Common use of Right of Review and Audit Clause in Contracts

Right of Review and Audit. Upon request by the District, the Contractor will provide the District with copies of its policies and related procedures that pertain to the protection of PII and District Data. The policies and procedures may be made available in a manner that does not violate Contractor’s own information security policies, confidentiality obligations, and applicable laws. In addition, Contractor may be required by the District to undergo an audit of Contractor’s privacy and security safeguards, measures and controls as they pertain to alignment with the requirements of applicable New York, federal and local laws, rules and regulations, the District policies applicable to the Contractor, and alignment with the NIST Cybersecurity Framework performed by an independent third party at the Contractor’s expense, and provide the written audit report to the District. The Contractor may provide the District with a recent industry standard audit report performed by an independent third party on the Contractor’s privacy and security practices as an alternative to undergoing an audit. The determination of whether the previously prepared audit report is “recent” will be determined by the District in its sole judgment. Access to/Disclosure of District Data The Contractor agrees that it will limit the Contractor’s internal access to and only Disclose PII to the Contractor’s officers, employees and Subcontractors who need to access the PII in order to provide the Services and that the disclosure of PII will be limited to the extent necessary to provide the Services pursuant to the Service Agreement. The Contractor must take all actions necessary to ensure that all its officers, employees and Subcontractors comply with the terms of this DPA. The Contractor must ensure that each Subcontractor performing functions pursuant to the Service Agreement where the Subcontractor will receive or have access to District Data must be contractually bound by a written agreement that includes confidentiality and data security obligations equivalent to, consistent with, and no less protective than, those found in this DPA. The Contractor must examine the data security and privacy measures of its Subcontractors prior to utilizing the Subcontractor to ensure compliance with this DPA. If at any point a Subcontractor fails to materially comply with the requirements of this DPA, the Contractor must: notify the District and prevent the Subcontractor’s continued access to District Data; and, as applicable, retrieve all District Data received or stored by Subcontractor and/or ensure that District Data has been securely deleted and destroyed in accordance with this DPA. In the event there is an incident in which the Subcontractor compromises PII, the Contractor must follow the Data Breach reporting requirements set forth herein. The Contractor will take full responsibility for the acts and omissions of its officers, employees and Subcontractors. The Contractor must not Disclose District Data to any other party (a party other than the Contractor’s officers or employees or Subcontractors who does not need access to the District Data to provide the Services pursuant to the Service Agreement) without the prior written consent of the District (if necessary, the District will obtain the required consent(s) from third parties) unless the disclosure is required by statute, court order or subpoena, and the Contractor makes a reasonable effort to notify the District of the court order or subpoena in advance of compliance but in any case, provides notice to the District no later than the time the District Data is disclosed, unless such disclosure to the District is expressly prohibited by the statute, court order or subpoena. Except as prohibited by law, the Contractor will: (i) immediately notify the District of any subpoenas, warrants, or other legal orders, demands or requests received by the Contractor seeking District Data; (ii) consult with the District regarding the Contractor’s response; (iii) cooperate with the District’s reasonable requests in connection with efforts by the District to intervene and quash or modify the legal order, demand or request; and (iv) upon the District’s request, provide the District with a copy of the Contractor’s response. Upon the District’s request, the Contractor agrees that it will promptly make any District Data held by the Contractor available to the District.

Right of Review and Audit. Upon request by the DistrictEA, the Contractor will shall provide the District EA with copies of its policies and related procedures that pertain to the protection of PII and District DataPII. The policies and procedures It may be made available in a manner form that does not violate Contractor’s own information security policies, confidentiality dentiality obligations, and applicable laws. In addition, Contractor may be required by the District to undergo an audit of Contractor’s its privacy and security safeguards, measures and controls as they pertain it pertains to alignment with the requirements of applicable New York, federal and local laws, rules York State laws and regulations, the District policies applicable to the Contractor, and alignment with the NIST Cybersecurity Framework performed by an independent third party at the Contractor’s expense, and provide the written audit report to the District. The Contractor may provide the District with a recent industry standard audit report performed by an independent third party on the Contractor’s privacy and security s practices as an alternative to undergoing an audit. The determination of whether the previously prepared audit report is “recent” will be determined by the District in its sole judgment. Access to/Disclosure of District Data The Contractor agrees that it will limit the Contractor’s internal access to and only Disclose PII to the Contractor’s officers, employees and Subcontractors who . (a) need to access know the PII in order to provide the Services and that the disclosure of PII will shall be limited to the extent necessary to provide the Services pursuant to the Service Agreementsuch Services. The Contractor must take all actions necessary to shall ensure that all its officers, such employees and Subcontractors subcontractors comply with the terms of this DPA. The . (b) Contractor must ensure that each Subcontractor subcontractor performing functions pursuant to the Service Agreement where the Subcontractor subcontractor will receive or have access to District Data must be PII is contractually bound by a written agreement that includes confidentiality and data security obligations equivalent to, consistent with, and no less protective than, those found in this DPA. The . (c) Contractor must shall examine the data security and privacy measures of its Subcontractors subcontractors prior to utilizing the Subcontractor to ensure compliance with this DPAsubcontractor. If at any point a Subcontractor subcontractor fails to materially comply with the requirements of this DPA, the Contractor mustshall: notify the District EA and prevent the Subcontractor’s continued access to District Data; and, as applicable, retrieve all District Data received or stored by Subcontractor such subcontractor and/or ensure that District Data PII has been securely deleted and destroyed in accordance with this DPA. In the event there is an incident in which the Subcontractor subcontractor compromises PII, the Contractor must shall follow the Data Breach reporting requirements set forth herein. The . (d) Contractor will shall take full responsibility for the acts and omissions of its officers, employees and Subcontractors. The subcontractors. (e) Contractor must not Disclose District Data disclose PII to any other party (a party other than the Contractor’s officers or employees or Subcontractors who does not need access to the District Data to provide the Services pursuant to the Service Agreement) without the prior written consent of the District (if necessary, the District will obtain the required consent(s) from third parties) unless the such disclosure is required by statute, court order or subpoena, and the Contractor makes a reasonable effort to notify the District EA of the court order or subpoena in advance of compliance but in any case, provides notice to the District EA no later than the time the District Data PII is disclosed, unless such disclosure to the District EA is expressly prohibited by the statute, court order or subpoena. Except as prohibited by law, the Contractor will: (i) immediately notify the District of any subpoenas, warrants, or other legal orders, demands or requests received by the Contractor seeking District Data; (ii) consult with the District regarding the Contractor’s response; (iii) cooperate with the District’s reasonable requests in connection with efforts by the District to intervene and quash or modify the legal order, demand or request; and (iv) upon the District’s request, provide the District with a copy of the Contractor’s response. Upon the District’s request, the Contractor agrees that it will promptly make any District Data held by the Contractor available to the District.

