Common use of Platform and Services Clause in Contracts

Platform and Services. Licensor represents and warrants that the platform and services have been designed, developed, tested, and maintained according to generally accepted industry standards and practices (meaning those reasonably expected of a diligent licensor providing similar platform and services to Fortune 500 companies) to appropriately safeguard the platform and services (including any K-C Information and personal information posted, transmitted, displayed, submitted, or generated by or through the platform or services) against accidental or unauthorized access and/or interference by third parties, intrusion, theft, destruction, loss or alteration. Licensor abides by a policy of least privilege for granting logical access to systems and for employees by granting access only to the systems they are required for their job functions. This includes operating system permissions, file access, user accounts, application to application communications, APIs, and other relevant authorization components. Licensor shall ensure proper data segregation of K-C Information from that of other Licensor’s customer data. Application instances and data stores shall be architected with appropriate measures to prevent unauthorized access to K-C data. This involves hardening the data store as well as the application to ensure data segregation. Both Licensor and K-C agree to promptly notify each other about any litigation, eDiscovery, or preservation hold activities regarding K-C-owned data. Both Licensor and K-C will reasonably cooperate under the governing law and regulations with regard to any litigation, eDiscovery, or preservation hold activities. Licensor shall protect the confidentiality and integrity of K-C’s Information in regard to data in transit, data in use, and data at rest so that it is not altered or tampered with thus preserving the integrity of the data. 
Licensor will also promptly notify K-C of any circumstances where K-C data may be accessed or seized due to local laws and regulations or applicable reasons and provide K-C with the opportunity to intervene where possible. Licensor will notify K-C of any geographical changes for hosting and storage of K-C-owned data at least ninety (90) days prior to making such change and at least one hundred eighty (180) days prior to making such change if the change includes a change in country. K-C shall have the right, on an annual basis and at its sole expense, to have a qualified third party perform an audit of Licensor’s security practices and controls; the scope of which shall measure standard operating procedures and software design, development and testing practices against relevant criteria such as those outlined by ISO 27001/27002, NIST, CIS Critical Security Controls, COBIT, MITRE Corporation Common Weakness Enumeration (“CWE”), Software Engineering Institute’s Computer Emergency Response Team (“CERT”) Secure Coding Standards, or other acceptable industry standards. Following completion of such audit, K-C shall notify Licensor in writing of any deficiencies in comparison to such standards (“Deficiencies”). Licensor shall, within thirty (30) days of such written notification, either correct such Deficiencies or provide K-C with a plan reasonably acceptable to K-C for remediating the Deficiencies. Unless and until (i) the Deficiencies are remediated, or (ii) an acceptable plan for remediating such Deficiencies is agreed to by the parties, K-C may exercise such rights and remedies it deems appropriate under the circumstances, including, without limitation, offsetting the cost of the subject audit against payments otherwise due Licensor. Further, such Deficiencies that have not been remediated shall be deemed a material breach of the Agreement. Licensor shall bear all reasonable costs for retesting performed to verify the remediation of any Deficiencies.

Appears in 2 contracts

Sources: Platform as a Service Agreement, Platform as a Service Agreement