Privacy and Information Security Addendum (“PISA”)
Effective 1 June 2023. Supersedes all previous versions.
- DEFINITIONS
1.1. Capitalized terms shall have the meanings set out below. Any capitalized terms not defined below or elsewhere in this PISA shall have the meanings ascribed to them in the Agreement.
1.2. “Personal Data” has the meaning given by Applicable Data Protection Laws and includes any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3. “Process” or “Data Processing” means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processed” or “Processing” shall be construed consistent with this definition.
1.4. “Applicable Data Protection Law” means all national, state, regional and/or local laws, rules, regulations, security requirements and regulatory guidance applicable to either Party’s performance under this PISA. These may include, but are not limited to, the requirements of the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, hereinafter “HIPAA”), as well as those applicable to the Processing of Personal Data such as the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the Processing of Personal Data of natural persons, as well as the Payment Card Industry Data Security Standard and other applicable standards issued by the Payment Card Industry Security Standards Council, LLC, VISA, MasterCard, Discover, American Express, JCB and all other relevant credit card brands.
1.5. “Data Controller” means any natural or legal person which determines the purposes and means of the Processing of Personal Data. Unless otherwise provided in a Service Agreement or otherwise agreed in writing by the Parties, the Data Controller for any Processing is PEGUS.
1.6. “Data Processor” means any natural or legal person Processing Personal Data on behalf of the Data Controller. Contractor, as well as any of the Contractor’s Affiliates and/or subcontractors to which Contractor subcontracts all or part of the Services, shall be deemed a Data Processor under Applicable Data Protection Law while it Processes Personal Data in the course of the Services.
1.7. “Affiliate” means in relation to a Party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that Party. Affiliates of the Data Controller shall additionally include parties for which the Data Processor is acting as a sub-contractor or sub-processor on behalf of the Data Controller.
1.8. “Services” means any services in the performance of which the Data Processor or Data Processor Affiliates are entrusted by the Data Controller or Data Controller Affiliates to Process Personal Data.
1.9. “Service Agreement” means any agreement, statement of work, purchase order, change order, or like document by which the Data Controller entrusts the Data Processor with the performance of Services.
1.10. “Remediation” means activities related to the investigation of, response to and remediation of the unauthorized and/or unlawful Processing of Personal Data, including as may be required, without limitation, forensic investigations, breach notification, establishment and operation of toll-free phone support for affected individuals, provision of credit protection services and identity theft insurance for affected Data Subjects, cooperation with the Data Controller and regulatory authorities, and the management of and response to litigation and other legal or regulatory actions (if applicable) per the terms of the Agreement, including, but not limited to, engaging attorneys and the payment of fines, settlements, costs, and damages. “Remediate” or “Remediating” or “Remediated” shall be construed consistent with this definition.
- SUBJECT MATTER OF THIS PISA
2.1. This PISA applies to the Processing of Personal Data subject to Applicable Data Protection Law in the scope of the Service Agreement between the Parties for the provision of Services. Except as modified below, the terms of the Agreement and Service Agreement shall remain in full force and effect.
2.2. Insofar as the Data Processor will be Processing Personal Data subject to Applicable Data Protection Law on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller, the terms of this PISA shall apply.
- THE DATA CONTROLLER AND THE DATA PROCESSOR
3.1. Subject to the provisions of the Service Agreement, to the extent that the Data Processor’s Data Processing activities are not adequately described in the Service Agreement, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or Processed by the Data Processor. The Data Processor shall Process the Personal Data only as set forth in the Data Controller’s written instructions and no Personal Data shall be Processed unless explicitly instructed by the Data Controller.
3.2. The Data Processor shall only Process the Personal Data on documented instructions of the Data Controller to the extent that this is required for the provision of the Services. Should the Data Processor reasonably believe that a specific Processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before undertaking such Processing. The Data Processor shall never Process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately notify the Data Controller if, in its opinion, any instruction infringes upon any Applicable Data Protection Law. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.
3.3. The Parties have entered into an Agreement in order to benefit from the capabilities of the Data Processor in securing and Processing the Personal Data for the purposes set out or yet to be set out in the Service Agreement. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this PISA, and in particular, with the Data Controller’s written instructions.
3.4. The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that a lawful basis to support the Processing exists under Applicable Data Protection Law. To the extent required by Applicable Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in Applicable Data Protection Law supports the lawfulness of the Processing, for obtaining any necessary consents from the Data Subject for the Processing. In addition, the Data Controller will also ensure that a record of such consents is maintained. Should such a consent be revoked by a Data Subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing the Data Controller’s instruction with respect to the Processing of that Personal Data.
3.5. When the Data Processor collects Personal Data from Data Subjects in connection with the provision of Services, it shall provide notice and/or collect consent in the form reasonably specified to the Data Processor by the Data Controller.
- CONFIDENTIALITY
4.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its Affiliates, employees, agents and/or approved sub-processors engaged in Processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such Affiliates, persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
- SECURITY
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical, physical, and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the Parties in the PEGUS Baseline Security Requirements, located at https://pegus.com/baseline-security-requirements/.
5.2. Both the Data Controller and the Data Processor shall maintain written security policies that are fully implemented and applicable to the Processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, limiting access to Personal Data to those employees and others needed to perform the Services, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing and of their duties under this PISA and Applicable Data Protection Law.
5.3. Unless otherwise required by a supervisory authority of competent jurisdiction, the Data Controller shall be entitled, no more than once per year, to request that the Data Processor complete a security practices assessment (hereinafter “Assessment”), or certify as to the absence of changes from any prior Assessment, and the Data Processor shall cooperate with such request. With respect to any Assessment, the Data Processor represents and warrants that for as long as the Agreement remains in effect or the Data Processor holds or otherwise Processes Personal Data: (i) the responses provided by the Data Processor in the Assessment, or as Remediated by written notice to the Data Controller in conformance with the terms of this PISA, are and shall be true, accurate and complete to the best of the Data Processor’s knowledge; (ii) the privacy, security, Processing and transfer practices adopted and maintained by the Data Processor shall be in effect and consistently applied; and (iii) the Data Processor shall notify the Data Controller in writing promptly (and in all cases within five (5) business days) in the event of any adverse material change in the Data Processor’s privacy, security, Processing or transfer practices. Following the completion of any Assessment, the Data Controller shall have the right to notify the Data Processor, in writing, of any alleged risks, threats or other material weaknesses reasonably likely to give rise to the unauthorized and/or unlawful Processing of Personal Data identified during the Assessment, or of any non-conformance to generally accepted trade practices in the industry.
5.4. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Section 5 and shall allow the Data Controller to audit and test such measures. Unless otherwise required by a supervisory authority of competent jurisdiction, the Data Controller shall be entitled, no more than once per year, on giving at least 30 days’ written notice to the Data Processor, to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor’s premises and operations as these relate to the Personal Data. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Data Processor shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor’s compliance with this PISA, and/or to ascertain the Data Processor’s compliance with any approved code of conduct or approved certification mechanism referenced in Article 5.5. The Data Controller shall bear the full costs and expense of any such audit, unless such audit discloses a material weakness reasonably likely to give rise to the unauthorized and/or unlawful Processing of Personal Data.
5.5. The Data Processor’s adherence to either an approved code of conduct or to an approved certification mechanism recognized under Applicable Data Protection Law may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Article 5.1, provided that the requirements contained in the PEGUS Baseline Security Requirements, located at https://pegus.com/baseline-security-requirements/ are also addressed by such code of conduct or certification mechanism.
5.6. To the extent that a material weakness reasonably likely to give rise to the unauthorized and/or unlawful Processing of Personal Data is identified by an Assessment or audit, or is otherwise discovered by or made known to the Data Processor, the Data Processor shall immediately notify the Data Controller in writing and, within ten (10) business days thereafter, either Remediate such material weakness or provide the Data Controller with a plan acceptable to the Data Controller for the Data Processor to Remediate the material weakness. If (i) the material weakness is not Remediated within such period; (ii) an acceptable plan for Remediating such material weakness is not agreed to by the Parties during such time period; or (iii) an acceptable plan is not executed according to the terms of such plan, then the Data Controller may, by giving the Data Processor written notice thereof, immediately terminate the Agreement and/or exercise such rights and remedies as it deems appropriate under the circumstances. In connection with such termination, the Data Controller may exercise all rights and remedies available to it in the event of breach. The Data Processor shall bear all reasonable costs for re-testing performed to verify the Remediation of any material weakness.
