Data Security and Privacy Except as would not, individually or in the aggregate, reasonably be expected to be material to the business of the Company Group, taken as a whole, the Company and each of its Subsidiaries (i) is in compliance with all Data Security Requirements and (ii) has taken commercially reasonable steps consistent with standard industry practice by companies of similar size and maturity, and in compliance in all material respects with all Data Security Requirements to protect (A) the confidentiality, integrity, availability and security of its Business Systems that are involved in the Processing of Personally Identifiable Information, in the conduct of the business of the Company and its Subsidiaries as currently conducted; and (B) Personally Identifiable Information Processed by or on behalf of the Company or such Subsidiary or on their behalf from unauthorized use, access, disclosure, theft and modification. Except as would not, individually or in the aggregate, reasonably be expected to be material to the business of the Company Group, taken as a whole, (i) there are, and since January 1, 2022, have been, no pending complaints, investigations, inquiries, notices, enforcement proceedings, or Actions by or before any Governmental Authority and (ii) since January 1, 2022, no fines or other penalties have been imposed on or written claims, notice, complaints or other communications have been received by the Company or any Subsidiary, relating to any Specified Data Breach or alleging non-compliance with any Data Security Requirement. The Company and each of its Subsidiaries have not, since January 1, 2022, (1) experienced any Specified Data Breaches, or (2) been involved in any Legal Proceedings related to or alleging any violation of any Data Security Requirements by the Company Group or any Specified Data Breaches, each except as would not be material to the business of the Company Group, taken as a whole. The consummation of the transactions contemplated by this Agreement will not cause the Company Group to breach any Data Security Requirement, except as would not reasonably be expected to be material to the business of the Company Group, taken as a whole.
Data Security and Unauthorized Data Release The Requester and Approved Users, including the Requester’s IT Director, acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access dataset(s) and any Data Derivatives of controlled-access datasets according to NIH’s expectations set forth in the current NIH Security Best Practices for Controlled-Access Data Subject to the GDS Policy and the Requester’s IT security requirements and policies. The Requester, including the Requester’s IT Director, agree that the Requester’s IT security requirements and policies are sufficient to protect the confidentiality and integrity of the NIH controlled-access data entrusted to the Requester. If approved by NIH to use cloud computing for the proposed research project, as outlined in the Research and Cloud Computing Use Statements of the Data Access Request, the Requester acknowledges that the IT Director has reviewed and understands the cloud computing guidelines in the NIH Security Best Practices for Controlled-Access Data Subject to the NIH GDS Policy. The Requester and PI agree to notify the appropriate DAC(s) of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the DAC notification, the Requester agrees to submit to the DAC(s) a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Requester agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Requester. NIH, or another entity designated by NIH may, as permitted by law, also investigate any data security incident or policy violation. Approved Users and their associates agree to support such investigations and provide information, within the limits of applicable local, state, tribal, and federal laws and regulations. In addition, Requester and Approved Users agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.
Data Security and Privacy Plan As more fully described herein, throughout the term of the Master Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows:
(a) Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy.
(b) Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Agreement.
(c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Agreement between Chazy Central Rural School District and [Name of Vendor].” Vendor’s obligations described within this section include, but are not limited to:
(i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and
(ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreement.
(d) Vendor has provided or will provide training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, prior to their receiving access.
(e) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.
Security and Data Transfers Party shall comply with all applicable State and Agency of Human Services' policies and standards, especially those related to privacy and security. The State will advise the Party of any new policies, procedures, or protocols developed during the term of this agreement as they are issued and will work with the Party to implement any required. Party will ensure the physical and data security associated with computer equipment, including desktops, notebooks, and other portable devices, used in connection with this Agreement. Party will also assure that any media or mechanism used to store or transfer data to or from the State includes industry standard security mechanisms such as continually up-to-date malware protection and encryption. Party will make every reasonable effort to ensure media or data files transferred to the State are virus and spyware free. At the conclusion of this agreement and after successful delivery of the data to the State, Party shall securely delete data (including archival backups) from Party’s equipment that contains individually identifiable records, in accordance with standards adopted by the Agency of Human Services. Party, in the event of a data breach, shall comply with the terms of Section 7 above.
Data Security The Provider agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. The Provider shall adhere to any applicable law relating to data security. The provider shall implement an adequate Cybersecurity Framework based on one of the nationally recognized standards set forth set forth in Exhibit “F”. Exclusions, variations, or exemptions to the identified Cybersecurity Framework must be detailed in an attachment to Exhibit “H”. Additionally, Provider may choose to further detail its security programs and measures that augment or are in addition to the Cybersecurity Framework in Exhibit “F”. Provider shall provide, in the Standard Schedule to the DPA, contact information of an employee who ▇▇▇ may contact if there are any data security concerns or questions.