Data Protection & Privacy

 

A. Data Processing. Provider shall process Covered Data solely for the purposes outlined in the MSA or as otherwise instructed by Subscriber. Provider shall not use Covered Data for any other purpose without prior written consent from Subscriber.

B. Both Provider and Subscriber shall implement appropriate technical and organizational measures to ensure the security and confidentiality of Covered Data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

C. Provider shall not transfer Covered Data to third parties without Subscriber’s prior written consent, except when required by law. In such cases, Provider shall inform Subscriber of the legal requirement, unless prohibited by law.

D. Compliance with Applicable Laws and Regulations. Where applicable, Provider shall adhere to all pertinent data protection laws and regulations governing the processing of Covered Data under this MSA.

E. Confidentiality. Both parties shall treat all information exchanged under this MSA, including but not limited to business plans, proprietary technology, and other sensitive information, as strictly confidential and shall not disclose it to any third party unless required by law or with the express written consent of the other party.

Provider shall take all necessary measures to ensure that its employees, agents, and subcontractors are bound by confidentiality obligations concerning Confidential Information.

F. Data Deletion and Return. Within 1 year of termination or expiration of the MSA, Provider shall either delete all Covered Data processed on behalf of the Subscriber, unless otherwise directed by Subscriber or as required by law.

G. Subscriber Audit Assistance. Provider shall reasonably cooperate with Subscriber during security audits and assessments and provide all necessary information and access to relevant systems.

H. Subscriber Responsibilities. Subscriber will (a) be responsible for Users’ compliance with this Agreement, (b) be responsible for the accuracy, quality, and legality of Covered Data submitted to Provider, the means by which Subscriber acquired Covered Data, and Customer’s use of Covered Data with the Services, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify Provider promptly of any such unauthorized access or use, and (d) use Services and Content only in accordance with this Agreement.

I. Compelled Disclosure. Provider may disclose Subscriber Confidential Information to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

Data protection and privacy policies will be maintained in accordance with language provided at https://impexium.com/gdpr-privacy-policy/ and https://impexium.com/privacy-policy/

 

Compliance & Security

 

A. Compliance Requirements. Provider shall comply with all applicable laws and regulations related to information security, including but not limited to data protection laws and industry-specific regulations such as PCI-DSS.

Provider shall implement and maintain appropriate technical, physical, and administrative measures to safeguard the security, confidentiality, and integrity of data and systems associated with the services provided in this MSA. Those safeguards will include, but will not be limited to, measures designed to prevent unauthorized access to or disclosure of Covered Data.

Provider shall follow industry best practices to protect against unauthorized access, use, disclosure, alteration, or destruction of Subscriber’s Covered Data and systems.

B. Access Control. Provider shall establish and maintain access controls to ensure that only authorized personnel have access to Covered Data and systems. Subscriber shall promptly notify Provider of any changes in authorized personnel who should have access to Subscriber Covered Data and systems.

C. Data Backup and Recovery. Provider shall establish regular data backup procedures to protect against data loss. These backups shall be stored securely and regularly tested for data integrity.

D. Data Breach Notification. In the event of a Security Incident involving Covered Data, Provider shall notify Subscriber of the data breach as soon as practicable, but no later than 72 hours after determination of a confirmed Security Incident. Communication shall include details of the nature of the breach (without disclosing covered information or Subscriber details), its potential consequences, and the measures taken or proposed to mitigate its effects. Provider will comply with all applicable data breach notification laws governing Covered Data and will take all commercially reasonable efforts to cooperate with Subscriber in investigating the Security Incident.

E. Security Incident Response. Provider will establish and apply suitable technical, administrative, physical, and organizational security measures to safeguard Covered Data within its custody and control, aligning with prevailing industry standards and its Privacy Policy, subject to periodic updates. Provider assumes responsibility for its information technology infrastructure, which grants access to the Services, and will uphold the maintenance of these systems in adherence to recognized industry security norms. Provider will also adhere to all pertinent legal requirements concerning data breach protocols and mandatory notifications.

F. Subcontractors. Provider shall ensure that any subcontractors engaged to perform services under this MSA meet the same security and confidentiality standards as outlined in this Section. Provider shall remain liable for any actions or omissions of subcontractors.

G. Records Retention. Provider shall maintain records of security-related activities, including incident reports and security audits, for a period specified by applicable laws and regulations.