Insurance Requirements

Vendor shall maintain policies of insurance that comply with the requirements of this Exhibit B.  In the event Vendor elects to maintain a self-insured retention (“SIR”), prior to exhaustion of any SIR, Vendor agrees to respond to any insurance tender as though the impacted policies are first dollar policies.

Workers’ Compensation

Minimum Required Limits: Workers’ Compensation – Statutory Limits
Employer’s liability:
– $1,000,000 Each Accident for Bodily Injury by Accident
– $1,000,000 Each Employee for Bodily Injury by Disease
– $1,000,000 Aggregate Policy Limit for Bodily Injury by Disease
  
Required Terms and Conditions:
  • NCCI Workers Compensation and Employers Liability Insurance Policy form
  • Waiver of Subrogation in favor of Owner Indemnified Parties in the Agreement

Commercial General Liability: Vendor will maintain Commercial General Liability insurance covering all operations by or on behalf of Vendor on an occurrence basis against claims for bodily injury, property damage (including the loss of use thereof), personal injury and advertising injury. Such insurance will have these minimum limits, terms and conditions:

Minimum Required Limits: $5,000,000 General Aggregate Per Project
$5,000,000 Products and Completed Operations Aggregate
$5,000,000 Bodily Injury/Property Damage Per Occurrence
$5,000,000 Personal Injury and Advertising Injury Limit
(Limits may be a combination of Primary and Umbrella/Excess policies)
  
Required Terms and Conditions: ISO Commercial General Liability Policy (Occurrence Form)
Products and Completed Operations coverage maintained the longer of the applicable statute of repose or three (3) years after contract completion
Blanket Contractual Liability
Independent Contractors
Broad Form Property Damage
Cross Liability and Severability of Interest
No exclusion for Explosion, Collapse and Underground (XCU) coverage
Personal Injury and Advertising Injury
Incidental Medical Malpractice
Cybersecurity insurance
Include as Additional Insureds – Owner and the other Additional Insureds listed in Exhibit B of this Agreement
Waiver of Subrogation in favor of Owner and all other Owner Indemnified Parties in this Agreement

Automobile Liability: Vendor will maintain Business Auto Liability covering liability arising out of any auto (including owned, non-owned and hired autos),

Professional Liability (Errors and Omissions): Vendor will purchase and maintain Professional Liability insurance.

Minimum Required Limits: $2,000,000.
  
Required Terms and Conditions: Insured’s Interest in Joint Ventures (if applicable)
Punitive Damages Coverage (where not prohibited by law)
Limited Contractual Liability
Retroactive Date Prior to Start of Services
Extended Reporting Period of 36 Months or More
No Pollution Exclusion

Security and Privacy Addendum

This Security and Privacy Addendum (“Addendum”) dated as of [ ] (the “Effective Date”) is made by and between [INSERT APPLICABLE ENTITY] (“Company”) and [INSERT VENDOR NAME] (“Supplier”), and supplements the [NAME OF UNDERLYING AGREEMENT] between Company and Supplier dated as of [INSERT DATE OF ORIGINAL AGREEMENT] (the “Agreement”) with respect to the subject matter hereof.  In the event that any provisions of this Addendum conflict with the terms of the Agreement and/or any other agreement(s) between the parties, the provisions of this Addendum shall govern. The obligations herein shall survive expiration or termination of the Agreement to the extent that Supplier or any of its Representatives (defined below) has any Company Privacy Data (defined below) in its possession.