- IMPROVEMENTS TO SECURITY
6.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Section 5 on an on-going basis in order to maintain compliance with the requirements set out in Section 5. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Data Protection Law.
6.2. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in Applicable Data Protection Law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith.
- DATA TRANSFERS
7.1. Unless specifically authorized in the Agreement or Service Agreement, the Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to another country and shall only perform such a transfer after obtaining written authorization from the Data Controller, which may be refused at its own discretion.
7.2. To the extent that the Data Controller or the Data Processor is relying on a specific statutory mechanism to lawfully support international data transfers and that mechanism is subsequently modified, revoked, or held by a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
- INFORMATION OBLIGATIONS AND INCIDENT MANAGEMENT
8.1. When the Data Processor becomes aware of an Incident (as defined in Article 8.2) that has a material impact on the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the Incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such Incidents, in order to enable the Data Controller to perform a thorough investigation into the Incident, to formulate a correct response, and to take suitable further steps in respect of the Incident.
8.2. The term “Incident” used in Section 8 shall be understood to mean, in any case:
(a) a complaint or a request with respect to the exercise of a Data Subject’s rights under Applicable Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is likely or imminent;
(c) any unauthorized or accidental access, Processing, deletion, loss or any form of unlawful Processing of the Personal Data;
(d) any breach of the confidentiality and/or security as set out in Sections 4 and 5 of this PISA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or likely to take place; or
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate Applicable Data Protection Law.
8.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an Incident. Where the Incident is reasonably likely to require a data breach notification by the Data Controller under Applicable Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an Incident. In all cases, the Data Processor shall notify the Data Controller (in writing) within 24 hours of first learning of an Incident.
8.4. Any notifications made to the Data Controller pursuant to this Section 8, in order to assist the Data Controller in fulfilling its obligations under Applicable Data Protection Law, should contain:
(a) a description of the nature of the Incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the Incident;
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the Incident including, where appropriate, measures to mitigate its possible adverse effects; and
(e) a delineation of the timing for all measures taken or to be taken pursuant to this Section.
8.5. The Data Processor shall not respond to any complaints or requests relating to any Data Subject unless (i) the Agreement or Service Agreement provides otherwise; (ii) the Data Processor is explicitly authorized by the Data Controller to do so; or (iii) the Data Processor has a mandatory obligation under Applicable Data Protection Law to respond directly, in which case the Data Processor shall notify the Data Controller as soon as possible (at a minimum, at the same time as making the initial notification under this Section 8). The Data Processor shall comply with the Data Controller’s reasonable requests in responding to, and dealing with, any third-party complaints or requests, and shall only disclose the minimum amount of Personal Data necessary to comply with law or judicial process.
8.6. The Data Processor shall preserve the accuracy and integrity of Personal Data. The Data Processor shall update, amend, correct, or delete Personal Data that is inaccurate or incomplete at the request of the Data Controller or the Data Subject, consistent with the provision set forth in Article 8.5.
- CONTRACTING WITH SUB-PROCESSORS
9.1. The Data Processor shall not subcontract any of its Service-related activities consisting (partly) of the Processing of the Personal Data, or requiring Personal Data to be Processed by any third party, without prior written notification to the Data Controller.
9.2. The Data Controller authorizes the Data Processor to engage the sub-processors listed in the Service Agreement for the Service-related Data Processing activities described in the Service Agreement. The Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors, giving the Data Controller an opportunity to object to such changes. If the Data Controller sends the Data Processor a written objection notice within 21 days, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve the Data Controller’s objection. In the absence of a resolution, the Data Processor will make commercially reasonable efforts to provide the Data Controller with the same level of service described in the Service Agreement, without using the sub-processor to Process the Data Controller’s Personal Data. If the Data Processor’s efforts are not successful within a reasonable time, each Party may terminate the portion of the Services which cannot be provided without the sub-processor, and the Data Controller will be entitled to a pro-rated refund of the applicable service fees.
9.3. Notwithstanding any authorization by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable to the Data Controller for its own performance and the performance of any such sub-processor that fails to fulfill its data protection obligations, including for all acts and/or omissions.
9.4. The Data Processor shall ensure that the sub-processor is bound by data protection obligations no less protective of Personal Data than those of the Data Processor under this PISA, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical, physical, and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Law.
9.5. The Data Controller may request that the Data Processor audit a third-party sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist the Data Controller in obtaining a third-party audit report concerning the third-party sub-processor’s operations), or that the third-party sub-processor complete an Assessment, or to certify as to the absence of changes from any prior Assessment, to ensure compliance with its obligations imposed by the Data Processor in conformity with this PISA.
- RETURNING OR DESTRUCTION OF PERSONAL DATA
10.1. Upon termination of this PISA, upon the Data Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further Processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy or return all Personal Data to the Data Controller and destroy or return any existing copies. Proof of any destruction of Personal Data by the Data Processor must contain a certificate documenting the manner, means, location, date and time of the destruction, and must be signed by a duly authorized officer of the Data Processor.
10.2. The Data Processor shall notify all third parties supporting its own Processing of the Personal Data of the termination of the PISA and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller. Proof of any destruction of Personal Data by the third party must contain a certificate documenting the manner, means, location, date and time of the destruction, and must be signed by a duly authorized officer of the third party.
- ASSISTANCE TO DATA CONTROLLER
11.1. The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Applicable Data Protection Law.
11.2. Taking into account the nature of Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 5 (Security), as well as other Data Controller obligations under Applicable Data Protection Law that are relevant to the Data Processing described in the Service Agreement, including notifications to a supervisory authority or to Data Subjects, Remediation efforts, the process of undertaking a data protection impact assessment as may be required under Applicable Data Protection Law, and prior consultations with supervisory authorities.
11.3. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to Assessments and audits, including inspections, conducted by the Data Controller or another auditor designated by the Data Controller.
- LIABILITY AND INDEMNITY
12.1. The Data Processor shall defend, indemnify, and hold the Data Controller harmless against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Data Controller arising out of negligent acts, omissions, or breach of this PISA and/or Applicable Data Protection Law by the Data Processor.
12.2. The Data Controller shall defend, indemnify, and hold the Data Processor harmless against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Data Processor arising out of negligent acts, omissions, or breach of this PISA and/or Applicable Data Protection Law by the Data Controller.
12.3. A Party entitled to be indemnified by the other Party pursuant to Section 12.1 or Section 12.2, as applicable, shall be referred to herein as an “Indemnified Party.” Upon learning of any claim for which an Indemnified Party may be entitled to be indemnified by the other Party (“Indemnifying Party”), the Indemnified Party shall promptly give written notice to the Indemnifying Party. If the Indemnified Party seeks indemnification from the Indemnifying Party for any claim, the Indemnifying Party shall assume the defense of the claim with counsel reasonably satisfactory to the Indemnified Party; provided that the Indemnifying Party shall not settle any claim without the Indemnified Party’s written consent. In addition, the Indemnifying Party shall provide timely written notice to the Indemnified Party of any material developments related to any such claim. In any event, the Indemnified Party shall cooperate with the Indemnifying Party, at the Indemnifying Party’s expense, as the Indemnifying Party may reasonably request in connection with the investigation or defense of any such claim. Where there are reasonable differences of opinion between the Parties as to the alleged cause of the indemnity event, the Parties agree to work together in good faith and to join in the co-conduct of the claim through their own legal counsel or otherwise. This provision, however, shall not preclude the duty to defend or indemnify should one Party be found to be the predominant cause of the indemnity event. Nothing in this Section 12 shall preclude either Party from working on issues, problems, complaints, or indemnity events with a sponsor, regulator, and/or other third parties in an effort to mitigate damages, follow contractual obligations, or comply with applicable regulations.
