Business Practice Commitments. As further consideration for the settlement and releases provided herein, Shift Digital agrees to take reasonable measures to further secure personal information within its custody and control and to maintain such measures already taken. Specifically, Shift Digital agrees that it has or will implement the following: (1) ensure that the default setting for all Microsoft Azure data storage containers is private; (2) conduct frequent enterprise-wide automated scans across its cloud computing platform to confirm that the access settings of all data storage containers are correct; (3) conduct periodic manual reviews of all Microsoft Azure data storage containers to ensure they are set to the correct access settings; (4) maintain role-based security protocols that limit permission to create Microsoft Azure data storage containers to a small number of designated users; (5) encrypt all application data within its control in Microsoft Azure at-rest and in-transit; (6) use Microsoft Azure Security Center tools, such as constant vulnerability scans, to proactively monitor security threats; (7) conduct annual third-party penetration testing of its applications and address any vulnerabilities as appropriate; (8) commission annual third-party assessments of its security programs and practices and update its programs and practices to address threats and vulnerabilities; (9) engage an outside service provider for Virtual Chief Information Security Officer Services and work to build a dedicated data security team; and (10) further develop and formalize its data classification protocols, risk management operations, and incident response procedures.
Source: Settlement Agreement