Right of Review and Audit. Upon written request by the DistrictEA, the Contractor will shall provide the District EA with copies of its policies and related procedures that pertain to the protection of PII and District DataPII. The policies and procedures It may be made available in a manner form that does not violate Contractor’s own information security policies, confidentiality obligations, and applicable laws. In addition, Contractor may be required Upon written request by the District to undergo an audit of Contractor’s privacy and security safeguardsEA, measures and controls as they pertain to alignment with the requirements of applicable New York, federal and local laws, rules and regulations, the District policies applicable to the Contractor, and alignment with the NIST Cybersecurity Framework performed by an independent third party at the Contractor’s expense, and provide the written audit report to the District. The Contractor may provide the District EA with a recent industry standard audit report performed by an independent third party on the Contractor’s privacy and security practices as an alternative to undergoing an audit. The determination of whether the previously prepared such audit report is “recent” not available, Contractor will be determined by allow the District in its sole judgmentEA, upon receipt of a written request protection of PII or any portion thereof. Access to/Disclosure of District Data The Contractor agrees that it will limit cooperate fully with the Contractor’s internal EA and provide access to staff, agents, reports and only Disclose PII to records as reasonably necessary for performing the Contractor’s officersaudit. Audits conducted by EA under this provision shall not exceed one (1) per annum, employees and Subcontractors who need to access must be: (i) conducted disruption t (a) know the PII in order to provide the Services and that the disclosure of PII will shall be limited to the extent necessary to provide the Services pursuant to the Service Agreementsuch Services. The Contractor must take all actions necessary to shall ensure that all its officers, such employees and Subcontractors comply with the terms of this DPA. The DPA and that subcontractors abide by data security obligations in the terms outlined below. (b) Contractor must ensure that each Subcontractor subcontractor performing functions pursuant to the Service Agreement where the Subcontractor subcontractor will receive or have access to District Data must be PII is contractually bound by a written agreement that includes confidentiality and data security obligations equivalent to, consistent with, and no less protective than, those found in this DPA. The . (c) Contractor must shall examine the data security and privacy measures of its Subcontractors subcontractors prior to utilizing the Subcontractor to ensure compliance with this DPAsubcontractor. If at any point a Subcontractor subcontractor fails to materially comply with the data security and privacy requirements of this DPA, the Contractor mustshall: notify the District and prevent the Subcontractor’s continued access to District Data; and, as applicable, retrieve all District Data received or stored by Subcontractor remove such subcontractor and/or ensure that District Data PII has been securely deleted and destroyed in accordance with this DPA. In the event there is an incident in which the Subcontractor subcontractor compromises PII, the Contractor must shall follow the Data Breach reporting requirements set forth herein. The . (d) Contractor will shall take full responsibility for the acts and omissions of its officers, employees and Subcontractors. The subcontractors. (e) Contractor must not Disclose District Data disclose PII to any other party (a party other than the Contractor’s officers or employees or Subcontractors who does not need access to the District Data to provide the Services pursuant to the Service Agreement) without the prior written consent of the District (if necessary, the District will obtain the required consent(s) from third parties) unless the such disclosure is required by statute, court order or subpoena, and the Contractor makes a reasonable effort to notify the District EA of the court order or subpoena in advance of compliance but in any case, provides notice to the District EA no later than the time the District Data PII is disclosed, unless such disclosure to the District EA is expressly prohibited by the statute, court order or subpoena. Except as prohibited by law, the Contractor will: (i) immediately notify the District of any subpoenas, warrants, or other legal orders, demands or requests received by the Contractor seeking District Data; (ii) consult with the District regarding the Contractor’s response; (iii) cooperate with the District’s reasonable requests in connection with efforts by the District to intervene and quash or modify the legal order, demand or request; and (iv) upon the District’s request, provide the District with a copy of the Contractor’s response. Upon the District’s request, the Contractor agrees that it will promptly make any District Data held by the Contractor available to the District.