Common use of Security of Processing and Incident Management Clause in Contracts

Security of Processing and Incident Management. 3.1. Supplier shall implement and maintain appropriate technical and organizational measures designed to protect Personal Information against any misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access in compliance with Applicable Data Protection Law, including the use of industry-recognized security standards such as ISO 27001 or similar standards where appropriate. 3.2. In particular, Supplier shall comply with the IT, physical and environmental and Human Resources security, confidentiality, training, compliance and audit, business continuity and disaster recovery, and Security Incident and reporting requirements set out in the Oracle Supplier Information and Physical Security Standards, including any relevant appendices referenced therein (“OSSS”) and with the Oracle Supplier Code of Ethics and Business Conduct (“OSCoE”). In order to address evolving business risks, security standards and regulatory compliance requirements, Oracle may update the OSSS and/or OSCoE at its discretion. Suppliers are advised to consult the most recent versions of the OSSS and OSCoE on ▇▇▇▇://▇▇▇.▇▇▇▇▇▇.▇▇▇/corporate/supplier/index.html. 3.3. Supplier shall also: (a) Keep databases containing Personal Information segregated from other Supplier Personal Information using logical access restrictions; (b) Log all access to Personal Information, with information identifying the user accessing or seeking access to such Personal Information, when it was accessed (date and time), and whether the access was authorized or denied; and (c) Maintain audit trails designed to detect and respond to Security Incidents, including logging atypical events (for example, access to Personal Information by unauthorized persons). These audit trails must be maintained at least for one (1) year or the time period prescribed by law, whichever is longer.