1.  Use of Company Privacy Data. Supplier will only access, use, maintain, store, collect, modify, adapt, merge, analyze, combine, aggregate, disclose, disseminate, erase, retain, make available, or otherwise process (“Process”) Company Privacy Data for the limited purpose of and solely as necessary for Supplier to perform its obligations under this Addendum and the Agreement on behalf of Company, and solely in compliance with all Applicable Law (as hereafter defined). Supplier is prohibited from using, retaining, disclosing, or otherwise Processing Company Privacy Data for any other purpose or otherwise outside of the direct business relationship between Company and Supplier. As between Supplier and Company, all Company Privacy Data is and will be deemed to be and will remain the exclusive property of Company. Supplier shall immediately notify Company if Supplier reasonably determines that it can no longer meet its obligations under Applicable Laws. Supplier shall not: (a) combine, update, comingle, or merge Company Privacy Data with any other Personal Data; (b) sell, rent, release, make available or otherwise disclose, Company Privacy Data for monetary or other consideration; (c) Process Company Privacy Data for behavioral or targeted advertising purposes; or (d) re-identify or attempt to re-identify information that has been deidentified or aggregated. Supplier shall not disclose or transfer Company Privacy Data to any third party, including, without limitation, any agent, contractor or sub-contractor, without the prior written permission of Company, except to the extent that a disclosure or transfer is required by law or is expressly authorized under the Agreement. Any such third party to which Supplier discloses Company Privacy Data shall be required by Supplier to enter into written contractual obligations that are no less stringent and protective of Company Privacy Data than the obligations imposed upon Supplier by this Addendum. 
The acts or omissions of Supplier’s employees, agents, representatives, contractors, subcontractors, subprocessors or affiliates (and such parties’ employees, agents, representatives, contractors, subcontractors, or subprocessors) (collectively, “Representatives”) will also be deemed the acts or omissions of Supplier and Supplier shall be fully and solely responsible for all such acts or omissions. Supplier shall not transmit any Company Privacy Data to any country outside of the jurisdiction from which such Company Privacy Data was collected without the prior written consent of Company and any such approved transfer must be in compliance with all Applicable Laws. Supplier and its Representatives shall immediately delete or securely return, at Company’s discretion, all copies of Company Privacy Data upon expiration or termination of the Agreement, or upon Company’s request. As used herein, “Personal Data” shall mean any information that identifies, relates to, describes, is capable of being associated with or identifying, or could reasonably be linked, directly or indirectly, with a particular individual, consumer, device, or household, including, without limitation, any inferences drawn therefrom or derivatives thereof, or any other information that is regulated as “personal data,” “personally identifiable information,”  “personal information,” or other terms of similar meaning under Applicable Laws. 
“Company Privacy Data” shall mean any Company confidential information and/or proprietary information; any information that identifies, relates to, describes, is capable of being associated with or identifying, or could reasonably be linked, directly or indirectly, with Company;  and any Personal Data obtained by or on behalf of Supplier, Processed by or on behalf of Supplier, or made available to Supplier or any third party on behalf of Supplier in connection with, or in relation to, the Agreement, this Addendum, and/or the provision of any products or services to, or on behalf of, Company, including, without limitation, any Personal Data that relates to or could be associated with Company, its employees, customers, and/or prospects, and/or other end-users of Company’s products, services, websites, advertisements, or content. Company Privacy Data includes any aggregated, de-identified or other derivative of other Company Privacy Data. “Applicable Law” shall mean all applicable laws, rules, regulations, ordinances, regulatory guidance, rulings, decisions, and interpretations, and industry guidelines, including, without limitation, the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, MA 201 C.M.R. §§ 17.00 et seq., the New York SHIELD Act, and all other applicable privacy, security, and data protection laws and regulations and all related amendments and implementing regulations, all as may be amended, restated or replaced from time to time.

