Information Security Requirements. (a) Vidyard shall have implemented and documented appropriate administrative, technical and physical measures set forth in the Agreement, as applicable, to protect Personal Information against accidental or unlawful destruction, alteration, unauthorized disclosure or access. Vidyard will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. Vidyard will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Information, and ensure that these risks are addressed.
(b) Vidyard shall have implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services (including restoring access to the Personal Information) in a timely manner after a disruptive event. Vidyard will regularly test and monitor the effectiveness of its business continuity and disaster recovery plans. At appropriate intervals or as otherwise requested by Customer, Vidyard will provide a copy of its written business continuity and disaster recovery plans to Customer.
(c) If the Processing involves the transmission of Personal Information over a network, Vidyard shall have implemented appropriate supplementary measures to protect the Personal Information against the specific risks presented by the Processing. Personal Information may not be transmitted over any insecure network unless it has been appropriately
(d) Upon request, and subject to the confidentiality obligations set forth in the Agreement, Vidyard shall provide Customer (or Customer’s independent, third-party auditor that is not a competitor of Vidyard) information regarding Vidyard’s compliance with the obligations set forth in this DPA in the form of Vidyard’s Internal Audit Report. Customer may contact Vidyard in accordance with the “Notices” Section of the Agreement to request an on-site audit of the architecture, systems and procedures relevant to the protection of Customer Personal Information. Customer shall reimburse Vidyard for any time expended by Vidyard or its third-party sub-processors for any such on-site audit at Vidyard’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Vidyard shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Vidyard, or its third-party sub-processors. Customer shall promptly notify Vidyard with information regarding any non-compliance discovered during the course of an audit. In the event that any such audit reveals material gaps or weaknesses in Vidyard’s security program, Customer shall be entitled to terminate Vidyard’s Processing of Personal Information until such issues are resolved. Such audits will be limited to once per year; provided however, that Customer may audit at any time in the event of a security breach or suspected material violation by Vidyard of its obligations under this DPA. Vidyard shall also cooperate with any audits conducted by any regulatory agency that has authority over Customer as needed to comply with Applicable Laws. In the case of Vidyard's Subprocessor, Amazon Web Services, Inc., Customer acknowledges that no on-site audit is available and that Vidyard relies on publicly available third party security reports.
(e) Vidyard will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of Customer Personal Information. Vidyard will notify Customer within forty-eight (48) hours upon discovery of any Security Breach. Notifications should be sent in accordance with the “Notices” Section of the Agreement. Vidyard shall provide Customer with all information about the Security Breach reasonably needed by Customer to assess its incident response obligations. Such notification shall as a minimum (i) describe the nature of the Security Breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned; (ii) communicate the name and contact details of ▇▇▇▇▇▇▇'s data protection officer or other relevant contact from whom more information may be obtained; (iii) describe the likely consequences of the Security Breach; and (iv) describe the measures taken or proposed to be taken to address the Security Breach.
(f) Vidyard shall bear all costs associated with resolving a Security Breach, including (without limitation), conducting an investigation, engaging appropriate forensic analysis, notifying individuals, regulators and others as required by Applicable Laws and responding to individual, regulator and media inquiries.
(g) When Vidyard ceases to perform Services for Customer (and at any other time, upon request), Vidyard will either, at Customer’s option (i) return the Personal Information (and all media containing copies of the Personal Information) to Customer, or (ii) with Customer’s prior written consent, purge, delete and destroy the Customer Personal Information. Electronic media containing Customer Personal Information will be disposed of in a manner that renders the Personal Information unrecoverable. Vidyard will provide Customer with an Officer’s Certificate to certify its compliance with this provision upon request. If Vidyard is required by Applicable Laws to retain any Personal Information, Vidyard warrants that it shall (i) ensure the continued confidentiality and security of the Personal Information, (ii) securely delete or destroy the Personal Information when the legal retention period has expired, and (iii) not actively Process the Personal Information other than as needed to comply with Applicable Laws.
Appears in 1 contract
Sources: Data Processing Addendum
Information Security Requirements. (a) Vidyard shall have implemented and documented appropriate administrative, technical and physical measures set forth in the Agreement, as applicable, to protect Personal Information against accidental or unlawful destruction, alteration, unauthorized disclosure or access. Vidyard will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. Vidyard will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Information, and ensure that these risks are addressed.
