In thousands; unaudited
Exhibit 10.03
CONFIDENTIAL TREATMENT REQUESTED
AMENDMENT NO. 1 TO THE SUPPLY AGREEMENT
This amendment No. 1 (the “Amendment No. 1”) to the Supply Agreement effective as of January 1, 2000 between Intuit Inc. (“Intuit”) and the John H. Harland Company (“Harland”), is made and entered into as of 12 of November, 2003 (“Amendment No. 1 Effective Date”). Capitalized terms not defined herein this Amendment No. 1 shall have the meaning ascribed to them in the Supply Agreement.
RECITALS
| A. | Intuit and Harland are parties to a Supply Agreement made and entered into as of January 1, 2000 (“Supply Agreement”). | |
| B. | Intuit and Harland have entered into addendums prior to the Amendment No. 1 Effective Date and plan to enter into future addendums to add additional products to the Supply Agreement (“Product-Specific Addendums”). | |
| C. | The parties are now entering into this Amendment No. 1 to the Supply Agreement in order to add and/or modify certain standard, mutually agreed upon terms and conditions to the Supply Agreement such that the parties can enter into future Product-Specific Addendums after the Amendment No. 1 Effective Date without having to restate and/or negotiate such terms. |
NOW THEREFORE, the parties hereby amend the Supply Agreement to add and/or modify the following new terms and conditions as follows:
1. GENERALLY. The terms of this Amendment No. 1 shall be applicable to future Product-Specific Addendums entered into by the parties after the Amendment No. 1 Effective Date. Product-Specific Addendums entered into prior to the Amendment No. 1 Effective Date are excluded from this Amendment No. 1.
2. SECURE SOURCING. If any circumstance occurs that prevents Harland or any third party supplier from effectively filling and shipping customer Orders for a specific product line in accordance with Intuit’s specified quality requirements and turnaround times for such specific product line, including but not limited to termination, financial issues, or any disasters, Intuit shall have the right to immediately purchase all such specific product line Products in the possession or control of Harland or third-party suppliers, or immediately take possession of such Intuit-owned specific product line products in the possession or control of Harland or third-party suppliers. In addition, Intuit shall have the right to immediately take over the sourcing of such specific product line Products that are work in process and will be completed at a later date at third-party suppliers. Harland will make Harland-owned specific product line Products available to Intuit at the prices that Harland was charged by its third-party suppliers. Harland will also ensure that any third party supplier of such specific product line Products will make such specific product line Products that are work in process and to be completed at a later date available to Intuit at the prices that the supplier agreed upon with Harland. Intuit will pay Harland reasonable additional costs for Harland’s cooperation in transferring such specific product line Products to Intuit.
Page 1 of 15 Intuit Confidential
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
3. SYSTEMS. (*) will fund the development, enhancements and ongoing support of connections to Intuit’s order entry and billing systems, and any changes needed to meet new businesses and services in connection with the Supply Agreement. Harland is responsible for the funding and implementation of development, enhancement, and ongoing support of Harland’s systems, and for the systems of any supplier responsible for providing Products. The level of support for the Intuit FSG account (i.e., dedicated Harland personnel) will be (*) above the levels specified in the Supply Agreement based on the additional volumes resulting from additional products.
4. SAME ORDER SHIPMENTS/PAIRINGS. The specific items paired in the same package are based primarily on the type of products, imprintables and non-imprintables, and size of the products. Harland will pair all items physically able and commercially reasonable in the same package for shipment. In addition, Harland will work with third party suppliers so that these suppliers can pair items in the same package for shipment.
5. PERFORMANCE SCORECARD. Harland will measure and report its performance against the performance scorecard set forth in Exhibit A, and will use their best efforts to meet, exceed and improve performance. Following the end of each calendar quarter, designated team members from both parties will meet and review performance during the past quarter. In connection with these quarterly meetings, the parties will gather the data and rate Harland’s performance in accordance with the performance scorecard set forth in Exhibit A. Harland and Intuit will mutually agree upon any changes to the performance scorecard.