2.  Assistance.  Supplier shall make available to Company all information necessary to demonstrate compliance with Applicable Law. Without limiting the foregoing, Supplier agrees that Company may take reasonable and appropriate steps to help ensure that Supplier Processes Company Privacy Data in a manner consistent with Company’s and Supplier’s obligations under Applicable Law, and stop or otherwise remediate unauthorized Processing of Company Privacy Data. Should Company receive a request from an individual exercising their rights under Applicable Law, Supplier shall promptly (and in any event, within five (5) days) and at no charge to Company, assist Company in the fulfillment of Company’s obligation to respond to such request. If Supplier receives a request directly from an individual, Supplier will, to the extent not prohibited by Applicable Law or any regulatory authority: (a) promptly (and in no event longer than 24 hours after receipt of such request) notify the designated representative for Company and forward the request to Company for handling; (b) if requested, provide Company with copies of documents or other relevant data relating to the request; (c) not refer to Company or its affiliates in any correspondence with the requester without Company’s prior written consent; (d) not disclose any confidential information of Company or its affiliates without Company’s prior written consent and (e) communicate with the individual in accordance with Company’s instructions. Supplier shall maintain a record of how it assisted Company in responding to each individual rights request. Supplier shall further assist Company in ensuring compliance with Company’s obligations pursuant to Applicable Law with respect to the Processing of Company Privacy Data, taking into account the nature of Processing and the information available to Supplier. 
Supplier shall maintain complete, accurate, and up-to-date written records of all Processing activities carried out on behalf of Company and shall make available to Company such records and other information as is reasonably requested by Company to demonstrate Supplier’s compliance with its obligations under Applicable Law and this Addendum. Supplier shall promptly inform Company of any requirement under Applicable Law that would require Processing Company Privacy Data in any way other than per Company’s instructions, or if Company’s instructions may infringe or violate Applicable Law. Supplier shall, upon Company’s request, cooperate in good faith with Company to enter into additional or modified contract terms to address any modifications, amendments, or updates to Applicable Law. 

3.  Security. Supplier will keep confidential Company Privacy Data, and will limit access to such Company Privacy Data only to those of its Representatives who have a need to access Company Privacy Data as necessary for Supplier to comply with its obligations under the Agreement, and will ensure that such Representatives have executed a written agreement that is at least as protective of the Company Privacy Data as the terms of this Addendum. Without limiting any specific security requirements contained in the Agreement and/or any other agreement between the parties, Supplier represents and warrants that it has adopted and implemented, and will maintain for as long as the Agreement is in effect or as long as Supplier Processes Company Privacy Data, whichever is later, appropriate physical, administrative, technical and organizational measures sufficient to protect all Company Privacy Data against accidental, unauthorized, or unlawful Processing, destruction, loss, alteration, communication, use, disclosure, and access, and against all other unlawful activities. Such measures shall comply with the requirements under Applicable Law. Without limiting the generality of the foregoing, Supplier warrants that it shall at all times comply with all security standards and procedures set forth in the Center for Internet Security CIS Controls 8.0 for Implementation Group 3 (or successor version). Supplier represents and warrants that it has a comprehensive written program instructing its Representatives how to protect all Company Privacy Data, in conformance with the standards provided in Applicable Law, and that it will train its Representatives on such program. 
Supplier shall ensure that (a) any Company Privacy Data transmitted over a network, whether via email, file transfer protocol, or other means of electronic exchange, and (b) any Company Privacy Data stored on a portable device, including but not limited to a laptop computer or USB drive, shall be encrypted using a cryptographic algorithm employing a key length of at least 256 bits. In the event Supplier accesses any Company system, infrastructure, software, hardware, property, computer, device, or equipment (collectively, “Company Systems”), Supplier shall: i) connect only in the manner and through the means authorized by Company and in accordance with any policies, guidelines, or restrictions provided by or on behalf of Company; ii) not connect, access, or use (nor attempt to connect, access, or use) any Company System without the prior authorization of Company; iii) not use personal or shared accounts; iv) not attempt to gain unauthorized access to any Company System or other user’s account; v) not, nor attempt to, use any Company System in any way that is illegal; is abusive; is harmful to or interferes with Company’s other networks or systems or the networks or systems of any other entity; infringes, misappropriates, or otherwise violates the privacy, proprietary, or other rights of any party; or creates a security risk or vulnerability; vi) be responsible for all Company equipment issued to Supplier or in Supplier’s possession or control; and vii) return any Company equipment when no longer required to complete the services under the Agreement, if the Agreement is terminated, or immediately upon Company’s request. 
Supplier shall be deemed to be in material breach of this Addendum in the event that the acts or omissions of Supplier or any of its Representatives cause, result in, or contribute to any damage to, unauthorized or accidental access to, unauthorized Processing of, loss of, loss of control over, unavailability of, alteration of, and/or disclosure, communication, acquisition, use, reproduction, modification, destruction, or deletion of, vulnerability to, or misuse of any Company System, database, data, materials, or Company Privacy Data. Company Privacy Data shall not be Processed or stored in a cloud or outsourced environment unless preapproved by Company in writing and there is transport encryption in place for communications with and among cloud or outsourced elements.

