Privacy and Security Requirements Clause Samples
Privacy and Security Requirements. Blue Shield must adhere to the terms and conditions in the Information Privacy and Security Requirements which are incorporated as Exhibit E to this Agreement.
Privacy and Security Requirements. The Parties are required to protect the CMHC Information in accordance with applicable direction and guidelines from the Treasury Board of Canada (“TBS”), or their equivalent in the case of the Contractor, with respect to the protection of “Protected B” data, including guidance from CSE (ITSG‐33) which aligns with the ISO 27001 framework. Further as a federal government institution, the Contractor acknowledges that CMHC is subject to the Access to Information Act (Canada) and the Privacy Act (Canada) and therefore the Contractor agrees to submit to whatever measures are necessary in order to ensure that CMHC can comply with these laws and their related regulations, policies, and directives (“ATIP Legislation”). As such, the Contractor agrees: (i) to protect any Personal Information that it may access from CMHC Information provided through this Agreement in a manner that is compatible with provisions of ATIP Legislation; and (ii) will ensure that it has in place appropriate privacy protection measures to safeguard all CMHC Information that it has access to under this Agreement. More specifically, Contractor shall, as required by the provisions of Article VII of this Agreement, comply with the security requirements described below at all times:
Privacy and Security Requirements. The parties to the Custodial Agreement are required to protect the Confidential Information in accordance with applicable direction and guidelines from the Treasury Board of Canada, or their equivalent in the case of the Custodian, with respect to the protection of "Protected B" data, including guidance from CSE (ITSG-33) which aligns with the ISO 27001 framework. Further as a federal government institution, the Custodian acknowledges that the Trust is subject to the Access to Information Act (Canada) and the Privacy Act (Canada) and therefore the Custodian agrees to submit to whatever reasonable measures are necessary in order to ensure that the Trust can comply with these laws and their related regulations, policies, and directives ("ATIP Legislation"). As such, the Custodian agrees: (i) to protect any Personal Information that it may access through the course of providing Custodial Services under this Custodial Agreement in a manner that is compatible with provisions of ATIP Legislation; and (ii) that it has in place appropriate privacy protection measures to safeguard all the Confidential Information that it has access to under this Custodial Agreement. More specifically, the Custodian shall, as required by the provisions of Section 11.10 of this Custodial Agreement, comply with the security requirements described below at all times.
Privacy and Security Requirements. If the Contractor is a “Business Associate” as defined at 45 C.F.R. § 160.103, it must comply with the privacy and security requirements for functioning as a “business associate” of the Department or as a “covered entity” under HIPAA and HITECH. In addition to executing this Contract, the Contractor must execute the Business Associate Agreement attached to this Contract as Attachment 6.
Privacy and Security Requirements. The Contractor and State will establish written agreements for the requirements to specify applicable systems, tools, and approach to completion of privacy and security deliverables. The Contractor shall provide the following deliverables to the State at the frequencies listed below:

| NIST 800-53 | Task name | Periodicity | Due to State | Delivery Schedule | Definition of Deliverables | Third party supported services (Included or alternative) | Definition of Alternatives and Exceptions |
|---|---|---|---|---|---|---|---|
| AC-2 | Weekly Privileged Account review | Weekly (minimum) | Quarterly | End of March, June, Sep, Dec | Letter to state for Contractor-maintained services | Alternative | Separate attestation letter for EVV SaaS |
| AU-6 | Audit log review | Weekly (minimum) | Quarterly | End of March, June, Sep, Dec | Letter to state for Contractor-maintained services | Alternative | Separate attestation letter for EVV SaaS |
| AC-2 | System Access review | 180 days | 180 days/6 months/bi-annually | End of June, End of December | Letter to state for Contractor-maintained services | Alternative | Separate attestation letter for EVV SaaS |
| AC-2 | Roles review for separation of duties | Annual | Annual | End of June | Letter to state for Contractor-maintained services | Alternative | Separate attestation letter for EVV SaaS |
| AT-2 | Security Awareness training | Annual | Annual | End of July | Letter to state for Contractor-maintained services | Alternative | Separate attestation letter for EVV SaaS |
| Document-wide | Security Policy review | Annual | Annual | End of June | Letter to state for Contractor-maintained services | Alternative | Separate attestation letter for EVV SaaS |
| IR-2/3 | Incident Response Plan review & training – participation in IR tabletop exercise | Annual | Annual | September | Review of IR Plan and documented tabletop exercise results | Alternative | Separate attestation letter for EVV SaaS |
| CP-3 | Contingency plan review/test – participation in DR/BCP tabletop exercise | Annual | Annual | October | Review of DR/BCP documentation | Alternative | Separate attestation letter for EVV SaaS |
| CP-2 | Disaster recovery presentation and Review - participation in DR/BCP tabletop exercise | Annual | Annual | October | Review of DR/BCP documentation and DR test reports for MMIS core and PMM | Alternative | attestation letter for EVV SaaS with DR exercise summary available on request |
| CA-7 | Continuous monitoring/Security metrics report | Monthly | Quarterly | End of March, June, Sep, Dec | Metrics tab in POAM workbook. | Alternative | Separate attestation letter for EVV SaaS |
| PM-4 | POAM Review | Quarterly | Quarterly | End of March, June, Sep, Dec | ConsolidatedP... |
Privacy and Security Requirements. The Company (and to the Knowledge of the Sellers, any third parties having authorized access to Personal Data or User Data) has complied with all Privacy and Security Requirements. The Company has all necessary rights and permissions from third parties (whether contractually, by law, or otherwise) to disclose and transfer all Personal Data or User Data to Parent and for Parent to use such Personal Data or User Data as contemplated under this Agreement in connection with the sale, use and/or operation of the products, services and businesses. The Company has not received any, nor are there any pending, written or oral complaints, claims, demands, inquiries, proceedings, or other notices, including any notices of any investigation, regarding the Company, initiated by any Person or any Governmental Authority alleging that any activity of the Company is in violation of Privacy and Security Requirements, including any Data Laws. None of the Personal Data is subject to the European Union’s General Data Protection Regulation.