6. SHIPPING METHODS.
| (a) | Harland will be responsible for shipping each completed Order to the Customer’s specified address, and will ensure that any carrier providing Products will ship each completed Order to the Customer’s specified address. Unless otherwise indicated on the Order or otherwise specified by Intuit, shipping shall be via ground, or comparable service where ground is not available. Harland will have implemented a system so that (*) of Orders for Standard Products shipped to an address in the continental United States will be shipped by Harland from a location that, according to material published by such carrier, is within (*) business days of shipment via such carrier ground of the addressee. The selection of each shipping carrier will be subject to Intuit’s approval. Harland will ensure that all third-party suppliers that provide Products can support shipping methods, including Ground, Next Day and Second Day at competitive costs. When the rates are not competitive at a third party supplier, and it is commercially reasonable, Harland will allow the third-party supplier of Products to utilize Harland’s freight rates. | ||
| (b) | Harland will be responsible for the proactive management of carriers to negotiate and manage competitive freight costs, file and credit to Intuit refunds for lost or damaged shipments, and track and ensure the compliance of on-time and quality performance. Harland will report these performance measures monthly in the Performance Scorecard, Exhibit A, and work with their carriers to meet, exceed and improve performance. | ||
| (c) | Harland will be responsible for the management of all carriers for Products supplied and/or fulfilled by Harland or their third party suppliers to ensure that the carrier meets (*) on time performance. Harland will be responsible for crediting |
| Page 2 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| Intuit for any charges, penalties or expedited fees resulting from lost or damaged shipments, and from mistakenly returned packages. In addition, Harland will credit Intuit for reimbursements made by the carrier to Harland for service failures, including failures to meet on-time shipping guarantees. Harland will use its best efforts in working with Intuit to recover these credits in a mutually agreeable and commercially reasonable manner and provide Intuit with a monthly accounting of such credits. Harland will pay to Intuit any credits pursuant to this section within (*) business days of receipt of such credits by Harland from carrier. |
7. PERSONNEL. Harland will identify qualified primary contacts at Harland who will be available to work directly with Intuit as needed. In addition, Harland will identify at least one qualified contact at each third-party supplier of any Products who Intuit will contact in coordination with Harland, with prior notification if practical, on an as needed basis.
8. PRIVACY AND SECURITY STANDARDS. Harland will continue to be in compliance with Intuit’s then-current privacy and security standards, the current version of which are contained in Exhibit B (Comprehensive Security Requirements for Confidential Customer Data and Corporate Information) and Exhibit C (Intuit Service Provider Privacy Attachment). In addition, Harland will meet or exceed, within a reasonable timeframe after disclosure to Harland, Intuit’s then-current mail handling procedures, the current version of which is contained in Exhibit D (Intuit Suspicious Mail Handling Procedures), as well as any specific recommendations that Intuit provides to Harland. Harland is responsible for ensuring that all third party suppliers of any Products will also comply with the then-current version of Intuit’s privacy and security standards and mail handling procedures.
9. BUSINESS CONTINUITY.
| (a) | Harland shall: (i) be responsible for business continuity of operations as to the products and services to be provided under the Supply Agreement; (ii) within (*) days after the Amendment No. 1 Effective Date, submit to Intuit for approval a mutually agreed upon and reasonable business continuity plan (“Business Continuity Plan”) that mitigates and minimizes Intuit service interruptions; and (iii) update the Business Continuity Plan, subject to Intuit’s approval, to reflect changes in technology and industry standards on an annual basis. | ||
| (b) | Harland shall provide Intuit reasonable assistance in Intuit’s assessment of Intuit’s business continuity requirements and provide, for Intuit’s approval, a set of alternatives for the development of a viable Intuit business continuity program, and the estimated fees associated with each alternative. | ||
| (c) | Harland shall immediately provide Intuit with written notice of any service failure relating to the Supply Agreement due to any of the events specified in the second paragraph of Section 22 of the Supply Agreement or any other event beyond Harland’s reasonable control (each a “Force Majeure”) and shall use its best efforts to immediately implement the Business Continuity Plan with regard to such failure. | ||
| (d) | In the event of a Force Majeure, Harland shall not charge Intuit any fees in excess of the fees set forth in the Supply Agreement. |
| Page 3 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| (e) | Whenever a Force Majeure requires that Harland allocate limited resources between or among its customers, Intuit shall receive no less priority in respect to such allocation than any of Harland’s other customers. |
10. RECORDS/AUDIT. Pursuant to Section 40 (d) of the Supply Agreement, Intuit shall have the full right to audit any and all documents, records or other paperwork of Harland’s that they deem necessary or appropriate in order to validate Intuit charges or verify basis for (*). This includes, but is not limited to, Harland’s costs from suppliers and materials costs, and will be utilized to determine (*) information. Harland will maintain accurate records with respect to the information underlying any reports, payments required, and costs under the Supply Agreement. Intuit may, upon no less than (*) days prior written notice to Harland, request an audit by an independent Certified Public Accountant mutually agreed to by both parties, of relevant records of Harland’s upon which such reports are based during normal business hours. Harland shall remit payments or credits to Intuit for the full amount of any disclosed shortfalls. The audit rights set forth herein shall continue for (*) years following the termination of the Supply Agreement for any reason, or for such period as Harland continues to make (*) to Intuit, whichever is longer. No such audit may occur more than (*) during the Term.
