PRIVACY AND SECURITY APPENDIX
1. “Personal Information” means information for which Company provides access to Agent/Agency, or information which Agent/Agency has collected from an individual, in accordance with this Agreement that: (i) directly or indirectly identifies an individual; or (ii) can be used to identify or authenticate an individual.
2. Generally. Agent/Agency represents and warrants that, in generating the performing its services, Agent/Agency complied with all applicable law, including, without limitation, the California Consumer Privacy Act, and all other state and federal data privacy and protection laws and guidance (collectively the “Privacy Laws”).
3. Consents
a. Agent/Agency will ensure it has obtained any required consents as required under the Privacy Laws for Company and its affiliates to use any Personal Information:
i. as necessary for Company to fulfill its obligations under this Agreement,
ii. as needed for Company to comply with applicable law and as needed for Company’s own internal business purposes including building its own products and enhancing its services; and
iii. to ensure that Company and its affiliates may aggregate, de-identify, or anonymize data, which shall no longer be considered Personal Information, for its own research and development as well as to enhance their own products and services.
4. Information Security. At a minimum, Agent/Agency shall use commercially reasonable efforts to protect all Personal Information in its possession including: (i) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, device application, database and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls within media, applications, operating systems and equipment; and (vi) encrypting any Personal Information when stored on any media or transmitted over public or wireless networks.
5. Data.
a. Agent/Agency will be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information under its control or in its possession or the control or possession of its Sub-Agents.
b. Except as necessary to carry out its duties under this Agreement, Agent/Agency shall not use or disclose Personal Information about individuals who seek to obtain Products and Services through Company or its affiliates.
c. Agent/Agency will treat Personal Information as confidential, and limit access to Personal Information to those individuals who need to use the information in connection with the Agent/Agency’s services hereunder. Agent/Agency will establish appropriate safeguards for safeguarding the Personal Information within Agent’s control. Upon termination of this Agreement, Agent/Agency shall deliver Personal Information to Company and destroy all Personal Information relating to this Agreement, except as otherwise required by law.
d. Agent/Agency will disclose to Company, without unreasonable delay and in no event more than two (2) business days following discovery, potential or true instances of data breach incidents. This includes potential instances of incidents involving data that was encrypted. Potential incidents are not intended to include port scans, ping sweeps, unsuccessful login attempts, or other low-severity attempts that do not pass through Agent’s firewall, intrusion prevention system, or other external security protections.
e. Agent/Agency will not collect, use, retain, disclose, sell, or otherwise make Personal Information available for Agent/Agency’s own commercial purposes in a way that does not comply with the Privacy Laws.
f. Agent/Agency will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to market the Products and Services or another compatible operational purpose.
g. Agent/Agency must promptly comply with any consumer request or instruction requiring Agent/Agency to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.
h. Agent/Agency will ensure it has obtained any required consents as required under the Privacy Laws for Company and its affiliates to use any Personal Information:
1. as necessary for Company to fulfill its obligations under this Agreement,
2. as needed for Company to comply with applicable law and as needed for Company’s own internal business purposes including building its own products and enhancing its services; and
3. to ensure that Company and its affiliates may aggregate, de-identify, or anonymize data, which shall no longer be considered Personal Information, for its own research and development as well as to enhance their own products and services.