- DURATION AND TERMINATION
13.1. This PISA shall come into effect on the effective date of the Agreement.
13.2. Termination or expiration of this PISA shall not discharge the Parties from their confidentiality obligations pursuant to Section 4.
13.3. The Data Processor shall Process Personal Data until the date of expiration or termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed by instruction from the Data Controller.
- RECORD RETENTION
14.1. The Data Processor shall maintain all necessary documentation to evidence its compliance with this PISA for a period of six (6) years after the expiration or termination of the Agreement, or for such longer period as may otherwise be required by Applicable Data Protection Law, whichever is later. The Data Processor shall provide the Data Controller with access to such documentation upon request.
14.2. The Data Processor shall record and retain for a minimum of two (2) years after the expiration or termination of the Agreement the notice provided to, and the written, electronic or verbal consent obtained from, each Data Subject, pursuant to Article 3.5. The Data Processor shall provide such records to the Data Controller upon request and upon the expiration or termination of the Agreement.
- MISCELLANEOUS
15.1. Method of Notice. Notice shall be given in accordance with the Agreement.
15.2. Precedence. In the event of any inconsistency between the provisions of this PISA and the provisions of the Agreement or Service Agreement, the provisions which provide greater protection for Personal Data shall take precedence.
15.3. Governing Law and Jurisdiction. This PISA is governed by the laws of the state of Utah, USA. Any disputes arising from or in connection with this PISA shall follow the provisions of the Agreement with any allowable court action being brought exclusively before a competent court in Salt Lake County, Utah, USA.
15.4. Authority to Execute. The Parties represent and warrant to each other that each has the legal power and authority to enter into this PISA.
15.5. Entire Agreement. Except as expressly set forth in this PISA, the terms, provisions and conditions of the Agreement are hereby ratified and confirmed and shall remain unchanged and in full force and effect without interruption or impairment of any kind.
15.6. Severability. If any provision of this PISA shall be unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from these terms and shall not affect the validity and enforceability of any remaining provisions of this PISA or the Agreement.
15.7. Amendment. This PISA cannot be modified, amended, or changed except in writing and signed by the Parties.
15.8. Assignment. Neither the rights nor the obligations of either Party may be assigned or delegated in whole or in part without the prior written consent of the other Party unless otherwise expressly permitted under the Agreement. Any delegation without written permission shall be null and void and of no effect unless otherwise expressly permitted under the Agreement.
15.9. Third Party Beneficiaries. Subject to Article 15.10, nothing in this PISA shall confer any benefits or rights on any person or entity other than the Parties to this PISA.
15.10. Where the Services include the Processing by or on behalf of the Data Processor of the Personal Data of Data Controller Affiliates, each such Data Controller Affiliate may enforce the terms of this PISA as a third-party beneficiary against the Data Processor in respect to its Personal Data as if it were a party to this PISA and Agreement.
15.11. No Waiver. A waiver by a Party of any term or condition of this PISA in any instance shall not be deemed or construed to be a waiver of such term or condition for the future, or of any subsequent breach thereof.
15.12. Further Assurance. The Data Processor acknowledges that one or more Data Controller Affiliates may, pursuant to Applicable Data Protection Law, be required to enter into a direct Processing agreement with the Data Processor to address the indirect Processing of its Personal Information by the Data Processor as facilitated by the Data Controller. The Data Processor agrees that in the aforementioned circumstances and where requested by the Data Controller, the Data Processor shall enter into a Processing agreement with such Data Controller Affiliate on terms equivalent to this PISA, modified as necessary to comply with Applicable Data Protection Law as soon as is reasonably possible.
***************************************
PEGUS PRIVACY AND INFORMATION SECURITY ADDENDUM
Effective: 1 August 2023. Superseded.
This Privacy and Information Security Addendum (“Addendum”) is attached as Exhibit B to the Independent Contractors Agreement (the “Agreement”) between PEGUS Research, Inc. (“PEGUS”) and the independent contractor (“Contractor”).
WHEREAS, PEGUS and Contractor have entered into the Agreement pursuant to which Contractor performs certain Services (as such term is defined in the Agreement) for or on behalf of PEGUS and/or other PEGUS Affiliates;
WHEREAS, in performing such Services, Contractor may “Process” (defined below) “Personal Information” (defined below) from or on behalf of PEGUS and/or other PEGUS Affiliates;
WHEREAS, the parties wish to set forth in this Addendum the additional requirements applicable to Personal Information Processed by Contractor in connection with providing the Services;
NOW, THEREFORE, in consideration of the mutual covenants contained herein and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, and intending to be legally bound, the parties agree as follows:
1. DEFINITIONS
Capitalized terms shall have the meanings set out below. Any capitalized terms not defined below or elsewhere in this Addendum shall have the meanings ascribed to them in the Agreement:
“Affiliate” means in relation to a party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that party. Affiliates of PEGUS shall additionally include parties for which Contractor is acting as a sub-contractor on behalf of PEGUS.
“Event” means the unauthorized and/or unlawful Processing of Personal Information whether in electronic, hard copy or other form including but not limited to interference with information system operations; provided, however that trivial attempts to penetrate Contractor’s networks or systems that occur on a daily basis, such as scans, and “pings,” will not be considered an Event.
“Laws” means all national, state, regional and/or local laws, rules, regulations, security requirements and regulatory guidance applicable to either party’s performance under the Agreement (including, without limitation, the requirements of the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”)), which may include but are not limited to those applicable to the Processing of Personal Information such as the Regulation (EU) 2016/679 (“GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, as well as the Payment Card Industry Data Security Standards and other applicable standards issued by the Payment Card Industry Security Standards Council, LLC, VISA, MasterCard, Discover, American Express, JCB and all other relevant credit card brands.
“Personal Information” has the meaning given by the applicable Laws and shall include, without limitation, any data or information (regardless of the medium in which it is contained and whether alone or in combination) which may be supplied to or Processed by or on behalf of Contractor in connection with the provision of the Services, that relates to an identified or identifiable person (“Data Subject”) including, without limitation, name, postal address, email address, telephone number and information about the Data Subject’s health, opinions or beliefs.
“Process” means any operation which is performed upon Personal Information, whether or not by automatic means, including but not limited to the access, acquisition, collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, combination, “Transfer” (defined below), blocking, return or destruction of Personal Information. “Processed”, or “Processing” shall be construed accordingly.
“Remediation Efforts” means activities related to the investigation of, response to and remediation of an Event including, without limitation, forensic investigations, breach notification, establishment and operation of toll-free phone support for affected individuals, provision of credit protection services and identity theft insurances for affected individuals, cooperation with regulatory authorities and management and response to litigation and other legal or regulatory actions including but not limited to engaging attorneys and the payment of fines, settlements and damages.
“Security Issue” means any material weakness reasonably likely to give rise to an Event.
“Transfer” means both (a) the moving of Personal Information from one location or person to another, whether by physical or electronic means and (b) the granting of access to Personal Information by one location or person to another, whether by physical or electronic means. “Transferred”, or “Transferring” shall be construed accordingly.
“Vendor Assessment” means any Privacy and Security Practices Vendor Assessment or similar document or process completed or performed by Contractor at PEGUS’s request. No more than one Vendor Assessment may be completed in a given 365-day period.
GENERAL OBLIGATIONS
1.1 Limitations on Contractor’s use of Personal Information
Contractor shall maintain all Personal Information in strict confidence and shall only Process the Personal Information to perform the Services and for no other purpose unless otherwise provided in the Agreement or authorized in advance in writing by PEGUS.
1.2 Notice and Consent
1.2.1 Provided by PEGUS. PEGUS shall be solely responsible for providing and obtaining any legally-required notice and consent from individuals with respect to Personal Information supplied by or on behalf of PEGUS to Contractor.
