GROUP CONTRACT AMENDMENT
Exhibit 10.2
CERTAIN PORTIONS OF THESE MATERIALS HAVE BEEN OMITTED BASED ON A REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE U.S. SECURITIES AND EXCHANGE COMMISSION (THE “SEC”). THE NON-PUBLIC INFORMATION HAS BEEN OMITTED AND HAS BEEN SEPARATELY FILED WITH THE SEC. EACH REDACTED PORTION OF THE AGREEMENT IS INDICATED BY A “[XXXX]” AND IS SUBJECT TO THE REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE SEC. THE REDACTED INFORMATION IS CONFIDENTIAL INFORMATION OF GLOBAL AXCESS CORP.
GROUP CONTRACT
AMENDMENT
THIS GROUP CONTRACT AMENDMENT (this “Amendment”) is made as of the 20th day of December, 2011, by and among Nationwide Money Services, Inc., a Nevada corporation (“Nationwide”), Food Lion, LLC, a North Carolina limited liability company (“Food Lion”), J.H. Harvey Co., LLC, a Georgia limited liability company (“Harvey”) and Kash N’ Carry Food Stores, Inc., a Delaware corporation (“K&K,” and together with Food Lion and Harvey, each a “Merchant” and together, the “Merchants”). Nationwide, Food Lion, Harvey and K&K are sometimes referred to in this Amendment collectively as, the “Parties,” and individually as, a “Party”).
W I T N E S S E T H:
WHEREAS, Food Lion, LLC and Nationwide are parties to that certain Agreement dated as of October 5, 2001 (as amended by Amendment No. 1 to the Agreement by and between Food Lion and Nationwide, dated as of August 28, 2003, and as it may be further amended, modified or restated, the “Food Lion Agreement”); and
WHEREAS, Harvey and Nationwide are parties to that certain Automated Teller Machine License/Use Agreement dated as of January 20, 2010 (as amended, modified or restated, the “Harvey Agreement”); and
WHEREAS, Nationwide and K&K are parties to that certain Agreement dated October 10, 2001 (as amended by Amendment No. 1 to the Agreement by and between K&K and Nationwide dated August 28, 2003, and as it may be further amended, modified or restated, the “K&K Agreement”); and
WHEREAS, the Parties desire to modify certain provisions of the Food Lion Agreement, the Harvey Agreement and the K&K Agreement (collectively, the “Agreements”), so that such provisions are uniform among the three Agreements;
CERTAIN PORTIONS OF THESE MATERIALS HAVE BEEN OMITTED BASED ON A REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE U.S. SECURITIES AND EXCHANGE COMMISSION (THE “SEC”). THE NON-PUBLIC INFORMATION HAS BEEN OMITTED AND HAS BEEN SEPARATELY FILED WITH THE SEC. EACH REDACTED PORTION OF THE AGREEMENT IS INDICATED BY A “[XXXX]” AND IS SUBJECT TO THE REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE SEC. THE REDACTED INFORMATION IS CONFIDENTIAL INFORMATION OF GLOBAL AXCESS CORP.
NOW THEREFORE, in consideration of the mutual covenants and promises contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. Extension. The Parties agree and acknowledge that each of the Agreements shall remain (and have remained) in full force and effect in accordance with their current terms and provisions until December 31, 2011, and as amended, shall continue in force until December 31, 2014, as set forth in Section 2(A) below.
2. Amendment. The Parties agree that, effective as of January 1, 2012, each of the Agreements shall be amended as follows:
Notwithstanding any provision of any of the Agreements to the contrary, each of the Agreements shall, effective as of January 1, 2012 be amended to include the following provisions and to delete any provision of the Agreements that is in conflict therewith. For the avoidance of doubt, the following amendments are, among other things, intended to replace, in their entirety, any provisions requiring Nationwide to make any payments or revenue share with respect to any automated teller machines (“ATM’s”) placed pursuant to the Agreements (including, without limitation, any portion of screen advertising or coupon revenues), payments required to be made to Nationwide in connection with any ATM that is moved at the request of Merchant, the fee paid by Food Lion, Harvey or K&K for a permanent removal of an ATM at such Party’s request and Nationwide’s rights to remove ATM’s due to performance issues.
