Data & Network Security Schedule (V10 September 2019)
This global Data & Network Security Schedule (“DNSS”) and its Addenda form part of the Agreement or
Purchase Order. Capitalized terms not specifically defined herein shall have the meaning set forth in the
Agreement. This DNSS shall be considered a Schedule under the Agreement and shall be deemed a part
of the Agreement by and between [insert MICRO FOCUS company/entity] (“MICRO FOCUS”), a [insert
country] corporation, having a principal place of business at [insert address], and [insert Supplier Name]
(“Supplier”).
1. PURPOSE OF THE DNSS & ORDER OF PRECEDENCE.
1.1 Purpose of the DNSS. The purpose of the DNSS is to establish:
1.1.1 Supplier’s obligations in relation to the use and Processing of Data;
1.1.2 Minimum data security standards applicable to the Services or Products provided by Supplier; and
1.1.3 Minimum security standards to be met by Supplier in relation to the Processing of Data and access to MICRO FOCUS Information Systems.
1.2 Order of Precedence. Nothing in this DNSS relieves Supplier of any obligations under the
Agreement, nor shall be deemed a waiver by MICRO FOCUS of any rights or remedies therein.
In the event any term or condition in this DNSS conflicts with a term or condition of any
Agreement with Supplier, then the term or condition of this DNSS shall take precedence and
control over any conflicting terms in the Agreement.
1.3 Addenda to the DNSS:
Addendum 1 - Minimum Information Security Requirements
Addendum 2 - Privacy
- Appendix 1 Standard Contractual Clauses for Processors
- Appendix 2 HIPAA
- Appendix 3 German Commissioned Data Processing Agreement
2. DEFINITIONS.
2.1 “Agreement” means any terms and conditions under which Supplier will provide Services or
Products to MICRO FOCUS, as requested from time to time, and as may further be described
in Addenda that may be attached.
2.2 “Applicable Laws” means applicable local, state, and federal laws, executive orders, rules,
regulations, ordinances, codes, orders, and decrees of all governments or agencies of
domestic or foreign jurisdictions (including privacy laws) in which Services are performed or to
which Services are provided pursuant to the Agreement.
2.3 “Agent/Subcontractor Agreement/ Business Associate Agreement” or “ASA/BAA” means
the agent/subcontractor agreement or business associate agreement required by MICRO
FOCUS in relation to protected health information as defined under HIPAA.
2.4 “Customer” means an enterprise customer of MICRO FOCUS or its Affiliates.
2.5 “Confidential Data” means all non-public proprietary or confidential information of MICRO FOCUS or a third party (including a Customer) which is obtained by or made available to Supplier in connection with the Services, whether in oral, visual, written, electronic or other
tangible or intangible form, whether or not marked or designated as “confidential” and including, without limitation, information relating to strategy, MICRO FOCUS financials, analytical reports, pricing, internal processes or policies; provided, however, that Confidential Data does not include any information that: (a) is obtained by Supplier on a non-confidential basis from a third party that was not legally or contractually restricted from disclosing such information; (b) was in Supplier’s possession prior to MICRO FOCUS’ disclosure hereunder; or (c) was or is independently developed by Supplier without using any Confidential Data.
2.6 “Data” means Confidential Data, MICRO FOCUS Personal Data and all other non-public data
Processed by Supplier through the MICRO FOCUS Information Systems or provided to or
accessed by Supplier in connection with the Services.
2.7 “Information Security Assessment” means a review of systems used to support MICRO
FOCUS by an individual or individuals who are knowledgeable in the security assessment of
software. Qualified individuals have demonstrated these skills by obtaining the Offensive
Security Certified Professional (OSCP) certification, or through a combination of years of experience and
Common Vulnerabilities and Exposures (CVE) credits, as approved by MICRO FOCUS.
2.8 “Sensitive Personal Data” means any information (a) relating to a person’s racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership, health or
sex life (or as otherwise defined by applicable Privacy Law); (b) which may facilitate identity
theft; (c) which may permit access to an individual’s financial account; (d) which requires
notification under any data breach notification law if compromised; and (e) Social Security
Number (SSN) or National ID number, driver's license number, credit or debit card information
or other payment card information, bank account or other financial information, health care,
insurance or payment information.
2.9 “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, 42
U.S.C. §§ 1320d – 1320d-8.
2.10 “MICRO FOCUS Personal Data” means any Personal Data, including Sensitive Personal Data
of which MICRO FOCUS, its affiliates or Customers is the Controller (as defined in Addendum
4 to the DNSS) which MICRO FOCUS or its Affiliates will provide to Supplier for Processing on
its or their behalf.
2.11 “Information Systems” means any systems, including, but not limited to, net-services,
networks, computers, personal computing devices, mobile devices, removable media,
communication systems and other information systems used, and all associated authentication
methodologies.
2.12 “Network Connection” means a connectivity method into MICRO FOCUS Information
Systems which is approved by MICRO FOCUS.
2.13 “Personal Data” means any information relating to an identified or identifiable living individual
(such as name, mailing address, phone number or email address) or as otherwise defined by
applicable Privacy Law.
2.14 “Payment Card” means any payment card/device that bears the logo of the founding
members of the PCI DSS, which are American Express, Discover Financial Services, JCB
International, MasterCard Worldwide, or Visa, Inc., including, but not limited to, credit cards,
debit cards and gift cards.
2.15 “Payment Card Industry Security Standards Council” or “PCI-SSC” is the consortium of
the major credit card companies that is responsible for the development, management,
education, and awareness of the PCI Security Standards, including the Data Security Standard
(PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction
Security (PTS) requirements.
2.16 “Process”, “Processing”, or “Processed” means any operation or set of operations which is
performed whether or not by automatic means (including, without limitation, accessing,
collecting, recording, organizing, retaining, storing, adapting or altering, retrieving, consulting,
using, disclosing, making available, aligning, combining, blocking, erasing and destroying Data)
and any equivalent definitions in Applicable Laws to the extent that such definitions should
exceed this definition.
2.17 “Product” or “Products” means any software, code, or logic bearing component (including,
but not limited to, applications, mobile applications, websites, iframes, pixel tags, operating
system software, BIOS and firmware, middleware, software development kits, compiled
binaries, source code, open source, processors, memory cards, or storage capable
components).
2.18 “Security Breach” means an actual or reasonably suspected breach of security leading to the
accidental or unlawful destruction, loss, exfiltration, alteration or unauthorized disclosure of, or
access to Data, Information Systems, Product or Service.
2.19 “Service” or “Services” means the services to be provided by Supplier pursuant to this
Agreement, as further described in a Statement of Work.
2.20 “Supplier” includes any third party who Processes Data, or provides a Service or Product in
the fulfilment of Supplier obligations under the Agreement.
2.21 “Supplier’s Facilities” means the facilities in or from which Supplier or its agents, employees
or subcontractors Processes Data.
3. ACCESS, USE, AND DISCLOSURE.
3.1 Supplier shall only Process Data and access Information Systems to the extent and manner
necessary to provide the Services, in accordance with MICRO FOCUS’ instructions as set out
in this Agreement or as otherwise authorized by MICRO FOCUS in writing.
3.2 Supplier shall comply with the obligations set out in Addendum 4 (Privacy) in relation to the
Processing of MICRO FOCUS Personal Data.
3.3 Any access to or use of MICRO FOCUS Information Systems or Processing of Data by or on
behalf of Supplier for any other purpose shall be deemed a material breach of the Agreement
by Supplier.
3.4 Supplier shall not sell, rent, transfer, distribute, disclose, copy, alter, or remove MICRO FOCUS
Data, MICRO FOCUS Information System, or Product unless authorized in writing by MICRO
FOCUS.
3.5 In the event of any change to the scope of the Services, Products or Data made available to Supplier, the parties shall review the DNSS and consider any amendments required by either party as a consequence of the change in scope.
4. SECURITY REQUIREMENTS.
4.1 Supplier shall:
4.1.1 Ensure all Processing of Data and provisioning of Services and Products complies with all Applicable Laws. Supplier shall ensure that, where required, Supplier has made the appropriate legal notifications, filings, and registrations and obtained the appropriate permits, as required by Applicable Laws. If Supplier cannot Process the Data or provide Services or Products in accordance with such Applicable Laws and this DNSS, or believes that MICRO FOCUS instructions violate Applicable Laws, then Supplier shall immediately notify MICRO FOCUS in writing.
4.1.2 Meet or exceed physical, technical, and administrative safeguards as identified in this DNSS and any of its Addenda, including the HIPAA BAA/ASA (Annex 2 to Addendum 4), to ensure that MICRO FOCUS Data, Product and Services are protected against Security Breach.
4.1.3 Impose on Supplier subcontractors the same obligations imposed on Supplier under the Agreement and this DNSS for the protection of Data, Services, and Products. Supplier shall be responsible for the acts and omissions of its Subcontractors including such actions resulting in a breach of this Agreement.
4.1.4 Designate in writing a primary and alternate information security program manager to act as Supplier’s contact.
(a) Primary (Name, Title, email): __________________________
(b) Alternate (Name, Title, email): _________________________
4.1.5 Develop, implement and maintain a comprehensive information security program with information security industry standard safeguards in place to define roles and responsibilities, protect Data and to provide Services or Products which comply with the contractual obligations set out in this DNSS and the Agreement. Supplier shall ensure that such information security program is documented, available, and communicated to Supplier employees and subcontractors.
4.1.6 Provide (a) appropriate training in relation to the handling and protection of Personal Data; and (b) annual training regarding compliance with physical, technical, and administrative information security safeguards and compliance with this DNSS to Supplier employees and subcontractors.
4.1.7 Regularly, no less frequently than annually, test and monitor the effectiveness of Supplier’s and Supplier subcontractor’s security program relating to Data, Services and Product to ensure compliance with the security requirements of the Agreement, this DNSS and Applicable Laws. Supplier shall adjust and strengthen its information security program based on the results of such testing and monitoring, as well as in response to operational changes that may have a material effect on Supplier’s information security program.
4.2 Personnel Security. Supplier shall:
4.2.1 Ensure that criminal background checks and drug screenings, consistent with Applicable Laws, are conducted for all employees and subcontractors who provide Product or Services or Process Data.
4.2.2 Perform criminal background checks which must include all cities, counties, states and federal jurisdictions (or equivalent) where the employee or subcontractor resided or worked for the past seven (7) years. Both felony and misdemeanor records must be checked.
4.2.3 Within the scope of the background check, not assign any person to perform work under the Agreement who has been convicted of a computer, violent, property, fraud, or financial crime which should reasonably preclude the individual from performing the assigned work.
4.2.4 Agree to the MICRO FOCUS Drug Testing and Background Check Addendum, subject to Applicable Laws, if any employee, agent or subcontractor of the Supplier is expected to or does perform work under the Agreement at any MICRO FOCUS site, or on behalf of MICRO FOCUS at a customer site, for 30 or more days during any given 12-month period.
5. DATA, SERVICE AND PRODUCT SECURITY REQUIREMENTS.
5.1 Mobile Device Security. If Supplier is using mobile devices to support or provide Services to
MICRO FOCUS, Supplier shall:
5.1.1 Implement a policy that prohibits the use of any mobile and portable devices that are
not administered and/or managed by Supplier.
5.1.2 As defined in Addendum 1, section 4, use encryption, to protect all Data stored on,
transmitted by, or remotely accessed by mobile and portable devices.
5.1.3 When using network-aware mobile and portable devices that are not laptop computers
to access and/or store Data, such devices must:
(a) Apply remote wipe capabilities;
(b) Promptly initiate deletion of all Data when the device is lost or stolen; and
(c) Automatically delete all stored Data after a reasonable number, not to exceed ten (10), of consecutive failed login attempts.
5.2 Call Recording Data. If Supplier is Processing call recordings, then this section shall apply.
5.2.1 Supplier shall not enable, activate, nor make operational any call recording capabilities
for Data collected and processed on behalf of MICRO FOCUS unless approved by
MICRO FOCUS in writing.
5.2.2 Supplier shall notify the other party that Supplier is recording the conversation
(“Recording Notice”) and include the ability to disable inbound and outbound call
recordings if so requested.
5.2.3 Recording Notice shall comply with Applicable Laws and must include the clear and
specific purpose of the recording such as quality monitoring, workforce management,
agent and customer service representative training, evaluation and verification, dispute
resolution or accurate incident reconstruction.
5.2.4 Supplier must obtain MICRO FOCUS’ written permission before recording 50% or more of
the calls it handles on behalf of MICRO FOCUS.
5.2.5 If Supplier intends to use call recordings for Supplier’s internal training purposes,
Supplier shall redact all Personal Data.
5.2.6 Call recordings must be promptly deleted after Supplier satisfies the specific purpose
stated in the Recording Notice, which must in no case be longer than 90 calendar days
after the original recording was made, unless otherwise authorized by MICRO FOCUS
in writing.
5.2.7 Call recordings must be protected in accordance with this DNSS and the Agreement.
5.3 Cloud, XaaS, ASP or other Hosting Services. If Supplier will be hosting or providing a MICRO
FOCUS customer-facing or MICRO FOCUS employee-facing solution/service/website (“Solution”), this
section shall apply.
5.3.1 For any MICRO FOCUS customer or MICRO FOCUS employee-facing Solution hosted
on behalf of MICRO FOCUS, but not MICRO FOCUS branded, Supplier shall (a)
clearly and conspicuously communicate to users that Supplier is the Solution provider;
and (b) clearly and conspicuously communicate Supplier’s privacy policy to the users. If
the Solution is co-branded, both companies’ privacy policies must be clearly and
conspicuously posted.
5.3.2 Prominently notify users if their Data will be hosted or Processed outside the country of
origin, as required by Applicable Law.
5.3.3 Provide appropriate controls to maintain logical data segregation of Data from
Supplier’s other customer data. It must not be possible for data to be disclosed to other
parties, nor should Supplier personnel with direct access to Data have cross customer
access with MICRO FOCUS competitors.
5.3.4 For any internet-accessible application requiring MICRO FOCUS user access, Supplier
shall implement federated authentication by accepting SAMLv2 assertions issued by MICRO FOCUS.
5.3.5 Ensure Solution is routinely scanned for viruses.
5.3.6 Ensure the Solution is free of common web application security vulnerabilities as
defined by, but not limited to, the OWASP Top 10
(https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
5.3.7 Any vulnerability findings discovered by either MICRO FOCUS or Supplier will be
addressed in a mutually agreed upon Remediation Plan, and Supplier shall comply
with, and complete, such Remediation Plan within the mutually agreeable timeframe set
forth therein.
5.3.8 Must not load or reference third-party hosted code (such as JavaScript) unless the provider of
that code is bound by contract to Supplier, so that the code remains subject to the security
controls set out in this DNSS.
5.4 Processing Payment Cards. If Supplier will be Processing Payment Card Data, then this section
shall apply. All capitalized terms used in this section 5.4, but not defined in this DNSS, shall
have the meaning ascribed to them in PCI SSC DSS.
5.4.1 Supplier shall comply with the current Payment Card Industry Security Standards
Council Data Security Standards ("PCI SSC DSS").
(a) Prior to commencement of Services and annually thereafter, Supplier shall
provide (i) a copy of the executive summary from the current Report on
Compliance (“RoC”) or a letter of attestation signed by a PCI SSC certified QSA
describing the scope and Services assessed; and (ii) an Attestation of
Compliance (“AoC”) signed by a PCI SSC certified QSA.
(b) PCI compliance artifacts as described in this section 5.4 shall be submitted to
MICRO FOCUS via encrypted email.
5.4.2 Upon completion of the Services under any Statement of Work or termination of the
Agreement, Supplier will promptly remove all Payment Card Data from Supplier’s
Information Systems in accordance with the process required under PCI SSC DSS or
other applicable standard, and in any case no later than 90 days after such completion or
termination.
5.4.3 Supplier will notify MICRO FOCUS immediately if at any time Supplier is not in
compliance with PCI SSC DSS and if at any time Supplier knows of any third party
claim regarding PCI SSC DSS compliance.
6. INFORMATION SECURITY ASSESSMENTS
6.1 Information Security Assessments. MICRO FOCUS, or a third party chosen by MICRO FOCUS,
may perform a security assessment (“Information Security Assessment”) of Supplier’s
Information Systems, Services, Solutions and Products. Supplier will work cooperatively with
MICRO FOCUS to determine whether additional or different security measures are required to
protect the Data, Services or Product. Any Information Security Assessment performed by
MICRO FOCUS shall be subject to the limitations identified in section 6.3 of this DNSS.
6.1.1 MICRO FOCUS may perform an Information Security Assessment:
(a) Prior to Supplier providing service to MICRO FOCUS (“Pre-service
Assessment”);
(b) Annually or upon termination/expiration of the Agreement, upon at least 10
calendar days advanced written notice from MICRO FOCUS (“Routine
Compliance Assessment”); and
(c) In the event of a Security Breach and upon one calendar day prior written
notice. MICRO FOCUS reserves the right to be a participant in, and Supplier
shall cooperate with such participation in, any Security Breach investigations
involving Data, including MICRO FOCUS’ review of forensic data relating to the
Security Breach.
6.1.2 Supplier shall promptly disclose to MICRO FOCUS all relevant information requested
by MICRO FOCUS in order to allow MICRO FOCUS to complete a security risk
assessment. Supplier shall permit MICRO FOCUS to perform an Information Security
Assessment using industry standard tools and manual techniques. The results of the
Information Security Assessment shall be treated as both Confidential Data and
confidential data of the Supplier.
6.1.3 During an Information Security Assessment, MICRO FOCUS, or a third party selected
by MICRO FOCUS, may (a) inspect Supplier’s Facilities where Data is Processed,
Services are performed, or Product is developed, and, (b) view copies or extracts of
Supplier’s records and processes resulting from Supplier’s fulfilment of the
requirements of the Agreement, including this DNSS. MICRO FOCUS reserves the
right to perform an Information Security Assessment by any of the following methods:
onsite inspection, questionnaires with requests for supporting documentation, technical
testing, conference calls, or a combination of such methods.
6.1.4 If MICRO FOCUS reasonably determines that any portion of the Information Security
Assessment must be performed at Supplier’s Facilities, the assessment will be
performed (a) not more frequently than once per calendar year (unless there has been
a Security Breach), (b) at MICRO FOCUS’ expense for travel and per diem, (c) on a
date and time mutually agreeable to Supplier and MICRO FOCUS, and (d) pursuant to
any other restrictions and/or limitations mutually agreed to by MICRO FOCUS and
Supplier in writing.
6.2 Vulnerability Assessment and Scanning. MICRO FOCUS may perform periodic vulnerability
assessments using industry standard tools and processes including penetration testing and
review by individuals and teams who are chartered with such review to assess the security of
Supplier, Services, and Product (“Vulnerability Scanning”).
6.2.1 Assessment results shall be communicated to Supplier and treated as both
Confidential Data and confidential data of Supplier.
6.2.2 Authorized MICRO FOCUS cyber security professional(s) may work with Supplier to
identify and validate review and scan findings on production and test systems.
6.2.3 If Supplier utilizes a third party co-location facility in support of Services, Supplier shall
be responsible for (a) informing such third party of MICRO FOCUS’ rights and (b)
ensuring Supplier has written authorization from such third party allowing MICRO
FOCUS to conduct Vulnerability Assessment and Scanning.
6.2.4 The Vulnerability Assessment process includes background research using publicly
available information.
6.3 Scope of Information Security Assessments and Vulnerability Scanning. Information Security Assessments, and Vulnerability Scanning shall not entitle MICRO FOCUS to view, or in any way access records and/or processes:
6.3.1 Not directly related to Data Processed or Services provided by Supplier to MICRO
FOCUS;
6.3.2 In violation of Applicable Laws; and/or
6.3.3 In violation of Supplier’s confidentiality obligations owed to a third party that Supplier
makes MICRO FOCUS aware of in writing.
6.4 Remediation Plan. Any findings during an Information Security Assessment will be addressed in a mutually agreed upon remediation plan and Supplier shall comply with, and complete, such remediation plan within a mutually agreeable timeframe set forth therein (“Remediation Plan”).
7. NOTIFICATION.
7.1 All Notifications, whether related to Security Breach, Inquiry, or DNSS non-compliance,
shall be made to the MICRO FOCUS Cyber Defense Center via (a) email at
[email protected] and (b) telephonically to 9-1-806-151-5713 or 9-1-806-151-
5714.
7.2 Notification of Security Breach. In the event that Supplier experiences or reasonably suspects a
Security Breach affecting Data, Services or Products, Supplier shall use commercially
reasonable efforts to provide MICRO FOCUS with Notification within 12 hours after Supplier
becomes aware of the Security Breach.
7.3 Notification of Inquiry. Except where expressly prohibited by Applicable Laws, Supplier shall,
prior to any disclosure, notify MICRO FOCUS of any claim or information request it receives from
a judicial or governmental authority, Customer or MICRO FOCUS employee (each,
for purposes of this DNSS, an “Inquiry”) to allow MICRO FOCUS to object and intervene.
7.3.1 In the event Supplier is expressly prohibited by law from notifying MICRO FOCUS, Supplier shall formally request the inquirer to seek the Data directly from the Data Controller.
7.3.2 Notification of an Inquiry to MICRO FOCUS shall include a copy of the request and any supporting details. Supplier shall use commercially reasonable efforts to provide MICRO FOCUS with notification within 12 hours after Supplier becomes aware of an Inquiry.
7.4 Within 5 business days of receipt, Supplier shall promptly provide MICRO FOCUS with such
information and assistance, at no additional cost to MICRO FOCUS, as is required by any court
of competent jurisdiction or national regulatory authority, or as is required to timely respond to or
otherwise address any Inquiry, access request, complaint, enforcement notice, claim or similar
action raised.
8. NETWORK CONNECTIVITY & NETWORK SECURITY.
If Supplier is (1) utilizing a remote Network Connection or (2) utilizing a Network Connection at a
MICRO FOCUS Facility to Process Data or provide Services, this section shall apply.
8.1 Supplier’s Use of Network Connection.
8.1.1 Network Connection, duration of connection and mechanism to transmit Data between
Supplier and MICRO FOCUS shall be through MICRO FOCUS IT approved secure
solution.
8.1.2 Supplier may only use the Network Connection for the business purposes as
authorized by MICRO FOCUS.
8.1.3 Supplier will allow only Supplier’s employees who are approved in advance by MICRO
FOCUS (“Authorized Supplier Employees”) to authenticate and access MICRO FOCUS
Information Systems or MICRO FOCUS Owned Equipment.
8.1.4 Supplier shall be solely responsible for ensuring that Authorized Supplier Employees
are not security risks, and upon MICRO FOCUS’ request, Supplier will provide MICRO
FOCUS with any information reasonably necessary for MICRO FOCUS to evaluate
security issues relating to any Authorized Supplier Employee.
8.1.5 Supplier will promptly notify MICRO FOCUS whenever any Authorized Supplier
Employee no longer requires access to MICRO FOCUS Information Systems or
MICRO FOCUS Owned Equipment.
8.2 Use of MICRO FOCUS Owned Equipment at Supplier Facilities.
8.2.1 MICRO FOCUS may, at MICRO FOCUS’ sole discretion, loan to Supplier equipment or
software for use in Supplier Facilities (“MICRO FOCUS Owned Equipment”) under the
terms of a MICRO FOCUS Equipment Loan Agreement. MICRO FOCUS Owned
Equipment will be used solely by Supplier at Supplier’s Facilities and for the purposes
set forth in the Agreement or a MICRO FOCUS Equipment Loan Agreement.
8.2.2 Supplier may not modify the configuration of the MICRO FOCUS-Owned Equipment
unless otherwise set forth in the Agreement or MICRO FOCUS Equipment Loan
Agreement.
8.3 Use of Supplier-Owned Equipment at MICRO FOCUS Facilities. MICRO FOCUS may, at
MICRO FOCUS’ sole discretion, authorize Supplier to utilize Supplier-owned equipment in
MICRO FOCUS Facilities. Supplier-owned equipment must conform to the applicable security
standards set forth in this DNSS.
8.4 Security of MICRO FOCUS Network. Supplier shall ensure its use of the Network Connection
(and Supplier’s use of MICRO FOCUS-Owned Equipment) is secure and is used only for
authorized purposes, and that MICRO FOCUS Data and Information Systems are protected
against improper access, use, loss, alteration, or destruction.
9. DATA RETENTION.
9.1 During Agreement Term and Termination.
9.1.1 Supplier shall retain Data over the term of the Agreement unless otherwise agreed to with MICRO FOCUS. If Supplier cannot retain the Data, Supplier will regularly provide such Data to MICRO FOCUS for MICRO FOCUS to retain.
9.1.2 Supplier shall provide MICRO FOCUS with a means to access and manage Data and, where it is not possible for MICRO FOCUS to do so itself, provide MICRO FOCUS with a copy of all Data held by it in the format and on the media reasonably specified by MICRO FOCUS, or update, correct or delete Data on MICRO FOCUS’ request.
9.1.3 Unless otherwise agreed to by MICRO FOCUS and Supplier in writing, in a manner consistent with Applicable Laws, Supplier shall either (a) destroy all Data, including, without limitation, any and all copies and derivatives thereof, no later than 90 calendar days after the termination or expiration of the Agreement or portion thereof; or (b) return all Data in an agreed upon format to MICRO FOCUS or MICRO FOCUS’ designated recipient no later than 30 calendar days after the termination or expiration of the Agreement or portion thereof.
9.1.4 If Supplier is unable to return or destroy the Data under Applicable Law, Supplier shall (a) notify MICRO FOCUS, (b) cease actively Processing the retained MICRO FOCUS Personal Data, and (c) implement security measures to protect the retained Data.
9.1.5 Supplier may retain limited transactional data to meet legal or business requirements.
9.1.6 Upon request by MICRO FOCUS, Supplier will provide MICRO FOCUS with a certificate or attestation of return or destruction in accordance with Addendum 1, section 4.3.
9.1.7 If MICRO FOCUS reasonably suspects that Supplier has not adequately removed or returned Data, MICRO FOCUS or a third party selected by MICRO FOCUS may audit Supplier. If the audit identifies Supplier’s unauthorized retention of Data, then Supplier shall reimburse MICRO FOCUS for the cost of the audit.
9.1.8 Data Placed on ‘Legal Hold’. Supplier will not block, erase or dispose of any Data which Supplier has been notified it must retain in response to a MICRO FOCUS “Legal Hold”. In the event that Supplier believes it is legally required to destroy Data on Legal Hold, Supplier must notify, consult and cooperate with MICRO FOCUS prior to any destruction. Supplier’s obligations to retain such “Legal Hold” Data shall not be limited by
any agreed-to records or data retention policies or internal policies of Supplier. If Supplier cannot retain the “Legal Hold” Data, Supplier will provide the Data to MICRO FOCUS for MICRO FOCUS to retain.
10. REQUIRED USE OF CRYPTOGRAPHY.
10.1 All Data transmitted by Supplier over any unsecure network or wirelessly (including but not
limited to email, instant messaging and web traffic), stored on portable devices, removable
media and in transit between Supplier’s facilities must be encrypted. Supplier shall at all times
meet or exceed the Cryptography requirements outlined in Addendum 1 of this DNSS.
10.2 All MICRO FOCUS Data stored on Supplier’s and Supplier subcontractor’s Information
Systems must be encrypted at rest.
11. DISASTER RECOVERY.
11.1 Supplier shall maintain a disaster recovery plan for restoring its current and offsite Data files
Processed pursuant to the Agreement.
11.2 Supplier will be responsible for weekly backups and preservation of any Data Processed on
behalf of MICRO FOCUS. All backup copies of Data shall be treated as Confidential Data.
11.3 Supplier will maintain a business continuity plan for restoring its critical business functions.
11.4 Upon request, Supplier will allow MICRO FOCUS to view the disaster recovery and business
continuity plans.
ADDENDUM 1 to the DNSS
MINIMUM INFORMATION SECURITY REQUIREMENTS
This Addendum 1 forms part of the DNSS. Capitalized terms not specifically defined herein shall have the meaning set out in the Agreement.
This Addendum 1 to the DNSS sets forth minimum information security requirements for Supplier’s
Information Systems as required by MICRO FOCUS. Supplier shall either meet or exceed these
requirements at all times.
In the technical control sections of this Addendum, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 (https://www.ietf.org/rfc/rfc2119.txt).
1 SYSTEM SECURITY. 1.1 System Administration.
1.1.1 Administrator accounts should only be used for the purpose of performing administrative activities, where such activities cannot be performed by an account with lesser privileges.
1.1.2 Each account with administrative privileges must be traceable to a uniquely-identifiable individual.
1.1.3 Batch system administration activities, such as daemons, jobs, and scripts, must not run with administrative privileges unless no alternative exists.
1.1.4 System accounts or built-in application accounts must not be used to provide generic or unauthorized access.
1.1.5 All access to Information Systems must be authenticated. This includes console access, individual accounts, administrative accounts, and any automated relationships with other systems.
1.1.6 Separation of duties must be maintained so that no individual or account has access to both the development and test environments and the production environment.
1.1.7 Only required services and protocols should be enabled; all others must be explicitly disabled.
1.1.8 All Information Systems or mobile device assets containing Data must be identified, tracked and logically labeled and managed in accordance with the Data sensitivity classification.
1.2 Account Management.
1.2.1 All unnecessary default system accounts must be disabled.
1.2.2 Each account must be assigned to a unique individual, application, or process.
1.2.3 All accounts must be reviewed at least annually to determine if they are still required. Accounts must be disabled upon user termination or user change of roles and responsibilities.
1.2.4 All accounts that utilize passwords for authentication must use passwords that comply with section 3 and must not use Supplier-provided defaults.
1.3 Physical Security. Areas where MICRO FOCUS-Owned Equipment is stored, where Information Systems are used in Processing Data, or where Services or Products are being provided or manufactured must:
1.3.1 Restrict Access to authorized persons only;
1.3.2 Utilize identification and authentication controls to authorize and validate the access;
1.3.3 Securely maintain an audit trail of all access, including times of entry and departure;
1.3.4 Securely manage visitors:
(a) Grant access only for specific authorized purposes;
(b) Record the date and time of entry and departure;
(c) Ensure that all visitors are escorted and supervised at all times; and,
(d) Issue instructions to visitors on security and emergency procedures.
1.3.5 Have physical separation, such as cages or secured doors, and must be controlled and restricted to authorized persons only in areas where Data is Processed, Services are provided, or Products are developed or stored;
1.3.6 Ensure systems are protected against interference with configuration or continued operation;
1.3.7 Ensure that video camera surveillance does not capture keyboard and/or console actions and information;
1.3.8 Process, transfer and store hardcopy materials containing Data in a secure manner. Hardcopy materials must be destroyed when no longer needed for business or legal purposes in a manner which ensures that Data cannot be reconstructed. One of the following destruction methods must be used: confetti cut, cross-cut shredding, incineration, or pulping of the hardcopy materials. All hardcopy disposal containers must be secured with tamper-proof locks.
1.4 Media Reuse and Disposal. All media must be securely erased electronically by overwriting or degaussing, through cryptographic erasure, or else physically destroyed prior to disposal or reassignment of the system. The media sanitization procedures must follow the procedures contained in NIST SP 800-88, Guidelines for Media Sanitization, which can be found at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf (the “NIST Guide”).
1.5 Backup and Recovery. Supplier shall perform at least tabletop testing of the disaster recovery plan every 6 months.
1.5.1 Systems must have a formal backup/recovery strategy and plan that must be periodically tested, and a record of tests and results must be maintained for audit.
1.5.2 Backup media must be protected against unauthorized disclosure, alteration, or destruction. Possible mechanisms include, but are not limited to, cryptographic transformation and physical controls.
1.6 Anti-Virus Configuration. Any Information System or Product must have current anti-virus software configured for automatic updates no less than once per week. Such software must be configured to scan for and promptly remove viruses.
1.7 Endpoint Protection. All Information Systems must have reasonably up-to-date versions of system security agent software which must include a host firewall, malware protection and up-to-date patches and virus definitions. Such software must be configured to scan for and promptly remove or remediate identified findings on endpoint systems.
2 MALICIOUS USE OF PRODUCT OR HARDWARE.
2.1 Disallowed Uses of Product. No hardware, software or other Product used in support of MICRO FOCUS must ever be used for any malicious purpose.
2.2 Approved Use of Diagnostic Tools.
2.2.1 Diagnostic tools may only be used by personnel whose job function requires usage and must be limited to relevant Information Systems. Tools that may impact the performance of the services provided pursuant to the Agreement through degradation of availability or performance must not be used.
2.2.2 Data gathered as a result of monitoring and recording any network traffic by any means, must be properly protected against unauthorized disclosure, alteration, and destruction. Such Data must only be stored if necessary and must be immediately and securely disposed of when no longer needed.
3 PROTECTION OF PASSWORDS.
3.1 Password Protection.
3.1.1 Passwords must be protected at all times and should not be reversible from storage, using a strong one-way function such as Bcrypt. Where passwords must be stored in a reversible format, as when used with a password manager, strong cryptography meeting the Cryptography requirements outlined in Addendum 1 of this DNSS must be used. Where passwords must be stored for the automation of application-related processes, access to the passwords must be restricted so that they can only be read by the specific application processes and super user accounts requiring access.
3.1.2 Access to files containing passwords must be logged.
3.1.3 Initial passwords must be changed by the user on first use.
3.1.4 All passwords must be promptly changed if they are suspected of being compromised or known to have been disclosed to unauthorized parties; users must be able to change their own passwords.
3.1.5 Passwords must be uniquely identifiable and each user must be accountable and responsible for any action taken under that user’s own user ID and password. Users must not share or divulge their password to anyone.
3.1.6 The display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them. Passwords must not be logged or captured as they are being entered.
3.1.7 Passwords must be encrypted when transmitted across any network.
3.1.8 Requestor’s identity must be verified for any password changes; password change processes must not circumvent password security controls.
3.1.9 Passwords and usernames must not be hard coded in clear text into shell scripts or source code.
3.2 Password Selections.
3.2.1 Password complexity should never be less than 3 out of 4 character classes, the four classes being upper case letters, lower case letters, numeric digits, and special characters.
3.2.2 Password length must be configured to be at least 8 characters.
3.2.3 A mechanism must be in place to prevent the reuse of at least the last 6 passwords.
3.3 Password Lockout. Accounts must be set to lockout on not more than 10 consecutive failed login attempts.
3.4 Password Expiration. Password expiry must be defined in an organizational password guidance policy, in line with a documented risk assessment of the environment, with user passwords expiring every 90 days when used within environments requiring PCI DSS compliance.
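The password selection and lockout controls in sections 3.2 and 3.3 above, worked through as an added example (not Micro Focus's code): a checker that enforces the 3-of-4 character class rule, the 8-character minimum, a history of the last 6 passwords stored only as salted one-way digests, and lockout on the 10th consecutive failed login. It uses PBKDF2 from the Python standard library as a stand-in for the Bcrypt named in 3.1.1; the `Account` class, its methods and the sample passwords are constructed for illustration.

```python
"""Added example: a compliance checker for Addendum 1 sections 3.2 and 3.3.

Constructed for illustration; not the DNSS's own code. PBKDF2-HMAC-SHA256
from the standard library stands in for the Bcrypt named in 3.1.1 so the
example runs without third-party packages.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Character classes named in 3.2.1
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
MIN_LENGTH = 8        # 3.2.2
MIN_CLASSES = 3       # 3.2.1: at least 3 of the 4 classes
HISTORY_DEPTH = 6     # 3.2.3: no reuse of the last 6 passwords
MAX_FAILURES = 10     # 3.3: lock out on not more than 10 consecutive failures
PBKDF2_ROUNDS = 100_000   # demo value; tune for production hardware


def character_classes(password: str) -> set:
    """Return the set of 3.2.1 character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)}


def check_complexity(password: str) -> list:
    """Return a list of 3.2.1/3.2.2 violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (3.2.2)")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        problems.append(f"only {len(found)} of 4 character classes (3.2.1)")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted one-way digest; passwords are never stored reversibly (3.1.1)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    # (salt, digest) pairs, newest first; index 0 is the current password
    history: list = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, new_password: str) -> list:
        """Apply 3.2.1-3.2.3; returns the violations, or [] if the change was made."""
        problems = check_complexity(new_password)
        if self._in_history(new_password):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords (3.2.3)")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(new_password, salt)))
        del self.history[HISTORY_DEPTH:]      # keep exactly the last 6
        return []

    def authenticate(self, password: str) -> bool:
        """3.3: count consecutive failures and lock at MAX_FAILURES."""
        if self.locked or not self.history:
            if not self.locked:
                self._record_failure()
            return False
        salt, digest = self.history[0]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failed_attempts = 0          # success resets the counter
            return True
        self._record_failure()
        return False

    def _record_failure(self) -> None:
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILURES:
            self.locked = True


if __name__ == "__main__":
    acct = Account("jdoe")                    # constructed sample account
    print(check_complexity("alllowercase1"))  # violates 3.2.1
    print(acct.set_password("Winter-2019"))   # [] means accepted
    print(acct.set_password("Winter-2019"))   # rejected: reuse
```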
4 MICRO FOCUS APPROVED CRYPTOGRAPHY.
4.1 Key Lifecycle.
4.1.1 Keys must be generated in a secure manner.
4.1.2 Keys must only be available to authorized users.
4.1.3 Keys must be protected from unauthorized use, disclosure, alteration, and destruction.
4.1.4 If the private key associated with an asymmetric key pair is compromised for any reason, all associated certificates must be revoked.
4.1.5 Keys must have an appropriate lifetime after which they are securely destroyed.
4.2 MICRO FOCUS Approved Cryptography. Supplier will implement and maintain industry-standard cryptography.
4.2.1 Transmission.
(a) Supplier must maintain secure protocols and cipher suites within the environment as accepted by the wider security industry and documented by Qualys SSL Labs best practices: https://www.ssllabs.com/projects/documentation/
(b) An "A" rating or above is required on the Qualys SSL Labs SSL Server Test: https://www.ssllabs.com/ssltest/. Upon MICRO FOCUS’ request, Supplier shall provide server test documentation.
4.2.2 Storage. For storage and database (including backup media) encryption, the AES CCM or GCM authenticated encryption modes must be used and configured securely in accordance with industry best practices, which may be validated by MICRO FOCUS.
4.2.3 Use of Hash Algorithms.
(a) The SHA-256, SHA-384, and SHA-512 hash algorithms are approved as the minimum acceptable algorithms for performing digital signatures and HMACs.
(b) For systems which will not leverage a MICRO FOCUS-provided authentication solution, industry best practices must be followed to hash the password in storage: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
4.2.4 PGP. The RIPEMD-160 algorithm is approved for use with the OpenPGP protocol.
4.2.5 If at any time the above noted cryptography is no longer recognized as an industry best practice, or if Supplier is unable to implement cryptography consistent with this DNSS, Supplier must receive MICRO FOCUS Cyber Security written approval prior to implementing alternate cryptography.
5 NETWORK SECURITY.
5.1 Network Operations and Management.
5.1.1 Supplier must maintain an intrusion detection system to monitor, detect, and report misuse patterns, suspicious activities, unauthorized users, and other actual and threatened security risks to Data. Supplier shall make available, in an expedited manner if so requested, the necessary support to implement any changes required to maintain the security of the Data and Information System.
5.1.2 Supplier’s intrusion detection system must provide the ability to capture Data for audit purposes of all actual and suspected access exceptions and make such Data available to MICRO FOCUS upon request.
5.2 Network Access Controls.
5.2.1 Networks used in the provisioning of Services for MICRO FOCUS must have dedicated separately-defined logical domains or network compartments, each protected with suitable security perimeters and access control mechanisms. All such networks must implement bi-directional anti-spoofing filters on network boundary devices.
5.2.2 Network access control devices between networks used in the provisioning of Services for MICRO FOCUS and uncontrolled networks must not allow access by default; “deny all” shall be the default state. Networks, IP addresses, and ports must be specifically authorized before access is permitted between networks managed on behalf of MICRO FOCUS and any other networks.
6 PATCHING VULNERABILITIES.
6.1 Security Products. Supplier must maintain security Products on the latest supported version, including implementing any security-related updates made available by security Product vendor. Supplier shall monitor and implement any necessary changes to enhance the security status of the Product or Service.
6.2 Patch and Vulnerability Administration.
6.2.1 Supplier must have a process to review and assess the risk and threat to the environment of all vendor security directives and advisories in a timely and effective manner. Patches must be implemented in a timeframe commensurate with the risk level unless otherwise agreed to with MICRO FOCUS Cyber Security.
6.2.2 Any known or identified vulnerabilities which impact the confidentiality, integrity, or availability of the Product, Service or Data with a Common Vulnerability Scoring System (CVSS) rating of 4 or higher shall be remediated prior to commencement of Services or within 14 days from release of the patch or remediation. All vulnerabilities with a rating less than 4 should be remediated within 30 days.
7 CHANGE MANAGEMENT.
7.1 Prior to implementing any new Products, Services, Information Systems or changes to Products, Services, or Information Systems, Supplier must ensure sufficient analysis and testing is performed:
7.1.1 The Product, Service or Information System or any change thereof correctly addresses the functional requirements;
7.1.2 The change does not introduce new known vulnerabilities or security deficiencies;
7.1.3 The change or action does not break or negatively impact the Product, Service or Information System;
7.1.4 The change has been documented and approved by Supplier and MICRO FOCUS;
7.1.5 Supplier’s information security team has tested and approved the change; and,
7.1.6 A process to roll-back the change has been documented.
8 EVENT LOGGING.
8.1 Supplier must have processes and programs to log, detect, report, and resolve any system or security events which may compromise the security of the system. This includes, but is not limited to, access to critical business and infrastructure files, shared files, and successful or failed user authentication.
8.2 Devices and systems requiring security event logging. Network, domain, application and Services infrastructure (including but not limited to, servers, databases, applications, physical access control systems) when used as part of the security controls in support of the Services or Product provided under the Agreement must provide auditable logs of security events.
8.3 Log Entry Content. Log content must capture sufficient information to recreate events and activities in support of forensic activities.
8.3.1 Log entries must indicate, at a minimum: date, time, IP address, system information, user, object, type of transaction or activity, success or failure of transaction, and log source.
8.3.2 Denied access attempts to critical files must be logged.
8.3.3 All authentication transactions must be logged.
8.3.4 All Information Systems that generate or store logs of security events must use the Network Time Protocol (NTP) to synchronize their system clocks.
8.3.5 Log entries should be stored in Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
8.4 Log Access Control. Logs must be labeled as “Confidential” and must be protected from unauthorized disclosure, alteration, and destruction.
8.5 Log Retention. Log entries must be retained online for a period of 180 days and archived for a period of 3 years to support forensics and litigation, unless otherwise required by Applicable Laws. Whenever the retention times expressed in this standard conflict with Applicable Laws, the Applicable Laws take precedence. Archived logs should be retrievable within 7 business days.
8.6 Log Review and Reporting. Documented processes and procedures must be in place for automated or manual reviews, monitoring, and alerting of security-significant events. System logs should be reviewed at least once a month. If necessary, reports shall be drafted and filed in accordance with Applicable Laws.
ADDENDUM 2
Micro Focus Group GDPR Terms for Suppliers
1. Definitions. The following definitions shall apply to this Appendix A. Capitalized terms not otherwise defined in this Appendix A shall have the meanings set forth in the Relevant Agreement.
a. "Data controller", "data processor", "data subject", "personal data", "special categories of personal data" and "processing" shall be as defined in GDPR.
b. “GDPR Data” means all personal data including (where relevant) special categories of personal data which is provided by Micro Focus to Supplier pursuant to the Relevant Agreement or in connection with the products and/or services provided by Supplier thereunder to the extent that GDPR applies to such data.
c. “Relevant Agreement” means the agreement entered into between Supplier and Micro Focus in which Supplier has agreed to and/or is required to process personal data on behalf of Micro Focus as a data processor.
d. "Security Breach" means any breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of or access to the GDPR Data.
2. GDPR Terms.
With effect from 25 May 2018:
a. The following processing may be performed by Supplier in relation to the Relevant Agreement:
i. Subject-matter of processing: The processing of GDPR Data by Supplier shall be that which is necessary to comply with Supplier's obligations under the Relevant Agreement.
ii. Duration of processing: The duration of the processing shall be the term of the Relevant Agreement.
iii. Type of GDPR Data: The GDPR Data processed by Supplier shall be as defined above.
iv. Categories of data subjects: The data subjects shall be the subjects of the GDPR Data as defined above.
b. Micro Focus agrees that it shall at all times comply with all requirements applicable to it under GDPR as a data controller or data processor as applicable.
c. Micro Focus and Supplier acknowledge that for the purposes of GDPR, Micro Focus is the data controller and Supplier is the data processor of any GDPR Data.
d. When processing GDPR Data, Supplier shall, in addition to the measures taken by Micro Focus, implement and maintain all appropriate technical and organizational measures in such a manner (i) to ensure a level of security appropriate to the risk to the GDPR Data when it is processed by Supplier (ii) to protect the GDPR Data from Security Breaches and (iii) to enable Supplier to assist Micro Focus in the fulfilment of its obligations to respond to requests from data subjects exercising their rights under the GDPR.
e. Supplier shall not engage another processor (a "sub processor") without Micro Focus’s prior written authorization.
f. Supplier hereby stipulates that it shall:
i. provide all assistance to Micro Focus as is reasonably requested to enable Micro Focus to comply with its obligations pursuant to the GDPR;
ii. process the GDPR Data only on documented instructions from Micro Focus, including with regard to transfers of GDPR Data to a third country or an international organization, unless (1) required to do so by European Union or EU Member State law to which Supplier is subject; in such a case, Supplier shall immediately inform Micro Focus of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest or (2) in its opinion, an instruction given by or on behalf of Micro Focus infringes the GDPR, in which instance Supplier shall immediately inform Micro Focus of such opinion;
iii. ensure that persons authorized to access the GDPR Data on behalf of Supplier are limited to those who require access to it for the purpose of complying with Supplier's obligations under the Relevant Agreement and that such authorized persons have committed themselves to contractual obligations of confidentiality or are under an appropriate statutory obligation of confidentiality;
iv. not process or transfer the GDPR Data outside of the European Economic Area (or permit the GDPR Data to be so processed or transferred) unless it has obtained Micro Focus' prior written authorization;
v. without prejudice to the generality of 2.f(i) above, assist Micro Focus in ensuring compliance with its obligations pursuant to GDPR Art. 32-36, taking into account the nature of the processing carried out by Supplier and the information available to Supplier;
vi. promptly (and in any event within 24 hours of becoming aware of a Security Breach) notify Micro Focus of the Security Breach and provide Micro Focus with details of the Security Breach (such details to include but not be limited to, (1) the identity of any affected data subjects (2) any recommended remedial measures that should be taken by it and/or Micro Focus in respect of the Security Breach and (3) all information necessary to enable Micro Focus to assess the risk posed by the Security Breach and establish whether it is required to notify the relevant data protection authorities);
vii. at the choice of Micro Focus, delete or return all GDPR Data to Micro Focus within seven days of the end of the provision of services relating to processing, and delete all copies of such GDPR Data unless European Union or EU Member State law requires the Supplier to retain a copy of the GDPR Data, in which case the Supplier shall (to the extent permitted by law) inform Micro Focus of such retention requirement; and
viii. allow Micro Focus and/or its representatives to conduct audits (including inspections) of all data processing facilities, procedures, documentation and other matters required to demonstrate compliance with the GDPR and this Appendix A. Without prejudice to the foregoing, the Supplier shall contribute to such audits in a reasonable manner, and provide all information reasonably necessary to demonstrate compliance with the GDPR and this Appendix A.
g. Subject to paragraph 2. d of this Appendix A, where Supplier engages a sub processor for carrying out specific processing activities on behalf of Supplier, Supplier shall ensure that any such sub processors are contractually bound by the same data protection terms as set forth herein. Where a sub processor fails to fulfill its data protection obligations, Supplier shall remain fully liable to Micro Focus in respect of any breach of this Appendix A that is caused by an act, error or omission of such sub processor.
h. The Supplier agrees that it shall at all times comply with all requirements applicable to it under the GDPR as a data processor.
3. General.
a. Supplier and Micro Focus hereby acknowledge and agree that any provisions in the Relevant Agreement which provide better protection for Micro Focus against liability arising out of a breach by Supplier of the data protection provisions in the Relevant Agreement than the protection available in respect of other breaches, should be read as if such provisions also apply to breaches of this Appendix A and in particular:
i. any indemnities set out in the Relevant Agreement in which Supplier indemnifies and holds Micro Focus and/or its affiliates harmless from any losses arising out of Supplier's breach of any of its data protection obligations under the Relevant Agreement, shall be read as if such indemnities also apply to losses arising out of Supplier's breach of this Appendix A or any part thereof; and
ii. any liability caps for data protection breaches which are higher than the other caps in the Relevant Agreement shall be read as if such liability caps also apply to losses arising out of Supplier's breach of this Appendix A or any part thereof; and
iii. any exemptions to the liability limitations that are set out in the Relevant Agreement which apply to the data protection obligations in the Relevant Agreement, shall apply to losses arising out of Supplier's breach of this Appendix A or any part thereof.
APPENDIX 1 TO ADDENDUM 2
STANDARD CONTRACTUAL CLAUSES FOR PROCESSORS
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Data Exporter and Data Importer (as defined in Appendix 1), each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) “personal data”, “special categories of data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) “the data exporter” means the controller who transfers the personal data;
(c) “the data importer” means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) “the sub-processor” means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) “the applicable data protection law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) “technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor
agreement it concludes under the Clauses to the
data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has
suffered damage as a result of any breach of the
obligations referred to in Clause 3 or in Clause
11 by any party or sub-processor is entitled to
receive compensation from the data exporter for
the damage suffered.
2. If a data subject is not able to bring a claim for
compensation in accordance with paragraph 1
against the data exporter, arising out of a breach
by the data importer or his sub-processor of any
of their obligations referred to in Clause 3 or in
Clause 11, because the data exporter has
factually disappeared or ceased to exist in law or
has become insolvent, the data importer agrees
that the data subject may issue a claim against the
data importer as if it were the data exporter,
unless any successor entity has assumed the
entire legal obligations of the data exporter by
contract or by operation of law, in which case the
data subject can enforce its rights against such
entity.
The data importer may not rely on a breach by a
sub-processor of its obligations in order to avoid
its own liabilities.
3. If a data subject is not able to bring a claim
against the data exporter or the data importer
referred to in paragraphs 1 and 2, arising out of a
breach by the sub-processor of any of their
obligations referred to in Clause 3 or in Clause
11 because both the data exporter and the data
importer have factually disappeared or ceased to
exist in law or have become insolvent, the sub-
processor agrees that the data subject may issue
a claim against the data sub-processor with
regard to its own processing operations under the
Clauses as if it were the data exporter or the data
importer, unless any successor entity has
assumed the entire legal obligations of the data
exporter or data importer by contract or by
operation of law, in which case the data subject
can enforce its rights against such entity. The
liability of the sub-processor shall be limited to
its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject
invokes against it third-party beneficiary rights
and/or claims compensation for damages under
the Clauses, the data importer will accept the
decision of the data subject:
(a) to refer the dispute to mediation, by an
independent person or, where applicable, by
the supervisory authority;
(b) to refer the dispute to the courts in the
Member State in which the data exporter is
established.
2. The parties agree that the choice made by the
data subject will not prejudice its substantive or
procedural rights to seek remedies in accordance
with other provisions of national or international
law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this
contract with the supervisory authority if it so
requests or if such deposit is required under the
applicable data protection law.
2. The parties agree that the supervisory authority
has the right to conduct an audit of the data
importer, and of any sub-processor, which has
the same scope and is subject to the same
conditions as would apply to an audit of the data
exporter under the applicable data protection
law.
3. The data importer shall promptly inform the data
exporter about the existence of legislation
applicable to it or any sub-processor preventing
the conduct of an audit of the data importer, or
any sub-processor, pursuant to paragraph 2. In
such a case the data exporter shall be entitled to
take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the
Member State in which the data exporter is
established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the
Clauses. This does not preclude the parties from
adding clauses on business related issues where
required as long as they do not contradict the Clauses.
Clause 11
Subprocessing
1. The data importer shall not subcontract any of its
processing operations performed on behalf of the
data exporter under the Clauses without the prior
written consent of the data exporter. Where the
data importer subcontracts its obligations under
the Clauses, with the consent of the data exporter,
it shall do so only by way of a written agreement
with the sub-processor which imposes the same
obligations on the sub-processor as are imposed
on the data importer under the Clauses. Where
the sub-processor fails to fulfil its data protection
obligations under such written agreement the
data importer shall remain fully liable to the data
exporter for the performance of the sub-
processor's obligations under such agreement.
2. The prior written contract between the data
importer and the sub-processor shall also provide
for a third-party beneficiary clause as laid down
in Clause 3 for cases where the data subject is not
able to bring the claim for compensation referred
to in paragraph 1 of Clause 6 against the data
exporter or the data importer because they have
factually disappeared or have ceased to exist in
law or have become insolvent and no successor
entity has assumed the entire legal obligations of
the data exporter or data importer by contract or
by operation of law. Such third-party liability of
the sub-processor shall be limited to its own
processing operations under the Clauses.
3. The provisions relating to data protection aspects
for subprocessing of the contract referred to in
paragraph 1 shall be governed by the law of the
Member State in which the data exporter is
established.
4. The data exporter shall keep a list of
subprocessing agreements concluded under the
Clauses and notified by the data importer
pursuant to Clause 5 (j), which shall be updated
at least once a year. The list shall be available to
the data exporter's data protection supervisory
authority.
Clause 12
Obligation after the termination of personal data
processing services
1. The parties agree that on the termination of the
provision of data processing services, the data
importer and the sub-processor shall, at the
choice of the data exporter, return all the personal
data transferred and the copies thereof to the data
exporter or shall destroy all the personal data and
certify to the data exporter that it has done so,
unless legislation imposed upon the data
importer prevents it from returning or destroying
all or part of the personal data transferred. In that
case, the data importer warrants that it will
guarantee the confidentiality of the personal data
transferred and will not actively process the
personal data transferred anymore.
2. The data importer and the sub-processor warrant
that upon request of the data exporter and/or of
the supervisory authority, it will submit its data
processing facilities for an audit of the measures
referred to in paragraph 1.
{Signatures on Following Page}
IN WITNESS WHEREOF, these Clauses are duly executed and delivered on the date set out above:
Data Exporter:
____________________________
(Name)
____________________________
(Title)
____________________________
(Date)
Data Importer:
____________________________
(Name)
____________________________
(Title)
____________________________
(Date)
EU Model Contract
Details of the transfer
Data Exporter
[INSERT EXPORTER ENTITY] and its affiliated companies located in the EU, EEA and Switzerland with access to the
business applications and data on the servers, storage and other infrastructure of the Services, which may contain personal
data. The data exporter interacts with the data importer in order to manage the service and obtain support.
Data Importer(s)
[INSERT IMPORTER ENTITY/ENTITIES]
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
[INSERT DATA SUBJECT CATEGORIES]
Categories of data
The personal data transferred concern the following possible categories of data:
[INSERT PERSONAL DATA CATEGORIES]
Special categories of data
The personal data transferred concern the following special categories of data:
The personal data stored by the data exporter on the servers and other infrastructure provided as part of the Services, may
include personal data that falls into the following categories:
inions of a data subject
Processing operations
The personal data transferred will be subject to the following basic processing activities: Data importer will process the
personal data as necessary in order to deliver and support the Services.
[INSERT DESCRIPTION OF PROCESSING]
EU Model Contract
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
This Appendix forms part of the Clauses.
Description of the technical and organisational measures implemented by the Data Importer in accordance with Clauses
4(d) and 5(c):
The Data Importer shall implement the security measures described below.
[INSERT SECURITY MEASURES].
APPENDIX 2 TO ADDENDUM 2 (PRIVACY) - HIPAA BAA/ASA
Agent/Subcontractor Agreement
This Agent/Subcontract Agreement (“Agreement”) is entered into by and between ________________________, with
offices at ______________________________ (“Business Associate”) and ___________________ [Name of
Agent/Subcontractor] (“Agent/Subcontractor”), with offices at ____________________________ (individually a “Party”
and collectively the “Parties”), and is effective as of ______________, (“Effective Date”).
Recitals:
WHEREAS, Business Associate is operating as a Business Associate under the federal Health Insurance Portability and
Accountability Act of 1996, 42 U.S.C. §§ 1320d – 1320d-8 (“HIPAA”), as amended from time to time, and is required to
safeguard individually identifiable health information that Business Associate creates, receives, maintains, or transmits
(hereinafter “Protected Health Information” or “PHI”) on behalf of a Covered Entity in accordance with the requirements
HIPAA establishes and also the requirements set forth in the Health Information Technology for Economic and Clinical
Health (“HITECH”) Act and their respective implementing regulations;
WHEREAS, Agent/Subcontractor is operating as a Business Associate as defined by HIPAA, as amended from time to time,
and is required to safeguard PHI that Agent/Subcontractor creates, receives, maintains, or transmits on behalf of the Business
Associate and/or a Covered Entity in accordance with the requirements of HIPAA and the HITECH Act and their respective
implementing regulations;
WHEREAS, HIPAA mandates that Business Associate, in its capacity as a Business Associate of a Covered Entity, enter
into this Agreement with those agents and subcontractors that perform a service on behalf of Business Associate that involves
the use or disclosure of PHI; and
WHEREAS, Business Associate and Agent/Subcontractor understand that they must enter into this Agreement so that PHI
may be disclosed to Agent/Subcontractor and to allow Agent/Subcontractor to perform functions or activities on behalf of
and/or provide services to Business Associate as set forth in Exhibit A that requires the use or disclosure of PHI.
NOW, THEREFORE, in consideration of the Parties’ continuing obligation to each other and for other good and valuable
consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
I) Definitions
The following terms shall have the meaning ascribed to them in this Section. Other capitalized terms shall have the
meaning ascribed to them in the context in which they first appear. Terms used but not otherwise defined in this
Agreement shall have the same meaning as those terms in the federal Standards for Privacy of Individually Identifiable
Health Information, 45 CFR Parts 160 subpart A and 164 subparts A and E (the “Privacy Rule”); the federal Security
Standards for the Protection of Electronic Protected Health Information, 45 CFR Parts 160 subpart A, and 164 subparts A
and C (the “Security Rule”); and the Notification in the Case of Breach of Unsecured Protected Health Information, 45
CFR Part 164 subpart D (the “Breach Notification Rule”) (collectively the “HIPAA Rules”).
a) “Agent/Subcontractor” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103.
b) “Breach” shall have the same meaning as the term “Breach” is defined in 45 CFR 164.402.
c) “Business Associate” shall have the same meaning as the term “Business Associate” in 45 CFR 160.103 and, as
used in this Agreement, refers to Business Associate in its capacity as an entity that creates, receives, maintains, or
transmits protected health information in providing services to a Covered Entity and/or a Business Associate.
d) “Covered Entity” shall have the same meaning as the term “Covered Entity” in 45 CFR 160.103 and refers to a
Health Plan, Health Care Provider or Health Care Clearinghouse, as those entities are defined in 45 CFR 160.103.
e) “Individual” shall have the same meaning as the term “Individual” in 45 CFR 160.103 and shall include a person
who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
f) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in
45 CFR 160.103, and shall refer to PHI obtained from Covered Entity or Business Associate or created, received,
maintained, or transmitted by Agent/Subcontractor on behalf of Business Associate or Covered Entity, including
any PHI that is created, received, maintained, or transmitted in an electronic form (“Electronic PHI”).
g) “Required By Law” shall have the same meaning as the term “Required By Law” in 45 CFR 164.103.
h) “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
i) “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in an information system, as defined at 45 CFR
164.304.
j) “Underlying Services Agreement” shall mean any contract or purchase order, express or implied, between
Business Associate and Agent/Subcontractor for services.
k) “Unsecured Protected Health Information” or “Unsecured PHI” shall mean Protected Health Information that is
not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or
methodology specified by the Secretary in guidance as specified under section 13402(h)(2) of Pub. L. 111-5, as
defined at 45 CFR § 164.402.
II) Acknowledgment of Obligations
Agent/Subcontractor acknowledges that it is directly subject to the HIPAA Rules, as amended by the HITECH Act,
including, but not limited to, Sections 164.308, 164.310, 164.312 and Section 164.316, as well as the enforcement and
penalty provisions that the HIPAA Rules provide, as they may be amended from time to time. See 42 U.S.C. §§ 17931,
17934. Agent/Subcontractor agrees that it will (a) comply with all applicable provisions of the HIPAA Rules, as amended
by the HITECH Act and as it may be further amended from time to time; and (b) not act in any way to interfere with or
hinder Business Associate’s ability to comply with the HIPAA Rules, as amended by the HITECH Act and as it may be
further amended from time to time.
III) Obligations and Activities of Agent/Subcontractor
a) Uses and Disclosures of PHI. Without in any way limiting the confidentiality provisions of the Underlying
Services Agreement, with respect to each use and disclosure of PHI Agent/Subcontractor makes pursuant to this
Agreement, or otherwise, Agent/Subcontractor agrees as follows:
i) Agent/Subcontractor agrees to not use or disclose PHI other than as permitted or required by this Agreement
or as Required By Law.
ii) Agent/Subcontractor agrees to mitigate any harmful effect that is known to Agent/Subcontractor of a use or
disclosure of PHI by Agent/Subcontractor in violation of the requirements of this Agreement.
iii) Agent/Subcontractor agrees to report immediately, but no later than [“five calendar days”], to Business
Associate any use or disclosure of PHI not provided for by this Agreement of which it becomes aware.
iv) Agent/Subcontractor agrees to obtain written approval from Business Associate prior to entering into written
agreements with any third party including but not limited to contractor, agent, or supplier that creates,
receives, maintains, or transmits PHI on behalf of Agent/Subcontractor, and to the extent approval is granted,
ensuring that such third party agrees to the same restrictions, conditions, and requirements that apply under
the terms of this Agreement with respect to such information.
v) Agent/Subcontractor agrees to make available and provide Business Associate or, as directed by Business
Associate, Covered Entity or an Individual with access to PHI in a designated record set to meet the
requirements under 45 CFR 164.524. Such access shall be in a timely and reasonable manner, as agreed upon
by the Parties.
vi) Agent/Subcontractor agrees to make any amendment(s) to PHI in a designated record set that Business
Associate directs or agrees to pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy
Business Associate’s obligations under 45 CFR 164.526, at the request of Business Associate, in a time and
manner reasonably agreed upon by the Parties.
vii) Agent/Subcontractor agrees to make its internal practices, books, and records, including any policies and
procedures, relating to the use and disclosure of PHI received from, or created or received by
Agent/Subcontractor on behalf of Business Associate, available to the Business Associate or Secretary, in a
time and manner reasonably agreed upon or designated by the Business Associate or Secretary, for purposes
of the Secretary determining a Covered Entity’s or Business Associate’s compliance with the HIPAA Rules.
viii) Agent/Subcontractor agrees to maintain and make available, within five (5) calendar days, the information
required for Business Associate to respond to a request by a Covered Entity or an Individual for an
accounting of disclosures of PHI, as necessary to satisfy Business Associate’s obligations under 45 CFR
164.528, as amended from time to time.
ix) In a time and manner agreed to by the Parties and to the extent the Agent/Subcontractor is to carry out one or
more of Business Associate's obligation(s) under Subpart E of 45 CFR Part 164, Agent/Subcontractor agrees
to comply with the requirements of Subpart E that apply to Business Associate in the performance of such
obligation(s).
b) Securing Electronic PHI.
i) Agent/Subcontractor agrees to use appropriate safeguards and comply with applicable requirements of the
Security Rule and any procedures or requirements specified in the Underlying Services Agreement with
respect to Electronic PHI to prevent the use or disclosure of Electronic PHI other than as provided for by this
Agreement.
ii) Agent/Subcontractor will implement the data security measures of the Security Rule set forth at 45 CFR
164.308, 164.310, 164.312, and 164.316, as they may be amended from time to time. Such compliance shall
include, but is not limited to, the implementation of written data security policies and procedures that satisfy the
standards, implementation specifications and other requirements of the Security Rule. Those standards,
implementation specifications and any procedures or other requirements specified in the Underlying Services
Agreement include, but are not limited to:
(1) Administrative safeguards, which include risk assessment and periodic reassessments; risk management
security measures; information system activity risk reviews; an assigned security official; workforce
training and sanctions; data access controls; data back-up and disaster recovery plans; and Security
Incident management.
(2) Physical safeguards, which include facility and workstation access controls; portable and removable
device and media management; device and media disposal, re-use, backup and storage controls.
(3) Technical safeguards, which include access, authentication and audit controls; data integrity and
transmission security.
c) Notification of Security Incident.
i) Agent/Subcontractor will notify Business Associate of a Security Incident that is related directly or indirectly
to the services being provided to Business Associate immediately, and in no event later than [for ENTIT and
PPS deals use “2 calendar days”] [for TS, SW, Cloud, and other non-ENTIT or non-PPS deals use “five (5)
calendar days”] after the Discovery of such a Security Incident, as those terms are defined at 45 CFR 164.304
and 164.410. Agent/Subcontractor’s notice to Business Associate shall include the applicable elements as set
forth at 45 CFR 164.410(c).
ii) Agent/Subcontractor agrees to make its employees or agents available to Business Associate and fully
cooperate with any investigations related to known or suspected Security Incidents as requested by Business
Associate.
d) Notification of Breaches of Unsecured PHI.
Agent/Subcontractor will notify Business Associate of Breaches of Unsecured PHI without unreasonable delay and in no
event later than [for ENTIT and PPS deals use “2 calendar days”] [for TS, SW, Cloud, and other non-ENTIT or non-PPS
deals use “five (5) calendar days”] after the Discovery of such a Breach of Unsecured PHI, as those terms
are defined at 45 CFR 164 subpart D. Agent/Subcontractor’s notice to Business Associate shall include the applicable
elements as set forth at 45 CFR 164.410(c).
e) Assurance of safeguards.
i) Without limiting the notification requirements set forth in this Agreement, upon request from Business
Associate, Agent/Subcontractor shall provide reasonable assurance to Business Associate that
Agent/Subcontractor has taken the steps necessary to comply with the provisions of this Agreement. Such
assurance will be provided in a time and manner determined by Business Associate and may be requested prior to
engagement, annually, and/or in connection with the investigation of a Security Incident or
suspected Breach at the discretion of Business Associate.
ii) Business Associate or its authorized representatives may audit, monitor and inspect Agent/Subcontractor’s or
its agents’ facilities and equipment and any documents, information or materials in Agent/Subcontractor’s or
its agents’ possession, custody or control; interview Agent/Subcontractor’s employees, agents, consultants
and subcontractors; and inspect any logs or documentation maintained by Agent/Subcontractor to the extent
relating in any way to Agent/Subcontractor’s obligations under this Agreement. An inspection performed
pursuant to this Agreement shall not unreasonably interfere with the normal conduct of
Agent/Subcontractor’s business. No such inspection by Business Associate as set forth herein shall relieve
Agent/Subcontractor or its agents of any of its obligations under this Agreement.
IV) Permitted Uses and Disclosures by Agent/Subcontractor
In accordance with the limitations in this Agreement and any Underlying Services Agreement, Agent/Subcontractor may
use or disclose PHI as necessary to perform functions on behalf of, and/or provide services to Business Associate, to the
extent such uses or disclosures are permitted by the Privacy Rule, as it may be amended from time to time.
V) Specific Use and Disclosure Provisions
a) In accordance with the limitations in this Agreement, Agent/Subcontractor may use PHI as necessary for the
proper management and administration of Agent/Subcontractor or to carry out the legal responsibilities of
Agent/Subcontractor, to the extent such use is permitted by the Privacy Rule, as it may be amended from time to
time.
b) In accordance with the limitations in this Agreement, Agent/Subcontractor may disclose PHI as necessary for the
proper management and administration of Agent/Subcontractor, provided that such disclosures are (i) Required
By Law, (ii) Agent/Subcontractor obtains reasonable assurances from the person to whom the information is
disclosed that the information will remain confidential and used or further disclosed only as Required By Law or
for the purposes for which it was disclosed to the person, and the person notifies Agent/Subcontractor of any
instances of which it is aware in which the confidentiality of the information has been Breached, or (iii) are
otherwise permitted by the Privacy Rule, as it may be amended from time to time.
c) Agent/Subcontractor may use PHI as necessary to report violations of law to appropriate federal and state
authorities, to the extent permitted by 45 CFR 164.502(j)(1).
VI) Specific Use and Disclosure Restrictions
a) Agent/Subcontractor will restrict the disclosure of an Individual’s PHI in accordance with 45 CFR
164.522(a)(1)(i)(A), notwithstanding paragraph (a)(1)(ii) of that section, when, except as otherwise Required By
Law, Business Associate notifies Agent/Subcontractor that the Individual has made such a restriction request, and
each of the following conditions is satisfied:
i) the disclosure would be to a health plan for the purposes of carrying out payment or health care operations, as
that term may be amended from time to time, and
ii) the PHI pertains solely to a health care item or service for which the health care provider involved has been
paid out-of-pocket in full.
b) In accordance with 45 CFR 164.502(b)(1), Agent/Subcontractor will limit to the extent practicable the use,
disclosure, or request of PHI to the minimum necessary to accomplish the intended purposes of such use,
disclosure, or request, respectively, except that the restrictions set forth herein shall not apply to the exceptions set
forth in CFR 164.502(b)(2). At such time when the Secretary issues further guidance on disclosure limitations, as
mandated by Section 13405(b) of the HITECH Act, Agent/Subcontractor shall comply with the applicable
limitations established in the guidance.
c) Agent/Subcontractor shall not directly or indirectly receive remuneration in exchange for any PHI unless the
Agent/Subcontractor obtains written authorization from Business Associate that includes a specification of
whether the PHI can be further exchanged for remuneration by the entity receiving the PHI of the Individual,
except that this prohibition shall not apply in the following cases, in which Agent/Subcontractor will limit
remuneration to a reasonable, cost-based fee to cover the cost to prepare and transmit the Protected Health
Information for such purpose or a fee otherwise expressly permitted by other law:
i) The purpose of the exchange is for research or public health activities, as described at 45 CFR 154.501,
164.512(i), 164.512(b), and 164.514(e), or
ii) The purpose of the exchange is for the treatment of the Individual, subject to 164.506(a) and any regulation
that the Secretary may promulgate to prevent PHI from inappropriate access, use or disclosure, or
iii) The purpose of the exchange is the health care operation specifically described in subparagraph (iv) of
paragraph (6) of the definition of health care operations at 45 CFR 164.501 and pursuant to 164.506(a), or
iv) The purpose of the exchange is for remuneration that is provided by Business Associate to
Agent/Subcontractor for activities involving the exchange of PHI that Agent/Subcontractor undertakes on
behalf of and at the specific request of the Business Associate as set forth in this Agreement, or
v) The purpose of the exchange is to provide an Individual with a copy of the Individual’s PHI pursuant to 45
CFR 164.524 or an accounting of disclosures pursuant to 164.528, or
vi) The purpose of the exchange is otherwise determined by the Secretary in regulations to be similarly necessary
and appropriate.
VII) Obligations of Business Associate
a) Business Associate shall notify Agent/Subcontractor of any known limitation(s) in a Covered Entity’s notice of
privacy practices, in accordance with 45 CFR 164.520, to the extent that such limitation may affect
Agent/Subcontractor’s use or disclosure of PHI.
b) Business Associate shall notify Agent/Subcontractor of any changes in, or revocation of, permission by a Covered
Entity or an Individual to use or disclose PHI, to the extent that such changes may affect Agent/Subcontractor’s
use or disclosure of PHI.
c) Business Associate shall notify Agent/Subcontractor of any restriction to the use or disclosure of PHI that a
Covered Entity has agreed to or is required to abide by in accordance with 45 CFR 164.522 or as mandated
pursuant to Section 13405(c) of the HITECH Act, to the extent that such restriction may affect
Agent/Subcontractor’s use or disclosure of PHI.
VIII) Permissible Requests by Business Associate
Business Associate shall not request Agent/Subcontractor to use or disclose PHI in any manner that would not be
permissible under the Privacy or Security Rules if done by Business Associate or the Covered Entity.
IX) Term and Termination
a) Term. This Agreement shall be effective as of Effective Date and shall continue until terminated. The obligations
under this Agreement shall apply to each Underlying Services Agreement until the later of (i) completion,
termination, or expiration or (ii) when all of the PHI provided by Business Associate to Agent/Subcontractor or
created, received, maintained, or transmitted by Agent/Subcontractor on behalf of Business Associate is destroyed
or returned to Business Associate, in accordance with subsection c) below.
b) Termination for Cause for Failure to Comply with this Agreement by Agent/Subcontractor. Upon any failure to
comply with this Agreement by Agent/Subcontractor, Business Associate shall either:
i) Provide an opportunity for Agent/Subcontractor to cure the failure to comply or end the violation and
terminate this Agreement if Agent/Subcontractor does not cure the failure to comply or end the violation
within the time specified by Business Associate; or
ii) Immediately terminate this Agreement if Agent/Subcontractor has failed to comply with a material term of
this Agreement and cure is not possible and the Agent/Subcontractor has not implemented reasonable steps to
prevent a reoccurrence of such failure to comply.
c) Effect of Termination. Without in any way limiting Agent/Subcontractor’s obligations under the Underlying
Services Agreement:
i) Except as provided below in paragraph (2) of this subsection, upon termination of this Agreement, for any
reason, Agent/Subcontractor shall return or, at Business Associate’s prior approval and direction, destroy all
PHI received from Business Associate, or created, received, maintained, or transmitted by
Agent/Subcontractor on behalf of Business Associate that Agent/Subcontractor maintains in any form.
Agent/Subcontractor shall retain no copies of such information in accordance with the Privacy and Security
Rules, as amended from time to time. This provision shall apply to PHI that is in the possession of
subcontractors or agents of Agent/Subcontractor.
ii) In the event Agent/Subcontractor determines returning or destroying the PHI is infeasible,
Agent/Subcontractor shall provide to Business Associate notification of the conditions that make return or
destruction infeasible. Upon written notification that return or destruction of PHI is infeasible,
Agent/Subcontractor shall extend the protections of this Agreement to such PHI and limit further uses and
disclosures of PHI for so long as Agent/Subcontractor maintains such PHI.
X) Miscellaneous
a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in
effect or as amended.
b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as
is necessary for Business Associate to comply with the requirements of its Business Associate Agreement,
HIPAA, applicable Regulatory References and other federal or state laws and regulations.
c) Survival. The respective rights and obligations of Agent/Subcontractor under Section IX (Term and
Termination) of this Agreement shall survive termination of this Agreement.
d) Interpretation. Any ambiguity in this Agreement shall be resolved to the extent reasonable to permit Business
Associate to comply with HIPAA.
e) Conflicts. To the extent a conflict exists between this Agreement and the Underlying Services Agreement, the
terms and conditions of this Agreement shall take precedence.
IN WITNESS WHEREOF, Business Associate and Agent/Subcontractor have caused this Agreement to be signed and
delivered by their duly authorized representatives, as of the date set forth below.
SUPPLIER:
Authorized Representative
Date
Printed name
Title

[Micro Focus Contracting Entity]:
Authorized Global Procurement Representative
Date
Printed name
Title
APPENDIX 3 TO ADDENDUM 2
Requirements of Section 11 German Federal Data Protection Act ("FDPA")
1. In order to fully comply with mandatory provisions of Section 11 FDPA regarding the commissioning of the data
importer as a processor under the national laws applicable to the data exporter, the parties agree on the following
amendments to the Standard Contractual Clauses:
(a) Data importer will rectify, delete and/or block personal data if so instructed by data exporter.
(b) Data importer shall control, in an appropriate way, compliance with its data protection obligations and provide
related reports to data exporter.
(c) Data exporter shall have the right to control compliance of data importer with its data protection obligations
(especially with the technical and organizational measures) by adequate and reasonable means (e.g., by
requesting information or audit reports regarding the data importer's data processing systems), it being
understood that such measures may only relate to information and data processing systems that are relevant to
the services. Data importer shall support data exporter in carrying out such controls to the reasonably necessary
extent. Upon request the data importer shall prove to the data exporter that the technical and organizational
measures agreed in Appendix 2 have been implemented.
(d) Data importer shall notify data exporter, without undue delay, if it holds that an instruction violates applicable
law. Upon such notification, data importer shall have the right to refrain from or discontinue (as the case may
be) carrying out the instruction until data exporter has confirmed or changed the instruction. Data importer will
notify the data exporter about all requests by data subjects to access, delete or block personal data, about all
complaints by data subjects and objections of competent data protection authorities and all other risks and
violations.
(e) Data importer shall ensure that any of its or any of its subcontractors’ personnel entrusted with processing
personal data under these Clauses (i) have undertaken to comply with the principle of data secrecy (i.e. to not
collect, process or use personal data without authorization), and (ii) have been duly instructed on the protective
regulations of the applicable data protection laws.
(f) Data importer shall notify data exporter of the contact details of the data importer’s data protection official (if
one was appointed).
(g) Data exporter shall have the right to instruct data importer, both on a general and a case-specific basis, regarding
the "if" and "how" of the collection, processing and use of personal data in connection with the services.
Instructions may also relate to the rectifying, deletion and blocking of data. Instructions shall be given as a rule,
except where the urgency or other circumstances require that an instruction be given in a different form (e.g.,
orally, per e-mail etc.).
(h) Unless otherwise instructed by the data exporter, the data importer may return all data that is subject to this
agreement to the data exporter at the end of the contract and refrain from any further processing and use of the
data, where this is possible for the data importer without violating its own legal duties.
(i) The term of these Clauses corresponds to the term of the Commercial Agreement entered into by data exporter
and data importer. These Clauses shall automatically terminate upon any termination or expiration of the
Commercial Agreement.
2. If and to the extent necessary to comply with mandatory provisions regarding the commissioning of the data importer
as a processor under the national laws applicable to the data exporter, data exporter may propose any necessary
amendments to these provisions. Such amendments are deemed accepted by the data importer if it does not reject the
changes within four weeks after having received a notification of the amendments. The data importer shall be
informed about this consequence in the notification. If disputed, the necessity of an amendment shall be deemed
proven if the data exporter presents a respective order (which may be informal) by a competent regulator. The data
exporter is not obliged to demand that the regulator issues a formal order, or to challenge an informal order.
3. In the event of inconsistencies between this appendix and the Standard Contractual Clauses the provisions of the
Standard Contractual Clauses shall prevail. Provisions of this appendix shall however remain valid to the extent that
they do not contradict but merely amend the provisions of the Standard Contractual Clauses.
4. Should any provision or condition of this Model Contract be held or declared invalid, unlawful or unenforceable by
a competent authority or court, then the remainder of this Model Contract shall remain valid. Such an invalidity,
unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this Model Contract.
The provision or condition affected shall be either (i) amended to an extent that ensures its validity, lawfulness and
enforceability, while preserving the parties' intentions, or (ii) construed in a manner as if the invalid, unlawful or
unenforceable part had never been contained therein.