1.2.2 Provided by Contractor. When Contractor collects Personal Information from Data Subjects in connection with the provision of the Services it shall provide notice and/or collect consent in the form set forth in the Agreement or applicable Exhibit A to the Agreement (a “Statement of Work” or “SOW”) or in such other form as reasonably specified to Contractor by PEGUS. Contractor shall record and retain for a minimum of two (2) years after the expiration or termination of the Agreement the notice provided to, and the written, electronic or verbal consent obtained from, each individual. Contractor shall provide such records to PEGUS upon request and upon the expiration or termination of the Agreement.
1.3 Access and Other Requests
1.3.1 Notification of Requests
Contractor shall, where not legally prohibited from doing so, notify PEGUS as soon as reasonably practicable, and in any event within three (3) business days, of receiving any request or complaint related to any Personal Information.
1.3.2 Responses to Requests
Contractor shall not respond to any requests described above in Section 1.3, unless this Agreement, including any applicable Statement of Work, provides otherwise; Contractor is explicitly authorized by PEGUS in writing to do so; or where Contractor has a mandatory obligation under applicable Laws to respond directly, in which case Contractor shall notify PEGUS as soon as possible and, at a minimum, at the same time as making the initial notification under Section 1.3.1 and shall comply with PEGUS’s reasonable requests in responding to, and dealing with, such request.
1.3.3 Assistance with requests
With respect to requests from governmental or regulatory bodies, Contractor shall cooperate fully with PEGUS, at PEGUS’s cost, in any effort led by PEGUS to intervene and quash or limit such requests or respond to a governmental authority in the course of any investigation or claim by any governmental authority relating to the Personal Information Processed by Contractor under the Agreement. Should Contractor be legally required to respond to a request from governmental or regulatory bodies, Contractor, after consultation with PEGUS, shall only disclose the minimum amount of Personal Information necessary to comply with law or judicial process.
1.4 Data Quality
Contractor shall preserve the accuracy and integrity of Personal Information. Contractor shall update, amend, correct or delete Personal Information that is inaccurate or incomplete at the request of PEGUS or the Data Subject, consistent with the provisions set forth in Section 1.3.
1.5 International Transfers
1.5.1 Unless specifically authorized in the Agreement or applicable SOW, Contractor shall not Process, nor permit any Subcontractor (as defined in Section 1.7), to Process Personal Information across any national borders without PEGUS’s prior written consent. In any event, Contractor shall be responsible for ensuring that any Processing of Personal Information across national borders (whether performed by itself or a Subcontractor) complies with all applicable Laws including but not limited to any cross-border data transfer requirements or prohibitions.
1.5.2 Where requested by PEGUS to do so, Contractor shall, and shall compel its Subcontractors to, enter into additional data transfer or data processing agreements or contractual clauses (including where applicable the EC approved standard clauses for international transfer of personal data or, where applicable, contractual clauses required by other countries for international transfers of personal data), in connection with any international transfers of Personal Information approved by PEGUS pursuant to Section 1.5.1.
1.6 Contractor Employees
1.6.1 Contractor shall take all reasonable steps to ensure the reliability of its employees or other personnel having access to the Personal Information, including the conducting of appropriate background and/or verification checks.
1.6.2 Contractor will ensure that access to, and use of, the Personal Information is limited to those of its employees or personnel who require access to it to perform the Services and that such individuals:
1.6.2.1 have undertaken training in relation to data protection principles and the applicable Laws that apply to their handling of Personal Information;
1.6.2.2 are aware of Contractor’s duties and their personal duties under all applicable Laws and the Agreement (including this Addendum); and
1.6.2.3 are permitted access to the Personal Information only to the extent necessary to perform their role in providing the Services.
1.7 Subcontractors and Other Third Parties
1.7.1 Contractor shall not engage any third parties or non-employees (“Subcontractors”) to Process Personal Information unless PEGUS has expressly consented in writing in advance to the use of such Subcontractor(s).
1.7.2 Where PEGUS has provided such prior written consent Contractor shall:
1.7.2.1 carry out adequate due diligence on each Subcontractor to ensure that it is capable of providing the level of protection for the Personal Information that is required by the Agreement (including this Addendum), and provide evidence of such due diligence to PEGUS where requested by PEGUS;
1.7.2.2 execute a written agreement with each Subcontractor that includes provisions that are no less protective of Personal Information than the level of protection required by the obligations set forth in this Agreement (including this Addendum); and
1.7.2.3 remain liable for all the acts and/or omissions of the Subcontractor.
1.8 General Cooperation
Contractor shall cooperate fully with, and assist, PEGUS and the PEGUS Affiliates, at PEGUS and such PEGUS Affiliate’s expense, in relation to any notifications or prior approvals that PEGUS or the PEGUS Affiliates may be required to effect or obtain from a governmental or regulatory body in connection with the Personal Information, including without limitation the preparation of supporting documentation to be submitted to the relevant governmental or regulatory body and provision of supporting documentation sufficient to evidence that Contractor is legally bound by the terms of this Agreement.
1.9 Return of Personal Information
To the extent not otherwise prohibited by applicable Laws, the Agreement or this Addendum, at any time upon PEGUS’s request, including at termination of the Agreement, Contractor shall immediately return or securely destroy all originals and copies of Personal Information (whether in electronic or hard copy form) in its, or its Subcontractor’s, possession, custody, or control or in accordance with the requirements of the Agreement, this Addendum and applicable Laws. Contractor shall provide a certification confirming that all Personal Information Processed under the Agreement has been returned or securely destroyed within ten (10) business days of PEGUS’s request.
1.10 Security Standards
Contractor shall ensure that appropriate technical, physical and organizational measures, commensurate with the sensitivity of the Personal Information to be Processed by Contractor hereunder, are taken against unauthorized or unlawful Processing, acquisition, access, or accidental loss, destruction, alteration, or damage to the Personal Information. Without limiting the generality of the foregoing, Contractor shall implement the measures specified in Appendix A to this Addendum (“PEGUS Baseline Third Party Security Requirements”) and incorporated herein by this reference thereto, binding on Contractor and PEGUS, as well as any other minimum-security requirements of the applicable Laws and/or generally accepted industry standards and best practices communicated to Contractor from time to time.
Due Diligence
1.10.1 Vendor Assessment
1.10.1.1 Contractor acknowledges and agrees that PEGUS shall have the right, no more than once in a given 365-day period during the term of the Agreement, including any renewal thereof, and for as long as Contractor holds or otherwise Processes Personal Information, to request that Contractor complete a security practices Vendor Assessment and Contractor will cooperate with such request.
1.10.1.2 With respect to any Vendor Assessment, Contractor represents and warrants that for as long as the Agreement remains in effect or Contractor holds or otherwise Processes Personal Information: (i) the responses provided by Contractor in the Vendor Assessment (or as remediated in conformance with the terms of this Addendum and with written notice of such remediation to PEGUS) are and shall be true, accurate and complete to the best of the Contractor’s knowledge; (ii) the privacy, security, Processing and Transfer practices adopted and maintained by Contractor as stated in the Vendor Assessment shall be in effect and consistently applied; (iii) Contractor shall notify PEGUS in writing promptly (and in all cases within five (5) business days) in the event of any adverse material change in Contractor’s privacy, security, Processing or Transfer practices from those represented by Contractor in the Vendor Assessment; and (iv) upon written request from PEGUS no more than once in a given 365 day period during the term of the Agreement, Contractor shall complete a new Vendor Assessment or certify as to the absence of changes from any prior Vendor Assessment.
1.10.1.3 Following the completion of any Vendor Assessment, PEGUS shall have the right to notify Contractor, in writing, of any alleged risks, threats or Security Issues identified during any Vendor Assessment or any non-conformance to generally accepted trade practice in the industry.
1.10.2 Audits
1.10.2.1 Contractor shall maintain all necessary documentation to evidence its compliance with this Addendum for a period of six (6) years after the expiration or termination of this Agreement, or for such longer period as otherwise may be required by applicable Laws, whichever occurs latest. Contractor shall provide PEGUS with access to such documentation upon request.