(b) Vidyard shall have implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services (including restoring access to the Personal Information) in a timely manner after a disruptive event. Vidyard will regularly test and monitor the effectiveness of its business continuity and disaster recovery plans. At appropriate intervals or as otherwise requested by Customer, Vidyard will provide a copy of its written business continuity and disaster recovery plans to Customer.
(c) If the Processing involves the transmission of Personal Information over a network, Vidyard shall have implemented appropriate supplementary measures to protect the Personal Information against the specific risks presented by the Processing. Personal Information may not be transmitted over any insecure network unless it has been appropriately encrypted.
(d) Upon request, and subject to the confidentiality obligations set forth in the Agreement, Vidyard shall provide Customer (or Customer’s independent, third-party auditor that is not a competitor of Vidyard) information regarding Vidyard’s compliance with the obligations set forth in this DPA in the form of Vidyard’s Internal Audit Report. Customer may contact Vidyard in accordance with the “Notices” Section of the Agreement to request an on-site audit of the architecture, systems and procedures relevant to the protection of Customer Personal Information. Customer shall reimburse Vidyard for any time expended by Vidyard or its third-party sub-processors for any such on-site audit at Vidyard’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Vidyard shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Vidyard, or its third-party sub-processors. Customer shall promptly notify Vidyard with information regarding any non-compliance discovered during the course of an audit. In the event that any such audit reveals material gaps or weaknesses in Vidyard’s security program, Customer shall be entitled to terminate Vidyard’s Processing of Personal Information until such issues are resolved. Such audits will be limited to once per year; provided however, that Customer may audit at any time in the event of a security breach or suspected material violation by Vidyard of its obligations under this DPA. Vidyard shall also cooperate with any audits conducted by any regulatory agency that has authority over Customer as needed to comply with Applicable Law. In the case of Vidyard's Subprocessor, Amazon Web Services, Inc., Customer acknowledges that no on-site audit is available and that Vidyard relies on publicly available third party security reports.
(e) Vidyard will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of Customer Personal Information. Vidyard will notify Customer within forty-eight (48) hours upon discovery of any Security Breach. Notifications should be sent in accordance with the “Notices” Section of the Agreement. Vidyard shall provide Customer with all information about the Security Breach reasonably needed by Customer to assess its incident response obligations. Such notification shall as a minimum (i) describe the nature of the Security Breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned; (ii) communicate the name and contact details of Vidyard's data protection officer or other relevant contact from whom more information may be obtained; (iii) describe the likely consequences of the Security Breach; and (iv) describe the measures taken or proposed to be taken to address the Security Breach.
(f) Vidyard shall bear all costs associated with resolving a Security Breach, including (without limitation), conducting an investigation, engaging appropriate forensic analysis, notifying individuals, regulators and others as required by Applicable Law and responding to individual, regulator and media inquiries.
(g) When Vidyard ceases to perform Services for Customer (and at any other time, upon request), Vidyard will either, at Customer’s option (i) return the Personal Information (and all media containing copies of the Personal Information) to Customer, or (ii) with Customer’s prior written consent, purge, delete and destroy the Customer Personal Information. Electronic media containing Customer Personal Information will be disposed of in a manner that renders the Personal Information unrecoverable. Vidyard will provide Customer with an Officer’s Certificate to certify its compliance with this provision upon request. If Vidyard is required by Applicable Laws to retain any Personal Information, Vidyard warrants that it shall (i) ensure the continued confidentiality and security of the Personal Information, (ii) securely delete or destroy the Personal Information when the legal retention period has expired, and (iii) not actively Process the Personal Information other than as needed to comply with Applicable Laws.
Appears in 1 contract
Sources: Data Processing Addendum
Information Security Requirements. (a) Seller shall have implemented (and will provide reasonable assistance to Boeing and the other members of the Boeing Group to implement) and shall have documented appropriate administrative, technical, organisational and physical measures set forth in the Agreement, as applicable, to protect Agreement Personal Data against accidental or unlawful destruction, alteration, unauthorized compromise, or unlawful disclosure or access, and ensure a level of security appropriate to the risk presented by Processing the Agreement Personal Data, in particular from a Data Breach. Seller will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. Seller will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Agreement Personal Data, and ensure that these risks are addressed.