11. SURVIVAL. In addition to the survival provisions stated in the Supply Agreement, Sections 8 and 10 of this Amendment No. 1 shall survive and continue to bind the parties following the termination of the Supply Agreement.
12. Except as specified in this Amendment No. 1, the terms of the Supply Agreement shall remain in full force and effect. In the event of conflict between the terms and conditions of the Supply Agreement and this Amendment No. 1, the terms of this Amendment No. 1 shall control with respect to the subject matter hereof.
IN WITNESS WHEREOF, Intuit and Harland have executed and entered into this Amendment No. 1 by their duly authorized representatives.
JOHN H. HARLAND COMPANY INTUIT INC.
By: /s/ MARTIN E. KERNER By: /s/ K. MAGGIE RIGGINS
Printed Name:Martin E. Kerner Printed Name: K. Maggie Riggins Title: VP, Gen’l Mgr Title: Sr. Strategic Sourcing Mgr Date: 11/12/03 Date: 11/25/03
Page 4 of 15 Intuit Confidential
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
Exhibit A
Performance Scorecard
Monthly Performance Scorecard
Harland / Intuit
Category Category: Service Category Weight (*) Total Score Metric Performance Scale Weight Factor Result Score Doesn’t Meet Meets Exceeds 0 1 2 100 (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* )
Category Category: Operations Category Weight (*) Total Score Metric Performance Scale Weight Factor Result Score Doesn’t Meet Meets Exceeds 0 1 2 100 0 1 2 100 (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* )
Page 5 of 15 Intuit Confidential
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
Category Category: Delivery Category Weight (*) Total Score Metric Performance Scale Weight Factor Result Score Doesn’t Meet Meets Exceeds 0 1 2 100 0 1 2 100 (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* )
Category Category: System Effectiveness Category Weight (*) Total Score Metric Performance Scale Weight Factor Result Score Doesn’t Meet Meets Exceeds 0 1 2 100 (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* ) (* )
Category Category: Fulfillment Category Weight (*) Total Score Metric Performance Scale Weight Factor Result Score Doesn’t Meet Meets Exceeds 0 1 2 100 (* ) (* ) (* ) (* ) 0 % 50 % 100 % Overall Score:
Page 6 of 15 Intuit Confidential
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
Exhibit B
Comprehensive Security Requirements for Confidential Customer Data
and Corporate Information
SEC-902 Rev. 1.0 (11/14/01)
Definitions
For the purposes of this Exhibit, the following definitions shall apply.
