Vendor shall exercise commercially reasonably efforts to prevent unauthorized exposure or disclosure of Customer Data. In addition, and without limiting the generality of the preceding sentence:
(a) DataSec Program. Vendor shall maintain, implement, and comply with a written data security program (the “DataSec Program”) that requires commercially reasonable policies and procedures to ensure compliance with this Section __ (Data Security) and with Section __ (Data Management). The DataSec Program’s policies and procedures shall contain administrative, technical, and physical safeguards, including without limitation: (i) guidelines on the proper disposal of Customer Data after it is no longer needed to carry out the purposes of the Agreement; (ii) access controls on electronic systems used to maintain, access, or transmit Customer Data; (iii) access restrictions at physical locations containing Customer Data; (iv) encryption of electronic Customer Data; (v) dual control procedures; (vi) testing and monitoring of electronic systems; and (vii) procedures to detect actual and attempted attacks on or intrusions into the systems containing or accessing Customer Data. Vendor shall review the DataSec Program and all other Customer Data security precautions regularly, but no less than annually, and update and maintain them to comply with applicable laws, regulations, technology changes, and best practices.
(b) Employee Background Checks. Vendor shall not allow any of its employees or subcontractor personnel to access Customer Data except to the extent that such individual has received a clean report with regard to each of the following: (i) verifications of education and work history; (ii) a 7-year all residence criminal offender record information check; and (iii) a 7-year federal criminal offender record information check. (A clean report refers to a report with no discrepancies in education or work history and no criminal investigations or convictions related to felonies or to crimes involving identity theft or other misuse of sensitive information.) However, the requirements of the preceding sentence shall not apply to the extent forbidden by applicable law.
(c) Audits & Testing.
(i) Vendor shall retain a certified public accounting firm to perform an annual audit of the Services’ data protection features and to provide a SOC 2 Type II report, pursuant to the standards of the American Institute of Certified Public Accountants (the “AICPA”). The most current report shall be due to Customer within ___ business days of the Effective Date and thereafter annually within ___ business days of Vendor’s receipt from the audit firm. If the AICPA revises its relevant reporting standards, Vendor shall provide the report that then most closely resembles a SOC 2 Type II report. In addition, Vendor shall annually conduct its own internal security audit and address security gaps in compliance with its security policies and procedures, including without limitation the DataSec Program.
(ii) If requested by Customer, Vendor shall, on a quarterly basis: (A) permit security reviews (e.g., intrusion detection, firewalls, routers) by Customer on systems storing or processing Customer Data and on Vendor policies and procedures relating to the foregoing; and (B) permit unannounced inspection of any or all security processes and procedures during the Term, including without limitation penetration tests; provided vendor is not required to permit any review or inspection that may compromise the security of Vendor’s other customers or of their data.
(iii) Any report or other result generated through the tests or audits required by this Subsection __(c) will be Vendor’s Confidential Information pursuant to Section __ (Nondisclosure). If any audit or test referenced above uncovers deficiencies or identifies suggested changes in Vendor’s performance of the Services, Vendor shall exercise reasonable efforts promptly to address such identified deficiencies and suggested changes, including without limitation by revising the DataSec Program.
(d) Data Breaches. Vendor shall implement and maintain a program for managing unauthorized disclosure or exposure of Customer Data stored by or accessible through the Services (“Data Breaches”). In the event of a Data Breach, or in the event that Vendor suspects a Data Breach, Vendor shall (i) promptly notify Customer by telephone and (ii) cooperate with Customer and law enforcement agencies, where applicable, to investigate and resolve the Data Breach, including without limitation by providing reasonable assistance to Customer in notifying injured third parties. In addition, Vendor shall provide 1 year of credit monitoring service to any affected individual, unless the Data Breach resulted from Customer’s act or omission. Vendor shall give Customer prompt access to such records related to a Data Breach as Customer may reasonably request; provided such records shall be Vendor’s Confidential Information pursuant to Section __ (Nondisclosure), and Vendor shall not be required to provide Customer with records belonging to, or compromising the security of, its other customers. The provisions of this Subsection __(d) do not limit Customer’s other rights or remedies, if any, resulting from a Data Breach.