Service Specific Terms

If included in an Order, this Data Security Agreement (“DSA”) is incorporated in and made a part of that CitizenDeveloper Order between CitizenDeveloper (“CitizenDeveloper”) and Customer (“Customer”) (together, the “Parties”). This DSA shall have the same effective date as the Order.  The Parties hereby agree as follows:

1. DEFINITIONS. Capitalized terms used herein shall have the meanings set forth in this Section 1.
   1. “Authorized Employees” means CitizenDeveloper’s employees who have a need to know or otherwise access Personal Information to enable CitizenDeveloper to perform its obligations under this Agreement.
   2. “Personal Information” means information provided to CitizenDeveloper by or at the direction of Customer, information which is created or obtained by CitizenDeveloper on behalf of Customer, or information to which access was provided to CitizenDeveloper by or at the direction of Customer, in the course of CitizenDeveloper ‘s performance under this Agreement that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, user identification and account access credentials or passwords, financial account numbers, credit report information, student information, biometric, health, genetic, medical, or medical insurance data, answers to security questions, IP addresses, or precise location data, and other personal identifiers), in case of both subclauses (i) and (ii), including, without limitation, an individual’s (a) government-issued identification number (including Social Security number, driver’s license number, or state-issued identification number); (b) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number, or password that would permit access to an individual’s financial account; or (c) biometric, genetic, health, medical, or medical insurance data. Customer’s business contact information is not by itself deemed to be Personal Information.
   3. “Security Breach” means (i) any act or omission within the control of CitizenDeveloper or its Authorized Employees that materially compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by CitizenDeveloper that relate to the protection of the security, confidentiality, or integrity of Personal Information. Without limiting the foregoing, a material compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information by CitizenDeveloper or its Authorized Employees.
2. STANDARD OF CARE.
   1. CitizenDeveloper acknowledges and agrees that, in the course of its engagement by Customer, CitizenDeveloper may create, receive, or have access to Personal Information. CitizenDeveloper shall comply with the terms and conditions set forth in this Agreement in its creation, collection, receipt, transmission, storage, disposal, use, and disclosure of such Personal Information and be responsible for any Security Breach.
   2. In recognition of the foregoing, CitizenDeveloper agrees and covenants that it shall:
      1. keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure;
      2. not create, collect, receive, access, or use Personal Information in violation of law;
      3. use and disclose Personal Information solely and exclusively for the purposes for which the Personal Information, or access to it, is provided pursuant to the terms and conditions of this DSA, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Information for CitizenDeveloper’s own purposes or for the benefit of anyone other than Customer, in each case, without Customer’s prior written consent; and
      4. not, directly or indirectly, disclose Personal Information to any person other than its Authorized Employees (an “Unauthorized Third Party”) without Customer’s prior written consent unless and to the extent required by Government Authorities or as otherwise, to the extent expressly required by applicable law, in which case, CitizenDeveloper shall use reasonable efforts and to the extent permitted by applicable law to notify Customer before such disclosure or as soon thereafter as reasonably possible.
3. INFORMATION SECURITY
   1. CitizenDeveloper represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Information does and will comply with all applicable federal, state, and international privacy and data protection laws, as well as all other applicable regulations and directives.
   2. CitizenDeveloper shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed regularly.
   3. Without limiting CitizenDeveloper’s obligations under Section 3(a), CitizenDeveloper shall implement administrative, physical, and technical safeguards to protect Personal Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Personal Information is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this DSA.
   4. At a minimum, CitizenDeveloper’s safeguards for the protection of Personal Information shall include: (i) limiting access of Personal Information to Authorized Employees; (ii) securing business facilities, data centers, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, application, database, and platform security; (iv) securing information transmission, storage, and disposal; (v) implementing authentication and access controls within media, applications, operating systems, and equipment; (vi) encrypting Personal Information stored on any media; (vii) encrypting Personal Information transmitted over public or wireless networks; (viii) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at CitizenDeveloper’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (ix) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and (x) providing appropriate privacy and information security training to CitizenDeveloper’s employees.