1.10.2.2 Contractor shall provide PEGUS, PEGUS’s authorized representatives and/or applicable regulatory authorities having the right to carry out an audit of PEGUS or PEGUS Affiliates, on reasonable notice no more than once every year, the right to audit Contractor’s business processes and practices involving the privacy, security and/or Processing of Personal Information in the performance of the Services, on at least an annual basis and following each occurrence of an Event. PEGUS shall bear the full cost and expense of any such audit, unless such audit discloses a Security Issue or was triggered by an Event, in which case Contractor shall bear the full cost and expense of such audit or re-audit (if reasonably required).
1.10.3 Security Issues
To the extent that a Security Issue is identified by a Vendor Assessment, audit or otherwise discovered by or made known to Contractor, Contractor shall immediately notify PEGUS in writing and, within ten (10) business days thereafter, either remediate such Security Issue or provide PEGUS with a plan acceptable to PEGUS for Contractor to remediate the Security Issue. If (i) the Security Issue is not remediated within such period; (ii) an acceptable plan for remediating such Security Issue is not agreed to by the parties during such time period; or (iii) an acceptable plan is not executed according to the terms of such plan, then PEGUS may, by giving Contractor written notice thereof, immediately terminate the Agreement and/or exercise such rights and remedies it deems appropriate under the circumstances. In connection with such termination, PEGUS may exercise all rights and remedies available to it in the event of breach. Contractor shall bear all reasonable costs for re-testing performed to verify the remediation of any Security Issue.
1.11 Events
1.11.1 Notice
Contractor shall notify PEGUS in writing of an Event in the most expedient time possible under the circumstances, and in any event within two (2) days of discovery of the Event. An Event shall be deemed discovered by Contractor or its Subcontractors as of the first day on which the Event is known to Contractor or Subcontractor (including an individual employee or officer or other agent of Contractor or Subcontractor) or should reasonably have been known to have occurred. Such notice shall summarize in reasonable detail the timing and nature of the Event, the impact on PEGUS, PEGUS Affiliates and/or the Data Subjects affected by such Event and the corrective action taken or proposed to be taken by Contractor.
1.11.2 Consultation
As soon as reasonably practicable after any Event, PEGUS and Contractor shall consult in good faith regarding Remediation Efforts and Contractor shall cooperate fully with PEGUS in all reasonable and lawful efforts to prevent, mitigate or rectify such Event. However, Remediation Efforts required by applicable Laws must be carried out and are not dependent upon the completion of the consultation process, provided however that to the extent the circumstances and timeframe permit, the parties shall use good faith efforts to discuss and coordinate Remediation Efforts required by applicable Laws during the consultation process. Failure by Contractor to engage in substantive or meaningful discussions regarding an Event reasonably believed by PEGUS to have occurred or failure by Contractor to take Remediation Efforts shall be deemed an immediate and material breach of the Agreement.
1.11.3 Remediation
Pursuant to the consultation described in Section 1.11.2 immediately above, Contractor shall undertake Remediation Efforts at its sole expense, or reimburse PEGUS for PEGUS’s reasonable costs and expenses incurred in connection with Remediation Efforts.
1.11.4 Cooperation
Contractor shall keep PEGUS apprised of, and cooperate reasonably with PEGUS in connection with, Contractor’s, PEGUS’s or any regulatory or government authority’s investigation of any Event. Contractor shall not make any public announcement (including, without limitation, website postings and press releases) or notify affected individuals regarding such Event without PEGUS’s prior written approval (which approval shall not be unreasonably withheld, conditioned or delayed) unless it is required to do so pursuant to applicable Laws, in which case it shall provide PEGUS reasonable prior notice where not prohibited by Laws from doing so.
2. WARRANTIES
Without limitation to the other provisions of this Agreement, Contractor represents and warrants that it shall, at all times, comply with all laws applicable to Contractor in relation to its processing of Personal Information including but not limited to Laws.
3. INDEMNITY AND LIABILITY
3.1 Indemnification
Contractor shall indemnify, defend and hold harmless PEGUS and/or relevant PEGUS Affiliates from and against any and all liability, loss, claim, injury, damage, penalty, fine, settlement or expense (including, without limitation, fines, damage awards, costs of Remediation Efforts and reasonable attorneys’ fees and costs arising from or relating to any action, claim or allegation of a third party (including, without limitation, any regulatory or government authority)) of or with respect to any Event or breach of this Addendum.
3.2 Liability and Remedies
Contractor’s indemnification obligations under Section 3.1 shall be in addition to any indemnification or similar obligations Contractor may have under the Agreement, including, without limitation, the obligation to pay for Remediation Efforts as provided in Section 1.11.3. The rights and remedies of PEGUS pursuant to this Addendum shall not be subject to any limitation of actions, arbitration provisions or any other similar limiting provisions stated in the Agreement. Without limiting the foregoing: (i) PEGUS shall not be precluded from immediately pursuing any rights or remedies it may have under or relating to this Addendum and (ii) Contractor shall be liable for all indemnification obligations under Section 3.1 and for reimbursement of costs and expenses for Remediation Efforts under Section 1.11.3 regardless of whether such amounts are characterized by any party, regulatory or government body or other third party as direct, indirect, consequential, special, punitive or other damages or as contractually-agreed preventative measures designed to limit future damages.
4. MISCELLANEOUS PROVISIONS
4.1 Method of Notice.
Notice shall be given in accordance with the Agreement.
4.2 Conflicts with Obligations Under the Agreement
In the event Contractor believes that it cannot satisfy its other obligations under the Agreement while complying fully with this Addendum, Contractor must notify PEGUS immediately and shall not proceed with any act that would violate this Addendum until the issue is resolved to PEGUS’s reasonable satisfaction.
4.3 Survival
Notwithstanding anything to the contrary in the Agreement, the obligations pursuant to this Addendum shall survive termination of the Agreement.
4.4 Authority to Execute
The parties represent and warrant to each other that each has the legal power and authority to enter into this Addendum.
4.5 Entire Agreement
Except as expressly set forth in this Addendum, the terms, provisions and conditions of the Agreement are hereby ratified and confirmed and shall remain unchanged and in full force and effect without interruption or impairment of any kind.
4.6 Precedence
In the event of any conflict between the provisions of the Agreement and the provisions of this Addendum, the provisions which provide greater protection for Personal Information shall take precedence.
4.7 Severability
If any provision of this Addendum shall be unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from these terms and shall not affect the validity and enforceability of any remaining provisions of this Addendum or the Agreement.
4.8 Amendment
This Addendum cannot be modified, amended, or changed except in writing and signed by the parties.
4.9 Assignment
Neither the rights nor the obligations of either party may be assigned or delegated in whole or in part without the prior written consent of the other party unless otherwise expressly permitted under the Agreement. Any delegation without written permission shall be null and void and of no effect unless otherwise expressly permitted under the Agreement.
4.10 Third Party Beneficiaries
4.10.1 Subject to Section 4.10.2, nothing in this Addendum shall confer any benefits or rights on any person or entity other than the parties to this Addendum.
4.10.2 Where the Services include the Processing by or on behalf of Contractor of the Personal Information of PEGUS Affiliates, each such PEGUS Affiliate may enforce the terms of this Addendum as a third-party beneficiary against Contractor in respect of its Personal Information as if it were a party to this Addendum and the Agreement.
4.11 No Waiver
A waiver by a Party of any term or condition of this Addendum in any instance shall not be deemed or construed to be a waiver of such term or condition for the future, or of any subsequent breach thereof.
4.12 Further Assurance
Contractor acknowledges that one or more PEGUS Affiliates may, pursuant to applicable Laws, be required to enter into a direct Processing agreement with Contractor, to address the indirect Processing of its Personal Information by Contractor as facilitated by PEGUS. Contractor agrees that in the aforementioned circumstances and where requested by PEGUS, Contractor shall enter into a Processing agreement with such PEGUS Affiliate on terms equivalent to this Addendum modified as necessary to comply with local Laws as soon as is reasonably possible.
Appendix A
BASELINE THIRD PARTY SECURITY REQUIREMENTS
SECTION 1
REQUIREMENTS INTRODUCTION AND BACKGROUND
1. SUMMARY
1.1. These Baseline Third Party Security Requirements (“Requirements”) shall be applied by all external entities that Process PEGUS Information on behalf of PEGUS and its Affiliates.