| Confidential Information: Information which (i) is proprietary to, about, or created by a specific | ||
| person or company; (ii) gives the specified person or company some competitive business advantage or the opportunity of obtaining such advantage, or the disclosure of which could be detrimental to the interests of the specified person or company; (iii) is designated as Confidential Information by the specified person or company, or from all the relevant circumstances should reasonably be assumed by the receiving party to be confidential and proprietary to the specified person or company. | ||
| The following subcategories of Confidential Information are also defined: |
| - | Secret Information: Information that is used to protect other Confidential Information. Generally, Secret Information is not disclosed to outside parties under any circumstances. | ||
| - | Sensitive Information: Any information that could be misused in such a way as to jeopardize the financial or legal position of its owner, or of the person or company described by the information. | ||
| - | Restricted Information: Information that is not Secret or Sensitive, but whose permissible use has been restricted by its owner. |
Confidential Information includes, but is not limited to, the following types of information and other information of a similar nature (whether or not reduced to writing or designated as Confidential):
| a. | Personally-Identifiable Information. Information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. It includes, without limitation, the following information: | |
| Secret Information: Customer passwords, private encryption keys, and private signature keys. | ||
| Sensitive Information: Customer account numbers, Social Security numbers, taxpayer identification numbers, account balances, account activity, financial information, medical records, legal records, and records of customer services and other data relating to the products and services offered, received, or purchased by customers of Intuit or the Company. | ||
| Restricted Information: Customer names, customer street or e-mail addresses, customer telephone numbers. | ||
| b. | Confidential Corporate Information, consisting of any of the following: | |
| Secret Information: Computer account IDs, passwords for computer or database systems, private encryption keys, SSL keys, computer source code relating to encryption/decryption, |
| Page 7 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| special access privileges, known security vulnerabilities, the results of security audits and reviews, and any information explicitly designated Secret by Intuit or by Company. | ||
| Sensitive Information: Any of the following: |
| (i) | Work Products: Work product resulting from or related to work or projects performed or to be performed for Intuit or the Company, or for customers of Intuit or the Company (including all media on which such information is contained); | ||
| (ii) | Business Operations: Internal Intuit or Company personnel and financial information, names and other information about Service Providers (including without limitation Service Provider characteristics, services and agreements), purchasing and internal cost information, internal services and operational manuals, and the manner and methods of conducting Intuit’s or the Company’s business; | ||
| (iii) | Marketing and Development Operations: Marketing and development information regarding Intuit’s or the Company’s operations (including without limitation marketing and development plans, price and cost data, price and fee amounts, pricing and billing policies, quoting procedures, marketing techniques and methods of obtaining business, forecasts and forecast assumptions and volumes, and future plans and potential strategies of Intuit or the Company which have been or are being discussed); | ||
| (iv) | Other Proprietary Data: Information relating to Intuit’s or the Company’s proprietary business information (including without limitation information pertaining to business transactions and financial performance) or proprietary rights prior to any public disclosure thereof, and information regarding acquiring, protecting, enforcing and licensing proprietary rights (including without limitation patents, copyrights and trade secrets). | ||
| (v) | Designated Information: Notwithstanding the above, any information explicitly designated as Sensitive by Intuit or by Company. |
| Restricted Information: Aggregated or anonymous customer information (any customer information other than Personally Identifiable Customer Information), contractual information or obligations not designated as Sensitive, and any information explicitly designated as Restricted by Intuit or by Company. |
A. Controlling Access to Confidential Information
| 1. | Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, subcontractors, or other agents, unless the following conditions are met: |
| a) | The staff member, subcontractor, or other agent requesting the access can be uniquely identified ( e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team; | ||
| b) | The staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company ( i.e., 8 characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks. | ||
| c) | In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function. The ability to read, write, modify or delete |
| Page 8 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions. | |||
| d) | The date, time, requestor, and nature of the access ( i.e., read-only or modify) has been recorded in a log file. |
| 2. | Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement. | |
| 3. | Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings. | |
