Data Management

This clause has not yet been updated to address the California Consumer Privacy Act (CCPA). But we will soon!

(a)  Access, Use, & Legal Compulsion. Unless it receives Customer’s prior written consent, Vendor: (i) shall not access, process, or otherwise use Customer Data other than as necessary to facilitate the Services; (ii) shall not give any of its employees access to Customer Data except to the extent that such individual needs access to facilitate performance under this Agreement and is subject to a reasonable written nondisclosure agreement with Vendor protecting such data, with terms reasonably consistent with those of this Section __ (Data Management) and of Section __ (Data Security); and (iii) shall not give any third party access to Customer Data, including without limitation Vendor’s other customers, except subcontractors subject to Subsection __(d) below. Notwithstanding the foregoing, Vendor may disclose Customer Data as required by applicable law or by proper legal or governmental authority. Vendor shall give Customer prompt notice of any such legal or governmental demand and reasonably cooperate with Customer in any effort to seek a protective order or otherwise to contest such required disclosure, at Customer’s expense.

(b)  Customer’s Rights. Customer possesses and retains all right, title, and interest in and to Customer Data, and Vendor’s use and possession thereof is solely on Customer’s behalf. Customer may access and copy any Customer Data in Vendor’s possession at any time, and Vendor shall reasonably facilitate such access and copying promptly after Customer’s request.

(c)  Handling, Retention, & Deletion. Vendor shall observe the policies attached to this Agreement as Attachments __ (Privacy Policy) and __ (e-Discovery Policy), including without limitation policies regarding retention and deletion of Customer Data. Customer may revise either such policy by providing new written versions to Vendor; provided Vendor is not required to accept any such revision without reasonable additional compensation if it materially increases Vendor’s obligations. Except as permitted in such policy, Vendor shall not erase Customer Data, or any copy thereof, without Customer’s prior written consent and shall follow any written instructions from Customer regarding retention and erasure of Customer Data. Unless prohibited by applicable law, Vendor shall purge all systems under its control of all Customer Data at such time as Customer may request. Promptly after erasure of Customer Data or any copy thereof, Vendor shall certify such erasure to Customer in writing. In purging or erasing Customer Data as required by this Agreement, Vendor shall leave no data recoverable on its computers or other media, to the maximum extent commercially feasible. Finally, Vendor shall not transfer Customer Data outside _________ (the “Approved Region”) without Customer’s prior written consent.

(d)  Subcontractors. Vendor shall not permit any subcontractor to access Customer Data unless such subcontractor is subject to a written contract with Vendor protecting the data, with terms reasonably consistent with those of this Section __ (Data Management) and of Section __ (Data Security), specifically including without limitation terms consistent with those of Subsection __(a)(ii) above as applied to subcontractor employees. Vendor shall exercise reasonable efforts to ensure that each subcontractor complies with all of the terms of this Agreement related to Customer Data. As between Vendor and Customer, Vendor shall pay any fees or costs related to each subcontractor’s compliance with such terms, including without limitation terms in Section __ below (Data Security) governing audits and inspections.

(e)  Applicable Law. Vendor shall comply with all applicable laws and regulations governing the handling of Customer Data and shall not engage in any activity related to Customer Data that would place Customer in violation of any applicable law, regulation, government request, or judicial process; provided the foregoing does not require that Vendor comply with or be aware of any of the following laws or regulations: ________________________.

(f)  Injunction. Vendor agrees that violation of the provisions of this Section __ (Data Management) or of Section __ (Data Security) below would cause Customer irreparable injury, for which monetary damages would not provide adequate compensation, and that in addition to any other remedy, Customer shall be entitled to injunctive relief against such breach or threatened breach, without proving actual damage and without posting a bond or other security.