Information Security and Confidentiality Clause Samples
Information Security and Confidentiality. The Contractor and any of its subcontractors associated with this Contract will maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of DARS-related information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information in accordance with applicable federal and state laws, rules, and regulations and DARS policies and procedures.
1. Different requirements apply to different types of contractors. Requirements that may apply include, but are not limited to: i. State Vocational Rehabilitation Services Program at 34 C.F.R. Part 361; ii. Federal Early Intervention Program for Infants and Toddlers with Disabilities at 34 C.F.R. Part 303; iii. Texas Health and Safety Code Sections 85.113 Workplace Guidelines for State Contractors and 85.115 Confidentiality Guidelines; iv. HIPAA privacy and security rules, 45 C.F.R. parts 160, 162 and 164;
Information Security and Confidentiality. 5.1. Data Processor shall fulfil any legal obligations imposed on it regarding information security under applicable data protection laws including taking appropriate technical and organisational measures to protect the Personal Data which is processed.
5.2. Data Processor agrees to maintain a level of security for the Services that is in accordance with (i) industry practice, (ii) applicable data protection laws (including putting in place reasonable administrative, physical, technical, organisational and other security measures to protect against unauthorised access to, or loss, destruction, unavailability or alteration of any Customer Personal Data processed or stored), and (iii) the latest version of Data Processor's “Standard Policies and Procedures - Information Security Overview” available at ▇▇▇.▇▇▇▇▇▇.▇▇▇/▇▇▇▇▇▇▇. Data Processor may update the Information Security Overview from time to time, provided however, that any changes will not degrade the overall level of security.
5.3. Data Processor undertakes not to, without Data Controller's prior written consent, disclose or otherwise make Personal Data processed under this DPA available to any third party, except for sub-processors engaged in accordance with this DPA, unless Data Processor is compelled by law so to disclose or otherwise make it available.
5.4. Data Processor shall ensure that only such staff and other Data Processor representatives that require access to Personal Data in order to fulfil the Data Processor's obligations have access to such information. Data Processor shall ensure that such staff and other Data Processor representatives are bound by a statutory or contractual confidentiality obligation concerning this information.
Information Security and Confidentiality. 8.1. AppXite can demonstrate its compliance with the obligations in this DPA by maintaining ISO 27001 Information Security Management certification, and therefore holds an independent auditor's attestation that AppXite's information security practices conform to ISO 27001 requirements.
8.2. The Processor shall, in order to assist the Controller in fulfilling its legal obligations (including, but not limited to, security measures and privacy impact assessments), be obliged to take appropriate technical and organizational measures to protect the Personal Data which is Processed and shall thereby follow any written information security requirements or policies communicated by the Controller from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:
i. the technical possibilities available;
ii. the cost to implement the measures;
iii. the special risks involved with processing of personal data; and
iv. the sensitivity of the personal data.
8.3. The Processor shall maintain adequate security for the Personal Data appropriate to the risk of processing.
8.4. The Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Processor shall include, inter alia, as appropriate:
i. the Pseudonymisation and encryption of Personal Data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
iii. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8.5. The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller. The Processor shall prepare and keep updated a description of its technical, organisational and physical measures for becoming and remaining compliant with the Applicable Data Protection Law.
8.6. The Processor undertakes not to, with...
Information Security and Confidentiality. 6.1 Taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, WSP shall implement appropriate technical and organizational measures (please check Anywhere365 TOMs Document) to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(i) If appropriate, the pseudonymization and encryption of Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.2 In assessing the appropriate level of security, WSP shall take into account the particular risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
6.3 WSP shall notify the CUSTOMER of the Personal Data Breach immediately, and in any event not later than 24 hours after becoming aware of it. The notification shall at least:
(i) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
(iii) describe the likely consequences of the Personal Data Breach;
(iv) describe the measures taken or proposed to be taken by WSP to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
(v) include any other information available to WSP which the Controller is required by Applicable Data Protection Legislation to notify to the Data Protection Authorities and/or the Data Subjects. WSP will furthermore provide the reasonable assistance requested by the CUSTOMER in order to investigate the Personal Data Breach and notify it to the Data Protection Authorities and/or the Data Subjects as required by Applicable...
Information Security and Confidentiality. 5.1 Prior to the execution of this DPA, Participant undertakes to adopt all the necessary and appropriate technical and organizational security measures required by Applicable Law to ensure the privacy and security of CIE Data. Participant shall maintain and enforce all such technical and organizational security measures to protect the CIE Data accessed under the Agreement. Such measures shall guarantee data security and a protection level adequate to the level of risk concerning confidentiality, integrity, availability, and resilience of the systems. The measures shall at least result in a level of security which is appropriate taking into consideration: whether or not the measures can be reasonably considered to be state-of-the-art, the implementation costs, the nature, scope and purposes of processing, as well as the likelihood of Security Breaches and the severity of risks to the rights and freedoms of natural persons. To the extent Participant adopts alternative adequate measures which are up to date with the changed technological environment, the security level may not be reduced and any substantial changes must be documented.