   5. During the term of each Authorized Employee’s employment by CitizenDeveloper, CitizenDeveloper shall at all times cause such Authorized Employees to abide strictly by CitizenDeveloper obligations under this DSA. CitizenDeveloper further agrees that it shall maintain a disciplinary process to address any unauthorized access, use, or disclosure of Personal Information by any of CitizenDeveloper’s officers, partners, principals, employees, agents, or CitizenDevelopers.
4. SECURITY BREACH PROCEDURES
   1. As an optional “dedicated 24/7 Security Contact” upgrade to this SKU (i.e. not included unless this upgrade is specifically designated in the Order) CitizenDeveloper shall:
      1. provide Customer with the name and contact information for an employee of CitizenDeveloper who shall serve as Customer’s primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach;
      2. notify Customer of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after CitizenDeveloper becomes aware of it by email to CitizenDeveloper’s primary business contact within Customer.
   2. Immediately following CitizenDeveloper’s notification to Customer of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach and to comply with applicable law, regulation and industry standards.
   3. CitizenDeveloper shall at its own expense take reasonable steps to immediately contain and remedy any Security Breach and prevent any further Security Breach, including, but not limited to taking any and all action necessary to comply with applicable privacy rights, laws, regulations, and standards.
   4. CitizenDeveloper agrees that it shall not inform any third party of any Security Breach unless compelled to do so by laws, regulations or standards. Further, CitizenDeveloper agrees that Customer shall have the right to (i) provide notice of the Security Breach to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation; and (ii) to determine the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
   5. CitizenDeveloper agrees to maintain and preserve all documents, records, and other data related to any Security Breach.
   6. CitizenDeveloper agrees to reasonably cooperate with Customer at Customer’s expense in any litigation, investigation, or other action deemed reasonably necessary by Customer to protect its rights relating to the use, disclosure, protection, and maintenance of Personal Information.
5. OVERSIGHT OF SECURITY COMPLIANCE. Upon mutual agreement to confirm CitizenDeveloper’s compliance with this DSA, as well as any applicable laws, regulations, and industry standards, CitizenDeveloper may grant an approved third party auditor on Customer’s behalf, permission to perform an assessment, audit, examination, or review of all controls in CitizenDeveloper’s physical and/or technical environment in relation to all Personal Information being handled and/or services being provided to Customer pursuant to this DSA. CitizenDeveloper shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information for Customer pursuant to this DSA. In addition, upon Customer’s written request, CitizenDeveloper may provide Customer with the results of a previously performed audit by or on behalf of CitizenDeveloper that assesses the effectiveness of CitizenDeveloper’s information security program as relevant to the security and confidentiality of Personal Information shared during the course of this Agreement.
6. RETURN OR DESTRUCTION OF PERSONAL INFORMATION. At any time during the term of this Agreement at Customer’s request or upon the termination or expiration of this Agreement for any reason, CitizenDeveloper shall, and shall instruct all Authorized Persons to, promptly return to Customer all copies, whether in written, electronic, or other form or media, of Personal Information in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to Customer that such Personal Information has been returned to Customer or disposed of securely. CitizenDeveloper shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Personal Information.
7. EQUITABLE RELIEF. CitizenDeveloper acknowledges that any breach of its covenants or obligations set forth in this DSA may cause Customer irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Customer is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance, and any other relief that may be available from any court, in addition to any other remedy to which Customer may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in this DSA to the contrary.
8. MATERIAL BREACH. CitizenDeveloper’s failure to comply with any of the provisions of this DSA is a material breach of the Order. In such event, Customer may terminate the Order effective immediately upon written notice to the CitizenDeveloper without further liability or obligation to CitizenDeveloper.
9. INDEMNIFICATION. Customer shall defend, indemnify, and hold harmless CitizenDeveloper from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against CitizenDeveloper arising out of or resulting from the actions of Customer that led to a Security Breach.