Common use of Information Security and Confidentiality Clause in Contracts

Information Security and Confidentiality.

4.1. During its operation, Supplier is responsible for the security of the data and ensures that only those employees and contributors who have the task of contributing to the performance of the service provided to InnoStars have access to the data and perform data processing operations.

4.2. The Supplier shall take measures related to the security of data processing, especially be obliged to take such technical and organizational measures to protect the personal data which the Parties deem appropriate considering (i) existing technical possibilities; (ii) costs for carrying out the measures; (iii) particular risks associated with the processing of personal data; and (iv) sensitivity of the personal data which is processed.

4.3. The minimum technical and organizational conditions of InnoStars related to data process:

4.3.1. The transmission of personal data may be carried out on paper or electronically, in the latter case only through encrypted channels protected by a firewall.

4.3.2. The communication channel between the data storage devices, the server and the server-Data Processor must be protected against unauthorized intrusion at several levels.

4.3.3. Devices and servers need strong firewalls and installed software to protect them from malicious viruses.

4.3.4. Parties are obliged to store all transferred data and all copies of them in a safe place and to ensure that they are not accessible to third parties.

4.3.5. Parties shall select and operate the IT tools used to process personal data in such a way that the data processed:
a) accessible to those entitled to it (availability);
b) authenticity and authentication are guaranteed (authenticity);
c) its invariability can be verified (data integrity);
d) be protected against unauthorized access (confidentiality).

4.3.6. Parties shall take appropriate measures to protect the data and the data media containing them against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction.

4.3.7. Data stored electronically must be backed up on a weekly basis and stored on an external storage device. The parties are obliged to ensure the storage, safe storage and, if necessary, closure of the data storage devices containing the data.

4.3.8. Documents may only be printed from the storage media if necessary and handled with the utmost care, and may only be handed over to the person authorized to do so.

4.3.9. The means of protection are technical, organizational, programming and legal measures in accordance with the current technical development, which facilitate or ensure the protection of the subject of protection against the harmful effects and intentions of various sources of protection and provide a level of protection appropriate to data management risks.

4.3.10. The Supplier during data management
• maintains (i) confidentiality: protects information so that only those who have access to it can access it; (ii) integrity: protects the accuracy and completeness of the information and the method of processing;
• ensures availability: ensures that when an authorized user needs it, they can actually access the information they need and have the tools to do so.

4.3.11. The data is stored and managed using Microsoft office applications, which are protected by access passwords and a screen saver. The computer systems and other data storage locations of the Parties shall be located at their headquarters, premises or branches, or on computer equipment and other devices owned or lawfully in their possession, no data processing shall take place elsewhere.

4.4. The Supplier shall notify InnoStars of any accidental or unauthorized access to the personal data processed on behalf of InnoStars or any other data protection incidents involving personal data processed on behalf of InnoStars within 24 (twenty-four) hours of becoming aware of such incidents.

4.5. The notification related to the data protection incident shall to the extent the information is available to the Supplier:
(i) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(iii) describe the likely consequences of the personal data breach;
(iv) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
(v) include any other information available to the Supplier which InnoStars is required to notify to the data protection authorities and/or the data subjects.

4.6. Parties intend to record that a data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise handled or processed.

4.7. Supplier will provide reasonable assistance requested by InnoStars in order to investigate security breach.

4.8. Supplier shall ensure that staff who have access to the data is bound by a confidentiality statement or are under an appropriate statutory obligation of confidentiality.

4.9. Duties of confidentiality related to data processing shall survive the term of this DPA.

Appears in 2 contracts

Sources: Service Framework Agreement, Service Agreement