A. Term. Each Agreement shall continue in full force and effect, unless earlier terminated as permitted in such Agreement, until December 31, 2014.
B. Surcharge. Nationwide shall not charge a surcharge in excess of $[XXX] without the prior written consent of the applicable Merchant. In addition, Nationwide shall not charge any surcharge for transactions which relate to any of the credit unions set forth in Exhibit A attached hereto, or any other credit union with which Delhaize Group (the parent of each of the Merchants) has a contractual relationship of which Nationwide is informed in writing, in each case, so long as such credit union continues to contract with Delhaize (collectively, a “Delhaize Associated Credit Union”).
C. Revenue Share. Nationwide shall pay each Merchant an amount equal to (i) [XXXXX percent (XX%)] of the surcharge revenue received by Nationwide, plus [XXX] ($[XXX]) per Free Transaction (as defined below), in each case, with respect transactions undertaken at ATM’s placed at such Merchant’s location pursuant to an Agreement. For purposes of calculation of the above revenue share, “Free Transaction” shall mean any cash withdrawal from a checking or savings account or any credit card or debit card cash advance, for which Nationwide does not receive any surcharge, other than transactions relating to Delhaize Associated Credit Unions (as defined in Section B above) and electronic benefit transfers (EBTs) for which no surcharge is permitted to be charged by law.
2 |
CERTAIN PORTIONS OF THESE MATERIALS HAVE BEEN OMITTED BASED ON A REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE U.S. SECURITIES AND EXCHANGE COMMISSION (THE “SEC”). THE NON-PUBLIC INFORMATION HAS BEEN OMITTED AND HAS BEEN SEPARATELY FILED WITH THE SEC. EACH REDACTED PORTION OF THE AGREEMENT IS INDICATED BY A “[XXXX]” AND IS SUBJECT TO THE REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE SEC. THE REDACTED INFORMATION IS CONFIDENTIAL INFORMATION OF GLOBAL AXCESS CORP.
D. New Site Setup Expenses. Merchant will pre-wire electrical and telephone lines, for purposes of placing an ATM in a newly constructed location. Such costs shall be borne by Merchant. Merchant shall provide power and floor space, and prepare the same to enable installation of an ATM, at no cost to Nationwide. Nationwide shall not charge Merchant for any installation of an ATM and shall be responsible for all other costs related to the installation of ATM’s pursuant to the Agreements. Nothing herein is intended to change Merchant’s obligations with respect to the purchase or maintenance of bumpers as set forth in the Agreements.
E. Branding/Advertising. Nationwide shall receive the approval of Merchant before any advertising is placed on, or displayed through, an ATM placed under an Agreement.
F. Telecommunications. Nationwide shall be responsible for providing telecommunication services for ATM’s placed under the Agreement. In cases where it is necessary for Merchant to provide phone service, Nationwide will pay Merchant a one-time fee of $[XXX], due upon the initiation of such phone service, and a $[XXX] fee per month thereafter, payable monthly in arrears payment of the revenue share.
G. ATM Moving Fees. In the event that Merchant requests Nationwide to change the location of an ATM within a store, Merchant shall pay Nationwide the following fees:
(i) $[XXX], if Merchant provides Nationwide at least 21 days’ notice;
(ii) $[XXX], if Merchant provides Nationwide with less than 21 days’ notice;
(iii) $[XXX], if Merchant requests that Nationwide remove an ATM and re-install such ATM at a later date (which date must be within at least ninety days of the date of such removal of the ATM, or Merchant shall be subject to the fees set forth in Section H below).
Any relocation of an ATM requested by Nationwide or to comply with the Americans with Disabilities Act, shall be at Nationwide’s expense.
H. Removal of ATM for In-Store Bank. Merchant shall have the right to request Nationwide to remove an ATM in the event that Merchant is installing a bank branch ATM at such location. In such event, Nationwide will coordinate with Merchant for the removal of such ATM within thirty (30) days of such request. Upon removal of an ATM pursuant to this Section H, Merchant shall pay Nationwide a permanent removal fee equal to $[XXX], plus $[XXX] times the number of months remaining in the Term (as set forth in Section A of this Amendment).