Privacy and Security Requirements. While in possession of such information, GemCloud shall apply all applicable privacy and security requirements set forth in this Agreement to maintain the confidentiality, security, integrity, and availability of such data. Notwithstanding any other provision in this Agreement, in case of non-permitted use or disclosure, GemCloud shall immediately take all reasonable and legal actions to retrieve such information if disclosed to any non-permitted individual or entity.
Privacy and Security Requirements. (a) ▇▇▇▇▇▇+Gyr, including its staff or any individual otherwise acting on behalf of the company, shall access and Process Customer’s Personal Data only on a need-to-know basis and only to the extent necessary to perform this Support Agreement or Customer’s further written instructions.
(b) ▇▇▇▇▇▇+Gyr shall use technical and organizational measures that meet industry standards to ensure the security and confidentiality of Customer’s Personal Data in order to prevent, among other things, accidental, unauthorized or unlawful destruction, modification, disclosure, access or loss.
(c) ▇▇▇▇▇▇+Gyr shall notify Customer no later than 72 hours after being made aware of any suspected or actual Security Breach involving any Customer’s Personal Data. ▇▇▇▇▇▇+Gyr shall also provide Customer with a description of the Security Breach, the type of data that was the subject of the Security Breach, the identity of each affected person, and any other information Customer may reasonably request concerning such affected persons and the details of the breach, as soon as such information can be collected or otherwise becomes available. ▇▇▇▇▇▇+▇▇▇ agrees to promptly take action, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of any such Security Breach, and to carry out any recovery or other action (e.g., mailing statutory notices) necessary to remedy the Security Breach. The content of any filings, communications, notices, press releases, or reports related to any Security Breach (“Notices”) will be approved by ▇▇▇▇▇▇+Gyr prior to any publication or communication thereof to any third party. ▇▇▇▇▇▇+Gyr shall pay for or reimburse Customer for all costs, losses and expenses relating to any Security Breach, including without limitation, the cost of Notices, legal fees and any credit monitoring services if applicable.
(d) Upon termination of this Support Agreement, for whatever reason, ▇▇▇▇▇▇+Gyr shall stop the Processing of Customer’s Personal Data, unless instructed otherwise by Customer, and these undertakings shall remain in force until such time as ▇▇▇▇▇▇+Gyr no longer possesses Customer’s Personal Data.
Privacy and Security Requirements. Each Party agrees:
(a) that it will handle any Personal Information collected, disclosed, transferred, received or otherwise used by it under this Agreement in accordance with all applicable Privacy Laws;
(b) to take all reasonable steps to mitigate, and establish and maintain safeguards against and respond to, Security Incidents that relate to the data, systems, software (including the Software) used in relation to this Agreement which is under its possession or control; and
(c) to immediately notify the other Party if it becomes aware of any facts or circumstances which mean it reasonably suspects or believes that data used under this Agreement, or the repository in which the data is or was stored in, has been or has likely been the subject of a Security Incident. (For the avoidance of doubt, given Shared Data is De-Identified Data, the requirement under this clause is additional to any requirements under the Privacy Laws for the PHN.)
Privacy and Security Requirements. Contractor and its employees, agents and subcontractors shall comply with laws, regulations, and policies governing access to and use of Agency Data, Privacy and Security Requirements, as they are stated elsewhere in this Contract, and as such laws, regulations, and policies are updated or otherwise made available to Contractor.