If there is a conflict between the language in this Exhibit and the language in the agreement or purchase order, the provisions of this Exhibit will control.
I DATA PROTECTION
A. Data Protection and Security. In providing services to Seagate, Contractor and Contractor employees and agents may have access to Seagate systems and data, including text, images, graphics, clips, files, and any other data in electronic and written format. Such data may include personally identifiable information (“Personal Information”) provided by Seagate or collected by Contractor in connection with this Agreement that (a) identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (b) contains or is derived from contact information of an individual person, such as name, address, phone number, fax number, email address, social security number, passport number, disability status, veteran status, other government-issued identifiers, credit card information, health information, or other sensitive information. Collectively all such data is defined as “Seagate Data.” Contractor shall not use any Seagate Data related to Seagate's employees, customers, or suppliers except as directed by Seagate. All Seagate Data is Seagate confidential information. Contractor shall employ appropriate security measures to prevent the unauthorized disclosure, deletion, alteration, or access to Seagate Data.
B. Data Protection and Retention. Contractor shall comply with all applicable laws regarding processing, transmitting, and storing Seagate Data. Contractor shall not retain Seagate Data longer than necessary to provide the Services, unless required by law. Contractor shall conduct an annual compliance review to confirm that it complies with all data protection requirements.
C. Notification. Contractor shall immediately notify Seagate if any Seagate Data is disclosed, deleted, altered, or accessed without authorization. Contractor shall immediately notify Seagate of any inquiries or complaints related to the Seagate Data. Contractor shall refer individuals requesting access to their Seagate Data to Seagate.
D. Return of Seagate Data. Contractor shall return or destroy the Seagate Data upon Seagate’s request, or upon the completion of the Services and Deliverables that require the Seagate Data, or upon termination of this Agreement, whichever occurs first. Contractor shall document its retention or disposal of Seagate Data, and shall provide a certificate signed by an officer of Contractor certifying that the Seagate Data was securely destroyed.
E. Access and Correction. Contractor shall allow Seagate to access any Seagate Data; and upon Seagate’s request, shall amend, correct, delete, or add Seagate Data as directed by Seagate.
F. Certification. Contractor warrants on its own behalf, and on behalf of any of its subcontractors that are U.S. organizations, certification under the Safe Harbor framework set forth by the U.S. Department of Commerce. If Contractor is not certified under the Safe Harbor frame work, the parties agree to execute the European Union Data Protection terms and conditions. To the extent that Contractor subcontracts any of the Services, Contractor further warrants that any subcontractors that are not Safe Harbor certified will also execute the European Union Safe Harbor terms and conditions and Contractor will provide copies to Seagate upon request.
II ELECTRONIC SECURITY
A. Data Transfers. To protect data confidentiality during transfers, Contractor shall use Secure Sockets Layer (SSL) standards. In addition, Contractor shall maintain at a minimum the following security measures: HTTP with SSL 256-bit encryption (HTTPS); the ability to transfer files via Secure File Transfer Protocol (SFTP); at least 256-bit AES encryption of files and encode data during transmission; and encrypted passwords for hosting services.
B. Contractor Policies. Contractor shall maintain its own security policies and procedures, outlining the minimum-security policies and procedures adhered to by Contractor’s employees or subcontractors. Contractor shall provide a copy of its security policies and procedures documents to Seagate upon request.
C. Mitigation of Vulnerabilities. Contractor shall aggressively mitigate any critical security vulnerabilities discovered at any time Seagate may require Contractor to disclose the specific configuration files for any web servers and associated support functions (such as search engines or databases). Any configuration files disclosed to Seagate are Contractor Confidential Information.
D. Notification of Security Breach. Upon becoming aware of any unlawful access to any Seagate Data stored on Contractor’s equipment or in Contractor’s facilities, or any unauthorized access to any facilities or equipment resulting in loss, disclosure, or alteration of any Seagate Data, or any actual loss of or suspected threats to the security of Seagate Data, Contractor personnel will immediately:
1. notify Seagate’s Electronic Security Department of the incident;
2. investigate or provide required assistance in the investigation of the security incident;
3. provide Seagate with detailed information about the security incident;
4. take all commercially reasonable steps to mitigate the effects of the security incident, or assist Seagate in doing so; and
5. implement a remediation plan and monitor the resolution of breaches and vulnerabilities related to Personal Information to ensure that appropriate corrective action is taken on a timely basis.
E. Reporting. Contractor shall provide a complete report of all issues related to security breaches to Seagate’s Electronic Security department within 24 hours after discovery. Contractor shall provide prior notice to Seagate of any proposed communications to third parties related to any security incident and will work on them in coordination with Seagate. Contractor shall not issue any communication without Seagate’s approval.
III PHYSICAL SECURITY
A. Background Checks. Seagate will conduct criminal background screenings of all Contractor employees and subcontractors who will require unescorted access to Seagate systems, networks or physical sites to ensure contractors meet Seagate security standards. All background screenings will be conducted by a licensed Credit Reporting Agency in compliance with all applicable laws and regulations.
B. Access Restrictions. Any Contractor employee or subcontractor with conviction(s) for theft, violence, or narcotics related offenses will be denied access to Seagate’s systems or networks, and must have escorted access to Seagate’s physical site(s) used to provide the Services, unless otherwise prohibited by applicable law or regulations. Seagate will determine whether any person meets the criteria to have access to the systems, network, or physical site(s).
C. Confidentiality and Compliance. Seagate shall maintain the confidentiality of the reports it will review and to fully comply with all applicable laws, including the Fair Credit Reporting Act and data protection and privacy regulations, when acting pursuant to this Exhibit.