I. ATM Uptime Commitment. Nationwide shall maintain the ATM’s so that they are functional greater than [XXX]% of the time, as calculated for each calendar month.
J. ADA Compliance. All ATM’s placed pursuant to the Agreements shall be compliant with the Americans with Disabilities Act prior to March 15, 2012, or such later date as may be provided for such compliance by law.
3 |
CERTAIN PORTIONS OF THESE MATERIALS HAVE BEEN OMITTED BASED ON A REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE U.S. SECURITIES AND EXCHANGE COMMISSION (THE “SEC”). THE NON-PUBLIC INFORMATION HAS BEEN OMITTED AND HAS BEEN SEPARATELY FILED WITH THE SEC. EACH REDACTED PORTION OF THE AGREEMENT IS INDICATED BY A “[XXXX]” AND IS SUBJECT TO THE REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO THE SEC. THE REDACTED INFORMATION IS CONFIDENTIAL INFORMATION OF GLOBAL AXCESS CORP.
K. Security. Nationwide shall maintain compliance with the PCI security standards and all other applicable security rules and regulations imposed by law. Nationwide agrees to promptly notify Merchant of any breach in such security requirements.
L. Removal of ATM’s by Nationwide. If, in any calendar month the average number of transactions per ATM for the ATM’s placed at a Merchant is less than the threshold set forth below, Nationwide may, but shall not be obligated to, remove ATM’s placed at such Merchant’s locations, so that the calculation for such month with respect to the remaining ATM’s would exceed the threshold. For purposes of the foregoing, the threshold shall be an average of [XXX] transactions per ATM per month for Food Lion and K&K, and shall be [XXX] transactions per ATM per month for Harvey.
3. Survival of License Agreement. Except as expressly amended hereby, all terms, conditions and obligations contained in the Agreements shall remain in full force and effect.
4. Counterparts. This Agreement may be executed in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Signatures delivered as facsimiles shall be binding to the same extent as original signatures.
IN WITNESS WHEREOF, the Parties have executed this Amendment as of the date first set forth above.
NATIONWIDE MONEY SERVICES, INC. | ||
By: | /s/ Lock Ireland | |
Lock Ireland Title: CEO |
FOOD LION, LLC | ||
By: | /s/ Patti Fletcher | |
Name: Patti Fletcher Title: Assistant Treasurer |
J.H. HARVEY CO., LLC. | ||
By: | /s/ [Insert Name] | |
Name: Patti Fletcher Title: Assistant Treasurer |
KASH N’ CARRY FOOD STORES, INC. | ||
By: | /s/ Patti Fletcher | |
Name: Patti Fletcher Title: Assistant Treasurer |
4 |
Exhibit A
Food Lion Credit Association
5 |
Exhibit A
To Group Contract Amendment
Service Provider Privacy, Confidentiality and Information Security Addendum
This Service Provider Privacy, Confidentiality and Information Security Addendum (this “Addendum”) sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Information (as defined below) associated with services rendered pursuant to the Agreements.
1. DEFINITIONS
All capitalized terms used in this Addendum but not defined herein shall have the same meaning ascribed to such terms in the Agreement as supplemented by this Addendum.
1.1. “Access” means access to: (i) Personal Information and/or (ii) Customer information technology (“IT”) resources or systems which use, process or store Personal Information and/or (iii) Customer facilities where Personal Information is used or stored, including, but not limited to, corporate offices, distribution centers, or retail stores.
1.2. “PCI Standard” means the Payment Card Industry Data Security Standard of the PCI Security Standards Council, as may be amended from time to time, which can be found at https://www.pcisecuritystandards.orp/.