1.2. These Requirements aim to ensure that the Processor of PEGUS Information maintains the confidentiality, integrity and security of PEGUS Information in accordance with the requirements imposed by Data Protection Laws and applicable industry standards and best practices.
1.3. These Requirements aim to provide for a minimum level of information security, however, information security threats come from a wide range of sources and are continually developing; therefore, security measures shall be reviewed regularly.
1.4. Where necessary, having regard to the state of the art, industry best practice and cost of their implementation, measures that compensate for or are additional to those detailed in these Requirements may be needed. Such compensating measures shall be subject to the prior written approval of PEGUS. In any event such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the information to be protected.
2. DEFINITIONS
2.1. Within these Requirements the following terms have the following meanings:
2.1.1. “Affiliate” means in relation to a party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that party. Affiliates of PEGUS shall additionally include parties for which Contractor is acting as a sub-contractor on behalf of PEGUS.
2.1.2. “Data Protection Laws” means all Laws applicable to the Processing of Personal Information (including but not limited to Data Privacy or Data Security Laws) used or obtained by the Contractor in the performance of the Services including, without limitation, those national, state, regional and/or local laws and regulations governing privacy, security, confidentiality and protection of Personal Information.
2.1.3. “Information Systems” means all systems, including, but not limited to, electronic equipment and storage media, used by the Processor to access, store or otherwise Process PEGUS Information.
2.1.4. “Intellectual Property” means and includes patents, trademarks, service marks, trade dress, logos, trade names, domain names and corporate names, copyrights, trade secrets, know-how, and all other intangible, industrial and intellectual property rights, by whatever name known, and all registrations thereof and applications to register the same.
2.1.5. “Financial Personal Information” means Personal Information consisting of financial information including but not limited to bank account numbers, credit card numbers and debit card numbers (whether with or without expiry dates and PIN numbers), income and credit histories.
2.1.6. “Government Identifier Personal Information” means Personal Information consisting of national insurance numbers, social security numbers, tax identifications, passport numbers, driver’s license numbers or other equivalent government issued identifiers.
2.1.7. “Personal Information” has the meaning given by the relevant Laws and shall include, without limitation, any data or information (regardless of the medium in which it is contained and whether alone or in combination) which may be supplied to or Processed by or on behalf of Contractor in connection with the provision of the Services, that relates to an identified or identifiable person (“Data Subject”) including, without limitation, name, postal address, email address, telephone number and information about the Data Subject’s health, opinions or beliefs.
2.1.8. “PEGUS” means the PEGUS entity, including Affiliate entities, that decides the purposes for which the PEGUS Information is Processed.
2.1.9. “PEGUS Information” means any information disclosed by or on behalf of PEGUS to the Processor, including Intellectual Property, PEGUS Confidential Information, Personal Information, Sensitive Personal Information, Financial Personal Information and Government Identifier Personal Information.
2.1.10. “Processing” means any operation or set of operations which is performed upon PEGUS Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, and “Process” and “Processed” shall have the appropriate corresponding meanings.
2.1.11. “Processor” means the entity Processing the PEGUS Information on behalf of PEGUS and may include a PEGUS entity where it Processes PEGUS Information under the instructions of another PEGUS entity.
2.1.12. “Security Incident” means the unauthorized and/or unlawful access, acquisition, use, disclosure, modification, processing, destruction or loss of PEGUS Information or Information Systems Processing PEGUS Information, whether in electronic or hard copy form, or interference with system operations in an information system, that compromises or could reasonably be anticipated to compromise the privacy, security, confidentiality, integrity or availability of PEGUS Information, including but not limited to (i) incidents resulting from or arising out of Processor’s internal use, Processing, or Transfer of PEGUS Information, whether between or among Contractor’s subsidiaries and affiliates, subcontractors or any other person or entity acting on behalf of Processor; (ii) any other similar incident as may be so defined by relevant data protection laws that apply to PEGUS; provided that trivial attempts to penetrate Processor’s networks or systems that occur on a daily basis, such as scans, “pings” or other unsuccessful attempts to penetrate computer networks or systems maintained by Processor, will not be considered a Security Incident.
2.1.13. “Sensitive Personal Information” means Personal Information pertaining to the racial or ethnic origin, physical or mental health condition or sexual life, offences and/or criminal convictions, trade union membership, religious or similar beliefs or political or ideological opinions of an identified or identifiable individual.
2.1.14. “Trusted Connection” means PEGUS, in its absolute discretion, has determined that unrestricted access to the PEGUS network through a PEGUS firewall for a specific Processor facility or location (hereinafter referred to as secured Processor facility) is required.
3. INFORMATION CLASSIFICATION AND SECURITY LEVELS
3.1. These Requirements are categorized into those that are Basic Level Requirements and Enhanced Level Requirements.
3.2. Basic Level Requirements shall be applied to all PEGUS Information.
3.3. Enhanced Level Requirements shall be applied in addition to the Basic Level Requirements for Personal Information, Sensitive Personal Information, Financial Personal Information, and Government Identifier Personal Information, and where otherwise specifically indicated in these Requirements.
3.4. Where PEGUS has agreed to specific additional security measures with a relevant Processor in addition to those set out herein, generally or in relation to a specific service or platform, those measures providing the highest level of protection to PEGUS Information shall be applied by the Processor.
SECTION 2
MINIMUM SECURITY REQUIREMENTS
1. MANAGEMENT OF INFORMATION SECURITY
Basic Level Requirements
1.1. The Processor shall ensure that senior management of the Processor accepts ultimate responsibility for ensuring that information security is properly managed and that these Requirements are implemented and adhered to by the Processor and its staff.
1.2. The Processor shall put into place a management structure to oversee the effective implementation and continuing development of security procedures. At a minimum, this shall consist of an individual from senior management with the necessary authority to implement these Requirements and other necessary security procedures (the “Information Security Officer”, or other Processor staff duly authorized in the security document(s)).
1.3. The Information Security Officer’s responsibilities shall include:
1.3.1. reviewing implementation and adherence to these Requirements; and
1.3.2. acting as a point of contact in relation to information security issues raised by PEGUS.
2. DOCUMENTED SECURITY POLICY
Basic Level Requirements
2.1. The Processor shall document its security policy and procedures which address all the activities relating to the handling and management of data. Security policies and procedures shall be reviewed and/or updated at reasonable intervals and/or whenever there are material changes to the Information Systems, including those Processing PEGUS Information.
2.2. The security documents shall clearly identify those technical and organizational measures and practices to be implemented and followed by the Processor to adequately protect the security of information Processed by the Processor.
2.3. The security documents and/or guidance stipulating the procedures to be followed and measures to be implemented to satisfy the requirements contained therein, shall be published and communicated as relevant to the Processor’s employees and relevant external parties directly or indirectly involved in the Processing of PEGUS Information.
2.4. The Processor shall, on request, provide PEGUS with access to copies of the security documents and any future updated versions of such documents.
3. HUMAN RESOURCE SECURITY
Basic Level Requirements
3.1. Processor will conduct and complete appropriate background and/or verification checks of its employees, contractors and/or third parties to ensure their suitability for handling PEGUS Information prior to their Processing of any such PEGUS Information.
3.2. Responsibilities and instructions in relation to protecting the confidentiality, integrity and security of PEGUS Information shall be defined and communicated in writing to employees/contractors/third parties.
3.3. Employment contracts, contracts with contractors and contracts with third party users shall contain terms setting out obligations and responsibilities in relation and appropriate to maintaining the confidentiality, integrity and security of PEGUS Information.
3.4. A formal disciplinary process shall be in place for employees who violate Processor policy and procedures relating to the Processing of PEGUS Information.
3.5. Upon termination of employment/engagement, an employee/contractor/third party shall return all PEGUS Information in his/her possession on whatever medium it is stored, and access rights to Information Systems Processing PEGUS Information shall be terminated.
4. TRAINING AND AWARENESS
Basic Level Requirements
4.1. Regular information security awareness, education and training suitable to an individual’s role and responsibility shall be undertaken. This shall begin with a formal induction to security procedures and policies and continue throughout employment.
