation in Customer’s audit, review, or vendor assessment activities, eOriginal may provide such assistance, information or participation under a Task Order at eOriginal’s current time and materials rates.
Conditions of Audit / Assessment. All audits and assessments performed with respect to eOriginal, the Platform Services or eOriginal Personnel shall be conducted during business hours, during reasonable times and for reasonable duration, shall not interfere with eOriginal’s regular business operations, and shall be conducted under mutually agreeable terms and in accordance with eOriginal’s policies and procedures. Customer’s audit and assessment rights do not include any penetration testing or vulnerability testing of the Production Environment, and eOriginal may limit disclosure of information or documents if eOriginal reasonably believes that such disclosure will negatively impact the security or integrity of the Platform Services, Customer Data, or the data or information of other customers of eOriginal. In the event Customer uses its Personnel to perform such audits or assessments, eOriginal will require that such Personnel enter into a Non-Disclosure Agreement with eOriginal containing confidentiality obligations similar to those of the Agreement. Customer must provide to eOriginal a copy of the draft report of any Customer audit or assessment and its findings for comment and response by eOriginal prior to such report being made final or otherwise being distributed to a third party.
Third Party Audits. eOriginal engages a third party independent auditor to perform an annual SOC 2 Type 2 review of eOriginal, its ISP and the Platform Services.
Regulatory Audits. If a governmental entity or agency with regulatory authority over Customer (a “Regulator”) desires to audit eOriginal or its Personnel, eOriginal shall be responsible to obtain the consent, permission and participation of such Personnel in such audit. eOriginal will fully cooperate with all information and document requests submitted by Regulators and will make its books, records, and operations relating to all products and services provided to Customer available for audit or inspection by Regulators.
Security Breach. Following a Security Breach, upon Customer’s written request, eOriginal will select and engage at its expense a third party auditor to perform an additional audit to confirm the security of Customer Data.
Remediation. Upon receipt of a copy of an audit or assessment report which indicates non-compliance with the Agreement, eOriginal shall promptly investigate and initiate work to correct such non-compliance and shall diligently continue such work until the non-compliance is remediated. eOriginal shall provide regular updates to Customer with respect to the progress of such remediation efforts.