| 4. | Passwords used to control Company’s staff, subcontractors, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them. | |
| 5. | Procedures must be in place to modify or revoke access permissions to Confidential information when staff members leave the Company or when their job responsibilities change. | |
| 6. | Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor should be implemented. |
B. Transmitting Confidential Information
| 1. | Unless restricted by law, Company must not electronically transmit Secret or Sensitive Information over publicly-accessible networks without using 128-bit SSL or another mechanism that affords similar or greater security and confidentiality. If legal restrictions limit the use of 128-bit SSL encryption technology, Company must use the strongest encryption technology permitted. | |
| 2. | Confidential Information must never be passed in a URL ( e.g., using a Get method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files. |
C. Maintaining a Secure Environment
| 1. | To protect the accuracy and integrity of Confidential Information, all such data must be backed up regularly (no less often than weekly), and the backups stored in secure, environmentally controlled, limited-access facilities. | |
| 2. | Company must promptly install any security-related fixes identified by its hardware or software vendors, if the security threat being addressed by the fix is one that threatens the |
| Page 9 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| privacy or integrity of any Confidential Information covered by this Agreement. Such upgrades must be made as soon as they can safely be installed and integrated into Company’s existing architecture and systems. | ||
| 3. | Intuit may, from time to time, advise Company of recent security threats that have come to its attention, and require Company to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Company must implement these modifications within a mutually-agreeable time, or must obtain written permission from Intuit to take some other course of action to ensure that the privacy and integrity of any Confidential Information is preserved. | |
| 4. | Company must immediately notify Intuit if it knows or suspects that Confidential Information has been compromised or disclosed to unauthorized persons, or if there has been any meaningful or substantial deviation from the requirements contained in the Agreement or this Exhibit. See Section F for contact information. | |
| 5. | Notwithstanding the minimum standards set forth in this Exhibit, Company should monitor and periodically incorporate reasonable industry-standard security safeguards. |
D. Electronic Mail
| 1. | Company shall not send any Secret or Sensitive Information in an e-mail message over publicly accessible networks unless the e-mail is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by Intuit and Company. | |
| 2. | Company and its subcontractors and agents must not reveal the Personally-Identifiable Information of one customer to any other customer or other third party, in any e-mail or other communication, except as permitted in writing by the affected person, as deemed appropriate in light of the interests of the affected person, or as otherwise required by law. |
E. Reviews, Audits, and Remedies
| 1. | Company agrees that Intuit shall have a right to verify Company’s compliance with this Exhibit. Upon 14 days’ prior written notice to Company, Intuit (or its agent) may enter Company’s premises and inspect such of Company’s books, records, facilities and computer systems as Intuit and Company shall mutually agree is necessary to ensure that company complies with the terms, covenants and conditions of this Exhibit. Intuit or its agent shall comply with Company’s standard policies and procedures that apply to third party companies that have access to Company’s premises, and Intuit or its agent shall access Company’s premises during normal business hours (Monday through Friday, 8:00 AM to 5:00 PM). Notwithstanding the foregoing, if Intuit in good faith believes that a threat to security exists that could affect Confidential Information, Company must provide Intuit or its agent access to its premises immediately upon request by Intuit. | |
| 2. | Intuit may inspect or employ third parties to conduct studies of Company’s operational processes, systems and computer network security to determine Company’s compliance with this Exhibit. Intuit agrees to coordinate the scheduling of any such study with Company to minimize disruption to Company’s business. Company agrees to cooperate with Intuit to commence such a study within thirty (30) days from Company’s receipt of written notice of Intuit’s intent to conduct, or to employ a third party to conduct, such a |
| Page 10 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| study. At Company’s request, Intuit will require any third party it employs to conduct such a study to sign a nondisclosure agreement pursuant to which it agrees not to disclose any Confidential Information. Intuit will make the results of any such study available to Company and, depending on the seriousness of any problems found, may require Company to remedy any and all such deficiencies in a timely fashion. Costs of such audits shall be borne by Intuit, unless Company is deemed, as a result of such an audit, to be in material nonconformity with the Agreement or this Exhibit. | ||