4.2. Where PEGUS network account and/or PEGUS email access is granted, PEGUS’s applicable policies and procedures shall be followed by Processor personnel. Applicable policies, procedures, and training will be provided as part of the provisioning process.
5. INVENTORY OF INFORMATION
Basic Level Requirements
5.1. Media, servers, and equipment containing PEGUS Information shall be labeled in a way that protects the confidentiality of PEGUS Information and does not expressly expose the actual content.
5.2. An inventory shall be maintained in a way that provides traceability to those media, servers, and equipment containing PEGUS Information.
5.3. When PEGUS Information and/or media containing it are being transferred between parties, a system for recording incoming and outgoing media containing PEGUS Information shall be set up which permits direct or indirect identification of the kind of media, the date and time, the sender, the number of media, the kind of PEGUS Information contained, how they are sent and the authorized person responsible for receiving them.
6. PORTABLE MEDIA DEVICES
Basic Level Requirements
6.1. The Processor shall only use portable devices where there is a genuine business need and where the PEGUS Information on the device is appropriately erased or destroyed when the defined business need has expired.
6.2. PEGUS Information stored on portable devices (including laptops and PDAs, external hard drives, flash drives, CDs, DVDs, tapes and other mass storage devices) shall be adequately protected from unauthorized access, loss and destruction using industry recognized mechanisms, such as encryption, inactivity timeout, or power on passwords.
6.3. Policies and procedures for using portable devices shall be maintained by the Processor and training on these procedures shall be provided to all Processor staff.
Enhanced Level Requirements
6.4. Any portable device containing PEGUS Information shall be encrypted.
7. TESTS WITH REAL PEGUS INFORMATION
Basic Level Requirements
7.1. Testing prior to the implementation or modification of a relevant Information System shall not use real or ‘live’ PEGUS Information unless there is no reasonable alternative and such use has been approved by PEGUS. Where real or ‘live’ PEGUS Information is used, it shall be limited to the extent necessary for the purposes of testing, and the Processor shall provide evidence that the level of security corresponding to the type of PEGUS Information Processed is implemented.
8. ELECTRONIC STORAGE AND TRANSFER OF PEGUS INFORMATION
Basic Level Requirements
8.1. Controls shall be in place to ensure that PEGUS Information transmitted by the Processor across any unsecured network is transferred between authorized Information Systems and resources only, and is only exchanged through industry recognized secure transfer mechanisms.
8.2. Procedures and policies shall be in place to prevent the unauthorized transfer of PEGUS Information by email and web-based applications.
8.3. All remote access and access via non-trusted networks (e.g. ISPs, cable, application service Contractors, DSL connections, etc.) to Information Systems Processing PEGUS Information shall use at least two-factor authentication methods (e.g. Remote Access Server (RAS), SecurID, etc.) and only take place where there is a justifiable business need.
8.4. Wireless LAN products (e.g. NIC cards and access point devices) shall not be attached to networks permitting access to Information Systems Processing PEGUS Information or to a device connected to Information Systems Processing PEGUS Information without appropriate approvals from the Information Security Officer, or other Processor staff duly authorized in the security document(s). All wireless LAN products shall:
8.4.1. use secure identification, authentication, and encryption mechanisms; and
8.4.2. where feasible, have “peer” networking connectivity settings disabled.
Enhanced Level Requirements
8.5. PEGUS Information, when at rest, in transit, and/or when stored on portable media or portable devices shall be encrypted so that data elements are rendered unusable, unreadable or indecipherable to unauthorized individuals.
9. BACK-UP AND RECOVERY
Basic Level Requirements
9.1. Processes and procedures shall be in place to ensure copies of PEGUS Information are retained to facilitate retrieval or reconstruction following loss or destruction of primary production information. Such processes and procedures shall be conducted on a regular basis and at least weekly.
9.2. The correct functioning of the back-up system must be tested periodically to confirm that it performs an accurate and complete reconstruction of the Information Systems Processing PEGUS Information.
9.3. Backed-up PEGUS Information or Information Systems Processing PEGUS Information held off the Processor’s premises shall be appropriately protected from unauthorized access following documented policy and procedures.
9.4. Back-up copies shall be kept at a different secure location from the site of the equipment housing Information Systems Processing PEGUS Information.
Enhanced Level Requirements
9.5. Backed-up PEGUS Information or Information Systems Processing PEGUS Information held on tapes, disks or other media off PEGUS’s or the Processor’s premises shall be encrypted.
10. DISPOSAL OF INFORMATION
Basic Level Requirements
10.1. When Processor equipment, physical documents and files, and physical media are disposed of or reused, recognized industry or government standard measures shall be taken to prevent subsequent retrieval of PEGUS Information originally stored in them.
10.2. The procedures for ensuring the secure destruction/erasure of PEGUS Information held on Processor equipment, in physical documents and files, and in physical media shall be formally documented and implemented.
10.3. The Processor shall identify the roles of the persons disposing of PEGUS Information, including third party services, and shall provide evidence of destruction.
11. PHYSICAL AND ENVIRONMENTAL SECURITY
Basic Level Requirements
11.1. Equipment and/or media used for Processing PEGUS Information shall be protected from physical and environmental threats to prevent interruption to the Processor’s activities and loss of PEGUS Information. For example, this can be achieved by considering the following: siting equipment appropriately; physically securing power and telecommunications cabling; ensuring equipment is properly maintained and protected from power failures.
11.2. Equipment and/or media containing PEGUS Information shall be placed in secure areas to prevent unauthorized physical access, damage, and interference to the information. Measures corresponding with the nature of PEGUS Information being Processed shall be taken to limit physical access to that information. For example, this may include access control, CCTV, and intrusion detection systems; implementing visitor entry control procedures; securing offices, rooms, and facilities; protecting against external and environmental threats; and controlling all access points including delivery and loading areas.
11.3. Equipment and media (including printed materials) containing PEGUS Information shall only be removed from PEGUS’s or the Processor’s premises following a prescribed procedure/plan that prevents unauthorized access to or retrieval of PEGUS Information.
11.4. Where hardcopy records containing PEGUS Information are to be retained in manual filing systems, they shall be stored and filed according to appropriate criteria which enable the Processor to locate the relevant records where necessary, to facilitate the access, amendment or destruction of the relevant records, and to facilitate the exercise of data subject rights at the request of PEGUS or the individual to whom those records relate. The making of copies of such documents must be under the control of persons authorized in accordance with the relevant security document(s).
Enhanced Level Requirements
11.5. Containers with locks or equivalent devices to prevent tampering and/or unauthorized access shall be used to store or transport hardcopy records.
11.6. Tracking of back-up and/or mass storage media containing PEGUS Information during transport (for example by Radio Frequency Identification (RFID) or GPS) and/or bonded courier services shall be used.
12. PHYSICAL AND LOGICAL ACCESS
Basic Level Requirements
12.1. Processor shall not make PEGUS Information publicly available without PEGUS’s prior written consent.
12.2. Processor shall not make any PEGUS Information available via a publicly available, restricted access website (i.e. URL available from outside of the PEGUS network), without providing evidence of successful completion of a security vulnerability test acceptable to PEGUS.
12.3. Further technical measures shall be put in place to prevent unauthorized electronic access to PEGUS Information. Expectations are that these measures include, but are not limited to, firewalls, logical separation (no co-mingled data) and/or intrusion prevention and detection systems.
12.4. Authorization to access Information Systems Processing PEGUS Information shall be granted on a need-to-know or need-to-do basis; authorized users shall only have access to that PEGUS Information necessary for them to perform their duties.
12.5. Processor shall restrict access to Information Systems Processing PEGUS Information through use of adequate and appropriate identification, authentication and authorization mechanisms.
12.6. Formal procedures to control the authorization of access rights to Information Systems and services shall be developed. The procedures shall cover:
12.6.1. user registration and revocation;
12.6.2. privilege management;
12.6.3. user password management; and
12.6.4. review of user access rights.
