1. Data Access and Security/Payment Card Industry Data Security Standard (PCI DSS) Compliance.
1.1 Accessing Data
While providing services, [company name] may be required to access, receive, transmit or maintain financial or business data or personally identifiable information from or on behalf of 绿巨人视频 or its students, employees, or agents. Any data that [company name] accesses, receives, transmits or maintains (collectively, "绿巨人视频 Data") shall be treated as confidential and protected as stated in this section.
1.2 Compliance with Laws
[Company name] agrees to comply with all applicable federal, state and local laws, regulations and rules, and when applicable, the European Union's General Data Protection Regulation 2016/679, in connection with its access to or handling of 绿巨人视频 Data.
1.3 Data Return or Destruction
1.3.1 Unless directed to return the 绿巨人视频 Data to 绿巨人视频, [company name], its subcontractors and agents shall Securely Destroy all 绿巨人视频 Data in their possession within 60 days of termination of the contract. [company name] agrees to provide reasonable documentation of such data destruction to 绿巨人视频.
1.3.2 "Securely Destroy" means taking actions which meet or exceed the National Institute of Standards and Technology (NIST) SP 800-88 guidelines, or other similar industry-accepted standards, relevant to data categorized as high security, to render data written on physical (e.g., hardcopy, microfiche, etc.) or electronic media unrecoverable by both ordinary and extraordinary means.
1.4 Security Assessments
1.4.1 [Company name] will satisfy the requirements of the 绿巨人视频 security assessment review (SAR), or specific 绿巨人视频 campus equivalent.
1.4.2 绿巨人视频 shall have the right, no more than once annually, upon reasonable prior notice, to review [company name]'s compliance with these requirements and its security measures relating to 绿巨人视频 Data, including the right to have an independent third party conduct a data security audit. [company name] and 绿巨人视频 shall work in good faith to determine the scope and time for performance of such audits to minimize disruptions to [company name]'s business operations and allow [company name] to maintain reasonable control over access to and security of its infrastructure and audit artifacts. Audits shall be limited to those facilities, systems and information material to the services provided to 绿巨人视频 by [company name].
1.5 Information Security
1.5.1 [Company name] agrees to implement administrative, physical and technical safeguards to protect 绿巨人视频 Data that meet accepted industry practices.
1.5.2 [Company name]'s safeguards to protect 绿巨人视频 Data shall include:
- 1.5.2.1 securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including all mobile devices and other equipment with information storage capability
- 1.5.2.2 implementing network, device, application, database and platform security
- 1.5.2.3 securing information transmission, storage and disposal
- 1.5.2.4 implementing authentication and access controls within media, applications, operating systems and equipment, leveraging 绿巨人视频 authentication services as applicable
- 1.5.2.5 encrypting 绿巨人视频 Data at rest or in transit
- 1.5.2.6 segregating 绿巨人视频 Data from [company name]'s or its other customers' information
- 1.5.2.7 implementing appropriate personnel security and integrity procedures and practices, including background checks
- 1.5.2.8 providing appropriate privacy and information security training to [company name]'s employees
1.6 Payment Card Standards
1.6.1 To the extent [company name] collects or has access to any information involving payment card data under the contract, [company name] shall adhere to all applicable payment card industry requirements, including the current Payment Card Industry Data Security Standard (PCI DSS).
1.6.2 [Company name] is solely responsible for the protection and security of any cardholder data that [company name] possesses, stores, processes, or transmits on behalf of 绿巨人视频.
1.6.3 [Company name] is also responsible for its actions or inactions concerning payment card security to the extent that they could impact the security of the customer's cardholder data environment.
1.6.4 [Company name] must provide proof of compliance with the current PCI DSS, in the form of a processor-provided certificate, on an annual basis. Acceptable proof will be an Attestation of Compliance (AOC), appropriate to [company name]'s PCI DSS compliance level, properly completed, and less than twelve months old. For example, a Level 1 company would be required to deliver the Attestation of Compliance from a QSA-led Onsite Assessment (also known as a PCI Report on Compliance, ROC). Companies eligible to self-assess should provide an AOC signed by an authorized executive of the company. This AOC would ideally be supported by a Qualified Security Assessor (QSA, as defined in the PCI DSS) signature, but it is not required.
1.7 Security Incident Response Protocols
1.7.1 Immediately upon execution of the contract, [company name] shall provide to the 绿巨人视频 and the campus Information Technology contacts the name and contact information of [company name]'s employee who shall serve as 绿巨人视频's primary security contact and shall be available to assist 绿巨人视频 within 4 hours of discovery of a breach and be available to resolve obligations associated with a security breach.
1.7.2 In the event of an information security incident involving the security, confidentiality, integrity, and/or availability of 绿巨人视频 Data, or in which 绿巨人视频 Data could have been compromised or subject to unauthorized access (a "Security Incident"), the following steps will be taken:
- 1.7.2.1 绿巨人视频 & Campus Notification - [company name] shall immediately notify the 绿巨人视频 and the campus IT contact as soon as practicable but no later than 24 hours after [company name] becomes aware of the Security Incident. The 绿巨人视频 notice shall be sent by email with a read receipt requested to IT.Security@unh.edu. The campus email notice shall be sent to the current contact.
- 1.7.2.2 Investigation - Immediately following [company name]'s notification to 绿巨人视频 of a Security Incident, the parties shall coordinate to investigate the Security Incident. [company name] agrees to reasonably cooperate with 绿巨人视频 in handling the Security Incident, including (i) assisting with any investigation; (ii) upon request, providing 绿巨人视频 with physical access to the facilities and operations relevant to the 绿巨人视频 Data affected; (iii) upon request, facilitating interviews with [company name]'s employees and others involved in the Security Incident; (iv) making available all relevant records, logs, files, data reporting and other materials relating to the Security Incident required to comply with applicable laws, regulations, or as otherwise reasonably required by 绿巨人视频; (v) providing assistance and notification if the breach is the result of a third-party contractor or supply chain; and (vi) the vendor will be responsible for the costs of notification and credit monitoring if they cause the breach.
- 1.7.2.3 Notification to Third Parties - Except as required by law, [company name] agrees that it shall not inform any third party of any loss or compromise of any 绿巨人视频 Data without first obtaining 绿巨人视频's written consent, other than to inform a complainant that notice of the Security Incident has been forwarded to 绿巨人视频's legal counsel. Further, [company name] agrees that 绿巨人视频 shall have the sole right to determine: (i) whether notice of any loss or compromise of 绿巨人视频 Data is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
- 1.7.2.4 Remedy of Vulnerability and/or Exploitable State - [company name] shall use reasonable efforts to immediately remedy any security vulnerabilities and/or exploitable states to mitigate potential damage or loss during an ongoing security incident, in accordance with applicable privacy rights, laws, and regulations. "Reasonable efforts" means, with respect to this requirement, the efforts that a reasonable person in [company name]'s position would use to comply with this obligation as promptly as possible.
- 1.7.2.5 Cost of Breach - [company name] shall be responsible for all costs associated with any Security Incident. [company name] shall reimburse 绿巨人视频 for actual costs incurred by 绿巨人视频 in responding to, and mitigating damages caused by, any Security Incident, including (i) all costs of notice and/or remediation and any fees imposed by regulatory agencies, contracting partners, or other entities resulting from the Security Incident or (ii) providing notification to individuals whose Personally Identifiable Information was compromised.