Effective Date: January 1, 2012
- A) Access, Use, & Legal Compulsion. Unless it receives Recipient’s prior written consent, Provider: (i) will not access or use data in electronic form collected through the Services from Recipient’s customers or other third parties, or collected or accessible directly from Recipient, (collectively, “Project Data”) other than as necessary to facilitate the Services; and (ii) will not give any third party access to Project Data. Notwithstanding the foregoing, Provider may disclose Project Data as required by applicable law or by proper legal or governmental authority. Provider will give Recipient prompt notice of any such legal or governmental demand and reasonably cooperate with Recipient in any effort to seek a protective order or otherwise to contest such required disclosure, at Recipient’s expense.
- B) Recipient’s Rights. Recipient possesses and retains all right, title, and interest in and to Project Data, and Provider’s use and possession thereof is solely as Recipient’s agent. Recipient may access and copy any Project Data in Provider’s possession at any time. Provider will facilitate such access and copying promptly after Recipient’s request.
- C) Retention & Deletion. Provider will retain any Project Data in its possession until Erased (as defined below) pursuant to this Subsection C). Provider will Erase: (i) all copies of Project Data 30 after collection thereof; (ii) any or all copies of Project Data promptly after Recipient’s written request; and (iii) all copies of Project Data no sooner than 30 business days after termination of Project Agreement and no later than 90 business days after such termination. Notwithstanding the foregoing, Recipient may at any time instruct Provider to retain and not to Erase or otherwise delete Project Data, provided Recipient may not require retention of Project Data for more than 90 business days after termination of this Agreement. Promptly after Erasure pursuant to this Subsection C), Provider will certify such Erasure in writing to Recipient. (“Erase” and “Erasure” refer to the destruction of data so that no copy of the data remains or can be accessed or restored in any way.)
- D) Individuals’ Access. Provider will not allow any of its employees to access Project Data, except to the extent that an employee needs access in order to facilitate the Services and executes a written agreement with Provider agreeing to comply with Provider’s obligations set forth in the Project Agreement. Provider will not grant access to Project Data if information in Provider’s possession would lead a reasonable person to suspect that the individual has committed identity theft or otherwise misused third party data or that the individual presents a threat to the security of Project Data.
- E)Compliance with Law & Policy. Provider will comply with all applicable federal and state laws and regulations governing the handling of Project Data.
- F) Leaks. Provider will promptly notify Recipient of any actual or potential exposure or misappropriation of Project Data (any “Leak”) that comes to Provider’s attention. Provider will cooperate with Recipient and with law enforcement authorities in investigating any such Leak, at Provider’s expense. Provider will likewise cooperate with Recipient and with law enforcement agencies in any effort to notify injured or potentially injured parties, and such cooperation will be at Provider’s expense, except to the extent that the Leak was caused by Recipient.
- G) Injunction. Provider agrees that violation of the provisions of this Data Management and Security policy might cause Recipient irreparable injury, for which monetary damages would not provide adequate compensation, and that in addition to any other remedy, Recipient will be entitled to injunctive relief against such breach or threatened breach, without proving actual damage or posting a bond or other security.