1.3. “Personal Information” means any information relating to an identified or identifiable individual, including, but not limited to, name, postal or email address, Social Security number, driver’s license number, date of birth, demographic information, health or medical information, checking and credit card account data, personal identification number, next of kin contact information, in whatever format, including that contained in communications, documents, databases, records, or materials of any kind whether in individual or aggregate form, and regardless of the media in which it is contained, that may be (i) disclosed at any time to Service Provider or Service Provider Personnel by Customer or Customer Personnel in anticipation of, in connection with or incidental to the performance of services of or on behalf of Customer; (ii) Processed (as defined below) at any time by Service Provider or Service Provider Personnel in connection with or incidental to the performance of this Addendum or the Agreement; or (iii) derived by Service Provider or Service Provider Personnel from the information described in (i) or (ii) above. Personal Information includes cardholder data from Customer’s customers, including but not limited to, transaction authorization information, credit card numbers, service codes and expiration dates, and Track 1 and Track 2 data contained on the magnetic stripe of standard credit and debit cards and other information within the scope of the PCI Standard (collectively, “Cardholder Data”).
1.4. “Process”, “Processed” or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting or destroying the data.
2. PROTECTION OF PERSONAL INFORMATION
2.1. OBLIGATION TO PROTECT.
2.1.1. Service Provider’s obligations regarding Personal Information shall extend to employees, officers, directors, agents, advisors, contractors, any subcontractors or other party or person acting on behalf of or at the direction of Service Provider (collectively, “Service Provider Personnel”) with Access pursuant to the Agreement or the performance of Services thereunder. Service Provider shall limit Access to Service Provider Personnel who have a need to know the Personal Information as a condition to Service Provider’s performance of Services for or on behalf of Customer and who have agreed in writing to comply with legally-enforceable privacy, confidentiality and security obligations that are substantially similar to those required by this Addendum (including in the case of contractors and subcontractors, an acknowledgement of their responsibility for the security of any Cardholder Data where such contractors or subcontractors Process Cardholder Data or manage any systems (or components of such systems) that store, process or transmit Cardholder Data). Service Provider shall ensure that all Service Provider Personnel comply with the provisions of this Addendum regarding the handling and treatment of Personal Information.
6 |
2.1.2. Service Provider shall not contract any of its rights or obligations concerning Personal Information without the prior written consent of Customer. Where Service Provider, with the consent of Customer, contracts such rights or obligations, Service Provider shall enter into a written agreement with each contractor that imposes obligations on the contractor that are substantially similar to those imposed on Service Provider under this Addendum. Service Provider shall only retain contractors that Service Provider reasonably can expect to be suitable and capable of performing the delegated obligations in accordance with this Addendum, the Agreement and Customer’s instructions.
2.1.3. Service Provider agrees to hold, maintain, and manage (i) the existence and terms of this Addendum, and any related agreement, and (ii) any and all Personal Information in strictest confidence and use due care to prevent any unauthorized or inappropriate disclosure. Service Provider will not, and will not allow any third party under its control (including Service Provider Personnel) to transmit or disclose any of the Personal Information to any third party, except as required in the provision of the Services, required by law or governmental order, or otherwise with Customer’s express written consent.
2.1.4. Service Provider shall notify Customer promptly in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Information. Customer shall have the right to defend such action in lieu of and on behalf of Service Provider. Customer may, if it so chooses, seek a protective order. Service Provider shall reasonably cooperate with Customer in such efforts.
2.1.5. Service Provider covenants and agrees to adhere to all applicable requirements to be considered compliant with the PCI Standard and shall perform the necessary steps to validate its compliance with the PCI Standard. Service Provider shall provide to Customer a copy of its most recent validation of PCI Standard compliance and all supporting documentation (including any exceptions noted therein) promptly following the Amendment Effective Date, and on an annual basis thereafter (or at such other time to coincide with Customer’s own PCI Standard certification). Service Provider will promptly notify Customer if it learns that it is no longer compliant with the PCI Standard, or reasonably anticipates that it is or will be non-compliant, and will promptly inform Customer of the steps being taken to remediate such non-compliance. Service Provider acknowledges that it is responsible for the security of any Cardholder Data in its possession.