5.2 Participant shall treat CIE Data as being confidential and ensure only its authorized users shall have access to the same.
Information Security and Confidentiality. The Data processor undertakes to implement appropriate technical and organizational measures to ensure security of personal data being processed and undertakes to comply with any written security requirements and policies provided by the Data controller. The Data processor undertakes to protect personal data from destruction, alteration, unauthorized distribution, or unauthorized access, and from any forms of unlawful processing. The appropriate technical and organisational measures are chosen to ensure a level of security appropriate to the risk, including inter alia as appropriate: pseudonymisation of Personal Data and their encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. The Data processor undertakes to ensure that it shall apply at least minimal technical and organisational measures referred to in Annex No. 1 “Personal data processing instructions” in the processing of personal data. The Data processor undertakes to take the necessary actions in order to assist the Data controller in case of a personal data breach, to mitigate its adverse effects and to immediately notify the Data controller of any incident relating to personal data and of unauthorized access to personal data in accordance with clauses 3.3-3.6 of this Agreement. 
The Data processor undertakes to ensure confidentiality of personal data and that the Data processor's personnel having access to personal data: are appropriately trained to comply with the Data protection laws and the requirements established for them hereunder; properly fulfil the requirements set out herein and in the Data protection laws; are informed of the duty to keep the personal data confidential; and have committed themselves to confidentiality on an agreed basis or are under an appropriate statutory obligation of confidentiality. The Data processor is obliged to ensure that access to the personal data is strictly limited and granted only to the Data processor's personnel who need access to such data to perform the duties of the Data processor under this Agreement and the Main Agreement.
Information Security and Confidentiality. 6.1. To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follow from the Agreement, ▇▇▇▇ commits to the following appropriate technical and organisational measures:
(a) Data Encryption: Implement strong encryption for data at rest and in transit.
(b) Access Control: Enforce strict access controls, including multi-factor authentication and role-based access, to ensure only authorised personnel access personal data.
(c) Data Minimisation: Process and store only necessary personal data.
Information Security and Confidentiality. 4.1. During its operation, Supplier is responsible for the security of the data and ensures that only those employees and contributors who have the task of contributing to the performance of the service provided to InnoStars have access to the data and perform data processing operations.
4.2. The Supplier shall take measures related to the security of data processing and, in particular, shall be obliged to take such technical and organizational measures to protect the personal data as the Parties deem appropriate considering
(i) existing technical possibilities;
(ii) costs for carrying out the measures;
(iii) particular risks associated with the processing of personal data; and
(iv) sensitivity of the personal data which is processed.
4.3. The minimum technical and organizational conditions of InnoStars related to data processing:
4.3.1. The transmission of personal data may be carried out on paper or electronically, in the latter case only through encrypted channels protected by a firewall.
4.3.2. The communication channel between the data storage devices, the server and the server-Data Processor must be protected against unauthorized intrusion at several levels.
4.3.3. Devices and servers need strong firewalls and installed software to protect them from malicious viruses.
4.3.4. Parties are obliged to store all transferred data and all copies of them in a safe place and to ensure that they are not accessible to third parties.
4.3.5. Parties shall select and operate the IT tools used to process personal data in such a way that the data processed:
a) is accessible to those entitled to it (availability);
b) has its authenticity and authentication guaranteed (authenticity);
c) can be verified as unaltered (data integrity);
d) is protected against unauthorized access (confidentiality).
4.3.6. Parties shall take appropriate measures to protect the data and the data media containing them against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction.
4.3.7. Data stored electronically must be backed up on a weekly basis and stored on an external storage device. The Parties are obliged to ensure the storage, safe keeping and, if necessary, closure of the data storage devices containing the data.
4.3.8. Documents may only be printed from the storage media if necessary and handled with the utmost care, and may only be handed over to the person authorized to do so.
4.3.9. The means of protection are technical, organizational, ...
Information Security and Confidentiality. 5.1 Data Processor shall be obligated to fulfil any legal obligations imposed on it regarding information security under applicable data protection laws and shall in any case take appropriate technical and organizational measures to protect the personal data which is processed.
5.2 For the current version of Quinyx' Information Security Standard Policies and Procedures, see: ▇▇▇▇▇://▇▇▇▇▇.▇▇▇▇▇▇.▇▇▇/hubfs/iGoMoon2017/PDFs/Quinyx_Information_Security.pdf?t=1523976583623.
5.3 The Data Processor undertakes not to, without the Data Controller's prior written consent, disclose or otherwise make personal data processed under this Data Processor Agreement available to any third party, except for sub-processors engaged in accordance with this data processing agreement.
5.4 The Data Processor shall be obliged to ensure that only such staff and other Data Processor representatives that directly require access to personal data in order to fulfil the Data Processor's obligations in accordance with this data processor agreement have access to such information. The Data Processor shall ensure that such staff and other Data Processor representatives are bound by a confidentiality obligation concerning this information to the same extent as the Data Processor in accordance with this data processing agreement.