Seller shall have implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services (including restoring access to the Agreement Personal Data) in a timely manner after a disruptive event. Seller will regularly test and monitor the effectiveness of its business continuity and disaster recovery plans. At appropriate intervals or as otherwise requested by Boeing, Seller will provide a copy of its written business continuity and disaster recovery plans to Boeing.
If the Processing involves the transmission of Agreement Personal Data over a network, Seller shall have implemented appropriate supplementary measures to protect the Agreement Personal Data against the specific risks presented by the Processing. Personal Information may not be transmitted over any insecure network unless it has been appropriately protected, such as with encryption. Personal Information and any European Personal Data may not be stored on any portable computer devices or media (including, without limitation, laptop computers, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes) unless it is encrypted. Any employees of Seller who handle Sensitive Personal Information are required to follow a clean desk policy by clearing their desk of all papers with Sensitive Personal Information when they leave their desk at any time during the day or at the end of the day.
Upon request, and subject to the confidentiality obligations set forth in the Agreement, Seller shall provide Boeing with information about the Seller’s information security program. Notwithstanding the provisions in clause 5(f), Seller shall also submit its data processing facilities for audit, which shall be carried out by Boeing (or by an independent auditor designated by Boeing) in a mutually-agreeable manner no more than ten (10) days after any such request. Seller shall reasonably cooperate with any such audit. In the event that any such audit reveals material gaps or weaknesses in Seller’s security program, Boeing shall be entitled to terminate Seller’s Processing of Agreement Personal Data until such issues are resolved. Seller shall also cooperate with any audits conducted by any regulatory agency that has authority over Boeing as needed to comply with applicable law.
In respect of any European Personal Data Seller will, and will procure that Subprocessors will: make available to Boeing and the other members of the Boeing Group all information necessary to demonstrate compliance with the obligations set out in this [Schedule/Agreement]; and allow for and contribute to audits, including inspections, conducted by Boeing or another auditor mandated by Boeing.
In respect of European Personal Data, Seller will prepare and securely maintain a record of all categories of Processing activities carried out on behalf of Boeing and other members of the Boeing Group in relation to the Agreement Personal Data, including as a minimum: (i) its name and contact details and details of its Data Protection officer or other person with responsibility for Data Protection compliance; (ii) the categories of Processing it carries out on behalf of Boeing and other members of the Boeing Group; (iii) any transfers of Agreement Personal Data outside the European Economic Area (as it is made up from time to time) and/or international organisations; (iv) a general description of the technical and organisational security measures referred to in clause 5(a); and (v) the same information in relation to any Subprocessor, together with its name and contact details (together the “Data Record”). Seller will promptly upon request securely supply a copy of the Data Record to Boeing.
Seller will promptly and thoroughly investigate all actual, potential, or suspicions of unauthorized access to, use or disclosure of Agreement Personal Data and of Data Breaches of systems containing, transmitting or otherwise Processing Agreement Personal Data. Seller will notify Boeing without undue delay (and in any event no later than 24 hours) upon becoming aware of any reasonably suspected, “near miss” or actual Data Breach, including the nature of the Data Breach, the categories and approximate number of Data Subjects and Agreement Personal Data records concerned and any measure proposed to be taken to address the Data Breach and to mitigate its possible adverse effects. Seller shall provide Boeing with all information about the Data Breach reasonably needed by Boeing to assess its incident response obligations. Where, and in so far as, it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue further delay, but Seller (and Subprocessors) may not delay notification under this clause 5(i) on the basis that an investigation is incomplete or ongoing.
Seller will not, and will procure that Subprocessors will not, make or permit any announcement in respect of the Data Breach to any person without Boeing’s prior written consent. Seller shall bear all costs associated with resolving a Data Breach, including (without limitation), conducting an investigation, engaging appropriate forensic analysis, notifying individuals, relevant government entities and others as required by law or the Payment Card Industry Data Security Standard, providing individuals with credit monitoring (or other appropriate remediation service), and responding to individual, regulator and media inquiries.