2.2. SERVICE PROVIDER WRITTEN SECURITY POLICY.
2.2.1. Service Provider hereby warrants, represents and covenants that, as of the Amendment Effective Date, it has and will at all times during the term of the Agreement, maintain a comprehensive written information security program that complies with applicable Privacy Laws (as defined below). Service Provider’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (a) establish minimum standards to be met in connection with the safeguarding of Personal Information contained in both paper and electronic records; (b) protect the security and confidentiality of Personal Information in a manner consistent with applicable industry standards; (c) protect against anticipated threats or hazards to the security or integrity of Personal Information; and (d) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or Access to any Personal Information (hereinafter “Information Security Incident”).
7 |
2.2.2. Service Provider shall immediately inform Customer in writing of any Information Security Incident of which Service Provider becomes aware. Such notice shall summarize in reasonable detail the effect on Customer, if known, of the Information Security Incident and the corrective action taken or to be taken by Service Provider. Service Provider shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Customer prior to any publication or communication thereof.
2.2.3. Service Provider shall provide appropriate training to and exercise the necessary and appropriate supervision over its relevant Service Provider Personnel to maintain appropriate privacy, confidentiality and security of Personal Information.
2.3. RETURN OR SECURE DESTRUCTION OF PERSONAL INFORMATION. Promptly upon the expiration or termination of the Agreement or as otherwise requested by Customer, Service Provider shall, at Customer’s written request, either (i) destroy or render unreadable or undecipherable, or (ii) return to Customer, each and every original and copy in every media of all Personal Information in Service Provider’s possession, custody or control by secure means.
2.4. COMPLIANCE.
2.4.1. Service Provider agrees to comply with: (i) all applicable federal, state, and local laws, rules, regulations and governmental requirements, as the same may be amended or supplemented from time to time, pertaining in any way to the privacy, confidentiality, security, management, disclosure, reporting, and any other obligations attaching or arising from the possession or use of Personal Information, including without limitation, the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. § § 6801-6827, and all regulations implementing GLBA; the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq., as amended by the Fair and Accurate Credit Transactions Act (“FACTA”), and all regulations implementing the FCRA and FACTA; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); security breach notification laws; laws imposing minimum security requirements (such as 201 Mass. Code Reg. 17.00); laws requiring the secure disposal of records containing certain Personal Information (such as N.Y. Gen. Bus. Law § 399-H)] (collectively, the “Privacy Laws”); (ii) all applicable industry standards concerning privacy, data protection, confidentiality or information security, including, without limitation, the PCI Standard; and (iii) all applicable provisions of Customer written policies currently in effect and as they become effective relating in any way to the privacy, confidentiality and security of Personal Information or applicable privacy policies, statements or notices that are provided to Service Provider in writing.
2.4.2. Service Provider warrants that no applicable law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim prohibits Service Provider from fulfilling its obligations under this Addendum. In the event a law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Service Provider’s ability to fulfill its obligations under this Addendum, Service Provider shall promptly notify Customer in writing and Customer may, in its sole discretion and without penalty of any kind to Customer, suspend the transfer or disclosure of Personal Information to Service Provider or access to Personal Information by Service Provider, terminate any further Processing of Personal Information by Service Provider, and terminate the Agreement, if doing so is necessary to comply with applicable Privacy Laws.
8 |
2.4.3. Service Provider shall enter into any further privacy or information security agreement reasonably requested by Customer for the purpose of compliance with applicable Privacy Laws. In case of any conflict between this Addendum and any such further data privacy or information security agreement, such further agreement shall prevail with regard to the Processing of Personal Information covered by it.
2.5. INJUNCTIVE RELIEF. Service Provider agrees that any Processing of Personal Information in violation of Section 2 of this Addendum, Customer’s instructions or any applicable Privacy Law, or any Information Security Incident, may cause immediate and irreparable harm to Customer for which money damages may not constitute an adequate remedy. Therefore, Service Provider agrees that Customer may seek to obtain specific performance and injunctive or other equitable relief for any such violation or incident, in addition to its remedies at law, without proof of actual damages. Service Provider agrees to waive any requirement for the securing or posting of any bond in connection with such remedy.
