Data Protection Addendum
Savant and Customer have entered into, and may in the future enter into, one or more agreements (each a “License Agreement”) whereby Savant will provide Customer with access to the Savant Solution (as defined in the License Agreement). Subject to the terms of the License Agreement, Savant shall implement data security measures that are consistent with industry best practices and standards so that Savant:
a. Protects the privacy, confidentiality, integrity, and availability of all data which is disclosed by Customer to, or otherwise comes into the possession of, Savant, its affiliates or sub-contractors, directly or indirectly as a result of a License Agreement, including but not limited to Customer’s Confidential Information and any Customer personally identifiable information (“Customer Data”);
b. Protects against accidental, unauthorized, unauthenticated, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the Customer Data including, but not limited to, identity theft;
c. Complies with all federal, state, and local laws, rules, regulations, directives and decisions (each, to the extent having the force of law) that are relevant to the handling, processing, storing or use of Customer Data by Savant in accordance with this Agreement;
d. Manages, controls and remediates any threats that Savant identifies in its internal review of its security practices that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of the Customer Data, including without limitation identity theft; and
e. Complies with and implements the risk policies listed in this document, together with the data protection and confidentiality obligations of the License Agreement.
2. Organization Security Measures:
a. Environment: Savant shall provide assurance that it sets the foundation for the tone, discipline, and structure necessary to influence the control consciousness of its people and of the services provided to Customer.
b. Responsibility: Savant shall assign responsibility for information security management to appropriately skilled and senior personnel.
c. Qualification of Employees: Savant shall implement and maintain appropriate security measures and procedures, including background checks following industry best practices, to restrict access to information systems used in connection with the License Agreement or to Customer Data to only those personnel who are reliable, have sufficient technical expertise for the role assigned, and have personal integrity.
d. Obligations of Employees: Savant shall implement and maintain appropriate security measures and procedures in order to verify that any personnel accessing the Customer Data or information systems used in connection with the License Agreement knows his or her obligations and the consequences of any security breach.
e. Segregation of Duties: Savant shall provide reasonable assurance that its organization of personnel provides adequate segregation of duties between incompatible functions.
3. Physical Security Measures:
a. Physical Security and Access Control: Savant shall ensure that all systems hosting Customer Data and/or providing services on behalf of Customer are maintained consistent with industry best practices and standards in a physically secure environment that prevents unauthorized access, with access restrictions at physical locations containing Customer Data designed and implemented to permit access only to authorized individuals and to detect any unauthorized access that may occur, including without limitation 24 x 7 security personnel at all relevant locations.
b. Physical Security for Media: Savant shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to prevent the unauthorized viewing, copying, alteration or removal of any media containing Customer Data, wherever located.
c. Media Destruction: Savant shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and phones) containing Customer Data where that media or mobile device is no longer used, or alternatively to render Customer Data on that removable media or mobile device unintelligible and not capable of reconstruction by any technical means before re-use of the removable media or mobile device is allowed.
4. Computer System Access Control Measures:
a. Access Controls: Savant shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to ensure logical separation, so that access to all systems hosting Customer Data and/or being used to provide services to Customer shall: be protected through the use of access control systems that uniquely identify each individual requiring access; grant access only to authorized individuals and on the principle of least privilege; prevent unauthorized persons from gaining access to Customer Data; appropriately limit and control the scope of access granted to any authorized person; and log all relevant access events. These security measures and procedures shall include, but shall not be limited to:
b. Access Rights Policies: Savant shall implement appropriate policies and procedures regarding the granting of access rights to Customer Data in Savant’s possession or control, in order to ensure that only the personnel expressly authorized pursuant to the terms of the License Agreement or by Customer in writing may create, modify or cancel the rights of access of the personnel. Savant shall maintain an accurate and up to date list of all personnel who have access to the Customer Data and shall have the facility to promptly disable access by any individual personnel. For purposes of this Schedule, the term “personnel” as to Customer or Savant shall mean a Party’s employees, consultants, subcontractor or other agents.
