Excerpts from our MSA (Master Service Agreement) around confidentiality and data security
- Definition. As used herein, "Confidential Information" means all confidential information disclosed by a Party ("Disclosing Party") to the other Party ("Receiving Party"), whether orally or written, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure. Customer’s Confidential Information shall include the Customer Data; Kokomo’s Confidential Information shall include the Service; and Confidential Information of each Party shall include the terms and conditions of this Agreement and all Service Orders, as well as each Party’s respective business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such Party.
- Exclusions. However, Confidential Information (other than Customer Data) shall not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information as evidenced by the records of the Receiving Party.
- Protection of Confidential Information. Except as otherwise permitted in writing by the Disclosing Party, (i) the Receiving Party shall protect the Disclosing Party's Confidential Information by using the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care), and shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) the Receiving Party shall limit access to Confidential Information of the Disclosing Party to those of its employees, contractors and agents who need such access for purposes consistent with this Agreement and who are bound by confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. The Receiving Party shall promptly notify the Disclosing Party upon becoming aware of any unauthorized access, use, or disclosure of the Disclosing Party’s Confidential Information.
- Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party's Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.
- Return of Customer Data. Upon expiration or termination of this Agreement and otherwise at any time, Kokomo shall: (a) within 30 days, return to Customer, in a format and media mutually agreed between the Parties, all or any part of the Customer Data; and (b) erase or destroy all or any part of the Customer Data in Kokomo’s possession or control, in each case to the extent so requested by Customer.
- No License. Except as expressly set forth herein, no license or other rights to Confidential Information are granted or implied hereby by either Party.
- Privacy Policy. The Kokomo Privacy Policy is hereby incorporated by reference into, and made a part of, this Agreement. If there is any conflict or inconsistency between this Agreement and the Kokomo Privacy Policy, this Agreement will control.
- Data Security. Kokomo shall ensure that its personnel and subcontractors who have access to Customer Data shall, at all times, utilize appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the Service and all Customer Data (including, to the extent applicable, use of encryption, firewall protection, intrusion detection and prevention tools and network management applications), all in accordance with generally accepted industry standards and the requirements of applicable data protection and privacy laws and regulations. In the event that Kokomo discovers any breach of security with respect to the Services or any Customer Data (“Security Breach”), Kokomo shall: (i) immediately (within 24 hours) notify Customer of the Security Breach; (ii) perform an investigation to learn the cause of the Security Breach; (iii) take commercially reasonable measures to prevent such a Security Breach in the future; and (iv) take commercially reasonable efforts to resolve any such Security Breach and fully cooperate with Customer in complying with any notification or other regulatory requirements that may result from such Security Breach.
Data Loss Plan and Data Destruction Plan
Snippets from MSA and DPA
- Data Loss Plan
Data Security. Kokomo shall ensure that its personnel and subcontractors who have access to Customer Data shall, at all times, utilize appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the Service and all Customer Data (including, to the extent applicable, use of encryption, firewall protection, intrusion detection and prevention tools and network management applications), all in accordance with generally accepted industry standards and the requirements of applicable data protection and privacy laws and regulations. In the event that Kokomo discovers any breach of security with respect to the Services or any Customer Data (“Security Breach”), Kokomo shall: (i) immediately (within 24 hours) notify Customer of the Security Breach; (ii) perform an investigation to learn the cause of the Security Breach; (iii) take commercially reasonable measures to prevent such a Security Breach in the future; and (iv) take commercially reasonable efforts to resolve any such Security Breach and fully cooperate with Customer in complying with any notification or other regulatory requirements that may result from such Security Breach.
- Data Destruction
Return or Destruction of Client Data. At any time and upon Customer’s written request, Kokomo24/7 shall, within ten (10) business days, return all originals and copies of Customer Data, whether in printed or electronic form, including any and all backups and archived data. In lieu of a return of Customer Data, but only with the Client’s written consent, Kokomo24/7 will promptly destroy all originals and copies of Customer Data, whether in printed or electronic form, including any and all backups and archived data, in accordance with industry standards and the federal government’s best practices.
The parties agree that on the termination of the provision of Services, Vendor and any Sub-processor shall, at the choice of Customer, return all Customer Personal Data transferred and the copies thereof to Customer or shall destroy all the Customer Personal Data and certify to Customer that it has done so, unless legislation imposed upon Vendor or any Sub-processor, as applicable, prevents it from returning or destroying all or part of the Customer Personal Data transferred. In that case, Vendor warrants that it will guarantee the confidentiality of the Customer Personal Data transferred and will not actively process the Customer Personal Data transferred anymore.