3. WARRANTY AND INDEMNIFICATION
Service Provider warrants and represents that it is capable of maintaining safeguards for Personal Information as otherwise provided in this Addendum. Notwithstanding anything to the contrary in the Agreement, Service Provider shall indemnify, defend and hold harmless Customer, their officers, directors, shareholders, and employees from any and all third-party claims, losses, demands, liabilities, suits, enforcement actions, damages, penalties, fines, expenses and costs (including attorneys’ fees, consultants’ fees and court costs) arising from or related to (i) the failure of Service Provider to comply with Privacy Laws; (ii) any violation of Section 2 of this Addendum; (iii) the loss, misappropriation or other unauthorized disclosure of Personal Information by Service Provider or Service Provider Personnel; (iv) the negligence, gross negligence, bad faith, or intentional or willful misconduct of Service Provider or Service Provider Personnel in connection with obligations set forth in this Addendum; (v) Service Provider’s use of any contractor providing services in connection with or relating to Service Provider’s performance under this Addendum; and (vi) any Information Security Incident involving Personal Information in Service Provider’s possession, custody or control, or for which Service Provider is otherwise responsible.
4. ACCESS TO CUSTOMER IT RESOURCES OR SYSTEMS
4.1. RESTRICTIONS. Except as specifically contemplated in provision of the Services, Service Provider agrees that it will not and will not allow any Service Provider Personnel or other third party acting at its direction to (i) transfer or use Personal Information (or access Personal Information from) outside of the United States; (ii) attempt unauthorized access to such Personal Information; (iii) input, delete or otherwise modify any Personal Information or make any changes to the Customer’s IT resources or systems; or (iv) access, or attempt to access, any third-party networks or systems from the Customer’s IT resources or systems except as necessary for performance of the Services.
4.2. UNAUTHORIZED STORAGE. Unless expressly authorized in writing by Customer, Service Provider shall not allow any Personal Information to be stored on or Accessed by laptops, USB drives, blackberry devices, or any other portable storage media belonging to Service Provider or Service Provider’s Personnel, except as required for the performance of the Services and only for such duration of time necessary to complete the performance of the applicable Services.
4.3. CREDENTIALS. If Service Provider or Service Provider’s Personnel is provided (i) a login ID, password or other authentication credential such as a digital certificate, token, smartcard, or biometrics device; or (ii) Customer facility identification cards or other physical security access permission (collectively, “Credentials”), Service Provider shall treat Credentials with the utmost care and confidentiality to prevent unauthorized disclosure or misuse. Service Provider acknowledges that any Credentials issued to it are Customer’s Confidential Information subject to the protections provided in the Agreement, and Service Provider and Service Provider Personnel will not share, disclose or use the Credentials in any unauthorized manner. Service Provider agrees that it is responsible for the actions of any individuals using the Credentials issued to it. Upon the termination of the Services or the underlying Agreement, Service Provider will promptly return any Credentials to Customer upon request or when network or physical access is no longer required. Service Provider shall promptly notify Customer if any Service Provider Personnel is terminated or reassigned from Customer’s account, or is otherwise no longer performing Services under the Agreement, so that Customer may deactivate such Service Provider Personnel’s Credentials.
9 |
4.4. SECURITY DESIGN INFORMATION. For the avoidance of doubt, any information related to the design or security topology of Customer’s IT resources and systems acquired by Service Provider or that may be gained by virtue of Service Provider’s Access shall constitute Confidential Information of Customer, and Service Provider shall not share, disclose or use such design or security information in any unauthorized manner.
4.5. REMOTE ACCESS. If the Services involve remote Access to a Customer IT resource or system, the parties shall agree upon an encryption mechanism for use in exchanging any Personal Information and any other information in accordance with this Addendum. Upon being provided the same, Service Provider shall use the approved encryption mechanism for all such communications. In addition, Service Provider shall take all reasonable precautions to prevent transmission of a computer virus, malware, or other malicious code to a Customer IT resource or system or any Customer customer or employee where the Services contemplate its access to a Service Provider IT resource or system. Service Provider shall maintain current industry standard anti-virus and anti-malware tools on its IT resources and systems that will interface with a Customer IT resource or system and shall ensure that all its IT resources and systems are maintained with up-to-date security patches, hotfixes, and other similar software or firmware changes. Prior to transmission of information to Customer, Service Provider will use anti-virus software to check for and eradicate viruses. Furthermore, Service Provider shall prohibit Service Provider Personnel from using their personal IT assets or resources to gain access to any Customer IT resource or system except as otherwise provided in the Agreement. If any Services performed by Service Provider Personnel are performed using non-Customer-owned and controlled IT assets and resources, such assets and resources shall comply with this Addendum. Service Provider will notify Customer promptly if a virus, malware, or other malicious code is detected in a file sent to or received from Customer.