12.7. As part of the user registration procedures, the Processor shall:
12.7.1. Ensure every authorized user is issued a unique user identification code prior to accessing PEGUS Information or Information Systems Processing PEGUS Information.
12.7.2. Maintain a list of all individuals authorized to access Information Systems Processing PEGUS Information that includes the unique user identification code and the level of information to which the individual has access.
12.7.3. The Processor may disable but shall not delete or reassign such user identification codes so long as a historical list of user identification code assignments is maintained for the life of the underlying Information System.
12.8. At yearly intervals, the Processor shall review those individuals that it has authorized to access Information Systems Processing PEGUS Information and verify whether the individual still requires access and the present access level.
12.9. Only the Information Security Officer, or other Processor staff duly authorized in the security document(s), shall be permitted to grant, alter or cancel authorized access to PEGUS Information.
12.10. Authorized users shall only be allowed to access Information Systems Processing PEGUS Information after completing authentication procedures. Authentication procedures for access to electronic PEGUS Information shall be based on a password, or other authentication method (such as biometrics, passphrases, PINs, etc.) associated with the user identification code but only known to the authorized user.
12.11. Passwords shall meet prevailing legal and/or industry standards for strength and complexity, and confidentiality.
12.11.1. Password strength and complexity shall include a length of not less than 6 characters and numbers, with password composition allowing upper- and lower-case letters, numbers or special characters.
12.11.2. Passwords must be changed by the user upon first access to the Information System and shall be changed at regular intervals appropriate to the information accessible via the systems to which they relate, and in accordance with Processor security documents, prevailing industry standards and any legal requirements applicable to the Processor in the country in which the PEGUS Information is Processed.
12.11.3. Passwords shall be maintained in a location and/or format that does not compromise the security of the data they protect. Passwords will be rendered unreadable or unusable by unauthorized individuals, i.e., encrypted, when stored and transmitted electronically.
12.11.4. Access for a user identification code shall be blocked after multiple unsuccessful attempts to gain access, or once the limit placed on access attempts for the particular system is reached. Prior to reactivation of access or replacement of lost/forgotten authentication credentials, the user’s identity must be verified.
13. ACCESS RECORDS
Basic Level Requirements
13.1. An audit trail of access, or access logs, to Information Systems Processing PEGUS Information shall be maintained for a minimum period of one (1) year. At minimum, the audit trail shall be able to reasonably determine the files/databases accessed, the user ID of the individual accessing the files/databases, the date, time and type (e.g. remote, local, etc.) of access, and whether access was authorized or denied.
13.2. Access record mechanisms for producing the audit trail shall be under the direct control of the Information Security Officer, or other Processor staff duly authorized in the security document(s), and under no circumstances can they be de-activated or manipulated.
13.3. The Information Security Officer, or other Processor staff duly authorized in the security document(s), shall ensure that procedures are in place to detect suspicious and irregular access and requests for access to Information Systems (“Irregular Access”). Irregular Access shall be reviewed periodically and any action arising from that review shall be documented. Any Irregular Access issues affecting PEGUS Information or services shall be reported to PEGUS.
Enhanced Level Requirements
13.4. Audit trails of access to Information Systems housing PEGUS Information shall be retained for a minimum period of two (2) years, and shall include any Sensitive Personal Information categories accessed.
14. SOFTWARE AND VIRUS PROTECTION
Basic Level Requirements
14.1. Anti-virus software shall be installed on all Information Systems Processing PEGUS Information and updated on a regular basis, having regard to the state of the art and relevant industry best practice.
14.2. Processor shall follow a documented security patching policy, process, and schedule for the infrastructure and layered application products that includes the assessment of security vulnerabilities and deployment of updates or upgrades in accordance with industry best practice.
14.3. Only licensed copies of commercial software which comply with and do not compromise security standards shall be used.
14.4. The Processor shall notify PEGUS promptly (and in any event within 24 hours of becoming aware) of the actual or potential transmission of any identified computer virus by the Processor to PEGUS.
14.5. No newly acquired discs/media/programs/executables from whatever source shall be loaded on to Information Systems Processing PEGUS Information unless they have been previously vulnerability scanned and virus checked by a suitable vulnerability scanning and virus checking package.
14.6. Appropriate controls to prohibit the download and use of file sharing (e.g. peer-to-peer) and other software that can open security vulnerabilities in Information Systems shall be implemented by the Processor.
15. SECURITY INCIDENT RECORDING AND RESPONSE
Basic Level Requirements
15.1. The Processor shall have a documented procedure for identifying, reporting, responding to and managing Security Incidents that affect PEGUS Information or Information Systems Processing PEGUS Information.
15.2. Recovery of PEGUS Information or Information Systems Processing PEGUS Information following a Security Incident shall adhere to documented procedures.
16. AUDIT
Basic Level Requirements
16.1. The Processor shall carry out periodic audits to ensure the ability to comply with these Requirements.
Enhanced Level Requirements
16.2. Information Systems or non-automated means (i.e. hardcopy filing systems) of Processing PEGUS Information constituting Personal Information, Sensitive Personal Information, Financial Personal Information, or profiling or depicting the personality or behavior of one or more individuals, shall undergo an internal or external audit at least once every two (2) years to assess their compliance with these Requirements, and the findings shall be delivered in the form of an audit report.
16.3. In addition to this biennial audit, extraordinary audits must be carried out whenever material changes to the Processing are introduced which may affect PEGUS Information or Information Systems Processing PEGUS Information. The carrying out of any such extraordinary audit will reset the period of two years until the following audit.
16.4. An audit report shall include a compliance assessment, identify any shortcomings, propose corrective or supplementary measures, and include the information upon which the recommendations are based.
16.5. The Information Security Officer, or other Processor staff duly authorized in the security document(s), shall analyze the audit report and refer any conclusions to PEGUS and the Processor so that appropriate corrective steps can be taken.
16.6. PEGUS shall be permitted access to the audit report and it will be permitted to disclose it to relevant authorities with jurisdiction upon their request where legally required to do so.
SECTION 3
MINIMUM REQUIREMENTS FOR TRUSTED CONNECTIONS
1. TRUSTED CONNECTION
In addition to the requirements set forth in Section 2, the following requirements must be met in order to be granted a Trusted Connection and would only apply if triggered by this type of connection. These requirements must continue to be met as long as the Trusted Connection remains in effect. PEGUS reserves the right to terminate the Trusted Connection if the Processor fails to meet the minimum requirements.
1.1. A Trusted Connection shall only be established with a specific Processor facility. A Trusted Connection established at one secured Processor facility is not transferable to other Contractor locations or facilities without subsequent approval.
1.2. Physical access to the secured Processor facility must be restricted to those individuals working for the Processor on PEGUS contracts supported by the Trusted Connection. Any other individuals requiring entry to the facility must be escorted at all times by one of the individuals described above.
1.3. The secured Processor facility shall provide an isolated network that connects directly to PEGUS and does not connect back to the Processor’s own internal network or any other network including the Internet. Internet access will be provided via the PEGUS Internet gateways.
1.4. End user computing devices used in the secured Processor facility shall be either PEGUS provided devices with a PEGUS Desktop Management Services (DMS) image or Processor provided devices with a PEGUS DMS image. Said devices will be managed and supported in accordance with PEGUS supplied processes.
1.5. The Contractor agrees to an initial site survey at the secured Processor facility and subsequent assessments conducted by PEGUS, which includes, but is not limited to, monitoring of the following:
1.5.1. Restricted physical and logical access to devices connecting to the PEGUS network;
1.5.2. Connectivity between secured Processor facility and other networks (including supplier network and the Internet) to ensure that there is no additional connectivity outside of the established Trusted Connection;
1.5.3. End user computing devices to ensure that all are either PEGUS machines with PEGUS DMS images or Processor machines with PEGUS DMS image, and that all devices will be managed and supported in accordance with PEGUS supplied processes.
1.6. The Processor agrees that PEGUS may employ Intrusion Prevention Systems (IPS) or other tools to monitor network traffic or the flow of sensitive intellectual property between the secured Processor facility and PEGUS, specifically to detect malicious traffic on the wire.