| 3. | Notwithstanding any time-to-cure provision in this Agreement to the contrary, it shall be completely within Intuit’s discretion to require correction of any demonstrated security-related problem within a shorter period of time. Intuit shall provide written notice of the problem to Company, and Company must immediately take appropriate steps to correct the problem. If Company fails to correct any demonstrated security problem within a commercially-reasonable time, factoring in the work that must be completed to address the problem, and resulting in the material disclosure or threatened disclosure of Intuit’s Confidential Information or Personally-Identifiable Information about Intuit’s customers, Intuit may instruct Company to take such interim measures as are necessary to protect such information. If Company fails or refuses to take those interim and/or permanent measures which are necessary to prevent the material disclosure of such information within a commercially-reasonable time, Intuit may terminate any and all affected agreements between Intuit and Company for cause. |
F. Compliance with U.S. Laws and Regulations
| Company shall comply with all applicable federal, state, and local laws and regulations. |
G. Changes to Requirements
| Intuit may, in its sole discretion, amend these requirements from time to time, as required by law or otherwise. |
H. Contact Information
| The primary business contact person for each party under this Agreement shall designate a primary and an alternate single point of contact for security issues for such party (a “Security SPOC”) and provide mail, email, telephone, home telephone, and pager or portable telephone contact information for such persons. Both parties agree that either the primary or alternate Security SPOC will be available at all times (“24/7/365”). Such designation and information must be given in writing to the other party within ten (10) business days after the effective date of the Agreement. Any updates to the same shall be given promptly in writing to the other party. |
| Page 11 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
Exhibit C
Intuit Service Provider Privacy Attachment
1. INTRODUCTION
| 1.1. | This Intuit Privacy Exhibit (“Exhibit”) governs the manner in which specified customer-related information may be collected, used, or disclosed by Service Provider. Intuit may impose different or additional restrictions in connection with any Intuit business conducted outside of the United States. |
2. DEFINITIONS
| 2.1. | “Affiliate Companies” shall mean any companies controlling, being controlled by, or under common control with another company. | ||
| 2.2. | “Intuit” shall mean Intuit Inc. and its Affiliate Companies. | ||
| 2.3. | “Intuit Customer Data” shall mean any data — whether Personally Identifiable Information or aggregate or anonymous information — either disclosed by Intuit to Service Provider, or to which Service Provider has otherwise obtained access by virtue of its relationship with Intuit. Such Data shall include information pertaining to both customers and prospective customers of Intuit. | ||
| 2.4. | “Intuit Suppression” shall mean the process of matching or merging marketing lists with all relevant Intuit Do Not Contact lists, including, as applicable, “Do Not Mail,” “Do Not E-mail,” and “Do Not Call” lists, for purposes of purging from such marketing lists or otherwise suppressing Intuit Customer Data of those included on such Do Not Contact lists. | ||
| 2.5. | “Opt-out” shall mean the opportunity afforded to Consumers to decline to have their Intuit Customer Data used for purposes other than as necessary to provide the product or service for which the Intuit Customer Data is collected. | ||
| 2.6. | “Service Provider” shall mean the party entering into an agreement with Intuit, into which this Exhibit has been incorporated by reference, as well as all Affiliate Companies of said Service Provider. | ||
| 2.7. | “Personally Identifiable Information” (“PII”) shall mean any information (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived. PII includes, but is not limited to: name, address, phone number, fax number, email address, financial profiles, medical profile, social security number, and credit card information. Additionally, to the extent unique information, not itself PII, such as, but not necessarily limited to, a personal profile, unique identifier, biometric information, and/or IP address is associated with PII, then such unique information will also be considered PII. |
3. SERVICE PROVIDER RESPONSIBILITIES — GENERAL
Page 12 of 15 Intuit Confidential
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| 3.1. | Service Provider shall comply with this Exhibit and all applicable laws, rules and regulations relating to the collection or use of Intuit Customer Data, and agrees to impose and enforce compliance of this Exhibit on all third party service providers with access to Intuit Customer Data. | ||
| 3.2. | Service Provider shall ensure that only those employees or authorized agents who are trained in the proper handling of Intuit Customer Data and who are subject to an obligation to maintain the confidentiality of such information shall have access to Intuit Customer Data. | ||
| 3.3. | Service Provider shall under no circumstances collect, access, use, reproduce or disclose Intuit Customer Data other than as either specifically authorized by, or clearly necessary in order to perform services pursuant to, the agreement this Exhibit is incorporated into. Specifically, Service Provider shall not use Intuit Customer Data on its own behalf. Should Service Provider become legally obligated to disclose Intuit Customer Data other than as permitted by this Exhibit, it shall, unless legally prohibited from doing so, first provide notice to Intuit. | ||
| 3.4. | The constraints imposed by this Exhibit on the collection, use or disclosure of Intuit Customer Data shall specifically apply to Social Security numbers. | ||