5. Intrusion Detection/Prevention and Malware:
Savant shall use appropriate security measures and procedures (a) to ensure that Customer Data in Savant’s possession and control, and/or systems being used to provide Services, is protected against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, and (b) to monitor and record each and every instance of access to Savant’s assets and information systems and to Customer Data, to detect the same, and to promptly respond to the same. If any malicious code is found to have been introduced by Savant or any third party into any of Savant’s information systems handling or holding Customer Data, Savant shall take appropriate measures to prevent any unauthorized access to or disclosure of any Customer Data and in any case (wherever the code originated), Savant shall, at no additional charge to Customer, remove the malicious code and eliminate the effects of the malicious code. If the malicious code causes a loss of operational efficiency or loss of data, Savant shall monitor the losses and restore lost data in accordance with the terms of the Agreement. Unless, and to the extent, prohibited by law enforcement authorities, Savant shall immediately notify Customer’s Chief Information Security Officer if it knows or reasonably suspects that there has been an actual instance of unauthorized access to the Customer Data and/or systems holding or handling Customer Data, and shall cooperate fully in assisting Customer as necessary to enable Customer to comply with its statutory and other legal breach notice requirements, if any.
6. Savant Obligations. Savant will:
a. Implement and maintain appropriate incident response measures and procedures for systems that handle or hold Customer Data;
b. Ensure that all networks holding Customer Data are routinely monitored so that operational problems and security incidents are detected, reported, logged, and resolved in a timely manner.
c. In the unlikely event that applicable law requires Savant to process Customer Data other than pursuant to Customer's instructions, Savant will notify Customer (unless prohibited from so doing by applicable law);
d. Without undue delay upon becoming aware, inform Customer if, in Savant's opinion, any instructions provided by Customer infringe Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of that data (“GDPR”);
e. As soon as reasonably practicable upon becoming aware, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data in Savant’s possession or under its control (including when transmitted, stored or otherwise processed by Savant) (a "Security Breach");
f. Taking into account the nature of the processing, promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and all information in Savant's possession concerning the Security Breach, including, to the extent known to Savant, the following:
i. the possible cause and consequences of the Security Breach;
ii. the categories of Customer Data involved;
iii. a summary of the possible consequences for the relevant data subjects;
iv. a summary of the unauthorized recipients of the Customer Data; and
v. the measures taken by Savant to mitigate any damage;
g. Unless required to make a disclosure or announcement by applicable law, insofar as a Security Breach relates to Customer, not make any announcement about a Security Breach (a "Breach Notice") without:
i. the prior written consent from Customer; and
ii. prior written approval by Customer of the content, media and timing of the Breach Notice;
h. Taking into account the nature of processing and the information available to Savant, assist Customer when reasonably requested in relation to Customer’s obligations under EU Data Protection Laws with respect to:
i. data protection impact assessments (as that term is defined in the GDPR);
ii. notifications to the supervisory authority under EU Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and
iii. Customer’s compliance with its obligations under the GDPR with respect to the security of processing.
i. Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under Chapter III of the GDPR. Savant will promptly notify Customer of requests received by Savant, unless otherwise required by applicable law. Customer may make changes to Customer Data processed with the Savant Solution. Except as required by law, Savant will not make changes to that data except as agreed in writing with Customer.
j. Maintain records of its processing activities as required by Article 30(2) of the GDPR, and make those records available to the applicable supervisory authority upon request.
7. Data Management Controls Measures:
a. Customer Data: Customer Data must only be used by Savant for the purposes specified in the License Agreement.
b. Data Integrity Controls: Savant will implement and maintain appropriate security measures and procedures to protect the integrity of the Customer Data in Savant’s possession or control, to prevent the unauthorized recording, alteration or erasure of Customer Data, and to ensure that it is subsequently possible to determine when, by whom and which Customer Data were recorded, altered or erased.
c. Data Destruction: Savant will implement and maintain appropriate security measures and procedures to destroy Customer Data in Savant’s possession or control when appropriate and in accordance with the License Agreement. At the request of Customer at any time, Savant will: (i) promptly return to Customer, in the format and on the media reasonably requested by Customer, all or any part of Customer Data; and (ii) erase or destroy all or any part of Customer Data in Savant’s possession, in each case to the extent so requested by Customer. Customer acknowledges that Savant will have no liability for any limit on its ability to provide the Savant Solution as a result of Savant’s compliance with Customer’s request during any Term of the License Agreement.
d. Software Patching: Savant will implement and maintain appropriate security measures and procedures in order to ensure the regular update and patching of all computer software on systems that handle or hold Customer Data to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches.