Data Privacy and Security Agreement updated on April 6, 2017
DATA PRIVACY AND SECURITY AGREEMENT
This Data Privacy and Security Agreement (the “DPSA”) supplements the Hewlett Packard Enterprise (“HPE”) Cloud Cruiser Terms of Service (“TOS”). Terms not defined herein shall have the meaning set forth in the TOS, as applicable. In the event of a conflict between the DPSA and the TOS, the order of precedence in descending order is: the TOS, followed by the DPSA.
1.1 In this DPSA, the following words shall have the following specific meanings:
“Data Breach” shall mean any accidental, unlawful, or unauthorized destruction, alteration, disclosure, misuse, loss, compromise, or access to Client Data or any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by HPE Personnel in Processing Client Data or otherwise providing services under the HPE Agreements.
“Client Data” shall mean any and all Data provided by you, your customers, authorized agents and/or subcontractors to HPE, or otherwise Processed by HPE Personnel in connection with the provision of the Service under the HPE Agreements, including, without limitation, (i) all non-public information and data provided to or accessed by HPE Personnel through Client’s network or provided to or accessed by HPE Personnel for hosting or outsourcing services, (ii) Highly Restricted Data, (iii) Personal Data and/or (iv) On-Line Tracking Data. Client Data shall not include any Non-Identifiable Data as such term is defined in the TOS.
“HPE Personnel” means HPE and/or any employee, officer, agent, consultant, auditor, subcontractor, outsourcer or other third party acting on behalf of HPE or under the apparent authority of HPE in connection with providing the Service.
“Directive” means the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended or superseded from time to time.
“European Economic Area” and “EEA” mean the Member States of the European Union plus Norway, Iceland and Liechtenstein.
“Highly Restricted Data” shall mean Social Security or other government-issued identification numbers, medical or health information, account security information, individual financial account information, credit/debit/gift or other payment card information, account passwords, individual credit and income information, intellectual property, proprietary business models, pricing, customer infrastructure/system information or data flows and sensitive personal data as defined under applicable Privacy Laws (including the Directive).
“On-line Tracking Data” shall mean any information or data collected in relation to on-line activities which can reasonably be associated with a particular individual, computer or other device and used to deliver behavioral advertising.
“Personal Data” shall mean any information or data that alone or together with any other information relates to an identified or identifiable natural person, or data considered to be personal data as defined under applicable Privacy Laws.
“Privacy Laws” means any law, statute, directive, or regulation (including any and all legislative and/or regulatory amendments or successors thereto) regarding privacy, data protection, information security obligations and/or the Processing of Personal Data (including the Directive).
“Processing”, “Processed” or “Process” (whether in upper or lower case) shall mean any operation or set of operations which is performed upon Client Data irrespective of the purposes and means applied, including access, collection, recording, organization, adaptation, alteration, retrieval, consultation, retention, storage, transfer, disclosure (including disclosure by transmission), dissemination or otherwise making available, alignment, combination, use, blocking, erasure and destruction.
1.2 Client instructs and authorizes HPE to Process the Client Data provided to, or otherwise obtained by, HPE under the HPE Agreements and/or this DPSA for the sole and exclusive purpose of performing HPE’s obligations under the HPE Agreements and/or this DPSA.
2. HPE OBLIGATIONS
2.1 HPE undertakes and warrants that:
(a) HPE Personnel shall only Process Client Data in accordance with the TOS, U.S. Privacy Laws (where applicable) and the terms of this DPSA;
(b) HPE Personnel shall limit the disclosure and Processing of the Client Data to the extent necessary to provide the Service, or as otherwise permitted under this DPSA or by Client in writing, and shall only disclose Client Data on a need to know basis related to the provision of the Service;
(c) HPE shall take all reasonable steps to ensure the reliability of HPE Personnel that have access to the Client Data (including carrying out appropriate background checks) and shall ensure such HPE Personnel are appropriately trained in the care and handling of Client Data including Personal Data and their obligations under applicable Privacy Law;
(d) Upon written request from Client to delete the Client Data or any part thereof, HPE shall use commercially reasonable efforts to promptly delete the Client Data and all copies thereof. If applicable law does not permit HPE Personnel to destroy the Client Data, HPE Personnel shall not use such Client Data for any purpose other than the purpose required by such applicable law, the HPE TOS, and this DPSA, and shall remain bound at all times by the provisions of the DPSA with respect to any Client Data that remains in its possession, custody or control until such Client Data has been destroyed;
(e) HPE shall ensure that HPE Personnel who are authorized to Process Client Data are bound by restrictions and conditions substantially equivalent to those that apply to HPE under this DPSA;
(f) HPE will assist Client with all reasonable requests (including requests for access to Client Data) and/or notifications which may be received from data subjects or any third parties (including regulatory authorities) and will perform all acts reasonable and necessary to enable Client to comply with such requests and/or notifications at Client’s expense. HPE shall promptly notify Client of any such request or notification and, unless required by law, shall not respond to such request or notification unless instructed to do so in writing by Client.
2.2 Where HPE Personnel engage in or facilitate the tracking of consumers’ online activities, the obligations and requirements set out in this DPSA in relation to Personal Data shall also extend to On-Line Tracking Data.
3. INTERNATIONAL TRANSFERS
3.1 For transfers to countries outside the EEA: HPE may transfer Personal Data to countries outside the EEA with the prior written consent of Client.
3.2 With respect to any transfer of Personal Data, Client and HPE may require that additional requirements shall be met prior to such transfer taking place in order to comply with applicable law. Client shall be responsible for the reasonable costs of HPE complying with any such requirements provided that such costs have been pre-approved in writing by Client.
4. HPE’S DATA SECURITY OBLIGATIONS
4.1 HPE warrants and undertakes that HPE Personnel have in place and shall maintain appropriate industry standard physical, organizational and technical processes and procedures to protect against any Data Breach, in particular where the Processing involves the transmission of data over a network or storage of data at rest, and against all other unlawful forms of Processing of Client Data.
4.2 HPE shall, and shall ensure that all applicable HPE Personnel shall implement and maintain:
(a) Risk Management policies, procedures and tools which periodically evaluate organizational, administrative, system and technical risks.
(b) Asset Management policies, procedures and tools which (a) identify equipment and media used in the storage or Processing of Client Data; (b) assign responsibility for equipment and media to one or more custodians; and (c) require regular reviews of the asset inventory for accuracy and to identify missing equipment and media.
(c) Access Control and Identity Management policies, procedures and tools in which (a) data and system access rights are assigned to individuals according to their documented responsibilities and the principle of least privilege; (b) user and administrator accounts are assigned to individuals and required to have passwords, password rotation, failed authentication locks, and session timeouts; (c) issuance of privileged access accounts (e.g. administrator or root) requires management approval and such accounts are held to strict security standards.
(d) Awareness and Training policies, procedures, and tools which address (a) information security threats and best practices; (b) information security policies, procedures, and controls in place to protect Client Data; and (c) each HPE Personnel’s roles and responsibilities in the protection of Client Data.
(e) Accountability policies, procedures, and tools which ensure that (a) account actions can be traced to the individual using the account, (b) the time, date, and type of action are recorded for privileged account actions and account actions affecting Client Data, (c) recorded account actions are actively monitored and can be easily retrieved for analysis, and (d) consequences for policy violations are established, communicated, and acted upon.
(f) Contingency Planning policies, procedures, and tools which define roles and responsibilities and provide clear guidance and training on the proper handling of contingency events including: (a) natural threat events such as floods, tornadoes, earthquakes, hurricanes, and ice storms; (b) accidental threat events such as chemical spills, and mechanical or electrical failures; and (c) intentional acts such as privacy and security breaches, bomb threats, assaults, and theft.
(g) System Maintenance policies, procedures, and tools, including controls related to: (a) structured vulnerability management, including: regular scanning, penetration testing, risk analysis, and timely patching; (b) change management, including documentation of the purpose, security impact analysis, testing plan and results, and authorization for changes; (c) configuration management, including secure baseline configurations; and (d) monitoring to detect and generate alerts for unauthorized changes.
(h) System and Communications Protection policies, procedures, and tools to preserve the confidentiality, integrity, and availability of Client Data, including: (a) physical controls that restrict and monitor access to systems that Process Client Data; (b) technical and administrative controls that protect against malicious software (e.g. viruses, spyware, etc.); (c) technical and administrative controls that protect against malicious actors (e.g. social engineering, phishing, etc.); (d) encryption of data in transit across untrusted and public networks and, in the case of Highly Restricted Data, at rest in all locations where it is stored; (e) periodic encryption key rotation and management; (f) prohibition of Highly Restricted Data and Personal Data being Processed in non-production environments; (g) regular security control reviews and effectiveness testing; and (h) technical and administrative controls regarding remote access and mobile devices.
(i) Media Protection policies and procedures that implement controls to ensure that media containing Client Data is securely handled, including (a) encryption of Client Data on all mobile devices and removable storage; (b) requirement for secure sanitization and destruction methods for media that at any time held Client Data; and (c) requirement that all media, including paper, containing unencrypted Client Data be stored in a secure location.
(j) Reporting policies, procedures, and tools which provide Client with access to relevant documentation and reporting on the implementation, effectiveness, and remediation, if necessary, of the Appropriate Safeguards in place.
4.3 HPE Personnel shall regularly, but in no event less than annually, evaluate, test and monitor the effectiveness of the safeguards set forth in Section 4.2 and shall promptly adjust and/or update such safeguards as reasonably warranted.
4.4 In addition, at any point during the term of the Service, HPE shall, upon request, provide Client with a copy of HPE Personnel’s applicable security policies and procedures.
4.5 Payment Card Information: Prior to Processing any payment card information for the Service, HPE Personnel must comply, and remain in compliance at all times during the term of the HPE Agreements, at its own expense, with the Payment Card Industry Data Security Standards (“PCI DSS”). Before Processing any payment card information and annually thereafter, HPE Personnel may submit an attestation to Client stating that they are current in their applicable PCI Report on Compliance/Self-Assessment Questionnaire and PCI Quarterly Network Scan filings and that they remain PCI compliant, as well as any documentation supporting such attestation as reasonably requested by Client from time to time. If at any point HPE Personnel are not in compliance with the PCI DSS or are unable or unwilling to produce adequate evidence of compliance, Client may immediately terminate the Service without liability to Client other than the payment of fees due at the time of termination.
5. INFRASTRUCTURE SECURITY & CONNECTIVITY
5.1 The connection and mechanism used to transmit Client Data between HPE Personnel and Client shall be a secure solution approved by Client’s I/T organization. The duration of access shall be restricted to only those periods when access is required. HPE Personnel shall use commercially reasonable safeguards to protect against any compromise, unauthorized access or other damage to Client’s network and to secure the HPE Personnel’s networks and IT environments associated with the Service being provided to Client.
5.2 Upon request during the term of the Service, HPE Personnel shall provide Client with a network diagram that outlines HPE’s I/T network supporting the Service.
5.3 Upon request during the term of the Service, HPE shall provide a controls review report and remediation effort as applicable to the Service. The report shall include an assessment of HPE’s applicable general controls and security processes and procedures to ensure compliance with applicable Privacy Laws and industry standards, including if applicable the PCI DSS. The report should be performed at HPE’s expense as part of HPE’s ongoing information security program to evaluate HPE’s general security controls.
5.4 In addition to HPE’s internal control programs, HPE may have independent penetration tests and security vulnerability scans performed on its environment as relevant to this DPSA on a regular basis. HPE commits to remediate all vulnerabilities identified in a timeframe commensurate with the risk.
6. DATA BREACH
In the event of an actual or reasonably suspected Data Breach, HPE shall notify Client promptly (not later than 24 hours) after becoming aware of the Data Breach. Such notification shall be provided, at a minimum, by email to HPE’s primary business contact within Client. In facilitating investigation and remediation of a Data Breach, HPE Personnel shall reasonably cooperate with Client. HPE Personnel shall not inform any third party of any Data Breach, except as may be strictly required by applicable Privacy Laws, without first obtaining Client’s prior written consent, which consent shall not be unreasonably withheld. Details of any complaint received by HPE Personnel related to the Processing of Highly Restricted Data, Personal Data or On-Line Tracking Data shall be promptly sent to HPE’s business contact within Client. HPE shall take all necessary and commercially reasonable corrective actions, including as may be instructed by Client and required by applicable Privacy Laws, to remedy or mitigate any Data Breach.
7. PERSONAL DATA REVIEWS
On reasonable notice and during normal business hours, HPE shall: (a) promptly and properly respond to all reasonable inquiries from Client with respect to HPE’s handling of Personal Data in connection with the Service or HPE’s compliance with the DPSA; and (b) permit Client or its designee to inspect any Personal Data in the custody or possession of HPE in connection with the Service and to review HPE’s compliance with its obligations described in the DPSA including the security measures used to protect Personal Data.
8. HPE PERSONNEL
8.1 Processing of Client Data on HPE’s behalf by any subcontractor, outsourcer or third party shall meet the following requirements:
(a) All such HPE Personnel meet the requirements of Paragraph 2.1(e);
(b) HPE takes reasonable steps to ensure that such HPE Personnel comply with their obligations in respect of the Processing of the Client Data and shall review such HPE Personnel on a regular basis in respect of such Processing, which shall be at least annually and more frequently in the event of a Data Breach or other incident involving Client Data; and
(c) If the review conducted under clause 8.1(b) above reveals any deficiencies, breaches and/or failures on the part of the HPE Personnel to comply, or which may affect HPE Personnel’s ability to comply, with the requirements of this clause 8.1, HPE shall use all commercially reasonable efforts to work with the HPE Personnel to remedy such deficiencies, breaches and/or failures promptly and if a satisfactory remedy cannot be implemented within a reasonable period of time (as determined by HPE), HPE shall no longer be permitted to use such HPE Personnel to provide the Service in which case HPE Personnel shall be required to promptly delete any Client Data in its possession or control.
8.2 HPE shall comply with the provisions of the International Transfers section set out above as if HPE were Client and the HPE Personnel were HPE.
9. THIRD PARTY RIGHTS
9.1 Nothing in this DPSA shall confer any benefits or rights on any person or entity other than HPE and Client.