DATA PROTECTION AND PRIVACY
Client Data Definition
All data that Client provides and/or to which Service Provider has access in performing the Services, including without limitation any: (a) Personal Data; (b) Restricted Data; (c) demographic information, data or records relating to Clients and/or prospective Clients of Client or its affiliates; and (d) usage statistics, information related to communications exchanged and/or transactions conducted, as well as all aggregate usage information relating to Client hereunder.
Client Data Definition
Information provided by or at the direction of Client, or to which access was provided in the course Service Provider's performance of the Agreement that (a) identifies an individual (by name, signature, address, telephone number, email address, or other unique identifier); or (b) that can be used to authenticate that individual (including, without limitation, employee identification number, a government-issued identification number, passwords or PINs, financial account numbers, credit report information, biometric or health data, answers to security questions, or other personal identifiers). Client business contact information is not by itself Personal Data.
Restricted Data Definition
Information whose loss or compromise could have a severe or serious, adverse impact on Client's business operations and/or reputation.
Service Provider shall adopt, implement and maintain a corporate information security program designed to comply with all applicable federal, state and international laws and protect Client Data from loss, misuse and unauthorized access or disclosure, including, without limitation, annual employee security awareness training and formal information security policies and/or procedures.
Without limiting the foregoing, Service Provider will implement appropriate safeguards to protect Client Data that are no less rigorous than best industry practices and practices Service Provider has implemented to safeguard its own information.
Service Provider shall maintain and retain relevant information (e.g. error reports, planning documents, security policies, etc.) and logs for use in investigating suspected or actual security incidents and breaches for one year and will provide them to Client upon written request from Client or our forensic investigators.
Service Provider may not use, sell, rent, transfer, distribute, or otherwise disclose or make available Client Data for Service Provider's own purposes or for the benefit of anyone other than Client without Client's express written permission.
Service Provider shall support a secure, two-factor authentication method of remote access for all Service Provider, Client, and subservice Service Providers to any environment containing Client Data.
Service Provider shall employ current industry standard strong cryptographic mechanisms to protect the confidentiality and integrity of Client's Data on backups, during electronic transmissions, and when residing on laptops and mobile/portable devices (e.g., smartphones, tablets, USB flash drives, external hard drives, and SD cards).
Service Provider shall ensure that its staff and subservice Service Providers comply with its policies and obligations under this Agreement.
Service Provider shall maintain a disciplinary process to address any unauthorized access, use or disclosure of Client Data by any of Service Provider's officers, partners, principals, employees, agents or independent contractors.
When Client Restricted Data is being hosted the following applies:
(a) Service Provider shall use a secure, two-factor method of remote authentication and authorization for all Service Provider and Client administrators.
(b) Service Provider shall employ current industry standard strong cryptographic mechanisms to protect the confidentiality and integrity of Client’s information on backups and when data is transported outside of controlled areas.
(c) Service Provider shall employ current industry standard strong cryptographic mechanisms to protect Client’s data when residing on laptops and mobile/portable devices (e.g., smartphones, tablets, USB flash drives, external hard drives, and SD cards).
Safeguard Data - Payment Data – applicable if Service Provider will have access to payment data
If Service Provider will have access to or will be collecting, accessing, using, storing, disposing, or disclosing credit, debit or other payment cardholder information, Service Provider warrants that it will at all times remain in compliance with the Payment Card Industry "PCI" Data Security Standard ("PCI DSS") requirements, including remaining aware at all times of changes to the PCI DSS and implementing such changes as necessary to remain in compliance at Service Provider's expense. Service Provider shall send the most recent copy of its "PCI-DSS Attestation of Compliance" annually to email@example.com.
Service Provider and any of its subservice Service Providers shall provide the ability to enable Client to fulfill obligations to facilitate a data subject's right to access, correct and/or erase Personal Data pertaining to the data subject. Service Provider shall notify Client upon receipt of a complaint in relation to the privacy practices of Service Provider.
Service Provider shall comply with all applicable laws, rules and regulations in delivering the Services (including without limitation the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth 201 CMR 17.00 (2010), EU General Data Protection Regulation (“GDPR”), Turkish Personal Data Protection Law numbered 6698 and its local regulations and any privacy, data protection and computer laws).
Service Provider shall keep data received from or created on behalf of Client in strictest confidence and shall use such degree of care as is appropriate to avoid unauthorized use, modification, or disclosure. Service Provider may only grant access to employees or approved subservice organizations necessary for Service Provider to perform under this Agreement. Service Provider may not use or disclose Client Data except as permitted or required by the Agreement or as otherwise authorized in writing by Client. To the extent Service Provider discloses or makes Client Data available to a third party, Service Provider shall remain liable to Client for the actions and omissions of the third party concerning the treatment of Client Data and shall require via a written agreement signed by the third party that the third party complies with the confidentiality terms and conditions of the Agreement.
Service Provider will not transfer Client Data outside of Turkey or the EU unless (a) Service Provider deems the transfer to be appropriate for provision of the Services, (b) the transfer is in compliance with the GDPR and all applicable laws, and (c) Service Provider has received Client's written consent.
Service Provider confirms that where, as a result of transfer of personal data to countries located outside the European Economic Areas (EEA), Personal Data is processed, hosted or stored in countries which do not ensure an adequate level of data protection as verified by the European Commission, an enforceable agreement based upon Standard Model Contract Clauses, Blinding Corporate Rules or Cross Border Privacy Rules for the transfer of personal data to processors established in a third country under the GDPR (the "EU Transfer Agreement"), or any other document approved by the relevant Data Protection Authority, is in place and is maintained in force throughout the term of the Agreement.
Security Breach Notification
"Security Breach" means (a) any act or omission that compromises either Client Data or the physical, technical, administrative, or organizational safeguards put in place by Service Provider (or its agents or subcontractors) that relate to the protection of Client Data, or (b) any unauthorized access, modification, or deletion of Client Data.
Service Provider will email Client at firstname.lastname@example.org of a potential security breach or Security Breach incident as soon as practicable, but no later than six hours after Service Provider becomes aware of it, with a copy to Service Provider's primary business contact within Client. Service Provider will send Client formal notice of a Security Breach within 24 hours after it becomes aware of it.
Security Breach Resolution
In the event of a potential Security Breach or a Security Breach,
a.The parties will, immediately following such discovery and notification to Client, coordinate with each other to investigate the Security Breach. Service Provider shall fully cooperate with Client, including without limitation (i) assisting with any investigation, (ii) providing Client with physical access to the facilities and operations affected, (iii) facilitating interviews with Service Provider's employees and others involved in the matter, and (iv) making available all relevant records, logs, files, and data reporting or other materials required by applicable law, regulation, standard, or as otherwise required by Client.
b.Service Provider shall take immediate steps to remedy the Security Breach and prevent further damage at Service Provider's expense in accordance with applicable privacy rights, laws, regulations and standards.
c.Service Provider may not inform any third party of any Security Breach without first obtaining Client's prior written consent (except as may be expressly required by applicable law), other than to inform a complainant that the matter has been forwarded to Client's legal counsel. Client has the sole right to determine (i) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or in Client's discretion; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation. Any such notice or remediation shall be at Service Provider's sole cost and expense.
d.Service Provider shall cooperate with Client in any litigation or other formal action against third parties deemed necessary by Client to protect its rights.
e.Service Provider shall promptly use its best efforts to prevent a recurrence of any such Security Breach.
Cost of Breach
Service Provider shall reimburse Client for all actual costs in responding to, and mitigating damages caused by, any security incident or Security Breach, including costs incurred in providing individuals affected with notice of the breach and credit monitoring services for at least a year after the event.
If the Service Provider is compelled by law to disclose Client Data, Service Provider shall provide as much prior notice of such compelled disclosure as reasonably possible (and to the extent legally permitted) prior to releasing the data and shall take reasonable steps to disclose only that part of the data that is required to be disclosed. Service Provider shall provide Client with assistance reasonably required by Client to contest the disclosure.
Compelled Disclosure – for Personal Data
If a law enforcement agency requests Personal Data of Client, to the extent permitted by applicable law, Service Provider will redirect legal process to Client so that Client may appropriately respond or, if not possible, Service Provider will provide Client with as much notice as reasonably possible of the agency's request. Service Provider will not be obligated to provide prior notice to Client in cases where there is a good faith belief of imminent danger, fear of death or physical injury and will comply without delay.
Client Data and information shall remain the exclusive property of Client regardless of the format that such information takes. Service Provider may use the Client Data only to provide the Services and perform its obligations under this Agreement. Service Provider shall not make copies, summaries, or other reproductions of any Client Data without the prior written consent of Client. Except as otherwise specifically provided for in this Agreement, Service Provider may not share, sell or license Client Data with any third-party.
Data Disposition and Return
Immediately upon termination or expiration of the Agreement, or otherwise upon Client's written request, Service Provider shall return or forensically and securely purge and destroy all Client Data in electronic and any other form, tangible or intangible, that is then in Service Provider's or its subservice Service Provider's possession, including, without limitation, all Client Data on personal computers, systems, other devices, magnetic and other media, and paper. At Client's request, an officer who has authority to bind Service Provider will provide to Client written certification that Service Provider has completed the required purge and destruction.