4.6. BACKGROUND INVESTIGATIONS. Service Provider acknowledges and agrees that it is responsible for the conduct of reference checks, criminal background checks and such other screening measures as a reasonably prudent employer would deem appropriate, of Service Provider Personnel prior to such individual’s performance of any Services which involve Access. Vendor shall not assign any Vendor Personnel to Customer’s account or otherwise allow any Vendor Personnel to have Access if such Personnel have been found to have engaged in criminal acts that involve fraud, dishonesty, or breach of trust, or that constitute a felony under applicable law. Vendor has the ongoing duty to inform Customer promptly upon learning that any Vendor Personnel have been convicted of a felony, and to remove any such individual promptly from Customer’s account. Notwithstanding the foregoing, Customer, in its sole discretion, has the option of barring any person from any Customer facilities.
5. AUDIT AND MONITORING RIGHTS
5.1. CUSTOMER SYSTEMS. Service Provider’s Personnel, while using the IT resources or systems of Customer, may be subject to monitoring and their activity recorded. Service Provider, for itself and Service Provider Personnel, expressly consents to such monitoring and recording. No advanced notice or warning shall be required to monitor Service Provider Personnel’s use of a Customer IT resource or system.
10 |
5.2. AUDIT RIGHTS. In addition to any other audit rights provided in the Agreement, upon reasonable advance notice, Customer shall have the right to audit Service Provider’s information to the extent required to assess compliance with the terms of this Addendum. During normal business hours, with reasonable notice, Customer or its authorized representatives may reasonably inspect Service Provider’s facilities and equipment, and any information or materials in Service Provider’s possession, custody or control, relating to Service Provider’s obligations under Section 2 of this Addendum. Such audit may be conducted by reputable third party auditors hired on behalf of Customer and reasonably acceptable to Service Provider, and shall be conducted so as to minimize any disruption to the Service Provider’s operations. Service Provider shall provide reasonable cooperation with such auditors and will provide reasonable access to facilities necessary to audit and test compliance. Service Provider shall deal promptly and appropriately with any inquiries from Customer relating to the Processing of Personal Information subject to this Addendum.
5.3. REPORTS. At Customer’s reasonable request (depending upon the type of Access pursuant to the Agreement or the performance of Services thereunder), Service Provider will provide, or cause to be prepared and provided, (i) a description prepared by management of Service Provider of Service Provider’s systems relating to the Services, including the control objectives and related controls applicable to such systems, and/or (ii) an executed copy of one or more opinions or attestations (as applicable) from independent auditors of national reputation engaged and compensated by Service Provider, of Type II examinations in accordance with SAS No. 70 (or a comparable or successor standard, such as Statement on Standards for Attestation Engagements (SSAE) No. 16 or International Standard on Assurance Engagements (ISAE) No. 3402), containing no material exceptions and identifying no material weakness or significant deficiency (each, a “Report”). Any such Reports shall be provided at no expense to Customer and completed as of a date to which the parties agree.
6. OWNERSHIP
As between the parties, the Personal Information and Credentials, together with any intellectual property rights therein, including, but not limited to, copyrights, shall be the sole property of Customer, and Service Provider shall not have or obtain any rights therein.
7. CONFLICT
In the event of a conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall govern and control such conflict.
8. NOTICE
With respect to notice pursuant to paragraph 2.2.2. hereof, notice shall be made telephonically to Customer’s Chief Information Security Officer at ###-###-#### and to Customer’s IT Support at ###-###-####, followed promptly by written notice in the form and manner set forth in the Agreement.
11 |