| 3.5. | Service Provider shall, as directed, perform an Intuit Suppression prior to engaging in any marketing activities (e.g., e-mail, telemarketing or direct mail marketing) on behalf of Intuit. In addition, Service Provider shall comply with the rules of the Direct Marketing Association’s Mail Preference Service and Telephone Preference Service in connection with all such marketing activities. Such obligations shall be in addition to performing any other legally required suppressions, including legally-mandated Do Not Mail or Do Not Call procedures. Service Provider shall employ measures as directed by Intuit to ensure that Opt-out requests received in connection with such marketing activities are provided to Intuit in a form permitting Intuit to incorporate them into suppression files or other databases. Suppression lists or files provided to Service Provider by Intuit shall be used solely for purposes of performing an Intuit Suppression and shall be returned or destroyed when no longer needed for such authorized purposes. | ||
| 3.6. | Service Providers conducting telemarketing on Intuit’s behalf shall comply with Intuit’s Do-Not-Call Policy, as follows: |
| This written policy for maintaining a Do-Not-Call list of individuals who do not wish to receive telephone solicitations made by Intuit Inc. or on behalf of Intuit Inc. (by its service providers) is available upon request. |
Do-Not-Call Policy
| Intuit maintains a Do-Not-Call list of individuals, including their telephone numbers, who have requested not to receive telephone solicitations from Intuit. | |||
| Intuit’s Do-Not-Call list applies to Intuit and all its subsidiaries. | |||
| Neither Intuit nor its service providers shall make telephone solicitations to the homes of individuals on Intuit’s Do-Not-Call list. |
| Page 13 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
| If an individual states that he or she does not want to receive telephone solicitation calls, the individual’s name and telephone number must be added to Intuit’s Do-Not-Call list. |
| Intuit must keep a record of an individual’s Do-Not-Call request for ten (10) years from the time the customer makes the request. | |||
| 3.7. | Service Provider shall maintain such records as are necessary to demonstrate its compliance with this Exhibit and shall permit Intuit, or a third party chosen by Intuit and reasonably acceptable to Service Provider, to audit Service Provider’s records and practices relating to its obligations under this Exhibit upon reasonable notice and during regular business hours, and at Intuit’s expense, at the locations where such records and data are maintained, for purposes of verifying Service Provider’s compliance. Intuit shall be provided with a description of all data flows and use of data upon request, and all such data flows and use of data re subject to approval by Intuit. | ||
| 3.8. | Service Provider shall immediately report to Intuit any failure to treat or protect — including specifically any unauthorized use or disclosure of — Intuit Customer Data as set forth in this Exhibit or the agreement it is incorporated into, including any related complaints about Service Provider’s information and collection practices, and to consult with Intuit as to correction thereof. Service Provider agrees that Intuit shall have the right to control and direct any response and/or correction of any such breach. | ||
| 3.9. | Service Provider shall provide Intuit with a contact name and contact information for communications related to this Exhibit, including compliance with or any breaches thereof. | ||
| 3.10. | Intuit may amend this Exhibit from time to time as may be required by law or otherwise. At Intuit’s discretion, Service Providers not willing or able to change practices in accordance with such amendments may be given 30 days to terminate. | ||
| Last Revised July 4, 2002. |
| Page 14 of 15 | Intuit Confidential |
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
Exhibit D
Intuit Suspicious Mail Handling Procedures
The following Intuit Package Handling Requirements shall apply to Harland, its subsidiaries and third party vendors (hereinafter, “Company”) in connection with one or more related service agreements involving the handling of Intuit mail and packages.
The accurate, timely, and proper handling of incoming and outgoing mail and packages are absolutely essential to each party’s business. To ensure that incoming Intuit mail and packages, including, but not limited to, Intuit Customer orders/returns and Intuit/Company vendor orders (“Intuit Materials”) are properly handled, all accesses to, uses of, and processing of Intuit’s Materials must be consistent with the package handling requirements, related procedures, and guidelines which are attached below as Attachment A. Company and Intuit shall comply with the Intuit Package Handling Requirements (as amended from time to time). Upon notice of an amendment, Company shall comply with such amendments to the Intuit Package Handling Requirements as soon as reasonably possible (not to exceed 30 days) based on the importance of the amendment and the severity of the issues that are addressed by the amendment.
Company shall establish and maintain its own organization-wide information security policies, standards, guidelines and procedures, which shall meet or exceed the requirements set forth in the Intuit Package Handling Requirements.
Company shall promptly conduct investigations of any breaches of such Intuit Package Handling Requirements, and shall take steps to remedy and prevent such breaches. Company shall take such further actions as it deems
Page 15 of 15 Intuit Confidential
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