When the Seller ceases to perform Services for Boeing (and at any other time, upon request), Seller will promptly either, at the option of Boeing, (i) securely return all Agreement Personal Data (and all media containing copies of the Agreement Personal Data) to Boeing, or (ii) securely purge, delete and destroy the Agreement Personal Data and securely delete any remaining copies and promptly certify (via a director or officer) when this exercise has been completed. In the event that Agreement Personal Data cannot be returned, the controls stipulated in this Agreement will remain in effect until such data can be destroyed. Electronic media containing Agreement Personal Data will be disposed of in a manner that renders the Agreement Personal Data unrecoverable. Seller will provide Boeing with an Officer’s Certificate to certify its compliance with this provision. If Seller is required by applicable law to retain any Agreement Personal Data, Seller warrants that it shall (i) ensure the continued confidentiality and security of the Agreement Personal Data, (ii) securely delete or destroy the Agreement Personal Data when the legal retention period has expired, and (iii) not actively Process the Agreement Personal Data other than as needed to comply with law.
Appears in 1 contract
Sources: Data Privacy & Security
Information Security Requirements. (a) SnapApp shall have implemented and documented appropriate administrative, technical and physical measures set forth in the Agreement, as applicable, to protect Personal Information against accidental or unlawful destruction, alteration, unauthorized disclosure or access. SnapApp will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. SnapApp will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Information, and ensure that these risks are addressed.
(b) SnapApp shall have implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services (including restoring access to the Personal Information) in a timely manner after a disruptive event. SnapApp will regularly test and monitor the effectiveness of its business continuity and disaster recovery plans. At appropriate intervals or as otherwise requested by Customer, SnapApp will provide a copy of its written business continuity and disaster recovery plans to Customer.
(c) If the Processing involves the transmission of Personal Information over a network, SnapApp shall have implemented appropriate supplementary measures to protect the Personal Information against the specific risks presented by the Processing. Personal Information may not be transmitted over any insecure network unless it has been appropriately encrypted.
(d) Personal Information may not be stored on any portable computer devices or media (including, without limitation, laptop computers, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes) unless it is encrypted.
(e) Upon request, and subject to the confidentiality obligations set forth in the Agreement, SnapApp shall provide Customer with information about SnapApp’s security program. SnapApp shall also submit its owned data processing facilities for annual audit during SnapApp’s reasonable business hours, which shall be carried out by Customer (or by an independent auditor designated by Customer) in a mutually-agreeable manner no more than ten (10) days after any such request. SnapApp shall fully cooperate with any such audit. In the event that any such audit reveals material gaps or weaknesses in SnapApp’s security program, Customer shall be entitled to terminate SnapApp’s Processing of Customer Personal Information until such issues are resolved. Such audits will be limited to once per year; provided however, that Customer may audit at any time in the event of a security breach or suspected material violation by SnapApp of its obligations under the Agreement or this DPA. SnapApp shall also cooperate with any audits conducted by any regulatory agency that has authority over Customer as needed to comply with applicable law.
(f) SnapApp will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of Customer Personal Information. SnapApp will notify Customer within twenty-four (24) hours upon discovery of any Security Breach. Notifications should be sent via e-mail to . SnapApp shall provide Customer with all information about the Security Breach reasonably needed by Customer to assess its incident response obligations. Such notification shall as a minimum (i) describe the nature of the Security Breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned; (ii) communicate the name and contact details of SnapApp's data protection officer or other relevant contact from whom more information may be obtained; (iii) describe the likely consequences of the Security Breach; and (iv) describe the measures taken or proposed to be taken to address the Security Breach.
(g) SnapApp shall bear all costs associated with resolving a Security Breach, including (without limitation), conducting an investigation, engaging appropriate forensic analysis, notifying individuals, regulators and others as required by law.
(h) When SnapApp ceases to perform Services for Customer (and at any other time, upon request), SnapApp will either, at Customer’s option (i) return the Personal Information (and all media containing copies of the Personal Information) to Customer, or (ii) with Customer’s prior written consent, purge, delete and destroy the Customer Personal Information. Electronic media containing Customer Personal Information will be disposed of in a manner that renders the Personal Information unrecoverable. SnapApp will provide Customer with an Officer’s Certificate to certify its compliance with this provision. If SnapApp is required by applicable law to retain any Personal Information, SnapApp warrants that it shall (i) ensure the continued confidentiality and security of the Personal Information, (ii) securely delete or destroy the Personal Information when the legal retention period has expired, and (iii) not actively Process the Personal Information other than as needed to comply with law.
(i) SnapApp shall carry appropriate insurance to address the risks from its Processing of the Personal Information, including risks of cyber-attacks and security breaches.
Appears in 1 contract
Sources: Data Processing Agreement