4.  Data Incidents. In the event of any actual or reasonably suspected unauthorized, unlawful, and/or accidental access to, loss of control over, and/or loss, unavailability, alteration, Processing, disclosure, communication, acquisition, use, reproduction, modification, destruction, or deletion of Company Privacy Data (“Data Incident”), Supplier shall inform Company within twenty-four (24) hours of discovery of the Data Incident. Supplier shall promptly investigate and remediate the Data Incident and provide Company with assurances satisfactory to Company that a similar Data Incident will not reoccur. Supplier agrees to fully cooperate with Company in Company’s investigation and handling of the matter. Except as required by law, Supplier shall not notify any third party of the Data Incident without Company’s prior, written authorization. Supplier shall indemnify and reimburse Company for all costs and liabilities incurred in responding to and/or mitigating damages caused by, or associated with, a Data Incident.

5.  Audit. Company reserves the right to conduct regular manual and/or automated reviews, scans, audits, and assessments, including, without limitation, on-site audits and testing of any locations where Company Privacy Data is Processed, to monitor, assess, and ensure Supplier’s compliance with its obligations under Applicable Law and this Addendum. Supplier shall otherwise cooperate with Company in Company’s efforts to monitor Supplier’s and its Representatives’ compliance. On an annual basis, Supplier will conduct a SSAE18 SOC II Type II audit, or other audit acceptable to Company in its sole discretion, of Supplier’s internal controls and will promptly provide the results of such audit to Company, upon Company’s request. Supplier will promptly, at its sole expense, remediate any material deficiencies identified in any audit and provide documentation of its remediation of such deficiencies to Company.

6. Representations and Warranties/Indemnities.  Supplier certifies that it understands the restrictions on its Processing of Company Privacy Data as set forth herein and represents and warrants that it will comply with all Applicable Law in the fulfillment of its obligations and otherwise in its rendering of services to Company. Supplier agrees to indemnify, defend and hold harmless, on demand, Company, including its parent, subsidiaries, affiliates and each of their respective officers, shareholders, directors, employees, agents and contractors, from and against any demands, investigations, claims, losses, damages, liabilities, costs or expenses (including reasonable attorneys’ fees) arising out of or relating to: a) Supplier’s or its Representatives’: i) acts or omissions, ii) performance or non-performance of Supplier’s obligations set forth in this Addendum and/or breach of, alleged breach of, and/or failure to comply with this Addendum, and/or iii) failure, or alleged failure, to comply with any Applicable Law; and/or b) any Data Incident. The parties agree that no disclaimer of damages, cap on liability, or other limitation of liability contained in the Agreement will apply to Supplier’s obligations under this Addendum or a Data Incident. Supplier acknowledges and agrees that a threatened or actual breach of this Addendum will result in irreparable harm for which monetary damages will not provide a sufficient remedy.  Supplier agrees that Supplier’s failure to comply with any of the provision(s) of this Addendum shall be deemed a material breach of the Agreement and, without limiting any of Company’s other rights or remedies under the Agreement or at law, Company will have the right to terminate the Agreement without liability to Supplier upon written notice to the Supplier in the event of any such failure to comply with any of the provision(s) of this Addendum by Supplier (or a third party working on behalf of Supplier).  

7. Additional Details of Processing.

The parties anticipate that Supplier will Process Company Privacy Data under this Addendum and the Agreement as described below:

Types of Personal Data to be Processed: ________________________________________
Subject Matter and Duration: As set forth under this Addendum and the Agreement.
Nature and Purpose of Processing: ________________________________________
Obligations/Rights of Company: As set forth under this Addendum and the Agreement.
Categories of Data Subjects: ________________________________________